Container Managed Security, Spring Security and Authentication - spring

I have been looking everywhere on how I can implement Spring Security based on a Container Managed Security Model. In my test case, I am using Tomcat and it's corresponding tomcat-users.xml file. The issue is, I cannot get Spring Security to play well (meaning pass authentication over to Tomcat) to let the app server perform the Authentication and have Spring manage the role based security once someone is authenticated. I am using the latest Spring versions, so it's all Java config as I am just not familiar enough with XML based config. I have read many examples that talk about using a PreAuthenticatedAuthenticationProvider but the examples are poor not to mention the Spring documentation is quite confusing IMHO. I even downloaded the sample preauth code from the Spring Security GIT hub but I still cannot see how the example code is tied to the authentication that Tomcat is performing. When I run the Spring sample code for preauth, it doesn't authenticate with any of the users in my tomcat-users XML file as I deployed my code to Tomcat 8. Wondering if anyone has any ideas on where I can look in order to understand how Spring Security and the authentication performed by Tomcat (container managed) happens?
UPDATE:
It appears I had to start from scratch and simply get the authentication to work with a very simply app created in my IDE. Basically I had a folder that was called secure, one folder that was called unsecure and I mapped the paths according to the Servlet 3 spec to secure and unsecure what I needed. I had to use a web.xml in order to contain the security constraints. Once I tested in both Tomcat 7 and 8, where I tried to hit a secure URL, I was challenged to enter an ID and password. Please note you have to define the path to a login page, mine was a simple JSP. I also had to submit to the j_security_check and also make sure to use the j_username and j_password field names. Once I knew I could hit a secure page, I then started introducing the Spring components. This involved Spring Security, Spring Boot etc. The key was in the WebSecurityConfigurerAdapter. Where I normally would have basic auth or form based security enabled, I removed those and instead used the jee() setting based on the same fluent builder API used to configure your security settings. I left all antmatcher settings in the web.xml, so my WebSecurityConfigurerAdapter was very basic. When you are debugging controllers, you can inject the HttpServletRequest directly in the method and that request contains a userPrincipal request value containing things such as the user ID, and roles. Good luck, hope this helps others because it was painfully long for me to figure out such a simple solution.

See the update for a detailed explanation on my solution.

Related

Spring Security with SOAP web service is working in Tomcat, but not in WebLogic

I have created a sample SOAP Web Service project (spring boot) and trying to integrate Okta as a resource server for authentication.
I am able to deploy the application to WebLogic, but when testing the service using SOAP UI, it gives the response even when there is no Token included in the header.
When I access WSDL from a browser using my wsdl url, http://myhost:port/appservice/app.wsdl I see the 401 error, so I think it is picking up the Security config changes. But it is not working for SOAP requests, I would get response even with out Okta token.
Is it because for SOAP requests, do I need to include any interceptors on top of Security Config java file. Or am I taking a wrong path for security with SOAP. Can someone let me know what am I missing or point me to right direction. Is token validation part of WS-Security? or the authentication manager in Okta resource server enough for this?
I followed this documentation to create it.
I have read most of the SO questions related to this and spring documentation, but could not connect the missing dots. Please help me with this. After spending lot of time, I felt like I was moving in circles.
UPDATE:
I have enabled spring security debug logs by doing below
#EnableWebSecurity(debug=true)
logging.level.org.springframework.security.web.FilterChainProxy=DEBUG
UPDATE2:
I haven't made any big changes to my configuration, but when I ran the project on embedded tomcat locally, it started working. To run on Tomcat, I changed packaging from war to jar, excluded Tomcat in my POM and in my Main class, I had to remove the SpringBootServletInitializer and WebApplicationInitializer. That's it. I tested SOAP UI with the Okta bearer token and it gave me response. With out the token it did not give me response.
Spring Security not working only in case of WebLogic12c. I don't know what I am missing to include for that to work in WebLogic. when deployed through Tomcat, request is passed through all the beans in Security Filter Chain {
WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter,
LogoutFilter,
BearerTokenAuthenticationFilter,
RequestCacheAwareFilter,
SecurityContextHolderAwareRequestFilter,
AnonymousAuthenticationFilter,
SessionManagementFilter,
ExceptionTranslationFilter,
FilterSecurityInterceptor}
But on WebLogic, the request is passed only through first four beans in Security Filter Chain {WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter}
I just wanted to update the alternate solution I found for this problem, for completeness.
Spring Security Filter chain was not working for Weblogic, where as same was working in Tomcat, even for Weblogic version 12.2.1.4.
I had followed this example, and implemented Okta filter as spring boot version was not working in Weblogic 12.2.1.4.
Thanks to #Toerktumlare, I have implemented logging with logback-spring.xml

How to configure Spring Boot Tomcat Basic Auth together with Spring Security?

I'm currently trying to make a Spring Boot app. I've managed to create successfully user authentication using LDAP and custom logic.
However, I'm trying to add another layer of security on top of that, something like "htaccess" to prevent unauthorized users from even seeing the web page (client requirement), as well as stop Google from indexing the page. This can be a single predefined user (doesn't need to be connected to ldap auth).
I've read about configuring the tomcat realm, tomcat-users etc. but since it's Spring Boot app with embedded tomcat, I can't find a place to successfully configure it.
Does anyone have any idea how to create such setup?

How to integrate Spring Security with dotCMS

I need to deny unauthenticated users to access some website pages. I know that dotCMS roles can do that, but i need to guarantee that Spring do the same job.
It's possible apply Spring Security in dotCMS?
I tried to implement some security with Java Config but with no success.
I've seen this post but it wasn't conclusive to me.
I didn't find any other example of this on the web.
I am not (by any means) an expert with Spring Security, but it seems I would add the Spring Security filter (via a plugin) to dotCMS before the dotCMS filters and use it to secure your dotcms via urls. You might want to write a custom filter that checks the dotCMS roles for the proper permissions. Depends on your case.

Spring security tied to Apache Tomcat tomcat-users.xml UserDatabaseRealm

I'm adding Spring security to an internal website. I've been asked to have the authentication be tied to tomcat-users.xml, so that we can cut down on the number of passwords to change/remember.
From what I've been able to Google up, this isn't very straighforward, if at all possible.
Things are working fine, for now, with a user + role hardcoded in springSecurity.xml.
You can treat container security as a pre-authenticated scenario.
There's a sample app in the codebase which uses this approach. It uses explicit bean configuration, but there is also a <jee> namespace element available.
This could be done as a pre-authenticate scenario as Luke indicates but I do not suggest that option. When you are using tomcat xml file you are using MemoryRealm but you could switch to JDBCRealm and have both users (Spring and Tomcat) stored in the database. I suggest this for maintenance, consistency and security. If you change your servlet container you will have to migrate your security users and roles.
https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#MemoryRealm

Sharing security context between few web applications

I need to have web application which actually consist from few separate wars unified into same navigration bar on UI, i need to have all system secured but have authentication only to main web application and after automatic propagation of this security context to sub web applications. I'm using spring security, could someone help me with advice? thanks
This can be achieved by following approach. In Spring, SecurityContext by default is stored in HttpSession. Instead you can configure it to store in some shared repository.
So, configuration should be changed to use your own SecurityContextRepository implementation instead of HttpSessionSecurityContextRepository. Once configured, the security framework will look at the Repository which is available to all your web applications.
The Repository can be either a database or a cached server.
Spring Security stores the login data in the http session. So what I would try is to share the session between the applications.
It seams that this is possible (in Tomcat) by using the Single Sing On attribute.
But be warned, sharing the session between two applications is not without danger. See this Stack Overflow question.

Resources