Is it possible to forget the authentication, JWT login stuff and security for now and implement it later?
I chose Java for my RESTful service back-end for my game, but I'm having such a hard time setting up a simple login system with a MySQL database, JWT authentication and Spring Boot. I followed a great tutorial, but it only covers Spring Boot, not JWT security.
I would like to move forward and implement the security later if possible.
Right now I just gave up and I'm doing simple APIs with just Spring Boot based on this architecture: https://github.com/djdjalas/SpringBootIn50/tree/master/src/main/java/com/yourname. I replaced the fake data with JDBC calls to the MySQL database. Is it OK? Will it be hard to implement authentication later when I have many services?
Thank you.
Spring Security itself is hard to understand and master in the way it should be done, as it requires a deeper understanding of the processes behind its configuration. Anyway, once you get familiar with it you won't have serious difficulties here. There will be no major changes to your code; you'll generally end up with one more configuration class/file, and that's it.
Can't say anything about JWT, but I don't think it will be a problem either.
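As an added example (not code from the thread, nor from the linked SpringBootIn50 repository), this is what the "one more configuration class" mentioned in the answer looks like for Spring Boot 3 / Spring Security 6 with spring-boot-starter-security and spring-boot-starter-oauth2-resource-server on the classpath. The class name, the /api/auth/login path, the app.jwt.secret property and the React origin are assumptions. The existing controllers do not change; dropping this class in is what turns authentication on for every endpoint except the login one.

```java
package com.example.security;

import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example, not code from the thread or the linked repository.
// Adding this single class to an existing Spring Boot REST service is enough to
// require a valid JWT on every endpoint except the login one.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumed property (e.g. in application.properties). HS256 needs at least 32 random
    // bytes; generate it once, keep it out of git, rotate it if it ever leaks.
    @Value("${app.jwt.secret}")
    private String secret;

    private SecretKey hmacKey() {
        return new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    }

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // The browser never attaches a bearer token on its own, so CSRF does not apply
            // to this API. Re-enable it if you ever switch to cookie-based sessions.
            .csrf(csrf -> csrf.disable())
            // Picks up the CorsConfigurationSource bean below.
            .cors(Customizer.withDefaults())
            // No HttpSession is created or read: the signed token is the only client state.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/api/auth/login").permitAll()
                .anyRequest().authenticated())
            // Validates "Authorization: Bearer <jwt>" (signature, exp, nbf) with the JwtDecoder
            // bean; a missing or invalid token is answered with 401 before any controller runs.
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Symmetric-key decoder. Pinning the algorithm to HS256 means a token whose header
    // claims "none" or RS256 is rejected outright.
    @Bean
    JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withSecretKey(hmacKey())
                .macAlgorithm(MacAlgorithm.HS256)
                .build();
    }

    // A React dev server on another port is a different origin, so the browser needs
    // explicit CORS headers. Assumed origin: the create-react-app default.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("http://localhost:3000"));   // never "*" with credentials
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }
}
```

Whatever issues tokens signed with the same secret (a login endpoint backed by the users table) completes the picture; the JDBC-backed controllers themselves stay exactly as they are, which is the point the answer makes.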
Related
I am trying to build my first website using Spring boot + ReactJS and MySQL.
It's essentially a gym website where users can create an account, sign in and then choose a membership + checkout etc.
What I have done so far is:
Spring Boot REST API for creating a new customer + other CRUD features.
React front-end registration form with Spring Boot server-side validation; the form posts the data to the REST API using axios.
I have a design in Figma of the website and I've been working on that in the meanwhile because, honestly, I am stuck.
Some problems I'm facing:
Spring Security: I have used JSP before and it was easier for me to get the hang of it since it is server-side and I just had controller methods etc. Now that I'm using React I have no idea how the security function would work with Spring Boot.
Since the front end and back end are served on different ports, what would my Spring configure method look like? (The class that extends WebSecurityConfigurerAdapter.)
How do I restrict access to URLs on the front end using React Router? Since Spring Boot and React Router are on different ends I am struggling to understand how that works. What about the API endpoints being accessible as well?
Authentication + Authorization: I've looked up tutorials and I've pretty much only seen authentication by the use of JWT tokens when working with Spring Boot + React. Is there no other option other than JWT? (For me it looks really confusing, so I'd like to know if there's a valid alternative or not.) If not, why JWT?
I know Spring Security on its own is a complicated framework and I've read a lot about it, though some concepts do confuse me (UserDetailsService vs UserDetails, the types of AuthenticationManager you get).
In general, the integration of Spring Boot with a SPA such as react, if someone could explain the flow of how it functions on both the front and back end.
Not long ago I had similar problems to yours. I would suggest checking out this tutorial: https://youtu.be/VVn9OG9nfH0
It should answer all of your questions.
I am developing a back-end application, but my application is only part of the whole project; there is a cookie-based login application, so the authentication is done elsewhere and not under my control.
In this app, I have to design a file sharing system: some types of clients, file sharing between clients.
I can only get the cookie (custom logic, not standard), which contains all the data I need.
My manager advises me to use Spring Security to do only authorization and then code the ACL logic in the authorization. I doubt whether it is a good idea.
I have read the Spring Security docs briefly, but can't find anything about my situation.
Finally, sorry for my poor English.
It's up to you, but I would suggest Spring Security. It is a flexible and powerful authentication and access control framework for securing Spring-based Java web applications.
Our project consists of a Java back end (Spring web application) and iOS and Android client applications. Now we need to add authentication of the client applications to the Java back end. The idea is to register the user for the first time using an external web service. At this step the user provides full credentials (login and "big" password) and chooses a PIN for further authorization. After that primary step completes successfully, the user should be able to authenticate using his login and the PIN he chose previously. That login and PIN should be stored in our DB. We should also be able to destroy that "session" and PIN whenever necessary. We expect the web application to have up to 10 000 registered users with up to 1000 users online simultaneously.
We also don't plan to use any separate Authentication server, we plan to embed security into web application(back end) itself.
I've been investigating 2 different approaches. The first is the usual Spring @EnableWebSecurity approach. This seems pretty straightforward, but some people say it will create "sessions", which are bad for the server. Sessions will consume lots of memory, and the overall impact on performance will be bad. Is it true?
The other approach is to use the Spring OAuth2 implementation. I didn't have time to study it properly; it seems a little bit of an overkill to me. Is it worth studying for our needs? (We are running out of time, btw.)
I also need to have a proper DB structure for the security needs.
So the question is, what is the best approach for our situation? Are there any open source projects solving a similar issue? I would appreciate any help.
Thank you.
Whatever technology you use for authentication, you will require sessions to maintain the state of the authenticated user. You can use Spring Security alone or with OAuth2.
I'd suggest, for simplicity, going with Spring Security with token functionality.
You can also find a good blog on Spring Security and OAuth:
Securing REST Services with Spring Security and OAuth2
For more clarification you can also visit here
Sessions should only take up a lot of memory if you were to store large amounts of data in the session. So long as you don't do that there won't be any problem. You will need to make your own authentication decision based on your acceptable levels of security and user experience; there is no one 'right' answer. Spring Security and sessions have already been discussed here: How can I use Spring Security without sessions?
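As an added example (not code from the thread), this is the "Spring Security with token functionality" the earlier answer suggests, done without any HttpSession, which also covers the asker's "destroy that session whenever necessary" requirement. Each client holds an opaque random token; the server stores only its SHA-256 hash with the user, roles and expiry, so revocation is one row update and a leaked DB dump does not hand out live tokens. TokenRepository and TokenRecord are assumed interfaces you would back with JDBC; the APIs are Spring Security 6 / jakarta.servlet. Compared with a JWT, every request costs one indexed lookup, but a token can be killed instantly.

```java
package com.example.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HexFormat;
import java.util.List;
import java.util.Optional;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Service;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example, not code from the thread. One row per issued token; only the hash is stored.
record TokenRecord(String tokenHash, String username, List<String> roles, Instant expiresAt, boolean revoked) {}

// Assumed interface: back it with JdbcTemplate over a table indexed on token_hash.
interface TokenRepository {
    Optional<TokenRecord> findByHash(String tokenHash);
    void save(TokenRecord record);
    void revokeByHash(String tokenHash);        // logout of one device
    void revokeAllForUser(String username);     // "destroy the session" for one user
}

@Service
class TokenService {
    private static final SecureRandom RNG = new SecureRandom();
    private final TokenRepository repo;
    TokenService(TokenRepository repo) { this.repo = repo; }

    // Issues a 256-bit random token; the raw value is shown to the client once and never stored.
    String issue(String username, List<String> roles, long ttlSeconds) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        repo.save(new TokenRecord(hash(token), username, roles, Instant.now().plusSeconds(ttlSeconds), false));
        return token;
    }

    Optional<TokenRecord> validate(String token) {
        return repo.findByHash(hash(token))
                .filter(r -> !r.revoked() && r.expiresAt().isAfter(Instant.now()));
    }

    void revoke(String token) { repo.revokeByHash(hash(token)); }

    static String hash(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return HexFormat.of().formatHex(md.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}

class OpaqueTokenFilter extends OncePerRequestFilter {
    private final TokenService tokens;
    OpaqueTokenFilter(TokenService tokens) { this.tokens = tokens; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            tokens.validate(header.substring(7).trim()).ifPresent(rec -> {
                var authorities = rec.roles().stream().map(SimpleGrantedAuthority::new).toList();
                SecurityContextHolder.getContext().setAuthentication(
                        UsernamePasswordAuthenticationToken.authenticated(rec.username(), null, authorities));
            });
        }
        // Unknown, expired or revoked token: context stays empty and the rules below answer 401.
        chain.doFilter(req, res);
    }
}

@Configuration
@EnableWebSecurity
class TokenSecurityConfig {
    @Bean
    SecurityFilterChain chain(HttpSecurity http, TokenService tokens) throws Exception {
        http.csrf(c -> c.disable())   // bearer header, not a cookie: CSRF does not apply
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling(e -> e.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .addFilterBefore(new OpaqueTokenFilter(tokens), UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(a -> a.requestMatchers("/api/auth/**").permitAll().anyRequest().authenticated());
        return http.build();
    }
}
```

Memory per "session" here is zero on the application server; the state lives in one small table, which is also where the PIN-reset and forced-logout operations the question asks for naturally go (revokeAllForUser when the PIN is changed or destroyed). At 1000 concurrent users the per-request lookup is negligible next to the rest of the request.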
I need to make a simple CRUD application with user registration and authentication using Spring Boot, but I have some trouble figuring out how to do this right. I have created a user table in the RDBMS and set up Redis for storing user sessions as explained here.
The Spring Boot docs say that
If Spring Security is on the classpath then web applications will be secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository interfaces and after starting my application I can GET their data using a browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked whether Spring Security is on the classpath with the gradlew dependencies command, and it appears to be there:
Also the default user password that should be displayed during application start-up does not show up. So maybe I am missing something here?
Also I am not sure if that would be the best option for a mobile app, because it possibly uses short-lived tokens. There are several other options, among which using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using the approach that was used in the Angular web app, and finally stateless authentication with OAuth 2.0. Directly opposite to the author of the Angular web app tutorial, who claims
The main point to take on board here is that security is stateful. You can't have a secure, stateless application.
So how do we need to pass token? How long should it live? Do we need to make additional XSRF token or not? Should we use out of the box solution or implement own one? Can we make it stateless?
I've been tasked with creating a Security Proxy service. The idea is that if the backend security provider changes there is no impact on the main application. This ideally is what the backend security provider is for, but I have been tasked with creating a separate service which will effectively be a proxy to the backend security provider.
I don't want to have to write a complete security module to do something that is already done by a dozen services. I want to be able to set up a service that can be updated if need be.
I am wondering if anyone knows of a solution which can take care of this with minimal coding/configuration?
Any help would be useful, if you want more information please comment and I'll try and enrich as best I can.
[Front end is Tomcat Web Application written in Java (and GWT), Spring Security is preferable]
[Backend is SiteMinder (at the moment)] http://www.ca.com/us/internet-access-control.aspx
[I have been looking at CAS but wanted to ask a learned community before deciding how best to proceed]
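As an added example (not code from the thread), this is the minimal-coding way to sit a Spring Security application behind SiteMinder: Spring Security's pre-authentication support. The SiteMinder web agent authenticates the user and forwards the request with the SM_USER header; RequestHeaderAuthenticationFilter reads that header as the principal and a PreAuthenticatedAuthenticationProvider loads roles from your own UserDetailsService. RequestHeaderAuthenticationFilter, PreAuthenticatedAuthenticationProvider and the SM_USER header name are real Spring Security / SiteMinder conventions; the class name and the UserDetailsService bean are assumptions, and the APIs are Spring Security 6.

```java
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

// Added example, not code from the thread. Trusts the SM_USER header that the SiteMinder
// agent sets and resolves roles locally, so swapping the provider later means swapping
// this filter, not touching the application.
@Configuration
@EnableWebSecurity
public class SiteMinderSecurityConfig {

    @Bean
    AuthenticationManager authenticationManager(UserDetailsService userDetailsService) {
        // No password check: the user is already authenticated upstream. The provider only
        // maps the pre-authenticated principal (username from SM_USER) to your own roles.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));
        return new ProviderManager(provider);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager)
            throws Exception {
        RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
        siteMinderFilter.setPrincipalRequestHeader("SM_USER");
        // Fail closed (the default, made explicit): a request without the header is rejected
        // rather than treated as anonymous.
        siteMinderFilter.setExceptionIfHeaderMissing(true);
        siteMinderFilter.setAuthenticationManager(authenticationManager);

        http
            .addFilterBefore(siteMinderFilter, UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

The check a practitioner wants before deploying this: the Tomcat instance must be reachable only through the SiteMinder-protected reverse proxy (network ACLs or a proxy-to-app shared secret), because the filter believes whatever SM_USER says. If the application port is reachable directly, anyone who can send `SM_USER: admin` is logged in as admin. That trust boundary, not the filter, is the part to document when the proxy service changes providers.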