I'm new to Spring Roo and would like to know how to implement user authentication and authorization. I followed the tutorial and focused on Spring Security but it doesn't really do what I want. I'd like to present the user with a login page where they enter their email and password. The email and password will then be compared to a 'User' table in MySQL and if it exists, present the user with a different user interface depending on the 'role' attribute in the table (e.g, a doctor user has a different user interface and a patient user has a different interface). What would be the proper steps to doing this?
I can connect to MySQL fine, I'm just not sure how to go about creating the login page and creating some kind of active session.
Chapter 8 in this book (highly recommended!) goes into some detail how to set up spring security using a database in spring roo. Reading that chapter will also show you how to customize the UI based on the role. Alternatively, this blog gives some pointers in setting up a database for credentials with roo.
If you want more than just customizing the UI based on the role, for example, if you want to redirect users based on their role to different parts of the site after login, then this link presents two options.
Related
I am developing an case management application.I have created login page and landing page other pages as well.
i have used the spring mvc 4,oracle database.
A used logged into the application and then went to admin page.copy the admin page url ,logout from the application.when the user directly copy and paste the admin page url into another user user he is able to open that page.how can i restrict the user. when user perform any crud operation how can validate user's credentials every time.
Please suggest.
If you are using Spring framework, the best practice case you can implement is to integrate Spring Security.
Regarding the session handling within your system, you might use JWT tokens which allows you to control the user flow easily. You can read this complete tutorial.
I need to create an application with authentication and authorization using Java EE 6 (Glassfish Server). I read a lot about Java EE 6 security and just wanted to ask if my concept is correct:
Every user in the company has an account according to "X123456". I want to use this for LDAP Authentication:
Application ---> LDAP
So, I can use the company's infrastructure to authorize the user.
However I want to be in control of the roles in my application. So, I want to define my own roles using JACC. Therefore I will create a database with a user-to-role mapping,
Example: "X123456 -> ADMIN".
The benefits would be:
I don't need to store any password
I can create a kind of admin panel in my application where I can set the existing roles to users dynamically
Do you think this would be technically possible and good practice?
Alternative: Would it be possible to define the roles (Admin, User) in Active Directory and query it via LDAP? So I could outsource my user-to-role mapping into active directory.
Update:
For authentication I currently use a LDAP-Realm (user, password).
For authorization I want to use a database (rolename, user). However I don't know how to tell my application to use the database for authorization. If I would use a JDBC-Realm, I could specify the Group/Role table and column. Is there a way to tell my application to just use the JDBC-Realm for authorization?
I'm creating a spring mvc (spring 4) with spring security 3.2. I have a login page which works fine, with custom UserDetailsService. I want to add on website a new functionality, adding some demands. When someone add a demand, he will receive an email with a button through he can manage this demand, including the creation of a session for the website. I want to create him an account.. and give him authetincation from this button's url which will be handled by a controller. How should i do that? create an account with some hardcoded password? and how about the authentication provider? User with demand couldn't login through normal login page.
In database that type of accounts will have a different status than the normal accounts. Hope you understand what i need...
You can try creating a common user for all such use cases (called guest or similar). If you have validated a user using the trusted url which they have provided, you can query the database using the hard coded username (guest), and get the authentication details like passoword, roles etc. Then you can programatically authenticate the user. In such a way, user only has to provide you a url, and your code can fetch a real authentication detail from the db.
For the authentication part, you may refer to the below link.
stackoverflow.com/a/15119876/3981536
We are using Spring Security and it is working fine in the single web application. Now, I need to create another Web application with Spring security. In the first application the user can sell his/her stuff (e.g. EBay). The second app which I am creating now, it is for general users where he can save his general preferences, searches, save some items he looked at etc. He may/may not be the existing user. So the difference between the two users are:
User 1 (existing user): Can post his stuff for sale.
User 2: He/she should be able to login. Save his general activities etc. & if he/she wants to sell his/her item, he/she needs to go thru the additional steps for verification.
All this cannot be done in just one application due to some reasons. My question is on how to handle the security? Should I create separate security filters for each applications or is there a way to use common security implementation who can manager both of these application. Please provide your feedback, I would really appreciate it.
if you wrap both components in two different webapps, each will have his own spring security web filter infrastructure.
So in principle there will be a security session for each web application, to be backed by whatever authentication system you use.
If you use JDBC then the user would have to login twice.
If you want your customers to only login once, you can for example use a token based system.
When you cross link from webapp 1 to webapp 2, you could hook the links up to a redirect servlet.
The servlet then generates a token, persists it in a database and forwards the user with the token in the url to the other webapp.
In spring security you can then implement your own PRE_AUTH_FILTER which reads out the token, verifies if it is persisted in the Database.
For security reasons you should make these tokens only one use.
I'm writing web app using JSF2 and primefaces with Glassfish 3.1.2. I want to start with login/logout mechanism but i'm not sure about solution.
What I want to achieve:
Three main goals:
web application in JSF 2.1
this application will use many databases (but every db will have the same user, password and "security table" with application login and password). So user during authentication must give database name, user and password.
I want to be able to logout and login on different user without closing browser.
What authentication method will be the best in that case ? I cannot just create a new Realm with database name because it is not const in my situation.
I thought about web-services, which will take db_name, app_login and app_password as parameters and return whether it is ok or not.. And then create a simple managed bean, which will tell me whether user is logged. But i want to totally separate login logic from other stuff.. and I want to check whether user is logged before I view every page in application.
Thanks for your tips,
Regards
I don't know if you already have taken a look at the Seam Security functionalities, but I think it may fit your needs considering the Identity Manager:
http://docs.jboss.com/seam/2.1.1.GA/reference/en-US/html/security.html#d0e8804