How to enforce Spring Security as main Security Manager? - spring

is there any way to enable java SecurityManager while using spring security ?
I have a Swing standalone application and using spring jdbcDaoImpl to authenticate and authorize using MySql Database (default spring security schema)
but I want to know how to force all tasks be secured, like what happens in setting System.setSecurityManager(...)

Related

Spring Application (ear) on JBoss using keycloak

I have a spring application (not boot) that is deployed on a jboss 7.2.4 as an .ear file.
For security reasons I have to protect all REST-API ports that are provided by the application. For this our AD provides users and user groups to use.
As I cannot migrate the application into spring boot I have to use the existing spring/jboss installation and have to use keycloak for security handling.
I found no information how to use keycloak inside an jboss installation. Can anybody help? Is it possible at all?
Just configure an authorities converter to map authorities from keycloak roles and configure your authentication converter to use this authorities converter.
You can refer to this article for #Beans definition (yes, it is boot app, but it configures the two beans I'm talking about).

Client Application using Basic Auth with Spring Security and Keycloak

I have an architecture where my user application wants to use a basic authentication when accessing a spring service. This service has to use a Keycloak instance to verify the user/pass of the user application. I don't succeed to configure it (and don't know if its possible).
Yes, it is possible. Keycloak has Spring Security adapter that can be configured for Client and/or Resource Server.
https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_security_adapter
And also a working example here:
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-spring-security

Spring boot LDAP auto configuration - anonymous access

If the ldap server allows anonymous access, how do I configure the following properties.
spring.ldap.username
spring.ldap.password
If I leave out these properties, I am getting null pointer exception as internally hashtable is used.
I run in the same problem with a transient dependency of Spring ldap security from another project and Spring boot 2.1 and Spring boot admin. My LDAP is not configured (with Spring boot) and a Spring boot admin console initiates a health check. Because of Spring boot auto-configuration a LDAP health check bean is enabled and then the check runs into a NullPointerException.
For this case I excluded the LdapHealthIndicatorAutoConfiguration.class via #SpringBootApplication.
For your problem your maybe need more excludes. Please refer https://docs.spring.io/spring-boot/docs/current/reference/html/auto-configuration-classes.html for existing auto configuration classes. Search for LDAP and try to exclude the found classes in your application.
I'm pretty sure this is a bug in Spring LDAP security, because an anonymous LDAP configuration (no user and password) was intended to work.
I think, this should able to use. Just don't provider membership detail.

Spring Security - OAuth, LDAP Integration for multitenant application

I am using spring security for my spring multitenant application. I am using spring security 3.2
I am using spring security for my spring multitenant application. My requirement
is tenant1 should be authorized against oauth and tenant2 should be authorized
against ldap and tenant3 should be authorized against database. I will be knowing
the authorization method for the tenant through properties file. I am able to
authorize user against any single authorization method. But i am not able to
configure for multiple authorization methods. Please someone give any suggestions
on this.
In case of web application, you can use different login URLs and allow user to choose authentication method. Then separate security filters should be applied for each URL.
You can check this configuration: https://code.google.com/p/opendatakit/source/browse/eclipse-aggregate-gae/war/WEB-INF/applicationContext-security.xml?repo=aggregate

how to implement single sign-on for multiple Web applications based on JAAS(Authorization)

I started working on JAAS with SSO,I have some doubt about JAAS. JAAS (Java Authentication and Authorization Service) framework to cater to multiple authentication mechanisms. The SSO server validates sign-on information against its own database or an external directory server and returns the session context and list of applications that the signed-on user can execute.Here i want to implement one more web application's.As per my knowledge the SSO JAAS will return Session context. In my client web applications already, i have acegi security for authentication, using my acegi security how can i get the session context from my SSO JAAS for Authorization.I am trying to find out any configuration sample , but still I did't get any work around example.
Take a look at this spring security configuration. It is not exactly what you want but it will show you the way
Key points
Check how authentication-manager is defined by using
PreAuthenticatedAuthenticationProvider. The preAuthenticatedUserDetailsService property defines a bean that will allow you to create your spring security UserDetails object from the JAAS Authentication object
The j2eePreAuthFilter filter is the one that will delegate security from JAAS to spring security.
The rest is standard spring security configuration
Hope it helps a bit

Resources