I'm new to the Play framework and want to implement some authentication for my webapp.
I already have some experience with Spring and Spring Security and want to use them, but I'm not sure if this makes sense, because Spring Security is mainly for the Servlet API.
Does it make sense to integrate Play with Spring Security?
Thanks.
After further searches I have found this post:
https://groups.google.com/d/msg/play-framework/K7l6vHa0UUA/MYDlsaIfJEMJ
It seems to be possible, but still a lot of Play specific implementations (filter, etc.) have to be done.
You should - perhaps - look at Deadbolt 2. It is a dedicated solution, so it will run out of the box.
Yes, it makes sense to use spring security with play. Spring security has been used in lots of projects, and writing secure code is much harder than it looks.
You have two problems. One is authentication. You need to do something to achieve authentication. This means either twiddling play so it becomes a stateful container (but then again, why would you use play at all in this case?) or throwing spring-security-web and deadbolt very hard at each other so you use spring for authentication, but integrate with the cookie goodness of play so you don't have to store stuff in a session object on the server side. I would suggest you fetch the authorities that drive authorization from somewhere for every request, though. You want to keep the session size down.
The Security object also has some good hints on how to go about doing this.
Authorization in spring is not hard to handle as long as you have got an authentication object stored in a threadlocal or something. Create something that calls the spring access decision voters in a wrapper - something like
def handleRequest(...) = {
  withAuthorization(<list of roles necessary>) {
    // service code
  }
}
should do the trick. For added goodness, add a flag in a threadlocal when you do this - the presence of the flag makes it easy to write assertions in your tests that require authorization to have taken place. This is one of the biggest security issues for developers out there - see https://cwe.mitre.org/data/definitions/862.html
Hope this helps.
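The wrapper sketched in the answer, written out as an added example (not the answerer's code): Spring's voters decide before the body runs, and a thread-local flag records that the check took place so tests can assert on it. The class name Authorized, the method withAuthorization and the way the Authentication reaches the SecurityContext are assumptions.

```java
import java.util.Collections;
import java.util.List;
import java.util.concurrent.Callable;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Runs Spring's access decision voters before a block of service code (example, not from the page). */
public final class Authorized {
    // Set while authorized code runs; tests assert on it to prove the check happened (CWE-862).
    private static final ThreadLocal<Boolean> CHECKED = ThreadLocal.withInitial(() -> false);

    // RoleVoter votes on attributes prefixed "ROLE_"; AffirmativeBased grants on any grant vote.
    private static final AccessDecisionManager DECISIONS;
    static {
        List<AccessDecisionVoter<?>> voters = Collections.singletonList(new RoleVoter());
        DECISIONS = new AffirmativeBased(voters);
    }

    private Authorized() {}

    /** Calls body only if the current Authentication holds one of the given roles. */
    public static <T> T withAuthorization(List<String> roles, Callable<T> body) throws Exception {
        // Assumed: the Authentication was already put into the thread-local SecurityContext for
        // this request by whatever reads the Play cookie and rebuilds the principal.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // decide() throws AccessDeniedException (or InsufficientAuthenticationException) on failure
        DECISIONS.decide(auth, body, SecurityConfig.createList(roles.toArray(new String[0])));
        boolean outer = CHECKED.get();
        CHECKED.set(true);
        try {
            return body.call();
        } finally {
            CHECKED.set(outer); // restore so a nested call does not clear the flag early
        }
    }

    /** For tests: true only while code that passed withAuthorization is running. */
    public static boolean authorizationChecked() {
        return CHECKED.get();
    }
}
```

A service test can call the service with a non-authorized principal in the SecurityContext and expect AccessDeniedException, and with an authorized one assert that authorizationChecked() was true inside the body.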
Related
What I'm trying to do is to create an application with Angular frontend and Spring Boot backend with OAuth2 authentication.
The issue is that I don't know how to get on the frontend the ROLES the user has, so that I'll be able, for instance, to show something role-based on the page. Yes, there are scopes that OAuth provides in the response, but the problem is that these scopes are for the CLIENT and not for the specific USER itself. And that CLIENT is my frontend side (correct me if I'm wrong), which basically means that every user operating my application (client) is going to have the same scopes (roles). Moreover, I can specify roles on the backend with the help of Spring and UserDetailsService and then use those roles with @PreAuthorize, etc. But not on the frontend side.
Just as an example, if I simply used single JWT then with a token itself I'd return both the username and roles to frontend. And then I could store that data and use it on the frontend side according to my needs.
So what I'm asking is if it's actually possible and if this is correct to do so?
And how can I possibly implement such behavior?
OAuth doesn't solve this problem and it is best solved via claims in your API. OAuth should deal with authentication only. My below post may help you to think about the best separation: https://authguidance.com/2017/10/03/api-tokens-claims/
In a nutshell you will have to look up user rights such as roles after the OAuth processing completes.
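One way to do the lookup the answer describes, as an added example (not the answerer's code): a Spring Security 5 resource server converter that takes the validated token's subject, reads that user's roles from our own store, and exposes them on a small endpoint for the Angular app. RoleLookupConverter, MeController, the /api/me path and the rolesBySubject lookup are assumptions.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Builds the Authentication from an already validated access token, taking the authorities from
 * our own user store instead of the token's scopes (scopes describe the client, not the user).
 * Wired with: http.oauth2ResourceServer(rs -> rs.jwt(j -> j.jwtAuthenticationConverter(converter)))
 */
public final class RoleLookupConverter implements Converter<Jwt, AbstractAuthenticationToken> {
    // Hypothetical lookup, e.g. a JPA query on a user_roles table keyed by the token subject.
    private final Function<String, Collection<String>> rolesBySubject;

    public RoleLookupConverter(Function<String, Collection<String>> rolesBySubject) {
        this.rolesBySubject = rolesBySubject;
    }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        // Runs after signature and expiry checks, so "sub" is a trustworthy user identifier.
        Collection<GrantedAuthority> authorities = rolesBySubject.apply(jwt.getSubject()).stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role)) // matches hasRole()/@PreAuthorize
                .collect(Collectors.toList());
        return new JwtAuthenticationToken(jwt, authorities);
    }
}

/** Endpoint the frontend calls once after login to learn the user's roles for role-based UI. */
@RestController
class MeController {
    @GetMapping("/api/me")
    Map<String, Object> me(Authentication auth) {
        List<String> roles = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
        return Map.of("username", auth.getName(), "roles", roles);
    }
}
```

The roles the frontend receives only decide what it shows; the backend keeps enforcing them with @PreAuthorize, since anything held in the browser can be altered.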
There is a great video from Spring developer on YouTube about OAuth2/OpenID Connect. It shows how to implement the resource server using the newest Spring Security 5 solution.
Probably the easiest and best way to achieve this is to use an OpenID Connect server which will provide all the user management stuff. On the market there are many solutions. Auth0 and Okta are identity clouds which provide their services for a small amount of money. On the other hand you have Keycloak, which is a server you can install in Docker or even on bare metal - it's free and open-source.
Actually I'm just starting to play around with Spring MVC in a webapp and I have stumbled across Spring Security, which handles the authentication and session. My question is how does it handle sessions, and can I create my own session id reference for Spring Security to use? I did use Spring Security but somewhat I feel blinded by its process. Another thing is, can I add my own session service that I can control more? If it's implementable, can you give me an insight into where I can start. Furthermore I'm sorry for my English and if it is a duplicate question, though I think that the topics concerning Spring Security don't satisfy what I had in mind... Thanks for the feedback...
Spring Security handles sessions nicely on its own. If you make a request, it'll append the session id in the response. You can read it and store it if you want to, so you can send it back as a cookie. We use this method with our Android application, because it does not handle it automatically as web browsers do.
If you're making a web application, the browser will store and send back the session id, so you don't have to worry about it.
It seems that the Spring Security implementation is not tied to the HTTP session directly. Take a look at the package org.springframework.security.core.session: there are SessionCreationEvent, SessionDestroyedEvent and SessionInformation. SessionInformation assumes that you have a String ID for the session but nothing else.
Now if you take a look at SessionRegistryImpl, the javadoc says you have to add org.springframework.security.web.session.HttpSessionEventPublisher to your web.xml for the registry to be notified of the session events. So if you want to provide your own implementation of session management, just replace HttpSessionEventPublisher with your own implementation.
I want to have authorization in my Java EE application.
Online it describes how you should define the roles in sun-web.xml. However I would like to have all my roles, and groups defined in a database table.
That means, when I access a method for my application, the request needs to be intercepted to see if the user is allowed in the role.
Do I need to
create some kind of interceptor class that checks auth as user makes call to my web service method
create a custom Login Module that fishes out the group and role data from the database when a user first logs on
Any pointers would be really helpful.
First of all: I would strongly suggest using standard authorization mechanisms.
But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server
Roles have to be declared in the web.xml or sun-web.xml.
Frameworks
The next thing I would look into are frameworks that could help you with that. The link will provide you with two suggested frameworks.
Building your own
If you don't need it for productive purposes, I would suggest the following:
use Filters to check for authorization and authentication: Filters are fairly easy to use, very powerful and often used for security purposes. See http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filters.
For the login, you could probably just stick with the standard form-based login.
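The Filter approach from the answer, as an added example (not the answerer's code): the container's form-based login supplies the user, and the filter reads that user's roles from a database on every request and denies anything not explicitly allowed. DbRoleAuthorizationFilter, the RoleRepository DAO, the "roleRepository" context attribute and the path-to-role table are assumptions constructed for the example.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Authorization filter whose role data comes from a database table instead of sun-web.xml. */
@WebFilter("/api/*")
public class DbRoleAuthorizationFilter implements Filter {
    public interface RoleRepository { Set<String> rolesFor(String username); } // hypothetical DAO

    // Constructed mapping for the example: path prefix inside the app -> role allowed to call it.
    static final Map<String, String> REQUIRED_ROLE = Map.of(
            "/api/admin/", "ADMIN",
            "/api/reports/", "ANALYST",
            "/api/", "USER");

    private RoleRepository roles;

    @Override
    public void init(FilterConfig cfg) {
        // Assumed: a ServletContextListener stored the DAO under this attribute at startup.
        roles = (RoleRepository) cfg.getServletContext().getAttribute("roleRepository");
    }

    /** Longest matching prefix wins; null means no rule, which doFilter treats as deny. */
    static String requiredRole(String path) {
        String best = null;
        for (String prefix : REQUIRED_ROLE.keySet()) {
            if (path.startsWith(prefix) && (best == null || prefix.length() > best.length())) best = prefix;
        }
        return best == null ? null : REQUIRED_ROLE.get(best);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String user = request.getRemoteUser(); // set by the container's form-based login
        if (user == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        // servletPath + pathInfo is the decoded, container-normalized path inside the application
        String path = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());
        String needed = requiredRole(path);
        // Deny by default, re-checked on every request so a role change in the DB applies at once.
        if (needed == null || !roles.rolesFor(user).contains(needed)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); return;
        }
        chain.doFilter(req, res);
    }
}
```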
I'm new to web applications and security and I have a basic question.
Imagine a single Java web application with a single database but multiple accounts. Let's think about a to-do list for simplicity, where people can access only their own 'items' at /item/item-id. E.g.:
User1 creates items 1 and 2;
User2 creates items 3 and 4;
How do I prevent User2 from accessing /item/1 for instance?
This seems to go beyond Authentication (who is this?) and Authorization (what role does he/she have?) to me.
Should I keep a persisted map of user-items and check every time before returning a response?
Are there any Spring (or other) tricks/helpers for this problem?
Authorization isn't "What role do you have?". It's "Are you allowed to do this?". The role will play a part in deciding if the subject is allowed.
What you are describing is exactly the purpose of authorization.
User2 is trying to access (think of CRUD in HTTP GET, POST, DELETE, PUT) the resource at /item/1. Are they allowed? No. So deny them access.
Should I keep a persisted map of user-items and check every time before returning a response?
How you perform authorization is up to you. Spring security definitely offers some good tools to do it from a database while separating that logic from your application logic (if need be).
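The Spring Security tools the answer alludes to, shown as an added example (not the answerer's code) for the to-do case: ownership is persisted with the item and checked by method security, once on the returned object and once through a bean called from SpEL. Item, ItemRepository, ItemAccess and ItemService are constructed for the example.

```java
import java.util.Optional;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Constructed domain object for the to-do example: each item remembers who created it. */
class Item {
    private final long id;
    private final String owner;
    Item(long id, String owner) { this.id = id; this.owner = owner; }
    public String getOwner() { return owner; } // SpEL reads this as returnObject.owner
}

/** Hypothetical persistence interface; a Spring Data repository would provide the same methods. */
interface ItemRepository {
    Optional<Item> findById(long id);
    void deleteById(long id);
}

/** Answers "may this user act on that item?" from persisted ownership rather than from a role. */
@Component("itemAccess")
class ItemAccess {
    private final ItemRepository items;
    ItemAccess(ItemRepository items) { this.items = items; }

    public boolean owns(long id, String username) {
        return items.findById(id).map(i -> i.getOwner().equals(username)).orElse(false);
    }
}

/** Needs @EnableMethodSecurity (or @EnableGlobalMethodSecurity(prePostEnabled = true)) on a config class. */
@Service
public class ItemService {
    private final ItemRepository items;
    ItemService(ItemRepository items) { this.items = items; }

    // Checked on the way out: User2 calling get(1) gets an AccessDeniedException, not User1's item.
    @PostAuthorize("returnObject.owner == authentication.name")
    public Item get(long id) {
        return items.findById(id).orElseThrow(() -> new IllegalArgumentException("no item " + id));
    }

    // Checked on the way in: the SpEL calls the itemAccess bean before the body runs.
    // "#id" needs parameter names at runtime (compile with -parameters or annotate with @P("id")).
    @PreAuthorize("@itemAccess.owns(#id, authentication.name)")
    public void delete(long id) {
        items.deleteById(id);
    }
}
```

In the controller layer, map the AccessDeniedException to the same 404 a nonexistent item produces, so the response does not confirm to User2 that /item/1 exists.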
I'd also like to recommend another security framework: Apache Shiro. I think it's a little easier to configure than Spring Security and I find its authentication/authorization logic more straightforward.
In addition to Spring Security and Apache Shiro, you want to consider XACML-based authorization frameworks e.g. SunXACML, WSO2, Axiomatics (disclaimer: I work for Axiomatics).
XACML is the eXtensible Access Control Markup Language. It's the de-facto standard for fine-grained authorization. Much like SAML is great at identity federation / SSO, XACML helps you achieve authorization.
XACML gives you an architecture (see picture below) as well as an authorization language which you can use to express specific authorization scenarios e.g.
doctors can view medical records of patients they are assigned to
nurses can view medical records of patients that belong to the same clinic
patients can view their own records and that of patients for whom they are the guardian
You can have as many rules as you like. There is no limit.
I'm trying to get Spring Security to handle authorization via GET variables. All the examples I've been able to find focus pretty much entirely on role-based authorization, which doesn't really work for my application. The way the authentication/authorization process needs to work is as follows:
1. User authenticates through external system, gets a session ID.
2. User passes two GET parameters to my application, sessionId and objectId.
3. Application verifies that session is valid (already figured this part out)
4. Application verifies that the object is visible to the user (need help here)
5. Application returns object information to the user
All the examples I've seen have been demonstrating how powerfully Spring Security can check a granted authority on a URL pattern or a Java method. But I need to implement a custom check on step 4 to make sure that the user has the correct permissions in the backend (users can be granted object-specific rights, so a role approach won't work here).
I am new to Spring Security, so it could be that my thought process is just all sorts of wrong. If I am, feel free to correct me!
You need to use the ACL feature, or you can emulate the same thing via some custom code (for example via a custom web security expression). See this post for details.
I think you need to look at the Pre-Authentication Scenarios section in the documentation. In particular, you will probably need to implement an AbstractPreAuthenticatedProcessingFilter to pre-authenticate the user based on the GET parameters.
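What such a filter looks like, as an added example (not the answerer's code): it reads the sessionId parameter, asks the external system which user it belongs to, and lets the pre-authentication provider load that user's authorities. ExternalSessionFilter and the SessionLookup client are assumptions; the UserDetailsService is whatever the application already has.

```java
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;

/**
 * Covers steps 1 to 3: the external system already authenticated the user, so this filter only
 * maps a valid sessionId parameter to a Spring Security Authentication. Step 4 (is the object
 * visible to this user?) stays a separate authorization check on the secured method.
 */
public class ExternalSessionFilter extends AbstractPreAuthenticatedProcessingFilter {
    /** Hypothetical client for the external system: username for a live session, else null. */
    public interface SessionLookup { String usernameFor(String sessionId); }

    private final SessionLookup sessions;

    public ExternalSessionFilter(SessionLookup sessions, UserDetailsService users) {
        this.sessions = sessions;
        // The provider trusts the principal this filter supplies and loads its authorities by username.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<>(users));
        setAuthenticationManager(new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider)));
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String sessionId = request.getParameter("sessionId");
        if (sessionId == null || sessionId.isEmpty()) {
            return null; // no principal: the filter does nothing and later access rules deny the request
        }
        return sessions.usernameFor(sessionId); // null for an unknown or expired session, same effect
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the external system already checked the credentials
    }
}
```

Because the sessionId travels in the query string it will appear in server logs and browser history; if the external contract can change, a header or cookie is the safer carrier.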