Java web security solutions - spring

I am looking for some possible solutions for my web application security.
The web application redirects the user to the login server. Then, after authentication is successful, the user is forwarded back to a certain page within my application. The login credentials are forwarded with the user. My page is served by a controller that authenticates the user for my application. (Authentication is accomplished using Liberty ID-FF 1.2.)
Currently, I am using Spring 3 page interceptors for the redirection.
My question is: how can I accomplish this with Spring Security? Or is there another comparable framework? I like Spring Security for how easy it is to configure and how it protects resources. To use it, I need to have the authentication controller redirect the user to the login server. How do I do that in the authentication controller?
I am using JBoss 4.0.5, Spring 3.0, Java EE 5, and ID-FF 1.2.

I am afraid there is no support for Liberty ID-FF in Spring. Currently, the only extension module available for Spring Security is the SAML2 one.
More info:
http://static.springsource.org/spring-security/site/extensions.html

Related

Is there a Spring boot SAML client for integrating SAML with spring boot application?

I am developing a Spring Boot application that integrates with multiple IdPs. I have checked many examples over the internet on integrating a Spring application with SAML; all of them show how to integrate with IdPs via application properties.
In the case of OAuth 2.0, we had clients provided by the MSAL libraries, which we integrated as below.
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;

// clientSecret is assumed to be an IClientCredential (e.g. from ClientCredentialFactory.createFromSecret)
ConfidentialClientApplication clientApplication = ConfidentialClientApplication
        .builder(decryptCredential(adClientId), clientSecret)
        .authority(authorityURL)
        .build();
String authorizationUrl = clientApplication.getAuthorizationRequestUrl(parameters).toString();
IAuthenticationResult result = clientApplication.acquireToken(authorizationCodeParameters).get();
Is there a similar way in Spring Boot to have a client call the ADFS SAML IdP and get the user authenticated?
Based on the request, fetch the IdP details from the database and invoke a call to the appropriate IdP to get the user authenticated.
Thanks in advance.
I explored the coveooss library, which has clients and is the easiest one to invoke ADFS with to fetch SAML assertions. Here is the COVEOOSS git link

Implement Keycloak Authorization server using Spring Security 5 OAuth2

I've written a software system that uses Spring Cloud Netflix. Due to Spring Security 5 not offering support for writing an Authorization Server (please shout out here https://github.com/spring-projects/spring-security/issues/6320), I need to write my own Authorization Server. I want my application to permit social login and username/password registration, have a custom login page, but also use Keycloak. I don't even know where to start; if you have any documentation or code samples, please provide them.
You can use the CAS project. By using the overlay it is easy to set up and to customize:
https://github.com/apereo/cas-overlay-template/blob/master/README.md
It serves a frontend that your user can be redirected to and can log in on. After a successful login, the user is redirected back to your web page. The frontend is completely customizable.
It supports all kinds of authentication providers, like Keycloak, a database or Google/Facebook.
After the basic setup you just add the dependency inside the Gradle file, configure your Keycloak/database/... in application.properties and can start using it as an authentication server.
It fits perfectly into a microservice landscape and is curated by professionals implementing security best practices.
https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html

Spring Keycloak authentication - serves both web application and web service

Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring-based service "resource-service" with Keycloak, serving both web-application and service flows:
Web application - a React-based front-end that should get a 302 redirect from the "resource-service", sending the user / browser to log in on the Keycloak site and then return to get the requested resource.
Server-to-server communication - a server that needs to use the "resource-service" APIs should get a 401 in case of authentication issues, and not a redirection / login page.
There are few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is an "autodetect-bearer-only" option in the Keycloak documentation that seems to support exactly that case. But:
There are a lot of integration options and I'm not sure what is the best way to go for a new Spring Boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and, in my opinion, if you are using Spring Boot, use the corresponding adapter; use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach, as you basically have to do everything on your own; why would anyone not use the first two methods?
As for using the Spring Boot adapter, the only configuration necessary is the following:
keycloak:
  bearer-only: true
  auth-server-url: your-url
  realm: your-realm
  resource: your-resource
And you're done. The bearer-only setting is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints, but it's a bit more flexible to use either httpSecurity or @EnableGlobalMethodSecurity, which we're doing with e.g. @Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource servers to always return 401 when the Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc. Some certified OpenID client libs even offer features to ensure the user has a valid access token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has the same features.
Keycloak adapters for Spring are now deprecated. You can refer to these tutorials for various resource-server security configuration options. They cover use cases from the most simple RBAC to building a DSL like: @PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
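The requirement in the question above (302 to the Keycloak login for browsers, 401 for server-to-server callers, from one "resource-service") can be met with plain Spring Security, the third option listed, now that the Keycloak adapters are deprecated. The following is an added example and is not code from either answer or from Keycloak. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-client and spring-boot-starter-oauth2-resource-server on the classpath, a client registration named "keycloak" and spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at the realm; the registration name and the /api/** prefix are illustrative.

```java
// Added example: one SecurityFilterChain that answers browsers with a redirect to the
// Keycloak login and machine clients with 401 + WWW-Authenticate.
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class ResourceServiceSecurityConfig {

    // Assumed registration id "keycloak" under spring.security.oauth2.client.registration
    private static final String KEYCLOAK_LOGIN = "/oauth2/authorization/keycloak";

    @Bean
    SecurityFilterChain resourceServiceChain(HttpSecurity http) throws Exception {
        // Machine clients: anything that already sends an Authorization header, or that
        // targets the (assumed) API prefix, must get 401, never a redirect.
        RequestMatcher machineClient = new OrRequestMatcher(
                new RequestHeaderRequestMatcher("Authorization"),
                new AntPathRequestMatcher("/api/**"));

        // Browsers: requests that accept text/html (not merely */*) get the login redirect.
        MediaTypeRequestMatcher browser = new MediaTypeRequestMatcher(MediaType.TEXT_HTML);
        browser.setIgnoredMediaTypes(Set.of(MediaType.ALL));

        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated())
            // Browser flow: authorization-code login against the Keycloak realm.
            .oauth2Login(login -> login.loginPage(KEYCLOAK_LOGIN))
            // Machine flow: validate Keycloak-issued JWTs locally against the realm's JWKS.
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            // Bearer-token requests carry no session cookie, so CSRF protection does not apply
            // to them; cookie-authenticated browser requests keep it.
            .csrf(csrf -> csrf.ignoringRequestMatchers(new RequestHeaderRequestMatcher("Authorization")))
            .exceptionHandling(ex -> ex
                // The first registered entry point is also the fallback, so an unmatched
                // request gets 401 rather than being bounced to a login page.
                .defaultAuthenticationEntryPointFor(new BearerTokenAuthenticationEntryPoint(), machineClient)
                .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint(KEYCLOAK_LOGIN), browser));
        return http.build();
    }
}
```

Check it with two requests: `curl -i http://localhost:8080/api/things` (no Authorization header, path under /api) must return 401 with a WWW-Authenticate: Bearer header, while the same path with `-H 'Accept: text/html'` still returns 401 because the machine-client matcher is tried first; `curl -i -H 'Accept: text/html' http://localhost:8080/things` returns 302 to /oauth2/authorization/keycloak. The 401 fallback is deliberate: a misclassified caller that cannot follow redirects sees a clear authentication failure instead of a stray HTML login page.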

Spring security, LDAP and SSO

I am trying to build an application where login is done by SiteMinder SSO. Once login is done, I need to get the user info (like roles, permissions) for the logged-in user from LDAP and put it in the session.
Also, I am using Spring MVC to expose REST services. I want my REST services to be accessible only for certain roles (like Manager/Admin etc.). Also, the UI will display/hide pages based on roles.
I want to know what the best approach is to achieve the above.
Please note I am using Spring MVC on WAS7.
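The page carries no answer for this question, so the following is an added example (not the asker's code) of the standard Spring Security pattern for it: SiteMinder's web agent authenticates the user and forwards the login name in the SM_USER header, a pre-authentication filter trusts that header, an LDAP lookup supplies the roles, and the resulting SecurityContext is kept in the HTTP session for the REST layer and the UI. It is written against Spring Security 6 Java config; on WAS7 with Spring Security 3 the same beans are wired in XML. The LDAP URL, search bases, group filter, header name and URL-to-role mapping are illustrative assumptions.

```java
// Added example: SiteMinder (SM_USER header) pre-authentication + LDAP roles in Spring Security.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true) // enables @Secured("ROLE_ADMIN") on REST controller methods
public class SiteMinderSecurityConfig {

    @Bean
    AuthenticationManager siteMinderAuthenticationManager() throws Exception {
        // SiteMinder only says who the user is; roles come from LDAP group membership.
        // LDAP URL and DNs are assumed values.
        DefaultSpringSecurityContextSource ldap =
                new DefaultSpringSecurityContextSource("ldap://ldap.example.internal:389/dc=example,dc=com");
        ldap.afterPropertiesSet(); // required when constructed outside the container
        FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch("ou=people", "(uid={0})", ldap);
        DefaultLdapAuthoritiesPopulator groups = new DefaultLdapAuthoritiesPopulator(ldap, "ou=groups");
        groups.setGroupSearchFilter("(member={0})"); // {0} = user DN, {1} = username
        groups.setRolePrefix("ROLE_");               // group cn=admin becomes ROLE_ADMIN

        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<>(new LdapUserDetailsService(userSearch, groups)));
        return new ProviderManager(provider);
    }

    @Bean
    SecurityFilterChain siteMinderChain(HttpSecurity http, AuthenticationManager authenticationManager)
            throws Exception {
        RequestHeaderAuthenticationFilter smFilter = new RequestHeaderAuthenticationFilter();
        smFilter.setPrincipalRequestHeader("SM_USER"); // header set by the SiteMinder agent
        smFilter.setAuthenticationManager(authenticationManager);
        // Without the header the request stays anonymous and ends as 403 from the entry point,
        // instead of a 500 from PreAuthenticatedCredentialsNotFoundException.
        smFilter.setExceptionIfHeaderMissing(false);

        http.addFilter(smFilter)
            .authenticationManager(authenticationManager)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/rest/admin/**").hasRole("ADMIN")
                .requestMatchers("/rest/**").hasAnyRole("MANAGER", "ADMIN")
                .anyRequest().authenticated());
        // The default session-backed SecurityContextRepository stores the authenticated user and
        // roles in the HTTP session; the UI reads them via SecurityContextHolder or <sec:authorize>.
        return http.build();
    }
}
```

The header is trusted unconditionally, which is the point of pre-authentication and also its risk: the application must be reachable only through the SiteMinder agent (network ACL or reverse-proxy rule that strips an inbound SM_USER), because any client that can reach the servlet container directly can impersonate a user by setting the header itself.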

Spring Security - OAuth, LDAP Integration for multitenant application

I am using Spring Security 3.2 for my Spring multitenant application. My requirement
is that tenant1 should be authorized against OAuth, tenant2 should be authorized
against LDAP and tenant3 should be authorized against a database. I will know
the authorization method for the tenant through a properties file. I am able to
authorize users against any single authorization method, but I am not able to
configure multiple authorization methods. Could someone please give me any suggestions
on this?
In the case of a web application, you can use different login URLs and allow the user to choose the authentication method. Then separate security filters should be applied for each URL.
You can check this configuration: https://code.google.com/p/opendatakit/source/browse/eclipse-aggregate-gae/war/WEB-INF/applicationContext-security.xml?repo=aggregate
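The answer's approach (one login URL per authentication method, each with its own filters) maps onto multiple ordered SecurityFilterChain beans, each restricted to a tenant URL prefix and carrying its own AuthenticationManager. The following is an added example and is not code from the answer or from the linked OpenDataKit configuration; it uses Spring Security 6 Java config rather than the 3.2 XML of the question. The tenant prefixes, the LDAP URL and DN pattern, and the OAuth2 registration name "tenant1-idp" are illustrative assumptions.

```java
// Added example: per-tenant SecurityFilterChains (OAuth2, LDAP, database) selected by URL prefix.
import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.LdapBindAuthenticationManagerFactory;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiTenantSecurityConfig {

    // Tenant 1: delegated login to the OAuth2/OIDC provider registered as "tenant1-idp"
    // (assumed) under spring.security.oauth2.client.registration. The authorization and
    // callback endpoints are moved under /tenant1/ so that this chain, not another one,
    // handles them; the registration's redirect-uri must be set to match.
    @Bean
    @Order(1)
    SecurityFilterChain tenant1OAuth(HttpSecurity http) throws Exception {
        http.securityMatcher("/tenant1/**")
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2Login(login -> login
                .loginPage("/tenant1/oauth2/authorization/tenant1-idp")
                .authorizationEndpoint(ep -> ep.baseUri("/tenant1/oauth2/authorization"))
                .redirectionEndpoint(ep -> ep.baseUri("/tenant1/login/oauth2/code/*")));
        return http.build();
    }

    // Tenant 2: LDAP bind authentication with its own form-login URL.
    @Bean
    @Order(2)
    SecurityFilterChain tenant2Ldap(HttpSecurity http) throws Exception {
        DefaultSpringSecurityContextSource ctx =
                new DefaultSpringSecurityContextSource("ldap://ldap.example.internal:389/dc=example,dc=com");
        ctx.afterPropertiesSet(); // required when constructed outside the container
        LdapBindAuthenticationManagerFactory factory = new LdapBindAuthenticationManagerFactory(ctx);
        factory.setUserDnPatterns("uid={0},ou=people"); // assumed directory layout
        AuthenticationManager ldapManager = factory.createAuthenticationManager();

        http.securityMatcher("/tenant2/**")
            .authenticationManager(ldapManager)
            .authorizeHttpRequests(a -> a
                .requestMatchers("/tenant2/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(f -> f.loginPage("/tenant2/login").loginProcessingUrl("/tenant2/login"));
        return http.build();
    }

    // Tenant 3: database users in Spring Security's standard users/authorities schema.
    @Bean
    @Order(3)
    SecurityFilterChain tenant3Database(HttpSecurity http, DataSource dataSource) throws Exception {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new JdbcUserDetailsManager(dataSource));
        provider.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());

        http.securityMatcher("/tenant3/**")
            .authenticationManager(new ProviderManager(provider))
            .authorizeHttpRequests(a -> a
                .requestMatchers("/tenant3/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(f -> f.loginPage("/tenant3/login").loginProcessingUrl("/tenant3/login"));
        return http.build();
    }
}
```

Only the first chain whose securityMatcher matches is applied, so the @Order values decide which tenant a request belongs to, and each chain's AuthenticationManager never sees another tenant's credentials. A request outside every prefix falls through to Spring Boot's default chain, so add a final catch-all chain (securityMatcher("/**") denying or redirecting) if that is not the intended behaviour. The tenant-to-method lookup the question keeps in a properties file becomes the choice of which chain to declare for each prefix.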
