Spring security tied to Apache Tomcat tomcat-users.xml UserDatabaseRealm - spring

I'm adding Spring security to an internal website. I've been asked to have the authentication be tied to tomcat-users.xml, so that we can cut down on the number of passwords to change/remember.
From what I've been able to Google up, this isn't very straightforward, if at all possible.
Things are working fine, for now, with a user + role hardcoded in springSecurity.xml.

You can treat container security as a pre-authenticated scenario.
There's a sample app in the codebase which uses this approach. It uses explicit bean configuration, but there is also a <jee> namespace element available.

This could be done as a pre-authenticated scenario, as Luke indicates, but I do not suggest that option. When you are using the Tomcat XML file you are using MemoryRealm, but you could switch to JDBCRealm and have both sets of users (Spring and Tomcat) stored in the database. I suggest this for maintenance, consistency and security. If you change your servlet container you will have to migrate your security users and roles.
https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#MemoryRealm
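Luke's answer mentions that the sample app wires the pre-authenticated beans explicitly while the `<jee>` element does the same in one line. The following is an added example (not the sample app's code and not from either answer) of that explicit wiring in Spring Security Java config, which is worth seeing once because it makes the mechanism visible: a filter that reads `request.getUserPrincipal()`, a details source that probes `request.isUserInRole()` for a fixed set of container roles, a mapper that turns those into `GrantedAuthority` names, and a provider that trusts the result without any password check. The container role names `manager` and `employee`, the `/secure/**` path and the `ROLE_MANAGER` check are hypothetical; the container roles are assumed to be declared as `<security-role>` entries in web.xml and assigned in tomcat-users.xml.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleMappableAttributesRetriever;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
import org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter;

// Added example: explicit container-managed (pre-authenticated) wiring.
// Role names, paths and the class name are hypothetical.
@Configuration
@EnableWebSecurity
public class ExplicitContainerAuthConfig extends WebSecurityConfigurerAdapter {

    // The only container roles Spring Security will ask Tomcat about. Anything
    // not listed here is never probed with request.isUserInRole().
    private static final Set<String> CONTAINER_ROLES =
            new HashSet<>(Arrays.asList("manager", "employee"));

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // The provider trusts the principal the filter hands it. There is no
        // password to check: Tomcat already did that against its realm.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new PreAuthenticatedGrantedAuthoritiesUserDetailsService());
        auth.authenticationProvider(provider);
    }

    private J2eePreAuthenticatedProcessingFilter j2eeFilter() throws Exception {
        // Which container roles to probe.
        SimpleMappableAttributesRetriever retriever = new SimpleMappableAttributesRetriever();
        retriever.setMappableAttributes(CONTAINER_ROLES);

        // How a container role becomes an authority: "manager" -> "ROLE_MANAGER"
        // (the "ROLE_" prefix is the mapper's default; upper-casing is opted in).
        SimpleAttributes2GrantedAuthoritiesMapper mapper = new SimpleAttributes2GrantedAuthoritiesMapper();
        mapper.setConvertAttributeToUpperCase(true);

        J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource details =
                new J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource();
        details.setMappableRolesRetriever(retriever);
        details.setUserRoles2GrantedAuthoritiesMapper(mapper);

        // The filter reads request.getUserPrincipal(); if Tomcat did not
        // authenticate the request there is no principal and nothing happens.
        J2eePreAuthenticatedProcessingFilter filter = new J2eePreAuthenticatedProcessingFilter();
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationDetailsSource(details);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilter(j2eeFilter())
            // No Spring login page: if the container did not authenticate, the
            // only honest answer is 403. Redirecting to a form Tomcat owns is
            // the container's job, configured in web.xml, not Spring's.
            .exceptionHandling()
                .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                .and()
            .authorizeRequests()
                .antMatchers("/secure/**").hasRole("MANAGER")
                .anyRequest().authenticated();
    }
}
```

The point to check in any such setup is that the filter never authenticates anything on its own: every authority comes from `isUserInRole()` answers for the roles you listed, so a role that exists in tomcat-users.xml but is missing from the retriever's set (or from web.xml's `<security-role>` list, which some containers require before `isUserInRole()` will report it) silently maps to nothing.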

Related

How to configure Spring Boot Tomcat Basic Auth together with Spring Security?

I'm currently trying to make a Spring Boot app. I've managed to create successfully user authentication using LDAP and custom logic.
However, I'm trying to add another layer of security on top of that, something like "htaccess" to prevent unauthorized users from even seeing the web page (client requirement), as well as stop Google from indexing the page. This can be a single predefined user (doesn't need to be connected to ldap auth).
I've read about configuring the tomcat realm, tomcat-users etc. but since it's Spring Boot app with embedded tomcat, I can't find a place to successfully configure it.
Does anyone have any idea how to create such setup?

Container Managed Security, Spring Security and Authentication

I have been looking everywhere on how I can implement Spring Security based on a Container Managed Security Model. In my test case, I am using Tomcat and its corresponding tomcat-users.xml file. The issue is, I cannot get Spring Security to play well (meaning pass authentication over to Tomcat) to let the app server perform the Authentication and have Spring manage the role based security once someone is authenticated. I am using the latest Spring versions, so it's all Java config as I am just not familiar enough with XML based config. I have read many examples that talk about using a PreAuthenticatedAuthenticationProvider, but the examples are poor, not to mention the Spring documentation is quite confusing IMHO. I even downloaded the sample preauth code from the Spring Security GitHub but I still cannot see how the example code is tied to the authentication that Tomcat is performing. When I run the Spring sample code for preauth, it doesn't authenticate with any of the users in my tomcat-users XML file as I deployed my code to Tomcat 8. Wondering if anyone has any ideas on where I can look in order to understand how Spring Security and the authentication performed by Tomcat (container managed) happens?
UPDATE:
It appears I had to start from scratch and simply get the authentication to work with a very simple app created in my IDE. Basically I had a folder that was called secure, one folder that was called unsecure, and I mapped the paths according to the Servlet 3 spec to secure and unsecure what I needed. I had to use a web.xml in order to contain the security constraints. Once I tested in both Tomcat 7 and 8, where I tried to hit a secure URL, I was challenged to enter an ID and password. Please note you have to define the path to a login page; mine was a simple JSP. I also had to submit to j_security_check and also make sure to use the j_username and j_password field names.

Once I knew I could hit a secure page, I then started introducing the Spring components. This involved Spring Security, Spring Boot etc. The key was in the WebSecurityConfigurerAdapter. Where I normally would have basic auth or form-based security enabled, I removed those and instead used the jee() setting based on the same fluent builder API used to configure your security settings. I left all antMatcher settings in the web.xml, so my WebSecurityConfigurerAdapter was very basic.

When you are debugging controllers, you can inject the HttpServletRequest directly in the method and that request contains a userPrincipal request value containing things such as the user ID and roles. Good luck, hope this helps others because it was painfully long for me to figure out such a simple solution.
See the update for a detailed explanation on my solution.
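The update above describes the working recipe in prose: web.xml carries the `<security-constraint>` and the FORM `<login-config>` that make Tomcat challenge for credentials, and the `WebSecurityConfigurerAdapter` uses `jee()` instead of `formLogin()` or `httpBasic()`. The following is an added example (not the poster's code) of that recipe in Java config. Paths, role names and page names are hypothetical. One detail the prose does not spell out, and which is the usual reason this setup "doesn't authenticate": `jee().mappableRoles("MANAGER")` prepends `ROLE_` before calling `request.isUserInRole()`, so the container role in web.xml and tomcat-users.xml has to be literally `ROLE_MANAGER` for the mapping to fire. The web.xml fragment is shown as a comment because it is part of the same recipe.

```java
// Added example (not the poster's code): jee() container-managed login in Spring
// Security Java config. Paths, role names and page names are hypothetical.
//
// Container side (web.xml). This is what makes Tomcat ask for an ID and
// password; Spring Security never sees the credentials. Note the role names:
// jee().mappableRoles("MANAGER", "EMPLOYEE") probes
// request.isUserInRole("ROLE_MANAGER") / ("ROLE_EMPLOYEE"), so the container
// roles must carry the ROLE_ prefix here and in tomcat-users.xml.
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>secure</web-resource-name>
//       <url-pattern>/secure/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>ROLE_MANAGER</role-name>
//       <role-name>ROLE_EMPLOYEE</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <!-- login.jsp posts j_username and j_password to j_security_check -->
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-error.jsp</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>ROLE_MANAGER</role-name></security-role>
//   <security-role><role-name>ROLE_EMPLOYEE</role-name></security-role>

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class JeeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No formLogin()/httpBasic(): the container owns the login dialogue.
            // mappableRoles() adds the ROLE_ prefix itself, so pass bare names.
            .jee()
                .mappableRoles("MANAGER", "EMPLOYEE")
                .and()
            // Finer-grained rules than web.xml can express live here. Tomcat
            // already guarantees /secure/* requests are authenticated; Spring
            // decides which of the mapped authorities may reach which URL.
            .authorizeRequests()
                .antMatchers("/unsecure/**").permitAll()
                .antMatchers("/secure/admin/**").hasRole("MANAGER")
                .antMatchers("/secure/**").hasAnyRole("MANAGER", "EMPLOYEE")
                .anyRequest().authenticated();
    }
}

// Shows what a controller sees once both layers have run.
@RestController
class WhoAmIController {

    @GetMapping("/secure/whoami")
    public String whoAmI(HttpServletRequest request) {
        // Inside Spring Security's filter chain the request is wrapped, so
        // getUserPrincipal() and isUserInRole() reflect the Spring Authentication
        // built from the container principal, not Tomcat's GenericPrincipal
        // directly. isUserInRole("MANAGER") therefore checks ROLE_MANAGER.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return "user=" + request.getUserPrincipal().getName()
                + " authorities=" + auth.getAuthorities()
                + " manager=" + request.isUserInRole("MANAGER");
    }
}
```

If `/secure/whoami` returns the user name but an empty authority list, the role names are the first thing to compare: the set passed to `mappableRoles()` (with `ROLE_` added), the `<role-name>` entries in web.xml, and the `roles=` attribute in tomcat-users.xml must agree character for character.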

Camunda authentication and identity service with Spring boot

We're using the Camunda RestAPI to communicate with the camunda-engine in the backend, so far so good, but we haven't been able to enable the Camunda authentication service so that users/roles can only instantiate/claim/complete/see (when requesting via http) the tasks and processes which are assigned to them or their groups.
We're also using the spring boot implementation of the configuration, we have tried several things, but none has worked so far as anyone can do anything and it's not even asking for credentials, so I was thinking I may be doing something wrong considering how complicated it has been.
So the question is, what are the standard steps we need to take to make these services work?
Thanks in advance.
Camunda is running bundled with a Tomcat server which allows LDAP, so one way might be to let your Tomcat do the permission management. In other words, you might limit the user access via the hosting web server.

Sharing security context between few web applications

I need to have a web application which actually consists of a few separate WARs unified into the same navigation bar on the UI. I need to have the whole system secured but have authentication only in the main web application, and then automatic propagation of this security context to the sub web applications. I'm using Spring Security; could someone help me with advice? Thanks.
This can be achieved by the following approach. In Spring, SecurityContext by default is stored in HttpSession. Instead you can configure it to store in some shared repository.
So, configuration should be changed to use your own SecurityContextRepository implementation instead of HttpSessionSecurityContextRepository. Once configured, the security framework will look at the Repository which is available to all your web applications.
The Repository can be either a database or a cache server.
Spring Security stores the login data in the http session. So what I would try is to share the session between the applications.
It seems that this is possible (in Tomcat) by using the Single Sign On attribute.
But be warned, sharing the session between two applications is not without danger. See this Stack Overflow question.
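The first answer above says to replace `HttpSessionSecurityContextRepository` with a `SecurityContextRepository` backed by a shared store; the second warns that sharing login state across applications is dangerous. The following is an added example (not from either answer) of such a repository, with the two safeguards that warning calls for: the lookup key is a 256-bit random cookie value rather than anything derived from the user, and the key is rotated whenever the principal changes so that a key planted before login cannot be reused after it. The cookie name `SSOCTX`, the two-hour lifetime and the in-memory `ConcurrentHashMap` are hypothetical; the map stands in for the database or cache the answer mentions and is only shared within one JVM and classloader, so a real deployment replaces it with a JDBC or cache client.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

// Added example: a SecurityContextRepository keyed by an opaque cookie and
// backed by a shared store. Cookie name, lifetime and the map are hypothetical.
public class SharedStoreSecurityContextRepository implements SecurityContextRepository {

    static final String COOKIE_NAME = "SSOCTX";
    private static final Duration MAX_AGE = Duration.ofHours(2);
    private static final SecureRandom RANDOM = new SecureRandom();
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    private static final class Entry {
        final SecurityContext context;
        final Instant expires;
        Entry(SecurityContext context, Instant expires) { this.context = context; this.expires = expires; }
    }

    // Stand-in for the shared database/cache (see lead-in).
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        String key = cookieValue(holder.getRequest());
        Entry e = (key == null) ? null : store.get(key);
        if (e == null) {
            return SecurityContextHolder.createEmptyContext();
        }
        if (e.expires.isBefore(Instant.now())) {
            store.remove(key);               // expiry is enforced here, not by the cookie
            return SecurityContextHolder.createEmptyContext();
        }
        return e.context;
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
        String key = cookieValue(request);
        Authentication auth = context.getAuthentication();
        if (auth == null || trustResolver.isAnonymous(auth)) {
            // Logged out, or never logged in. The anonymous token must not be
            // persisted, otherwise every visitor gets a store entry.
            if (key != null && store.remove(key) != null) {
                response.addCookie(cookie(request, "", 0));
            }
            return;
        }
        Entry existing = (key == null) ? null : store.get(key);
        boolean principalChanged = existing == null
                || existing.context.getAuthentication() == null
                || !existing.context.getAuthentication().getName().equals(auth.getName());
        if (principalChanged) {
            // Rotate the key on every login so a pre-login key cannot be fixed.
            if (key != null) store.remove(key);
            key = newKey();
            response.addCookie(cookie(request, key, -1));
        }
        store.put(key, new Entry(context, Instant.now().plus(MAX_AGE)));
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        String key = cookieValue(request);
        return key != null && store.containsKey(key);
    }

    private static String cookieValue(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    private static String newKey() {
        byte[] b = new byte[32];             // 256 random bits: the key *is* the login
        RANDOM.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static Cookie cookie(HttpServletRequest request, String value, int maxAge) {
        Cookie c = new Cookie(COOKIE_NAME, value);
        c.setPath("/");                      // one path for all WARs on the host
        c.setHttpOnly(true);
        c.setSecure(request.isSecure());
        c.setMaxAge(maxAge);
        return c;
    }
}
```

Each WAR registers it with `http.securityContext().securityContextRepository(new SharedStoreSecurityContextRepository())`, and all of them must point at the same backing store. Two caveats that apply to the design rather than this sketch: `saveContext` runs after the filter chain has finished, so if a controller has already committed the response the `Set-Cookie` header is lost (`HttpSessionSecurityContextRepository` avoids this by wrapping the response in `loadContext`, and a production version should do the same); and any application with write access to the shared store can mint a context for any user, which is the concrete form of the danger the second answer warns about.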

Spring Security - Preventing Users access to a page if an id is invalid

I am new to Spring Security and am mulling over the idea of using it or not in my application.
The requirement is as follows :
1. In my web application I store session information inside the database; a key for this is stored in a cookie.
2. Now whenever someone tries to access a URL which is not according to the flow, I want to deny access.
3. Can I use Spring Security for this?

I am using Spring MVC, MongoDB and MySQL as the development environment.
Regards,
Abhishek
If you're trying to simply control the flow of an application, I'd suggest using Spring Webflow. This allows you to define set flows in a multi-page application.
Spring Security can be used to control flows, but only for access control. It integrates well with Webflow (and with Spring MVC) to ensure you can secure some or all of your flows.
