Is there any facility in spring security for using two different authentication managers for one security http tag.
I need functionality like when the user try to login, first I will check in RDBMS if not success then I will check in LDAP
How can I achieve this theme? Is there any way to achieve this?
Related
I have a complex situation where I need to implement a security for web app on tomcat 8 that serve both static html and rest services. the app is spring mvc application (no spring boot)
the authntication ( sso ) process will go as follow:
if user jwt not exist in http header then authonticate with ldap, getting user authorities from db and create jwt back to user.
if jwt exist in header, skip ldap filtering , extract the user authorities from token.
I was thinking of first servlet filter that uses spnego library and get the windows domain name (user name to use in ldap) that filter will also check to see if ldap authontication is needed ( if token not provided) and pass it back to spring filter chine through http params..
I'm struggling to implement he ideal.
please help.
thanks
As I know, there is support for LDAP in spring security, might be it will help you.
Other than that, if you want to write your own filters then you have to add those in spring security filter chain.
I am using spring security for my spring multitenant application. I am using spring security 3.2
I am using spring security for my spring multitenant application. My requirement
is tenant1 should be authorized against oauth and tenant2 should be authorized
against ldap and tenant3 should be authorized against database. I will be knowing
the authorization method for the tenant through properties file. I am able to
authorize user against any single authorization method. But i am not able to
configure for multiple authorization methods. Please someone give any suggestions
on this.
In case of web application, you can use different login URLs and allow user to choose authentication method. Then separate security filters should be applied for each URL.
You can check this configuration: https://code.google.com/p/opendatakit/source/browse/eclipse-aggregate-gae/war/WEB-INF/applicationContext-security.xml?repo=aggregate
I am new to Spring Security and am mulling over the idea of using it or not in my application.
The requirement is as follows :
In my web application i store a session information inside the database,a key for this is stored in a cookie
2.Now whenever someone tries to access a url which is not according to the flow i want to deny access.
3.Can i use Spring Security for this.
I am using Spring MVC,Mongo DB and MySQL as the develeoment environment.
Regards,
Abhishek
If you're trying to simply control the flow of an application, I'd suggest using Spring Webflow. This allows you to define set flows in a multi-page application.
Spring Security can be used to control flows, but only for access control. It integrates well with Webflow (and with Spring MVC) to ensure you can secure some or all of your flows.
I started working on JAAS with SSO,I have some doubt about JAAS. JAAS (Java Authentication and Authorization Service) framework to cater to multiple authentication mechanisms. The SSO server validates sign-on information against its own database or an external directory server and returns the session context and list of applications that the signed-on user can execute.Here i want to implement one more web application's.As per my knowledge the SSO JAAS will return Session context. In my client web applications already, i have acegi security for authentication, using my acegi security how can i get the session context from my SSO JAAS for Authorization.I am trying to find out any configuration sample , but still I did't get any work around example.
Take a look at this spring security configuration. It is not exactly what you want but it will show you the way
Key points
Check how authentication-manager is defined by using
PreAuthenticatedAuthenticationProvider. The preAuthenticatedUserDetailsService property defines a bean that will allow you to create your spring security UserDetails object from the JAAS Authentication object
The j2eePreAuthFilter filter is the one that will delegate security from JAAS to spring security.
The rest is standard spring security configuration
Hope it helps a bit
I wonder if its possible to config spring security with a ldap as authentication provider so that only some of the users in the ldap is getting access? Is it possible to config it so that I can write in the names of the users that is giving access?
Im using Spring 3.1
Yes, it is posible, see the spring documentation. Your second question is not clear for me. Do you mean that, once the user from ldap is authenticated you want to display the user name? Thas is possible.