I am trying to secure Spring boot REST apis that only need the user to enter a valid OTP (which I am already validating), I have no problem implementing this using sessions/cookies/JWTs but I need to use the simplest implementation that is supported by Spring boot to give the user a token or to know him in some way so that he will access the secured REST APIs.
I could create the Jwt & send it to the user, but Authenticating this across every API seems too much by making a filter & using it on every secured API
This is (compared with using something like this reference) where we can see that Spring security already provides simple & global protection for the APIs but depends on authentication using username & password.
I don't want to recreate the wheel as in security I believe it is best to use standard libraries to avoid any issues.
What is the best practice for the scenario above as I was overwhelmed from the different approaches that I saw & I don't know what is the best?
1- Validating the Jwts in a central place for secured APIs?
2- Creating session for the user (without using Redis or DB) but only keeping it in Application server?
Any help is appreciated.
Related
there is my application in which I am using Angular on the UI side and on the API side I have a spring boot app and for managing users- using the AWS Cognito user pool. currently, I am able to connect with my user pools in my application, which means I have manually implemented the verification, decoding, and filtering id tokens and access tokens based on role manually. but I want to use the spring oauth2 feature to do the same and want to remove manual verification and boilerplate code.
can anyone help me please to provide the steps how can I achieve it, if you know certain steps,
it will be really helpful for me.
I am having difficult integrating with SSO with my web application.
I have an sample dropwizard application.
I tried integrating with google and facebook open connect.
I thought of 2 approaches for integration
1. fetch the token from frontend js once the user is authenticated using open id, pass that token to the dropwizard server as cookie.
2. fetch the token from the dropwizard server itself and store the set token in cookie while responding to the frontend.
I am not sure on which of the above 2 is best or is there any recommend way of integrating with the open connect in dropwizard?
I like delegating SSO to well known applications/ libraries specific for the job. Keycloak is the application I’m familiar with. But I suppose some of the points below are application independent. This partial answer is a possible direction of a solution, but I don’t think it’s the recommended way, if there is any such way. Some people will dislike the approach.
The front end is responsible for authentication. But it cannot be trusted to be unmodified since it is in user space. Therefore calls to the back end should be validated for validity and authorization (which should be a back end task anyway).
Keycloak has libraries for well known front and back end implementations that allow easy integration. I’ve used it successfully with Angular and Dropwizard.
Integration with various identity providers can be combined. Therefore it is probably a pretty safe bet for a situation where authentication demands are expected to change. It takes some getting used to the extra layer though, so your mileage may vary.
Some links:
https://www.keycloak.org
https://www.npmjs.com/package/keycloak-angular
https://www.keycloak.org/docs/latest/securing_apps/index.html
I am currently developing a REST-application which needs to be very scalable. From what I have learned about load balancing, one should split up the actual application into independent parts. So far I've separated creating accounts and the login from the actual application. I followed this tutorial to implement JWT. Is that best practice or can this solution be improved?
However, I have my actual REST-application as a separate project. Obviously, these two applications need to work together. How can I accomplish that? Is there a way to store the Token & access it in the second application?
Someone told me to follow microservice architecture according to this tutorial.
I really appreciate your help!
With the JWT pattern as described in that auth0 blog, the services are designed to be stateless. In fact, the example code explicitly disables the Spring session. All information required for authorization are fully contained in the JWT token itself and cryptographically protected.
Therefore, there is no need to store or share the token between multiple services / applications, as long as they are all configured with the same SECRET. Each load balanced service simply needs to verify the token received by the client, using the JWTAuthorizationFilter class.
From a best practice perspective, instead of "manually" issuing JWT tokens from each service, consider using an oauth2 or OpenID Connect service. This can be your own service, or you can use a 3rd party service such as auth0 or okta. (OpenID Connect is an extension to oauth2).
You can read more about oauth2 from https://auth0.com/blog/securing-spring-boot-apis-and-spas-with-oauth2/
Is it possible to forget the authentication, jwt login stuff and security for now and implement it later?
I choosed java for my restful service back-end for my game, but i'm having such a hard time setting up a simple login system with a mysql database, jwt authentication and spring boot. I followed a great tutorial, but it's only concerning Spring boot, not JWT security.
I would like to move forward and implement the security later if possible.
Right now i just gave up and i'm doing simple apis with just spring boot based on this architecture : https://github.com/djdjalas/SpringBootIn50/tree/master/src/main/java/com/yourname, i replaced the fake data with jdbc calls to the mysql database. Is it ok? Will it be hard to implement autentication later when i will have many services?
Thank you.
Spring Security itself is hard to understand and master in the way it should be done as it requires more understanding of the processes behind its configuration. Anyway, if you get familiar with it you won't have serious difficulties here. There will be no major changes to your code. You'll end up generally with one more configuration class/file and this is it.
Can't say anything about JWT but don't think it will be a problem either.
I need to make simple CRUD application with user registration and authentication using Spring boot, but I have some trouble figuring out how to do this right. I have created user table at RDMS and set up Redis for storing user sessions as explained here.
At Spring boot docs it's said that
If Spring Security is on the classpath then web applications will be
secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository intefaces and after starting my application I can GET it's data using browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked if Spring Security is on the classpath with gradlew dependencies command and it appears to be there:
Also default user password that should be displayed during application start up does not show up. So maybe I am missing something here?
Also I am not sure if that would be the best option for mobile app because it possibly uses short-living tokens. There are several other options, among which using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using approach that was used in Angular web app and finally stateless authentication with OAuth 2.0. Directly in opposite to author of Angular web app tutorial who claims
The main point to take on board here is that security is stateful. You
can’t have a secure, stateless application.
So how do we need to pass token? How long should it live? Do we need to make additional XSRF token or not? Should we use out of the box solution or implement own one? Can we make it stateless?