I don't understand really the logics of the roles/authorities in Spring Security using Spring Boot (despite the documentation).
I would authorise the mapped controller requests according to the logged user.
Could someone help me?
Thank you in advance!
General idea is very easy: you have role in your application, you have a users. Users have the collection of roles(may be empty). Also, all endpoints of you application(controller methods, service methods) can be allowed to reach only for some sets of this roles(see #RolesAllowed annotation). If you try to reach this method(via http request, for example) and you(as user) haven't this roles, you would be banned to get valid response instead you will receive 403 error
I used the following as a reference to add spring security in a rest based application. I hope this helps others as well..
http://www.baeldung.com/securing-a-restful-web-service-with-spring-security
There is a link with sample code to take inspiration.
The idea being in rest we don't redirect and disable these redirections for login and provide alternatives HTTP responses.
Related
I'm using Spring security OAuth 2.0 authorization in a Spring Boot REST API. It works as expected in Postman tests but I don't succeed to make it working from Swagger "Try out". I'm using this post here: How to configure oAuth2 with password flow with Swagger ui in spring boot rest application. This is supposed to work but it doesn't in my case. I just need some clarification on the following method:
private SecurityContext securityContext() {
return SecurityContext.builder().securityReferences(defaultAuth()).forPaths(PathSelectors.ant("/user/**"))
.build();
}
What the /user/** URL stands for ? Does it means that the defined security context should apply on all URL matching the pattern ? Or does it mean that this URL shall be called to get the user details ?
My code is exactly as the one in the post, however, after I fill in the dialog box with the user credentials and scopes, etc. I get "Auth ErrorTypeError: Failed to fetch" and whatever I do I can't get any usefull log message.
It might have something to do with CORS as the HTTP filters, which are called when I'm doing Postman tests, aren't called in this case.
Any suggestion please ?
Many thanks in advance.
Kind regards,
Nicolas
I confirm that the code mentioned in the article works as expected. I was mistaken while performing tests with wrong URLs, etc. Sorry for the smalltalk.
Kind regards,
Nicolas
Hi I am really new to Spring boot and Oauth2. I need to understand how to authenticate Spring boot web service with Oauth2 authentication with refresh token and access tokens. Likewise I need to know how to limit the access of different users (accessing resources) dynamically as well. I have searched in many articles on line and ended up with nothing that I really need to learn. I do not need SSO config with facebook or google. I want to know how to make our own authorization server.
Can anybody please help me to guide or send me a link of a useful tutorial that helps me to learn.
thank you.
This is a very open-ended question. So few links to start with:
Ok, start with OAuth2 Guide then OAuth2 Grant types. These are generic stuff you need to know.
Then In Spring Security OAuth 2 using Spring Boot .
You can basically restrict the API access in Resource Server by using a combination of OAuth scopes and Roles.
And finally, this is an amazing example which shows you how to manage OAuth clients, their grant types, tokens and so on.
Please get back with specific queries, it would be easier to help.
I have a small problem at the moment. The problem is that my web service is RESTful. Consequently, I need a stateless session for Spring Security in order not to break REST conception. I want to get the current user information and since my Spring Security session is stateless I don't know how. I also wanted to use #PreAuthorized annotations, but, now, it's impossible too for the reasons, I wrote above. Honestly, I'm new to REST services and I would be grateful for a piece of advice.
Thank you in advance.
So the problem is in JSESSIONID. Spring use it as token in security filter chain to get UserDetails. But it's not good practice to use JSESSIONID for REST.
Briefly:
I suppose you should use Spring OAuth/OAuth2 for authorization. You will have to configure AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter. Then you will be able authenticate your user -> obtain access_token and refresh_token. After that you can use access_token for your REST requests, for example as HTTP header Authorization: Bearer access_token. When access_token become expired you should use refresh_token to refresh it. As usually you will be able to access UserDetails via SecurityContextHolder.
Hope it's useful for you.
I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization is much simpler manner.
Spring Security would require you an implementation that looks at request headers and performs the log-in operation programmatically.
Refer the accepted answer here.. I had followed the same and implemented the security layer in front of my rest services ( which were build using RestEasy )
RESTful Authentication via Spring
There is an alternate method as well..
Refer
http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable the session creation by declaring the stateless authentication in spring security, this would help you improve the performance considerably when large volume of hits are made to the state-less REST services..
Form based Authentication for Spring based Application
I need to design Login page such way that Authentication upon login user and subsequent web request will validate if user is logged or not and redirect to the login page if not logged in . This is classical web application login flow. The authentication needs to be done via custom logic (application specific).
Can you provide sample Spring configuration 3.5 or working example application does this ? One approach is do login check via Web Filter and have login controller. Is there a better way doing via Spring Security model ? Any help will be greatly appreciated.
Thanks,
Bmis13
The default way would be to use the spring securtiy filter chain.
Spring Security has already everything to do form based authentication, the only thing you need to do is
configure it
write an jsp page (with the two input fields for user name and password)
See this create article: http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/ it explain the first steps.
And have a look at this article too: http://www.mkyong.com/spring-security/spring-security-form-login-example/ - It set some default values (urls) this make it more clear how the filters works.