Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I have a web application (JSP) and i need to limit the access, so only the logged in users see the application. I looked it and i found many diferrent approaches. Some say to use cookies, sessions or frameworks such as Spring Security. What should i use? So far i have a medium experience in java and jsp programming, so what do you recommend me to to do?thank you a lot!
Instead of preparing home made version of Spring Security I propose to use it directly. Consider following advantages:
In the future if you need some new security features then you can just turn them on instead of developing them from zero (for example LDAP authentication, SSO, ...)
There are chances that new developer is already familiar with your security framework (on the other side it is sure that it will be not familiar with your home made labrary)
Most of them have good documentation so learning cuve is small when we talk about basic URL authorization (do you have enough time to prepare the same level of documentation for your home made library?).
They have built-in support against attacks like session fixation, etc.
They have multiple extension points, so you will be not limited by framework (you will be able to add / modify necessary functionality).
They have moduled structure, you do not need to load all modules / know about them. Use only what you need.
It may be useful for you to check Apache Shiro and Spring Security.
In a case of Spring Security if you start reading official documentation from here then you can prepare all conf for basic URL authorization (with hard coded users in the conf) in less than 30 minutes. Then you need to include corresponding jars in your classpath (for Spring and Spring Security) and that's all. Turn on debug logging for org.springframework.security to see what's going on.
Consider the use of a servlet filter. Store the logged-in user in the session and configure a filter to check the user is logged when he/she attempts to access the secure directories of your site (via url-pattern).
Basic info here http://www.tutorialspoint.com/jsp/jsp_writing_filters.htm.
But here's something more specific to get you started.
Create a class that implements javax.servlet.Filter, override the doFilter method and check that the user is logged in and configure the urlPatterns using annotations.
The annotation on the filter would be something like this:
#WebFilter(filterName="LoggingFilter", urlPatterns={"/secured/*"})
the directory that you wish to protect is called 'secured'.
In the class override the doFilter() method and check that the user is logged in:
User user = session.getAttribute("user");
if (user != null) {
chain.doFilter(request, response); // User is logged in so forward response.
} else {
response.sendRedirect("login"); // User not logged in so redirect to login page.
}
This is an effective way to restrict a logged in user to specified parts of the site. This simple example can be extended to restrict access to different parts of the site based on user type or some other criteria.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I am trying to venture into the full-stack development realm during some of my free time, and I just have a few general questions about my current understanding of OAuth2. I am very green when it comes to this stuff, but I've watched some Udemy videos to gain a basic understanding.
Anyway... this project that I'm working on, I'm planning on having a custom authorization server, a resource server, and a single client (which will likely be a SPA). This authorization server will only allow the authorization code (probably with the PKCE extension) grant type. Which leads me to my first general question...
Intuitively, I assumed that the password grant type would be sufficient. As I've done more and more reading, it looks like this grant flow is not the way to go. As I understand it, using this flow would require the client to provide some form so that the user may login. Doing so gives the client access to user credentials, which very much defeats one of the purposes of OAuth2. I'm not sure this is an issue with what I'm developing, however, because I am creating the authorization server. I know by using this grant flow, I am not validating the client. Can someone explain how this might be an issue? Is there anything else I'm missing here? Everything I've read has deterred me from using this grant flow, which is mostly why I ended up deciding on the authorization code (w/ PKCE) flow.
So... assuming I go with this flow, my client should provide a login button. Pressing this login button will re-direct the client to a web page where the resource owner can authorize the client and provide user credentials. My authorization server will then validate these user credentials. I plan on storing user credentials in a database on the VM running the auth server. I don't plan on allowing users to register an account. Instead, I'm just going to have a static list of account credentials in this database for people on my team. So I guess I'm just going to insert these accounts when the database is created? If so, how do I allow these users to change their passwords? I guess I'm thinking that initially these accounts will be assigned an e-mail, username, and random password that I can communicate with them. However, I'd like the user an option to change this random password to something more familiar. I don't currently know how to do something like this with the OAuth2 implementation. Do I just provide a way in the client to change the password when the user is logged in? If so, doesn't this somewhat defeat the purpose of using OAuth2 as now my client would have knowledge of the user credentials? If I were to do this, however, would this just be implemented as a POST request to a REST API at the auth server for updating the password?
I would start by using a free cloud provider as the Authorization Server. Have a look at the following tutorial of mine, which uses Authorization Code Flow + PKCE:
Blog Post
Easy to run SPA and API Code Sample
This sample uses AWS Cognito which is a fast option for getting started. It will enable you to create users - they will then be prompted to change the password on the first login.
The important points are these:
Write simple standards based code in your apps and spend time learning the recommended flows and design ppatterns
Once code is written you should be able to switch to a different Authorization Server later, if needed
Avoid building your own Authorization Server, and use one that has been provided by specialists
You should only need Spring for the resource server (my API above uses Node.js). If you want an easy to follow Spring resource server sample maybe see this one.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 1 year ago.
Improve this question
I'm looking for help in choosing the right, most modern and safest way to authenticate. I'm using Spring as backend along with Angular on frontend. I'll add that I want to use OAuth2. I've really searched quite a few sites and haven't found a straight answer. I'm really confused...
I started with this implementation, but than I stopped after reading this recommendations. So far I know that I should use Authorization Code Grant with PKCE.
How is it done in applications that are already in production?
The most sensible (as I think) option so far is implementing auth with Keycloak. Is embedded version reliable?
If you want to secure your API with OAuth there are many products out there which you can use (both open-source and paid solutions, if you search for "identity server" you should be able to find a few solutions). Keycloak is a viable option, but there are others.
When it comes to choosing a flow, I would also go with the Authorization Code Grant with PKCE. This currently is the recommended way, especially if you'll be performing OAuth flows directly from your Angular app.
That's another decision you would have to make - whether you want your frontend client contact the Authorization Server directly (then you have to handle tokens in the frontend app), or you want to call your backend and have the backend talk to the Authorization Server (then you would probably have a session cookie, and associate the session with any access tokens).
Assume I have a database composed of user and projects. A user has a one to many relationship with projects. The user can do operations using rest endpoints.
The problem is:
how can I verify that this user owns this resource?
I don't want a malicious user to change an id then suddenly he views another person's project details/images/etc. Think of it like a social media (my app is not a social media but trying to illustrate the issue): where you can view only your images but not another person's images despite having the same "status".
Most spring-security blogs online is using a role based approach. I have no idea what to even search for in this case (tried multiple search queries to no avail).
One option is to run some sort of multijoin query on every resource request/operation till I reach that resource id and check it's owning user to check if it is the logged in user. However, I am not sure if this way is efficient since there are multiple tables in a chain in the real app (could have a lot of joins if I go this way manually; example: user -> project -> tasklist-> ... -> Note; deleting a note would trigger a large chain) or how to make the "authorizer" use it.
what are my options?
In case it matters:
I am using spring-boot + hibernate/JPA + spring-security
Spring Security has the following concepts:
Authentication:
Proving the an actor is who it vouches to be. Authentication is done using credentials, where credentials can take any number of forms - username/password, token, hardware key, etc.
You can set up Spring Security with a set of acceptable authentication providers.
Authorization:
Given an authenticated user, deciding if that user has access to a given resource. Where the resource can be:
An HTTP endpoint.
An Java Method.
A property of an object.
What you want to do here is provide a custom authorization scheme.
You can read about Spring Security's authorization architecture here, including how to set up custom authorization. Once you're ready you might ask specific questions as you go.
I'm currently working on a iphone/android project where the mobile talk ta java backend server through REST API calls.
The Java backend is done using Spring and its Authentication system (with a JSESSION ID token)
I'm not an expert in security but I can see that if not implemented correctly there could be quite a lot of issues.
One of my biggest concern would be user creation for example.
When the app creates a user it simply makes a POST request to (url.com/rest/create)
How can I avoid, server side, that a malicious user puts this url in a loop and create thousands of users ?
What are common best practices to secure API calls ?
Is the Spring Authentication token enough ?
Thank you!
It's not really possible to prevent a client from making many calls to your server. A malicious user can create a script or application firing requests to your server.
The solution is to authenticate and authorize the calls to the server. You give certain users (for example administrators) the privilege to create users. You trust those users to behave in a correct manner. You have your users authenticate before they call the APIs on your server. Then, on the server side your check who the user is and what he/she is allowed to do.
If you are still concerned about privileged users not behaving, you can assign quota to each user on the actions they are allowed to perform.
The hightech solution (with as much framework fuctions as possible) would be
first: have a created-by and created-date field at the entity you want to protect (I recommend to use Spring-Data-JPA Auditing for that).
second: create a custom spring method (or web) expression method that is able to check how many items the current user has created in the (for example) last 10minutes and if this are more then (for examle) 20, then return false (or make them parameters of the method).
Then you can protect your method (or url) with that expression (#PreAuthorize("createsNotExeced(10, 20)"))
But this is the high tech solution - it would be quite intresstion implementing them when one wants to learn spring security. (and you would need to add some caching, but this is also a Spring feature).
The lowtech solution would be: put an list of timestamp in the users session, and add an new item to that array whenever the user creates an new item. When the last (for example) 20 timestamp enties are within the last (for example) 10 minutes, then throw an TooMuchHeavyUseRuntimeException or somthing else.
Currently I have a custom form login page in Spring Security 3 that sends its form data to the correct authentication url.
However now I need to extend the process to support security questions after logging in but before hitting the rest of the site.
I have a few options from reading the documentation, but I'm confused as to the correct option to choose.
Option 1: Keep the current login system and set a special role that only lets the user access the security questions page. If they pass through the security questions process successfully, add their correct roles into the security context.
Option 2: Subclass AbstractAuthenticationProcessingFilter and do security questions as a part of the login process. This seems more spring-like but I'm stuck on how to support the multiple pages for the questions with breaking the rest of the authentication framework.
What about this approach:
When a user submits her username/password, save them into her session.
Redirect her to your questions.
When she is finished answering your questions, see if you want to let her login.
3.1. If yes, POST her saved credentials so that they could be caught and processed by Spring Security filter chain.
3.2. If no, take her back to the login page. (Or whatever you want to do in this case.)
I ended up using Option 1. #craftsman's answer doesn't fit since the questions are specific per user. Its actually worked out really well.