Here is my specific question:
There is a project which contains a lot of pages which uses Spring Framework on Java.
There is some kind of Admin users and department users.
The problem is that an admin user should see all kind of users(all information).
Sometimes an admin might delete some users: This method should be accomplished.
My project leader told me to look at the session properties access and search if there is a framework for that which should work with Spring.
How could I manage that?
Is there a framework for that? If not what is the best way ?
You can by using Acegi security framework, it integrates with Spring framework. To solve your issue, you have to set current user into Http Session (Spring-Acegi has a specified class for this) and read current user whenever needed.
Spring + Acegi has more features like :
Multiple level security by multiple level filters
Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
Support ACL (Access Control List) and Object Domain Security.
Support authentication&Authorization.
and a lot more
It has a lot of useful utilities and structures.
You can see more information at the following links:
http://en.wikipedia.org/wiki/Spring_Security
http://www.tfo-eservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1-html.html
To add Spring Security to existing Spring app follow next example:
http://www.mkyong.com/spring-security/spring-security-hello-world-example/
And I recommend you to read their documentation. Spring have really good documentation.
Another example
Related
Our project consists of Java back end(spring web application) and iOS and Android client applications. Now we need to add an authentication for client applications to Java back end. The idea is to register user for the first time using an external web service. At this step user provides full credentials(login and "big" password) and chooses some PIN for further authorization. After that primary step is complete successfully, user should be able to authenticate using his login and PIN(which he chose previously himself). Those login and pin should be stored in our DB. We should also be able to destroy that "session" and PIN whenever is necessary. We expect web application to have up to 10 000 registered users with up to 1000 users being online simultaneously.
We also don't plan to use any separate Authentication server, we plan to embed security into web application(back end) itself.
I've been investigating 2 different approaches. First is usual spring #EnableWebSecurity approach. This seems pretty straight forward, but some people say it will create "sessions", which are bad for the server. Session will consume lots of memory, and overall impact on performance will be bad. Is it true?
The other approach is to use Spring Oauth2 implementation. I didn't have time to study it properly, this seems to be a little bit of an overkill to me. Is it worth to study for our needs? (we are running out of time btw).
I also need to have some proper DB sctructure for the security needs.
So the question is, what is the best approach for our situation? Are there any open source projects, solving similar issue? I would appreciate any help.
Thank you.
Whatever technology you use for authentication, you will require sessions to maintain the state of authenticated user. You can use Spring security alone or with Oauth2 .
I'll suggest for simplicity you can go with Spring Security with Token functionality.
However you can find an good blog over Spring Security and Oauth.
Securing REST Services with Spring Security and OAuth2
For more clarification you can also visit here
Sessions should only take up allot of memory if you were to store large amounts of data in the session. So long as you don't do that there won't be any problem. You will need to make your own authentication decision based on your acceptable levels for security and user experience, there is no one 'right' answer. Spring security and sessions have already been talked about here How can I use Spring Security without sessions?.
I want to implement aerospike on my Spring MVC website to cache user sessions.
I could implement Redis caching, but it as it does not support distributed cache, I want to start to use aerospike, but I cannot find any lib or examples on how to implement Spring Session in aerospike, allowing me to turn off one of my machines and keep all active users still logged in.
The closest I could get to any implementation was this github repository, but it seems it was abandoned:
https://github.com/vlad-aleksandrov/spring-session-aerospike
This was the tutorial I've followed to implement User Session with redis:
http://docs.spring.io/spring-session/docs/current/reference/html5/guides/httpsession.html
You should take a look at Aerospike play plugin. At the heart of it is the session store. The play plugin is a wrapper on top of it. The session store is available as an independent repo under mvn/gradle. It is an official one. So, you should be able to report issues and get help. You can reuse the session store component or write your own based on it.
I've created my own JDBC realm (using WildFly 8.2) as described at paragraph 50.3 of the JavaEE 7 tutorial. My understanding is that JDBC realm authentication implies that user credentials are read and checked by the server, the application doesn't even know the coordinates for the auth-reserved DB.
For a "new user sign up", the only thing I can imagine is to implement a classic solution from the inside of my application: accessing auth DB, check if chosen username is already present, insert row in the table... but doesn't this violate the whole paradigm of "container managed authentication", and maybe insert security holes?
Is there some server-implemented mechanism that I ignore?
but doesn't this violates the whole paradigm of "container managed authentication", and maybe insert security holes?
Yes, more or less. The container managed security concept, where the application is totally unaware of the authentication mechanism and the identity store (location where the user data is actually stored) doesn't really take the use case into account where an application has its own user sign up/register functionality.
The idea seems to be more intended for integrating externally obtained applications (e.g. say a Sonar or JIRA instance) into an existing enterprise structure. There the users are created by an admin using a central system like LDAP, or in some situations even an admin UI of the application server.
Unfortunately many of your typical public web applications aren't of this variety. They are standalone apps (don't integrate with existing internal enterprise infrastructure) and they effectively manage their own users.
The classical concept is an ill fit there, and that's why the Java EE Security EG is currently exploring how to best address this.
You basically have three "solutions" in the mean time:
Just define your DB connection details twice, once at the server level, once at the app. It looks like you were indeed already doing this.
Use JASPIC, which is a container provided authentication API which has the option to let the application contain the auth module. It can use the exact same data source and possible JPA entity manager and such that the application is also using.
Do your security using an external security framework, e.g. DeltaSpike Security or Shiro, that's totally implemented in "user space".
From a Java EE perspective, none is really ideal. The first has the duplicate definition and indeed somewhat violates the principle, the second is by itself okay, but JASPIC is a tad low level, and the second is a rich solution but doesn't integrate well with existing Java EE security.
I am currently trying to implement a single sign on solution across multiple JVM based (Grails, Servlets) web applications currently all deployed in the same servlet container (currently Tomcat, but don't want to limit my solution to just Tomcat). All web applications share a common database.
I've looked at various options from using CAS or other third party libraries to creating a new web service to handle Single Sign On, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders, and Pre-Authentication Filters based on Spring Security.
In this approach I have multiple AuthenticationProviders (currently Active Directory, and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would be also stored as a cookie on the user's machine and that would be used to validate they have a current session in the Pre-Authentication Filters.
Having never done this before I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token? At this point a simple GUID seems to be sufficent?
Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.
Thanks in advance.
I ended up solving this problem by doing the following:
I created a AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname to try to secure it as much as possible. (The application was running internally at most customer sites so the risks here were determined to be minimal, but be careful about cookie jacking.)
Then on each application that needed to have SSO I implemented a AbstractPreAuthenticatedProcessingFilter, and placed in before the authentication filter which would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.
Hopefully that helps someone else in the future for this type of request.
There are extensions available for KERBEROS, OAuth and SAML available on the Spring Security Extensions website. Here is the blog entry which provides an example: SpringSource Blog
If you are using NTLM as your SSO Provider, take a look at the jespa-spring project.
Or you might want to look at the Java Open Single Sign-On Project
I want to protect my JSF pages in a Java EE 6 app.
I want to store users and roles in the DB and have privileged users administer them via a web tool. The privileged users would add users to roles and set certain pages to require certain roles for access.
It seems to me that container managed security won't let me do that. Would JAAS be the way forward?
Any suggestions and links to examples would be appreciated.
The short answer is yes. JAAS will allow you manage security against a database use a LoginModule(many container implementations JBoss offer these pre-canned out of the box) and you can check out this article(http://weblogs.java.net/blog/2006/03/07/repost-using-jaas-jsf) or this book(http://www.java.net/external?url=http://purl.oclc.org/NET/jsfbook/) for more specifics how to authenticate Users and determine authorization parameters with JAAS and JSF.
For your second requirement, I can't see any reason why you can then create a separate tool that has access to those tables to modify credential information. Though this seems like a problem that has already been solved by using an LDAP provider with any one of a number of free and open source web interfaces.
Another nifty feature because of the clear separation of concerns is that you can later easily migrate to LDAP or third party services with little effort.
I recommend that you take a look at Spring Security.
Spring Security is a powerful and highly customizable authentication and access-control framework.
Here is an article that explains using Spring Security with JSF.