We have a existing java web based application built on Jersey framework and looking to provide SSO support using Okta or any other IDP. I have seen many example applications for saml support for spring based applications. Is there any framework which can provide saml support for Jersey based applications? Or Spring SAML extensions can be tweaked to provide support for non-spring baed applications?
Please provide any links or pointers.
Thanks in advance!
It's possible to apply the Spring Security SAML extension on a non-Spring application. We are using Spring SAML with a Wicket web application.
I built a prototype with ADFS as an IdP to check feasibility, before we implemented this approach on the project. You can find the prototype in my Bitbucket repository: blog-spring-security.
Basically, you can use AbstractSecurityWebApplicationInitializer which should transparently enable Spring Security in your application.
public class WebAppInitializer extends AbstractSecurityWebApplicationInitializer {
public WebAppInitializer() {
super(SecurityConfiguration.class);
}
}
Spring configuration for SAML is quite extensive (couple of pages of source code), so I won't paste it here, but if you are going to use Java configuration you can utilize my SecurityConfiguration.java.
In case of XML configuration, I would recommend to follow either Reference Documentation, or sample project securityContext.xml.
Related
I have a web application NOT implemented on Spring Boot or Spring itself. It has no Spring whatsoever, it was made using RESTEasy running on Tomcat.
I'm supposed to add ADFS authentication to this web application through the use of Spring's Security SAML Extension.
I've seen a lot of projects online that implement this feature but all of them use Spring Boot or run on Spring. At the same time I've seen mentions of being able to implement Spring SAML without having a Spring project. So I'm a little confused now.
Is this feat achievable?
If so, could you guide me on how to do it?
Which Maven dependencies do I need exactly?
Which web.xml configs do I need?
Which Beans do I need to implement?
Thank you in advance.
I am in desperate need of help. So as a prerequisite I am tasked with creating a simple web application. The application requirements are to create a simple web form that collects user data and then sends an email verification to the user that just provided information. The difficult aspect of this project is CAS Integration with the Marist College CAS authentication system. A requirement of this project was that I use Spring Boot to create the project. At the moment I have already implemented Spring Security to authenticate users. I have been trying everything online to integrate CAS with my existing project. I was hoping that someone on StackOverflow may have more knowledge on how to integrate CAS with SpringSecurtiy. Also please don't be harsh on me I have never used the spring framework before this project and this is all new to me. The Url of the CAS server is "https://login.marist.edu/cas/". I have looked into https://github.com/apereo/java-cas-client spring support I just don't know how to integrate it with my current application. Thank you to anyone in advance that lends me a hand with this.
As I previously stated I would provide the solution to the problem that I experienced during the processes of integrating a spring application with the Marist CAS 2.0 Authentication System. As Stated above there is a Spring Boot AutoConfiguration that can be used. While this may not be the best method for securing your application it satisfied my needs for the project that I was working on. The Steps to configure your spring application with CAS 2.0 are bellow.
Add Maven Dependency
Maven:
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-support-springboot</artifactId>
<version>${java.cas.client.version}</version>
</dependency>
Add the following required properties in Spring Boot's application.properties or application.yml
cas.server-url-prefix=https://cashost.com/cas
cas.server-login-url=https://cashost.com/cas/login
cas.client-host-url=https://casclient.com
3)Annotate Spring Boot application (or any #Configuration class) with #EnableCasClient annotation
#SpringBootApplication
#Controller
#EnableCasClient
public class MyApplication { .. }
4)For CAS3 protocol (authentication and validation filters) - which is default if nothing is specified
cas.validation-type=CAS3
For CAS2 protocol (authentication and validation filters)
cas.validation-type=CAS
For SAML protocol (authentication and validation filters)
cas.validation-type=SAML
I have a simple web application which I am writing using spring-boot and storm path for user authentication. (I'm actually using spring-boot-starter-stormpath-thymeleaf)
I have a have the following request mapping in my controller
#RequestMapping(value = "/secure", method = RequestMethod.GET)
public String secure(Model mode, HttpServletRequest request) {
Account account = AccountResolver.INSTANCE.getAccount(request);
if (account != null)
return "secure";
else
return "redirect:/login?next=secure";
}
which forces a user to login to view the secure page. It works, but it doesn't feel like it is the most elegant of solutions. Is there a better way? I think a solution with filters should be possible but I cannot figure it out.
The current Stormpath Spring Boot starter does not (yet) have an authentication filter, but it will on future releases for those that want an out-of-the-box experience without having to use Spring Security or Apache Shiro.
That said, we're currently working on natively supporting Spring Security and Apache Shiro as Spring Boot starters that 'just work' with the Stormpath Spring Boot starter. Until we can release those, creating a custom servlet filter as you indicate is the best approach.
Are you also using the Stormpath Servlet as well?
If so, you could do what you need following this piece of documentation. This way you will only need to declare which are the resources of your application that you want to secure and Stormpath's authc filter will prompt for authentication when required.
If you're using Spring MVC, you should use Spring Security and have Stormpath acting as an authentication provider. Then use the standard Spring Security tools to declare access rules and inject the current user where needed.
I am searching for a security framework that allows role based security for OSGi services as well as CXF webservices.
Some time ago I already used spring security but as we now switched to blueprint it is not an option anymore as far as I understood. To configure the access rules I would like to mainly use the standard #RolesAllowed annotation. So what are my best starting points? I also thought about implementing this myself as a blueprint extension but I would prefer an existing solution.
I would suggest you go with Apache Shiro instead, http://shiro.apache.org/ .
It provides easy API's for authentication, authorization, cryptography, and session management. It can also be easily deployed inside a OSGI container. Some pros of Apache Shiro are listed here Apache Shiro vs Java EE native APIs
In the mean time I created a blueprint extension for authorization based on JAAS and Java EE annoations (#RolesAllowed, #PermitAll, #DenyAll). You can add the extension to any blueprint file. It will then scan all beans for these annoations and intercept calls if they are found. It uses an existing JAAS context to get the roles of the user.
So prerequisite for this is doing a JAAS login. I have also created a CXF JAASAuthentication feature that logs in a user based on basic auth or ws security username principal. The module works together with the Apache Karaf JAAS support. So all karaf users and roles apply.
I will create a tutorial to show how to use all of this once the aries blueprint release that includes the authorization module is out. In the mean time I would be happy if you try it out and report any problems you have.
Btw. another approach for karaf is the role based access control for OSGi services that is built into karaf 3+. It does not work with annotations but is also easy to use. See
http://coderthoughts.blogspot.de/2013/10/role-based-access-control-for-karaf.html
I am currently developing my project using Spring, Sutruts2 & Hibernate. Now i want to apply acegi security for authentication & authrization purpose.
But, i m totally new with acegi, so i want to use acegisecurity framework with spring configuration.
If anyone have link for an simple example of acegi with spring, struts2 & hibernate then please provide me it.
Thanx in advance.....
Are you using acegi or spring security? Acegi has been repackaged (and simplified with respect to configuration) to become spring security, as described on the homepage
Acegi Security is now Spring Security, the official security project of the Spring Portfolio. If you are planning a new project, we'd recommend you consider using Spring Security. Acegi Security 1.0.7 will be the last non-critical release of the 1.0.x series.
See also Ben Alex's blog
Update: A spring security tutorial is available here
There is a tutorial sample available as part of the acegi distribution.