I have an application and API. I am using Spring and Spring security for both. Authentication is required to access API.
I configured RESTFUL web service only respond when authentication is successful (handling with JSESSIONID after login) which makes querying database not possible if user is not logged in or credentials are wrong. But somehow, I need to access database and make some changes for forgotten password. I need to check if requested email is on the record. Also, update the database after password change. eg; If I make 'UPDATE USER' action permitAll(), there will be a security problem.
Can you give me some ideas to handle that problem?
You can create some user with permissions to change password and later when changing password automaticly login this user -> send request ->logout user and all of that behind user view.
Related
I'm currently building an application that uses Okta for authentication, and I'd like to build a feature that allows users to change their password once they've logged in. Unfortunately, I can't seem to find an endpoint that will serve this purpose. The main change password API, api/v1/authn/credentials/change_password only works for users currently in the PASSWORD_WARN, and PASSWORD_EXPIRED states. Is there any way to use this or another similar endpoint once the user has logged in?
Yes, in this case you'll want to look at the Users API (and specifically the Change Password section).
Generally, the /api/v1/authn/credentials/change_password endpoint that you mentioned in the prompt is strictly for the authn flow - it's the endpoint you use to transition the user from PASSWORD_WARN or PASSWORD_EXPIRED to the next authentication state (by providing a new password).
The /api/v1/users/:id/credentials/change_password endpoint can be called at any time by your backend service, and doesn't strictly require the user to be authenticated - it's not CORS enabled and you'll need to provide an ApiToken when sending a request to it.
My requirement is authenticate the login request to the Active Directory LDAP and to the local db as the user may be created manually or by the LDAP.
I am loading all the users i my database in a users table but i want to make the dynamic login to LDAP for the ldap users if user did not get authenticated by LDAP with invalid login or invalid user then only i need to authenticate it to the db.
Am not certain on this, so obviously please confirm, but in your Spring security.xml, set up two authentication providers under your authentication manager, first your ldap one and then your database one. A failure with the LDAP authentication should cause the DB one to activate and give the user a second chance to authenticate with the same credentials. Also see this article for some testing I had done earlier with Active Directory and Spring Security.
I know this question asked many times but I did not get answer that I required.
I want link that can help me to create a spring security framework, In which I donot whant login form validation.
It should be done by login RestAPI. I just hit url like-
http://localhost:8080/login
post request containing username and password and it return json response with sucess or failure status
if sucess I would be able to hit secure API Requests.
I am using spring and spring security since 1 and half year with spring security to develop rest API I use below technique for user authentication
Follow below steps
Allow to access http:// localhost:8080/login for all user
User will pass username and password in body
Authenticate user with database entry
create access token and send back to response
using this access token user with interact with secure API.
I will provide source code if you need.
I suggest you to try with Basic Authentication. I believe Rest services are mutual contract between the consumer and provider, so re design your service to access the basic auth header. Your client need to pass the base64 encoded value of username:password, Your service should get the header value and decode you will get the original data back, Check against your backend storage (Ldap or DB).
More about basic authentication . BasicAuthentication
I want user to be authenticated by using its windows login credentials without explicitly showing him login page. The user will just login to his machine and when we will try to open the url he will be authenticated by spring security using his windows login credentials and data related to his role will be fetched from AD. How can I achieve this?
Adding to this question, what I need to do if machine is non-window? say CentOS?
I want to secure my RESTful webservice in some way, i read for past few hours about spring security and I am not sure if I can achieve what I want with it.
Here is typical scenario:
User tries to access www.address.com/rest/getSomething - he gets 401 Unauthorized and he is not redirected.
He goes to www.address.com/rest/login with username and password parameters
His credentials are checked against those in database (I'm using JPA over Hibernate)
If they are correct user receives 200 OK, and info that he's logged in is stored in session, so he does not need to send username and pass when accessing other addresses. Info that he logged in succesfully (or not) is stored in DB
If login is unsuccessful he receives 401
User uses webservice as much as he wanst (on each access, his session is checked)
After lets say 10 minutes of inactivity his session ends, and he needs to log in again
He may visit www.address.com/rest/logout to logout properly (session invalidate maybe?)
I also want to introduce some kind of password recovery, if user accesses www.address.com/rest/remindPass an email will be sent with newly generated password.
EDIT:
And i forgot, about one more thing. I also need another filter for checking if user has enough privilage to access an address.