I need to know If I can use JWT in grails application using spring security plugin. I want to generate token store it in cookie and than use it to login. Is it Possible through spring security plugin?
Please checkout https://github.com/alvarosanchez/grails-spring-security-rest the rest security plugin. It has support for JWT and is straight forward to configure.
Be aware that there's a possible security issue with JWT (the user is serialized in the JWT token and deserialized without checking the existence of the user), I made a pull request for this.
Related
I'm developing an app.
Front/bff/api.
I'm using an open id provider that allows to check token remotely.
The bff intercepts the front requests and sends them to the API with the jwt token in the header.
The api should ask the open ip provider if the token is correct (but remotely, not using the offline mode with the public key ).
The api is a spring boot 3.0.1 project.
How to configure security in spring boot 3.0.1 to do that check?
Thank you in advance.
You do that with access-token introspection. In spring-security conf, that means using opaqueToken() instead of jwt() (the first configures a resource-server with introspection and the second with a JWT decoder).
Be aware that token introspection is far less efficient than using a JWT decoder as a request is sent to the authorization-server for each and every request to a resource-server. Tutorial there.
I am working on securing a REST API, here is the basic set up (Happy Path) I am working with:
1) UI will request to authenticate with another service, this service will return a JWT to the UI.
2) Once a user of the UI is done with their work, they will make a request to the REST API that I am tasked with securing using a JWT that is passed to me.
3) I will then ensure the JWT is legit, get the users roles and then determine if the user is authorized to access that endpoint (perform the requested function).
I am sure this is possible, but my past experience with Spring Security wasn't dealing with JWT or Authorization only.
Would it be a correct approach to implement Authentication and Authorization, get that working and then back out the Authentication part?
Thank you for your kind help!
I suggest that you take a look at the Spring Security OAuth2 project. It makes this kind of thing fairly easy.
In particular, have a look at this section about using JWT
I have a complex situation where I need to implement a security for web app on tomcat 8 that serve both static html and rest services. the app is spring mvc application (no spring boot)
the authntication ( sso ) process will go as follow:
if user jwt not exist in http header then authonticate with ldap, getting user authorities from db and create jwt back to user.
if jwt exist in header, skip ldap filtering , extract the user authorities from token.
I was thinking of first servlet filter that uses spnego library and get the windows domain name (user name to use in ldap) that filter will also check to see if ldap authontication is needed ( if token not provided) and pass it back to spring filter chine through http params..
I'm struggling to implement he ideal.
please help.
thanks
As I know, there is support for LDAP in spring security, might be it will help you.
Other than that, if you want to write your own filters then you have to add those in spring security filter chain.
I'm about to implement a token based authentication system with Spring Boot and Json web token. I have a frontend app built with Angular. My understanding is that once authenticated, all API calls from the angular app will send the token to the server to be verified before a response is sent back.
I'm wondering then how Spring Security would fit into the picture. It seems like it is no longer necessary if I just use the server to verify the token every time the frontend makes a call.
My question is whether or not Spring Security is required in this instance and if it is, what role will/can it play?
I would like to know from the outset before diving in. Thanks!
How can I implement token-based authentication without cookies for my Spring Boot RESTful application (not MVC)? I've searched the web, but not found any good tutorials.
Create a Authentication filter and check the token in header there. Load the used based on the token from your user store and set it as the request principle.
Checkout the following for an example
Authentication Filter Example