In Spring Security, how can I use both session and stateless authentication in one server? - spring

In Spring Security, how can I use sessions for some URLs (e.g. /index.html) and, at the same time, stateless authentication for other URLs (e.g. /api/view) in one server? I only see that the session can be disabled globally, but I want to disable it by URL. How can I do this? Thank you.
By the way, I'm using Spring Security 4.0 with Spring Boot and would like to use Java configuration.

You can use multiple http elements with different create-session attributes in each. See here and here.
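The Java-config equivalent of "multiple http elements" is several ordered WebSecurityConfigurerAdapter classes, each with its own antMatcher and sessionCreationPolicy. The following is an added example, not code from the question or the answer; the URL patterns, HTTP Basic for the API chain and the demo in-memory user are assumptions chosen for illustration, and it targets Spring Security 4.0 as stated in the question.

```java
// Added example (not from the question or answer): two ordered security chains in
// one Spring Boot app. /api/** is stateless, everything else uses the HttpSession.
// URL patterns, HTTP Basic and the demo credentials are assumptions.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // Demo in-memory user so the example runs on its own (placeholder credentials).
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("demo-user").password("demo-password").roles("USER");
    }

    // Chain 1, consulted first because of the lower @Order value: requests under
    // /api/** never create or read an HttpSession, so every call must carry its
    // own credentials (HTTP Basic here; a token header would be wired the same way).
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                // The default CSRF token repository stores its token in the HttpSession
                // and would quietly create a session again. Clients of this chain send
                // credentials explicitly on each request, so CSRF protection is dropped
                // here only; the session-backed chain below keeps it.
                .csrf().disable()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }

    // Chain 2, default order: /index.html and everything else not matched above
    // keep the ordinary session-backed form login, CSRF protection included.
    @Configuration
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```

The first chain whose matcher accepts the request is the only one that runs, so the narrower /api/** chain must have the lower @Order value; with the order reversed, the catch-all chain would claim every request and the API would get sessions too. A quick check is to call /api/view and confirm the 401 response carries no Set-Cookie header for JSESSIONID, while /index.html redirects to the login page and sets one after login.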

Related

How to achieve Single Sign-Out in Keycloak/Spring based applications?

I have 2 Spring web-apps. I'm using Keycloak to protect them. In the Keycloak doc it's said that to log out I can use:
HttpServletRequest.logout()
Yes, it logs the user out of one app. But the second one still remains active. How to configure Keycloak and/or Spring to provide Single Sign Out?
If you're using the Spring Security adapter use the /sso/logout endpoint instead (either in GET or POST). For instance:
http://myapplication/sso/logout

Stateless front-end grails server?

I have a single grails (3.3.5) web server, and I am interested in improving the availability and I'd like to add another server and put a load balancer in front of it.
Rather than share sessions between servers, or use sticky sessions, I'd like to know if there is a good way to have a session-less front-end server. I don't use sessions for anything other than using spring-security to validate the session token that it is using to identify the user.
I'd like to find a token based authentication system suitable for the front-end such that the token is safe and sufficient for identifying the current user.
I've seen the grails-spring-security-rest plugin which looks promising, but it seems like everyone is using it for back-end rest api calls. Is it also suitable for front-end authentication when you aren't storing application data in the webapp session?
If you don't use the session objects in your controller then Tomcat will not create any sessions for you.
Also you can define your controllers to be
static singleton = true
then they will be instantiated not on per-request basis.
Now, if you still want to use sessions, you can use something like Cookie Sessions and keep your data inside the cookies instead of tomcat's memory.
I haven't used the grails-spring-security-rest, but you should be able to tweak spring-security-core to be session-less. You should set scr.allowSessionCreation to false and use remember-me.
Since Grails is built on Spring Boot, you can access all the features of Spring Session (https://docs.spring.io/spring-session/docs/2.0.x/reference/html5/), which includes the ability to share session data between server instances with some data store instead of keeping it in memory.
In those docs you'll find this pointer to a guide with a Grails 3.1 example that uses Redis as the store. https://github.com/spring-projects/spring-session/tree/2.0.3.RELEASE/samples/misc/grails3
Is it also suitable for front-end authentication when you aren't storing application data in the webapp session?
Yes, you can use JWT tokens in your front-end. You need to properly configure the security filters of your controllers so that they are not using cookies for authentication but are looking for a JWT.
See http://alvarosanchez.github.io/grails-spring-security-rest/latest/docs/#_plugin_configuration for configuration of endpoints that should validate JWT tokens.
Have a look at https://github.com/hantsy/angularjs-grails-sample/wiki/3-basic-auth for a stateless example with Angular.

Spring webflux session management

I am using Spring boot 2 with spring webflux running on netty.
I would like to add session management without needing to have a backing database or redis server (so Spring Session doesn't seem to be a solution here).
I could use WebSession in my controllers, but then I would need to enable sticky sessions on my load balancer, which I would prefer to avoid.
What I would like is one of the following:
Client side session like in Play framework (session is stored as a cookie and added onto each subsequent request)
Hazelcast session replication but this only works with servlet containers
Has anyone experienced the same thing and found a viable solution?
Spring Session has plans for providing Hazelcast implementation of ReactiveSessionRepository. The current plan is to wait for Hazelcast 4.0, which will move to Java 8 as baseline and use CompletableFuture instead of their own ICompletableFuture. You can track gh-831 for progress on this topic.
In the meanwhile you could try and use ReactiveMapSessionRepository, passing in Hazelcast's IMap.
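What wiring a Hazelcast IMap into ReactiveMapSessionRepository looks like, as an added example rather than code from the answer or from Spring Session itself. It assumes Spring Session 2.0 on WebFlux and the Hazelcast 3.x package layout that the answer's timeline implies; the map name and the timeout are arbitrary choices.

```java
// Added example (not from the question or answer): WebSession storage in a
// Hazelcast IMap via Spring Session's ReactiveMapSessionRepository.
// Assumes Spring Session 2.0 and Hazelcast 3.x; map name and timeout are arbitrary.
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;
import com.hazelcast.core.IMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.ReactiveMapSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;

@Configuration
@EnableSpringWebSession   // registers the WebSessionManager that uses the repository below
public class HazelcastWebSessionConfig {

    // Embedded Hazelcast member; other instances on the network join the same cluster,
    // so a session written by one node is readable by the others without sticky routing.
    @Bean(destroyMethod = "shutdown")
    public HazelcastInstance hazelcastInstance() {
        return Hazelcast.newHazelcastInstance();
    }

    // ReactiveMapSessionRepository only needs a Map<String, Session>; IMap is one.
    // Spring Session's MapSession is Serializable, so it can be replicated as-is;
    // anything stored as a session attribute must be Serializable too.
    @Bean
    public ReactiveMapSessionRepository sessionRepository(HazelcastInstance hz) {
        IMap<String, Session> sessions = hz.getMap("spring:session:sessions");
        ReactiveMapSessionRepository repository = new ReactiveMapSessionRepository(sessions);
        repository.setDefaultMaxInactiveInterval(30 * 60); // seconds; a session is
        return repository;                                  // ignored once this has elapsed
    }
}
```

One caveat explains why the answer calls this a stopgap: ReactiveMapSessionRepository wraps plain map.get/map.put calls in Mono.defer and Mono.fromRunnable, so with an IMap those become blocking network calls executed on the Netty event loop. It works, but it is not the non-blocking Hazelcast repository the answer says is planned.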

Spring boot stateless security with redis cache data

While doing some practice examples to learn Spring Security, I came up with the following use case, but I did not find the best possible approach using Spring Security. Could someone please help me with this?
I have an AngularJS application and a Spring Boot application running on different servers. In a Redis cache I have user info (role and some other info) with gsid as the key. In each REST call I am passing gsid as a cookie. Now I want to validate each request in the Spring Security filter by fetching the user info from the Redis cache before sending it to the @RestController.
What could be the best approach to authenticate and authorize the request using Spring Boot Security?
Use spring-session with Redis; it also provides integration with spring-security.
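How that integration is switched on, as an added example rather than code from the question or the answer. It assumes a servlet-based Spring Boot app with the spring-session-data-redis dependency, Redis on its default localhost:6379, and keeps the cookie name "gsid" from the question; the timeout value is arbitrary.

```java
// Added example (not from the question or answer): Spring Session backed by Redis,
// with the session id carried in a cookie named "gsid" as in the question.
// Assumes spring-session-data-redis on the classpath and Redis at localhost:6379.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Configuration
// Registers springSessionRepositoryFilter, which swaps the container's HttpSession for
// one stored in Redis and expires it after the given idle time (arbitrary value here).
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800)
public class RedisSessionConfig {

    // No-arg factory connects to localhost:6379; point it elsewhere for real deployments.
    @Bean
    public LettuceConnectionFactory redisConnectionFactory() {
        return new LettuceConnectionFactory();
    }

    // The session id is a bearer credential, so it gets the same cookie hardening
    // JSESSIONID would: HttpOnly keeps page scripts from reading it, Secure keeps it
    // off plain HTTP. Only the name differs, to match the question's "gsid".
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("gsid");
        serializer.setUseHttpOnlyCookie(true);
        serializer.setUseSecureCookie(true);
        return serializer;
    }
}
```

With this in place no custom filter is needed: Spring Boot orders the Spring Session filter ahead of the Spring Security chain, so Spring Security's SecurityContextPersistenceFilter reads the Authentication (principal and roles) from the Redis-backed session on every request, and Redis key expiry enforces the session timeout across all instances of the app.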

Spring Security - Preventing Users access to a page if an id is invalid

I am new to Spring Security and am mulling over the idea of using it or not in my application.
The requirement is as follows :
1. In my web application I store session information inside the database; a key for this is stored in a cookie.
2. Now whenever someone tries to access a URL which is not according to the flow I want to deny access.
3. Can I use Spring Security for this?
I am using Spring MVC, MongoDB and MySQL as the development environment.
Regards,
Abhishek
If you're trying to simply control the flow of an application, I'd suggest using Spring Webflow. This allows you to define set flows in a multi-page application.
Spring Security can be used to control flows, but only for access control. It integrates well with Webflow (and with Spring MVC) to ensure you can secure some or all of your flows.
