I have a scenario where I am trying to connect my Frontend system (SAP UI5) to an OData Source for fetching the results.
However, there is a middleware layer in Java - Spring boot, which captures all the requests from the UI and forwards it to the OData services. The reason is, the OData services are not pubicly available. They are behind a firewall whereas the Spring Boot application is publicly available. So, I am using a reverse proxy to make the connection between Spring Boot and OData services, which works.
But the problem here is the OData services (API) require user authentication to access data. This user authentication is already done once on the UI layer.
There is App2Appp SSO enabled from UI -> SPring Boot application. So I can make use of Spring security to access the Principal object. I want to know, besides knowing the username of the logged in user, how do I get the password ?
When you have an application secured with Spring Security, either Spring Boot or normal Spring, you have an object that accesses the security of a particular authentication.
You can call and get the Principal (object of java security):
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
This principal in spring is a UserDetails object, which is where we configure all user information in Spring.
Then to get the username and password and pass them to your OData services:
String username = ((UserDetails)principal).getUsername();
String password = ((UserDetails)principal).getPassword();
Related
I am using spring boot with angular for azure ad authentication. In angular i have used Microsoft adal library for authentication. From that I am getting an access token, and passing as header with request to spring boot app. But When i am retrieving SecurityContext object, i am getting anonymous user.
Now how does spring security knows about this user login. Do i need to explicitly do any code for this to get done?
Configure properly azure-spring-boot (ad client id and secret) and then in WebSecurityConfigurerAdapter filter your requests with AADAuthenticationFilter. Check out a sample here.
I have two spring boot application. One is Rest and the other one is Spring boot web MVC app which consumes the Rest. The Rest has spring security configured and I want to login/logout from the client app. The client app has nothing but view and controllers to interact with the rest api.
I am using rest template to interact with the api now.
If the client app is not secured so any other anonymous app may do the same, and this is not security, it's a sieve ...
If you want to create a custom authorization/authentication, you can create own protocol and use tokens/JWT (possibly, OpenID or other global technology) and exchange information between applications.
But there is technology to do it all centrally and reliably - OAuth2, and Spring has it 'from the box' - authorization server, resource server, client. The most advantage - multiple applications (clients), one authorization - you create one user and can authenticate it on any client with the same credentials. You can customize it with JWT, and use any data in the access token and as a consequence get any information about principle/authorization.
I have read some articles for Keycloak spring implementation (eg: easily-secure-your-spring-boot-applications-with-keycloak) but no one mention how to use with JWT.
I have created zuul api gateway and add Keycloak adapter as described in the previously linked article. That's ok, but I want to use JWT with keycloak.
Mentioned elsewhere set the client access type to bearer-only and the session strategy to NullAuthenticatedSessionStrategy. That's enough or need something else for JWT?
So my questions:
How do I configure client on Keycloak admin for JWT?
How do I configure Keycloak in backend config file for JWT?
How do I configure Keycloak adapter for JWT?
How do I pass user info to microservice? Create filter in gateway? But how I get user info from request?
Keycloak access token is a JWT. It is a JSON and each field in that JSON is called a claim. By default, logged in username is returned in a claim named “preferred_username” in access token. Spring Security OAuth2 Resource Server expects username in a claim named “user_name”. So, you need to create mapper to map logged in username to a new claim named user_name.
In order to provide access to client (micro-service), respective role needs to be assigned/mapped to user.
In your spring boot application, then you need to configure connection to keycloak server, providing, auth url, token url, scope, grant-type, client-id and client-secret.
Afterthat, your app be able to parse JWT token, you need to create some JwtAccessTokenCustomizer. This class should extend DefaultAccessTokenConverter and implement JwtAccessTokenConverterConfigurer classes. The main logic lays in public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) method.
Then you need to configure OAuth2 Resource Server to provide access for other micro services. For that you define here - Oauth2RestTemplate Bean.
And in the end, secure your REST API, via the standard configuration Component.
So, you can see that, it is a large work, and couldn't be described with code, show some of your work, divide it to the chunk, and ask interesting your questions.
I am currently usingstruts, spring and hibernate in my application. I'm using CAS for authentication. The table containing the user name and password fields are mentioned in the deploymentConfigContext.xml of the CAS war file.
Using spring security how can I implement the same in my application for web services?
How is the username and password given from a client invoking my web services?
Your WS is protected by some sort of CAS filter, that is perhaps provided by Spring Security. When a request comes in, the filter intercepts and redirects to CAS login. User logs in, and they go back to the WS. Filter intercepts the request again, validates the ticket and moves onto the WS
I am using spring security for my spring multitenant application. I am using spring security 3.2
I am using spring security for my spring multitenant application. My requirement
is tenant1 should be authorized against oauth and tenant2 should be authorized
against ldap and tenant3 should be authorized against database. I will be knowing
the authorization method for the tenant through properties file. I am able to
authorize user against any single authorization method. But i am not able to
configure for multiple authorization methods. Please someone give any suggestions
on this.
In case of web application, you can use different login URLs and allow user to choose authentication method. Then separate security filters should be applied for each URL.
You can check this configuration: https://code.google.com/p/opendatakit/source/browse/eclipse-aggregate-gae/war/WEB-INF/applicationContext-security.xml?repo=aggregate