For example I need that my Web app will support two different auth methods, for GUI it will be OpenID, already configured and worked. For API it will be Http Basic Authentication based (I guess) on <basicRegistry>.
How do I need to configure web.xml that liberty will know (if it possible at all) to which authentication method redirect user?
Thank you.
See if you can make use of the authentication filters for openID. So that it will go to openID for the specified cases in filters and use default authentication otherwise. You will define a filter in server.xml and then make use of that filter in openID configuration(server.xml too).
Configuring Authentication Filters:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/rwlp_auth_filter.html
You can use the authentication filter to determine whether certain HTTP servlet requests are processed by certain providers.
Liberty server authentication filter uses the filter criteria that are specified in the authFilter element in the server.xml file to determine whether certain HTTP servlet requests are processed by certain providers, such as OpenID, OpenID Connect, or SPNEGO, for authentication.
Configuring Authentication Filter for OpenId:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_config_rp_openid.html
Optional: Configure the Authentication Filter.
If the providerIdentifier attribute is configured inside the openId element in the server.xml file, you can configure authFilterRef to limit the requests that should be intercepted by the OpenID provider defined by the providerIdentifier attribute.
Related
One can define an OAUTH2 server easily based on the quarkus documentation.
quarkus.oauth2.client-id=XXXX
quarkus.oauth2.client-secret=YYYY
quarkus.oauth2.introspection-url=https://example.com/oauth2/...
How should I configure quarkus if I have to give the option to the users to choose their own OAUTH2 provider (github, gitlab, whatever)?
One solution can be running separate Quarkus instances for each OAuth2 provider.
If you need to have all requests to be sent to same path and port, a mediator instance can be created for handling requests and sending them to appropriate instance with chosen OAuth2 provider.
Scenario: The application sits behind an NGINX that terminates the TLS connection and does the mutual authentication with the client. The NGINX then forwards the client certificate in an X-SSL-CERT header to the spring-based application. In the application I want to access the information provided inside the certificate and also based on this create an Authentication.
Current Approach: To get it up and running, I implemented a custom Filter that extracts the header, parses the string into an X509 certificate, extracts the required information into a custom Authentication and then uses the SecurityContextHolder to add the Authentication into the SecurityContext. This works and I can access the Authentication inside my controller methods with #AuthenticationPrinciple annotation.
However, while reading the documentation I felt that this approach might not be secure and also not as it is intended by spring since there is already an X509AuthenticationFilter to use in pre-authentication scenarios.
I then came up with the idea to just place the parsed X509Certificate inside the ServletRequest attribute and use the provided X509AuthenticationFilter. I quickly ran into issues, since I do not provide an UserDetailsService.
Questions:
Is the first approach I described considered to be valid/secure?
How can I use the X509AuthenticationFilter for pre-authentication use cases
and without providing a UserDetailsService since I don't require anything to get those information
Is it secure to directly use the SecurityContextHolder to add my custom Authentication from inside the filter
I have a complex situation where I need to implement a security for web app on tomcat 8 that serve both static html and rest services. the app is spring mvc application (no spring boot)
the authntication ( sso ) process will go as follow:
if user jwt not exist in http header then authonticate with ldap, getting user authorities from db and create jwt back to user.
if jwt exist in header, skip ldap filtering , extract the user authorities from token.
I was thinking of first servlet filter that uses spnego library and get the windows domain name (user name to use in ldap) that filter will also check to see if ldap authontication is needed ( if token not provided) and pass it back to spring filter chine through http params..
I'm struggling to implement he ideal.
please help.
thanks
As I know, there is support for LDAP in spring security, might be it will help you.
Other than that, if you want to write your own filters then you have to add those in spring security filter chain.
I started working on JAAS with SSO,I have some doubt about JAAS. JAAS (Java Authentication and Authorization Service) framework to cater to multiple authentication mechanisms. The SSO server validates sign-on information against its own database or an external directory server and returns the session context and list of applications that the signed-on user can execute.Here i want to implement one more web application's.As per my knowledge the SSO JAAS will return Session context. In my client web applications already, i have acegi security for authentication, using my acegi security how can i get the session context from my SSO JAAS for Authorization.I am trying to find out any configuration sample , but still I did't get any work around example.
Take a look at this spring security configuration. It is not exactly what you want but it will show you the way
Key points
Check how authentication-manager is defined by using
PreAuthenticatedAuthenticationProvider. The preAuthenticatedUserDetailsService property defines a bean that will allow you to create your spring security UserDetails object from the JAAS Authentication object
The j2eePreAuthFilter filter is the one that will delegate security from JAAS to spring security.
The rest is standard spring security configuration
Hope it helps a bit
I had recently been able to secure my web application and authenticate the user by using basic authentication. An added requirement was to check against user's ip address from request parameter and I leveraged use of Custom authentication details source and override of BASIC_AUTH_FILTER. (see:http://stackoverflow.com/questions/9854592/accessing-httpservletrequest-during-daoauthenticationprovider-authenticate-in-sp)
Now I have a Spring Web Service that uses SimplePasswordValidationCallbackHandler and the same AuthenticationManager / Provider configuration as above (except for the http namespace configuration which has all my custom filter logic).
I would like to do a similar activity to authenticate a user completely only if their ip addresses match when authenticating in a Web Service.
I pass the username and password in the SOAP headers and authentication happens without any issues.
Any thoughts if i can reuse my existing configuration here for the AuthenticationDetailsSource and Custom filter. Is this even achievable or am I on a completely different track here?
Thanks.
I added a RequestContext Listener to my web.xml and got access to the HttpServletRequest using a RequestContextHolder during my authentication process in a custom DAOProvider.
Anyone with a better solution, let me know !