We are designing an application which can be accessible via both mobile app and web app.
Mobile app will get data using exposed REST API (we are using CXF). For web app, we are using Spring MVC, it will also get data from REST API. In both cases, we want to show data for the authenticated users. For authentication, we are using JWT token.
My question here is we are offering two ways of accessing data via REST or web, and both need authentication. How can we reuse our security code in both components.
URL for web component
http://localhost:8080/web/resource/
URL for REST API component
http://localhost:8080/rest/resource/
URL for authentication
http://localhost:8080/auth/
Initially, we thought of having two different filters for each component, i.e. web and REST. From each of them we'll make a REST call to authentication API for validating the token. One doubt with this approach is if user going through web, then with this design we are validating token twice. So the better would be calling to the authentication API from REST API, avoiding it in web because rest api will always going to make authentication call.
Is there any other better way to do the same?
Related
I am using some angular ui routing in some places, and I wanted the java server to not control some of the urls.
Perhaps it makes more sense to run the java app elsewhere? The reason I have the angularJS in the same url is because there are some authentication checks for my springboot app. So I want most URLs controlled.
But there's a few where I may want to control the authentication----but not the templating.
I think my problem is my Spring Boot code is trying to use velocity, when some of those URLs should just forward to AngularJS routing.
So a URL=/myreport/
--> goes to Java 404 error, instead of just forwarding to Angular UI Routing
--> But in some cases, Java should return 404/500/403 et al
Is there a way to do like a RestController that just forwards to AngularJS after authenticating? or to disable velocity??
This would probably be more straightforward if you limit your Spring Boot code to just doing authentication and providing an API, and implement all of your UI in the Angular app.
You can then still use Spring Security to control access to the API.
On the Angular side, you can use AuthGuards in your routes to control access to parts of your UI based on the user's role.
To get a nice, clean separation, it is helpful to use token-based authentication instead of, say, Form-Based or Basic authentication. That way, the Angular app can present the login UI, and make a REST call to the Spring Boot app to log in, and get a token back, which is used on subsequent calls.
If you use JWT, you can have the back-end produce a token that includes the users' role, and then read that in the Angular app.
I recently wrote a 2-part blog post showing how to create an Angular 2 app with a Spring Boot back-end using JWT.
See http://chariotsolutions.com/blog/post/angular-2-spring-boot-jwt-cors_part1 and http://chariotsolutions.com/blog/post/angular-2-spring-boot-jwt-cors_part2
I have access to a web application which has a link to another application I'm developing. When that link is clicked the URL is filled with two parameters: user, and token.
This token is generated per every user login on that very same web application.
I want to use that token and user to authenticate someone in the application I'm developing!
I have access to the source app's database in order to query against the token and username.
However I need help finding a way to implement this logic with Spring-Boot. Do I need a custom filter / authentication provider? How to wire these things up with Spring?
I want to stick to the framework rather than developing my own solution for this.
TL;DR: I need help securing a RESTful controller with a token I obtain through GET
Thank you!
Yes, you could write filter to authenticate token.
If you want make architecture a bit better I would recommend creating gateway (i.e. Zuul) and invoke second application through gateway. Implement gateway to authenticate requests. In my architecture I create separate Auth component to generate token and validate token. Gateway could call Auth to validate token.
iRecently my app got hacked by using sql map.We added few filters to avoid unwanted requests but how to integrate security to the api calls, in back end my app communicates with spring controllers.
Well are you using any authentication on the requests made from the mobile?
Like JWT or a security token. You can check this ionic or auth.
Also make sure your making the api call your making it you can hide it many ways. Store it in a object and then call that object when your making the http or ng-resource request.
We have an existing legacy web application(Servlet+jsp+spring+hibernate) and we are going to develop some new features of the application using a new stack (angularjs+Spring mvc). Currently suggested approach is to register a new servlet and develop the new features in the same codebase, so the authenticated users will have access to the new functionality we develop in the system. Is there a better way of doing this as a two different web applications (without SSO) ? Can two web applications be secured under the same form based authentication settings ?
I think architecture and security usability is very important before dive into something.
If both apps use same login, then I assume the newer application is more likely a service oriented application. Ex: RESTful
Authorization may be an issue. Ex: Legacy app is used by user set A, new one is used by both user set A and B.
Otherwise you can use a shared database for example MongoDB to store your login info i.e token.
When you log in, return that token and use for the other service via angular client. When you log out remove any token for that user session. You may also need to concern about token expiration.
However you have to refactor your legacy system in someway to use a token. If it is not possible, you can use session sharing which is handled by the the container if the the both apps are running under same container. Ex: Tomcat. But now it may very hard to integrate with a native mobile app if you are hoping to do so.
Sharing session data between contexts in Tomcat
From the point of Spring security and angularjs, authenticating via form is just an http POST with content type being application/x-www-form-urlencoded. One difference is the response to a non authenticated request, for one response should be a http redirect (jsp, to a login page), one with an unauthorized code (for angularjs). That could be handled with a custom AuthenticationFailureHandler or on the client side. A similar difference may occur for the successful login redirection.
I have a web application that contains ui based on jsf 2.0 and a set of rest apis.
The ui side of the application is accessed from a browser and rest apis are invoked from a mobile app.
For the authentication for the UI is managed by jsf , (no form nothing, jsf manages everything). Now, I want the user to be authenticated before he/she can access the rest apis.
Can I set up the web application to have Basic authentication so that I can set the username and password in the header when calling the rest apis?
You will need to have a security filter for your web application. (this can be done with spring security - Integrating Spring security with JSF 2 )
The user will have to pass a username and password to your application.
Then, you just need to configure your rest api to work with basic authentication. Since basic authentication is a HTTP feature, every time you call the rest service, you will need to pass the username/password in the request.