I have a spring boot web app with spring security integrated with LDAP authentication. This web app internally makes REST calls. These REST calls are having username-password authentication. This username-password is the same used by spring security. Is there anyway I can get the username-password authenticated by spring security, so as to use in the REST calls. If not this way, is there any other way to achieve this.
Thanks in advance.
There is a quite nice way that I think fit your case.
By default Spring Security does not store the password in memory after authentication has been made, so you need to change that. With Java config, add in configure(AuthenticationManagerBuilder) method:
auth.eraseCredentials(false);
Then you can get the username and password for the current user with:
String username = SecurityContextHolder.getContext().getAuthentication().getName();
Object rawPassword = SecurityContextHolder.getContext().getAuthentication().getCredentials();
Spring Security is performed based on the rule in the security properties.
This means that you just need to have spring-security enabled, the only problem is that if not authorised it will go to the Not Authorised Page which a Restful client will not understand. But if the Restful client has authenticated and been granted a valid session then it will be able to get past the Security_check and access the protected page.
I guess Spring security is working like AOP so each protected page has a Security_check crosscut that only allows access to the page if the authentication is there.
Anyway, I solved the problem writing a custom AuthenticationProvider, which will perform the LDAP authentication and get the username-password for the future REST calls.
Related
I've a Java Spring Web application (no Spring Boot) with a "standard" authentication mechanism using database user credentials (It uses Spring Security lib).
Now I need to know if is it possible to include a second auth method with an external Identity Provider and a SSO login.
For example: A user with a specific e-mail domain ex: userX#domain1.com, login with his DB credentials but another type of user (ex: userY#domain2.com) need to be able to login against an external IDP.
I've already developed a bunch of application with Spring Security SAML lib with ADFS or OpenAM but that was the only login method for all the users.
If is it possibile, how I need to setup the Spring Security Configuration in order to achive this? Maybe I should use a multi-provider config?
Thanks.
Supporting multiple authentication mechanisms can be achieved by checking the user domain and redirecting to your own service that supports UserNamePassword based DB authentication or redirecting to the SSO service.
And for configuring Spring Security, you can create separate implementations extending
org.springframework.security.authentication.AuthenticationProvider
Checkout this link that guides on how to implement multiple authentication mechansism
For SSO specificly, you have to configure a redirectURL with the SSO provider, that internally calls your API with the SAML response.
SSO with spring security
I have access to a web application which has a link to another application I'm developing. When that link is clicked the URL is filled with two parameters: user, and token.
This token is generated per every user login on that very same web application.
I want to use that token and user to authenticate someone in the application I'm developing!
I have access to the source app's database in order to query against the token and username.
However I need help finding a way to implement this logic with Spring-Boot. Do I need a custom filter / authentication provider? How to wire these things up with Spring?
I want to stick to the framework rather than developing my own solution for this.
TL;DR: I need help securing a RESTful controller with a token I obtain through GET
Thank you!
Yes, you could write filter to authenticate token.
If you want make architecture a bit better I would recommend creating gateway (i.e. Zuul) and invoke second application through gateway. Implement gateway to authenticate requests. In my architecture I create separate Auth component to generate token and validate token. Gateway could call Auth to validate token.
I have been following the example in this tutorial: https://spring.io/blog/2015/01/28/the-api-gateway-pattern-angular-js-and-spring-security-part-iv
In brief:
I have a server called UI that has some html and angular js.
I have a server called resource that has a RestController who is serving the content from a DB. All the calls must be authenticated.
The UI server has a login page which works with spring http basic login and creates a spring session that is stored in a Redis server and it is shared to the resource server. When i have some dummy users in memory authentication everything works fine.
The question is:
I want my UI server to be able to perform a login with real users, that exist in the DB. The UI server should not have any DB related code (not knowing its existence) but it should call a REST service in the resource server. The only way i was thinking (but is sounds wrong to me) is to implement a userDetailsService bean in the UI and the loadUserByUsername method should call a rest service from the resource server (e.g. /getUser). The rest service should return all the user details including credentials and roles for the given username. However, to my understanding, this service cannot be secured (for the call to be successful) which compromises the entire security.
I am open to all suggestions and recommendations. Bare in mind this is my first attempt to work with Spring.
Thank you in advance,
Nicolas
In case that someone is interested how i tackled this..
I decided to do the prudent thing and study spring security.. :)
My answer is to use a custom AuthenicationProvider in my UI server, which will call an unprotected rest login service in the resource server, which in turn validate the user against the DB.
If the response is successful (e.g. a user object could be returned with username, password, roles) then i will create a UsernamePasswordAuthenticationToken object out of it and return it.
If the response is NOT successful (e.g. return object was null or an exception was thrown) then i will either return null or throw an AuthenticationException, it depends on how Spring behaves... I haven't reached that part of studying yet..
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#tech-intro-authentication
Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.
Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements
Features
Comprehensive and extensible support for both Authentication and Authorization
Protection against attacks like session fixation, clickjacking, cross site request forgery, etc
Servlet API integration
Optional integration with Spring Web MVC
I want to secure my rest services with spring security using token based authentication.
My approach here is with the help of filters every request has to validate whether it have a valid access token which is already created through loginservice and saved in hashmap.
Now what am excepting here is all the process done so far is handled by developer . How it can be given to spring security to handle all those stuffs?
Is OAuth is suits for this rest service authentication?
Thanks in advance
I'm hosting a REST web service in a Grails application, using Spring Security, i.e.:
#Secured(['IS_AUTHENTICATED_REMEMBERED'])
def save = {
println "Save Ride REST WebMethod called"
}
I'm calling it from an Android app. (Calling the unsecured service works just fine.)
To call the service, I'm manually building up a request (HttpUriRequest) and executing it with an HttpClient.
I'm wondering what the best practices are, and how to implement them... Specifically, should I:
Perform a login once, to retrieve a JSESSION_ID, then add a header containing it into the HttpUriRequest for each subsequent request?
Or (not sure how I would even do this) include the login and password directly on each request, foregoing the cookie/server-side session
I think I can get option 1 working, but am not sure if Spring Security permits (2), if that's the way to go... Thanks!
--also, there isn't any library I'm missing that would do all this for me is there? :)
Spring security does support both basic authentication and form based authentication (embedding the username/password in the URL).
A REST service is generally authenticated on each and every request, not normally by a session. The default spring security authentication (assuming you're on 3.x) should look for basic authentication parameters or form parameters (j_username and j_password) (in the form http://you.com/rest_service?j_username=xyz&j_password=abc).
Manually tacking the j_username/j_password onto the URL, adding them as post parameters (I believe), or setting the basic authentication username/password should all work to authenticate a REST service against the default Spring Security interceptors, right out of the box.
I will admit that I haven't tried this on REST services, though I do clearly recall reading exactly this in the docs as I did the same for basic page logins on spring security recently. Disclaimer over.
I think you can use a login-once-and-get-a-token method that's similar to how oauth works.
sending username and password across the network outside of secured channel(https/ssl) is a terrible idea. anyone on the network can sniff your request package and see the clear text password.
on the other hand, if you use a token method, since the token string is randomly generated, even the token is compromised, the worst case is someone can use the token accessing your REST API.
another solution is going through ssl tunnel(HTTPS). i have actually done a comparison and result shows: 80 requests/min(https) vs 300 requests/min(http)