I have question:
It is possible to customize query at authentication provider using jdbc-user-service ?
For example:
i have an application where users chose there roles when they insert there logins and passwords, so i want to create a query like this:
select login,password, enabled from xxxx where username=?
and after this query i want to attribute to this person (returned by this query),if exists, a role which is xxxx. I should also pass the role selected to this query.
xxxx is the role which is selected by user at first
I hope that you understand me and sorry if it is a stupid question , i'm still beginner.
I think you should consider writing custom authentication service class, instead of jdbc-user-service query. You hold the user role somehow and while building authorities of logged in user in UserDetails service, add appropriate role in the collection. OR The role of logged in user can be manipulated later. You are gonna have to try and manipulate spring security context. Read this forum page to know more.
Related
Good morning. Question scenario is as follows. Suppose an employee with a role goes to annual leave and he has an account in a spring boot application. How can I disable his user account so that logins fail at that time. How do I write the code? I'm using WebSecurityConfigurerAdapter but I failed to accomplish this task. I need sample working code using preferably Spring boot 2.6.* cause other resources I found on the net are using older versions.
Thanks in advance.
If you want to disable a user for a certain period of time where the user can not log in till u enable his ID, then I assume that u created a table of name "User" where you store all user credentials, specify two more columns "role" and "isActive(boolean)", in "role" column you can specify your role as ADMIN or ROLE_ADMIN and write a code with logic where an admin has all authorization, as an admin you can alter the data, before that you should write a code for only active users can log in, then as an admin, you can change the state from "true" to "false" in the specific user's "isActive" column, now the user only able to login if his "isActive" state is true.
you can ping me any time...
I have the following use case:
Users have general roles like:
devteam
this will give them access to several functions in the backend.
But additionally they also have a non-fix set of roles which may be added during time. Something like
devteam-europe (composite role to devteam role)
devteam-asia (composite role to devteam role)
etc.
Now I want the backend functions to behave like this:
Access function if role is "devteam": that works :)
But in the underlying sql queries I want to restrict the resultset depending on other roles. So devteam-europe will get other results as devteam-asia.
The big problem is, that in my applicaton each team has a uuid, while in KeyCloak the role has a speaking name. So I need to map somehow
devteam-europe to my internal UUID!
I could add attributes or properties to the role in KeyCloak, but they don't seem to be available in the JWT.
In my real world project it's a multi-tenancy applicatio with various entities.
Do you have any ideas, on how to to accomplish this?
Cheers Maik
I could add attributes or properties to the role in KeyCloak, but they don't seem to be available in the JWT.
In the corresponding client, you must define a Token Mapper which will tell Keycloak what source (in your case attribute or property) will map to which target (key => value) in your JWT.
I have created a Spring security application. When the user logs in the user name and roles get stored in Security Context. The same can be retrieved using Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
How can I store the additional user information like user ID, Email, Associated Branch ID etc in the context?
The basic idea is to implement a custom UserDetails. You can read
this question for a longer explanation.
I'm developing an application using Grails and Spring Security.
My wish is, when the user creates his account informing his company name, the app creates an entry in the company, role and user tables and relates that role and user with the company entry.
The role created will be like an administrator which has permission for do every thing. This user with that role can creates new roles specifying the permissions but all roles created should be only in the company scope, so those roles should not be available for users of others companies.
I've seen that the Spring Security has a feature called Requestmap which for each URL, the application can specify the roles which will have access.
I don't know if this is the best solution, because in my app the number of roles will increase at least as many as the number of user.
Do you guys have some advice of how to solve this problem?
Thank you for all.
You should have a look on Spring Security ACL plugin.
With this plugin you would be able to add permissions (like write or read permission) to certain users on certain domain models.
Have a look on example taken from documentation:
#Transactional
#PreAuthorize("hasPermission(#report, write) or " +
"hasPermission(#report, admin)")
Report updateReport(Report report, params) {
report.properties = params
report.save()
report
}
By using PreAuthorize annotation it is checked if user has write (or admin) permission on this certain Report entity.
We are using 2.x spring security right now. I am asked to build an admin tool so that the ROLE_ADMIN can change to any user in the site and view the site as that person (each person on the site may see different stuff depending on the role which is dynamically granted base on the database) and of course the admin should be able to switch back to admin without logging in.
Is there a build in function, if not how should I do this?
Thanks in advance!
Use the existing Spring SwitchUserFilter:
http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.html
I don't know any spring-security out-of-the-box solution that will answer your requirement, but I can suggest you a way for implementing it.
Declare a url for the "view the site as" action with a query param to get the user name, for example: /myApp/viewTheSiteAs?user=marley
Write your own custom filter that will do the following:
2.1 Validate that the authenticated user is "admin" user
2.2 Extract the user from the action ("marley" :-))
2.3 Validate that it exists (using the UserDetailsService).
2.4 Construct new Authentication object with the granted authorities that fits the user you have extracted, and replace the current Authentication object with your own object: SecurityContextHolder.getContext().setAuthentication(myNewAuthObject)
Add a filter chain in spring security config file for /ViewTheSiteAs that will act as regular filter chain (should authenticate the "real" user as regular), and locate your custom filter at the end of the chain.
Doing the following will cause spring security to think that the user from viewTheSiteAs action is the authenticated one, and by that check the permissions according this user.
p.s. - this is not a security break since it downgrades the authenticated user permissions, which means "less powerful" user.
Good luck.