I am new to spring security but the scenario I am trying to achieve is to provide basic authentication/authorization(security). The user story requires integration of ForgeRock OpenAM(mandatory) for security. Scenario: I have a spring boot microservice which exposes APIs to allow a UI to connect to a server. How can I include OpenAM within spring boot REST service so that I can provide basic security? What all do I require to achieve the same?
You can use OAuth2 or OIDC to integrate your REST-Service with OpenAM.
For information on OAuth2 and REST look at this e.g.: https://content.pivotal.io/blog/securing-restful-web-services-with-oauth2
For information on using OAuth2 with OpenAM look here: https://backstage.forgerock.com/docs/am/5.5/oauth2-guide/
Same for OIDC with OpenAM: https://backstage.forgerock.com/docs/am/5.5/oidc1-guide/
Hope I could help you :)
There are probably plenty of ways to do that: Some Forgerock plugins, let gateways do the AuthX, SAML2, OAuth2/OIDC, ...
The way I'd recommend is to stick to standards - because they are interchangeable and you can apply them to any application or use them with every modern identity provider.
I personally favor OIDC (aka. OpenID Connect, which is based on OAuth2) for an SSO in applications. There are plenty of good resources on how to setup OIDC/OAuth2 with OpenAM and same for Spring Security.
Here are some links that will help you to learn about it:
To learn about OIDC the standard has a pretty good website linking to good resources: https://openid.net/connect/
Same for OAuth2: https://www.oauth.com
Baeldung Spring Security OIDC example: https://www.baeldung.com/spring-security-openid-connect
OIDC Guide for OpenAM by Forgerock: https://wikis.forgerock.org/confluence/display/openam/OpenID+Connect+Quick+Start
Related
Our team has a REST server and a web application developed using Jersey. Currently we support only authentication in our application using OpenID [1]. We're planning to introduce authorization. In my research I found that role based authorization is one way we can implement this. This approach is to have our own tables like user, privileges and user_privileges and we assign users the required privileges (one to many mapping).
I have the following questions:
Since we have a web application and a REST server. Should the authorization be implemented “inside” the REST server, or in the Web Application Server.
Would like to understand the benefit of using Java's security frameworks like JAAS, Apache Shiro, OACC, Java security annotations [2] (#RolesAllowed) apart from code reuse ability, easy implementation.
Would also like to receive recommendations on which framework to choose from the above mentioned (JAAS, Apache Shiro, OACC, Java security annotations) if suggested.
Thank you.
[1] https://en.wikipedia.org/wiki/OpenID
[2] https://docs.oracle.com/javaee/7/tutorial/security-javaee002.htm
As to your question: "Should the authorization be implemented “inside” the REST server, or in the Web Application Server": My recommendation is to implement it in neither! Instead, implement security inside the services that are called by your REST layer. In other words security is implemented in the very heart of your services, and is enforced regardless of how the service is called.
As for the security frameworks you mentioned, I am biased/partial to OACC. OACC provides a fully implemented API, uses an innovative design to seamlessly integrate with your application, supports a number of database back-ends to persist the security data, and is extensively tested with 1000+ integration tests.
This is a good article that discusses the OACC security model: https://dzone.com/articles/a-different-kind-of-java-security-framework
(Disclosure: I am the creator/chief architect of the OACC framework)
I'm trying to integrate my Spring app with governmental system responsible for user's authentication (SAML). The main concept is that "my" app is receiving already logged user with so called assertion. And the point is how can I customize Spring Security to recognize mentioned before assertion as proof that user is authenticated. Or maybe should I write my own filters instead of using Spring Security?
Unfortunately I can't share the code - company policy ;(
Any feedback is appreciated.
Maciek
If you receive a SAML assertion (it's easy to see, it's a whole XML packet), you absolutely need a library to deal with that complexity.
pac4j (security engine for Java) supports the SAML protocol. So either you keep Spring Security and use the pac4j extension for Spring Security: spring-security-pac4j or you directly use the pac4j security libraries for Spring MVC/Boot: spring-webmvc-pac4j or for J2E: j2e-pac4j for example.
I was wondering if it's possible to integrate Spring Security 3 into a GAE application without having to bring the whole Spring + Spring MVC stack with it. Every example I've seen so far has Spring Beans and / or Spring MVC in it
What I want to do is basically implement generic authentication (basic register, login, logout, reset password, etc), include OpenID, Google Authentication, Facebook Authentication, etc all in one place - Spring Security does this quite nice.
Or alternatively, I would prefer to have as few libraries as possible and roll my own, does anyone have a link or some great resource on setting up an authentication service that allows logging in with Custom Login, Google, Facebook, etc without the use of Spring Security?
You can not use Spring MVC, but anyway you need spring core.
Answer to this question is highlighted in spring security FAQ:
http://docs.spring.io/spring-security/site/faq/faq.html#faq-what-dependencies
More detailed about dependesies you can find here:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#appendix-dependencies
I've got web application developed in spring mvc, java, mysql (hibernate). Now the customer wants new features. Forum and wiki.
From past experience I know of two good ones but they're done in php, those are either phpbb/mybb/punbb or mediawiki for wiki.
Since I have secure salted password in my database with custom salting methods, I was wondering what would be good way of integrating those two or those three working together?
By working together I mean when user logs in the spring mvc app, he shouldn't re-login in order to appear logged in once on forum or wiki.
Right now I have no idea where to start let alone how to do it, some creative ideas would be excellent from whoever people with or without experience with these.
The canonical answer to this is to set up an OpenID infrastructure (based on your Spring MVC web app with its password store) and use OpenID integration to authenticate users on the forum and wiki apps.
There's an OpenID plugin for phpbb; MediaWiki also has a plugin.
You can learn about OpenID from the interwebs; here's an article on using OpenID with Spring Security.
What is appropriate way to integrate SpringSecurity with Capcha ?
I have following use case :
When user will tries to login, if we he failed to login N times, captcha will be displayed, so authentication will be using three parameters : username, password, captcha. But Spring Security doesn't support built in Captcha handling.
I just start thinking about implementation. And have following variants:
Adding separate security filter in Spring Security filter stack,
Entirely rewrite AuthenticationProcessingFilter to support some Captcha
Use some programmatic authentication with interception captcha logic and then transfering username and password to Spring Security
As a Captcha implementation I think about JCaptcha, but what your thougths?
As an alternative to using JCaptcha, if you'd like to use the reCAPTCHA Service on your site, then check out the free Section 4.4 (direct PDF link) of the new Spring in Practice book (currently in beta).
This shows you integration with Spring MVC and Spring Validation. Since the integration is on the front-end, w/external APIs, Spring Security doesn't really come into the picture here.
I am not sure what your use case is? Are you hoping to use captchas as an alternative to authentication to prove "human"-ness?
Take a look at this article: Spring Security 3: Integrating reCAPTCHA Service.
This uses two filters to make reCAPTCHA integration as seamless and unobstrusive as possible. That means your existing Spring Security implementation will not break. No need to touch existing classes
I've done integration with reCaptcha and Spring Security (Spring Web Flow + JSF) by defining custom security filter. Maybe it isn't most elegant, but works good.
You can look at my blog - unfortunately in polish, but maybe will help You or someone...
http://marioosh.net/blog/?p=1087
Kaptcha is easy to use.