Spring security authorization via GET parameters - java

I'm trying to get Spring Security to handle authorization via GET variables. All the examples I've been able to find focus pretty much entirely on role-based authorization, which doesn't really work for my application. The way the authentication/authorization process needs to work is as follows:
User authenticates through external system, gets a session ID.
User passes two GET parameters to my application, sessionId and objectId.
Application verifies that session is valid (already figured this part out)
Application verifies that the object is visible to the user (need help here)
Application returns object information to the user
All the examples I've seen have been demonstrating how powerfully Spring Security can check a granted authority on a URL pattern or a Java method. But I need to implement a custom check on step 4 to make sure that the user has the correct permissions in the backend (users can be granted object-specific rights, so a role approach won't work here).
I am new to Spring Security, so it could be that my thought process is just all sorts of wrong. If I am, feel free to correct me!

You need to use ACL feature or you can emulate the same thing via some custom code (for example via custom web security expression). See this post for details.

I think you need to look at the Pre-Authentication Scenarios section in the documentation. In particular, you will probably need to implement a AbstractPreAuthenticatedProcessingFilter to pre-authenticate the user based on the GET parameters.

Related

Java, Oauth2.0: Can I add a custom property to the authorization process?

I don't know if I worded this question correctly, Spring Security is something I'm not very familiar with.
In my spring boot application the login is done with OAuth 2.0 and gluu. So far it works well and without issue. However, after the user logs in I check whether a user with the ID provided by the gluu server exists in our database because I need additional information on the user. Now, this is done after the login when checking things like permissions and fetching user-specific properties like settings. If the user does not exist on our end I get a NullPointerException. This case should (in an ideal world) not happen but I'd still like to handle it properly.
I'd like to make that check happen as part of the authorization process, so the login fails if we don't have any information on the user instead of checking it after the login has completed.
Does that make sense? I'm having a hard time wording it properly so I couldn't find any useful results on google. A link to some tutorial or docs would be greatly appreciated!
You can handle this with an Interception Script. And you will also need to add customAuthParamz in oxAuth configuration (JSON Configuration > OxAuth).
If you want to do it in spring-security, you can provide a Converter<Jwt, AbstractAuthenticationToken> #Bean (to replace default JwtAuthenticationConverter).
This bean would call your user repo (maybe on a #Cachable method) and could even return an Authentication of your own with all user data you need for your security rules (maybe either create missing user record in databse or return AnonymousAuthenticationToken when user is not known in your system).
I have something a bit like that in this tutorial (extra user data is retrieved from token private claims and not from a database, but you get the idea).

How to get Authorization (permissions) in keycloak JWT?

Objective: I am trying to add authorization details to the JWT using a custom mapper for Keycloak, so that when a user logs in using the login page, his token will also contain all the permissions that are applicable.
As an example, here's the following code (decoded from the JWT):
"authorization": {
"permissions": [
{
"scopes": [
"edit",
"buy"
],
"rsid": "af23b104-1d7e-41ab-7600-6d5bb405ad8e",
"rsname": "Custom Resource"
}
]}
To be more specific, I'm trying to obtain a similar result as if using grant_type=urn:ietf:params:oauth:grant-type:uma-ticket, but directly from the default Keycloak login page.
What I tried: I tried making a custom mapper based on this example: https://github.com/mschwartau/keycloak-custom-protocol-mapper-example
I looked in the base code of Keycloak, but there doesn't seem to be any way to include authorization data in the tokens using the default behaviour. From what I could find, the data might be in the KeycloakPrincipal, but I am not sure if this is true, because there doesn't seem to be a way to obtain that. I might be mistaken, though, since I'm not very experienced with Keycloak.
As a side note, using the grant_type=urn:ietf:params:oauth:grant-type:uma-ticket in a rest call works, but it is not an acceptable solution, unfortunately.
TLDR; This can't be done, Keycloak doesn't let's you and/or doesn't have a mechanism implemented for this.
This can't be done as the token containing the permissions ie RPT token, is actually provisioned by Keycloak with invoking the authorization endpoints, and that in turn requires a user access token in the first place.
This is how it's currently done and implemented - so what you can actually do is, implement on your client app a mechanism for fetching that RPT upon login. You'll have to make two requests to Keycloak, one obtaining the JWT and the other one obtaining the RPT.
But all in all, this isn't encouraged, as the general idea is not to return all permissions when a user logs in, but to actually require allowed scoped and permissions for specific resources - for a specific user.
All this is documented on Keycloak Authorization
It's a bit vague I agree, so hopefully, you'll perhaps find some more useful info here
Obtain RPT without having to invoke Keycloak API twice
Please note again
you aren't supposed to require permissions for all available resources, for a user, but to request one by one and possibly extend your RPT. E.g. You would send a request per each required resource.
If for any technical reason, you cannot do it like this and you still want to require all permissions at once - the best yo can achieve, as already said, is getting the RPT token once a user logs in (obtains a JWT token). But this is still (minimum) two requests to Keycloak
In theory you could extend Keycloak in such a way, it returns permissions in the JWT right away, but this wasn't done by anyone so far as it would require a lot of work and keycloak tweaking, and would still be in question whether it's possible to do so.

REST API Allow access to a URL only for the Owner of the Resource

I am currently designing a REST API for a social networking application.
I am trying to decide how I can go about locking access to a specific resource for each user. For example I have the following URL's
https://social-network.com/api/user?id=2/someUpdateOrPostOp
(or https://social-network.com/api/user/id=2/someUpdateOrPostOp)
https://social-network.com/api/user?id=3/someUpdateOrPostOp
What I need of course is for a user with id=2 not to be able to change their id to 3 in the url and perfom an operation on the data of user with id 3.
Note: I am using JAX-RS with Tomcat and the Client consuming the API is an Android device.
What is the technique I need to research to achieve this? I feel like I am missing something with all this.
Thanks for any help you can offer, this is confusing me greatly!
You need two things:
logic that confirms the identity of the caller i.e. you know the caller is Alice. That can happen through OAuth, Open ID Connect or other protocols. You could use more basic authentication e.g. HTTP BASIC Auth but that leads to the password anti-pattern whereby you share your password with the API.
logic that given the user, determines what that user can do. This is referred to as authorization or access control. Given you are in JAX-RS, you could use a message interceptor to look at the user ID and then look at the requested object or the parameters of the call and then decide to deny access if the authenticated user doesn't correspond to the requested profile. You could even use externalized authorization with XACML. Given your simple use case, though, that would be too much.
You can read more on JAX-RS interceptors here.

Java EE authorization using Roles defined in database, in Glassfish

I want to have authorization in my Java EE application.
Online it describes how you should define the roles in sun-web.xml. However I would like to have all my roles, and groups defined in a database table.
That means, when I access a method for my application, the request needs to be intercepted to see if the user is allowed in the role.
Do I need to
create some kind of interceptor class that checks auth as user makes call to my web service method
create a custom Login Module that fishes out the group and role data from the database when a user first logs on
Any pointers would be really helpful.
First of all: I would strongly suggest using standard authorization mechanisms.
But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server
Roles have to be declared in the web.xml or sun-web.xml.
Frameworks
The next thing I would look into are frameworks, that could help you with that. The link will provide you with two suggested frameworks.
Building your own
If you don't need it for productive purposes, I would suggest the following:
use Filters to check for authorization and authentication: Filters a fairly easy to use ,very powerful and often used for security purposes: See http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filter.
For the login, you could probably just stick with the standard form-based login.

Struts2 Login Management and Authorization

I have developed a web application on Struts2 and used JSP. I want to develop a login system and so cookie management for my web application. Everybody can see every page and there is no authorization for my website.
My question is that what are the steps of my work.
1) Login system
2) Cookie management
3) Authorization
will be done but where I should start and is there any good documents of that steps(for every step of what should I do)?
You can implement this using Sessions, which means you won't have to work with cookies (at least directly). Also keep in mind the difference between authentication (checking identity of a user) and authorization (checking users access rights). I usually implement:
a Login action (which authenticates the user in some way, and saves something to the session which I can latter check to see if the user is logged in...eg. a User object)
an authorization interceptor (which filters each request and checks that user is logged in and has access rights for that particular request....if not forward to login form).
Also keep in mind that this is a do-it-yourself quick way to do it, if you plan anything more you are better off with a security framework/lib of some sorts.
The cookie managment in Struts2 is an orphaned feature. There are ways of reading them using the framework, but no way to write them. Since you have to go directly to the ServletResponse to write cookies, you may as well use the ServletRequest directly to read them.
Check out this: http://www.dzone.com/links/r/working_with_cookies_in_struts_2.html
In my applications I use JavaScript for handling cookies, is more practical, and works well for me.

Categories

Resources