I am using spring boot 2.2.4 and spring security and I would like to know if there is a reason why the user details service is called so many times ?.
I have 3 databases which the user can select to authenticate against but the loadUserByUsername is called many times.
I know I should put some code but I am not close to the laptop...
Related
Problem
Implementing SSO login for multiple OAuth2 providers in Spring Boot.
Setup
Two Spring Boot web applications (App1 and App2) that are configured to be OAuth2 clients. Both will communicate with a Keycloak authorization server that has two realms.
Business Requirements
Implement Single Sign-On functionality (SSO).
Multi tenancy with shared user base.
Only one user can access one tenant at any time.
I have two spring boot applications which are OAuth2 clients running in docker containers. We are setting up multiple Keycloak realms that are configured for each tenant. From the Spring side of things, we include the auto configuration properties for two providers where each provider will be mapped to a different Keycloak realm. So the properties will look as follows:
spring.security.oauth2.client.provider.realm1......
spring.security.oauth2.client.provider.realm2......
Behavior
When a user logs into the first application (App1), Spring shows a generated html page. This page shows a list of each provider configured from the application.properties as an option to login to.
A user can select one and is redirected to the Keycloak login page with the realm that was mapped from Spring's provider properties. Then when successfully logged in, the user is redirected back as expected.
We use Spring Mongo session to store the session information and we also see in the Keycloak admin client the realm that shows the active session as well.
When trying to access the other application (App2), Spring does not detect the user or session and will show the same generated html page that shows the providers to select and login to.
When clicking on the same provider (realm), Spring will then find the session and will be redirected to the requested resource and all is well. This part is what I am trying to implement without asking for the provider first. The main reason is to enforce a business requirement where a user in a session can not access more than one realm at a time.
Attempted Solution
Provide a Spring Security login controller that will have a service layer to find the mongo session and then build the OAuth2 link Spring generates when you click a provider from the list.
However, I dont have the user yet. This also becomes a problem when opening a different tab as I dont believe I have any scope to the cookies that were created from the first application as well.
The only other thing I can think of is trying to get the client ip and store that in the session so I can find it later. However, when using nginx proxy configuration, this becomes a problem as I cant seem to get the actual ip and always seem to get the proxy ip instead even with the nginx headers I have seen from documentation.
Question
Is there anyway to find the session and redirect to the requested provider programmatically?
Note: I am currently aware of the keycloak starter dependencies that are available but I was trying to see if there is a more Spring oriented solution with its general OAuth2 client security configuration.
Front end solution
User navigate to app1, app1 detects no user session (need for login), app1 redirects user to app2 with some query parameters indicating purpose of redirect.
App2 receives redirect request and check if session exist (user logged in to app2). Now you can deal with it. redirect back to app1 or display some error, etc.
User not logged in to app2 , app2 redirects back to app1 with indication "show providers"
Symmetrical behavior shall be implemented on app1 too.
Depending on security requirements query parameters can be encrypted to prevent manual url hacking.
If you need further protection Keycloak authentication can be extended with functionality to check your Session storage for already logged in users.
on a Spring Security service layer I have a method createUser() with annotation #PreAuthorize("hasAuthority('ROLE_ADMIN')"). This already works.
But when installing this application, the first user must be created. Currently I am trying to create a default user on startup when the user database is empty. Later this should be done via web interface. But what is the best approach for something like this? Currently I can not create the first user because I am no admin. I could secure the method in the web controller, but securing the service layer is a better approach I think.
Do I need something like
#PreAuthorize("hasAuthority('ROLE_ADMIN')") OR DATABASE IS EMPTY
or is it possible to call a local method with an authority?
I would assume this problem is already solved 100 times :-)
Best regards,
Jochen
I am building a Spring Boot application with Vaadin as front end. The application uses a third party library to authenticate the user with his identity card via SAML.
After this authentication the user is redirected back to my service and I can fetch the authentication result and optional attributes.
My question is, how can I implement the protection of specific Vaadin views within my application based on the authentication via the user's ID card and how do I set the user as authenticated appropriately?
I am new to Spring Security and the majority of its examples shows authentication via a login form with username and password which does not fit in this case.
You can find two approaches to secure your Spring Vaadin Application with either filter based (so only Spring Security) security, or a hybrid approach in this Github repository: https://github.com/peholmst/SpringSecurityDemo
You can also find blogposts about both approaches here:
Filter Based Security
Hybrid Approach
For you especially the Filter based approach could be interesting. You could implement a Filter checking the token (or whatever) you get from your login server and then allow/deny certain pages on your server for certain roles.
I tried searching in Google, but I could not find any good examples where a username and password are checked with a database for authentication purposes.
In further simple words, how can I create a simple login form using Spring and Hibernate and NOT SPRING SECURITY where the credentials are checked with the database.
Please help me creating a simple login form with just Spring 3.0 and no Spring Security 3.0. Thanks.
Simplest way to do a login form post to a Spring Controller which take username and password as parameter.
In the controller you do what ever you want to authenticate the username and password. Best is to delegate to some service layer which takes care of it.
If successfully authenticated then what you want to do? May be redirect to say home page.
Now the home page rendering should know that the user is already authenticated. This is where spring security helps.
But you can also achieve by writing a Servlet Filter where you check if user is already authenticated by checking the http session. Of course after successful login you need to store that in the session then only it will be available to the filter.
There are many other ways to achieve the same which depends upon your requirement as in what kind of security control is required.
Your solution has two parts, one of which involves Spring and another that is your code:
// DAO returns null if no such username appears in the table.
String password = userDao.findPassword(username);
boolean isValidUser = (!password.equals(null));
// Write the code to implement behavior for valid and invalid users.
If you can do a database SELECT for a password, you can do Spring authentication without Spring Security.
You may need to put that logic in an aspect that's woven in before method calls.
You may want to cache that result in session and invalidate it if a timeout is exceeded.
My web app is using Spring Security 3 as login manager and users data (username, password, etc) are saved on database.
Now we added external applications that are supposed to use the same login page internally to the first app. That could be a problem especially for performance reasons. Is it possible take out the "spring security part" as a separate module? How can I keep in this case the redirection working in the main application? Design suggestions?
You seem to need a Single Sign On concept implemented.
Spring security supports two of those out of the box. You could refer to this answer for details.