What is the standard approach in securing REST endpoints implemented with CXF in OSGI?
The system in question is a web application deployed as a WAB in Karaf. The application contains JavaScript making AJAX calls to REST service implemented in a separate OSGI bundle using CXF. The main Web application is secured using Spring Security (with the standard DelegatingFilterProxy). The application should be open to be used with any security provider compatible with Spring Security.
We need to be able to obtain the user information in REST services based on the principal with which the user authenticated in the main Web application.
What is the best way to secure the REST endpoints in the application?
Thank you,
Michael
Related
Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:
Web application - React based front-send that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.
Server 2 Server coomunication - A server that need to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.
There are few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is a "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?
As for using the Spring Bood adapter, the only configuration necessary is the following:
keycloak:
bearer-only: true
auth-server-url: your-url
realm: your-realm
resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints but it's a bit more flexible to either use httpSecurity or #EnableGlobalMethodSecurity which we're doing with e. g. #Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc.: Some of certified OpenID client libs even propose features to ensure user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has same features.
Keycloak adapters for Spring are now deprecated. You can refer to this tutorials for various resource-server security configuration options. It covers uses cases from most simple RBAC to building DSL like: #PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
I have two spring boot application. One is Rest and the other one is Spring boot web MVC app which consumes the Rest. The Rest has spring security configured and I want to login/logout from the client app. The client app has nothing but view and controllers to interact with the rest api.
I am using rest template to interact with the api now.
If the client app is not secured so any other anonymous app may do the same, and this is not security, it's a sieve ...
If you want to create a custom authorization/authentication, you can create own protocol and use tokens/JWT (possibly, OpenID or other global technology) and exchange information between applications.
But there is technology to do it all centrally and reliably - OAuth2, and Spring has it 'from the box' - authorization server, resource server, client. The most advantage - multiple applications (clients), one authorization - you create one user and can authenticate it on any client with the same credentials. You can customize it with JWT, and use any data in the access token and as a consequence get any information about principle/authorization.
I have an app (A) exposing REST services secured with oauth2. (spring security oauth2/spring-web)
I want to create a second app (B) (spring-boot or normal spring), from where I can login then call the REST services from A.
How can I configure security in app B so I can use both social login (facebook, twitter, google) and call REST services from app A? Is there an example using spring security/oauth/social integration?
I've found some examples but none sais how to integrate them
Have you tries the Spring oAuth2 tutorial with FB and Google login? This also includes a local login. All code is available in git from the link in the right column of the tutorial.
I'm in the process of converting a Tomcat deployed web app to a Spring Boot packaged web UI. The original Tomcat WAR used Spring Security to secure URL's exposed by the web app. Within a short while I will be developing a second web app that will be deployed as a second discrete Spring Boot app.
Before using Spring Boot I would probably have encapsulated both web apps into a single WAR file using Spring Security to secure the URL's of both.
However, given that that there are now two distinct JAR's deployed onto two distinct servers, how do I apply a common Spring Security model? If a user is authenticated on web app #1 then I want that authenticated state to be recognized by web app #2, to avoid the user having to login again.
To reduce inter dependence should I configure each Spring Boot app to employ the same underlying Spring Security configuration? Or is there a different appraoch required?
An excellent article for your problem at https://spring.io/guides/tutorials/spring-security-and-angular-js/
You have to use #EnableRedisHttpSession and #EnableZuulProxy annotations.
This is my first question on StackOverflow and I hope someone can help me. :-)
I am planning to build a web-application (backend) with spring roo. For the backend I will use Spring and Hibernate/JPA. In the future I will implement a web client (JSF/Primefaces), a mobile client (Android) and a Windows App.
With spring roo it is easy to create a layered architecture with domain classes, repositories and services. This part is fun.
But now I am thinking about remoting and how to connect all the clients (web, mobile, windows) with my backend.
1.) What do you prefer for the remoting between client and backend? SOAP-Web Services or a REST-API (e.g. with JSON).
2.) If REST-API: How should the API look like for authentication/login functionality? REST is resource-oriented but how do you implement authentication with REST API?
At the moment I think a REST-API is a good idea. Because I am using spring it is easy to create a Spring MVC controller with REST support. But is this the correct way to implement a REST API for all the three devices? The web client e.g. should be implemented with JSF and Primefaces and I donĀ“t use spring MVC for the web layer.
3.)Can I nevertheless use Spring MVC controllers to build the REST API (together with JSF in the web layer)? Or is there a better way?
1.) What do you prefer for the remoting between client and backend? SOAP-Web Services or a REST-API (e.g. with JSON).
I don't have too much experience with SOAP-WS, but I have a ton of experience with REST-APIs using JSON. There are many implementations for mobile, web and server side clients that are fairly simple to implement.
2.) If REST-API: How should the API look like for authentication/login functionality? REST is resource oriented but how to implement authentication with REST API?
If you are already using spring, I recommend securing your API with Spring Security. You can use spring security even if you don't end up going with Spring MVC for your API implementation. There are many ways to secure a rest API with spring security, but I the simplest is to send the basic auth header with every request to a secure URI
3.)Can I nevertheless use Spring MVC controllers to build the REST API (together with JSF in the web layer)? Or is there a better way?
Spring MVC Controllers will work fine, but I would recommend going with RestEasy or Jersey. I find them to be more flexable.
I agree with #mad_fox. Additionally, i want to add another option regarding your question#2. If you dont want to use Spring security, you can write your own token based authentication mechanism using spring and basic java interceptors.
You can store the token in your browser local storage.