I am using Tomcat realm for security and my question is that I didn't know where to get the user's information after logging in.
I want to use the role of the user that has logged on and I don't know what Tomcat sets in it's session after logging on.
Tomcat follows the servlet specification and makes the user's information available to your webapp in two ways:
Use request.getUserPrincipal to get the java.security.Principal that represents the user. You can call Principal.getName to get the user's name.
Use request.isUserInRole to check if a user has a particular role.
Note that you can't just get "the user's role" because the user may have multiple roles. The standard API does not include a way to get all the user's roles: you have to check for them individually.
Related
On a JHipster application, I've added a custom authentication provider, to verify user and password of Active Directory users that have login inside. This custom component implements AuthenticationProvider, and inside "authenticate" method, istance an ActiveDirectoryLdapAuthenticationProvider object to get authentication and verify presense on specifical groups.
With a simple A.D. test environment I've no problem, but in production, my company ask me to bind a service account, and I cannot found any method to setup manager-ad and password. How can I get around this problem?
On Spring documentation I've read the phrase "There is no concept of a "manager" user."
My app use 5.1.8.RELEASE
Thanks!
Looking at the code, it validates the user's credentials by binding using the user's credentials. That's really the only way to validate credentials.
I assume, since it has already made a successful bind, it just continues on making whatever search it needs to.
There might be a way to use different credentials for reading the groups, but it all depends on what your current code looks like. But there really is little point in doing this. You have to bind using the user's credentials to validate their credentials. So you may as well continue using that same connection.
I'm running a Spring app on Kubernetes. App is authenticated via keycloak (also run on k8s).
The problem is that in case when Kubernetes will have configured more than one edge node I can connect only from node which is configured in keycloak.auth-server-url in the Spring app. On other edge nodes I'm getting Invalid token issuer error. Do you know any solution for that problem?
Remember that first, during keycloak configuration you have to create a new client with the name persons-app specific for the application. You can do that under Clients in the left column and then clicking Create.
Then proper redirect URL needs to be configured.
After setting up the proper client, a new role user is added to Keycloak. This role can later be assigned to individual users in order to define appropriate access policies.
The last thing you have to do is creating an actual user and assigning the newly created role to that user. This can be done by clicking Add User under the page Users.
Next, you have to set a password for the user. In this example, it is the standard password for example projects (i.e. password).
Roles of a user can be managed under the tab Role Mappings. You have to add the role user to Assigned Roles.
That's it. Keycloak is now ready to be used and has already a very (very) small user base. Now you can proceed to the actual application, which should be secured.
Remember that in order to store relevant information and configuration, a PostgreSQL database must be set up first.
More information you can find here: spring-keycloak.
I'm trying to write a function that shows if certain users are currently authenticated with Spring Security. Basically, just to display if a certain user is logged in right now.
I know I can get all logged in users via sessionRegistry.getAllPrincipals(), but what I just want to see if a specific user is logged in right now (e.g. on their profile page).
Is there a built-in function for this? If not, where's an entry point I can use to implement this functionality myself?
I want to retrieve the Windows login of my users when they run my JSF script. The goal is to avoid asking my user a login information, just want get the Windows login throw the request.
I try this How to obtain request headers, remote address and other HttpServletRequest-specific information? but I always get a null String with externalContext.getRemoteUser().
Does it mean that the web browser doesn't send the remote user information? Must I change the configuration of my browser? Is it possible to get this information?
Thanks,
Philippe
Spring security kerberos plugin will pull this off quite nicely, but you'll be taking the spring framework on as a dependency. I'm also assuming here that you're running a managed security enterprise where your users authenticate against a domain.
What you want to achieve cannot be done by pure Java EE spec (someone prove otherwise). The purpose of the getRemoteUser method is to retrieve the username of the authenticated user who has been authenticated either by the Webapp container or third party web auth framework. See spec here
See this answer for more insight
We are using 2.x spring security right now. I am asked to build an admin tool so that the ROLE_ADMIN can change to any user in the site and view the site as that person (each person on the site may see different stuff depending on the role which is dynamically granted base on the database) and of course the admin should be able to switch back to admin without logging in.
Is there a build in function, if not how should I do this?
Thanks in advance!
Use the existing Spring SwitchUserFilter:
http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.html
I don't know any spring-security out-of-the-box solution that will answer your requirement, but I can suggest you a way for implementing it.
Declare a url for the "view the site as" action with a query param to get the user name, for example: /myApp/viewTheSiteAs?user=marley
Write your own custom filter that will do the following:
2.1 Validate that the authenticated user is "admin" user
2.2 Extract the user from the action ("marley" :-))
2.3 Validate that it exists (using the UserDetailsService).
2.4 Construct new Authentication object with the granted authorities that fits the user you have extracted, and replace the current Authentication object with your own object: SecurityContextHolder.getContext().setAuthentication(myNewAuthObject)
Add a filter chain in spring security config file for /ViewTheSiteAs that will act as regular filter chain (should authenticate the "real" user as regular), and locate your custom filter at the end of the chain.
Doing the following will cause spring security to think that the user from viewTheSiteAs action is the authenticated one, and by that check the permissions according this user.
p.s. - this is not a security break since it downgrades the authenticated user permissions, which means "less powerful" user.
Good luck.