I want to implement a simple app that enables users to log in with a local account or to register a new account or to login with OAuth2 - e.g. facebook. For the users which chose Facebook I would like to automatically create a local account and log them in with that account.
As far as I understand Spring Social is dead (it would be really helpful if this is mentioned on the home page of the project, because it would save efforts for people like me who invested in learning spring social).
The other thing that I understand is that "OAuth2 and OIDC are now first-class citizens in the Spring Boot and Spring Security ecosystems." Seems that the right way to go is to use Spring Security 5 with its first-class support of OAuth2!
So... let's go. My application.yaml:
spring:
security:
oauth2:
client:
registration:
facebook:
client-id: senko
client-secret: topsecret
The security configuration:
#Override
protected void configure(HttpSecurity http) throws Exception {
// for the ant pattern matcher syntax, please check:
// https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/util/AntPathMatcher.html
http
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login/authenticate")
.failureUrl("/login?param.error=bad_credentials")
.successForwardUrl("/home")
.and()
.logout()
.logoutUrl("/logout")
.deleteCookies("JSESSIONID").
and()
.authorizeRequests()
.antMatchers("/login**").permitAll()
.antMatchers("/**").authenticated().
and().
oauth2Login().
loginPage("/login");
}
#Override
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(
new BCryptPasswordEncoder());
}
My user service uses local storage backed by MySQL. The login form in short (thymeleaf):
Login:
<form id="signin" th:action="#{/login/authenticate}" method="post">
<input id="login" name="username" type="text" size="25"></input>
<input id="password" name="password" type="password" size="25"></input>
<button type="submit">Login In</button>
</form>
Or...:
<a th:href="#{/oauth2/authorization/facebook}">Sign in with Facebook</a>
So far I'm able to login with local account. I'm also able to login with Facebook. What I miss here is the part where I should create a local user account after the successful Facebook login. What is the correct way to implement that? I'm totally clueless. What I've tried so far is to search in google and to read the code of OAuth2LoginAuthenticationProvider. Any help will be appreciated.
UPDATE: I'm exploring if implementing an AuthenticationSuccessHandler is a proper option...
You can register a custom bean (OAuth2UserService) that will automatically replace the default configuration. Actually the example below just delegates to an implementation from the default configuration but allows to extend / add additional logic (in this example to process a user).
#Bean
public OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
DefaultOAuth2UserService service = new DefaultOAuth2UserService();
return request -> {
OAuth2User user = service.loadUser(request);
System.out.println("User attributes: " + user.getAttributes()); // can be converted and saved
return user;
};
}
Related
Hi I have a spring application using PKCE flow, I want to use custom login page in angular application (actually I use defaul login page spring app), follow my configuration in spring:
#Bean
public SecurityFilterChain resourcedefaultSecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/categorias").permitAll()
.anyRequest().authenticated()
.and()
.csrf().disable()
.oauth2ResourceServer().jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
http.logout(logoutConfig -> logoutConfig.logoutSuccessHandler((request, response, auth) -> {
var returnTo = request.getParameter("returnTo");
if (StringUtils.isBlank(returnTo)){
returnTo = algamoneyApiProperty.getSeguranca().getAuthServerUrl();
}
response.setStatus(FOUND);
response.sendRedirect(returnTo);
}));
return http.formLogin(Customizer.withDefaults()).build();// I want disable this config and use my login form in front-en
}
I have a question about this:
I my login page what endpoint I need to send a user credentials for spring app ? '/login', 'oauth2/login' and how params I need to use in this request?
I use spring-authorization-server in 0.3.1 version
I have spring MVC application and I am trying to register different SSO login on same application. For example if url is (admin.abc.com), It should login from microsoft SSO and if the url is abc.com it should redirect to google login.
Here is my code but when I run the code both sso open with giving me the option to choose.
Is there any way I can set sso login based on domain instead of select option.
#Autowired
ClientRegistrationRepository regRepository;
#Bean
public ClientRegistrationRepository clientRegistrationRepository() {
return new InMemoryClientRegistrationRepository(Arrays.asList(msClientRegistration(), googleSSOClientRegistration()));
}
and the configuration for antmatcher is like this
#Override
protected void configure(final HttpSecurity http)
throws Exception {
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/login.htm").authenticated()
.antMatchers("/**")
.permitAll().anyRequest()
.authenticated().and().logout()
.logoutSuccessHandler(oauthLogoutSuccessHandler())
.invalidateHttpSession(true)
.logoutUrl("/logout")
.and().oauth2Login()
.failureHandler(new CustomAuthenticationFailureHandler())
.authorizationEndpoint()
.authorizationRequestResolver(
new CustomAuthorizationRequestResolver(regRepository, "/oauth2/authorization"))
.and().tokenEndpoint()
.accessTokenResponseClient(authorizationCodeTokenResponseClient())
.and().and().headers()
.frameOptions()
.sameOrigin().and().csrf()
.disable();
}
How to add antMatcher configuration based on domain url? google sso for abc.com and admin.abc.com for microsoft login with OAuth2.
Instead of having this I want to redirect base on url's.. either Google login or Microsoft.
I am trying that when a user logs into my system via Saml2, it automatically redirects him to the associated configuration based on his domain, without having to go through the login page like the one shown.
For example the user: user1#company1.com, I would like to be automatically redirected to the authentication page corresponding to the domain (company1 > singlesignon.url), without having to go through this intermediate.
I have tried to solve this using Saml2SecurityConfig, but I don't know how I have to set up it right.
How could it be done?
security:
saml2:
relyingparty:
registration:
company1:
identityprovider:
entity-id:
verification.credentials:
- certificate-location:
singlesignon.url: https://login.microsoftonline.com/XXXX/saml2
singlesignon.sign-request:
company2:
identityprovider:
entity-id:
verification.credentials:
- certificate-location:
singlesignon.url:
singlesignon.sign-request:
Saml2Config
public class Saml2Config extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
OpenSamlAuthenticationProvider authenticationProvider = new OpenSamlAuthenticationProvider();
authenticationProvider.setResponseAuthenticationConverter(responseToken -> {
Saml2Authentication authentication = OpenSamlAuthenticationProvider
.createDefaultResponseAuthenticationConverter()
.convert(responseToken);
Assertion assertion = responseToken.getResponse().getAssertions().get(0);
String username = assertion.getSubject().getNameID().getValue();
UserDetails userDetails = inMemoryUserDetailsManager().loadUserByUsername(username);
authentication.setDetails(userDetails);
return authentication;
});
http
.requestMatchers()
.antMatchers("/login/**","/saml2/**")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.saml2Login().authenticationManager(new ProviderManager(authenticationProvider))
.and().csrf().disable();
}
}
I generally see organizations disambiguate their partners via the user's email address (like how the Office 365 Portal does it) or via a customer-specific FQDN (e.g., customer.service.com) similar to how Salesforce does it with their "My Domain" configuration.
If you use email address, then you should put that into the Subject of the AuthnRequest so that the IdP can use that in the login screen.
How to I get the value of the check box in my loginpage?
In my Jsp I have a remember me check box.
<form:form action="${pageContext.request.contextPath}/amPostLogin" method="POST" modelAttribute="userLogin">
<form:input type="text" path="username" id="username" placeholder="username"required="required" autofocus="autofocus"/>
<form:input type="password" path="password" id="password" placeholder="password" required="required"/>
<br><form:checkbox label="Remember Me" path="isRemember" />
<br><form:checkbox label="Auto Login" path="isAutoLogin"/>
<form:button class="login-button" >Login</form:button>
</form:form>
In my Spring Security I have:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/am*")
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login_AM")
.loginProcessingUrl("/amPostLogin")
.failureUrl("/login_AM?error=true")
.defaultSuccessUrl("/amChatPage")
.and()
.logout()
.logoutUrl("/amLogout")
.logoutSuccessUrl("/logoutSuccessful_AM")
.and()
.exceptionHandling()
.accessDeniedPage("/am403")
.and().httpBasic()
.and().csrf().disable();
}
Now I want to get the values of AutoLogin and RememberMe in my controller.
How do I do that?
I tried creating a controller for "/amPostLogin" but for some reason it doesn't get inside the controller. How can I get the value of those checkbox in my controller? Please someone help me. Thank you.
ANSWER
Instead of getting the value of checkbox in the controller, I created an AuthenticationSuccessHandler and get the values there.
#Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
boolean isRemember = Boolean.parseBoolean(request.getParameter("isRemember"));
boolean isAutoLogin = Boolean.parseBoolean(request.getParameter("isAutoLogin"));
response.setStatus(HttpServletResponse.SC_OK);
response.sendRedirect("amChatPage");
}
If you are using spring mvc your login jsp needs some changes .
1)You login page action should be mapped to j_spring_security_check.htm, spring's UsernamePasswordAuthenticationFilter.java intercepts this url for authentication.
2)Your username and password should be mapped to is j_username and j_password , this above filter expects these fields to be set, you can check the source code.
3)You also need to provide an authentication provider in context.xml
4)You need to define lgtAuthenticationFailureHandler and lgtAuthenticationsuccessHandler. From lgtAuthenticationsuccessHandler you can direct to your home page of application.
This is the login part.You can refer many sites for login authentication in spring.
For cookie part,
what you can do is on click of remember me checkbox , you can write a javascript that will create a remember me cookie with username in it and all other parameters like expiry n all.
when next time the page loads you can write a onload javascript funtion where you can check if remember me cookie exists and based in that you can populate username and tick your remember me checkbox.
This is how i have implemented so you can try this.
Is there a way to integrate Spring Security 4 (Mainly for managing user access levels and which views they can access) and JSF 2?
I found this neat thing which allows you to mix both Spring Boot, and JSF 2 with PrimeFaces 5. Great stuff. I want to see if you can kick it up another level.
Normally you would configure Spring Security for Spring MVC like so:
WebSecurityConfig.java
#Configuration
#EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("Zyst").password("password").roles("USER");
}
}
And then those would as far as I know, do correct me if I'm mistaken, look in your MvcConfig to see what it actually means by "/home" and the like:
MvcConfig.java
#Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/home").setViewName("home");
registry.addViewController("/").setViewName("home");
registry.addViewController("/hello").setViewName("hello");
registry.addViewController("/login").setViewName("login");
}
}
However, I've been googling for a few hours and cannot really find a conclusive answer how to configure Spring Security for JSF. Can you implement your front end using JSF and then make that managed by Spring Security, so, for example Links, ie: localhost:8080/home instead of localhost:8080/home.xhtml are properly managed and served? And so that user levels defined in WebSecurityConfig.java can only access pages relevant to themselves.
From what I've (briefly) investigated it might not be possible due to Faces and Mvc being different technologies that don't particularly play well together. However, if possible I'd like to make sure of whether it's possible or not.
And if it IS possible, can you provide either a working example, or a link to somewhere that goes more in depth? I did google quite a bit but it's 100% possible I ended up missing something.
Any and all answers are greatly appreciated.
There's no problem in using Spring Boot, Spring Security, JSF and Spring Core all together, in the end, JSF views are resolved as urls and that's what you work in Spring Security with. That's an example for the configuration in my own application, which I've pruned a bit to minimize the code amount. The code is self-explanatory:
#Configuration
#EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
// Have to disable it for POST methods:
// http://stackoverflow.com/a/20608149/1199132
http.csrf().disable();
// Logout and redirection:
// http://stackoverflow.com/a/24987207/1199132
http.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.invalidateHttpSession(true)
.logoutSuccessUrl(
"/login.xhtml");
http.authorizeRequests()
// Some filters enabling url regex:
// http://stackoverflow.com/a/8911284/1199132
.regexMatchers(
"\\A/page1.xhtml\\?param1=true\\Z",
"\\A/page2.xhtml.*")
.permitAll()
//Permit access for all to error and denied views
.antMatchers("/500.xhtml", "/denied.xhtml")
.permitAll()
// Only access with admin role
.antMatchers("/config/**")
.hasRole("ADMIN")
//Permit access only for some roles
.antMatchers("/page3.xhtml")
.hasAnyRole("ADMIN", "MANAGEMENT")
//If user doesn't have permission, forward him to login page
.and()
.formLogin()
.loginPage("/login.xhtml")
.loginProcessingUrl("/login")
.defaultSuccessUrl("/main.xhtml")
.and().exceptionHandling().accessDeniedPage("/denied.xhtml");
}
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
//Configure roles and passwords as in-memory authentication
auth.inMemoryAuthentication()
.withUser("administrator")
.password("pass")
.roles("ADMIN");
auth.inMemoryAuthentication()
.withUser("manager")
.password("pass")
.roles("MANAGEMENT");
}
}
Of course, this code works with *.xhtml suffixed urls, as they're served by the JSF Servlet. If you want to avoid this suffix, you should use a url rewriting tool as Prettyfaces. But that's another story that has already been widely discussed in StackOverflow.
Also, remember to target your login form to the configured login processing url to let Spring Security handle the authentication and redirection to your main page. What I usually do is to use a non-JSF form and apply the Primefaces styles on it:
<form id="login_form" action="#{request.contextPath}/login" method="post">
<p>
<label for="j_username" class="login-form-tag">User</label> <input
type="text" id="username" name="username" class="ui-corner-all"
required="required" />
</p>
<p>
<label for="j_password" class="login-form-tag">Password</label>
<input type="password" id="password" name="password"
class="ui-corner-all" required="required" />
</p>
<p>
<button type="submit"
class="ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only">
<span class="ui-button-text">Login</span>
</button>
</p>
</form>
See also:
Spring and JSF integration
Spring Boot JSF Integration