I've a Java Spring Web application (no Spring Boot) with a "standard" authentication mechanism using database user credentials (It uses Spring Security lib).
Now I need to know if is it possible to include a second auth method with an external Identity Provider and a SSO login.
For example: A user with a specific e-mail domain ex: userX#domain1.com, login with his DB credentials but another type of user (ex: userY#domain2.com) need to be able to login against an external IDP.
I've already developed a bunch of application with Spring Security SAML lib with ADFS or OpenAM but that was the only login method for all the users.
If is it possibile, how I need to setup the Spring Security Configuration in order to achive this? Maybe I should use a multi-provider config?
Thanks.
Supporting multiple authentication mechanisms can be achieved by checking the user domain and redirecting to your own service that supports UserNamePassword based DB authentication or redirecting to the SSO service.
And for configuring Spring Security, you can create separate implementations extending
org.springframework.security.authentication.AuthenticationProvider
Checkout this link that guides on how to implement multiple authentication mechansism
For SSO specificly, you have to configure a redirectURL with the SSO provider, that internally calls your API with the SAML response.
SSO with spring security
Related
I have a java application running on wildfly server, that uses ejbs and Servlet HttpSecurity. There is no Spring Boot implemented. I am working on a task where access control of the application must be handled by Okta. Basically when user hits the url to access the application, they must be redirected to Okta log in page, where they provide the credentials. And after authentication, user can access the app.
Is there any way this task can be done without using Spring Boot?
I tried https://github.com/okta/okta-auth-java#usage-guide but it requires username and password to be provided in the code itself which is not the requirement.
I've got a spring-boot app that authenticates with OIDC (oauth2) and I'm trying to get a list of all the users from the authorization server - how should I implement this using spring?
Spring Security OAuth2 doesn't have an API for expressing a user repository. It does have a UserDetailsService interface, but you'll note that it only has the loadUserByUsername method.
If you are building an OAuth 2 authorization server, you could take a look at Spring Data and Spring MVC to expose a query endpoint (using Spring Security to secure that endpoint).
If you are building an OAuth 2 resource server or client that is talking to a third-party authorization server, you could take a look at RestTemplate or WebClient to formulate whatever proprietary query your authorization server wants since like #Ronald said, there is no OAuth 2.0 standard for querying users.
When a user signs in into his identity provider his personal information can be accessed by the claims the identity token contains. Or by approaching the userinfo endpoint.
There is no endpoint which returns all the users from the authorization server according to the OIDC standard.
I have a Spring Boot API application which require users to login in order to consume the API.
The login step is an API say /api/login is publicly accessible and once user called this API and authenticated, an HTTP session is created with the name "USER_PROFILE" and an object containing user info and stored in the session
session.setAttribute("USER_PROFILE", userProfile).
What I want to do is to integrate with Spring Security, API other than /api/login Spring Security will automatically check if the session "USER_PROFILE" has existed in the session and if no, a 403 error will be returned.
Traditionally (without spring security) I will just create a web filter for the path "/api/*" and the filter will check the session. I am not sure for same logic using Spring Boot Security what is the best way to do so?
I have a spring boot web app with spring security integrated with LDAP authentication. This web app internally makes REST calls. These REST calls are having username-password authentication. This username-password is the same used by spring security. Is there anyway I can get the username-password authenticated by spring security, so as to use in the REST calls. If not this way, is there any other way to achieve this.
Thanks in advance.
There is a quite nice way that I think fit your case.
By default Spring Security does not store the password in memory after authentication has been made, so you need to change that. With Java config, add in configure(AuthenticationManagerBuilder) method:
auth.eraseCredentials(false);
Then you can get the username and password for the current user with:
String username = SecurityContextHolder.getContext().getAuthentication().getName();
Object rawPassword = SecurityContextHolder.getContext().getAuthentication().getCredentials();
Spring Security is performed based on the rule in the security properties.
This means that you just need to have spring-security enabled, the only problem is that if not authorised it will go to the Not Authorised Page which a Restful client will not understand. But if the Restful client has authenticated and been granted a valid session then it will be able to get past the Security_check and access the protected page.
I guess Spring security is working like AOP so each protected page has a Security_check crosscut that only allows access to the page if the authentication is there.
Anyway, I solved the problem writing a custom AuthenticationProvider, which will perform the LDAP authentication and get the username-password for the future REST calls.
I am new to spring security. My application is already using spring security to authenticate and authorize the user. Now i want to use the CAS authentication for the user to authenticate and the authorization to be done by my application only. I tried to configure my application by referring the below website:
https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security
But every time my application ends up with not invoking the CAS filter and goes to the default configured login page and not the CAS login page.
Is there any website or documentation by following it I will easily implement the CAS.
The Spring Security documentation is good: http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#cas