How to integrate Spring Security with dotCMS - gradle

I need to deny unauthenticated users access to some website pages. I know that dotCMS roles can do that, but I need to guarantee that Spring does the same job.
Is it possible to apply Spring Security in dotCMS?
I tried to implement some security with Java Config but with no success.
I've seen this post but it wasn't conclusive to me.
I didn't find any other example of this on the web.

I am not (by any means) an expert with Spring Security, but it seems I would add the Spring Security filter (via a plugin) to dotCMS before the dotCMS filters and use it to secure your dotCMS via URLs. You might want to write a custom filter that checks the dotCMS roles for the proper permissions. It depends on your case.

Related

Spring Boot Oauth2 mapping google users to mine

I'm just wrapping my head around OAuth2. I have a Spring Boot app with its own users and roles system handled by Spring Security 5. Internally I use email to identify users, and I want people who registered with their Gmail addresses to be able to log in through OAuth2. Or, more generally, how do I make one of my users log in to my app using OAuth2? If you need code or more information just ask. Thanks in advance.
As far as I understood your question, you are looking for a general approach to authenticate users of your Spring Boot application with the help of the OAuth2 protocol.
In your case you will probably use Google as the authentication provider and your application as the resource server, according to the OAuth2 standard wording. First of all, to answer your general question, there are different ways of using OAuth2 to authenticate users. Good starting points are these links:
https://www.rfc-editor.org/rfc/rfc6749
https://auth0.com
To find the proper way of implementing OAuth2 for your usecase I recommend using this decision tree: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
For starting to implement OAuth2 in Spring Boot you can use several Spring Security projects with further documentation:
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html#boot-features-security-oauth2
https://docs.spring.io/spring-security-oauth2-boot/docs/current-SNAPSHOT/reference/htmlsingle/
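As an added example (not code from the question or the answer above), the following Spring Security 5 Java config shows one way to do what the question asks: let Google (OpenID Connect via `oauth2Login()`) authenticate the user, then map the Google identity onto one of the application's own users by email and hand out the local roles instead of Google's. The class name, the `/admin/**` path and the in-memory `LOCAL_USERS` map are assumptions standing in for the application's real user repository; the `email_verified` check is the important part, because an unverified email claim must not be allowed to unlock a local account.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

@Configuration
@EnableWebSecurity
public class GoogleLoginConfig extends WebSecurityConfigurerAdapter {

    // Constructed stand-in for the application's own user store (email -> local roles).
    // A real application would look these up in its database instead.
    private static final Map<String, List<String>> LOCAL_USERS = new HashMap<>();
    static {
        LOCAL_USERS.put("alice@gmail.com", Arrays.asList("ROLE_USER", "ROLE_ADMIN"));
        LOCAL_USERS.put("bob@gmail.com", Collections.singletonList("ROLE_USER"));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login/**", "/oauth2/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .userInfoEndpoint()
                    // Replace the default OIDC user service with one that maps to local users.
                    .oidcUserService(localAccountMappingUserService());
    }

    @Bean
    public OAuth2UserService<OidcUserRequest, OidcUser> localAccountMappingUserService() {
        // Let the stock service validate the ID token and fetch the Google user first.
        final OidcUserService delegate = new OidcUserService();
        return userRequest -> {
            OidcUser googleUser = delegate.loadUser(userRequest);

            // Refuse to map an identity whose email Google has not verified: otherwise
            // anyone who can register an unverified address could claim a local account.
            String email = googleUser.getEmail();
            if (email == null || !Boolean.TRUE.equals(googleUser.getEmailVerified())) {
                throw new OAuth2AuthenticationException(
                        new OAuth2Error("email_not_verified"),
                        "Google identity has no verified email address");
            }

            // Only people who already registered locally may log in this way.
            List<String> roles = LOCAL_USERS.get(email.toLowerCase(Locale.ROOT));
            if (roles == null) {
                throw new OAuth2AuthenticationException(
                        new OAuth2Error("unknown_user"),
                        "No local account is registered for this Google identity");
            }

            // Authorities come from the local account, not from anything Google sent.
            Set<GrantedAuthority> authorities = roles.stream()
                    .map(SimpleGrantedAuthority::new)
                    .collect(Collectors.toSet());

            // Keep the validated ID token and user info, but name the principal by email
            // so the rest of the app sees the same identifier it already uses.
            return new DefaultOidcUser(authorities, googleUser.getIdToken(),
                    googleUser.getUserInfo(), "email");
        };
    }
}
```

With this in place the only Google-specific configuration left is the client registration in `application.properties` (`spring.security.oauth2.client.registration.google.client-id` and `client-secret`); the local user store, not Google, decides who gets in and with which roles.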

Container Managed Security, Spring Security and Authentication

I have been looking everywhere on how I can implement Spring Security based on a Container Managed Security Model. In my test case, I am using Tomcat and its corresponding tomcat-users.xml file. The issue is, I cannot get Spring Security to play well (meaning pass authentication over to Tomcat) to let the app server perform the authentication and have Spring manage the role based security once someone is authenticated. I am using the latest Spring versions, so it's all Java config as I am just not familiar enough with XML based config. I have read many examples that talk about using a PreAuthenticatedAuthenticationProvider but the examples are poor, not to mention the Spring documentation is quite confusing IMHO. I even downloaded the sample preauth code from the Spring Security GitHub but I still cannot see how the example code is tied to the authentication that Tomcat is performing. When I run the Spring sample code for preauth, it doesn't authenticate with any of the users in my tomcat-users XML file as I deployed my code to Tomcat 8. Wondering if anyone has any ideas on where I can look in order to understand how Spring Security and the authentication performed by Tomcat (container managed) happens?
UPDATE:
It appears I had to start from scratch and simply get the authentication to work with a very simple app created in my IDE. Basically I had a folder that was called secure, one folder that was called unsecure, and I mapped the paths according to the Servlet 3 spec to secure and unsecure what I needed. I had to use a web.xml in order to contain the security constraints. Once I tested in both Tomcat 7 and 8, where I tried to hit a secure URL, I was challenged to enter an ID and password. Please note you have to define the path to a login page; mine was a simple JSP. I also had to submit to j_security_check and also make sure to use the j_username and j_password field names. Once I knew I could hit a secure page, I then started introducing the Spring components. This involved Spring Security, Spring Boot, etc. The key was in the WebSecurityConfigurerAdapter. Where I normally would have basic auth or form based security enabled, I removed those and instead used the jee() setting based on the same fluent builder API used to configure your security settings. I left all antMatcher settings in the web.xml, so my WebSecurityConfigurerAdapter was very basic. When you are debugging controllers, you can inject the HttpServletRequest directly in the method and that request contains a userPrincipal request value containing things such as the user ID and roles. Good luck, hope this helps others because it was painfully long for me to figure out such a simple solution.
See the update for a detailed explanation on my solution.

Need for RestApi authentication

I developed a REST API using Java/Spring MVC.
Can we provide authentication for a REST API? If yes, how?
Now I am struggling with authentication for the REST API. Can anyone send some examples regarding the same?
I am accessing the REST API through AJAX requests.
Since you are already using Spring, you can use Spring Security to provide security related functionality. This can give you a one stop solution for your security needs. Common security mechanisms for REST APIs (basic, digest) and features are supported out of the box and it's very easy to add your custom security too. For a starter tutorial you can have a look here.
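As an added example (not code from the question or the answer above), here is a Spring Security Java config for the case the question describes: a Spring MVC REST API under `/api/**` called from AJAX, protected with HTTP Basic. Three details matter for an API consumed by scripts rather than by a browser's address bar: no server-side session is created (each request must carry credentials), unauthenticated requests get a plain 401 instead of the `WWW-Authenticate` challenge that makes browsers pop up a login dialog, and the CSRF token is exposed in a cookie the AJAX code can read and echo back. The class name, the `/api/public/**` path and the in-memory `api-client` account are assumptions for the example.

```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class RestApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Delegating encoder stores hashes with an {id} prefix (bcrypt by default),
        // so the stored form can be migrated later without a code change.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo account; a real deployment backs this with a database, LDAP, etc.
        auth.inMemoryAuthentication()
            .withUser("api-client")
            .password(passwordEncoder().encode("change-me"))
            .roles("API_USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This configuration only applies to the API; web pages can have their own.
            .antMatcher("/api/**")
            .authorizeRequests()
                .antMatchers("/api/public/**").permitAll()
                .anyRequest().hasRole("API_USER")
                .and()
            .httpBasic()
                // Return a bare 401 rather than a Basic challenge, so browser AJAX
                // callers see a clean error instead of the native login popup.
                .authenticationEntryPoint((request, response, ex) ->
                        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized"))
                .and()
            .sessionManagement()
                // No HttpSession: every request must present the Authorization header.
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf()
                // Browsers cache Basic credentials and resend them automatically, so
                // state-changing calls still need a CSRF token. The XSRF-TOKEN cookie is
                // readable by JavaScript on purpose; the client copies it into the
                // X-XSRF-TOKEN header on POST/PUT/DELETE.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

An AJAX caller then sends `Authorization: Basic <base64(user:password)>` on every request and, for anything other than GET, the `X-XSRF-TOKEN` header copied from the `XSRF-TOKEN` cookie. Because Basic only base64-encodes the credentials, the API has to be served over HTTPS.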

What makes Spring Security worth using?

I am a beginner and I read some parts of Spring Security.
From the docs:
"Spring Security provides you with a very flexible framework for your authentication and authorization requirements."
But I didn't get the actual goal behind Spring Security. Why do I need Spring Security when I can achieve the same thing manually with a simple Java filter?
What makes Spring Security worth using?
I'd appreciate it if anyone can explain in simple words and mention some use cases for that.
refer
http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/faq.html#faq-web-xml
Spring Security isn't only for protecting pages; it can also protect methods and do ACLs on your domain objects. It prevents (or at least makes it more difficult to do) session hijacking, and it also has support for concurrent session control (a single user can log in only a maximum of x times at once).
The current release also has support for security headers and out-of-the-box CSRF protection for your forms.
Next to all that, it provides, out of the box, multiple ways of storing your security related data, be it in files, a database, LDAP or Active Directory.
Whilst you might be able to do simple protection of pages in a filter, it doesn't give you any of the added benefits of Spring Security.
Finally, Spring Security has been battle tested and is used by many companies, small to large, whilst your simple custom filter isn't.
I have configured security on enterprise projects in both ways. Here are the benefits of using Spring Security over writing a filter:
1) Ease to Use & Configure
2) Multiple Auth Provider (i.e. LDAP, SSO, etc)
3) Maintainability
4) Ease to implement Session Management
5) Ease to implement Remember Me Functionality

Spring security tied to Apache Tomcat tomcat-users.xml UserDatabaseRealm

I'm adding Spring security to an internal website. I've been asked to have the authentication be tied to tomcat-users.xml, so that we can cut down on the number of passwords to change/remember.
From what I've been able to Google up, this isn't very straightforward, if at all possible.
Things are working fine, for now, with a user + role hardcoded in springSecurity.xml.
You can treat container security as a pre-authenticated scenario.
There's a sample app in the codebase which uses this approach. It uses explicit bean configuration, but there is also a <jee> namespace element available.
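As an added example (not the sample app Luke refers to, and not code from the update in the Container Managed Security question above), this is the pre-authenticated setup both of them describe, in Java config: Tomcat authenticates against tomcat-users.xml and enforces the web.xml `security-constraint`, and Spring Security's `jee()` support reads the container's `getUserPrincipal()` and `isUserInRole()` results instead of running its own login. The class names, the `/secure/**` paths, the `login.jsp` page name and the `ROLE_ADMIN`/`ROLE_USER` role names are assumptions; the role names you pass to `mappableAuthorities()` must match the role names declared in web.xml and used in tomcat-users.xml exactly, because that is the string Spring asks the container about.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/*
 * Container side (web.xml). Tomcat challenges for anything under /secure/ with the
 * FORM method, so the login page must POST j_username and j_password to
 * j_security_check. Nothing below is Spring-specific; it is plain Servlet security.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>secure</web-resource-name>
 *       <url-pattern>/secure/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>ROLE_ADMIN</role-name>
 *       <role-name>ROLE_USER</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <security-role><role-name>ROLE_ADMIN</role-name></security-role>
 *   <security-role><role-name>ROLE_USER</role-name></security-role>
 */
@Configuration
@EnableWebSecurity
public class ContainerAuthConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No formLogin() or httpBasic(): the container has already authenticated
            // the user, and Spring only trusts what the container reports.
            .jee()
                // Only the roles listed here are queried with request.isUserInRole() and
                // turned into Spring authorities; any other container role is ignored.
                // mappableAuthorities() uses the names as given (no ROLE_ prefix added).
                .mappableAuthorities("ROLE_ADMIN", "ROLE_USER")
                .and()
            .authorizeRequests()
                // Spring can narrow what the container allowed, for example an admin area.
                .antMatchers("/secure/admin/**").hasRole("ADMIN")
                .antMatchers("/secure/**").hasAnyRole("ADMIN", "USER")
                .anyRequest().permitAll();
    }
}

@RestController
class WhoAmIController {

    // Shows both views of the same login: the container principal on the request,
    // as the update above describes, and the Spring Authentication built from it.
    @GetMapping("/secure/whoami")
    public String whoAmI(HttpServletRequest request) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return "container principal: " + request.getUserPrincipal().getName()
             + ", spring authorities: " + authentication.getAuthorities();
    }
}
```

The division of labour is the point: if the container never authenticated the request, `getUserPrincipal()` is null and `jee()` produces no Authentication, so the `/secure/**` rules above reject it; Spring Security never sees a password and never needs access to tomcat-users.xml.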
This could be done as a pre-authenticated scenario as Luke indicates, but I do not suggest that option. When you are using the Tomcat XML file you are using MemoryRealm, but you could switch to JDBCRealm and have both sets of users (Spring and Tomcat) stored in the database. I suggest this for maintenance, consistency and security. If you change your servlet container you will have to migrate your security users and roles.
https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#MemoryRealm