I have been tasked with taking an existing Java Web application, using JSP, and add in Multi-factor authentication. We are using Microsoft ADFS. The trust relationship setup by our administrator looks like this:
I've tried using open source helper libraries such as Coveo/saml-client and Onelogin/java-saml. It may have been my understanding, but both proved to not work so well. No errors in the code, just when an error when submitting my request.
We have folks in Brazil who have successfully implemented the same, but they developed their application using Spring Boot and ulisesbocchio/spring-boot-security-saml. So I am trying to replicate that effort.
Using one of the sample applications from ulisesbocchio/spring-boot-security-saml and some of the configuration from our Brazil team, I have a spring boot application, but I am still receiving the same bland, generic ADFS error:
My AuthNRequest, as generated from the ulisesbocchio/spring-boot-security-saml is:
I think the error is caused by ADFS not finding the trust when I am using the Entity ID, or Relying Party Identifier, Mixing. I've also tried using http://machine name/Mixing with the same error.
Maybe this is not the issue, and if that is the case, then I have no idea where to look next.
Please help me figure out where I am going wrong.
Related
So I have a Spring Boot app, with an Angular Front-end. My plan is to embed Tomcat in the Spring Boot app for routing, reverse proxies, etc. What I want to happen is the user types in the URL, the Spring Boot tomcat server figures out if there is a domain linked to that request and so on, however if the user types in the specified IP and Port it brings up the Admin Panel which is the Angular CLI application which already has injections, and Authentication and session control. I don't want people being routed to the Admin Panel unless that condition is filled. I would like the http request to go to the tomcat server and if the condition is met then it pulls up the Angular App. However, I am not quite sure how one would go about this, is it possible to call the Angular app from the Spring application?
Update:
After hearing some feedback I made a diagram to help explain what I am looking for:
Routing Diagram, so in this a client or user would type in "https://example.com/" in their browser, it would first go to angular being the frontend, angular realizes it does not have the example.com resource so it requests just example.com/ from the backend, which knows where the resource is and then injects the html file back into the front end. The only time in which a user would be greeted with the login page I have constructed is if they have typed in the primary IP address of the server, which I would probably end up injecting by some variable from the backend as the front end wouldn't know what the IP is... thats a different issue I would have to solve. Is there a better way to do this? Should I be using React.js instead of angular? so far my application structure is very similar to this github repository: https://github.com/liliumbosniacum/spring-security-angular I have modified it and fixed some of the code and am looking into better ways but this was my starting point. I really hope this clarifies, I am looking for if there is a better way to do this or if this is not how it should be done how should it be done? like just an explanation with a diagram on what a better way would be? and Is Angular the Right front end for me?
What I understand from your problem is that you want your Spring boot app to route requests to views created by your Angular program and need some authentication features.
For me, I'd rather divide the project into frontend and backend and use JWT tokens, but for your situations you can have a look on this official Spring documentation. It's a detailed post that integrates Spring boot and Angular, and it also deals with Spring security.
I am trying to build my first website using Spring boot + ReactJS and MySQL.
It's essentially a gym website where users can create an account, sign in and then choose a membership + checkout etc.
What I have done so far is:
Spring Boot REST Api for creating a new customer + other CRUD features.
React Front End Registration form with Spring boot server validation, the form posts the data to the REST api using axios.
I have a design in figma of the website and I've been working on that in the meanwhile because honestly, i am stuck.
Some problems I'm facing:
Spring Security, I have used JSP before and it was easier for me to get the hang of it since it is server sided and I just had controller methods etc. Now that I'm using react I have no idea how the security function would work with Spring Boot.
Since the front and back end are served on different ports, how would my Spring configure
method look like? (The class that extends WebSecurityConfigurerAdapter).
How do I restrict access to URL's on the front end using React Router? Since Spring Boot and React router are both on different ends I am struggling to understand how that works? What about the API endpoints being accessible as well.
Authentication + Authorization, I've looked up tutorials and I've pretty much only seen Authentication by the use of JWT tokens when working with Spring Boot + React, is there no other option other than JWT? (For me it looks really confusing so I'd like to know if there's a valid alternative or not) - if not , why JWT?
I know Spring Security on its own is a complicated framework and I've read a alot about it, though some concepts do confuse me. (UserDetailsService vs UserDetails, Types of Authentication Managers you get)
In general, the integration of Spring Boot with a SPA such as react, if someone could explain the flow of how it functions on both the front and back end.
Not long ago i had similar problems like u. I would suggest to check out this tutorial: https://youtu.be/VVn9OG9nfH0
It should answer all of your questions.
Is it possible to forget the authentication, jwt login stuff and security for now and implement it later?
I choosed java for my restful service back-end for my game, but i'm having such a hard time setting up a simple login system with a mysql database, jwt authentication and spring boot. I followed a great tutorial, but it's only concerning Spring boot, not JWT security.
I would like to move forward and implement the security later if possible.
Right now i just gave up and i'm doing simple apis with just spring boot based on this architecture : https://github.com/djdjalas/SpringBootIn50/tree/master/src/main/java/com/yourname, i replaced the fake data with jdbc calls to the mysql database. Is it ok? Will it be hard to implement autentication later when i will have many services?
Thank you.
Spring Security itself is hard to understand and master in the way it should be done as it requires more understanding of the processes behind its configuration. Anyway, if you get familiar with it you won't have serious difficulties here. There will be no major changes to your code. You'll end up generally with one more configuration class/file and this is it.
Can't say anything about JWT but don't think it will be a problem either.
I am new to Java and i developing a small web application using spring web, using java config. Now i want my clients to authenticate using ADFS 2.0, i tried the spring security SAML sample app but i couldn't run it (i got this error: http://s14.postimg.org/tzlzaumrl/IMG_20160321_174454_resized.jpg).
so I started look for another way to implement saml in my app but i don't know what is the best and simplest way to do so.
In .Net it's very simple, you just right click on the project, enter the app URL and the ADFS metadata URL and thats all. is there any easy way in java to do that?
"is there any easy way in java to do that" - No.
Your error is an invalid response. Look in the ADFS event log for clues.
You need to use a SAML stack - refer: SAML : SAML connectivity / toolkit.
I've been tasked with creating a Security Proxy service. The idea is that if the backend security provider changes there is no impact on the main application. This ideally is what the backend security provider is for, but I have been tasked with creating a seperate service which will affectively be a proxy to the backend security provider.
I don't want to have to write a complete security module to do something that is already done by a dozen services. I want to be able to set up a service that can be updated if needs be.
I am wondering if anyone knows of a solution which can take care of this with minimal coding/configuration?
Any help would be useful, if you want more information please comment and I'll try and enrich as best I can.
[Front end is Tomcat Web Application written in Java (and GWT), Spring Security is preferable]
[Backend is SiteMinder (at the moment)] http://www.ca.com/us/internet-access-control.aspx
[I have been looking at CAS but wanted to ask a learned community before deciding how best to proceed]