I am new to spring security. My application is already using spring security to authenticate and authorize the user. Now i want to use the CAS authentication for the user to authenticate and the authorization to be done by my application only. I tried to configure my application by referring the below website:
https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security
But every time my application ends up with not invoking the CAS filter and goes to the default configured login page and not the CAS login page.
Is there any website or documentation by following it I will easily implement the CAS.
The Spring Security documentation is good: http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#cas
Related
I've a Java Spring Web application (no Spring Boot) with a "standard" authentication mechanism using database user credentials (It uses Spring Security lib).
Now I need to know if is it possible to include a second auth method with an external Identity Provider and a SSO login.
For example: A user with a specific e-mail domain ex: userX#domain1.com, login with his DB credentials but another type of user (ex: userY#domain2.com) need to be able to login against an external IDP.
I've already developed a bunch of application with Spring Security SAML lib with ADFS or OpenAM but that was the only login method for all the users.
If is it possibile, how I need to setup the Spring Security Configuration in order to achive this? Maybe I should use a multi-provider config?
Thanks.
Supporting multiple authentication mechanisms can be achieved by checking the user domain and redirecting to your own service that supports UserNamePassword based DB authentication or redirecting to the SSO service.
And for configuring Spring Security, you can create separate implementations extending
org.springframework.security.authentication.AuthenticationProvider
Checkout this link that guides on how to implement multiple authentication mechansism
For SSO specificly, you have to configure a redirectURL with the SSO provider, that internally calls your API with the SAML response.
SSO with spring security
I have a java application running on wildfly server, that uses ejbs and Servlet HttpSecurity. There is no Spring Boot implemented. I am working on a task where access control of the application must be handled by Okta. Basically when user hits the url to access the application, they must be redirected to Okta log in page, where they provide the credentials. And after authentication, user can access the app.
Is there any way this task can be done without using Spring Boot?
I tried https://github.com/okta/okta-auth-java#usage-guide but it requires username and password to be provided in the code itself which is not the requirement.
Trying to setup a SSO for a Java web application built with Spring MVC.
I've registered my application to an OKTA server, got a Metadata URL and a SignOn URL. I'm using the SignOn URL from my application, authenticating with success, then a POST request is made with some form data that include a SAML Response object.
What should be the next step from here?
I've decoded the SAML response, and now from my understanding I need to get a token or a session ID that I'll need to use to my further requests to the OKTA server.
Edit 1:
Ran the spring-boot-saml-example, the authentication works as expected.
But, when trying to get the current session using OKTA Session API from the Spring application, an HTTP 404 code is returned. Fetching the current session using the browser work fine.
Take a look at this blog post, this example uses Spring Security and an Okta SAML app . Take a look at that, and if that doesn't help let us know.
You can use the spring-webmvc-pac4j security library which provides SAML authentication for Spring MVC (Boot) app.
Configuration is straightfoward for Okta like for any other SAML identity provider: https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L44 + https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L214
I have a spring boot web app with spring security integrated with LDAP authentication. This web app internally makes REST calls. These REST calls are having username-password authentication. This username-password is the same used by spring security. Is there anyway I can get the username-password authenticated by spring security, so as to use in the REST calls. If not this way, is there any other way to achieve this.
Thanks in advance.
There is a quite nice way that I think fit your case.
By default Spring Security does not store the password in memory after authentication has been made, so you need to change that. With Java config, add in configure(AuthenticationManagerBuilder) method:
auth.eraseCredentials(false);
Then you can get the username and password for the current user with:
String username = SecurityContextHolder.getContext().getAuthentication().getName();
Object rawPassword = SecurityContextHolder.getContext().getAuthentication().getCredentials();
Spring Security is performed based on the rule in the security properties.
This means that you just need to have spring-security enabled, the only problem is that if not authorised it will go to the Not Authorised Page which a Restful client will not understand. But if the Restful client has authenticated and been granted a valid session then it will be able to get past the Security_check and access the protected page.
I guess Spring security is working like AOP so each protected page has a Security_check crosscut that only allows access to the page if the authentication is there.
Anyway, I solved the problem writing a custom AuthenticationProvider, which will perform the LDAP authentication and get the username-password for the future REST calls.
I am using Spring Boot and using Spring Security SAML, I have been trying to authenticate the user with ADFS of my organisation. I have used Spring Security SAML Sample application (https://github.com/vdenotaris/spring-boot-security-saml-sample) and able to authenticate the user using Sample app.
After that I have extended my application code referring this sample code and I am able to authenticate the user from my application.
Requirement in my application is:
I want to use my own login page (instead of ADFS login redirect) to capture the username and password
Pass on those credentials to ADFS server for authentication
Once user is authenticated, then redirect user to success page else redirect user to error page.
Till now what I have online seen references to ADFS login page only. Can anyone please guide or share pointers how I can use Spring Security SAML to integrate with ADFS without redirect to ADFS login page.
I know I can send the POST request on /adfs/services/trust/13/UsernameMixed URI and validate the user but this will be regular POST service. My question is how I can use Spring Security SAML Framework to achieve this?
Thanks,
Gourav.