How to set up Spring Cloud Data Flow security - spring

How could I set up Spring Cloud Data Flow security (login page, user, pass, ...)?
I have tried to use the following properties in application.properties, but it does not work:
security.basic.enabled = true
security.basic.realm = Spring Cloud Data Flow
security.user.name = admin
security.user.password = admin
security.user.role = VIEW,CREATE,MANAGE

Please review the security configuration section from the reference guide in its entirety.
There is no true basic-auth option provided in SCDF. It used to be in 1.7.x, but that has been deprecated in favor of OAuth+OIDC standardization since SCDF 2.0.x. That means you will have to use an OAuth identity provider to set up your custom authentication and authorization workflows.
You could use the Password Grant Type supported by OAuth2+OIDC as the mechanism to mimic the username+password-based authentication workflow. UAA can be used as an identity provider, as well. We have a sample on this subject.

Related

Spring Boot Keycloak Adapter extract roles from custom field in JWT token

I'm using Spring Boot Keycloak Adapter in my backend application.
It has properties for extracting roles from JWT token:
keycloak:
use-resource-roles-mapping: true
If this option is set to true, then the roles of the user will be extracted from the token from the field resource_access.roles[].
If this option is set to false, then the roles of the user will be extracted from the token from the field realm_access.roles[].
But I have roles in my token in another field: roles[] is placed in the root directly, without the wrappers resource_access or realm_access.
As I see it, the Keycloak adapter does not allow customizing the behaviour of extracting roles from the token.
So, the question is, how do I override this behaviour to extract roles from the token field I want?
Actually, client roles are held in resource_access.{client-id}.roles, (not resource_access.roles).
Keycloak adapters were deprecated a year ago and are not compatible with spring-boot 3. Just don't use it.
You can refer to the accepted answer to "Use Keycloak Spring Adapter with Spring Boot 3" for alternatives. The solution exposed there works for spring-boot pulling versions of spring-security with SecurityFilterChain (boot 2.4 or so) with almost no modification (just a few configuration methods have been renamed in spring-security 6 (boot 3) to align reactive and servlet DSLs).
You should read the part of the answer with "my" starters, which make it possible to configure role mapping from application.properties (or yaml): source claims (not just one claim at a time, but as many as you need), prefix and case transformation. All that for each issuer (it is possible to accept identities from multiple realms, Keycloak instances or even OIDC authorization servers other than Keycloak).
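As an added illustration (not code from the question, the answer or the starters it mentions), the following Python sketch shows the configurable role mapping the answer describes: several source claim paths (realm_access.roles, resource_access.{client-id}.roles, or a root-level roles[] array), a prefix and a case transformation. It works on a claims dictionary that is assumed to have been signature-verified already; the function names and the sample payload are constructed here.

```python
# Added example: map Keycloak JWT claims to authorities from configurable
# claim paths. Assumes the token signature has already been verified;
# roles must never be read from an unverified payload.
from typing import Any, Dict, List, Set, Tuple


def get_path(claims: Dict[str, Any], path: str) -> List[str]:
    """Walk a dotted path such as 'resource_access.todo-api.roles'.

    Returns [] when a segment is missing or the leaf is not a list, so a
    token lacking one configured claim does not break the mapping.
    Client ids containing a dot would need a different separator.
    """
    node: Any = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return [str(r) for r in node] if isinstance(node, list) else []


def extract_authorities(
    claims: Dict[str, Any],
    source_claims: Tuple[str, ...] = ("realm_access.roles",),
    prefix: str = "ROLE_",
    case: str = "upper",
) -> Set[str]:
    """Collect roles from every configured path, then prefix and re-case."""
    roles: Set[str] = set()
    for path in source_claims:
        for role in get_path(claims, path):
            if case == "upper":
                role = role.upper()
            elif case == "lower":
                role = role.lower()
            roles.add(prefix + role)
    return roles


# Constructed sample payload with roles in all three locations this
# thread mentions (realm, client "todo-api", and root-level roles[]).
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "user-123",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"todo-api": {"roles": ["users"]}},
    "roles": ["admin"],
}
```

Note that the path resource_access.roles from the question matches nothing in a real Keycloak token, because client roles live under resource_access.{client-id}.roles.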

How to get an auth code from Keycloak (OAuth2 standard flow) in a JEE-Maven project?

I need to secure a web app; the backend will be a Java REST API, while I'll use Angular for my front end.
I am using Keycloak to authenticate into my web app, but I need to follow the standard flow of OAuth, which means I need to get the auth code first and then the access & refresh tokens.
I saw some configurations, but they're all related to Spring, like putting this code in application.properties:
# keycloak properties
keycloak.realm = services
keycloak.auth-server-url = http://127.0.0.1:8080/auth
keycloak.ssl-required = external
keycloak.resource = todo-api
keycloak.use-resource-role-mappings = true
keycloak.security-constraints[0].authRoles[0]=users
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/api/todo/*
The thing is, in my project I don't have an application.properties file.
I've created a client in Keycloak; how do I have to configure my JEE project to get the auth code?
Thanks a lot
You will need to log into Keycloak and select your realm and client "todo-api". Select the Installation tab and usually the Keycloak OIDC JSON format. This will create a configuration file that your frontend application will use for managing keycloak. To enforce the Auth code flow, disable the "Implicit Flow Enabled" and "Direct Access Grants Enabled" setting on the "todo-api" client.

How to create simple login in Spring Cloud Data Flow?

Based on the SCDF document, as of Spring Cloud Data Flow 2.0, OAuth2 is the only mechanism for providing authentication and authorization.
However, I want to create a simple login page without using an authentication provider. Could I apply Spring Boot Security following this link to the Spring Cloud Data Flow project?
I have also tried the example using UAA and an LDAP server here. But I am looking for a simpler way to do authorization.

Spring Security 5 OAuth2 client password grant type

I have 2 applications:
Spring Application 1 is client and resource server.
Spring Application 2 is authorization server.
User will be able to login in Application 1 and access its resources.
And I want to implement the following flow:
User enters his credentials in the login form -> Application 1 gets a token from Application 2 using the user credentials and its clientId with the password grant type -> Access resources of Application 1 with the token.
The question is whether Spring Security 5 supports the password grant type for the client. I found all the other grant types, but not password, in the Spring Security 5 implementation.
Spring Security 5.1.x doesn't support it, see Spring Security Reference:
6.6 OAuth 2.0 Client
The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.
The following main features are available:
Authorization Code Grant
Client Credentials Grant
WebClient extension for Servlet Environments (for making protected resource requests)
HttpSecurity.oauth2Client() provides a number of configuration options for customizing OAuth 2.0 Client.
However, you could use Spring Security OAuth2, see OAuth 2 Developers Guide:
Accessing Protected Resources
As a general rule, a web application should not use password grants, so avoid using ResourceOwnerPasswordResourceDetails if you can in favour of AuthorizationCodeResourceDetails. If you desperately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral) not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).
Or you could update to Spring Security 5.2.x, see Spring Security Reference:
11.2 OAuth 2.0 Client
The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.
At a high-level, the core features available are:
Authorization Grant support
Authorization Code
Refresh Token
Client Credentials
Resource Owner Password Credentials

How to implement single sign-on for multiple web applications based on JAAS (Authorization)

I started working on JAAS with SSO, and I have some doubts about JAAS. JAAS (Java Authentication and Authorization Service) is a framework to cater to multiple authentication mechanisms. The SSO server validates sign-on information against its own database or an external directory server and returns the session context and the list of applications that the signed-on user can execute. Here I want to implement one more web application. As per my knowledge, the SSO JAAS will return the session context. In my client web applications I already have Acegi security for authentication; using my Acegi security, how can I get the session context from my SSO JAAS for authorization? I am trying to find a configuration sample, but I still didn't get any working example.
Take a look at this Spring Security configuration. It is not exactly what you want, but it will show you the way.
Key points:
Check how the authentication-manager is defined by using PreAuthenticatedAuthenticationProvider. The preAuthenticatedUserDetailsService property defines a bean that will allow you to create your Spring Security UserDetails object from the JAAS Authentication object.
The j2eePreAuthFilter filter is the one that will delegate security from JAAS to Spring Security.
The rest is standard Spring Security configuration.
Hope it helps a bit.