Spring security, LDAP and SSO - spring

I am trying to build an application where login is done by siteminder SSO. Once login is done I need to get the user info(like roles,permissions) for logged in user from LDAP and put in session.
Aslo I am using spring MVC to expose REST services. I want my rest services to be accessible only for certain roles(Like Manager/Admin etc). Also UI will display/hide pages based roles.
I want to know what is the best approach to achieve the above.
Please note I am using spring MVC on WAS7.

Related

Custom Role Based Authorization in Spring Boot

I am developing a web application where I have React as my Frontend and Spring boot as the Backend REST API. I have authentication mechanism setup where user can login with email and password. My application will be used by a group of people for a company. The admin user will login initially and sends invites to other people in the group with predefined access privileges available in the application. How can I implement this type of role based access in spring boot.
I gone across Spring security for role based access, but I didn't find how to create custom fine grained roles based on our web application. Please someone help just to give me the path I need to go.
P.S: I want to implement the way AWS or other cloud providers implement there IAM roles to assign it to different users in their organization but not as complex but a similar functionality

Implement Keycloack Authorization server using Spring Security 5 OAuth2

I've written a software system that uses Spring Cloud Netflix. Due to Spring Security 5 not offering support for writing an Authorization Server (pls shout out here https://github.com/spring-projects/spring-security/issues/6320) I need to write my own Authorization server. I want my application to permit Social login and username/password registration, have a custom login page but also use keycloack. I don't even know from where to start, if you have any documentations or code samples please provide.
You can use the cas project. By using the overlay it is easy to set up and to customize:
https://github.com/apereo/cas-overlay-template/blob/master/README.md
It serves a frontend where your user can be redirected to and can login. After successful login, the user is redirected back to your web page. The frontend is completely customizable.
It supports all kinda of authentication providers like keycloak, database or Google/Facebook.
After basic setup you just add the dependency inside the gradle file, configure your keycloak/database/... in the application.properties and can start using it as authentication server.
It fits perfect into a microservice landscape and is curated by professionals implementing security best practice.
https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html

Authenticate user within Spring Boot + Vaadin application

I am building a Spring Boot application with Vaadin as front end. The application uses a third party library to authenticate the user with his identity card via SAML.
After this authentication the user is redirected back to my service and I can fetch the authentication result and optional attributes.
My question is, how can I implement the protection of specific Vaadin views within my application based on the authentication via the user's ID card and how do I set the user as authenticated appropriately?
I am new to Spring Security and the majority of its examples shows authentication via a login form with username and password which does not fit in this case.
You can find two approaches to secure your Spring Vaadin Application with either filter based (so only Spring Security) security, or a hybrid approach in this Github repository: https://github.com/peholmst/SpringSecurityDemo
You can also find blogposts about both approaches here:
Filter Based Security
Hybrid Approach
For you especially the Filter based approach could be interesting. You could implement a Filter checking the token (or whatever) you get from your login server and then allow/deny certain pages on your server for certain roles.

How can I use multiple Oauth2 SSO Servers on a single Spring boot application with Spring Cloud Security Oauth2?

I'd like to give users the option to login to a Spring Boot web application using their Google or Facebook account.
I checked The Spring Cloud Security documentation and also This GitHub issue to add such SSO functionality, but on both they only show how to configure one SSO server, so it's either Google or Facebook.
How can I add both options? on the web front-end I will add a button for each option so the users can choose which account to use, either Google or Facebook.
Or I am choosing the wrong package and should use something different altogether to achieve this?
Thanks!
You basically have to install a separate authentication filter for each provider. There's a tutorial here: https://spring.io/guides/tutorials/spring-boot-oauth2/.

Spring 3.5 Security

Form based Authentication for Spring based Application
I need to design Login page such way that Authentication upon login user and subsequent web request will validate if user is logged or not and redirect to the login page if not logged in . This is classical web application login flow. The authentication needs to be done via custom logic (application specific).
Can you provide sample Spring configuration 3.5 or working example application does this ? One approach is do login check via Web Filter and have login controller. Is there a better way doing via Spring Security model ? Any help will be greatly appreciated.
Thanks,
Bmis13
The default way would be to use the spring securtiy filter chain.
Spring Security has already everything to do form based authentication, the only thing you need to do is
configure it
write an jsp page (with the two input fields for user name and password)
See this create article: http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/ it explain the first steps.
And have a look at this article too: http://www.mkyong.com/spring-security/spring-security-form-login-example/ - It set some default values (urls) this make it more clear how the filters works.

Resources