I am new to spring security 3.1.4 and I have the following problem. My Users get the Role ROLER_USER after log in. They are able to purchase a premium state within the web application.
I am now looking for a safe way to grant users who purchased the premium state a new role ROLE_PREMIUM_USER. I looked into the security documentation and the only way I could figure out was to implement Authentication in my own class and make it mutable, to access and and to the List of granted authorities.
This seems wrong for me, and in the abstract Spring class it says: Implementations which use this class should be immutable.
What is the right and safe way to add a role to an already logged in user?
Thanx a lot ;)
Related
I am currently developing a web service with Spring. I would like to provide users the possibility to login via external OAuth-Services, e.g. Google, Github,... as well as a traditional username/password-login. POJO-wise, I have the following setup:
Each User has a One-to-Many relation to AuthenticationMethods
Each AuthenticationMethod has exactly one AuthenticationProvider (e.g. google, github, local) and stores the sub of this authentication method and the corresponding User. In case of a local authentication, it is the User's ID.
Each AuthenticationMethod with AuthenticationProvider == local additionally stores a password.
What already works
Local authentication (username/password) is done through an own OAuth2 authentication server (part of the Spring application) and returns an JWTAccessToken , containing the username (the frontend never sees the client_secret, thus a password grant is acceptible in this situation).
I am also able to retrieve access tokens from the external OAuth Providers (Google, Github,...) via the authorization_request grant process containing their user'S sup from said provider.
Problem
I need to map the external sub to a User object. Since, in theory, two different users could have the same sub at two different, external providers, I would have to check the issuer as well, resulting in a nasty if-else construct. Also, this translation from JWT token to a User must be performed with every access where authorization is required.
Ideas for solutions
What I would like to do is add information to the externally generated JWT. This is obviously not possible since I cannot "re-sign" the external JWT. My idea is to intercept the external JWT and issue a local JWT, containing the username, thus using the external JWT only for initial authentication.
Is there a built-in possibility in Spring to accomplish what I want? Or is there a "best-practice" to solve this problem?
The best practice is to have OAuth2 server to add username as an additional claim to JWT. Spring already has a handle that takes "user_name" claim from JWT and uses it as Principal object.
I'm studying chapters 47...50 of the JavaEE 7 tutorial about security, authentication, realms... Server managed authentication is totally new to me, so please be patient.
I created my own JDBC realm (using WildFly 8.2) as described at paragraph 50.3 and with the help of this beautiful article.
I have some general questions, I hope you can help:
Once the user is authenticated, I obviously need a way to retrieve his identity from within my application. In 48.3.2 (Checking Caller Identity Programmatically) the getRemoteUser() method is presented, but the paragraph also says
The security API described in this section should be used only in the
less frequent situations in which the web component methods need to
access the security context information.
What does it mean? Does it mean that using those methods is some kind of bad practice? Is there any other way to retrieve current user data that I'm missing?
What if I would like to perform some operations when user successful logs in? Is there something like a method triggered by the "user logged in" event?
JDBC realm authentication implies that user credentials are read and checked by the server, the application doesn't even know the coordinates for the auth-reserved DB. For a "new user sign up", do I have to implement a classic solution via application (accessing auth DB, check if chosen username is already present, inert row in the table...) or is there some server-implemented mechanism that I ignore?
I am using Spring-Security in my project. I have a question about it because I have 3 roles in my IS. User, manager, admin. In my system is many rooms, which every room have one manager. But manager can manage only his own room. What is the best way for this? Now I have only basic security manager can manage all rooms. But this is correct only for administrator. My question are what is best and fastest way? (Because this solution seems to be little bit huge)
use role and permissions in controller
#PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update'))
and domain ACL
and Domain ACLs
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/domain-acls.html
or something else?
I am asking for purpose easiest and fastest way.
This is the most usual case for using the ACLs based solution, because the permission can only be determined depending on the domain object being used.
To do this in Acls, start by creating an Acl for each room. Then each user as a security identity on type principal in the SID table. Then grant to each user access to it's room by creating an ACE (access control entry) linking the room ACL to the users SID.
Role based authentication (RBAC) should not be applicable here, as it does not allow to give fine grained permissions dependent on the relation between the user and a domain object.
Its possible to combine RBAC hasRole with Acl hasPermission(#forum,'update') but since we will already use Acls, it's better to use only Acls in order to push the permission access to the data only.
If later we change ideas about who accesses a given room there is not code impact, only security reference data impact.
I'm trying to get Spring Security to handle authorization via GET variables. All the examples I've been able to find focus pretty much entirely on role-based authorization, which doesn't really work for my application. The way the authentication/authorization process needs to work is as follows:
User authenticates through external system, gets a session ID.
User passes two GET parameters to my application, sessionId and objectId.
Application verifies that session is valid (already figured this part out)
Application verifies that the object is visible to the user (need help here)
Application returns object information to the user
All the examples I've seen have been demonstrating how powerfully Spring Security can check a granted authority on a URL pattern or a Java method. But I need to implement a custom check on step 4 to make sure that the user has the correct permissions in the backend (users can be granted object-specific rights, so a role approach won't work here).
I am new to Spring Security, so it could be that my thought process is just all sorts of wrong. If I am, feel free to correct me!
You need to use ACL feature or you can emulate the same thing via some custom code (for example via custom web security expression). See this post for details.
I think you need to look at the Pre-Authentication Scenarios section in the documentation. In particular, you will probably need to implement a AbstractPreAuthenticatedProcessingFilter to pre-authenticate the user based on the GET parameters.
I'm working on Spring based application with Spring Security. I have users with different roles and would like to implement access denial handling depending on the role. More specifically the desired effect would be the following: when user tries to access a resource that he is not allowed to, I would like to distinguish between the case when the denial is because the user is not authenticated and the case when it is due to insufficient privileges (wrong role). The users who are not authenticated can be directed to the regular 403 page, but the ones with just a wrong role I would like to redirect to a form in which they could request granting appropriate role.
I'm thinking about either adding the "<access-denied-handler error-page="/xyz">" and implementing the xyz controller or somehow (not yet sure how) implement this as a custom filter.
How would you tackle the problem? Is there any best practice for that? Was trying to google for some examples as I would consider this as a quite common pattern, but no success.
Thanks a lot.
How would you tackle the problem?
I would try to implement my custom AccessDeniedHandler and try to "register" it in the org.springframework.security.web.access.ExceptionTranslationFilter (read its class JavaDoc!)