How to set up a database for authentication and data management - vaadin-grid

I just finished the in-depth course on Vaadin Fusion (@marcushellberg). It was really good.
Now I'm trying to do the same, but now I have a Postgres database with info, and I don't know how to load the information into the grid from the database.
And how to authenticate a user from the database instead of hardcoding the credentials... Can anyone help?
I just created my personalized entities, endpoints, repositories and the view for one of them; however, the view does not load the info from the database. I also have the application.properties file with the database info, and it is tested.
Is there something that I am missing?
Thanks in advance and if you need more info from my project just let me know.
I notice that in my browser I am getting this:
Error: Endpoint 'SupermercadosEndpoint' method 'getSupermercadosData' request cannot be accessed, reason: 'Access denied'

Vaadin Fusion uses Spring Security, so you can follow any Spring Security tutorial on database authentication if you want to store your credentials there. Here's one, for example: https://www.baeldung.com/spring-security-authentication-with-a-database
For the endpoint access, ensure you have @PermitAll or another appropriate annotation on the Endpoint, as they are deny-all by default when you have security enabled: https://vaadin.com/docs/latest/fusion/security/configuring/#security-options
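An added example (not code from the question, the answer or the Vaadin course) of what the two points above look like together: a UserDetailsService that reads users from the database instead of hard-coded credentials, and the endpoint from the error message opened up with access annotations. UserRepository, UserEntity, SupermercadoRepository and Supermercado are assumed names for the JPA entities and repositories; the Endpoint import is the Vaadin 20-22 package.

```java
// --- DatabaseUserDetailsService.java ---
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// UserRepository (Spring Data JPA, with Optional<UserEntity> findByUsername) and UserEntity are
// hypothetical names. Spring Security uses this bean instead of the hard-coded in-memory users.
@Service
public class DatabaseUserDetailsService implements UserDetailsService {
    private final UserRepository users;
    public DatabaseUserDetailsService(UserRepository users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserEntity u = users.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("Unknown user: " + username));
        // The stored value must be a PasswordEncoder hash (e.g. BCrypt), never the clear-text password.
        List<SimpleGrantedAuthority> authorities = u.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());
        return User.withUsername(u.getUsername())
                .password(u.getPasswordHash())
                .authorities(authorities)
                .build();
    }
}

// --- SupermercadosEndpoint.java ---
import java.util.List;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import com.vaadin.fusion.Endpoint; // Vaadin 20-22 package; older Fusion releases use a different one

// Fusion rejects every endpoint call unless the class or method carries an access annotation;
// the "Access denied" error in the question is exactly that default.
@Endpoint
@PermitAll                        // class default: any authenticated user may call these methods
public class SupermercadosEndpoint {
    private final SupermercadoRepository repo; // hypothetical Spring Data repository
    public SupermercadosEndpoint(SupermercadoRepository repo) { this.repo = repo; }

    public List<Supermercado> getSupermercadosData() { return repo.findAll(); }

    @RolesAllowed("ROLE_ADMIN")   // method-level override: only users holding the ROLE_ADMIN authority
    public void deleteSupermercado(Long id) { repo.deleteById(id); }
}
```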

Related

Where does Spring Security store my session data by default?

I'm currently trying to implement some basic security structure in my Spring Boot project, but I can't find a really concrete answer to what is going on in the authentication process. Basically, I just followed this tutorial:
https://leaks.wanari.com/2017/11/28/how-to-make-custom-usernamepasswordauthenticationfilter-with-spring-security
And it seems to be using the default Spring Security protocols and stuff; I really only implemented a custom filter where my code checks MongoDB for an existing user, and the thing works as expected.
The thing is, Postman tells me that whenever I do a successful login I receive a JSESSIONID cookie, and this cookie is used on GET requests, for example. If there is a session ID, I assume that Spring somehow knows how to map the ID to users, but how? I haven't set up any DB configuration for that, and Spring seems to store that state somewhere. How can I access it, or change to a DB whose access I have control of?
If you want to save sessions to a database, you can add the org.springframework.session:spring-session-jdbc dependency. You can choose the SQL file from here for your database and create the tables.

Get Google User data with Keycloak identity provider

I have successfully set up Google as Identity Provider in Keycloak, following the docs, and I'm now able to log in to my application using Keycloak.
Is there a way to get the user data from the Google account that is logged in? In my application I would like to retrieve profile information like in this example and then add it later to my mappers so I can see it in my access token (adding attributes to my access token is not an issue; that works fine).
Try making a request against the userinfo endpoint:
https://www.googleapis.com/oauth2/v3/userinfo?Access_token=XXX
It should work, but you may have to add a profile scope to your request; I can't remember.

Spring Security Kerberos SSO for a REST API (Tomcat)

Here is my problem:
Context:
- Windows Server 2012 with Active Directory
- Tomcat
- REST API (Spring)
I'm currently trying to restrict REST requests. I want only specific groups of the AD to be able to access specific resources. I'm restricted to Kerberos authentication.
System configuration
Create a user in domain "Tomcat"
setspn -a HTTP/apirest.domain@DOMAIN
Generate a tomcat.keytab using ktpass
REST API configuration
I'm using the Spring Security sample on GitHub that you can find here:
https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth
I know that there is an EntryPoint and this is not needed in my context (REST API). I've chosen this sample because it seems to use the Windows authentication context and use it to automatically authenticate me in the Spring Security context. Right after, an LDAP request is sent to extract all information about the logged-in user. In my case, I need to extract the group.
I'm also using :
https://github.com/GyllingSW/kerberos-demo
To extract the role of the user with the class "RoleStrippingLdapUserDetailsMapper.java" instead of the "ActiveDirectoryLdapAuthoritiesPopulator". This implementation also offers localhost authentication, but the issue with the NTLM token seems to be fixed in the last commit of Spring Security.
I'm not really sure if this is the right way to do what I want.
My authentication seems to fail and I only have one thing going wrong in my logs:
"Property 'userDn' not set - anonymous context will be used for read-write operations"
Questions
Do I have to run my Tomcat service using the Tomcat account? (Seems to be yes.)
Am I doing the right things with Kerberos security?
How can I get rid of the anonymous context?
The anonymous context seems to be set right after Tomcat starts. I want to get a context just after my user (for instance, user1) requests the REST API (EntryPoint or whatever).
If there is something unclear let me know, I will try to reformulate!
Thanks,
You do not need to query LDAP to get information about which groups a user belongs to. Active Directory already adds this information to the Kerberos ticket which is sent from the browser to Tomcat.
You just need to extract this information from the token, for example using the Kerb4J library. It comes with Spring integration inspired by the spring-security-kerberos project, so it should be pretty easy to switch to it.
If you still want to query LDAP, you need to authenticate in LDAP before you can make any queries. Again, there's no need to use end-user accounts for it; you can use the keytab file for Kerberos authentication in LDAP and query groups using the "Tomcat" account.
I found a way to fix my issue.
In a REST API context, you have no entry point. I tried to set my entry point to an unmapped URL, just to do the negotiation. By doing this, you will receive an HTTP response with the error code 404 (Not Found), but with the right header added by Spring Security (WWW-Authenticate).
The web browser will not send the service ticket if the error code is not 401.
To solve this problem, you have to create a CustomEntryPoint class (implementing AuthenticationEntryPoint) and override the "commence" method to return a 401 HTTP code with the right header.
I hope that helps. If there is a better way, let me know!
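As an added example (not the answerer's code and not part of the spring-security-kerberos sample), this is what such an entry point and its wiring can look like for an API with no login page: the client gets a 401 with "WWW-Authenticate: Negotiate" and a small JSON body instead of a redirect. The KerberosServiceAuthenticationProvider and authentication manager are assumed to be configured as in the sec-server-win-auth sample.

```java
// --- NegotiateRestEntryPoint.java ---
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

// Browsers start SPNEGO only when they see a 401 carrying "WWW-Authenticate: Negotiate". The 404
// described above is ignored even though it has the header, so the entry point answers 401 itself.
public class NegotiateRestEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        response.setHeader("WWW-Authenticate", "Negotiate");
        response.setContentType("application/json");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // A REST client has nothing to render, so a short JSON body replaces the login page.
        response.getWriter().write("{\"error\":\"authentication required\"}");
    }
}

// --- RestKerberosSecurityConfig.java ---
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class RestKerberosSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and()
                // every unauthenticated request gets the 401 + Negotiate challenge from above
                .exceptionHandling().authenticationEntryPoint(new NegotiateRestEntryPoint())
            .and()
                // the SPNEGO filter consumes the ticket the browser sends back after the challenge
                .addFilterBefore(spnegoAuthenticationProcessingFilter(), BasicAuthenticationFilter.class);
    }

    SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter() throws Exception {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        // assumes the sample's KerberosServiceAuthenticationProvider (keytab + SPN) is registered
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }
}
```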

Spring SSO always creates new session after refresh the client web app

I was creating my own OAuth2 server with SSO enabled for Google and Facebook. I found this example https://github.com/spring-guides/tut-spring-boot-oauth2 to be very useful and I was able to make my OAuth2 server expandable after several tweaks.
For session storage, I used Redis and everything seems to be working with the Spring magic.
However, I encountered a session problem when implementing logout. According to single sign-on best practice, when a user logs out from one client, all other clients with the same session from the auth server should also be logged out. So I added an endpoint for each client to invoke upon successful login to register its name based on the user session from the auth server. However, I noticed that each time I refresh the page on my client web app, I get a new session from the auth server. As a result, each time I try to log out, the session associated with all registered clients will always be the old one.
I've been searching for solutions online but no luck yet. It would be greatly appreciated if someone could help me with this issue.
TL;DR version:
I implemented an OAuth2 server with SSO enabled for Facebook with Spring Boot. After I successfully logged in with my Facebook account, I can see my client web app resources. Every time I refresh the page, I see a new session get created by the OAuth2 server, and it gets stored in the Redis storage; all the old sessions are kept in the storage as well.
UPDATE
It seems that all the new sessions are generated by anonymous users each time I refresh the page.
OK, after some digging, it turns out that an anonymous user in Spring Boot is not much different from an unauthenticated user, according to this doc: https://docs.spring.io/spring-security/site/docs/current/reference/html/anonymous.html.
It makes sense that every time I refresh the page a new session is generated. My problem was that I wasn't using the correct session ID when registering the client app upon successful user authentication. Therefore I overrode the "SavedRequestAwareAuthenticationSuccessHandler.java" file so that I can obtain the client_id from the request parameter and then register the correct session ID, obtained from the Authentication object, to this client ID.
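An added example (not the poster's code) of the handler described above: the session id is read only after authentication has succeeded, and the client_id is taken from the request parameter with a fallback to the cached /oauth/authorize request that triggered the login. ClientSessionRegistry is a hypothetical Redis-backed store of session id to client ids, read again at logout.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

// ClientSessionRegistry is a hypothetical store (e.g. in Redis) mapping the auth-server session id
// to the client_ids that logged in through it, so single logout can notify each of them.
public class ClientRegisteringSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    private final ClientSessionRegistry registry;
    private final HttpSessionRequestCache requestCache = new HttpSessionRequestCache();

    public ClientRegisteringSuccessHandler(ClientSessionRegistry registry) {
        this.registry = registry;
        setRequestCache(requestCache); // use the same cache as the redirect logic in super
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        // Read the id of the session that exists *after* login. Session-fixation protection (on by
        // default) changes the id during authentication, so an id captured from the earlier anonymous
        // request is exactly the stale "old session" the question describes.
        String sessionId = request.getSession().getId();
        String clientId = request.getParameter("client_id");
        if (clientId == null) {
            // The login POST itself usually has no client_id; the /oauth/authorize request that sent
            // the user to the login page does, and it is still in the request cache at this point.
            SavedRequest saved = requestCache.getRequest(request, response);
            String[] values = saved == null ? null : saved.getParameterValues("client_id");
            clientId = (values != null && values.length > 0) ? values[0] : null;
        }
        if (clientId != null && !clientId.isEmpty()) {
            registry.register(sessionId, clientId, authentication.getName());
        }
        // super redirects to the saved request and removes it from the cache, so it must run last.
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```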

Need to authenticate my Spring MVC web application against Active Directory LDAP and then the database together

My requirement is to authenticate the login request against the Active Directory LDAP and against the local DB, as the user may be created manually or by the LDAP.
I am loading all the users in my database in a users table, but I want to make the dynamic login to LDAP for the LDAP users; only if the user did not get authenticated by LDAP (invalid login or invalid user) do I need to authenticate it against the DB.
I am not certain on this, so obviously please confirm, but in your Spring security.xml, set up two authentication providers under your authentication manager: first your LDAP one and then your database one. A failure with the LDAP authentication should cause the DB one to activate and give the user a second chance to authenticate with the same credentials. Also see this article for some testing I had done earlier with Active Directory and Spring Security.
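As an added example (not the answerer's configuration), the same two-provider chain in Java config rather than security.xml, with the fall-through rule that decides whether the database is actually consulted. The domain, LDAP URL, UserDetailsService and PasswordEncoder beans are placeholders and assumed to exist.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
public class ChainedAuthConfig {

    // Provider 1: binds to AD with the submitted credentials. A wrong password or unknown user
    // surfaces as BadCredentialsException. Domain and URL are placeholders.
    @Bean
    public ActiveDirectoryLdapAuthenticationProvider adProvider() {
        ActiveDirectoryLdapAuthenticationProvider ad = new ActiveDirectoryLdapAuthenticationProvider(
                "corp.example", "ldaps://dc.corp.example:636");
        // Map AD sub-error codes (locked, expired, disabled) to the matching AccountStatusException
        // instead of a generic BadCredentialsException; see the note on the manager below.
        ad.setConvertSubErrorCodesToExceptions(true);
        return ad;
    }

    // Provider 2: the local users table, via a UserDetailsService bean (assumed) and the hashes in it.
    @Bean
    public DaoAuthenticationProvider dbProvider(UserDetailsService localUsers, PasswordEncoder encoder) {
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(localUsers);
        dao.setPasswordEncoder(encoder);
        return dao;
    }

    // ProviderManager tries providers in list order and moves to the next one only when the
    // current one throws a plain AuthenticationException such as BadCredentialsException.
    // AccountStatusException (locked/disabled/expired) and InternalAuthenticationServiceException
    // abort the chain at once, so an AD-locked account is not retried against the database, and a
    // connection failure to the domain controller never reaches the DB provider either.
    @Bean
    public AuthenticationManager authenticationManager(ActiveDirectoryLdapAuthenticationProvider ad,
                                                       DaoAuthenticationProvider db) {
        ProviderManager manager = new ProviderManager(List.of(ad, db));
        manager.setEraseCredentialsAfterAuthentication(true); // drop the password once a provider succeeds
        return manager;
    }
}
```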
