I have a spring boot application with a MySQL database which is designed to store information about doctor appointments.
Let's say that I have an endpoint at localhost:8080/visit/{id} which is secured as such that only authenticated users with group claims of patient and doctor can access it.
How can I integrate an okta user who is a doctor or a patient, which I use to log in with with this database table relationship?
I thought of storing the user data in a local table on login based on the user claims, but it duplicates the users stored in okta which seems pointless.
Maybe it's not a bad idea to store the user data in a local table on login based on the user claims since you might need to correlate some other info for this user, which might not be convenient to use Okta user only.
Related
So, I have three users in my oracle database: user_role, admin_role, provider_role. They have access to execute different procedures. Also, I have a Spring boot app with a login page. How can I change my connection to the database according to the database role?
In your data model, you should introduce a concept called permissions and roles. A role can hold multiple different permissions. You don't need three different tables like user_role, admin_roles, and provider_role. Just create a single table for users, another tables for roles and permissions. For every user there will be at least one role and each role can hold multiple permissions.
Your SpringBoot application should have an authorization layer. All the execution path should goes through this authorization layer. All your model(DB) layer access, constrained with the permissions allowed for different type of users. That gate keeping task is going to be taken care by your authorization layer in your service.
I use keycloak server for Authorization. I create my user in my database and in keycloak.
Now I need to delete user from my database when user is deleted in keycloak.
My server is written by Java.
How can I get event from keycloak to my server when user is deleted or updated in keycloak?
I think you are better off using Keycloak User Storage SPI feature:
You can use the User Storage SPI to write extensions to Keycloak to
connect to external user databases and credential stores. The built-in
LDAP and ActiveDirectory support is an implementation of this SPI in
action. Out of the box, Keycloak uses its local database to create,
update, and look up users and validate credentials. Often though,
organizations have existing external proprietary user databases that
they cannot migrate to Keycloak’s data model. For those situations,
application developers can write implementations of the User Storage
SPI to bridge the external user store and the internal user object
model that Keycloak uses to log in users and manage them.
In this way you do not need to have some callback mechanism that is trigger whenever a user gets deleted, updated or whatever. You just configure your DB as an external user DB to be used by Keycloak. Moreover, you can configured it so that whenever a user gets add, deleted, or update it reflect immediately on your DB. This approach is easier to implement, cleaner, more maintainable and performance- and memory- wise better.
please check this example KecyloakEventExample
I hope it will be useful
I'm using HSQLDB (locally) in order to store and display some data in an application. Now, I want to create an administration app where I can manage these data. For this, I need a login page.
I was wondering what was the best way to do so? I noticed that HSQL is using a login system but I don't really know how it works. Is it meaningful to use it or rather make a custom login system by creating a table in the database and checking-in when the user is logging?
In HSQLDB there are database USERs that can have different ROLEs. Each USER or ROLE can have its own level of privileges. See the Guide http://hsqldb.org/doc/2.0/guide/accesscontrol-chapt.html
It is a good idea to use the USER with the DBA role solely for admin tasks. For general application access, you should create a USER and grant it a different ROLE without the DBA privileges.
As each USER has its own password, the password for admin USER should be different from the non-admin USER.
I'm new to Spring Roo and would like to know how to implement user authentication and authorization. I followed the tutorial and focused on Spring Security but it doesn't really do what I want. I'd like to present the user with a login page where they enter their email and password. The email and password will then be compared to a 'User' table in MySQL and if it exists, present the user with a different user interface depending on the 'role' attribute in the table (e.g, a doctor user has a different user interface and a patient user has a different interface). What would be the proper steps to doing this?
I can connect to MySQL fine, I'm just not sure how to go about creating the login page and creating some kind of active session.
Chapter 8 in this book (highly recommended!) goes into some detail how to set up spring security using a database in spring roo. Reading that chapter will also show you how to customize the UI based on the role. Alternatively, this blog gives some pointers in setting up a database for credentials with roo.
If you want more than just customizing the UI based on the role, for example, if you want to redirect users based on their role to different parts of the site after login, then this link presents two options.
I'm building a Google App Engine for Java app using Federated login.
When a user has logged into my app using an OAuth provider I get a User object back [http://code.google.com/appengine/docs/java/javadoc/com/google/appengine/api/users/User.html].
I want to persist a link to that user in the datastore. However, what do I use as the unique key? Is it the getFederatedIdentity() or getUserId() ? There is hardly any JavaDoc on either. Obviously when a user subsequently logs into my app I want to retrieve the Object I have saved to the datastore.
I understand the federatedIdentity field, which I understand should always be populated (I only allow federated logons). However, if that's the field to use to link my details to the logged on user, then Google leaves this empty when testing on the local server... so that wouldn't be much use.
What is the getUserId field - how does Google set it? Will it guarantee to stay the same if the user's federated identity stays the same?
Thanks a lot
From the Users Java API Overview
While a user is signed in to an app, the app can access the account's email address or OpenID identifier for every request the user makes to the app. The app can also access a user ID that identifies the user uniquely, even if the user changes the email address for her account.
sounds like getUserId() is the best choice.
You don't need to store either - you can store the User object directly in the datastore. See here for a list of supported object types.