I have configured spring security using ldap authentication.
I have also configured the remember me service for this.
But the LdapUserDetail returned by the LdapService doesnt contain
the password . Hence the rememberme service (TokenBasedRememberMeServices )is not able to generate the token.
Could some one help me out here as to what could be the issue .
1.Should we do any CustomUserAttributingMapping or
2.The password is restricted read at the ldap server
or any other thing
Related
I want to only use the the authentication part of spring security and use email instead of username with mysql. does anyone has a code for that?
or maybe without spring security how to authenticate?
Without spring security that means that you will just check if user exists in the database with correct credentials, you can follow this tutorial https://www.baeldung.com/registration-restful-api
I have a legacy desktop application that communicates with a Spring Boot server (latest version 2.2.2.RELEASE). I'm using OAuth2 for authentication (provided by spring-boot-starter-oauth2-client). I want to avoid changing the client because is a legacy application. It is capable of collecting the credentials and start the session via HTTP Basic Authentication, and then keep the cookies for the session in the following requests.
Given this scenario, I think best option is to make use the OAuth2 Resource Owner Password Credentials grant. With this, we can exchange the collected credentials by the OAuth2 Tokens. We have two options:
Option 1:
Modify the client application to use the access tokens via the Authorization header. This will require to make an initial call to the Authorization Provider to exchange the collected credentials by the tokens.
Option 2:
Keep using the Spring session and store the information about the OAuth client in the server.
I found this project ALMOST does that: https://github.com/jgrandja/spring-security-oauth-5-2-migrate. It has a client (messaging-client-password) defined with authorization-grant-type: password which will activate the OAuth2 Resource Owner Password Credentials grant in Spring Boot.
It creates an OAuth2 client and stores its information in the session, then Spring is able to use that client in further requests. The problem with this project is it seems to only work as when the OAuth client is used to make HTTP requests (e. g. an endpoint that makes a call to another service) and not provide authentication to the controller. You can find more information about this in here:
Spring Security 5.2 Password Flow
Github related issues: link1, link2, link3
Exception thrown when we try to use the password client as authentication
The natural idea to overcome this is to implement a proxy and use the OAuth2 client in the requests. Well, Spring already offers a proxy solution, the Spring Cloud Gateway. But I don't know to accomplish that with this setup.
Any insights? Am I thinking correctly or should I follow a different approach?
I'm trying to implement a Zuul reverse proxy with #EnableOAuth2Sso so I can relay the access tokens obtained from the authentication server to my resource server.
The question is how do I configure the Zuul proxy to forward the username and password to the authentication server, since I am using the password grant flow to obtain the tokens.
If the question is still relevant...
I had a task to configure Authorization and Resource servers behind Zuul using password grant type.
This article and example on github helped me a lot, but mostly I've used debug to configure the environment.
Please check my example of configuration OAuth2 Password Grant Type behind Zuul.
To run the example, inside every service folder run mnv spring-boot:run
In browser go to http://localhost:8765, credentials user/user, admin/admin
http://localhost:8761/ - eureka
I have not used #EnableOAuth2Sso, but instead #EnableOAuth2Client and configure only ResourceOwnerPasswordAccessTokenProvider (more details here).
#EnableOAuth2Sso is configured all token providers, but I need only password provider.
Example uses JwtTokens.
I have a requirement in grails spring security.
When the user logs in to the application, check if ldap is available, then authenticate using ldap.
If ldap is not available, then authenticate using database.
Please let me know if it is possible.
My App does the following,
it checks for the user in ldap, if the user is not available in ldap, then it checks database which is ok, if ldap is not reachable for some reason, then it is failing with an error "unable to connect to ldap server"
but my requirment is, If ldap is not reachable, then authenticate with database.
We are using Spring security LDAP authentication in our application for authentication purpose. For ldap authentication, we configure a userid and password in the applicationContext-security.xml. I would like to know if there is a way to authenticate via LDAP without specifying the User parameters for accessing the LDAP server in the configuration(applicationContext-security.xml) file .
Thanks in Advance
Jasypt supports encrypting .properties files and transparently decrypting it when Spring accesses it.
So , you can try to specify the authentication details inside a .properties file , then use Jasypt to encrypt this .properties file . Use <context:property-placeholder> to inject the authentication details from the .properties files into the applicationContext-security.xml
If your LDAP allows anonymous access you may not specify userDn and password in the configuration of contextSource. In this case Spring Security will use anonymous for read-write operations.