I am using spring and spring security in our application, and authentication is done through ldap. after authentication role is check with database, and according to role he was able access specific role pages. I want to add some disclaimer message in web app. after user log-in in application then disclaimer message is display. if user accept disclaimer then he will able to access application , else login window is displayed. Is there some way to call Spring handler , or maybe there is a better solution ?
We handle this scenario with an extra custom spring security filter.
e.g it checks if the disclaimer has been already accepted and if not redirects to a disclaimer page.
Related
I have implemented a Spring Boot application with AngularJS frontend. Have also setup users along with their permissions. Right now I am able to login with any of these users and is working well with Spring security. I would like to turn this traditional login flow into a Facebook/Google OAuth login flow, where in I want the users to use their Facebook/Google account to log in and they will be mapped to their internal users automatically. This will help me in getting rid of maintaining passwords of these users.
I found many articles talking about setting up OAuth with Spring Boot and how can Facebook/Google login be integrated with a Spring Boot application. But I am having difficulty in finding an article which talks about linking a Facebook/Google user with internal users.
How should I go about this?
Look for a user with the associated facebook/google userID.
If that user does not exist you request an email address and try to match it with an existing legacy account.
If you do not get a email adress for any reason (not acceping the authorization request for example) you could show a popup box asking for the email adress explaining why you need it.
You then locate the legacy user and merge it adding the facebook/google ID to look it up in the future.
If no user is found with the email adress you either refuse the user or create a new account.
you should be able to do all of this by implementing your own AuthenticationProvider
Before you can fetch a user’s data from Facebook, you must specify your application’s ID and secret by setting the spring.social.facebook.appId and spring.social.facebook.appSecret properties. You can set these via any means supported by Spring Boot, including setting them in an application.properties file:
spring.social.facebook.appId=233668646673605
spring.social.facebook.appSecret=33b17e044ee6a4fa383f46ec6e28ea1d
For reference you can follow this article: https://spring.io/guides/gs/accessing-facebook/
I am developing spring MVC application, in my project, i have login page where I can successfully log in, the problem is that if I open new tab and log in with different username it's logging in, means at a time in the same browser I am able to login in multiple users which I don't want ,I want my application to single user login per browser how to make it.
While rendering login page, you check authentication. If you are using Spring security, you can check for principal auth present or not. If auth is present render home page else render login page. I think this can solve your issue neatly.
I suppose that Spring Security session management is what you're looking for:
Spring Security is able to prevent a principal from concurrently
authenticating to the same application more than a specified number of
times. Many ISVs take advantage of this to enforce licensing, whilst
network administrators like this feature because it helps prevent
people from sharing login names. You can, for example, stop user
“Batman” from logging onto the web application from two different
sessions. You can either expire their previous login or you can report
an error when they try to log in again, preventing the second login.
For more information, read the following docs:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/session-mgmt.html
Control the Session with Spring Security
I have a web portal built with spring security 3.X. My web portal has links of external web applications also built with spring. Id like to know if there are any working examples or code snippets on how i can automatically POST users login credentials from my portal to my external web applications in order to simulate SSO
I assume you are not looking for an SSO solution for which you could use http://projects.spring.io/spring-security-saml/ with OpenAM/OpenSSO.
In your case you could use the AbstractPreAuthenticatedProcessingFilter, here the documentation:
http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#preauth
Here a practical example I found:
PreAuthentication with Spring Security -> Based on URL parameters
Answering my own question.....
Solution was to create a table in the db containing username,password,and application name..
On a click event of a link the controller checks if the user has a record in the table with the corresponding application name, if so the user credentials is pasted into the form and submitted automatically.
Currently I have a custom form login page in Spring Security 3 that sends its form data to the correct authentication url.
However now I need to extend the process to support security questions after logging in but before hitting the rest of the site.
I have a few options from reading the documentation, but I'm confused as to the correct option to choose.
Option 1: Keep the current login system and set a special role that only lets the user access the security questions page. If they pass through the security questions process successfully, add their correct roles into the security context.
Option 2: Subclass AbstractAuthenticationProcessingFilter and do security questions as a part of the login process. This seems more spring-like but I'm stuck on how to support the multiple pages for the questions with breaking the rest of the authentication framework.
What about this approach:
When a user submits her username/password, save them into her session.
Redirect her to your questions.
When she is finished answering your questions, see if you want to let her login.
3.1. If yes, POST her saved credentials so that they could be caught and processed by Spring Security filter chain.
3.2. If no, take her back to the login page. (Or whatever you want to do in this case.)
I ended up using Option 1. #craftsman's answer doesn't fit since the questions are specific per user. Its actually worked out really well.
How can I achieve such functionality in java ee (servlets, web.xml):
In database there are user credentials (username and password). All users that like to access my service should be prompted to login. When session expires user should be logged out and see login page again. All resources under my WEB-INF should be protected.
I read about user roles and realms, but this is not what I need. It limits users to defined in application container.
I'd like to provide my users functionality to register and login.
How can this be achieved in java ee? Can this be done by configuring web.xml ?
I tried servlet mapping on /* and authentication in servler (redirect to login page in case of session expiration) but it didn't worked for my static content (i.e. index.html)
Examples appreciated. Thanks for all answers.
Using google app engine and gwt.
You can use container based authentication like JDBCRealm for login/logout functionality but you have to implement the register functionality yourself. A simple CRUD-application for your user and group table in the database should be a good starting point.
If you use JSF, Tutorials for creating CRUD applications with JSF can be found here for Netbeans IDE.