I have some endpoints in my REST API (Java + Spring Boot under the hood). I am using SpringFox with Swagger-UI do have some documentation. But I have a problem now. I would like to show for endpoints for user related to his role.
So, for example, some user with role A should see only /endpoint-A1 and /endpoint-A2 and user with role B should see only /endpoint-B1 and /endpoint-B2, and admin role should see all the endpoints.
As far as I researched, it is not an option to achieve this with SpringFox. And I understand that because there is no place to interact between Spring Security and SpringFox on this field. Correct me if I'm wrong.
But I thought maybe you know an option, to use Spring Boot code and generate the documentation bases on it and export it somewhere - I do not need to host it as SpringFox is doing. I only need to have this generated to separate files based on user roles. Later I will manage the user roles somehow. Do you know such a tool? Or maybe you have any idea how to achieve that in another way?
Related
I have already set up a running application having:
an authentication server
several resource servers
a javascript-frontend
For the authentication I am using the oauth2-stack of Spring-Security to hand out JWT-tokens to successfully authenticated user's. The login-information is collected in the javascript-fronted which then asks the authentication-server for an auth-token and stores it. This all works well for my application.
What I want to do now is integrate third-party-login-services like Google or Facebook. Currently I am at a point where the process can be started from the javascript-frontend, then the authentication-server does it's magic and communication with the third-party-login-provider. I've gotten so far that the login process is successful and I get the needed information which actually is only the e-mail-address.
But now I'm stuck. I have the authentication information on the server but now I need to construct one of my own authentication-JWT-tokens and hand it to my javascript-frontend. Can anybody give me a hint on how to achieve that?
The JWT Login Sample in Spring Security Samples demonstrates how to create JWT tokens for your own purposes. The key is to ensure that authentication has already occurred, prior to provisioning said token (which in your example is already the case).
Note that the sample uses the com.nimbusds:nimbus-jose-jwt dependency as Spring Security already depends on this library internally. You may also consider using io.jsonwebtoken:jjwt-api or another library instead. jwt.io has a useful list of libraries that support creation of JWTs, and you can filter by Java and click through to the repository to get more information about any of them.
In any case, the sample should be easily adapted to your choice of library, and the out-of-the-box support for verifying JWTs in Spring Security should work.
What I'm trying to do is to create an application with Angular frontend and Spring Boot backend with OAuth2 authentication.
The issue is that I don't know how to get on the frontend the ROLES user has so that I'll be able, for instance, to show something role-based on the page. Yes, there are scopes that OAuth provides in the response but the problem is that these scopes are for the CLIENT but not for the specific USER itself. And that CLIENT is my frontend side (correct me if I'm wrong) which basically means that every user operating my application(client) going to have the same scopes(roles). Moreover, I can specify roles on the backend with the help of Spring and UserDetailsService and then use those roles with #PreAuthorize, etc. But not on the frontend side.
Just as an example, if I simply used single JWT then with a token itself I'd return both the username and roles to frontend. And then I could store that data and use it on the frontend side according to my needs.
So what I'm asking is if it's actually possible and if this is correct to do so?
And how can I possibly implement such behavior?
OAuth doesn't solve this problem and it is best solved via claims in your API. OAuth should deal with authentication only. My below post may help you to think about the best separation: https://authguidance.com/2017/10/03/api-tokens-claims/
In a nutshell you will have to look up user rights such as roles after the OAuth processing completes.
There is a great video from Spring developer on YouTube about OAuth2/OpenID Connect. It shows how to implement the resource server using the newest Spring Security 5 solution.
Probably the easiest and the best way to achieve this is to use an OpenID Connect server which will provide all user management stuff. On the market there are many solutions. Auth0 and Okta are Identity Clouds which provides their services for small amount of money. On the other hand you have Keycloak, which is a server which you can install in Docker or even on bare metal - it's free and open-source.
I want to have authorization in my Java EE application.
Online it describes how you should define the roles in sun-web.xml. However I would like to have all my roles, and groups defined in a database table.
That means, when I access a method for my application, the request needs to be intercepted to see if the user is allowed in the role.
Do I need to
create some kind of interceptor class that checks auth as user makes call to my web service method
create a custom Login Module that fishes out the group and role data from the database when a user first logs on
Any pointers would be really helpful.
First of all: I would strongly suggest using standard authorization mechanisms.
But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server
Roles have to be declared in the web.xml or sun-web.xml.
Frameworks
The next thing I would look into are frameworks, that could help you with that. The link will provide you with two suggested frameworks.
Building your own
If you don't need it for productive purposes, I would suggest the following:
use Filters to check for authorization and authentication: Filters a fairly easy to use ,very powerful and often used for security purposes: See http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filter.
For the login, you could probably just stick with the standard form-based login.
I'm trying to get Spring Security to handle authorization via GET variables. All the examples I've been able to find focus pretty much entirely on role-based authorization, which doesn't really work for my application. The way the authentication/authorization process needs to work is as follows:
User authenticates through external system, gets a session ID.
User passes two GET parameters to my application, sessionId and objectId.
Application verifies that session is valid (already figured this part out)
Application verifies that the object is visible to the user (need help here)
Application returns object information to the user
All the examples I've seen have been demonstrating how powerfully Spring Security can check a granted authority on a URL pattern or a Java method. But I need to implement a custom check on step 4 to make sure that the user has the correct permissions in the backend (users can be granted object-specific rights, so a role approach won't work here).
I am new to Spring Security, so it could be that my thought process is just all sorts of wrong. If I am, feel free to correct me!
You need to use ACL feature or you can emulate the same thing via some custom code (for example via custom web security expression). See this post for details.
I think you need to look at the Pre-Authentication Scenarios section in the documentation. In particular, you will probably need to implement a AbstractPreAuthenticatedProcessingFilter to pre-authenticate the user based on the GET parameters.
I'm looking for a java package/spring user management package that is similar to django's auth application, which provides the database models such as User and Group out-of-the-box.
I have a standard spring/hibernate application (based on Spring ROO), and I would like to use an existing User/Group/Role implementation instead of reinventing it (the actual authentication can use spring's mechanism, but I'd like to save the time implementing the user management part).
Thanks for the help
The Emmet project may be of interest to you. Emmet includes a custom SpringSecurity UserDetailsStore and a webapp for user account management. Out of the box functionality includes basic user account details, roles, support for multiple identities, support password aging, self registration and password reset. You can use it in conjunction with SpringSecurity based authentication and access control, or (at a pinch) with other "stacks".
(Emmet also provides some custom SpringSecurity authentication components, and potted wirings, but you can ignore that aspect if you like.)
Disclaimer: I'm the lead developer for Emmet.
Spring Security is a full-featured and widely-used Java auth module. While it doesn't have data models right out of the box, there is documentation provided that gives you the DDL to create the most basic tables you'd need:
Spring Security Database Schema
in this period I've created a new Open Source project related the RBAC and a generic solution for the user management:
microservice-rbac-user-management
You can find an RBAC apis and model here ready to use and with all the documentation. Ready to be used also with Docker.
I hope this will help you.