everyone. Please i'm new in spring boot. Someone has ressources or project to implement spring security authentification (Login, Logout, Autorisation)
Please
Well you have to search this on your own. But as a starting point read this https://spring.io/guides/tutorials/spring-security-and-angular-js/.
Read it, play with it.
Probably you may need to read it multiple times if you are new to security stuff (I had to read it many times).
If you are really really new, start from the basics (ex: authentication vs authorization).
The journey is hard, but worth it (go for youtube resources as well, probably will make a difference in speed of the journey).
After all this is security we are talking about, right? :)
Good luck.
Related
Anybody have experience using OAuth2.0 and OAuth 1.0a client authentication in same Spring Boot application? Having some trouble getting the 2 working in the same system. Our use case -
User can connect multiple 3rd party accounts to our web app. This connection happens via OAuth, and in the case of 3rd party services that use OAuth 2.0, we have no problems. Now we want to add Twitter as a supported connection, with their OAuth 1.0a path we are having a lot of trouble getting this to work. Can only find examples of this using spring-social and that probably doesn't fit our use case as it isn't compatible with the rest of our integration paths.
Any experience or input would be greatly appreciated.
rms.
Keep in mind that OAuth 2.0 is really not backward compatible with OAuth 1.0, so you won't find a solution that will handle both versions simultaneously.
To help you understand better the difference between the two, I suggest reading How is OAuth 2 different from OAuth 1?
You would need to handle both version separately, which may lead to some pretty confusing pieces of code.
Anyhow, it's a shame that Twitter isn't migrating to OAuth 2.0 for user-based authentication, that would make everything much less complicated for you.
First off, you'll need both spring-security-oauth and spring-security-oauth2 dependencies. I suggest looking here: https://github.com/spring-projects/spring-security-oauth/tree/master/samples
There's an example for both versions.
I'm not sure how you configured your OAuth2, but since the two dependencies mentionned above do not use the same property names and OAuth2 can almost be entirely configured through the properties file, I doubt you need to worry about OAuth2's implementation.
I have an example about the implementation of OAuth2 with nearly no configuration required here https://github.com/TwinProduction/spring-security-oauth2-client-example , maybe you can start off that, add the OAuth 1.0 dependency and build your way up from there.
Good luck!
My suggestion,
Use scribe. They have done an amazing job getting the OAutdone across a large base of providers. Go to their example source code, plugin your appId and secret and you can pretty much see almost all the providers working
https://github.com/scribejava
I've been 2 days trying to understand how does Spring social works. I don't have a high Spring knowledge so i might be asking something really stupid , sorry in thath case :P. The thing is that the example provided by Spring works prefect, but when i try to do exactly the same on other project, when i try to access to /connect/facebook the browser ask me for a username and password, i dont know why.
Thanks you for your time! :P
Hehe, i think i finally found out the problem. I was importing Spring security dependencies and some other that i didn't need.
I am developing a jsp dynamic web project on eclipse.
I want to create an website with login functionality. I intend to store users' accounts and passwords in MySQL database. Of course, different users have different roles and rights to access different web pages. What is the best approach to implement it?
So far, I know these approaches:
1) Users enter accounts/passwords in login.jsp. LoginServlet then connects to MySQL database to check if it is correct. AuthenticationFilters will make sure only users with rights can access certain pages.
2) Use Role Based Authentication by declaring user roles in web.xml. I find this approach is not flexible, because I need to declare roles in advance.
3) Use HttpServletRequest's login/logout methods. I have not studied it.
Is my understanding correct? Could someone gives me some suggestions? Some clues would be very helpful!
Besides, I know that using POST alone to send passwords is not safe enough. Many websites suggest to use HTTPS connections. So if using HTTPS connections, does it affect the approach I choose to implement the login function?
Thanks!
--
Now, I know I need to use Spring. But Spring seems difficult for me... In Spring website I cant find out the link to download jar files. The user guide says I need to use Gradle or Maven, which I haven't used before, and have no idea why I need them. Besides, there are many Spring projects. Which one should I choose? Spring framework?
--
Have you looked into using Spring Security? It's built for just that. You don't need to be familiar with Spring but it may help.
Here are a couple of tutorials that use database authentication:
1: Spring Security Authentication and Authorization Example with Database Credentials
2: Spring Security Login Example with Database
Edit:
You don't have to Maven or Gradle. You can simply add the jars to your build path and they will work. The only projects you need to implement for the login to work is the Spring Framework and Spring Security.
To use Spring Security without Maven or Gradle:
Download the Spring Framework jars, unzip them, and add them to your project and build path. It's probably a good idea to find a hello world tutorial using Spring to get you started. A quick Google search should turn up many results.
After you have Spring implemented in your project, download the Spring Security jars, unzip those, and add them to your build path. The links to the tutorials that I previously posted will get you started. They may take a little while to go through and you may not understand exactly what is happening behind the scenes, but once you get it set up is works outstanding. I'm also not sure if you are using xml configuration or Java config but I believe those tutorials are for xml.
Spring Security was built so that it could be added to any project and have you up and running with basic configuration in about 15 minutes. After you get the basic login going (it will use the generic login form), you can search for how to implement your own custom login form, add permissions or restrictions to users and url patters, adding custom filters, etc. I encourage you to spend some time learning it as it is highly flexible and customizable.
I'm going to start the development of an web application system with multiple modules. The system will be built over Springframework, which is the reason why I'm going to use Spring Security. However, I have doubts about the choice of the authentication system.
The idea is to create restufull services that will be consumed by extjs pages (in case of web application) and mobile application.
Please suggest alternative authentication systems (more current). I have minimal expertise in system security and I'm worried about how to protect user credentials while maintaining a high level of response speed.
Even though you have no prior experience with Spring Security, I would still recomend that you use it:
It works very well out of the box with minumum configuration effort.
There is alot of support available because it has become the de facto standard security implementation on many full stack solutions. It is unlikely that you will run into a problem that has not been solved before
Spring Security is very robust and well tested.
out-of-the box integration for almost anything i can think of
finally, spring-security is ment for the springframework. The integration is flawless. Why give up the best part the framework has to offer?
Response speed should not be a criteria when selecting security framwork. Usually repsonse speed is slow due to bad software design or configuration issues. I have never ecountered a system that was slow due to the selected security framework.
I started using Spring Security a few years ago. It took me less than a week to set it up and It has worked properly ever since.
If you need to go for simple authentication then this can easily be achieved mentioning it in Deployment Descriptors , you can specify Authorization Constraint, Security Constraints for Resources, Authentication mechanism and all . pls have a look at this link :
http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html
I'd like to learn Spring MVC framework basis.
My personal experience tells clearly that more than reading manuals, docs, howtos only is only one important part of self-training, but to capitalize real experience you need to solve real problems.
May someone suggest a fake-project that I can implement in my free-time, avoiding only-theoretical approaches and at the same time watch at the main issues of Spring programming?
Does a NerdDinner.com-like free-chapter somewhere exists for Spring?
You could go through each of the Spring samples, and attempt to recreate them on your own.
I have found that a very effective method for learning Spring is to go on the Spring JIRA and solve a bug. It forces you to get down and dirty in the code, and you get to see what's really going on behind the scenes.