I'm running a Spring app on Kubernetes. App is authenticated via keycloak (also run on k8s).
The problem is that in case when Kubernetes will have configured more than one edge node I can connect only from node which is configured in keycloak.auth-server-url in the Spring app. On other edge nodes I'm getting Invalid token issuer error. Do you know any solution for that problem?
Remember that first, during keycloak configuration you have to create a new client with the name persons-app specific for the application. You can do that under Clients in the left column and then clicking Create.
Then proper redirect URL needs to be configured.
After setting up the proper client, a new role user is added to Keycloak. This role can later be assigned to individual users in order to define appropriate access policies.
The last thing you have to do is creating an actual user and assigning the newly created role to that user. This can be done by clicking Add User under the page Users.
Next, you have to set a password for the user. In this example, it is the standard password for example projects (i.e. password).
Roles of a user can be managed under the tab Role Mappings. You have to add the role user to Assigned Roles.
That's it. Keycloak is now ready to be used and has already a very (very) small user base. Now you can proceed to the actual application, which should be secured.
Remember that in order to store relevant information and configuration, a PostgreSQL database must be set up first.
More information you can find here: spring-keycloak.
Related
Assume I have a database composed of user and projects. A user has a one to many relationship with projects. The user can do operations using rest endpoints.
The problem is:
how can I verify that this user owns this resource?
I don't want a malicious user to change an id then suddenly he views another person's project details/images/etc. Think of it like a social media (my app is not a social media but trying to illustrate the issue): where you can view only your images but not another person's images despite having the same "status".
Most spring-security blogs online is using a role based approach. I have no idea what to even search for in this case (tried multiple search queries to no avail).
One option is to run some sort of multijoin query on every resource request/operation till I reach that resource id and check it's owning user to check if it is the logged in user. However, I am not sure if this way is efficient since there are multiple tables in a chain in the real app (could have a lot of joins if I go this way manually; example: user -> project -> tasklist-> ... -> Note; deleting a note would trigger a large chain) or how to make the "authorizer" use it.
what are my options?
In case it matters:
I am using spring-boot + hibernate/JPA + spring-security
Spring Security has the following concepts:
Authentication:
Proving the an actor is who it vouches to be. Authentication is done using credentials, where credentials can take any number of forms - username/password, token, hardware key, etc.
You can set up Spring Security with a set of acceptable authentication providers.
Authorization:
Given an authenticated user, deciding if that user has access to a given resource. Where the resource can be:
An HTTP endpoint.
An Java Method.
A property of an object.
What you want to do here is provide a custom authorization scheme.
You can read about Spring Security's authorization architecture here, including how to set up custom authorization. Once you're ready you might ask specific questions as you go.
On a JHipster application, I've added a custom authentication provider, to verify user and password of Active Directory users that have login inside. This custom component implements AuthenticationProvider, and inside "authenticate" method, istance an ActiveDirectoryLdapAuthenticationProvider object to get authentication and verify presense on specifical groups.
With a simple A.D. test environment I've no problem, but in production, my company ask me to bind a service account, and I cannot found any method to setup manager-ad and password. How can I get around this problem?
On Spring documentation I've read the phrase "There is no concept of a "manager" user."
My app use 5.1.8.RELEASE
Thanks!
Looking at the code, it validates the user's credentials by binding using the user's credentials. That's really the only way to validate credentials.
I assume, since it has already made a successful bind, it just continues on making whatever search it needs to.
There might be a way to use different credentials for reading the groups, but it all depends on what your current code looks like. But there really is little point in doing this. You have to bind using the user's credentials to validate their credentials. So you may as well continue using that same connection.
I'm connecting to the v1 connect API to grab inventory for a couple items in my store. I'm using the PERSONAL_ACCESS_TOKEN
The end point is connecting fine, but it's returning a blank dataset, presumably because when i connected to v1/me
I only have the following permissions :
"account_capabilities":["EMPLOYEE_MANAGEMENT","TIMECARD_MANAGEMENT"]
Inventory needs "ITEMS_READ", is there a way to change this without having to use OAuth, or am i stuck making an oAuth request everytime i need to pull inventory?
I believe this is occurring because your Square account is a Multilocation account. Because of this, you need to access Connect API endpoints slightly differently:
Use the List Locations endpoint (/v1/me/locations) to get the id for each of your business's individual locations.
To access item, inventory, or payment information for one of your individual locations, provide that location's id as the value of the merchant_id path parameter (instead of providing me) in your request.
Note that the account_capabilities listed by /v1/me are different from capabilities described by OAuth permissions. Regardless, your personal access token grants you complete access to all endpoints for your own Square account.
I want to add a feature to my spring roo project. I have an user entity that logs into the application and adds additional users.
When I add those users there is an email adress(field) on which I want to send the validation with additional link to activating the account. Also the user has a field that represents if he or she has an active profile in a way is it possible to log in or not - this field needs to change after I click the provided link in the email.
I already have an velocity templates and everything set up, I just need the process of forming that link and assuring that the user will have an active account after clicking on it.
I solved this using a REST call and Spring Security. When the user first signs up, you create the UserDetails object (mine was in a DB table), but set it as not enabled before you save it (there are 4 booleans in the UserDetails object you can manipulate to enable/disable the user in various ways that Spring Security checks). I also stored a UUID code I generated off the user id in a table, and then generated an email which included a link to the REST service to validate the account.
The REST service was simple. The user clicks the link, which would include the UUID code I generated. You could optionally require them to enter some number or do something here as another authentication step, but in my case I simply looked up the UUID to get the associated UserDetails, flipped the bit to enabled and saved it, and sent them to a page saying their account was now active. I then did something like in this post to auto-login the user.
I am using Tomcat realm for security and my question is that I didn't know where to get the user's information after logging in.
I want to use the role of the user that has logged on and I don't know what Tomcat sets in it's session after logging on.
Tomcat follows the servlet specification and makes the user's information available to your webapp in two ways:
Use request.getUserPrincipal to get the java.security.Principal that represents the user. You can call Principal.getName to get the user's name.
Use request.isUserInRole to check if a user has a particular role.
Note that you can't just get "the user's role" because the user may have multiple roles. The standard API does not include a way to get all the user's roles: you have to check for them individually.