Spring Security - Add TAN system - spring

I'm using Spring Security 3.04 to authenticate the users of my system using 3 Roles, while all of them are allowed to access something like a landing page.
From this landing page, there should be another system which can only be accessed by one Role and by a TAN-authenticated user.
So my question is: What would be the best way to add a third login attribute to Spring Security? Or is there a way to store attributes within the security context?
Or is there any other way to add multi-level authentication to my application using Spring Security?
Thanks in advance for any help!
Best regards,
Robert

There is an excellent walkthrough on how to integrate an external authentication mechanism here:
http://blog.springsource.com/2010/08/02/spring-security-in-google-app-engine/
That should get you on the right track.
Grant

Related

Quarkus Security : Impersonate User

I am currently using Quarkus in combination with "quarkus-security-jpa" to realize a form-based authentication. No problems here so far. I now got another requirement to enable user impersonation in my app. For example, the admin can impersonate user A to get the same access rights and see the same data. In Spring I would use the SwitchUserFilter for this feature.
Now to my question. Does Quarkus have a similar function? And if yes, how can I use it? Does anybody have an idea how to realize this feature in Quarkus?
Best regards and thanks in advance

Standard way to implement login or signup in Spring

I have to implement a login authentication & user registration feature for my product.
What is the standard and effective way of doing this using Spring which would provide standard security (meaning nothing super fancy, but nothing easy to get around as well)?
As this has been done so many times, there has to be a standard way to achieve this?
The implementation should include:
- user registration form after registering through G+ or FB etc.
- login form
- storing user profiles, passwords, preferences in some backend DB or system
- role management: different roles, e.g. admin would have access to all etc.
Standard: that which can be put in production.
I found too many things scattered all around the net, and although this seems like a broad topic it's difficult to get started with, especially when this is going straight into production and not as a hobby project. The tutorials are always good to get started, however they are a starting point only. I want to know what's the best route or path that can be used for a product in production.
Securing a web application is not a small topic, so you will need to read some tutorials.
You'll find quick and easy-to-understand guides (with working examples)
at the Spring Boot guides web site.
Spring Boot guides
Securing web application
JPA for your hibernate requirement
If you want to go deeper you could read these great tutorials:
Spring security form login

Single Sign-on through Spring Security

I have a web portal built with Spring Security 3.X. My web portal has links to external web applications, also built with Spring. I'd like to know if there are any working examples or code snippets on how I can automatically POST users' login credentials from my portal to my external web applications in order to simulate SSO.
I assume you are not looking for an SSO solution for which you could use http://projects.spring.io/spring-security-saml/ with OpenAM/OpenSSO.
In your case you could use the AbstractPreAuthenticatedProcessingFilter; here is the documentation:
http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#preauth
Here is a practical example I found:
PreAuthentication with Spring Security -> Based on URL parameters
Answering my own question:
The solution was to create a table in the DB containing username, password, and application name.
On the click event of a link, the controller checks if the user has a record in the table with the corresponding application name; if so, the user's credentials are pasted into the form and it is submitted automatically.
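As an added example of the AbstractPreAuthenticatedProcessingFilter route mentioned in the first answer (this is not code from the question or from either answer): instead of the portal re-posting a stored password, it hands the user over with a short-lived token that carries only the username and an expiry, signed with HMAC-SHA256 under a key shared by the portal and the external application. The filter below, on the external application's side, verifies the signature and expiry and returns the username as the pre-authenticated principal; PreAuthenticatedAuthenticationProvider then loads the UserDetails as usual. The class name, the parameter name portalToken, the token layout and the shared key are assumptions for the example; it needs Java 8 and Spring Security 3.1 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Added example, not from the original post. The portal hands the user over with
 *   base64url(username + "|" + expiryEpochSeconds) + "." + base64url(HMAC-SHA256 over the first part)
 * (assumed layout). No password ever leaves the portal.
 */
public class PortalHandoffPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    private static final String TOKEN_PARAM = "portalToken";   // assumed request parameter name
    private final byte[] sharedKey;                            // shared between portal and this app

    public PortalHandoffPreAuthFilter(byte[] sharedKey) {
        this.sharedKey = sharedKey.clone();
    }

    /**
     * Returning null tells the base class to make no authentication attempt for this
     * request, so requests without a (valid) token fall through the chain unchanged.
     */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String token = request.getParameter(TOKEN_PARAM);
        if (token == null) {
            return null;
        }
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2) {
            return null;
        }
        byte[] payload;
        byte[] presentedMac;
        try {
            payload = Base64.getUrlDecoder().decode(parts[0]);
            presentedMac = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        // Check the signature first, in constant time, before trusting any field of the payload.
        if (!MessageDigest.isEqual(hmac(payload), presentedMac)) {
            return null;
        }
        String[] fields = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
        if (fields.length != 2) {
            return null;
        }
        long expiry;
        try {
            expiry = Long.parseLong(fields[1]);
        } catch (NumberFormatException bad) {
            return null;
        }
        if (Instant.now().getEpochSecond() > expiry) {
            return null;   // stale hand-off: a replayed link must not log anyone in
        }
        return fields[0];  // the username; PreAuthenticatedAuthenticationProvider loads the UserDetails
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A";      // the portal already checked the password; nothing to re-verify here
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(sharedKey, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }
}
```

Wire the filter in the external application with an AuthenticationManager (ProviderManager) holding a PreAuthenticatedAuthenticationProvider whose preAuthenticatedUserDetailsService is a UserDetailsByNameServiceWrapper around the application's own UserDetailsService, and register it in the namespace with custom-filter position="PRE_AUTH_FILTER". Have the portal send the token in a POST body rather than the query string so it stays out of access logs and Referer headers, and keep the expiry short (a minute or so); if replay inside that window matters, add a nonce to the payload and remember consumed nonces until they expire.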

Session management functionality in jsf project

I am a beginner programmer and want to know how session management and login/logout functionality can be incorporated in a JSF project. Right now I can authenticate users from a table in the database, but typing the direct URL of the pages in the browser takes any anonymous user to the requested page. I want only authenticated users to access the pages while their sessions are active. How is this done, and what exactly do I need to study to get this functionality in my application?
bundles of thanks in advance.
I suggest looking at something like Seam Security: http://seamframework.org/Seam3/SecurityModule
I was able to resolve this issue. There was a statement in my HibernateUtils class,
session.close(), which was commented out; this is now working as expected after removing that comment.
Thanks for your help.

Extending the Spring Security Login Process

Currently I have a custom form login page in Spring Security 3 that sends its form data to the correct authentication url.
However now I need to extend the process to support security questions after logging in but before hitting the rest of the site.
I have a few options from reading the documentation, but I'm confused as to the correct option to choose.
Option 1: Keep the current login system and set a special role that only lets the user access the security questions page. If they pass through the security questions process successfully, add their correct roles into the security context.
Option 2: Subclass AbstractAuthenticationProcessingFilter and do security questions as a part of the login process. This seems more Spring-like, but I'm stuck on how to support the multiple pages for the questions without breaking the rest of the authentication framework.
What about this approach:
1. When a user submits her username/password, save them into her session.
2. Redirect her to your questions.
3. When she is finished answering your questions, see if you want to let her log in.
3.1. If yes, POST her saved credentials so that they can be caught and processed by the Spring Security filter chain.
3.2. If no, take her back to the login page. (Or whatever you want to do in this case.)
I ended up using Option 1. #craftsman's answer doesn't fit since the questions are specific per user. It's actually worked out really well.
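Option 1, which the asker settled on, is also the shape of the TAN question that opens this page: a normal form login, then a second step that the user must pass before the protected part of the site opens up. The following is an added example (not code from either thread) of how that looks with Spring Security's own types. A TAN is verified in constant time against the user's list of unused TAN hashes, consumed on success, attempts are capped, and the Authentication in the SecurityContext is then replaced by one that carries the user's real roles plus an extra ROLE_TAN; the protected system is gated on that role. The optional GatingUserDetailsService is for Option 1 proper, where nothing but the second-step page should be reachable after the password login. Role names, the in-memory TAN store, the attempt limit and the class names are assumptions; the code needs Java 8 and Spring Security 3.1 or later (on 3.0.x replace SimpleGrantedAuthority with GrantedAuthorityImpl).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

/** Added example: a second authentication step (TAN) layered on a normal form login. */
public class TanStepUp {

    public static final String ROLE_TAN_PENDING = "ROLE_TAN_PENDING"; // assumed role names
    public static final String ROLE_TAN = "ROLE_TAN";
    private static final int MAX_FAILURES = 3;                        // assumed attempt limit

    /** Optional (Option 1): password checking is unchanged, but the login only yields the pending
     *  marker, so nothing except the TAN page is reachable until completeStepUp() succeeds. */
    public static class GatingUserDetailsService implements UserDetailsService {
        private final UserDetailsService real;
        public GatingUserDetailsService(UserDetailsService real) { this.real = real; }
        @Override
        public UserDetails loadUserByUsername(String username) {
            UserDetails u = real.loadUserByUsername(username);
            return new User(u.getUsername(), u.getPassword(), u.isEnabled(), u.isAccountNonExpired(),
                    u.isCredentialsNonExpired(), u.isAccountNonLocked(),
                    Collections.singletonList(new SimpleGrantedAuthority(ROLE_TAN_PENDING)));
        }
    }

    /** Verifies and consumes a TAN, then swaps in an Authentication with the real roles plus ROLE_TAN. */
    public static class StepUpService {
        private final UserDetailsService real;
        // Constructed store for the example: username -> SHA-256 hex of each not-yet-used TAN.
        private final Map<String, Set<String>> unusedTanHashes;
        private final Map<String, Integer> failures = new ConcurrentHashMap<>();

        public StepUpService(UserDetailsService real, Map<String, Set<String>> unusedTanHashes) {
            this.real = real;
            this.unusedTanHashes = unusedTanHashes;
        }

        public boolean completeStepUp(String submittedTan) {
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            if (current == null || !current.isAuthenticated() || hasAuthority(current, ROLE_TAN)) {
                return false;                       // no first-factor login, or already stepped up
            }
            String username = current.getName();
            if (failures.getOrDefault(username, 0) >= MAX_FAILURES) {
                return false;                       // TAN guessing: stay locked until cleared out of band
            }
            Set<String> tans = unusedTanHashes.getOrDefault(username, Collections.<String>emptySet());
            byte[] submitted = sha256Hex(submittedTan).getBytes(StandardCharsets.US_ASCII);
            String matched = null;
            for (String h : tans) {                 // visit every candidate; each compare is constant time
                if (MessageDigest.isEqual(h.getBytes(StandardCharsets.US_ASCII), submitted)) {
                    matched = h;
                }
            }
            if (matched == null) {
                failures.merge(username, 1, Integer::sum);
                return false;
            }
            tans.remove(matched);                   // a TAN is single use
            failures.remove(username);
            // Reload the real roles from the user store instead of trusting anything kept in the
            // session, add ROLE_TAN, and keep the details (remote address, session id) of the login.
            UserDetails full = real.loadUserByUsername(username);
            List<GrantedAuthority> elevated = new ArrayList<GrantedAuthority>(full.getAuthorities());
            elevated.add(new SimpleGrantedAuthority(ROLE_TAN));
            UsernamePasswordAuthenticationToken next =
                    new UsernamePasswordAuthenticationToken(full, null, elevated);
            next.setDetails(current.getDetails());
            SecurityContextHolder.getContext().setAuthentication(next);
            return true;
        }
    }

    static boolean hasAuthority(Authentication auth, String role) {
        for (GrantedAuthority a : auth.getAuthorities()) if (role.equals(a.getAuthority())) return true;
        return false;
    }

    static String sha256Hex(String s) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Call completeStepUp() from the controller behind the TAN form and redirect to the protected area on true. With use-expressions="true" in the http element, the TAN question from the top of the page maps to an intercept-url such as access="hasRole('ROLE_X') and hasRole('ROLE_TAN')" for the inner system while the landing page keeps its ordinary role rules; for Option 1 proper, register GatingUserDetailsService with the form login, point default-target-url at the TAN page, and give that page access="hasRole('ROLE_TAN_PENDING')" so nothing else is reachable first. SecurityContextPersistenceFilter writes the replaced Authentication back to the HttpSession at the end of the request, which is what makes the new roles stick for the rest of the session; a production TAN store should delete the used TAN with a compare-and-delete so two concurrent submits cannot both succeed.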
