I want to create one authentication link, like account.envato.com and multiple applications will be automatically authenticated by same username and password. How can I implement this?
Related
I've a Java Spring Web application (no Spring Boot) with a "standard" authentication mechanism using database user credentials (It uses Spring Security lib).
Now I need to know if is it possible to include a second auth method with an external Identity Provider and a SSO login.
For example: A user with a specific e-mail domain ex: userX#domain1.com, login with his DB credentials but another type of user (ex: userY#domain2.com) need to be able to login against an external IDP.
I've already developed a bunch of application with Spring Security SAML lib with ADFS or OpenAM but that was the only login method for all the users.
If is it possibile, how I need to setup the Spring Security Configuration in order to achive this? Maybe I should use a multi-provider config?
Thanks.
Supporting multiple authentication mechanisms can be achieved by checking the user domain and redirecting to your own service that supports UserNamePassword based DB authentication or redirecting to the SSO service.
And for configuring Spring Security, you can create separate implementations extending
org.springframework.security.authentication.AuthenticationProvider
Checkout this link that guides on how to implement multiple authentication mechansism
For SSO specificly, you have to configure a redirectURL with the SSO provider, that internally calls your API with the SAML response.
SSO with spring security
We are in the process of introducing WSO2 Identity Server in our infrastructure and there is the need to have two authentication methods but - if possible - using the same login form, without redirecting to external forms (like facebook login).
The idea is that we have "normal" and "power" users where normal users will authenticate using the basic authenticator provided by WSO2 IS (using email as username), while power users have a specific type of username (let's say "Power User XXXX") and their authentication is being handled and approved on a specific resource from an existing API.
So, what I would like to do is have the basic authentication form shown from WSO2 and when I identity the power user username format, delegate authentication to the aforementioned API.
I know that in order to delegate to an external service, I need to introduce a federated authenticator - which is not the problem here. My problem is how to do the following:
reuse the same form and handle the different cases behind the scenes
assign responsibility to the custom and federated authenticator based on the username pattern
Has anyone managed to do something similar? Is it even possible do achieve what I'm trying to do?
For your use case, you can write a local authenticator extending the default BasicAuthenticator.
In processAuthenticationResponse, you can check the username pattern and call the external API and authenticate the user else you can call the super
There is another option where we can implement a dedicated authenticator and page to authenticate with the external API.
In the SP configuration set up an identifier first as the first step and default basic and custom authenticator as a second step. Then from the username provided in the identifier first select second step authenticator. This can be done by 'authenticationOptions' in authentication script
I'm creating a spring mvc (spring 4) with spring security 3.2. I have a login page which works fine, with custom UserDetailsService. I want to add on website a new functionality, adding some demands. When someone add a demand, he will receive an email with a button through he can manage this demand, including the creation of a session for the website. I want to create him an account.. and give him authetincation from this button's url which will be handled by a controller. How should i do that? create an account with some hardcoded password? and how about the authentication provider? User with demand couldn't login through normal login page.
In database that type of accounts will have a different status than the normal accounts. Hope you understand what i need...
You can try creating a common user for all such use cases (called guest or similar). If you have validated a user using the trusted url which they have provided, you can query the database using the hard coded username (guest), and get the authentication details like passoword, roles etc. Then you can programatically authenticate the user. In such a way, user only has to provide you a url, and your code can fetch a real authentication detail from the db.
For the authentication part, you may refer to the below link.
stackoverflow.com/a/15119876/3981536
I have 4 single page applications with same technologies: Spring MVC, Spring Security, Angulajs.
Each application has own ldap authentication and authorization. We want to build a single sign architecture and make a central authentication application. And make the other 4 application use this central application.
When user login into one of the apps, he should not need to login the others.
What is the easy way to implent this in server side and client side?
What you want is Single Sign-On (SSO). There are two options:
Use some existed SSO server like CAS.
Do it yourself using subdomain cookie technique.
First option is exactly what you want implement. When you open URL of app1 you will be redirected to SSO server and prompted for login/password. After successful authentication you will be redirected to app1 URL. Now if you open app2 URL you will be signed in automatically. One of advantages is that user password is stored only in SSO server.
Second option is more lightweight IMHO, because instead of using existed SSO server for sharing authentication information between your apps you use HTTP cookies. From the other side you need to write some minimal authentication code which may be less secure.
Subdomain cookie technique:
Use subdomains for all your apps (app1.domain.com, app2.domain.com)
When user connects to app1, generate some token (your session id), store it in some shared DB and as a cookie for domain.com
When user opens app2, check if token is present (as a cookie for domain.com), verify that it is valid (use shared DB) and allow access.
It is very simple algorithm that do not take into account all possible security vulnerabilities (like session fixation for example). So if you do not have enough time to solve them it may be better to go with first option.
I'm developing some site with openid auth.
For openid auth I use standarts spring security filter and provider:
org.springframework.security.openid.OpenIDAuthenticationFilter,
org.springframework.security.openid.OpenIDAuthenticationProvider
And for create user I use my custom UserDetailsService.
So question is where's the best place (filter, provider, detailsService) to save user email got from OpenIDAttribute?
Typically its the UserDetailsService where you construct your domain objects i.e. load/generate a "User" object based on the information passed from OpenId/SAML etc. I guess you're trying to implement some sort of on the fly provisioning in which a user signs in with his OpenId credentials and you look for an existing local account and if you cant find one you generate one?