Custom Role Based Authorization in Spring Boot - spring

I am developing a web application where I have React as my Frontend and Spring boot as the Backend REST API. I have authentication mechanism setup where user can login with email and password. My application will be used by a group of people for a company. The admin user will login initially and sends invites to other people in the group with predefined access privileges available in the application. How can I implement this type of role based access in spring boot.
I gone across Spring security for role based access, but I didn't find how to create custom fine grained roles based on our web application. Please someone help just to give me the path I need to go.
P.S: I want to implement the way AWS or other cloud providers implement there IAM roles to assign it to different users in their organization but not as complex but a similar functionality

Related

Spring webapp with multiple auth type: basic and social login togheter

I wrote a spring boot webapp with spring security authentication over jpa. It uses jwt to grant access to a simple html/js application.
I'd like to add oauth2 flow in order to allow users to authenticate over github or google or whatever cloud system.
What kind of solution may I adopt to target it?
I see many applications like udemy, for example, or others. They allow multiple authentication types:
username and password
google account
facebook account
How may I replicate this behaviour in my webapp?

How to integrate Keycloak user data into app db

I have a spring boot application and a user column in my app db. The problem is now that my user informations are divided up at the spring boot db and the Keycloak db.
I found this older posts where there synced the data manually (redundant on both dbs), isn't there a best practice way, isn't this a standard usecase, I am wondering why there is no information about this?
How to integrate or make use of KeyCloak user database in my application?
Keycloak provider and user storage
I would say that the standard use-case is you connect
Keycloak to your application's database, which contains users' information (keycloak is just a server to authenticate your users).
To be able to connect from Keycloak to your application's database, you need to implement new Service provider interface (User Storage SPI) as mentioned in the documentation.

Spring Boot REST service – End User Authentication vs APP (REST client) Authentication

I have gone through many posts and articles but didn't find a straightforward solution for the case below which I have to implement.
Platform: Spring Boot 2.x.x (Spring Security 5.x.x) with embed Tomcat
Solution: REST service that consume many client apps and many end users.
I have to implement a REST end point /api/search which accessible for many client application. As an example, web application APP-X (Angular), web application APP-Y(Jquery/Bootstrap) and mobile application APP-Z (IOS). All three clients are separate entities (both technical perspective and business perspective).
So I have to authenticate above application using onetime token. Therefore I planned to go for Spring OAuth2 by enabling #EnableAuthorizationServer and #EnableResourceServer. For each app client I’ll generate a token and they can use it when they connect with my REST service. Is this approach correct?
Apart from the app clients system has capability to register and login functionality for end users. Also my end point (/api/search) can access both anonymous users and users who registered under ROLE_REGUSER role. And through the security context, I need to access the user details as usual user authentication.
This is the place I got stuck. How can I handle the following points together using Spring Security 5.x.x (Spring Boot 2.x.x).
I. Both client apps and end users authentications.
II. Allow access for anonymous users and registered users for same end point.
I have attached small diagram to elaborate the above scenario.
Thanks
I found a solution when I upgraded my spring security version to 5.2. In version 5.2, they have depreciated #EnableAuthorizationServer and #EnableResourceServer. So I had to move with an external authorization provider who supports auth2. I chose AWS Cognito, and fulfill the above requirement, using the user pool option.
In AWS Cognito
I created a user pool.
Then created two app clients in the same user pool.
One app client configured as support to the client credentials flow.
The second app client configured as support to the user authentication flow.
In client applications
Retrieve access token directly from AWS Cognito using client credentials and used to secure all API calls.
If a user login at any stage, retrieve access token directly from AWS Cognito using the authorization code and replace any existing access token.
The advantage is, the resources server can validate any access token that generated related to the same user pool.
In resources server (backend API/Spring Boot)
Validate access token.

Authenticate user within Spring Boot + Vaadin application

I am building a Spring Boot application with Vaadin as front end. The application uses a third party library to authenticate the user with his identity card via SAML.
After this authentication the user is redirected back to my service and I can fetch the authentication result and optional attributes.
My question is, how can I implement the protection of specific Vaadin views within my application based on the authentication via the user's ID card and how do I set the user as authenticated appropriately?
I am new to Spring Security and the majority of its examples shows authentication via a login form with username and password which does not fit in this case.
You can find two approaches to secure your Spring Vaadin Application with either filter based (so only Spring Security) security, or a hybrid approach in this Github repository: https://github.com/peholmst/SpringSecurityDemo
You can also find blogposts about both approaches here:
Filter Based Security
Hybrid Approach
For you especially the Filter based approach could be interesting. You could implement a Filter checking the token (or whatever) you get from your login server and then allow/deny certain pages on your server for certain roles.

Spring security, LDAP and SSO

I am trying to build an application where login is done by siteminder SSO. Once login is done I need to get the user info(like roles,permissions) for logged in user from LDAP and put in session.
Aslo I am using spring MVC to expose REST services. I want my rest services to be accessible only for certain roles(Like Manager/Admin etc). Also UI will display/hide pages based roles.
I want to know what is the best approach to achieve the above.
Please note I am using spring MVC on WAS7.

Resources