Anybody have experience using OAuth2.0 and OAuth 1.0a client authentication in same Spring Boot application? Having some trouble getting the 2 working in the same system. Our use case -
User can connect multiple 3rd party accounts to our web app. This connection happens via OAuth, and in the case of 3rd party services that use OAuth 2.0, we have no problems. Now we want to add Twitter as a supported connection, with their OAuth 1.0a path we are having a lot of trouble getting this to work. Can only find examples of this using spring-social and that probably doesn't fit our use case as it isn't compatible with the rest of our integration paths.
Any experience or input would be greatly appreciated.
rms.
Keep in mind that OAuth 2.0 is really not backward compatible with OAuth 1.0, so you won't find a solution that will handle both versions simultaneously.
To help you understand better the difference between the two, I suggest reading How is OAuth 2 different from OAuth 1?
You would need to handle both version separately, which may lead to some pretty confusing pieces of code.
Anyhow, it's a shame that Twitter isn't migrating to OAuth 2.0 for user-based authentication, that would make everything much less complicated for you.
First off, you'll need both spring-security-oauth and spring-security-oauth2 dependencies. I suggest looking here: https://github.com/spring-projects/spring-security-oauth/tree/master/samples
There's an example for both versions.
I'm not sure how you configured your OAuth2, but since the two dependencies mentionned above do not use the same property names and OAuth2 can almost be entirely configured through the properties file, I doubt you need to worry about OAuth2's implementation.
I have an example about the implementation of OAuth2 with nearly no configuration required here https://github.com/TwinProduction/spring-security-oauth2-client-example , maybe you can start off that, add the OAuth 1.0 dependency and build your way up from there.
Good luck!
My suggestion,
Use scribe. They have done an amazing job getting the OAutdone across a large base of providers. Go to their example source code, plugin your appId and secret and you can pretty much see almost all the providers working
https://github.com/scribejava
Related
Lagom by default uses Google Guice as implementation od DI pattern.
I would like to use Spring Framework instead.
Is it possible? IF so, how should it be done?
I have successfully integrated Akka with Spring (using hints from documentation and Internet), however I cannot find anything in documentation about integrating with Spring.
Possible? Yes. Will you be constantly swimming upstream, with reach upgrade break in new and unexpected ways requiring you to debug undocumented internal APIs? Most probably.
Lagom is built on Play, Play's DI support is ostensibly pluggable, when I wrote it I hacked together a proof of concept to ensure that Spring could be plugged into it. But it was only ever a proof of concept, neither I or the Play team ever had any desire or intention of maintaining it, so I published my work to GitHub:
https://github.com/jroper/play-spring
So that anyone for whom Spring support was important could continue where I left off. That was 3 years ago. In spite of a community of over a hundred thousand developers, no one ever took the work up. There's not a lot of work to do on the module itself, where most of the work would be is in Play and Lagom to fix areas where they have grown incompatible with Spring.
But really, why do you want to use Spring? The whole Lagom and Play ecosystems are built on Guice, saying you want to use Spring with Lagom is like saying you want to use a narrow gauge train in a country that only has standard guage rails, you're going to have to build yourself an entire new rail system to do so. What do you hope to achieve?
I am developing a jsp dynamic web project on eclipse.
I want to create an website with login functionality. I intend to store users' accounts and passwords in MySQL database. Of course, different users have different roles and rights to access different web pages. What is the best approach to implement it?
So far, I know these approaches:
1) Users enter accounts/passwords in login.jsp. LoginServlet then connects to MySQL database to check if it is correct. AuthenticationFilters will make sure only users with rights can access certain pages.
2) Use Role Based Authentication by declaring user roles in web.xml. I find this approach is not flexible, because I need to declare roles in advance.
3) Use HttpServletRequest's login/logout methods. I have not studied it.
Is my understanding correct? Could someone gives me some suggestions? Some clues would be very helpful!
Besides, I know that using POST alone to send passwords is not safe enough. Many websites suggest to use HTTPS connections. So if using HTTPS connections, does it affect the approach I choose to implement the login function?
Thanks!
--
Now, I know I need to use Spring. But Spring seems difficult for me... In Spring website I cant find out the link to download jar files. The user guide says I need to use Gradle or Maven, which I haven't used before, and have no idea why I need them. Besides, there are many Spring projects. Which one should I choose? Spring framework?
--
Have you looked into using Spring Security? It's built for just that. You don't need to be familiar with Spring but it may help.
Here are a couple of tutorials that use database authentication:
1: Spring Security Authentication and Authorization Example with Database Credentials
2: Spring Security Login Example with Database
Edit:
You don't have to Maven or Gradle. You can simply add the jars to your build path and they will work. The only projects you need to implement for the login to work is the Spring Framework and Spring Security.
To use Spring Security without Maven or Gradle:
Download the Spring Framework jars, unzip them, and add them to your project and build path. It's probably a good idea to find a hello world tutorial using Spring to get you started. A quick Google search should turn up many results.
After you have Spring implemented in your project, download the Spring Security jars, unzip those, and add them to your build path. The links to the tutorials that I previously posted will get you started. They may take a little while to go through and you may not understand exactly what is happening behind the scenes, but once you get it set up is works outstanding. I'm also not sure if you are using xml configuration or Java config but I believe those tutorials are for xml.
Spring Security was built so that it could be added to any project and have you up and running with basic configuration in about 15 minutes. After you get the basic login going (it will use the generic login form), you can search for how to implement your own custom login form, add permissions or restrictions to users and url patters, adding custom filters, etc. I encourage you to spend some time learning it as it is highly flexible and customizable.
I have been searching for an example Spring Webservice which is being protected using oauth 2.0..
Looking around I found https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2 but there some files seems to be missing from the project.
Two things that I am looking for is :
When user authenticates, user name and password goes to /login.do , now I can not understand how this Servlet is being configured, if its not controller. web.xml is missing.
When I try to see how beans configured then applicationContext.xml is also missing. I am not able to find those files in order to see how things are configured.
Help Required :
Should I use annotation in order to configure my web service or xml configuration. I am willing to use the latest version, and leverage advanced configurations, for better security.
I have another Single page application ( HTML5 ) , which accesses data from this spring web service, which is being hosted on Google App Engine. My ultimate objective is to create a chrome plugin of (html5) pages and use my service from there..
Please suggest a better path so that I can achieve my objectives.
Best regards,
Shashank Pratap
Apologize for late reply.
1) Regarding Oauth2.0 implementation : Since GAE does not support Servlet 3.0 therefore, developer is restricted to servlet 2.5. Therefore I found that we are restricted to 1.0.5.RELEASE. I was able to configure it successfully.
Best Practice on GAE : Rather than following this approach, I would suggest others to use Google Endpoints. As it supports oauth2.0 as well as we can develop REST API relatively quickly.
Scale ability and Response time : Since I was using Spring dependency injection along with spring security, application responded slower than the combination of Google Endpoints and Google Juice, as juice does injection just in time, where as spring prepares everything as soon as new instance starts, which created problem for me.
2) Chrome Plugin is completely different story. :-)
Please correct if I am wrong.
Thanks,
Shashank Pratap
I'm going to start the development of an web application system with multiple modules. The system will be built over Springframework, which is the reason why I'm going to use Spring Security. However, I have doubts about the choice of the authentication system.
The idea is to create restufull services that will be consumed by extjs pages (in case of web application) and mobile application.
Please suggest alternative authentication systems (more current). I have minimal expertise in system security and I'm worried about how to protect user credentials while maintaining a high level of response speed.
Even though you have no prior experience with Spring Security, I would still recomend that you use it:
It works very well out of the box with minumum configuration effort.
There is alot of support available because it has become the de facto standard security implementation on many full stack solutions. It is unlikely that you will run into a problem that has not been solved before
Spring Security is very robust and well tested.
out-of-the box integration for almost anything i can think of
finally, spring-security is ment for the springframework. The integration is flawless. Why give up the best part the framework has to offer?
Response speed should not be a criteria when selecting security framwork. Usually repsonse speed is slow due to bad software design or configuration issues. I have never ecountered a system that was slow due to the selected security framework.
I started using Spring Security a few years ago. It took me less than a week to set it up and It has worked properly ever since.
If you need to go for simple authentication then this can easily be achieved mentioning it in Deployment Descriptors , you can specify Authorization Constraint, Security Constraints for Resources, Authentication mechanism and all . pls have a look at this link :
http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html
What security features does Spring provide that are not already provided by the Java EE specs?
In the Java EE specs we have:
A range of sevlet security options in the web.xml. Most people will configure basic or form based authentication. They link their Java EE application to an LDAP server - which stores users / groups. Request will be encrypted and come in over HTTPS.
Possibility to annotate any EJB and only allow certain roles execute certain methods
Ability to check user principle at runtime programmatically
So what security extras does Spring 3.0 give me?
Even if you just need some fairly simple authentication, Spring Security provides support for lots of simple but useful features (think of redirecting after logout, redirecting to login page on all URLs, remember-me). With Java EE you'll end up writing this yourself and - possibly - screwing up so you'll have an insecure app.
Spring Security works well with many standards/protocols/etc. out of the box (LDAP, JAAS, X.509). There's also more advanced stuff like SSO or ACLs. And if the standard functionality doesn't suit you, you can customize this fairly easily, often requiring just a little code.
What I also like is that it's fairly non-intrusive, your controller/action/… classes typically don't have to be involved.
That said, if you use it for the first time, it takes some time to set Spring Security up and get used to it.
(Finally, here's their own feature list: http://static.springsource.org/spring-security/site/features.html)
One killer Feature are ACLs!
#See: Spring Security Reference Chapter 17. Domain Object Security (ACLs)
And I have the feeling that Spring Security is much easier to customize. For example if you need a User Management where the User can self register and get some of this privileges limitedly and some others after this email address has been confirmed.