I want to integrate spring security in REST web services but when the url is hit default login page displayed by the Spring Security. How I can authenticate REST web service without any displaying any login page or any JSP page.
You can configure Spring security in your application, using preAuthorization in #EnableGlobalSecurityMEthod ~, I think is this annotation. In your restservice, using #PreAuthorization("<role>"), I think is this annotation. This works very good.
If you have basic authentication, then you can simply post username/password encoded in Authorization http header from client.
Or you can have PreAuthenticatedAuthenticationProvider configured with a pre-authentication RequestHeaderAuthenticationFilter
Related
i am currently working on a project where my backend uses Spring Boot, Spring security + keycloak and runs on localhost:8081.
My frontend (svelte) runs on http://127.0.0.1:5173/ and the url http://127.0.0.1:5173/products needs to access data from localhost:8081/products (which needs a login) but the login page from keycloak doesnt appear.
In other words, what i am trying to achieve:
I want that the url http://127.0.0.1:5173/products redirects to localhost:8081/products which redirects to keycloak login page and after a successfull login i want to return to http://127.0.0.1:5173/products where i will be able to see the data.
is there an elegant solution to this problem? Im really stuck on this problem and this is one of my first projects.
Thanks in advance!!
Some OAuth2 wording:
Keycloak is an authorization-server (OIDC complient)
Svelte app is a client
Spring REST API is a resource-server
Ensure that a "public" client is declared in Keycloak.
Configure your Svelte client with an existing OIDC lib (component) of your choice to:
use the "public" client deckared in Keycloak
authenticate users against Keycloak (socket is not the same as spring API)
add an authorization header with a JWT access-token retrieved from Keycloak (when issuing requests to your secured REST endpoints)
Configure Spring API as a secured resource-server with a JWT decoder.
You can refer to this article for configuring Keycloak and resource-server with JWT access-tokens.
How do i call an api from an app secured by spring security.
I have a api provider completely secured with spring security.
Now i want to allow other clients/service to consume my rest from their apps. eg using jquery, php, etc. But my app is secured.
Your assistance will be highly appreciated.
A REST API is a set of URLs. You access these URLs secured by Spring in the same way you'd access any secured Web app.
That is, use a Web client, establish a session by using the authentication method configured, and send the HTTP method request you want.
I am currently usingstruts, spring and hibernate in my application. I'm using CAS for authentication. The table containing the user name and password fields are mentioned in the deploymentConfigContext.xml of the CAS war file.
Using spring security how can I implement the same in my application for web services?
How is the username and password given from a client invoking my web services?
Your WS is protected by some sort of CAS filter, that is perhaps provided by Spring Security. When a request comes in, the filter intercepts and redirects to CAS login. User logs in, and they go back to the WS. Filter intercepts the request again, validates the ticket and moves onto the WS
I and my team have developed a small spring project. We have jsp pages in which we have written ajax calls and through these calls data is fetched, as JSON, and displayed through javascript. Now we need to add security to both, the JSP pages and REST services.
Our requirements:
The server should be stateless
Client cannot be expected to store cookies.
Credentials sent to the server should not be plain text
I am new to Spring Security so I would appreciate if I can get any help in implementing it.
1 . The server should be state less.
Starting spring 3.1 it is easy as setting an attribute in your spring security http tag.
<http create-session="stateless"> ..</http>
2 . Client cannot be expected to store cookies.
Then I would opt for basic authentication for the rest api and ajax calls.
The client however has to cache the username and password and send it with each request.
3 . Credentials to the server should not be plaintext.
Use HTTPS with a valid SSL Certificate.
I am looking for some possible solutions for my web application security.
The web application redirect the user to the login server. Then after authentication is successful the user will be forwarded back to a certain page within my application. The login credentials are forward with the user. My page is served via a controller that authenticates the user for my application. (Authentication is accomplished using Liberty ID-FF 1.2.)
Currently, I am using Spring 3 page interceptors for the redirection.
My question is; How can I accomplish this with Spring Security? Or, is there another comparable framework? I like Spring Security for how easy it is to configure and how it protects the resources. To use it I need to have the authentication controller redirect the user to the login server. How do I do that in the authentication controller?
I am using JBoss 4.0.5, Spring 3.0, Java EE 5, and ID-FF 1.2.
I am afraid there is any support for Liberty ID-FF in Spring. Currently, there is SAML2 extension module only available for Spring Security.
More info:
http://static.springsource.org/spring-security/site/extensions.html