My requirement is authenticate the login request to the Active Directory LDAP and to the local db as the user may be created manually or by the LDAP.
I am loading all the users i my database in a users table but i want to make the dynamic login to LDAP for the ldap users if user did not get authenticated by LDAP with invalid login or invalid user then only i need to authenticate it to the db.
Am not certain on this, so obviously please confirm, but in your Spring security.xml, set up two authentication providers under your authentication manager, first your ldap one and then your database one. A failure with the LDAP authentication should cause the DB one to activate and give the user a second chance to authenticate with the same credentials. Also see this article for some testing I had done earlier with Active Directory and Spring Security.
Related
I'm using keycloak for authentication and authorization, I want to get the active session information of the users or the user, but I couldn't find such information in the docs.
If there is an active session belonging to the user, I want to prevent this user from deleting it, so I need such information.
If we can't get the active session information, I can accept a different alternative answer.
I am using Spring boot and keycloak version 15.0.2.
You can get this API
"Get user sessions for client Returns a list of user sessions associated with this client"
GET /{realm}/clients/{sessionId}/user-sessions?first={startIndex}&max={numberUser}
It is located in https://www.keycloak.org/docs-api/15.0/rest-api/index.html
This is demo
Get master admin token
Get the list of "Account-console" client ID
Get the it's users session
It should be match with Keycloak UI's client session information
if you want to prevent a deletion session of user, remove assigned realm management role
Then he/she can't call remove a user session API
"Remove a specific user session"
DELETE /{realm}/sessions/{sessionId}
I am going to deploy a small spring boot application on a server running on my company network. Its a Spring boot application and i need to implement the Authentication/Authorization using an existing OAtuh2 authentication server .
Now the requirement says: If i am already logged in to my network, it should do an SSO sign-in to the application using a token from existing oAuth server that is being used. If not logged into the network, it should not allow me to get to the application.
Also I wanted to know if i can extract various roles and permissions associated with a user from an oAuth2 token as i need to populate data based on user Permissions . Is this possible to extract this info from an oAuth token or Is this possible only possible via a JWT token? Which will be the best approach to solve this?
I created an entity with crud operations.
I have used spring-boot, spring-security, oauth2, jwt.
By this article http://sivatechlab.com/secure-rest-api-using-spring-security-oauth2-jwt/
Why do I need to create the table oauth_client_details?
When I want to login, first I need to enter login and password from oauth_client_details
And after that enter username and password for my user
How should I tune login for my entity and receive a token after success login?
If you use JdbcTokenStore, you need to setup oauth related table in database. In my template project, I use JwtTokenStore for oauth2 stateless.
So, you don't need any oauth related table. Here complete spring-boot-rest api sample project. You can reference the following thing
spring-boot
mybatic with mysql
ExceptionHandlerAspect
LoggingAspect with log4j2
ResponseBodyAdvice
ResponseEntityExceptionHandler
spring-security-5 with oauth2
Run DB.sql for database setup in src/main/resources.
When I want to login, first I need to enter login and password from oauth_client_details
If you use oauth, you have to know your application structure. Oauth2 have the following flow -
Authorization Code Grant
Implicit
Client Credential Grant
Password Grant
In my application, I use Implicit because of - We have
Server REST API (spring-boot)
Web Site (client)
Mobile App (client)
Customer/User (Actual User)
So according to oauth, client(web site or mobile app) need to authenticate itself.
Otherwise, you cannot get access_token. Read more here.
I have an application and API. I am using Spring and Spring security for both. Authentication is required to access API.
I configured RESTFUL web service only respond when authentication is successful (handling with JSESSIONID after login) which makes querying database not possible if user is not logged in or credentials are wrong. But somehow, I need to access database and make some changes for forgotten password. I need to check if requested email is on the record. Also, update the database after password change. eg; If I make 'UPDATE USER' action permitAll(), there will be a security problem.
Can you give me some ideas to handle that problem?
You can create some user with permissions to change password and later when changing password automaticly login this user -> send request ->logout user and all of that behind user view.
I want user to be authenticated by using its windows login credentials without explicitly showing him login page. The user will just login to his machine and when we will try to open the url he will be authenticated by spring security using his windows login credentials and data related to his role will be fetched from AD. How can I achieve this?
Adding to this question, what I need to do if machine is non-window? say CentOS?