I'm working on a Spring based application with Spring Security. I have users with different roles and would like to implement access denial handling depending on the role. More specifically, the desired effect would be the following: when a user tries to access a resource that he is not allowed to, I would like to distinguish between the case when the denial is because the user is not authenticated and the case when it is due to insufficient privileges (wrong role). The users who are not authenticated can be directed to the regular 403 page, but the ones with just a wrong role I would like to redirect to a form in which they could request granting the appropriate role.
I'm thinking about either adding the "<access-denied-handler error-page="/xyz">" and implementing the xyz controller, or somehow (not yet sure how) implementing this as a custom filter.
How would you tackle the problem? Is there any best practice for that? I was trying to google for some examples, as I would consider this a quite common pattern, but with no success.
Thanks a lot.
How would you tackle the problem?
I would try to implement my custom AccessDeniedHandler and try to "register" it in the org.springframework.security.web.access.ExceptionTranslationFilter (read its class JavaDoc!)
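A custom AccessDeniedHandler along the lines of this answer, as an added example rather than code from the answer itself. It assumes javax.servlet imports (Spring Security 5 or older; use jakarta.servlet for 6) and that the paths /403 and /request-role exist; it would be wired in with `<access-denied-handler ref="..."/>` in place of `error-page`.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Invoked by ExceptionTranslationFilter when an AccessDeniedException reaches it.
 * Callers that are logged in but lack the required role are redirected to the
 * role-request form; anyone else gets the plain 403 page. Both paths are assumed.
 */
public class RoleRequestAccessDeniedHandler implements AccessDeniedHandler {

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
    private final String forbiddenPage = "/403";             // assumed path
    private final String roleRequestForm = "/request-role";  // assumed path

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Defensive branch: ExceptionTranslationFilter already routes anonymous
        // callers to the AuthenticationEntryPoint, so normally only authenticated
        // users arrive here. Keeping the check makes the handler fail closed if it
        // is ever called from somewhere else.
        if (auth == null || trustResolver.isAnonymous(auth)) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            request.getRequestDispatcher(forbiddenPage).forward(request, response);
            return;
        }

        // Logged in but wrong role: send to the form that lets the user request
        // the role. The refused URI is passed along so the form can name it.
        String target = URLEncoder.encode(request.getRequestURI(), "UTF-8");
        response.sendRedirect(request.getContextPath() + roleRequestForm + "?target=" + target);
    }
}
```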
As the question states, my goal is to hide a GET route in Spring Boot from being accessed from the public. I originally took a CORS approach, but that doesn't solve the actual view problem. Pretty much anyone could go to, say... https://my-api-url.com/employee/all and see a JSON record of all employees in my database.
END GOAL: I only want my front-end to have access to my API for displaying that information to an authorized user who is signed in, but I do NOT want just anyone to have access to the API. CORS policy can handle the ajax requests, but it doesn't seem like I can stop the overall viewing of the GET url.
How can I solve this problem?
You can use OAuth to register clients (frontend/postman/whatever you are using to test the API) that can access your resource server, but it might be overkill. For now, if you worry someone can view your API by typing it in the address bar (if that is your question), then you can allow access for authenticated users only.
If you want to restrict usage and make it inconvenient for abusers to call your API, you can issue a token on page load (CSRF token) and require that token to be present in the request to the API - that way the API will be callable from a browser that initiated a page load.
You can refer to this link: https://security.stackexchange.com/questions/246434/how-can-i-ensure-my-api-is-only-called-by-my-client
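The "authenticated users only" option from this answer as a Spring Boot configuration; this is an added example, not code from the answer or the asker's project. It assumes Spring Security 6 (the `requestMatchers` DSL) and the asker's `/employee/**` route.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Makes /employee/** require an authenticated session. Typing the URL into the
 * address bar now yields a redirect to the login page instead of the JSON list.
 */
@Configuration
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // Weak setting this replaces: anyRequest().permitAll(), which is what
            // lets anyone open /employee/all directly.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/employee/**").authenticated()   // API needs a login
                .requestMatchers("/", "/login", "/static/**").permitAll()
                .anyRequest().authenticated())                     // fail closed for new routes
            // Default CSRF protection: a token is issued with the session (the
            // "token on page load" from the answer) and state-changing requests
            // must echo it back, so a cross-site page cannot drive the API.
            .csrf(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

A single-page front end that calls the API with XHR needs the cookie-based CSRF token repository described in the Spring Security reference rather than the server-rendered default.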
If your frontend is currently handling authentication, I'd suggest moving to Spring's authentication service. That way you could prevent unauthenticated users from accessing that specific API endpoint.
I am currently designing a REST API for a social networking application.
I am trying to decide how I can go about locking access to a specific resource for each user. For example, I have the following URLs:
https://social-network.com/api/user?id=2/someUpdateOrPostOp
(or https://social-network.com/api/user/id=2/someUpdateOrPostOp)
https://social-network.com/api/user?id=3/someUpdateOrPostOp
What I need, of course, is for a user with id=2 not to be able to change their id to 3 in the URL and perform an operation on the data of user with id 3.
Note: I am using JAX-RS with Tomcat and the Client consuming the API is an Android device.
What is the technique I need to research to achieve this? I feel like I am missing something with all this.
Thanks for any help you can offer, this is confusing me greatly!
You need two things:
logic that confirms the identity of the caller, i.e. you know the caller is Alice. That can happen through OAuth, OpenID Connect or other protocols. You could use more basic authentication, e.g. HTTP Basic Auth, but that leads to the password anti-pattern whereby you share your password with the API.
logic that given the user, determines what that user can do. This is referred to as authorization or access control. Given you are in JAX-RS, you could use a message interceptor to look at the user ID and then look at the requested object or the parameters of the call and then decide to deny access if the authenticated user doesn't correspond to the requested profile. You could even use externalized authorization with XACML. Given your simple use case, though, that would be too much.
You can read more on JAX-RS interceptors here.
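The second point of this answer (deny when the authenticated user does not match the requested profile) as an added JAX-RS 2.0 example, not code from the answer. It uses a ContainerRequestFilter rather than an entity interceptor, since request filters see the matched path and query parameters, and it assumes the container has already authenticated the caller and that the principal's name is the user's numeric id.

```java
import java.io.IOException;
import java.security.Principal;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Ownership check for /api/user/{id}/... and /api/user?id=... resources.
 * Runs at AUTHORIZATION priority, i.e. after the AUTHENTICATION filters, so
 * the SecurityContext principal is the verified caller. Assumes the
 * principal name is the user's id as a string (constructed convention).
 */
@Provider
@Priority(Priorities.AUTHORIZATION)
public class OwnUserOnlyFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // Only guard the per-user resource; other paths pass through untouched.
        if (!ctx.getUriInfo().getPath().startsWith("user")) {
            return;
        }
        Principal caller = ctx.getSecurityContext().getUserPrincipal();
        if (caller == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        String requestedId = requestedUserId(ctx);
        // The id in the URL is client-controlled; the principal is not.
        // Any mismatch is a 403, regardless of what operation follows the id.
        if (requestedId != null && !requestedId.equals(caller.getName())) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    /** Reads the target user id from either a path template {id} or ?id=. */
    static String requestedUserId(ContainerRequestContext ctx) {
        String fromPath = ctx.getUriInfo().getPathParameters().getFirst("id");
        if (fromPath != null) {
            return fromPath;
        }
        return ctx.getUriInfo().getQueryParameters().getFirst("id");
    }
}
```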
I have my company resource for authentication, since this is part of its security policy.
Basically, it works this way: requesting a desired URL, we receive a login/password prompt for authentication. Once we've been validated, the server returns a bean filled with some session attributes which we can inspect and programmatically render components and/or grant access for a requested page.
I'm looking for some way to work with this scenario along with Glassfish Security (JEE7 roles and groups), so I can delegate the access control indirectly and use EJB for access control instead of the programmatic way.
Does anyone know how I can do it? I would also appreciate any book, site and/or link addressing this scenario.
Thanks in advance.
I'm trying to get Spring Security to handle authorization via GET variables. All the examples I've been able to find focus pretty much entirely on role-based authorization, which doesn't really work for my application. The way the authentication/authorization process needs to work is as follows:
1. User authenticates through an external system, gets a session ID.
2. User passes two GET parameters to my application, sessionId and objectId.
3. Application verifies that the session is valid (already figured this part out).
4. Application verifies that the object is visible to the user (need help here).
5. Application returns object information to the user.
All the examples I've seen have been demonstrating how powerfully Spring Security can check a granted authority on a URL pattern or a Java method. But I need to implement a custom check on step 4 to make sure that the user has the correct permissions in the backend (users can be granted object-specific rights, so a role approach won't work here).
I am new to Spring Security, so it could be that my thought process is just all sorts of wrong. If I am, feel free to correct me!
You need to use ACL feature or you can emulate the same thing via some custom code (for example via custom web security expression). See this post for details.
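The "custom code" route from this answer as an added example (not code from the answer): a PermissionEvaluator that looks up object-specific rights per user, so a method can carry `@PreAuthorize("hasPermission(#objectId, 'Document', 'read')")`. The in-memory grant map and the "user:type:id" key format are constructed stand-ins for the asker's backend.

```java
import java.io.Serializable;
import java.util.Map;
import java.util.Set;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

/**
 * Object-level check for method security. Unlike a role check, the answer
 * depends on (user, object, permission), which is exactly what step 4 of the
 * question needs. Registered on DefaultMethodSecurityExpressionHandler via
 * setPermissionEvaluator(...).
 */
public class ObjectRightsPermissionEvaluator implements PermissionEvaluator {

    /** Constructed stand-in for the backend: "user:type:objectId" -> permissions. */
    private final Map<String, Set<String>> grants;

    public ObjectRightsPermissionEvaluator(Map<String, Set<String>> grants) {
        this.grants = grants;
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated() || targetId == null || permission == null) {
            return false;
        }
        Set<String> allowed = grants.get(auth.getName() + ":" + targetType + ":" + targetId);
        // Deny by default: an object with no grant entry is invisible to this user.
        return allowed != null && allowed.contains(permission.toString());
    }

    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        // Domain-object form is not used by this application; returning false
        // keeps the evaluator fail-closed if someone calls hasPermission(#obj, 'read').
        return false;
    }
}
```

Method security must be switched on (`@EnableMethodSecurity` in Spring Security 6, `@EnableGlobalMethodSecurity(prePostEnabled = true)` earlier) for the annotation to be evaluated.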
I think you need to look at the Pre-Authentication Scenarios section in the documentation. In particular, you will probably need to implement an AbstractPreAuthenticatedProcessingFilter to pre-authenticate the user based on the GET parameters.
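A minimal AbstractPreAuthenticatedProcessingFilter subclass for the sessionId parameter, as an added example rather than code from the answer. It assumes javax.servlet and that the filter is wired to an AuthenticationManager holding a PreAuthenticatedAuthenticationProvider whose user-details service validates the session ID against the external system (step 3 of the question).

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Extracts the externally issued session ID from the request. The filter only
 * collects the evidence; whether it is genuine is decided by the provider it
 * hands it to, so an invalid or forged sessionId yields no authentication.
 */
public class SessionIdPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String sessionId = request.getParameter("sessionId");
        // A null principal tells the base class there is no pre-auth evidence,
        // so the request continues unauthenticated instead of failing loudly.
        return (sessionId == null || sessionId.isEmpty()) ? null : sessionId;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // Pre-authenticated callers carry no separate credential; any
        // non-null placeholder is accepted by PreAuthenticatedAuthenticationProvider.
        return "N/A";
    }
}
```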
I am using the Spring Security default login page, and if my user gets to a page that he should not be getting to based on role and URL, he gets the following error on the screen:
org.springframework.security.access.AccessDeniedException: Access is denied to login
How can I make it so Spring goes to the default login, with or without an error? Please help me out.
As documented in the <access-denied-handler> element in the documentation's Appendix B, you can set the errorPage attribute to forward to a custom JSP. This could be your login page or whatever else you want. Keep in mind that at this point, the user is already logged in, so forwarding them to the login page (again) may be confusing.
As Raghuram suggested, you can also implement AccessDeniedHandler yourself, but I'd hold off on doing that unless you really need to.
I don't have the info in front of me, but if I remember correctly, when you set up Spring Security you can give it URL patterns to apply the security to. It sounds like your setup is including the login page in the patterns that security is applying to. You need to make sure that it is not. Go back to the Spring Security doco and you should be able to work this out. Also, the Spring logs are usually very good at helping with this sort of thing.
What you probably need to do is to override the default AccessDeniedHandlerImpl as documented here.
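A Spring Security namespace configuration that pulls the three answers together, as an added example and not the asker's actual configuration: the login page is excluded from the role-protected patterns (the cause of "Access is denied" on /login), and the two ways of customising the denial response are shown. Paths, roles and the bean name are assumed.

```xml
<!-- security.xml, Spring Security 3.x/4.x namespace (assumed paths and roles) -->
<http use-expressions="true">
    <!-- Patterns are matched top-down, first match wins, so the login page
         must be listed before the catch-all and must not require a role.
         Listing /login only under hasRole(...) is what sends a logged-out
         user to "Access is denied" instead of the form. -->
    <intercept-url pattern="/login*" access="permitAll"/>
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login login-page="/login" default-target-url="/home"/>

    <!-- Option 1: forward a logged-in user who lacks the role to a custom
         page (errorPage attribute). Forwarding to /login here would be
         confusing because the user is already authenticated. -->
    <access-denied-handler error-page="/accessDenied"/>

    <!-- Option 2, used instead of option 1: delegate to your own bean,
         e.g. a subclass of AccessDeniedHandlerImpl.
    <access-denied-handler ref="customAccessDeniedHandler"/>
    -->
</http>
```

`error-page` and `ref` are mutually exclusive on `<access-denied-handler>`; pick one.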