I have a requirement in grails spring security.
When the user logs in to the application, check if ldap is available, then authenticate using ldap.
If ldap is not available, then authenticate using database.
Please let me know if it is possible.
My App does the following,
it checks for the user in ldap, if the user is not available in ldap, then it checks database which is ok, if ldap is not reachable for some reason, then it is failing with an error "unable to connect to ldap server"
but my requirment is, If ldap is not reachable, then authenticate with database.
Related
I have a legacy desktop application that communicates with a Spring Boot server (latest version 2.2.2.RELEASE). I'm using OAuth2 for authentication (provided by spring-boot-starter-oauth2-client). I want to avoid changing the client because is a legacy application. It is capable of collecting the credentials and start the session via HTTP Basic Authentication, and then keep the cookies for the session in the following requests.
Given this scenario, I think best option is to make use the OAuth2 Resource Owner Password Credentials grant. With this, we can exchange the collected credentials by the OAuth2 Tokens. We have two options:
Option 1:
Modify the client application to use the access tokens via the Authorization header. This will require to make an initial call to the Authorization Provider to exchange the collected credentials by the tokens.
Option 2:
Keep using the Spring session and store the information about the OAuth client in the server.
I found this project ALMOST does that: https://github.com/jgrandja/spring-security-oauth-5-2-migrate. It has a client (messaging-client-password) defined with authorization-grant-type: password which will activate the OAuth2 Resource Owner Password Credentials grant in Spring Boot.
It creates an OAuth2 client and stores its information in the session, then Spring is able to use that client in further requests. The problem with this project is it seems to only work as when the OAuth client is used to make HTTP requests (e. g. an endpoint that makes a call to another service) and not provide authentication to the controller. You can find more information about this in here:
Spring Security 5.2 Password Flow
Github related issues: link1, link2, link3
Exception thrown when we try to use the password client as authentication
The natural idea to overcome this is to implement a proxy and use the OAuth2 client in the requests. Well, Spring already offers a proxy solution, the Spring Cloud Gateway. But I don't know to accomplish that with this setup.
Any insights? Am I thinking correctly or should I follow a different approach?
I have an architecture where my user application wants to use a basic authentication when accessing a spring service. This service has to use a Keycloak instance to verify the user/pass of the user application. I don't succeed to configure it (and don't know if its possible).
Yes, it is possible. Keycloak has Spring Security adapter that can be configured for Client and/or Resource Server.
https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_security_adapter
And also a working example here:
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-spring-security
I already could add multiple authentication providers as mentioned in Adding multiple authenticaion providers. Now Spring will check in both LDAP and database for users.
However my use case is little different. I want to bind a authentication provider per a client, not check in all providers. Say for clients with clienti_d1 and client_id2 it will check users in LDAP and for client_id3 it will check database. Basically LDAP based authentication for internal apps and database based authentication for external apps.
POST /oauth/token for client_id1:secret1 => hit LDAP authentication
POST /oauth/token for client_id2:secret2 => hit DB authentication
I've been given a requirement that an application must be configurable to use either LDAP or container-managed authentication. The LDAP requirement has already been fulfilled, but the container-managed, in this case the container is Tomcat, remains a head-scratcher. How do I use the existing Spring Authentication framework to authenticate a users details against tomcat-users.xml?
Many thanks
Angus
I have configured spring security using ldap authentication.
I have also configured the remember me service for this.
But the LdapUserDetail returned by the LdapService doesnt contain
the password . Hence the rememberme service (TokenBasedRememberMeServices )is not able to generate the token.
Could some one help me out here as to what could be the issue .
1.Should we do any CustomUserAttributingMapping or
2.The password is restricted read at the ldap server
or any other thing