I have access to a web application which has a link to another application I'm developing. When that link is clicked the URL is filled with two parameters: user, and token.
This token is generated per every user login on that very same web application.
I want to use that token and user to authenticate someone in the application I'm developing!
I have access to the source app's database in order to query against the token and username.
However I need help finding a way to implement this logic with Spring-Boot. Do I need a custom filter / authentication provider? How to wire these things up with Spring?
I want to stick to the framework rather than developing my own solution for this.
TL;DR: I need help securing a RESTful controller with a token I obtain through GET
Thank you!
Yes, you could write filter to authenticate token.
If you want make architecture a bit better I would recommend creating gateway (i.e. Zuul) and invoke second application through gateway. Implement gateway to authenticate requests. In my architecture I create separate Auth component to generate token and validate token. Gateway could call Auth to validate token.
Related
I'm learning Ouath2 implementation in spring boot below way.
I want user to authorize himself first and then get a token, once get a token I want user to send that token with its REST API request to get resources.
Then resource server will verify the token and once valid will release the resource back to user request.
I know there are many examples and studies are available, but what I have observed that, most of the example are using GOOGLE, FACEBOOK etc to authenticate their user, that's not gonna help to understand my learning to develop everything manually for better understanding.
My ask is, Is anyone can share any example or references where I have control over (user authentication process + release token) and once user has token, then on resource server (validate the token with authorization server + full fill user request) I could implement token validation and return result ?
I'm want to do this authentication mechanism by myself for b. Is there any open source example is available just for learning purpose ?
All suggestions are welcome
The name of the thing your are looking for is Keycloak or Okta (these two are most popular). There are a lot of tutorials of course.
I have a web application that provides several rest services (Jersey). Most of the endpoints are secured by BASIC authentification. Further more I use SSL for transport and demand POSTs for every call.
The clients/consumers are android apps.
So far so good. The only service that seems to be vulnerable is the registration. It's the 'first' service to call and a user does not exist yet. So I cannot use OAuth, etc. I also have to keep the endpoint easy accessible to enable the user to regster.
How do I secure this service, so it's not spammed by a bot flooding my database?
How about these?
Use a registration link with a token in the request parameter. Ensure that the tokens expire after sometime. You could create a token endpoint url as well for a client to get a valid token.
Use a custom header or a dynamic custom header in your request. Additionally, you could check for a dynamic custom header to validate the request's authenticity.
Use registration confirmation workflows, such as an email / text verification as soon the registration is done. Run a process every day to delete any user accounts, which are not validated in say x days.
I do not think you can really secure the registration URL in a HTTP way. IMHO, anyone who has the registration url can be a right guy trying to register. So if you ask me, option 3 is better than others.
I have a spring boot web app with spring security integrated with LDAP authentication. This web app internally makes REST calls. These REST calls are having username-password authentication. This username-password is the same used by spring security. Is there anyway I can get the username-password authenticated by spring security, so as to use in the REST calls. If not this way, is there any other way to achieve this.
Thanks in advance.
There is a quite nice way that I think fit your case.
By default Spring Security does not store the password in memory after authentication has been made, so you need to change that. With Java config, add in configure(AuthenticationManagerBuilder) method:
auth.eraseCredentials(false);
Then you can get the username and password for the current user with:
String username = SecurityContextHolder.getContext().getAuthentication().getName();
Object rawPassword = SecurityContextHolder.getContext().getAuthentication().getCredentials();
Spring Security is performed based on the rule in the security properties.
This means that you just need to have spring-security enabled, the only problem is that if not authorised it will go to the Not Authorised Page which a Restful client will not understand. But if the Restful client has authenticated and been granted a valid session then it will be able to get past the Security_check and access the protected page.
I guess Spring security is working like AOP so each protected page has a Security_check crosscut that only allows access to the page if the authentication is there.
Anyway, I solved the problem writing a custom AuthenticationProvider, which will perform the LDAP authentication and get the username-password for the future REST calls.
I want to create a REST API on Java Servlet for user authentication using simple Oauth and JSON. When the user login correctly, it will generate a unique access token. The token will be used as a representation of user session state. Then, the token will be used when the user access certain pages.
Can you give me an example or reference link?
You can implement this API that is used for security systems
http://shiro.apache.org/webapp-tutorial.html
You can use JHipster project. This generator of Web application generate a backend with Spring MVC, Spring Core, Spring Security and Oauth Token.
Exemple of Web site generate by JHipster: http://www.tests-psychotechniques.fr
I want to secure my rest services with spring security using token based authentication.
My approach here is with the help of filters every request has to validate whether it have a valid access token which is already created through loginservice and saved in hashmap.
Now what am excepting here is all the process done so far is handled by developer . How it can be given to spring security to handle all those stuffs?
Is OAuth is suits for this rest service authentication?
Thanks in advance