I have an application which is divided into 2 parts: the GUI is at localhost:8080/simple-gui and the backend at localhost:8080/simple-backend. In the backend I have defined simple Spring Security (details are here: Validate test user with spring security against database). The problem is this security protects only the pages in simple-backend. How do I also protect simple-gui and redirect all unauthorized users to the login page: localhost:8080/simple-gui/login.html
simple-gui has nothing to do with Java. It is just HTML, so I can't configure Spring Security there.
As per the question, both applications seem to be separate WARs when deployed in Tomcat. So if you are thinking that adding configurations for simple-gui in simple-backend will also secure simple-gui, that I guess will not happen.
Either you can have separate configurations for simple-gui in that project itself, or what you need to study is SSO or OAuth, if you want to perform something like this.
I'm pretty new to Angular and JSP and I have a question about the general architecture of a single-page system.
I understand that JSP MVC has its own security features, some of which of course relate to conditionally delivering static/dynamic pages to the clients.
How can that feature work with Angular? Obviously in a single-page application, working with partials, the server does not need to pass pages to the client.
My specific question is about the login page. Do I need to separate my login html from my main 'single-page' index.html with all my routes?
Will I have a 'login.jsp' file which is a stand-alone file handled by jsp and only after login routing to the single-page part of the application?
Thanks!!!
Regarding the login part:
My recommendation is that as an application developer you should not be thinking about how to implement your login page. This would bind your application to a specific authentication mechanism, and it's a sign of getting into trouble (implementing the whole app security on your own).
It is preferable that this binding is performed in a pluggable (declarative) way, like it is done in JEE by the container or in Spring Security by a dedicated framework.
So answering your question: you should not have a login.jsp at all; this page would be automatically generated once you have properly configured your application security with a 'login form' authentication mechanism. (Both JEE and Spring also provide mechanisms for customizing these pages.)
The framework/container would intercept the request to your web app, identify whether the user is authenticated, redirect to the login page and finally redirect to the original URL if authentication succeeds.
Cheers,
Nacho
I have the following architecture:
front-end = AngularJS
back-end = Java EE7/REST-API
Both are deployed on Wildfly 8.2 using Undertow as application server.
My first question is regarding the authentication mechanism:
Should I use form-based authentication and have a web.xml that protects my pages with a security constraint? The same for the REST API: it will be protected by a security constraint.
I can then have a j_security_check with j_username and j_password on a simple login page.
On the server side, I can do a JAAS login then.
Should I use JSON token authentication, so login and logout will use REST web services and generate some access token? Those tokens will be saved into a database with a specific time limit.
That is all regarding security.
Now I am talking about the $scope object in Angular, as you know it will disappear on Angular 2.0, so I am trying to avoid it as much as possible but then how to replace these:
$scope.$apply()
$rootScope
$broadcast
I know that Angular 2.0 encourages web component development with directives as controllers, but I have no idea how to replace these specific objects.
Thank you for your help!
Security:
Let me ask you this in a different way. Is your back end going to be
a) Web layer for all the front end applications
b) API layer that has consumers outside of web pages.
If you answered a) Then you may probably go for form based/container based security.
If you answered b) Then you may think of token based authentication
Angular $scope
Try to follow some common style guide like https://github.com/johnpapa/angular-styleguide#controllers. This might not be a complete solution but will help you avoid $scope.
BTW: Here is my generator, based on the style guide, that can help you get the code cleaner and follow best practices. http://reflexdemon.github.io/slush-angular-gulp/
We are using Spring Security and it is working fine in the single web application. Now, I need to create another web application with Spring Security. In the first application the user can sell his/her stuff (e.g. eBay). The second app, which I am creating now, is for general users, where one can save general preferences, searches, items looked at, etc. He may or may not be an existing user. So the difference between the two users is:
User 1 (existing user): Can post his stuff for sale.
User 2: He/she should be able to log in, save his general activities, etc., and if he/she wants to sell his/her item, he/she needs to go through the additional steps for verification.
All this cannot be done in just one application due to some reasons. My question is on how to handle the security. Should I create separate security filters for each application, or is there a way to use a common security implementation that can manage both of these applications? Please provide your feedback; I would really appreciate it.
If you wrap both components in two different webapps, each will have its own Spring Security web filter infrastructure.
So in principle there will be a security session for each web application, to be backed by whatever authentication system you use.
If you use JDBC then the user would have to log in twice.
If you want your customers to only log in once, you can for example use a token-based system.
When you cross-link from webapp 1 to webapp 2, you could hook the links up to a redirect servlet.
The servlet then generates a token, persists it in a database and forwards the user with the token in the URL to the other webapp.
In Spring Security you can then implement your own PRE_AUTH_FILTER which reads out the token and verifies that it is persisted in the database.
For security reasons you should make these tokens single-use.
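The receiving side of the hand-off described in this answer, as an added example that is not part of the original post: a Spring Security pre-authentication filter for webapp 2 that consumes a single-use token from the URL. The table name `handoff_token`, the class names, the `handoff` query parameter and the javax Servlet API are assumptions; the token itself is assumed to be generated by the redirect servlet from `SecureRandom` (at least 128 bits) with a short expiry.

```java
import java.sql.Timestamp;
import java.time.Instant;
import java.util.List;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/** Assumed table: handoff_token(token VARCHAR PRIMARY KEY, username VARCHAR, expires_at TIMESTAMP). */
class JdbcHandoffTokenStore {
    private final JdbcTemplate jdbc;

    JdbcHandoffTokenStore(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    /** Returns the user the token was issued for and invalidates it;
     *  empty if the token is unknown, expired or already used. */
    Optional<String> consume(String token) {
        List<String> users = jdbc.queryForList(
            "SELECT username FROM handoff_token WHERE token = ? AND expires_at > ?",
            String.class, token, Timestamp.from(Instant.now()));
        if (users.isEmpty()) return Optional.empty();
        // The DELETE decides any race: of two concurrent requests carrying the same
        // token, only the one whose DELETE actually removes the row gets logged in.
        int deleted = jdbc.update("DELETE FROM handoff_token WHERE token = ?", token);
        return deleted == 1 ? Optional.of(users.get(0)) : Optional.empty();
    }
}

/** Pre-auth filter for webapp 2; reads the token from the "handoff" query parameter (assumed name). */
public class HandoffTokenFilter extends AbstractPreAuthenticatedProcessingFilter {
    private final JdbcHandoffTokenStore store;

    public HandoffTokenFilter(JdbcHandoffTokenStore store) { this.store = store; }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String token = request.getParameter("handoff");
        if (token == null || token.isEmpty()) return null; // no token: the filter stays passive
        // A replayed URL finds no row and yields null, so no authentication is attempted.
        return store.consume(token).orElse(null);
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the token was the credential and has already been checked above
    }
}
```

The filter still needs `setAuthenticationManager(...)` with a `PreAuthenticatedAuthenticationProvider` whose `AuthenticationUserDetailsService` loads webapp 2's user record for the returned username; that is where roles for the second application come from.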
We are using Spring 3 framework and we have a SSO (Single sign on) provider which redirects to our app passing special tokens in the request to indicate the user is authenticated.
I would like to use Spring security to handle stuff like denying access to pages unless the user is authenticated, but I'd also like to be able to bypass this on my local machine while developing the application.
So in the production scenario, I expect the SSO to redirect to our app, specifically to a "/login.html" target which is supposed to somehow trigger a custom class I write to pull the expected login info from request and load up the user's info from our database and put it in session for the rest of the app to use.
Then in the development scenario I need to bypass SSO by just being able to create a session using a custom login page and then load the user's info from database just as above.
I am trying to figure out how to do it myself but I can't seem to wrap my head around all of it.
Any info on how to accomplish this, even just a high-level kind of road map, would be a huge help.
If you write a custom AuthenticationProvider for Spring Security to authenticate with your SSO provider, then you could have two Spring Security configurations, one that wires up your custom AuthenticationProvider for production and one for development that uses a standard authentication provider.
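The two-configuration split from this answer, as an added example that is not part of the original post, using Spring Security 5.x Java config: the `prod` profile wires the custom SSO provider and sends unauthenticated users back to the SSO, while the `dev` profile uses a plain form login against the same `UserDetailsService`. `SsoAuthenticationProvider`, `SsoHandoffFilter` (the class that turns the SSO request parameters into an `Authentication`) and the SSO URL are assumed names and placeholders; both profiles share one `protect()` method so the dev bypass cannot silently loosen the URL rules that production enforces.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /** URL rules shared by both profiles; only the authentication mechanism differs. */
    private static HttpSecurity protect(HttpSecurity http) throws Exception {
        return http.authorizeRequests(a -> a
                .antMatchers("/login.html", "/static/**").permitAll()
                .anyRequest().authenticated());
    }

    /** Production: the SSO hand-off is the only way in; no local form login exists. */
    @Bean
    @Profile("prod")
    SecurityFilterChain ssoChain(HttpSecurity http, SsoAuthenticationProvider ssoProvider,
                                 SsoHandoffFilter ssoFilter) throws Exception {
        protect(http)
            .authenticationProvider(ssoProvider)                  // custom AuthenticationProvider
            .addFilterBefore(ssoFilter, UsernamePasswordAuthenticationFilter.class)
            .exceptionHandling(e -> e.authenticationEntryPoint(
                // placeholder: the real SSO login URL goes here
                new LoginUrlAuthenticationEntryPoint("https://sso.example.invalid/login")));
        return http.build();
    }

    /** Development: standard form login; users are loaded from the same database-backed
     *  UserDetailsService bean, so the session content matches production. */
    @Bean
    @Profile("dev")
    SecurityFilterChain devChain(HttpSecurity http) throws Exception {
        protect(http)
            .formLogin(f -> f.loginPage("/login.html").loginProcessingUrl("/login").permitAll());
        return http.build();
    }
}
```

Activate one profile with `spring.profiles.active=prod` or `dev`; because the two chains are mutually exclusive, a production build can never expose the development login form.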
I have a couple of Java-based web applications developed. Both the applications have separate Authentication logic based on some ActiveX directory implementation.
Now, I need to change this to Windows authentication so that whenever the user hits the URLs of my web applications, instead of redirecting him to a login page I need to check his Windows credentials.
I do not want to store his Windows credentials in the URL.
Is there any good way to do this?
Depending on the level of integration you want your web application to have, Spring Security should have you covered in just about all aspects of what you are after.
If redirecting to a login page and authenticating the entered credentials against an Active Directory server via LDAP is acceptable, then the LDAP extension is the way to go.
If you want more of a Single Sign-On (SSO) flow and your users are already authenticated against the authoritative Active Directory server in question (e.g. they are logged in to the domain), then the Kerberos plugin for Spring Security may be more appealing, since your users will simply have to go to the web application and won't have to go through any other authentication steps. The systems will take care of it behind the scenes.
You can also combine / layer these approaches if you wish and try Kerberos-based authentication first, and if that falls through, fall back to a login form and LDAP-based authentication.
If you need to go beyond that, Spring Security is flexible enough to allow you to use OpenID or in-app authentication as well if needed.
I'd recommend using Active Directory to expose its Windows authentication layer over LDAP, which can then be hit by something like Spring Security.
This would effectively force anyone using your application to use their Windows login.