I'm building a Angular 6 front-end and Spring boot based REST api. Angular app is going to be hosted separately behind a nginx. I want to implement spring security in order to secure REST apis. As per my understanding I need to two following things.
Spring security to authenticate API calls for valid tokens and respond 403 if not
Angular library in order to redirect user to google login and maintain access/refresh tokens, pass access token for api calls in headers and refresh access token if backend respond with 403.
I'm not quite sure whether the authenticate request go via spring backend or directly to google.
I have been searching for a good tutorial for sometime but didn't find one matching my requirement( most are html pages hosted within spring ). So please correct if my understanding on how to do this is wrong and share if there are tutorials.
Check this article. This might be the article which help to you.
Moreover let me know if it worked.
Related
I'm trying to do a POC project. I want to login just like stackoverflow. User just login their google account without having to register first and forget password in the future.
My stack is Angular + Spring boot. Angular or React shouldn't matter here. I have did some research and see how people setup on Google GCP and use it in the webapp.
Ok, now assume I can login in my webapp. I got user's name, picture, etc. How would my Spring boot server auth with the info I got from google?
Any help is appreciated!
Usually, you would get a JWT from Google (or other type of token) that you need to send to your Spring Boot server.
The server should then be configured to verify the token. See https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/index.html and https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html (for JWT).
Basically, add spring-security-oauth2-resource-server (and spring-security-oauth2-jose if JWT) and set the issuer-uri in your applications.(yml | properties)
I think it is https://accounts.google.com/ for Google. This also assumes that you have created app/oauth2 in google console. See https://developers.google.com/identity/protocols/oauth2/openid-connect for details.
I want to use auth from google firebase, and integrate it with spring boot.
I am not sure that I have good idea how to implement roles/authorities.
I have in mind this scenario:
On success authentication with firebase, frontend send request to secured spring backend endpoint, and data on this endpoint contains which roles should user have, so frontend use this data to set claims for user. Backend use claims to authorize user when accessing endpoints.
Is this okey, or is there faster/better solution?
That sounds like a good approach. Have a look at the Firebase documentation on verifying ID tokens as that'll be your starting point once your backend receives the token from the client.
The only addition I can make at this point is that many of Firebase's own backend services cache recently decoded tokens (with the undecoded token as the key) to allow subsequent requests to more quickly look up the information for that token. While this is not required, it's an easy speed up once you're ready for that.
I am a Spring Developer trying to figure out how to connect a WordPress WooCommerce Website to my REST Spring boot Service. I haven't worked with WordPress, so there are a lot of unknown unknowns for me there. I am in collaboration with another developer on the WordPress side of things, trying to solve this issue, but we are a little lost.
Are there Best Practices for a WordPress website to access the Spring boot Oauth2 API (including JWT Token delivery Service) ?
CONCRETE DESCRIPTION OF MY SITUATION:
State right now (working):
Someone orders a Product on the WooCommerce website and the order status is set to processing.
The goal:
WordPress WooCommerce Backend calls the Spring boot API to send how many Products were ordered.
WHAT WE FOUND OUT AND WHAT WE TRIED:
Spring boot:
We found out that Spring boot outh2 is the way to go for the REST API ENDPOINT
The only resource I found about this are this once, which are very good and sufficient:
https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot
https://www.youtube.com/watch?v=X80nJ5T7YpE
WordPress:
The Problem is, that we find a lot on WordPress Webhooks but not a lot on how to call an API Endpoint with a Token system.
Here are some resources we worked through, which are not sufficient:
https://developer.wordpress.org/plugins/http-api/
https://woocommerce.github.io/woocommerce-rest-api-docs/v3.html?shell#webhooks
https://duckduckgo.com/?q=wordpress+oauth2+rest+call&t=bravened&ia=web
WHAT WE THINK TO KNOW ABOUT THE SERVER TO SERVER COMMUNICATION IN THIS CASE** (Handshake):
In WordPress, I manually safely store a Username and a Password which
Spring Security knows about, on WordPress.
WordPress, an order has been finished.
WordPress calls Spring boot Https Request to /api with Payload:
OrderInformation, Password and Username.
Spring sees that there is no Token or the Token is outdated
Spring searches the Request Payload for Username and Password
Spring generates a signed JWT Token based on Username and Password.
WordPress receives that Token and stores is safely
WordPress HTTPS Request /api with Payload: OrderInformation, Token.
Spring validates the Token, accepts the OrderInformation
Spring does what ever it needs to do with the information and when
everything works out
Spring Oauth2 somehow has to tell Woocomerce that the information
was successfully delivered. Otherwise Woocomerce has to resend the
information. And start form point
WHAT WE HOPE THIS POST SHOULD ACCOMPLISH FOR PEOPLE WITH THE SAME QUESTION:
If someone knows any resource or best practices how to configure WordPress WooCommerce, please let us, who have a lot of unknown unknowns, know what to do next.
We hope this post and its answers can be a gateway and vertex for other people to find the information they need.
Thank you very much in advance
I am not sure about Spring Boot API specifically, but I have done this type of integration with other REST API's.
I would recommend using wordpress action hook. The hook that I would recommend you to use is woocommerce_order_status_changed.
// define the woocommerce_order_status_changed callback
function action_woocommerce_order_status_changed( $this_get_id, $this_status_transition_from, $this_status_transition_to, $instance ) {
// make action magic happen here...
};
// add the action
add_action( 'woocommerce_order_status_changed', 'action_woocommerce_order_status_changed', 10, 4 );
At the place of // make action magic happen here... write the logic where you contact with your API. Run your code when $this_status_transition_to is processing. The $instance should have woocommerce order instance which you can use to push to API.
Some pointers that I would like to give are.
Save the API Token/Credentials in an Enviroment Variable for security.
Would recommend using Guzzle package to make http request. Use composer to install the package.
I'm very new in Spring and never really used java for making web. And I'm making a web with a separated frontend and backend services and I'm trying to make an authentication system using Spring Boot Security. How can I do it? Do I put the security on both the service or just one of them? What's the best way to implement it?
The question is subjective and can have too many interpretations based on context. My understanding is that putting security on both front-end and backend is the best way to implement. After a successful backend authentication you should issue a unique cookie to the browser as it allows users to continue using a site without having to log in to every single page. For each subsequent call, the website recognizes the user from cookie data.
You can use this link for a better understanding of dual authentication mechanism.
I have a Webapp that consists of a REST API, and then another app that represents a frontend of this API. Both of this apps are developed using Spring.
Currently my REST api is not secured and data can be accessed directly by calling the REST endpoint without additional security info.
My frontend does have a login form (I'm using Spring Security for that), but does not have access to a database (the only access is through the REST endpoint). So the login process is done through an extension of the AuthenticationProvider that calls the REST api with the user and password and then responds with the authentication result. No authentication/authorization is kept on the REST side since to my knowledge this protocol should be stateless.
The problem is I need to incorporate ACL into my app, so that a user can only see those resources he's authorized to see (i.e. those he created). But given that my authentication process takes place on the frontend layer (which is where I keep a session attribute with the user info), I have two main problems:
How can I secure my REST channel?
How can I know which user is making the request on every communication, without explicitly passing the userdetails in each API request? is this even possible?
Doing it stateless and making two separate web application usually is overkill.
What I usually end up doing is.
Make my RestAPI stateful, because usually scaling is not an issue and simple form authentication will suffice.
Combine a Rest API/HTML Client in one Webapplication. If you want to keep it modular, you could create a Rest API module and integrate it as a JAR file in the lib folder of your web app.
Here is also some thread which goes through different alternatives for a rest API.
How to do authentication with a REST API right? (Browser + Native clients)