I have 2 Spring web-apps. I'm using Keycloak to protect them. In Keycloak doc it's said that to logout i can use:
HttpServletRequest.logout()
Yes, it loges out user from one app. But the second one still remains active. How to configure Keycloak and/or Spring to provide Single Sign Out?
If you're using the Spring Security adapter use the /sso/logout endpoint instead (either in GET or POST). For instance:
http://myapplication/sso/logout
Related
The default URLs for starting oAuth and getting the auth code from the OAuth provider in Spring Boot are:
/oauth2/authorization/{providerReg} (example: /oauth2/authorization/azure)
/login/oauth2/code/{providerReg}
I need to change these so that they have a prefix in front of them. How do I do this?
It appears as though this is hardcoded in DefaultOAuth2AuthorizationRequestResolver and DefaultServerOAuth2AuthorizationRequestResolver. Is there a way to either make those take my URLs or to make Spring Boot use my implementation instead?
Refer to the documentation https://docs.spring.io/spring-security/site/docs/5.1.0.RELEASE/reference/htmlsingle/#oauth2login-advanced-login-page
To override the default login page, configure oauth2Login().loginPage() and (optionally) oauth2Login().authorizationEndpoint().baseUri().
In Spring Security, how can I use session for some url(eg. /index.html), and meanwhile use stateless for other url(eg. /api/view) in one server? I only see the session can be disabled globaly, but I want to disable by url, how can I do this? Thank you.
By the way, I'm using Spring Security 4.0 with Spring Boot and like to use java configuration.
You can use multiple http elements with different create-session attributes in each. See here and here
I have been looking everywhere on how I can implement Spring Security based on a Container Managed Security Model. In my test case, I am using Tomcat and it's corresponding tomcat-users.xml file. The issue is, I cannot get Spring Security to play well (meaning pass authentication over to Tomcat) to let the app server perform the Authentication and have Spring manage the role based security once someone is authenticated. I am using the latest Spring versions, so it's all Java config as I am just not familiar enough with XML based config. I have read many examples that talk about using a PreAuthenticatedAuthenticationProvider but the examples are poor not to mention the Spring documentation is quite confusing IMHO. I even downloaded the sample preauth code from the Spring Security GIT hub but I still cannot see how the example code is tied to the authentication that Tomcat is performing. When I run the Spring sample code for preauth, it doesn't authenticate with any of the users in my tomcat-users XML file as I deployed my code to Tomcat 8. Wondering if anyone has any ideas on where I can look in order to understand how Spring Security and the authentication performed by Tomcat (container managed) happens?
UPDATE:
It appears I had to start from scratch and simply get the authentication to work with a very simply app created in my IDE. Basically I had a folder that was called secure, one folder that was called unsecure and I mapped the paths according to the Servlet 3 spec to secure and unsecure what I needed. I had to use a web.xml in order to contain the security constraints. Once I tested in both Tomcat 7 and 8, where I tried to hit a secure URL, I was challenged to enter an ID and password. Please note you have to define the path to a login page, mine was a simple JSP. I also had to submit to the j_security_check and also make sure to use the j_username and j_password field names. Once I knew I could hit a secure page, I then started introducing the Spring components. This involved Spring Security, Spring Boot etc. The key was in the WebSecurityConfigurerAdapter. Where I normally would have basic auth or form based security enabled, I removed those and instead used the jee() setting based on the same fluent builder API used to configure your security settings. I left all antmatcher settings in the web.xml, so my WebSecurityConfigurerAdapter was very basic. When you are debugging controllers, you can inject the HttpServletRequest directly in the method and that request contains a userPrincipal request value containing things such as the user ID, and roles. Good luck, hope this helps others because it was painfully long for me to figure out such a simple solution.
See the update for a detailed explanation on my solution.
I'd like to give users the option to login to a Spring Boot web application using their Google or Facebook account.
I checked The Spring Cloud Security documentation and also This GitHub issue to add such SSO functionality, but on both they only show how to configure one SSO server, so it's either Google or Facebook.
How can I add both options? on the web front-end I will add a button for each option so the users can choose which account to use, either Google or Facebook.
Or I am choosing the wrong package and should use something different altogether to achieve this?
Thanks!
You basically have to install a separate authentication filter for each provider. There's a tutorial here: https://spring.io/guides/tutorials/spring-boot-oauth2/.
I am new to Spring Security and am mulling over the idea of using it or not in my application.
The requirement is as follows :
In my web application i store a session information inside the database,a key for this is stored in a cookie
2.Now whenever someone tries to access a url which is not according to the flow i want to deny access.
3.Can i use Spring Security for this.
I am using Spring MVC,Mongo DB and MySQL as the develeoment environment.
Regards,
Abhishek
If you're trying to simply control the flow of an application, I'd suggest using Spring Webflow. This allows you to define set flows in a multi-page application.
Spring Security can be used to control flows, but only for access control. It integrates well with Webflow (and with Spring MVC) to ensure you can secure some or all of your flows.