Customizing Spring Session - spring-boot

I am using Spring Boot with Spring Session for storing session data. Users log in to the application with Spring Social. As a result, the saved security context has a SocialAuthenticationToken. This means that other web apps sharing the session data need to use Spring Social and also have access to the social tokens.
What I'd like to do is save the sessionAttr:SPRING_SECURITY_CONTEXT with a token that is available through Spring Security only. Furthermore, I'd like to add a second Redis key for the social information.
Where are the extension points for adding this kind of customization to Spring Session? I would like it to be as unobtrusive as possible.

Related

Refresh Token Rotation in Spring Boot

We use Spring Boot for OAUTH2 implementation which is very good in supporting all kinds of grants and follow the standards.
We would to like Refresh token rotation as below to use in Single Page Application
https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation
I know the default spring boot doesn't support it. Is there any way to support this feature with existing Spring security.

How to get principal - user information from a spring boot restApi which has security configured in to a client spring boot app?

I have two spring boot application. One is Rest and the other one is Spring boot web MVC app which consumes the Rest. The Rest has spring security configured and I want to login/logout from the client app. The client app has nothing but view and controllers to interact with the rest api.
I am using rest template to interact with the api now.
If the client app is not secured so any other anonymous app may do the same, and this is not security, it's a sieve ...
If you want to create a custom authorization/authentication, you can create own protocol and use tokens/JWT (possibly, OpenID or other global technology) and exchange information between applications.
But there is technology to do it all centrally and reliably - OAuth2, and Spring has it 'from the box' - authorization server, resource server, client. The most advantage - multiple applications (clients), one authorization - you create one user and can authenticate it on any client with the same credentials. You can customize it with JWT, and use any data in the access token and as a consequence get any information about principle/authorization.

Spring boot stateless security with redis cache data

While doing some practice examples to learn spring security, I come up with some following use case. But I did not find best possible approach using spring security. Could some one please help me on this
I have angularJs application, Spring boot application running on different servers . In redis cache I have user info(role, and some other info) with gsid as key. In each rest call I am passing gsid as cookie. Now I want to validate each request in the Spring security Filter by fetching user info from the redis cache before sending to #Restcontroller.
what could be best approach to authenticate and authorize the request using spring boot security.
Use spring-session with redis, it also provides integration with spring-security.

Spring Security - Preventing Users access to a page if an id is invalid

I am new to Spring Security and am mulling over the idea of using it or not in my application.
The requirement is as follows :
In my web application i store a session information inside the database,a key for this is stored in a cookie
2.Now whenever someone tries to access a url which is not according to the flow i want to deny access.
3.Can i use Spring Security for this.
I am using Spring MVC,Mongo DB and MySQL as the develeoment environment.
Regards,
Abhishek
If you're trying to simply control the flow of an application, I'd suggest using Spring Webflow. This allows you to define set flows in a multi-page application.
Spring Security can be used to control flows, but only for access control. It integrates well with Webflow (and with Spring MVC) to ensure you can secure some or all of your flows.

how to implement single sign-on for multiple Web applications based on JAAS(Authorization)

I started working on JAAS with SSO,I have some doubt about JAAS. JAAS (Java Authentication and Authorization Service) framework to cater to multiple authentication mechanisms. The SSO server validates sign-on information against its own database or an external directory server and returns the session context and list of applications that the signed-on user can execute.Here i want to implement one more web application's.As per my knowledge the SSO JAAS will return Session context. In my client web applications already, i have acegi security for authentication, using my acegi security how can i get the session context from my SSO JAAS for Authorization.I am trying to find out any configuration sample , but still I did't get any work around example.
Take a look at this spring security configuration. It is not exactly what you want but it will show you the way
Key points
Check how authentication-manager is defined by using
PreAuthenticatedAuthenticationProvider. The preAuthenticatedUserDetailsService property defines a bean that will allow you to create your spring security UserDetails object from the JAAS Authentication object
The j2eePreAuthFilter filter is the one that will delegate security from JAAS to spring security.
The rest is standard spring security configuration
Hope it helps a bit

Resources