I have a RESTful API built with Spring 3.1, using Spring Security as well. I have a web application, also a Spring 3.1 MVC application. I am planning to have mobile clients accessing my REST API. So my API is the central place to authenticate, get data served from, etc.. It all makes sense so far.
Now what I cannot wrap my head around is how to add Spring Social in an easy and smart way. How did you do it? Did you maybe only move the ConnectionRepository to the API? Or did you have the API do it all? I want to prevent double-authorization for each client-technology by all means (preventing double-authorization meaning userA connects to facebook in the webapp, and then starts using our mobile client and should NOT be asked to connect to facebook again just b/c userA is using a different client).
Thanks for sharing your thoughts!
The solution we use it to secure our rest-webservices using spring security, with a cookie based remember me service. This uses well documented traditional spring-security techniques.
We then plugged in spring-social to our system, which then simply logs in the user as normal using spring secruity. The social api looks up the, for example, facebook id in your db table, if it finds existing connection logs the user in using their account on your system (and can redirect to sign up page etc).
I suggest breaking down the question into more specific areas.
Related
i have a spring boot application that provides an API consumed by a frontend app (CRUD operation). This spring boot app is based on oauth2.0 authentication standard to verify the JWT access token received in the header of each API against an authorization server. I want to provide another API to be consumed by a backend (M2M usage). This API will rely on same database (same entities) but it will be slightly different (only Read operations are allowed here and responses contain more fields). Also this new API will rely on an another authorization server to verify the JWT token.
Firstly, i was thinking to provide both API with the same spring boot application, but it looks like it will a hack to support both (for instance issuer uri of the token are diferent, port can be different, path of API are different..).
So, I'm now thinking to separate the 2 APIS into 2 different spring boot application, so that the apps are isolated by nature, but i'm not sure it's a good practice at the end? For instance, what about the concurrency issues that can occur with such design ? In the opposite, can i build easily teh 2 spring boot apps that share the same code repo (some code should be common for both apps). Those are the questions i have, so any suggestion will be appreciated.
You can try with multiple authentication providers. Example given in following -
Java Spring Security config - multiple authentication providers
i have my web app builded with Angular 4/5 and Spring Boot. Now i want to add user-accounts to my app and there i have some problems. I would like have my Auth serwer (in Spring Boot) and also i want use providers like Facebook and Google. There is my first question, when user will choose Facebook to auth, then how my resource server will know who is asking for resource. When i use my own Auth serwer i am doing it like this:
#GetMapping("/user/name")
public ResponseEntity<String>(Principle principle) {
return new ResponseEntity<String>(principle.getName(), HttpStatus.OK);
}
and this is working, but how to get user username when user is using Facebook or Google auth?
My second questions is how to properly handle expire Tokens time in Angular 4.
My third and last questions. Some resources from my server will be availible for
not logged user(annonymous) so how can i protect my resources to prevent other's than my clients using my API?
If you have some advices or examples, please help!
Don't worry about the rude comment on your question, Single Sign-On (SSO) can be pretty complicated.
If your using Facebook and Google as optional SSO providers then what you have to realize is that those providers are going to give you some sort of unique identifier along side the user information when you request it.
Spring Security and the corresponding Spring Boot auto configuration has some pretty good support for linking SSO user information to a Principal. Ill add some good references below to help understand Springs solution for this. I'm going to assume Spring Boot 2 and Spring Security 5 since your versions aren't listed.
Spring Boot 2 OAuth2.0 Client Configuration
Spring Security 5 Custom OIDC User Service
[VIDEO] Next Generation OAuth Support with Spring Security 5.0 - Joe Grandja
You can also look into Spring Social if your looking to do more than just SSO.
I am developing a RESTful web service as a back-end layer for mobile application. This service receives combination of device id (as user id) an a pin (as password), and passes to another back-end service, that validates and returns the status of successful login along the user information, in case, the user is authorized. My service is not validating the user. And mobile sends sub sequent requests to my RESTful service.
So, please suggest, how can I make all this system(especially the RESTful) secured, using Spring security.
I am using a Tomcat server, Spring and Jersey
I recently implemented a method to secure my existing RESTful APIs in Spring. I have used a token based authentication model using OAuth2. In my project, I wanted to secure my API's in a way that every request is individually authenticated and authorised based on the token present in the header. If this is something you are looking for, then I would highly recommend you to take a look at the documentation here. If there is anything you are stuck at while implementing it. Please do let me know.
Also, you can find multiple projects for Spring and OAuth here
This is my first question on StackOverflow and I hope someone can help me. :-)
I am planning to build a web-application (backend) with spring roo. For the backend I will use Spring and Hibernate/JPA. In the future I will implement a web client (JSF/Primefaces), a mobile client (Android) and a Windows App.
With spring roo it is easy to create a layered architecture with domain classes, repositories and services. This part is fun.
But now I am thinking about remoting and how to connect all the clients (web, mobile, windows) with my backend.
1.) What do you prefer for the remoting between client and backend? SOAP-Web Services or a REST-API (e.g. with JSON).
2.) If REST-API: How should the API look like for authentication/login functionality? REST is resource-oriented but how do you implement authentication with REST API?
At the moment I think a REST-API is a good idea. Because I am using spring it is easy to create a Spring MVC controller with REST support. But is this the correct way to implement a REST API for all the three devices? The web client e.g. should be implemented with JSF and Primefaces and I donĀ“t use spring MVC for the web layer.
3.)Can I nevertheless use Spring MVC controllers to build the REST API (together with JSF in the web layer)? Or is there a better way?
1.) What do you prefer for the remoting between client and backend? SOAP-Web Services or a REST-API (e.g. with JSON).
I don't have too much experience with SOAP-WS, but I have a ton of experience with REST-APIs using JSON. There are many implementations for mobile, web and server side clients that are fairly simple to implement.
2.) If REST-API: How should the API look like for authentication/login functionality? REST is resource oriented but how to implement authentication with REST API?
If you are already using spring, I recommend securing your API with Spring Security. You can use spring security even if you don't end up going with Spring MVC for your API implementation. There are many ways to secure a rest API with spring security, but I the simplest is to send the basic auth header with every request to a secure URI
3.)Can I nevertheless use Spring MVC controllers to build the REST API (together with JSF in the web layer)? Or is there a better way?
Spring MVC Controllers will work fine, but I would recommend going with RestEasy or Jersey. I find them to be more flexable.
I agree with #mad_fox. Additionally, i want to add another option regarding your question#2. If you dont want to use Spring security, you can write your own token based authentication mechanism using spring and basic java interceptors.
You can store the token in your browser local storage.
I'm new to Spring Social and I'm writing a Spring MVC application which users should use for, let's say, tweet, follow/unfollow users. So far I can do everything I want with my own credentials (stored in a property file) using the TwitterTemplate.
I need the application to do the same on behalf of other users (authenticating them when registering in my application).
You probably want to look at this part of Spring Social reference document as an entry point. I have experienced it with facebook and linked in and it works pretty well to store connections credentials in a database.
You also want to make sure I guess that you do not use the ProviderSignInController highlighted in some of the code samples which is designed for using the social provider as an authentication infrastructure for a web application but a ConnectController which has proved to be efficient in offline access cases. See section 4 of the spring social reference documentation.