in a project for my internship I have a spring boot application that manages some products, orders, and users.
I chose to use keycloak for authentication and authorization I achieved a good part of the job but now I'm facing a problem that makes the whole usage of keycloak in such a project a question.
So briefly the user authenticates in keycloak and I got the token in spring I extract the Infos and if the user is not in my database (the one related to spring which is different from keycloak database ) I create a new one but now when I'm thinking if a user is deleted from keycloak it will remain in my application database and even the update of users is gonna be difficult.
So my question is should I continue searching for a solution (calling keycloak endpoint from spring is one of them but still thinking about it ) or just go for a JWT implementation .
I chose keycloak cause it's a tested solution and got many features that are easy to use if I needed them in the future but now I got these problems with it.
THANKS for the help !!
Have you considered to configure Keycloak with a custom provider (external user database)?
Something like that: https://www.baeldung.com/java-keycloak-custom-user-providers.
This way, your spring services keep complete control over users database.
Related
How would I achieve Spring Boot + Keycloak authentication with PostgreSQL database having users and user role tables already built from the Django application?
configure Keycloak to use your existing database (plenty of answers / articles / doc on the subject)
configure Spring API applications as resource-servers
configure UI applications as OpenID clients (with a help of an OpenID client lib)
Let me understand your scenario first.Then maybe I or someone else can help you. Do you have a set of users and user roles in an existing system that is built using Django application and Postgres DB ? And you want to use the same database as your keycloak database in a Spring Boot + Keycloak authentication system ?
Keycloak generally as it's own structure for database management. You can't just use any existing database used on another authentication system that doesn't follow the exact same ways like keycloak. IMO, what you can do is migrate your existing users and user role data in keycloak database using any migration script or api. Keycloak has a hell lot of apis for almost all sorts of needs. This link has a lot of api examples. You can also follow their api documentation.
there is my application in which I am using Angular on the UI side and on the API side I have a spring boot app and for managing users- using the AWS Cognito user pool. currently, I am able to connect with my user pools in my application, which means I have manually implemented the verification, decoding, and filtering id tokens and access tokens based on role manually. but I want to use the spring oauth2 feature to do the same and want to remove manual verification and boilerplate code.
can anyone help me please to provide the steps how can I achieve it, if you know certain steps,
it will be really helpful for me.
Is it possible to forget the authentication, jwt login stuff and security for now and implement it later?
I choosed java for my restful service back-end for my game, but i'm having such a hard time setting up a simple login system with a mysql database, jwt authentication and spring boot. I followed a great tutorial, but it's only concerning Spring boot, not JWT security.
I would like to move forward and implement the security later if possible.
Right now i just gave up and i'm doing simple apis with just spring boot based on this architecture : https://github.com/djdjalas/SpringBootIn50/tree/master/src/main/java/com/yourname, i replaced the fake data with jdbc calls to the mysql database. Is it ok? Will it be hard to implement autentication later when i will have many services?
Thank you.
Spring Security itself is hard to understand and master in the way it should be done as it requires more understanding of the processes behind its configuration. Anyway, if you get familiar with it you won't have serious difficulties here. There will be no major changes to your code. You'll end up generally with one more configuration class/file and this is it.
Can't say anything about JWT but don't think it will be a problem either.
Our project consists of Java back end(spring web application) and iOS and Android client applications. Now we need to add an authentication for client applications to Java back end. The idea is to register user for the first time using an external web service. At this step user provides full credentials(login and "big" password) and chooses some PIN for further authorization. After that primary step is complete successfully, user should be able to authenticate using his login and PIN(which he chose previously himself). Those login and pin should be stored in our DB. We should also be able to destroy that "session" and PIN whenever is necessary. We expect web application to have up to 10 000 registered users with up to 1000 users being online simultaneously.
We also don't plan to use any separate Authentication server, we plan to embed security into web application(back end) itself.
I've been investigating 2 different approaches. First is usual spring #EnableWebSecurity approach. This seems pretty straight forward, but some people say it will create "sessions", which are bad for the server. Session will consume lots of memory, and overall impact on performance will be bad. Is it true?
The other approach is to use Spring Oauth2 implementation. I didn't have time to study it properly, this seems to be a little bit of an overkill to me. Is it worth to study for our needs? (we are running out of time btw).
I also need to have some proper DB sctructure for the security needs.
So the question is, what is the best approach for our situation? Are there any open source projects, solving similar issue? I would appreciate any help.
Thank you.
Whatever technology you use for authentication, you will require sessions to maintain the state of authenticated user. You can use Spring security alone or with Oauth2 .
I'll suggest for simplicity you can go with Spring Security with Token functionality.
However you can find an good blog over Spring Security and Oauth.
Securing REST Services with Spring Security and OAuth2
For more clarification you can also visit here
Sessions should only take up allot of memory if you were to store large amounts of data in the session. So long as you don't do that there won't be any problem. You will need to make your own authentication decision based on your acceptable levels for security and user experience, there is no one 'right' answer. Spring security and sessions have already been talked about here How can I use Spring Security without sessions?.
I need to make simple CRUD application with user registration and authentication using Spring boot, but I have some trouble figuring out how to do this right. I have created user table at RDMS and set up Redis for storing user sessions as explained here.
At Spring boot docs it's said that
If Spring Security is on the classpath then web applications will be
secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository intefaces and after starting my application I can GET it's data using browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked if Spring Security is on the classpath with gradlew dependencies command and it appears to be there:
Also default user password that should be displayed during application start up does not show up. So maybe I am missing something here?
Also I am not sure if that would be the best option for mobile app because it possibly uses short-living tokens. There are several other options, among which using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using approach that was used in Angular web app and finally stateless authentication with OAuth 2.0. Directly in opposite to author of Angular web app tutorial who claims
The main point to take on board here is that security is stateful. You
can’t have a secure, stateless application.
So how do we need to pass token? How long should it live? Do we need to make additional XSRF token or not? Should we use out of the box solution or implement own one? Can we make it stateless?