I am building a cloud-based application using Spring, Spring Security, Hibernate and OAuth.
It has different products, and each product has multiple modules. Modules also have multiple functionalities.
Clients have to subscribe to each product independently to use it.
Each client can have multiple users, and the client will have to give its users access to the product.
Clients have to select a package (silver, gold, ...) while subscribing to each product.
A package will have the module details and the number of users allowed for each product, and a client user will be able to access only the modules (of the selected package) which the client is subscribed to and the user has access to.
I have to create REST APIs for each functionality.
Problem: I am using Spring OAuth2 to secure my APIs so that only registered clients and their users can access them, but they can access all the APIs. I should allow clients to access only those APIs which they have access to / are subscribed to. How can I achieve that in Spring?
Currently I am planning to use interceptors, but that depends heavily on the URL pattern, so for each product and module I will have a different interceptor.
URL pattern : http://abc/rest/PRODUCT/MODULE/..
Is there a better way to implement it?
You can choose another way, which might be better as you don't have to write custom URL interceptors.
You can use Spring Security with its @Secured({"ROLE"}) or @PreAuthorize annotations, for which you can create roles for each product and give the clients the roles for which they subscribed. You can find more information about this annotation and how it works here.
For @Secured and @PreAuthorize to work, you need to have the annotation @EnableGlobalMethodSecurity on the Spring Boot context class.
Hope it helps.
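As an added example (not the answer's own code), the following wires that suggestion into Spring Security method security. A mapper turns the client's subscriptions plus the modules the client enabled for the user into one authority per product/module pair, and each endpoint declares what it needs: either a fixed hasAuthority check, or a small bean referenced from SpEL so that a single /{product}/{module} mapping covers every module without a per-product interceptor. The Subscription record, the class, bean and authority names, and the placeholder data are all assumptions.

```java
// Added example, not the answer's own code. Class, bean and authority names are assumptions;
// the point is that module access is an authority granted from the client's subscription at
// login/token time, and every endpoint declares the authority it needs.
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.parameters.P;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize; Spring Security 5.6+ also offers @EnableMethodSecurity
class MethodSecurityConfig {
}

/** Hypothetical subscription record: the package a client bought for a product and the modules it bundles. */
record Subscription(String product, String pkg, Set<String> modules) {
}

/** Maps a client's subscriptions plus the modules the client assigned to this user into authorities. */
@Component
class SubscriptionAuthorityMapper {

    /** Naming convention, e.g. MODULE_CRM_CONTACTS: one authority per product/module pair. */
    static String authorityFor(String product, String module) {
        return "MODULE_" + product.toUpperCase() + "_" + module.toUpperCase();
    }

    /** A module is granted only if it is in a subscribed package AND the client enabled it for this user. */
    List<GrantedAuthority> authoritiesFor(List<Subscription> clientSubscriptions, Set<String> userModules) {
        return clientSubscriptions.stream()
                .flatMap(s -> s.modules().stream()
                        .filter(userModules::contains)
                        .map(m -> authorityFor(s.product(), m)))
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }
}

/** Referenced from SpEL as @subscriptionGuard, so one rule can cover a whole /{product}/{module} tree. */
@Component("subscriptionGuard")
class SubscriptionGuard {
    public boolean canAccess(Authentication auth, String product, String module) {
        String needed = SubscriptionAuthorityMapper.authorityFor(product, module);
        return auth.getAuthorities().stream().anyMatch(a -> needed.equals(a.getAuthority()));
    }
}

@RestController
@RequestMapping("/rest")
class ModuleApi {

    // Fixed rule: the endpoint names the authority it needs, so the check travels with the code.
    @PreAuthorize("hasAuthority('MODULE_CRM_CONTACTS')")
    @GetMapping("/crm/contacts")
    public List<String> contacts() {
        return List.of("alice", "bob"); // placeholder data
    }

    // Dynamic rule: the path variables feed the guard, so no per-product interceptor is needed.
    // @P makes the names visible to SpEL even when the class is compiled without -parameters.
    @PreAuthorize("@subscriptionGuard.canAccess(authentication, #product, #module)")
    @GetMapping("/{product}/{module}/items")
    public List<String> items(@P("product") @PathVariable String product,
                              @P("module") @PathVariable String module) {
        return List.of(product + "/" + module + "/item-1"); // placeholder data
    }
}
```

Where the authorities come from depends on the token: with an OAuth2 resource server you would run the mapper inside whatever converts the token's claims into an Authentication, so the decision never depends on the URL. Because the rule sits on the handler method, the remaining risk is an endpoint someone forgets to annotate; keep anyRequest().authenticated() (or stricter) in the HTTP configuration so unannotated methods still require a login, and consider a test that fails the build on any mapping without a @PreAuthorize.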
Related
I am developing a web application where I have React as my frontend and Spring Boot as the backend REST API. I have an authentication mechanism set up where a user can log in with email and password. My application will be used by a group of people in a company. The admin user will log in initially and send invites to other people in the group with predefined access privileges available in the application. How can I implement this type of role-based access in Spring Boot?
I went through Spring Security for role-based access, but I didn't find how to create custom fine-grained roles based on our web application. Can someone please just point me to the path I need to take?
P.S.: I want to implement it the way AWS or other cloud providers implement their IAM roles to assign to different users in their organization, not as complex but with similar functionality.
I am trying to build an application where login is done by SiteMinder SSO. Once login is done I need to get the user info (like roles, permissions) for the logged-in user from LDAP and put it in the session.
Also I am using Spring MVC to expose REST services. I want my REST services to be accessible only for certain roles (like Manager/Admin etc.). Also the UI will display/hide pages based on roles.
I want to know what is the best approach to achieve the above.
Please note I am using spring MVC on WAS7.
I'm working on a GWT application and I have followed this tutorial (http://www.mkyong.com/spring-security/spring-security-form-login-using-database/) to do authentication.
Now I need to handle roles; for example, ROLE_USER can see some GWT widget or can execute some method. I saw that in spring-security.xml it is possible to handle roles based on URL patterns, but that isn't my case.
Can somebody help me with example code? Thanks.
You won't be able to use the Spring roles directly in your GWT application.
You will probably have to roll your own security mechanism on the GWT side, which includes the following steps:
Transmit the Spring roles for the corresponding user from your Spring backend to your GWT frontend (using RequestFactory, RequestBuilder, RPC or the dynamic host page)
If you use an MVP framework (e.g. GWTP) it might support authorization out of the box (for example GWTP has Gatekeepers that provide authorization support for Presenters), or you will have to roll your own authorization framework. AFAIK there is UiBinderAutho, which supports authorization at the widget level.
One important thing: NEVER TRUST THE CLIENT
That means you should always do authorization on the backend side (Spring) as well.
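One way to do the first step on the Spring side, as an added example that is not part of the answer: a small Spring MVC endpoint hands the current user's authorities to the GWT client so it can decide which widgets to render, while the rule that actually protects anything stays on the backend method. The paths, the DTO and the role name are assumptions.

```java
// Added example, not from the answer. Endpoint paths, the DTO and the role name are assumptions.
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class CurrentUserApi {

    /** What the GWT client fetches on startup to decide what to show. Advisory only: it is UI hinting, not a permission. */
    record CurrentUser(String name, List<String> roles) {
    }

    @GetMapping("/api/me")
    public CurrentUser me(Authentication authentication) { // Spring MVC injects the current Authentication
        List<String> roles = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
        return new CurrentUser(authentication.getName(), roles);
    }

    /** The same role enforced server-side: hiding the button in GWT does nothing to protect this method. */
    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/api/admin/reindex")
    public String reindex() {
        return "started";
    }
}
```

The /api/me response can be copied, replayed or simply ignored by a modified client, which is exactly why the answer says never to trust it; the @PreAuthorize on the admin method is the check that counts, and it must be present on every method the UI merely hides.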
I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization in a much simpler manner.
Spring Security would require you to provide an implementation that looks at the request headers and performs the log-in operation programmatically.
Refer to the accepted answer here; I had followed the same and implemented the security layer in front of my REST services (which were built using RestEasy):
RESTful Authentication via Spring
There is an alternate method as well. Refer to:
http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable session creation by declaring stateless authentication in Spring Security; this would help you improve performance considerably when a large volume of hits is made to the stateless REST services.
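As an added example (not the answer's own code, and not Spring Data REST's defaults), here is what the combination looks like for the e-learning case in the question: authorization rules placed directly on the exported repository methods, a query that filters by the caller instead of loading everything, and a stateless, header-authenticated filter chain. The CourseSection entity, the repository, the INSTRUCTOR role, and the paths are assumptions; the imports assume Spring Boot 3 / Spring Security 6 (jakarta.persistence, @EnableMethodSecurity) and the spring-security-data module for the ?#{...} query placeholders.

```java
// Added example, not the answer's own code. Assumed domain: a CourseSection owned by one instructor
// with a set of enrolled students; entity, repository, role and path names are assumptions.
import java.util.List;
import java.util.Optional;
import java.util.Set;

import com.fasterxml.jackson.annotation.JsonProperty;
import jakarta.persistence.ElementCollection;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.rest.core.annotation.HandleBeforeCreate;
import org.springframework.data.rest.core.annotation.RepositoryEventHandler;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.annotation.RestResource;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.parameters.P;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;

@Entity
class CourseSection {
    @Id @GeneratedValue Long id;
    @JsonProperty(access = JsonProperty.Access.READ_ONLY) // shown in responses, never accepted from a request body
    String instructor;
    @ElementCollection Set<String> students;              // usernames of enrolled students

    public String getInstructor() { return instructor; }
    public void setInstructor(String instructor) { this.instructor = instructor; }
    public Set<String> getStudents() { return students; }
    public void setStudents(Set<String> students) { this.students = students; }

    /** Association rule: the owning instructor or an enrolled student may read this section. */
    public boolean canBeReadBy(String username) {
        return username.equals(instructor) || (students != null && students.contains(username));
    }
}

/** Stamps ownership from the authenticated user, so the save rule never trusts a client-supplied owner. */
@Component
@RepositoryEventHandler
class CourseSectionOwnerStamper {
    @HandleBeforeCreate
    public void stampOwner(CourseSection section) {
        section.setInstructor(SecurityContextHolder.getContext().getAuthentication().getName());
    }
}

@RepositoryRestResource(path = "sections")
interface CourseSectionRepository extends JpaRepository<CourseSection, Long> {

    // GET /sections/{id}: load, then decide on the stored row. An empty Optional passes so the client still gets 404.
    @Override
    @PostAuthorize("returnObject.isEmpty() or returnObject.get().canBeReadBy(authentication.name)")
    Optional<CourseSection> findById(Long id);

    // POST/PUT/PATCH /sections: instructors only, and only their own sections
    // (safe because 'instructor' cannot be set or changed through the request body).
    @Override
    @PreAuthorize("hasRole('INSTRUCTOR') and #section.instructor == authentication.name")
    <S extends CourseSection> S save(@P("section") S section);

    // GET /sections would list every row to any authenticated user: hide it and use the filtered search instead.
    @Override
    @RestResource(exported = false)
    Page<CourseSection> findAll(Pageable pageable);

    // GET /sections/search/findMine: filter in the query rather than loading everything and discarding.
    // The ?#{...} placeholders are resolved by the SecurityEvaluationContextExtension bean below.
    @Query("select s from CourseSection s where s.instructor = ?#{authentication.name}"
         + " or ?#{authentication.name} member of s.students")
    List<CourseSection> findMine();
}

@Configuration
@EnableMethodSecurity // enables @PreAuthorize/@PostAuthorize on the repository methods above
class RestSecurityConfig {

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable()) // header-authenticated API with no session cookie, so no CSRF surface
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) // no HttpSession per hit
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())                   // nothing anonymous
            .httpBasic(Customizer.withDefaults()); // stand-in for whatever header scheme the server actually uses
        return http.build();
    }

    @Bean
    SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }
}
```

The two details that matter for security are that every decision is made on stored data (the loaded row in findById, the stamped owner in save) rather than on what the client sent, and that the collection listing is restricted in the query itself; a @PostFilter on a Page would not work and would still have loaded every row. STATELESS means each request is authenticated from its headers and nothing is cached in a session, which is what the answer means by avoiding session creation.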
Can spring Acegi security be used for a social networking application where users can set their security preferences to share their data only with their friends?
The common scenario of the Acegi tutorials is where you want to authorize actions per user role, but what about authorizing users to view specific data, say, only their friends'?
Is it possible to use Acegi for that? How?
Short answer: yes.
Note that Acegi is now part of Spring, and is now known as Spring Security.
As to how to do it, that's a much more complicated question, and likely has as many right answers as there are people willing to try. Your final solution will depend on the needs of the app you're developing, the environment you're in, and the organization you are designing for. I'll assume that you want everyone (or most people) to see the basic information, and that the sensitive information only appears on the page if the requester is a friend.
I believe the most basic means of all will involve using the SecurityContext within your servlets/controllers/resources (far too many ways to design a web app to make assumptions here) and page templates (JSF, JSP, etc.) to get access to the currently authenticated user, and including only the information that user is allowed to access.
The fundamental elements of Spring Security are
- Security Interceptor
- Authentication Manager
- Access Decision Manager
- Run-As Manager
- After-Invocation Manager
The actual implementation of a security interceptor will depend on what resource is being secured. If you’re securing a URL in a web application, the security interceptor will be implemented as a servlet filter. But if you’re securing a method invocation, aspects will be used to enforce security.
A security interceptor does little more than intercept access to resources to enforce security. It does not actually apply security rules. Instead, it delegates that responsibility to the various managers.
By using the proper manager(s) you will be able to fulfill your requirements.
Reference: Manning Spring in Action 2nd Edition August 2007
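As an added example (not from either answer, and using today's Spring Security rather than Acegi), the friends-only rule can be expressed as a PermissionEvaluator plugged into the method-security expression handler; @PostAuthorize and @PostFilter are the modern form of the after-invocation step in the list above, deciding on the loaded object rather than on a role. The Profile record, the friendship store, the permission names and the sample data are all assumptions constructed for the example.

```java
// Added example, not the answer's own code. Friendship-based PermissionEvaluator wired into method
// security; Profile, FriendshipRepository, the permission names and the sample data are assumptions.
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Hypothetical profile: displayName is public, phoneNumber is friends-only. */
record Profile(String owner, String displayName, String phoneNumber) {
}

/** Hypothetical friendship store with constructed sample data (normally a query on the friendship table). */
@Component
class FriendshipRepository {
    private static final Map<String, Set<String>> FRIENDS = Map.of(
            "alice", Set.of("bob"),
            "bob", Set.of("alice"),
            "carol", Set.of());

    public boolean areFriends(String a, String b) {
        return FRIENDS.getOrDefault(a, Set.of()).contains(b);
    }
}

/** Decides hasPermission(target, permission) by relationship to the caller, not by role. */
@Component
class FriendshipPermissionEvaluator implements PermissionEvaluator {
    private final FriendshipRepository friendships;

    FriendshipPermissionEvaluator(FriendshipRepository friendships) {
        this.friendships = friendships;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (!(target instanceof Profile p)) {
            return false;                                        // unknown or missing target: deny
        }
        String me = auth.getName();
        return switch (String.valueOf(permission)) {
            case "VIEW_PUBLIC" -> true;                          // basic info for any authenticated user
            case "VIEW_PRIVATE" -> me.equals(p.owner()) || friendships.areFriends(p.owner(), me);
            default -> false;                                    // unknown permission: deny
        };
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return false; // id-based form is not used here; keep it deny-by-default
    }
}

@Configuration
@EnableMethodSecurity
class ProfileSecurityConfig {
    /** Registers the evaluator behind hasPermission(...) in @PreAuthorize/@PostAuthorize/@PostFilter. */
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(FriendshipPermissionEvaluator evaluator) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        return handler;
    }
}

@Service
class ProfileService {
    private static final Map<String, Profile> PROFILES = Map.of(     // constructed sample data
            "alice", new Profile("alice", "Alice", "+1-555-0100"),
            "bob", new Profile("bob", "Bob", "+1-555-0101"),
            "carol", new Profile("carol", "Carol", "+1-555-0102"));

    /** After-invocation check: load the real row, then decide on it. Non-friends get an AccessDeniedException. */
    @PostAuthorize("hasPermission(returnObject, 'VIEW_PRIVATE')")
    public Profile privateProfile(String owner) {
        return PROFILES.get(owner);
    }

    /** After-invocation filtering: entries the caller may not see are removed from the returned list. */
    @PostFilter("hasPermission(filterObject, 'VIEW_PRIVATE')")
    public List<Profile> privateProfiles(List<String> owners) {
        // @PostFilter removes elements in place, so the list must be mutable (Stream.toList() would throw).
        return owners.stream().map(PROFILES::get).filter(Objects::nonNull)
                .collect(Collectors.toCollection(ArrayList::new));
    }
}
```

With this wiring, alice calling privateProfile("bob") succeeds and privateProfile("carol") is denied, and privateProfiles(List.of("alice", "bob", "carol")) comes back with carol removed. A missing profile is denied as well, since the evaluator refuses a null target, which avoids leaking whether a profile exists. The public view would use 'VIEW_PUBLIC' in the same way; the role-based checks from the Acegi tutorials still apply on top, the evaluator only adds the per-object relationship.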