I am starting with new Spring project where i am planning to use SSO. I have red the blogs and come to know spring security SAML will be best solution for SP.
So i have implemented Spring Security SAML sample application provided by spring site https://github.com/SpringSource/spring-security-saml as SP along with Shibboleth IDP.
IDP connects with LDAP server. I am able to execute the Spring security sample application.
I am confused how can i use this Spring security SAML extension along with multiple spring projects.
Any example link or suggestions on architecturing the Spring SAML project integration with multiple Spring MVC application will be helpful.
Provided your REST APIs are only called by the web application which is deployed together with them (in a single war and therefore sharing the same HTTP session) you can use Spring SAML + Spring Security to secure them.
Spring SAML will be used to authenticate the users against a remote IDP and populate their entitlements (granted authorities); Spring Security can then be used to define security policies for the APIs called from the UI.
In case you want to be able to call the REST APIs from remote clients, you may want to look into the Spring Security OAuth project - as this is no longer about web single sign-on.
It is possible to create a central installation of Spring SAML which handles all SSO logic. Of course you will need to implement a mechanism in which Spring SAML relays information about the authenticated user and her attributes to your other applications, and do so in a secure way. One possible way to approach it (provided the applications are deployed on the same domain and therefore can share cookies) is to:
after authentication in Spring SAML set a shared cookie which is visible to all the other applications and which is e.g. signed by the Spring SAML's key, or encrypted using a shared key, the cookie should also contain user's attributes
this can be done in a custom AuthenticationSuccessHandler which is subsequently expected to redirect user to the correct application (e.g. based on some custom logic or relay state)
the target application needs to verify the cookie (by checking the signature or decrypting using a shared key, possibly performing other checks), parse the attributes and start own session which is pre-authenticated based on the content of the cookie
All of this can be done with implementations to standard interfaces of Spring Security and Spring SAML. But it's not a trivial task - mainly considering that any security vulnerability in your implementation might compromise security of your applications.
Related
I'm trying to integrate my Spring app with governmental system responsible for user's authentication (SAML). The main concept is that "my" app is receiving already logged user with so called assertion. And the point is how can I customize Spring Security to recognize mentioned before assertion as proof that user is authenticated. Or maybe should I write my own filters instead of using Spring Security?
Unfortunately I can't share the code - company policy ;(
Any feedback is appreciated.
Maciek
If you receive a SAML assertion (it's easy to see, it's a whole XML packet), you absolutely need a library to deal with that complexity.
pac4j (security engine for Java) supports the SAML protocol. So either you keep Spring Security and use the pac4j extension for Spring Security: spring-security-pac4j or you directly use the pac4j security libraries for Spring MVC/Boot: spring-webmvc-pac4j or for J2E: j2e-pac4j for example.
I have misunderstanding security in microservices in spring boot (and general). I want to build a project using Spring framework and microservices but in architecture planning I stuck. How should be security in microservices at all? In my opinion that in all project should be one component which all request go throw the component and spread to other components. What I could find it's Spring Cloud Zuul which is api gateway in microservices and I got idea to make a project which is response for gateway and add security in the component as well. I mean it will be something like a project that contains Spring Cloud Zuul, Spring Security, Spring Data JPA dependencies. How do you think is it good way to provide a security or not? Is it possible to build something like that?
In the project I was involved, we used security at a couple of different levels:
Security at individual route level in Zuul.
Security at each internal service
Here is the flowchart for the security model used in our Spring Cloud project,
When Zuul receives a request, it checks if a route exists for the request.
If a route exists, checks if the route is secured based on custom configuration.
If the route is secured, authenticates the request.
Once the request is authenticated at Zuul, Zuul again checks if the internal service, to which request is to be routed, is secured based on configuration.
If the internal service is secured, creates a new Authentication header based on the user credentials (stored in the custom configuration) before routing the service to the internal service.
Once the internal service receives the request from Zuul, it checks if the request needs to be authenticated.
Once authenticated, processes the request and sends the response back.
I think the answer here might help you, they are talking about using firewall to limit the access from the outbound IP and only allow zuul gateway to access all microservice.
Don't allow direct calls to Microservices. Only allow through API Gateway
I think you can consider using OAuth.
It uses JWT(Jason web token), which is a token passed along with all request/response.
you can find detailed information here: https://nordicapis.com/api-security-oauth-openid-connect-depth/
I have a similar question to this one however our application (which makes use of only Spring Beans & Annotations) currently does not use the Spring Security component/API. Would like to know if we can support the plain vanilla login (based on username password) mechanism for one set of users and support SAML based logins for another set of users (thereby using only Spring SAML extension). Or is there some basic Spring security config to incorporate before we use the SAML extension? Thanks in advance.
It is in fact possible to use Spring SAML extension without 'implementing' the Spring security aspect in the project. However the spring security jars are needed as a dependency.
I was trying to learn JAAS, then i came up with the terms SAML and Realm, and now I am confused.
In any of the basic tutorials of JAAS, we are pretty much configuring the basic that a normal Realm configuration is. If I read configuration of SAML then it looks similar as JAAS. I have absolutely no idea why different names. May be SAML is built on Realm and JAAS on SAML, not sure can any body please clearly state the difference.
Please a humble request if you share any link, Please define a bit of it, so that it help me when i am reading them.
I have successfully configured, JAAS's BASIC and FROM based authentication on both JBOSS and Glassfish. It helped me to protect my JSP and Servelets (Web Project). where to look if I want to protect an EJB as part of my application.
JAAS is a set of standard APIs for Java SE and EE which provide basic ways to achieve authentication and limited authorization. The typical use of JAAS for authentication is through LoginModules. Implementation of a LoginModule interface (javax.security.auth.spi.LoginModule) is able to authenticate user based on credentials provided by the caller in CallbackHandler. Most application servers allows you to plug-in your own LoginModules. Other key concepts of JAAS are Subject (a collection of information about a user) and Principal (a single attribute of a user - an ID, a password). Capabilities of JAAS for authorization are rather limited and are rarely used directly.
The standard authentication mechanism for Java web applications (like FORM, BASIC or DIGEST declared in your web.xml descriptor) typically delegate verification of the provided credentials to the configured JAAS LoginModules.
Realm is a concept used to denote separation of authentication and authorization policies for different applications/systems. E.g. if you want to authenticate users in application A using LDAP and applicaton B uses database table, you can put them into different security realms, so that their security requirments are isolated and correctly enforced. The typical system which uses this term is Tomcat, but you will find similarities in othe containers/application servers too. In most cases (e.g. when depoying a single application) you don't need to worry about Realms too much.
Java EE provides standard mechanisms for securing of EJBs using role based access control (RBAC). You first define which roles are applicable to your application, then define which users accessing your application belong to which roles. You can then use either declarative authorization (= annotate your methods with security annotations such as #RolesAllowed, #PermitAll, #DeclareRoles, or do the same using XML descriptors) or programmatic authorization (= test whether user belongs to a role by calling isCallerInRole on EJBContext directly in your code). A basic tutorial can be found here http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html
SAML is a very different beast from the previous ones. In a very simplistic way you can see SAML WebSSO as an authentication method. Generally SAML is a standard which defines an XML-based protocol used to transfer information about users, their authentication events and security attributes between remote systems in a secure way. Apart from the protocol itself SAML standard defines typical use-cases for the protocol, the most common being Web Single Sign-On (a possibility to authenticate user externally from the application at an entity called Identity Provider and login to an application - Service Provider without revealing user's credentials to it). In these use-cases SAML is similar to OpenID or OAuth 2.0 authentication you can see provided by Facebook or Google to 3rd party developers.
Hope this helps,
Vladimir Schafer
See if this helps you. A realm is a area where a specific configuration is in place. JAAS and SAML are both authentication modules that can be configured to handle authentication on that reaml. SAML is an authentication scheme. http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
To add to the other answers, I found the following explanation from this article to be helpful:
In reality, SAML and JAAS are two distinct security frameworks. SAML is an XML framework for exchanging authentication and authorization information. SAML provides a standard XML schema for specifying authentication, attribute, and authorization decision statements, and it additionally specifies a Web services-based request/reply protocol for exchanging these statements.
JAAS, on the other hand, through implementation-specific login modules receives information about the user, authenticates the user, and verifies that they are a valid subject.
So as I understand it, JAAS can be used to implement custom authentication and authorization for your app, and there are many possible ways to do this, some of which involve SAML. For example, you could use SAML to get the user's identity and role/group information; this would be stored in XML tokens that your JAAS module would need to parse.
I am currently trying to implement a single sign on solution across multiple JVM based (Grails, Servlets) web applications currently all deployed in the same servlet container (currently Tomcat, but don't want to limit my solution to just Tomcat). All web applications share a common database.
I've looked at various options from using CAS or other third party libraries to creating a new web service to handle Single Sign On, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders, and Pre-Authentication Filters based on Spring Security.
In this approach I have multiple AuthenticationProviders (currently Active Directory, and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would be also stored as a cookie on the user's machine and that would be used to validate they have a current session in the Pre-Authentication Filters.
Having never done this before I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token? At this point a simple GUID seems to be sufficent?
Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.
Thanks in advance.
I ended up solving this problem by doing the following:
I created a AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname to try to secure it as much as possible. (The application was running internally at most customer sites so the risks here were determined to be minimal, but be careful about cookie jacking.)
Then on each application that needed to have SSO I implemented a AbstractPreAuthenticatedProcessingFilter, and placed in before the authentication filter which would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.
Hopefully that helps someone else in the future for this type of request.
There are extensions available for KERBEROS, OAuth and SAML available on the Spring Security Extensions website. Here is the blog entry which provides an example: SpringSource Blog
If you are using NTLM as your SSO Provider, take a look at the jespa-spring project.
Or you might want to look at the Java Open Single Sign-On Project