Current Model
I have one Angular application that calls a Java rest service (not a spring boot application) that have multiple rest end points. Initially the login will be called using username and password to acquire a JSESSIONID and this id will be passed in Authorization header of all subsequent rest calls.
New Model
Now I need to change the login scenario using Azure AD.
Angular will call the AAD login and this is working by registering the app as a SPA in Azure. Now how to implement the Rest calls flow using the token.
Do I need to register the Rest API also in Azure?
Is there a way to validate the token in java back end manually.?
Rest application Java - most of the samples uses Spring or spring boot. Is there any samples other than spring / spring security.
I would say that the best practice is to register the API and UI as a separate application in Azure AD.
You will have to grant the web application permissions to the web API and request an access token for it. Here is a good reading (the article is about Azure AD B2C, but it is the same for Azure AD):
Configure authentication in a sample single-page application
Related
I need to build microservice architecture like in the image. The question is how do I must authenticate users in resource service using keycloack. Do I must to get the token from UI app and add this token manually in the app or there is some automatic method using spring app to get info from the resource service?
If I need to add it manually then how can I get this token inside the app?
Keycloak provides spring security integration module. It renders login form for your UI application that authenticates user against keycloak. The token is stored then in session. Keycloak plugin is responsible to validate the token against keycloak server.
https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/java/spring-security-adapter.adoc
We are designing an application which can be accessible via both mobile app and web app.
Mobile app will get data using exposed REST API (we are using CXF). For web app, we are using Spring MVC, it will also get data from REST API. In both cases, we want to show data for the authenticated users. For authentication, we are using JWT token.
My question here is we are offering two ways of accessing data via REST or web, and both need authentication. How can we reuse our security code in both components.
URL for web component
http://localhost:8080/web/resource/
URL for REST API component
http://localhost:8080/rest/resource/
URL for authentication
http://localhost:8080/auth/
Initially, we thought of having two different filters for each component, i.e. web and REST. From each of them we'll make a REST call to authentication API for validating the token. One doubt with this approach is if user going through web, then with this design we are validating token twice. So the better would be calling to the authentication API from REST API, avoiding it in web because rest api will always going to make authentication call.
Is there any other better way to do the same?
I am using some angular ui routing in some places, and I wanted the java server to not control some of the urls.
Perhaps it makes more sense to run the java app elsewhere? The reason I have the angularJS in the same url is because there are some authentication checks for my springboot app. So I want most URLs controlled.
But there's a few where I may want to control the authentication----but not the templating.
I think my problem is my Spring Boot code is trying to use velocity, when some of those URLs should just forward to AngularJS routing.
So a URL=/myreport/
--> goes to Java 404 error, instead of just forwarding to Angular UI Routing
--> But in some cases, Java should return 404/500/403 et al
Is there a way to do like a RestController that just forwards to AngularJS after authenticating? or to disable velocity??
This would probably be more straightforward if you limit your Spring Boot code to just doing authentication and providing an API, and implement all of your UI in the Angular app.
You can then still use Spring Security to control access to the API.
On the Angular side, you can use AuthGuards in your routes to control access to parts of your UI based on the user's role.
To get a nice, clean separation, it is helpful to use token-based authentication instead of, say, Form-Based or Basic authentication. That way, the Angular app can present the login UI, and make a REST call to the Spring Boot app to log in, and get a token back, which is used on subsequent calls.
If you use JWT, you can have the back-end produce a token that includes the users' role, and then read that in the Angular app.
I recently wrote a 2-part blog post showing how to create an Angular 2 app with a Spring Boot back-end using JWT.
See http://chariotsolutions.com/blog/post/angular-2-spring-boot-jwt-cors_part1 and http://chariotsolutions.com/blog/post/angular-2-spring-boot-jwt-cors_part2
I want to create a REST API on Java Servlet for user authentication using simple Oauth and JSON. When the user login correctly, it will generate a unique access token. The token will be used as a representation of user session state. Then, the token will be used when the user access certain pages.
Can you give me an example or reference link?
You can implement this API that is used for security systems
http://shiro.apache.org/webapp-tutorial.html
You can use JHipster project. This generator of Web application generate a backend with Spring MVC, Spring Core, Spring Security and Oauth Token.
Exemple of Web site generate by JHipster: http://www.tests-psychotechniques.fr
I have a web application that contains ui based on jsf 2.0 and a set of rest apis.
The ui side of the application is accessed from a browser and rest apis are invoked from a mobile app.
For the authentication for the UI is managed by jsf , (no form nothing, jsf manages everything). Now, I want the user to be authenticated before he/she can access the rest apis.
Can I set up the web application to have Basic authentication so that I can set the username and password in the header when calling the rest apis?
You will need to have a security filter for your web application. (this can be done with spring security - Integrating Spring security with JSF 2 )
The user will have to pass a username and password to your application.
Then, you just need to configure your rest api to work with basic authentication. Since basic authentication is a HTTP feature, every time you call the rest service, you will need to pass the username/password in the request.