I am writing web application using Spring MVC, Security. I would like to store some information for not logged users, and keep it in anonymous session. It will be some random uid, and some configurations that anonymous user could change. When user logs in, that data should be used in authentication using custom AuthenticationProvider.
How can I hook into Spring security anonymous authentication to put there UID?
How can I retrieve later the session while user is loging in?
thanks for any advices :)
Related
Problem
Implementing SSO login for multiple OAuth2 providers in Spring Boot.
Setup
Two Spring Boot web applications (App1 and App2) that are configured to be OAuth2 clients. Both will communicate with a Keycloak authorization server that has two realms.
Business Requirements
Implement Single Sign-On functionality (SSO).
Multi tenancy with shared user base.
Only one user can access one tenant at any time.
I have two spring boot applications which are OAuth2 clients running in docker containers. We are setting up multiple Keycloak realms that are configured for each tenant. From the Spring side of things, we include the auto configuration properties for two providers where each provider will be mapped to a different Keycloak realm. So the properties will look as follows:
spring.security.oauth2.client.provider.realm1......
spring.security.oauth2.client.provider.realm2......
Behavior
When a user logs into the first application (App1), Spring shows a generated html page. This page shows a list of each provider configured from the application.properties as an option to login to.
A user can select one and is redirected to the Keycloak login page with the realm that was mapped from Spring's provider properties. Then when successfully logged in, the user is redirected back as expected.
We use Spring Mongo session to store the session information and we also see in the Keycloak admin client the realm that shows the active session as well.
When trying to access the other application (App2), Spring does not detect the user or session and will show the same generated html page that shows the providers to select and login to.
When clicking on the same provider (realm), Spring will then find the session and will be redirected to the requested resource and all is well. This part is what I am trying to implement without asking for the provider first. The main reason is to enforce a business requirement where a user in a session can not access more than one realm at a time.
Attempted Solution
Provide a Spring Security login controller that will have a service layer to find the mongo session and then build the OAuth2 link Spring generates when you click a provider from the list.
However, I dont have the user yet. This also becomes a problem when opening a different tab as I dont believe I have any scope to the cookies that were created from the first application as well.
The only other thing I can think of is trying to get the client ip and store that in the session so I can find it later. However, when using nginx proxy configuration, this becomes a problem as I cant seem to get the actual ip and always seem to get the proxy ip instead even with the nginx headers I have seen from documentation.
Question
Is there anyway to find the session and redirect to the requested provider programmatically?
Note: I am currently aware of the keycloak starter dependencies that are available but I was trying to see if there is a more Spring oriented solution with its general OAuth2 client security configuration.
Front end solution
User navigate to app1, app1 detects no user session (need for login), app1 redirects user to app2 with some query parameters indicating purpose of redirect.
App2 receives redirect request and check if session exist (user logged in to app2). Now you can deal with it. redirect back to app1 or display some error, etc.
User not logged in to app2 , app2 redirects back to app1 with indication "show providers"
Symmetrical behavior shall be implemented on app1 too.
Depending on security requirements query parameters can be encrypted to prevent manual url hacking.
If you need further protection Keycloak authentication can be extended with functionality to check your Session storage for already logged in users.
I am new to spring. My requirement is:
I need to get the user name and password in my component class. validate it with by invoking the webservices available at my client.
So I want to provide security to my password which can not be directly visible anywhere.
So how to implement this?
Please give suggestions
Spring Security can participate in many different authentication environments. While we recommend people use Spring Security for authentication and not integrate with existing Container Managed Authentication, it is nevertheless supported - as is integrating with your own proprietary authentication system.
What is authentication in Spring Security?
Let's consider a standard authentication scenario that everyone is familiar with.
A user is prompted to log in with a username and password.
The system (successfully) verifies that the password is correct for the username.
The context information for that user is obtained (their list of roles and so on).
A security context is established for the user
The user proceeds, potentially to perform some operation which is potentially protected by an access control mechanism which checks the required permissions for the operation against the current security context information.
The first three items constitute the authentication process so we'll take a look at how these take place within Spring Security.
The username and password are obtained and combined into an instance of UsernamePasswordAuthenticationToken (an instance of the Authentication interface, which we saw earlier).
The token is passed to an instance of AuthenticationManager for validation.
The AuthenticationManager returns a fully populated Authentication instance on successful authentication.
The security context is established by calling SecurityContextHolder.getContext().setAuthentication(...), passing in the returned authentication object.
This could help: http://www.viddler.com/v/c596114a
I developed a web application using spring and hibernate. By using Spring Security , i am restricting one session per user. When user try to attempt multiple login then old session will be invalidated and new one will be active.I have registered HttpSessionListener in my web.xml file.In sessionDistroyed method i am writing some functionality that will be executed when Http Session getting invalidating.
Now problem is when a single user try to do multiple login ,spring security expiring the old session but not invalidating the old session.So in that case sessionDistroyed method not being executed.But i want sessionDistroyed method to be called when spring security expiring the old session.
Can anyone please help to resolve this problem.
I am new to Spring
Problem Statement:
I have setup ldap server(Apache DS) with roles and users.
I need to authorize the same in my spring application. I need to block the urls, based on the authorization roles coming from LDAP.
How do I tell my Spring application to authorize the data coming from LDAP.
As of now it is letting me login, but on click on any of the links with the urls given to provide access I am getting access denied(403) exception.
In my knowledge I feel I need to configure the same in spring, but how do I do it, I am not able to figure out.
I tried searching in Google, but I could not find any good examples where a username and password are checked with a database for authentication purposes.
In further simple words, how can I create a simple login form using Spring and Hibernate and NOT SPRING SECURITY where the credentials are checked with the database.
Please help me creating a simple login form with just Spring 3.0 and no Spring Security 3.0. Thanks.
Simplest way to do a login form post to a Spring Controller which take username and password as parameter.
In the controller you do what ever you want to authenticate the username and password. Best is to delegate to some service layer which takes care of it.
If successfully authenticated then what you want to do? May be redirect to say home page.
Now the home page rendering should know that the user is already authenticated. This is where spring security helps.
But you can also achieve by writing a Servlet Filter where you check if user is already authenticated by checking the http session. Of course after successful login you need to store that in the session then only it will be available to the filter.
There are many other ways to achieve the same which depends upon your requirement as in what kind of security control is required.
Your solution has two parts, one of which involves Spring and another that is your code:
// DAO returns null if no such username appears in the table.
String password = userDao.findPassword(username);
boolean isValidUser = (!password.equals(null));
// Write the code to implement behavior for valid and invalid users.
If you can do a database SELECT for a password, you can do Spring authentication without Spring Security.
You may need to put that logic in an aspect that's woven in before method calls.
You may want to cache that result in session and invalidate it if a timeout is exceeded.