I am using Spring Security 3 for Authorization. By default if user does not mention any pattern in intercept url tag then Spring does not restrict that user from accessing that url. I want to restrict this default behavior of Spring Security programatically. I dont want to use denyAll in Sprig Security xml.
My requirement is whenever any Authenticated user tries to access any url,first I want to manually check whether that URL is present in Spring Security xml. If it is there then I will ask Spring to follow its normal Authorization process; but if URL is not there then I want to restrict user access for that URL. Please help me out to meet my requirement.
Related
I want to change the redirect_url in Keycloak. But am not sure how I can modify it. The redirected url should be on a completely different domain. I'm using spring security and it automatically assigns the redirect_url.
I have a complex situation where I need to implement a security for web app on tomcat 8 that serve both static html and rest services. the app is spring mvc application (no spring boot)
the authntication ( sso ) process will go as follow:
if user jwt not exist in http header then authonticate with ldap, getting user authorities from db and create jwt back to user.
if jwt exist in header, skip ldap filtering , extract the user authorities from token.
I was thinking of first servlet filter that uses spnego library and get the windows domain name (user name to use in ldap) that filter will also check to see if ldap authontication is needed ( if token not provided) and pass it back to spring filter chine through http params..
I'm struggling to implement he ideal.
please help.
thanks
As I know, there is support for LDAP in spring security, might be it will help you.
Other than that, if you want to write your own filters then you have to add those in spring security filter chain.
I am trying to build an application where login is done by siteminder SSO. Once login is done I need to get the user info(like roles,permissions) for logged in user from LDAP and put in session.
Aslo I am using spring MVC to expose REST services. I want my rest services to be accessible only for certain roles(Like Manager/Admin etc). Also UI will display/hide pages based roles.
I want to know what is the best approach to achieve the above.
Please note I am using spring MVC on WAS7.
I am using spring security for my spring multitenant application. I am using spring security 3.2
I am using spring security for my spring multitenant application. My requirement
is tenant1 should be authorized against oauth and tenant2 should be authorized
against ldap and tenant3 should be authorized against database. I will be knowing
the authorization method for the tenant through properties file. I am able to
authorize user against any single authorization method. But i am not able to
configure for multiple authorization methods. Please someone give any suggestions
on this.
In case of web application, you can use different login URLs and allow user to choose authentication method. Then separate security filters should be applied for each URL.
You can check this configuration: https://code.google.com/p/opendatakit/source/browse/eclipse-aggregate-gae/war/WEB-INF/applicationContext-security.xml?repo=aggregate
Form based Authentication for Spring based Application
I need to design Login page such way that Authentication upon login user and subsequent web request will validate if user is logged or not and redirect to the login page if not logged in . This is classical web application login flow. The authentication needs to be done via custom logic (application specific).
Can you provide sample Spring configuration 3.5 or working example application does this ? One approach is do login check via Web Filter and have login controller. Is there a better way doing via Spring Security model ? Any help will be greatly appreciated.
Thanks,
Bmis13
The default way would be to use the spring securtiy filter chain.
Spring Security has already everything to do form based authentication, the only thing you need to do is
configure it
write an jsp page (with the two input fields for user name and password)
See this create article: http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/ it explain the first steps.
And have a look at this article too: http://www.mkyong.com/spring-security/spring-security-form-login-example/ - It set some default values (urls) this make it more clear how the filters works.