I want to secure my rest services with spring security using token based authentication.
My approach here is with the help of filters every request has to validate whether it have a valid access token which is already created through loginservice and saved in hashmap.
Now what am excepting here is all the process done so far is handled by developer . How it can be given to spring security to handle all those stuffs?
Is OAuth is suits for this rest service authentication?
Thanks in advance
Related
I've got a spring-boot app that authenticates with OIDC (oauth2) and I'm trying to get a list of all the users from the authorization server - how should I implement this using spring?
Spring Security OAuth2 doesn't have an API for expressing a user repository. It does have a UserDetailsService interface, but you'll note that it only has the loadUserByUsername method.
If you are building an OAuth 2 authorization server, you could take a look at Spring Data and Spring MVC to expose a query endpoint (using Spring Security to secure that endpoint).
If you are building an OAuth 2 resource server or client that is talking to a third-party authorization server, you could take a look at RestTemplate or WebClient to formulate whatever proprietary query your authorization server wants since like #Ronald said, there is no OAuth 2.0 standard for querying users.
When a user signs in into his identity provider his personal information can be accessed by the claims the identity token contains. Or by approaching the userinfo endpoint.
There is no endpoint which returns all the users from the authorization server according to the OIDC standard.
I have access to a web application which has a link to another application I'm developing. When that link is clicked the URL is filled with two parameters: user, and token.
This token is generated per every user login on that very same web application.
I want to use that token and user to authenticate someone in the application I'm developing!
I have access to the source app's database in order to query against the token and username.
However I need help finding a way to implement this logic with Spring-Boot. Do I need a custom filter / authentication provider? How to wire these things up with Spring?
I want to stick to the framework rather than developing my own solution for this.
TL;DR: I need help securing a RESTful controller with a token I obtain through GET
Thank you!
Yes, you could write filter to authenticate token.
If you want make architecture a bit better I would recommend creating gateway (i.e. Zuul) and invoke second application through gateway. Implement gateway to authenticate requests. In my architecture I create separate Auth component to generate token and validate token. Gateway could call Auth to validate token.
I have a spring boot web app with spring security integrated with LDAP authentication. This web app internally makes REST calls. These REST calls are having username-password authentication. This username-password is the same used by spring security. Is there anyway I can get the username-password authenticated by spring security, so as to use in the REST calls. If not this way, is there any other way to achieve this.
Thanks in advance.
There is a quite nice way that I think fit your case.
By default Spring Security does not store the password in memory after authentication has been made, so you need to change that. With Java config, add in configure(AuthenticationManagerBuilder) method:
auth.eraseCredentials(false);
Then you can get the username and password for the current user with:
String username = SecurityContextHolder.getContext().getAuthentication().getName();
Object rawPassword = SecurityContextHolder.getContext().getAuthentication().getCredentials();
Spring Security is performed based on the rule in the security properties.
This means that you just need to have spring-security enabled, the only problem is that if not authorised it will go to the Not Authorised Page which a Restful client will not understand. But if the Restful client has authenticated and been granted a valid session then it will be able to get past the Security_check and access the protected page.
I guess Spring security is working like AOP so each protected page has a Security_check crosscut that only allows access to the page if the authentication is there.
Anyway, I solved the problem writing a custom AuthenticationProvider, which will perform the LDAP authentication and get the username-password for the future REST calls.
I want to create a REST API on Java Servlet for user authentication using simple Oauth and JSON. When the user login correctly, it will generate a unique access token. The token will be used as a representation of user session state. Then, the token will be used when the user access certain pages.
Can you give me an example or reference link?
You can implement this API that is used for security systems
http://shiro.apache.org/webapp-tutorial.html
You can use JHipster project. This generator of Web application generate a backend with Spring MVC, Spring Core, Spring Security and Oauth Token.
Exemple of Web site generate by JHipster: http://www.tests-psychotechniques.fr
I'm struggling to design a SAML2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using Java Servlet filter and Spring.
I see two possibilities:
Adding the SAML tokens into the header each time.
Authenticate once with SAML, then using a session or similar (secure conversation) between the client and the gateway.
Case 1: It's a good solution because we are still RESTful but:
SAML tokens are quite big. It's may generated problem due to big header size.
Replaying tokens is not the best way for security concern.
Case 2: It's no more stateless and I have to managed a link with the client. Since I use a gateway, the underlying services can still be RESTful.
Case 2 looks for the better choice despite the fact that it does not follow the rest constraints.
Is someone had already to do it and give me some pointers (for design or implementation)?
Is there a better way to do it with SAML?
Any help or advice are welcome.
It is still draft, but: the OAuth2 SAML bearer profile may a possible solution.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17
Use a SAML2 to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.
Also, you could generate a jwt token and put it inside of a SAML attribute: from this moment on you could pass the jwt inside of an http header.
It is sort of mixing oauth with saml but if you still need the latter for authentication it could be the way to go.