on a Spring Security service layer I have a method createUser() with annotation #PreAuthorize("hasAuthority('ROLE_ADMIN')"). This already works.
But when installing this application, the first user must be created. Currently I am trying to create a default user on startup when the user database is empty. Later this should be done via web interface. But what is the best approach for something like this? Currently I can not create the first user because I am no admin. I could secure the method in the web controller, but securing the service layer is a better approach I think.
Do I need something like
#PreAuthorize("hasAuthority('ROLE_ADMIN')") OR DATABASE IS EMPTY
or is it possible to call a local method with an authority?
I would assume this problem is already solved 100 times :-)
Best regards,
Jochen
Related
I'm building a simple project management web application and I'm having some problems finding the best practices for storing the current logged user without recurring to spring security.
I was thinking of creating a filter or maybe a interceptor to reduce code but I'm still struggling with how to actually store the user. Is it better to had a specific header to the request or is there a more elegant way to do this?
You can use spring session to maintain the login information in you app in a better way, there are various options available in spring to replace normal HttpSession like Spring Session JDBC.
See Here: https://spring.io/projects/spring-session
I have a single grails (3.3.5) web server, and I am interested in improving the availability and I'd like to add another server and put a load balancer in front of it.
Rather than share sessions between servers, or use sticky sessions, i'd like to know if there is a good way to have a session-less front-end server. I don't use sessions for anything other than using spring-security to validate the session token that it is using to identify the user.
I'd like to find a token based authentication system suitable for the front-end such that the token is safe and sufficient for identifying the current user.
I've seen the grails-spring-security-rest plugin which looks promising, but it seems like everyone is using it for back-end rest api calls. Is it also suitable for front-end authentication when you aren't storing application data in the webapp session?
If you don't use the session objects in your controller then tomcat will not create any sessions for you.
Also you can define your controllers to be
static singleton = true
then they will be instantiated not on per-request basis.
Now, if you still want to use sessions, you can use something like Cookie Sessions and keep your data inside the cookies instead of tomcat's memory.
I haven't used the grails-spring-security-rest, but you should be able to tweak spring-security-core to be session-less. You should set scr.allowSessionCreation to false and use remember-me.
Since Grails is built on Spring Boot, you can access all the features of Spring Session (https://docs.spring.io/spring-session/docs/2.0.x/reference/html5/), which includes the ability to share session data between server instances with some data store instead of keeping it in memory.
In those docs you'll find this pointer to a guide with a Grails 3.1 example that uses Redis as the store. https://github.com/spring-projects/spring-session/tree/2.0.3.RELEASE/samples/misc/grails3
Is it also suitable for front-end authentication when you aren't storing application data in the webapp session?
Yes, you can use JWT tokens in your front-end. You need to properly configure the security filters of your controllers so that they are not using cookie for authentication but they are looking for JWT.
See : http://alvarosanchez.github.io/grails-spring-security-rest/latest/docs/#_plugin_configuration for configuration of endpoints that should validate JWT tokens.
Have a look at https://github.com/hantsy/angularjs-grails-sample/wiki/3-basic-auth for a stateless example with Angular.
I'm new to Spring Security, and I can't grasp the basic workflow of it. I read again and again the official documentation but I feel more confused. I can't figure out what are exactly :
authentication manager/provider
authentication object
user detail
user details service
It seems that authentication object is built thanks to user detail but the latter need the former to be built (that's what I understood from the doc).
Does anyone have a simple explanation on how all of these things are used ?
Authentication manager allows multiple authentication providers (eg an in memory db and a normal db?). Authentication provider looks up a user details implementation, via whichever user details service has been specified. The authentication object is then created from that.
User service and user details implementation are completely independent of spring security, you do not need spring security to use them.
[Ref docs]
I am about to start creating a new application and wanted to get some feedback on the approach I plan on using. We will be using spring and spring data jpa.
Can controllers call domain services and repositories or should the controller only make calls to application and infrastructure services?
If its "ok" to call domain services and repositories from a controller and a domain service operation needs a transaction, can/should I just put the #Transactional annotation on the domain service method? Or should I have an application service that wraps the call (not sure I like this approach because you would end up with a bunch of pass through methods)?
If its not "ok" to call domain services and repositories from a controller do I need to create application services to wrap all possible domain service calls(like I said in 2 that could be a lot of pass through methods)?
The best solution I can come up with is something like the following:
Repositories will have the #Transactional annotation with propagation REQUIRED when writing to the database and propagation set to readOnly=true and propagation set to SUPPORTS when reading from the database.
Application and Domain Services will add the #Transactional annotation as needed
If the controller ever needs to make make a direct call to a repository a domain service or an application service it can. No pass throughs.
I am not clear for your question. What is the Domain Services doing? I knew Application Services and Domain Repositories very well.
In spring , there are two layers service and data access layer.
Service layer can used #Service (In your design it will be application Services) but not used #Transactional Tag.
Data access layer used #Repository Tag and also #Transactional Tag, Because This layer is directly connected and make operation with the Database. So, I like to know what 's function of the Domain Service. I am not clear for that.
Thanks buddy.
I personally would only access your domain and application services from your controllers. That way you only have to put #Transactional annotations at one "level". You get transactionality out of the box at your repository layer if you're extending the regular Spring Data repository interfaces. I would leave that layer as simple as possible. Put your readOnly and other configuration at the service layer.
Creating "pass through" methods allows you more flexibility down the road too if you ever decide to change your DAO implementation.
I tried searching in Google, but I could not find any good examples where a username and password are checked with a database for authentication purposes.
In further simple words, how can I create a simple login form using Spring and Hibernate and NOT SPRING SECURITY where the credentials are checked with the database.
Please help me creating a simple login form with just Spring 3.0 and no Spring Security 3.0. Thanks.
Simplest way to do a login form post to a Spring Controller which take username and password as parameter.
In the controller you do what ever you want to authenticate the username and password. Best is to delegate to some service layer which takes care of it.
If successfully authenticated then what you want to do? May be redirect to say home page.
Now the home page rendering should know that the user is already authenticated. This is where spring security helps.
But you can also achieve by writing a Servlet Filter where you check if user is already authenticated by checking the http session. Of course after successful login you need to store that in the session then only it will be available to the filter.
There are many other ways to achieve the same which depends upon your requirement as in what kind of security control is required.
Your solution has two parts, one of which involves Spring and another that is your code:
// DAO returns null if no such username appears in the table.
String password = userDao.findPassword(username);
boolean isValidUser = (!password.equals(null));
// Write the code to implement behavior for valid and invalid users.
If you can do a database SELECT for a password, you can do Spring authentication without Spring Security.
You may need to put that logic in an aspect that's woven in before method calls.
You may want to cache that result in session and invalidate it if a timeout is exceeded.