Preauthentication with LTPA token - spring

What is the best way to initialize a Spring context given pre-authentication through Websphere LTPA SSO token? Right now I have a custom filter that provides a PreAuthorizedAuthenticationToken to the Spring Security context. Is there an existing filter that would do this for me automatically? I have always run into trouble with GrantedAuthorities when I've tried to use the PreAuth classes.
Cheers

Best option is to have a custom preauthentication filter by extending AbstractPreAuthenticatedProcessingFilter.
You can fetch the token from request and return it in getPreAuthenticatedCredentials() method.
You can define your own AuthenticationUserDetailsService and pass it to PreAuthenticatedAuthenticationProvider; there you can fetch the granted authorities and return them in the UserDetails object:
    <bean id="preAuthAuthenticationProvider"
          class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
            <bean id="myUserDetailsService"
                  class="MyUserDetailsService">
            </bean>
        </property>
    </bean>
If your granted authorities do not start with the default prefix ROLE, you can define your own prefix:
    <bean id="myPermissionRoleVoter" class="org.springframework.security.access.vote.RoleVoter">
        <property name="rolePrefix" value="myprefix"/>
    </bean>
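As an added illustration of the approach described in this answer (not code from the question or from Spring Security itself), here is a filter extending AbstractPreAuthenticatedProcessingFilter together with an AuthenticationUserDetailsService that supplies the granted authorities. The principal is read from request.getUserPrincipal(), which WebSphere populates only after it has validated the LTPA token, so the filter never trusts a cookie or header value on its own. The cookie name LtpaToken2 and the RoleRepository collaborator are assumptions for the example.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Pre-authentication filter for a WebSphere-protected application.
 * The container has already validated the LTPA token before this filter runs,
 * so the principal is taken from request.getUserPrincipal() rather than from
 * a header or cookie that the client could forge.
 */
public class LtpaPreAuthenticatedFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Assumption: the WebSphere SSO cookie is named LtpaToken2 in this deployment.
    private static final String LTPA_COOKIE = "LtpaToken2";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        // Returning null makes the filter skip this request instead of
        // building a token for an anonymous caller.
        return principal == null ? null : principal.getName();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (LTPA_COOKIE.equals(cookie.getName())) {
                    return cookie.getValue(); // kept for auditing only; not validated here
                }
            }
        }
        // "N/A" is the conventional placeholder in Spring Security's pre-auth filters.
        return "N/A";
    }
}

/**
 * Supplies the UserDetails, and therefore the GrantedAuthorities, for the
 * pre-authenticated principal. RoleRepository is a hypothetical collaborator
 * standing in for whatever role store the application uses.
 */
class LtpaUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    /** Hypothetical repository interface; a real one would query the application's role store. */
    interface RoleRepository {
        List<String> findRoleNames(String username);
    }

    private final RoleRepository roleRepository;

    LtpaUserDetailsService(RoleRepository roleRepository) {
        this.roleRepository = roleRepository;
    }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws UsernameNotFoundException {
        String username = token.getName();
        List<String> roleNames = roleRepository.findRoleNames(username);
        if (roleNames.isEmpty()) {
            // A container-authenticated user with no application roles is rejected
            // rather than admitted with an empty authority set.
            throw new UsernameNotFoundException("No application roles for " + username);
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roleNames) {
            // RoleVoter expects the ROLE_ prefix unless rolePrefix is overridden.
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
        // The password is irrelevant for pre-authenticated users; a fixed placeholder is used.
        return new User(username, "N/A", authorities);
    }
}
```

The filter still needs an AuthenticationManager injected (setAuthenticationManager) whose provider is the PreAuthenticatedAuthenticationProvider shown above, with LtpaUserDetailsService as its preAuthenticatedUserDetailsService. If the application is not protected by container security, getUserPrincipal() returns null and the filter deliberately does nothing.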

Avoid JDBCTokenStore in spring Oauth2

I was creating a Spring OAuth2 application. It works, but I have a doubt.
Based on this URL http://projects.spring.io/spring-security-oauth/docs/oauth2.html there are only 2 real options:
JdbcTokenStore and JwtTokenStore.
Is it possible to use JdbcTokenStore but not refer to it in the resource servers?
I mean, can we have it referenced directly only in the AuthorizationServer, with the resource servers using an endpoint of the AuthorizationServer instead of configuring another direct JdbcTokenStore reference?
Motive: I want to avoid sharing a database between the AuthorizationServer and multiple ResourceServers. Is there any other way to achieve this?
In your Resource Servers you can use RemoteTokenServices. This class queries the /check_token endpoint of the Authorization Server to verify tokens.
You can have one database only for the authorization server and other databases for your resource servers.
    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
        <property name="checkTokenEndpointUrl" value="${auth.service.url:https://localhost:8443/auth-service}/oauth/check_token"/>
        <property name="clientId" value="${auth.client.name:TEST_API}"/>
        <property name="clientSecret" value="${auth.client.secret:password}"/>
        <property name="accessTokenConverter" ref="accessTokenConverter"/>
        <property name="restTemplate" ref="oauth2RestTemplate"/>
    </bean>
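The XML above covers only the resource-server side. As an added example (not from the answer or from Spring Security OAuth), the Java configuration below shows both halves: the authorization server must explicitly open /oauth/check_token, which AuthorizationServerSecurityConfigurer denies by default, and it should open it to authenticated clients only so that token introspection is never anonymous. The URL, client id and secret are constructed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

/** Authorization server: owns the JdbcTokenStore and exposes /oauth/check_token. */
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // /oauth/check_token is denyAll() by default. Open it only to
        // authenticated clients (the resource servers' client credentials);
        // permitAll() would let anyone probe whether a token is valid.
        security.checkTokenAccess("isAuthenticated()");
    }
}

/** Resource server: no token store of its own, asks the authorization server instead. */
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Constructed placeholder; in a real deployment this comes from configuration.
    private static final String CHECK_TOKEN_URL =
            "https://auth.example.test/auth-service/oauth/check_token";

    @Bean
    public RemoteTokenServices remoteTokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl(CHECK_TOKEN_URL);
        // The resource server authenticates to check_token with its own client
        // credentials, so it must be registered as a client on the authorization server.
        services.setClientId("resource-server");       // constructed client id
        services.setClientSecret("CHANGE_ME_SECRET");  // placeholder; load from a secret store
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenServices(remoteTokenServices());
    }
}
```

The trade-off is one HTTP round trip to the authorization server per protected request, which is why the check_token URL should be HTTPS and why a short-lived cache in front of RemoteTokenServices is worth considering under load.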

Spring SAML and ADFS 2.0

I used the Spring SAML sample application and followed the instructions. My configuration worked perfectly as expected when the SSOCircle IDP was used. However, I wanted to make this work with ADFS, so I followed the instructions on how to configure Spring SAML with ADFS. I got to the point where, when the Spring SAML application is invoked, it displays the IDP selection page with the URL to adfs/services/trust. When I click on it, it prompts me for AD authentication, which is what I expected. But when I provide the user id/password for the AD authentication, it processes it and displays a message that reads "page can't be displayed".
On the address bar, the URL of the page is displayed as:
https://localhost:8443/spring-security-saml2-sample/saml/login?idp=http%3A%2F%2FTest-DC.TEST.local%2Fadfs%2Fservices%2Ftrust.
Test-DC.TEST.local is my server where ADFS and AD are hosted.
There are no errors in the Tomcat log or anywhere else.
Could someone who has set up Spring SAML with ADFS help here, please?
Make sure that you're using SHA2 and not SHA1.
Either override the afterPropertiesSet method:
    import org.opensaml.xml.Configuration;
    import org.opensaml.xml.security.BasicSecurityConfiguration;
    import org.opensaml.xml.signature.SignatureConstants;
    import org.springframework.beans.factory.InitializingBean;

    public class SSOConfigBean implements InitializingBean {
        // Algorithm URIs registered in place of the OpenSAML defaults (RSA-SHA1 signature, SHA-1 digest)
        private String signatureAlgorithmSHA = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
        private String digestAlgorithmSHA = SignatureConstants.ALGO_ID_DIGEST_SHA256;

        @Override
        public void afterPropertiesSet() throws Exception {
            // Update the global OpenSAML security configuration used when the SP signs its messages
            BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
            config.registerSignatureAlgorithmURI("RSA", signatureAlgorithmSHA);
            config.setSignatureReferenceDigestMethod(digestAlgorithmSHA);
        }
    }
and add this to your securityContext:
    <!-- setting the signature and digest algorithms to SHA-256 instead of the default SHA-1 -->
    <bean class="path.to.SSOConfigBean"/>
Or update the securityContext you're using while setting your SP metadata as below:
    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="entityId" value="urn:samltest"/>
                <property name="extendedMetadata">
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="idpDiscoveryEnabled" value="false"/>
                        <property name="local" value="true"/>
                        <property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    </bean>
                </property>
            </bean>
        </constructor-arg>
    </bean>

Spring Security SAML autologin for user in domain

I've got an application with Spring Security SAML filters. It is configured with ADFS 2.0. The server is on a machine outside the domain. I try to log in to my app with a user's domain account (but a window asking for domain user credentials is displayed). Is there a way to configure this to log in automatically as the domain user currently logged on to Windows?
Thanks a lot.
You can configure a custom authnContext to be sent in your SAML request by changing the samlEntryPoint bean in the following way:
    <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
        <property name="defaultProfileOptions">
            <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                <property name="authnContexts"
                          value="urn:federation:authentication:windows"/>
            </bean>
        </property>
    </bean>

Spring Security: redirect to a URL with path variable after successful login

The following is what I have to redirect a visitor to a page after successful login:
<bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler" p:defaultTargetUrl="/account/quickview"/>
I would like to direct a visitor to the following URL instead:
/account/quickview/id_of_account_object
How can I configure Spring Security to append that account ID to "/account/quickview" after successful login?
I am using Spring Security 3.1.
Thanks and regards.
Here is how I solved this:
I created a subclass of SavedRequestAwareAuthenticationSuccessHandler and added a property called temporaryTargetUrl, which is set to "/account/quickview". When the class's onAuthenticationSuccess is called, I obtain the principal and the account id from the principal. At this moment, I append "/account_id" to temporaryTargetUrl and call the super:
    super.setDefaultTargetUrl(this.temporaryTargetUrl + "/" + account.getId());
Note that getDefaultTargetUrl of SavedRequestAwareAuthenticationSuccessHandler is not available outside Spring's package, which is why I created temporaryTargetUrl in the first place.
Please feel free to comment.
Thanks!
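As an added example (not the asker's code), here is a variant of the same idea that computes the redirect URL per request instead of calling setDefaultTargetUrl on the handler. The success handler is a singleton shared by all logins, so mutating its defaultTargetUrl between two concurrent logins can send one user to another user's account page; building the URL locally and handing it to the redirect strategy avoids that. The id is taken only from the authenticated principal, never from a request parameter. AccountPrincipal is a hypothetical principal type, since the page does not show the real one; the handler extends SimpleUrlAuthenticationSuccessHandler, which gives the same always-redirect behaviour as alwaysUseDefaultTargetUrl="true".

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

/**
 * Redirects each user to /account/quickview/{id} after a successful login.
 * The URL is computed per request, so no shared handler state is mutated and
 * concurrent logins cannot observe each other's account id.
 */
public class AccountQuickviewSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    private static final String BASE_URL = "/account/quickview";

    /** Hypothetical principal type exposing the account id; stands in for the application's own class. */
    public interface AccountPrincipal {
        long getAccountId();
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // Remove the authentication exception left in the session by a previous failed attempt.
        clearAuthenticationAttributes(request);

        Object principal = authentication.getPrincipal();
        if (!(principal instanceof AccountPrincipal)) {
            // Unknown principal type: fall back to the plain overview page.
            getRedirectStrategy().sendRedirect(request, response, BASE_URL);
            return;
        }

        // The id comes from the authenticated principal only; a request parameter
        // would let a user choose which account page they are sent to.
        long accountId = ((AccountPrincipal) principal).getAccountId();
        getRedirectStrategy().sendRedirect(request, response, BASE_URL + "/" + accountId);
    }
}
```

Wire it as the authenticationSuccessHandler of the form-login filter in place of the SavedRequestAwareAuthenticationSuccessHandler bean from the question; if the saved-request behaviour is still wanted, the same per-request computation can be done before delegating to super.onAuthenticationSuccess when no saved request exists.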
You can save the account ID into the Spring Security session object and retrieve it when the quickview URL is called.
To redirect to the URL, add the following property into the customAuthenticationSuccessHandler bean:
    <property name="authenticationSuccessHandler" ref="successHandler" />
and create the successHandler bean:
    <bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/account/quickview" />
        <property name="alwaysUseDefaultTargetUrl" value="true" />
    </bean>
regards

Spring LdapAuthentication and Load roles from local database

I have Spring Security configured to authenticate against an LDAP server.
    <security:authentication-manager>
        <security:ldap-authentication-provider user-dn-pattern="uid={0}" />
    </security:authentication-manager>
After authentication I want to load roles from local database for the same user. How can I load local database roles using "ldap-authentication-provider"?
If I add a second authentication provider as below:
    <security:authentication-manager>
        <security:ldap-authentication-provider user-dn-pattern="uid={0}" />
        <security:authentication-provider ref="daoAuthenticationProvider" />
    </security:authentication-manager>
daoAuthenticationProvider is added, but Spring does not use the second provider when the first provider authenticates the user. Only if the first provider fails to authenticate does it go to the next one in the list.
So basically it looks like we have to customize
    <security:ldap-authentication-provider user-dn-pattern="uid={0}" />
to load roles from the local database.
Any suggestions? How should this be implemented?
An authentication provider must deliver a fully populated authentication token on successful authentication, so it's not possible to use one provider to check the user's credentials and another one to assign authorities (roles) to it.
You can however customize an ldap auth provider to fetch user roles from database instead of the default behaviour (searching for the user's groups in ldap). The LdapAuthenticationProvider has two strategies injected: one that performs the authentication itself (LdapAuthenticator), and another one that fetches the user's authorities (LdapAuthoritiesPopulator). You can achieve your requirements if you supply an LdapAuthoritiesPopulator implementation that loads roles from database. In case you already have a UserDetailsService working against the database, you can easily integrate that by wrapping it in a UserDetailsServiceLdapAuthoritiesPopulator and injecting it in the LdapAuthenticationProvider.
Since this configuration is rather uncommon, the security xml namespace doesn't provide tags/attributes to set it up, but the raw bean config isn't too complicated. Here is the outline:
1) I suppose you have an ldap-server somewhere in your config. It's important to assign an id to it, which will allow us to reference it later.
    <security:ldap-server url="..." id="ldapServer" .../>
2) From the authentication-manager section, you will only refer to the customized provider:
    <security:authentication-manager>
        <security:authentication-provider ref="customLdapAuthProvider"/>
    </security:authentication-manager>
3) Now, the essential part:
    <bean id="customLdapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg name="authenticator">
            <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <constructor-arg name="contextSource" ref="ldapServer"/>
                <property name="userDnPatterns">
                    <list>
                        <value>uid={0}</value>
                    </list>
                </property>
            </bean>
        </constructor-arg>
        <constructor-arg name="authoritiesPopulator">
            <bean class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
                <constructor-arg name="userService" ref="userService"/>
            </bean>
        </constructor-arg>
    </bean>
The authenticator is basically the same as the one that would be created by the namespace config. (Note the contextSource attribute referencing the ldap server.)
The authoritiesPopulator is a simple wrapper around your userService implementation which is supposed to be defined somewhere in your config.
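The answer mentions supplying your own LdapAuthoritiesPopulator when no UserDetailsService exists yet. As an added example (not the answerer's code), here is one that reads roles from a local table with JdbcTemplate; it can replace the UserDetailsServiceLdapAuthoritiesPopulator in the authoritiesPopulator constructor-arg above. The table user_roles(username, role) is a constructed schema for this example; the role names are assumed to be stored without the ROLE_ prefix and the usernames in lower case.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/**
 * Loads a user's roles from a local database after the LDAP bind has succeeded.
 * Assumed schema (constructed for this example): user_roles(username, role).
 */
public class JdbcLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Bind parameter, never string concatenation: the username is user-supplied input.
    private static final String ROLE_QUERY = "SELECT role FROM user_roles WHERE username = ?";

    private final JdbcTemplate jdbcTemplate;

    public JdbcLdapAuthoritiesPopulator(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
        // LDAP matched the uid case-insensitively; the database column is assumed
        // to hold lower-case names, so normalise before the lookup.
        String key = username.toLowerCase(Locale.ROOT);
        List<String> roles = jdbcTemplate.queryForList(ROLE_QUERY, String.class, key);

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(roles.size());
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.trim()));
        }
        // A user known to LDAP but absent from user_roles gets an empty set and is
        // therefore denied by every ROLE_ based access rule; no default role is granted.
        return authorities;
    }
}
```

The userData argument carries the user's LDAP entry and is available if an attribute from it (for example the DN or an employee number) is a better join key than the typed username.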