I am trying to implement a role management for in spring boot APIs.
I went through the link but I could not get the below details
1. Here they are using #Secured, I am not sure when actually role verification is called
Because there is a separate server which has the Role and Authorities details, Hence I want to call External Server to fetch the role and verify the Authorities ? here external server will give role details like userid and roles and allowed action like Delete, Create etc .
2. how the username or userid is fetched while validating the access ?
Related
I have added a oauth-2 resource server in my spring boot resource API. Auth0 handles authentication.
I want to store a User object locally in a database as they have relations, like products in a cart.
I'm thinking of creating a auth0 custom action, that calls the resource server endpoint /post/user and creates a new User object with auth0's user identifier. So on each call I can retrieve the user with the identifier (from access token) from my db.
What is the best way to solve this problem?
I'm currently using OAuth with the password grant type to manage the security of my Spring Boot application. Now I want to store a login id which is queried by the auth server from the database when the client has successfully requested an access token.
To realize this I thought of passing it with the JWT. I used a custom TokenEnhancer in combination with a TokenChain to add the additional login id, which works fine. My problem is that I couldn't find a way, other than parsing the token myself, to get that login id.
Another, but a very bad solution could be to just pass it as authority.
I created an entity with crud operations.
I have used spring-boot, spring-security, oauth2, jwt.
By this article http://sivatechlab.com/secure-rest-api-using-spring-security-oauth2-jwt/
Why do I need to create the table oauth_client_details?
When I want to login, first I need to enter login and password from oauth_client_details
And after that enter username and password for my user
How should I tune login for my entity and receive a token after success login?
If you use JdbcTokenStore, you need to setup oauth related table in database. In my template project, I use JwtTokenStore for oauth2 stateless.
So, you don't need any oauth related table. Here complete spring-boot-rest api sample project. You can reference the following thing
spring-boot
mybatic with mysql
ExceptionHandlerAspect
LoggingAspect with log4j2
ResponseBodyAdvice
ResponseEntityExceptionHandler
spring-security-5 with oauth2
Run DB.sql for database setup in src/main/resources.
When I want to login, first I need to enter login and password from oauth_client_details
If you use oauth, you have to know your application structure. Oauth2 have the following flow -
Authorization Code Grant
Implicit
Client Credential Grant
Password Grant
In my application, I use Implicit because of - We have
Server REST API (spring-boot)
Web Site (client)
Mobile App (client)
Customer/User (Actual User)
So according to oauth, client(web site or mobile app) need to authenticate itself.
Otherwise, you cannot get access_token. Read more here.
My requirement is authenticate the login request to the Active Directory LDAP and to the local db as the user may be created manually or by the LDAP.
I am loading all the users i my database in a users table but i want to make the dynamic login to LDAP for the ldap users if user did not get authenticated by LDAP with invalid login or invalid user then only i need to authenticate it to the db.
Am not certain on this, so obviously please confirm, but in your Spring security.xml, set up two authentication providers under your authentication manager, first your ldap one and then your database one. A failure with the LDAP authentication should cause the DB one to activate and give the user a second chance to authenticate with the same credentials. Also see this article for some testing I had done earlier with Active Directory and Spring Security.
I have an application and API. I am using Spring and Spring security for both. Authentication is required to access API.
I configured RESTFUL web service only respond when authentication is successful (handling with JSESSIONID after login) which makes querying database not possible if user is not logged in or credentials are wrong. But somehow, I need to access database and make some changes for forgotten password. I need to check if requested email is on the record. Also, update the database after password change. eg; If I make 'UPDATE USER' action permitAll(), there will be a security problem.
Can you give me some ideas to handle that problem?
You can create some user with permissions to change password and later when changing password automaticly login this user -> send request ->logout user and all of that behind user view.