Spring Security integration with remote Authentication Provider (SAML) - java

I'm trying to integrate my Spring app with a governmental system responsible for user authentication (SAML). The main concept is that "my" app receives an already logged-in user with a so-called assertion. The question is how I can customize Spring Security to recognize the aforementioned assertion as proof that the user is authenticated. Or maybe I should write my own filters instead of using Spring Security?
Unfortunately I can't share the code - company policy ;(
Any feedback is appreciated.
Maciek

If you receive a SAML assertion (it's easy to see, it's a whole XML packet), you absolutely need a library to deal with that complexity.
pac4j (security engine for Java) supports the SAML protocol. So either you keep Spring Security and use the pac4j extension for Spring Security: spring-security-pac4j or you directly use the pac4j security libraries for Spring MVC/Boot: spring-webmvc-pac4j or for J2E: j2e-pac4j for example.

Related

How to create custom login module in spring boot web app using spring security

I’m trying to build a Spring Boot web app where I have my own login module with REST API backends that would do credential validation for me. I need to use Spring Security to have TLS implemented, but even though I managed to override the login page, the CSS would not work. And secondly, when I give the loginprocessingurl in the securityConfig as my controller route to what manages the credential validation, it says too many redirects.
Can I bypass the login module entirely?
I don’t want to encrypt the password at the client end and would really like to utilise Spring Security.
Thanks in advance!

Implementing both SAML and legacy login without Spring Security API

I have a similar question to this one however our application (which makes use of only Spring Beans & Annotations) currently does not use the Spring Security component/API. Would like to know if we can support the plain vanilla login (based on username password) mechanism for one set of users and support SAML based logins for another set of users (thereby using only Spring SAML extension). Or is there some basic Spring security config to incorporate before we use the SAML extension? Thanks in advance.
It is in fact possible to use Spring SAML extension without 'implementing' the Spring security aspect in the project. However the spring security jars are needed as a dependency.

What is the right way to make Spring boot authentication for mobile clients?

I need to make a simple CRUD application with user registration and authentication using Spring Boot, but I have some trouble figuring out how to do this right. I have created a user table in an RDBMS and set up Redis for storing user sessions as explained here.
In the Spring Boot docs it's said that
"If Spring Security is on the classpath then web applications will be secure by default with ‘basic’ authentication on all HTTP endpoints."
But I defined several CrudRepository interfaces and after starting my application I can GET its data using a browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked if Spring Security is on the classpath with the gradlew dependencies command and it appears to be there:
Also, the default user password that should be displayed during application startup does not show up. So maybe I am missing something here?
Also, I am not sure if that would be the best option for a mobile app because it possibly uses short-living tokens. There are several other options, among which are using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using the approach that was used in the Angular web app, and finally stateless authentication with OAuth 2.0, directly in opposition to the author of the Angular web app tutorial, who claims
"The main point to take on board here is that security is stateful. You can’t have a secure, stateless application."
So how do we need to pass the token? How long should it live? Do we need to make an additional XSRF token or not? Should we use an out-of-the-box solution or implement our own? Can we make it stateless?

Spring Security SAML Implementation

I am starting a new Spring project where I am planning to use SSO. I have read the blogs and come to know that Spring Security SAML will be the best solution for the SP.
So I have implemented the Spring Security SAML sample application provided by the Spring site https://github.com/SpringSource/spring-security-saml as the SP along with a Shibboleth IDP.
The IDP connects with an LDAP server. I am able to execute the Spring Security sample application.
I am confused about how I can use this Spring Security SAML extension along with multiple Spring projects.
Any example link or suggestions on architecting the Spring SAML project integration with multiple Spring MVC applications will be helpful.
Provided your REST APIs are only called by the web application which is deployed together with them (in a single war and therefore sharing the same HTTP session) you can use Spring SAML + Spring Security to secure them.
Spring SAML will be used to authenticate the users against a remote IDP and populate their entitlements (granted authorities); Spring Security can then be used to define security policies for the APIs called from the UI.
In case you want to be able to call the REST APIs from remote clients, you may want to look into the Spring Security OAuth project - as this is no longer about web single sign-on.
It is possible to create a central installation of Spring SAML which handles all SSO logic. Of course you will need to implement a mechanism in which Spring SAML relays information about the authenticated user and her attributes to your other applications, and do so in a secure way. One possible way to approach it (provided the applications are deployed on the same domain and therefore can share cookies) is to:
- after authentication in Spring SAML, set a shared cookie which is visible to all the other applications and which is e.g. signed by the Spring SAML's key, or encrypted using a shared key; the cookie should also contain the user's attributes
- this can be done in a custom AuthenticationSuccessHandler which is subsequently expected to redirect the user to the correct application (e.g. based on some custom logic or relay state)
- the target application needs to verify the cookie (by checking the signature or decrypting using a shared key, possibly performing other checks), parse the attributes and start its own session which is pre-authenticated based on the content of the cookie
All of this can be done with implementations of standard interfaces of Spring Security and Spring SAML. But it's not a trivial task - mainly considering that any security vulnerability in your implementation might compromise the security of your applications.
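The signed-cookie handoff described in this answer, as an added example that is not part of the original answer and not Spring SAML code: the central application signs the cookie value with its private key, and each target application verifies the signature and an expiry (one of the "other checks") before trusting the attributes. The class and method names, the `expiry|user|attributes` layout and the generated RSA demo key are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
// Hypothetical helper; the cookie layout "expiry|user|attributes" is an assumption.
public class SharedSsoCookie {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    // Central SSO app (e.g. called from the AuthenticationSuccessHandler): sign the payload.
    static String issue(PrivateKey key, String user, String attrs, Instant expires)
            throws GeneralSecurityException {
        if (user.contains("|")) throw new IllegalArgumentException("separator in user name");
        byte[] body = (expires.getEpochSecond() + "|" + user + "|" + attrs)
                .getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(body);
        return ENC.encodeToString(body) + "." + ENC.encodeToString(s.sign());
    }
    // Target app: returns {expiry, user, attributes}, or null if the cookie must be rejected.
    static String[] verify(PublicKey key, String cookie, Instant now) {
        try {
            String[] parts = cookie.split("\\.", -1);
            if (parts.length != 2) return null;
            byte[] body = DEC.decode(parts[0]);
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(body);
            if (!s.verify(DEC.decode(parts[1]))) return null; // verify before parsing anything
            String[] f = new String(body, StandardCharsets.UTF_8).split("\\|", 3);
            if (f.length != 3 || Long.parseLong(f[0]) <= now.getEpochSecond()) return null;
            return f;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // bad base64, malformed signature or expiry: treat as unauthenticated
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // constructed demo key pair
        Instant now = Instant.now();
        String cookie = issue(kp.getPrivate(), "alice", "ROLE_USER", now.plusSeconds(300));
        // Same signature, different payload: must fail verification.
        String altered = ENC.encodeToString((now.plusSeconds(300).getEpochSecond()
                + "|alice|ROLE_ADMIN").getBytes(StandardCharsets.UTF_8))
                + cookie.substring(cookie.indexOf('.'));
        System.out.println("valid:   " + (verify(kp.getPublic(), cookie, now) != null));
        System.out.println("altered: " + (verify(kp.getPublic(), altered, now) != null));
        System.out.println("expired: " + (verify(kp.getPublic(), cookie, now.plusSeconds(300)) != null));
    }
}
```

A signature protects integrity only, so the attributes stay readable by the browser; the cookie itself should still be set with the Secure and HttpOnly flags and a short lifetime.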

Integrating Captcha with Spring Security

What is the appropriate way to integrate Spring Security with Captcha?
I have the following use case:
When a user tries to log in, if he has failed to log in N times, a captcha will be displayed, so authentication will use three parameters: username, password, captcha. But Spring Security doesn't have built-in Captcha handling.
I have just started thinking about the implementation, and have the following variants:
- Adding a separate security filter to the Spring Security filter stack,
- Entirely rewriting AuthenticationProcessingFilter to support some Captcha
- Using some programmatic authentication with intercepting captcha logic and then transferring the username and password to Spring Security
As a Captcha implementation I am thinking about JCaptcha, but what are your thoughts?
As an alternative to using JCaptcha, if you'd like to use the reCAPTCHA Service on your site, then check out the free Section 4.4 (direct PDF link) of the new Spring in Practice book (currently in beta).
This shows you integration with Spring MVC and Spring Validation. Since the integration is on the front-end, w/external APIs, Spring Security doesn't really come into the picture here.
I am not sure what your use case is? Are you hoping to use captchas as an alternative to authentication to prove "human"-ness?
Take a look at this article: Spring Security 3: Integrating reCAPTCHA Service.
This uses two filters to make reCAPTCHA integration as seamless and unobtrusive as possible. That means your existing Spring Security implementation will not break. No need to touch existing classes.
I've done integration with reCaptcha and Spring Security (Spring Web Flow + JSF) by defining a custom security filter. Maybe it isn't the most elegant, but it works well.
You can look at my blog - unfortunately in Polish, but maybe it will help you or someone...
http://marioosh.net/blog/?p=1087
Kaptcha is easy to use.
