I'm new to web applications and security and I have a basic question.
Imagine a single java web application with a single database but multiple accounts. Let's think about a to-do list for simplicity where people can access only their own 'items' at /item/item-id. EG:
User1 creates items 1 and 2;
User2 creates items 3 and 4;
How do I prevent User2 from accessing /item/1 for instance?
This seems to go beyond Authentication (who is this?) and Authorization (what role does he/she have?) to me.
Should I keep a persisted map of user-items and check every time before returning a response?
Are there any Spring (or other) tricks/helpers for this problem?
Authorization isn't "What role do you have?". It's "Are you allowed to do this?". The role will play a part in deciding if the subject is allowed.
What you are describing is exactly the purpose of authorization.
User2 is trying to access (think of CRUD in HTTP GET,POST,DELETE,PUT) the resource at /item/1. Are they allowed? No. So deny them access.
Should I keep a persisted map of user-items and check every time before returning a response?
How you perform authorization is up to you. Spring security definitely offers some good tools to do it from a database while separating that logic from your application logic (if need be).
I'd also like to recommend another security framework: Apache Shiro. I think it's a little easier to configure than Spring security and I find its authentication/authorization logic more straightforward .
In addition to Spring Security and Apache Shiro, you want to consider XACML-based authorization frameworks e.g. SunXACML, WSO2, Axiomatics (disclaimer: I work for Axiomatics).
XACML is the eXtensible Access Control Markup Language. It's the de-facto standard for fine-grained authorization. Much like SAML is great at identity federation / SSO, XACML helps you achieve authorization.
XACML gives you an architecture (see picture below) as well as an authorization language which you can use to express specific authorization scenarios e.g.
doctors can view medical records of patients they are assigned to
nurses can view medical records of patients that belong to the same clinic
patients can view their own records and that of patients for whom they are the guardian
You can have as many rules as you like. There is no limit.
Related
What I'm trying to do is to create an application with Angular frontend and Spring Boot backend with OAuth2 authentication.
The issue is that I don't know how to get on the frontend the ROLES user has so that I'll be able, for instance, to show something role-based on the page. Yes, there are scopes that OAuth provides in the response but the problem is that these scopes are for the CLIENT but not for the specific USER itself. And that CLIENT is my frontend side (correct me if I'm wrong) which basically means that every user operating my application(client) going to have the same scopes(roles). Moreover, I can specify roles on the backend with the help of Spring and UserDetailsService and then use those roles with #PreAuthorize, etc. But not on the frontend side.
Just as an example, if I simply used single JWT then with a token itself I'd return both the username and roles to frontend. And then I could store that data and use it on the frontend side according to my needs.
So what I'm asking is if it's actually possible and if this is correct to do so?
And how can I possibly implement such behavior?
OAuth doesn't solve this problem and it is best solved via claims in your API. OAuth should deal with authentication only. My below post may help you to think about the best separation: https://authguidance.com/2017/10/03/api-tokens-claims/
In a nutshell you will have to look up user rights such as roles after the OAuth processing completes.
There is a great video from Spring developer on YouTube about OAuth2/OpenID Connect. It shows how to implement the resource server using the newest Spring Security 5 solution.
Probably the easiest and the best way to achieve this is to use an OpenID Connect server which will provide all user management stuff. On the market there are many solutions. Auth0 and Okta are Identity Clouds which provides their services for small amount of money. On the other hand you have Keycloak, which is a server which you can install in Docker or even on bare metal - it's free and open-source.
I want to have authorization in my Java EE application.
Online it describes how you should define the roles in sun-web.xml. However I would like to have all my roles, and groups defined in a database table.
That means, when I access a method for my application, the request needs to be intercepted to see if the user is allowed in the role.
Do I need to
create some kind of interceptor class that checks auth as user makes call to my web service method
create a custom Login Module that fishes out the group and role data from the database when a user first logs on
Any pointers would be really helpful.
First of all: I would strongly suggest using standard authorization mechanisms.
But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server
Roles have to be declared in the web.xml or sun-web.xml.
Frameworks
The next thing I would look into are frameworks, that could help you with that. The link will provide you with two suggested frameworks.
Building your own
If you don't need it for productive purposes, I would suggest the following:
use Filters to check for authorization and authentication: Filters a fairly easy to use ,very powerful and often used for security purposes: See http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filter.
For the login, you could probably just stick with the standard form-based login.
We are using Spring Security and it is working fine in the single web application. Now, I need to create another Web application with Spring security. In the first application the user can sell his/her stuff (e.g. EBay). The second app which I am creating now, it is for general users where he can save his general preferences, searches, save some items he looked at etc. He may/may not be the existing user. So the difference between the two users are:
User 1 (existing user): Can post his stuff for sale.
User 2: He/she should be able to login. Save his general activities etc. & if he/she wants to sell his/her item, he/she needs to go thru the additional steps for verification.
All this cannot be done in just one application due to some reasons. My question is on how to handle the security? Should I create separate security filters for each applications or is there a way to use common security implementation who can manager both of these application. Please provide your feedback, I would really appreciate it.
if you wrap both components in two different webapps, each will have his own spring security web filter infrastructure.
So in principle there will be a security session for each web application, to be backed by whatever authentication system you use.
If you use JDBC then the user would have to login twice.
If you want your customers to only login once, you can for example use a token based system.
When you cross link from webapp 1 to webapp 2, you could hook the links up to a redirect servlet.
The servlet then generates a token, persists it in a database and forwards the user with the token in the url to the other webapp.
In spring security you can then implement your own PRE_AUTH_FILTER which reads out the token, verifies if it is persisted in the Database.
For security reasons you should make these tokens only one use.
I am planing to start a web-based project that involves user registrations just like forums/CMS, but my barrier is that I have not idea how to implement the so-called role-based access control.
I googled for "role-based access control" and I found in the results books about:
Design Patters.
Is this related to what I need?
Is there a tutorial about implementing this idea?
Is the implementation on database-side or language programming-side?
Any reference? Any title?
Design your tables such that user can have one or multiple role based on your system
Define your access to pages for group
admin.allowed = .*
user.allowed=/home/.*,/profile/.*
in some properties file
Create a Web Filter that reads the user from session and determines the role and sees if the page it is being requested is allowed if not it redirects to some other page
See Also
Writing an authorization filter for my web app(JSF 2.0)
I want to implement a token-based authentication mechanism for a scenario which is similar to the following:
In Google Calendar, you can invite guests to your event, who in turn can respond to these events right from the email invitation. The invitation to such an event contains the respective links to respond (Yes, No, Maybe) with authentication tokens encoded in the URL. These authentication tokens are restricted to the specific event and user.
What's the best practice to generate these kinds of "one-time" tokens that can only perform limited actions and have only access to limited resources (and potentially are only valid for a limited amount of time)? And how do I implement this in Glassfish? I want to expose this through the RESTful API of my application (using Jersey). Currently, all URL paths in my app are secured with an authentication constraint, which I configured in the web.xml.
My approach to this would be as follows:
Provide a URL where no authentication constraint is applied (e.g. /token_auth) and use this for token authentication.
In the web service method, manually check the security tokens and do the required actions. The tokens are saved in the DB along with information such as username, expiration date, authorized resources, etc.
I was wondering whether there is a more elegant solution using any frameworks or built-in container capabilities that can avoid all the manual work. And whether this solution might have some security drawbacks.
A similar question has been asked on SO before: Newbie at JAAS authentication; Sign in using a token in the URL Bar
Have you looked into UUIDs?
At work we use the Safehaus UUID.
You approach looks fine. I am not aware of a framework to do this kind of thing for you. Spring Security may have something you can use but not the whole thing.