I'm looking for a java package/spring user management package that is similar to django's auth application, which provides the database models such as User and Group out-of-the-box.
I have a standard spring/hibernate application (based on Spring ROO), and I would like to use an existing User/Group/Role implementation instead of reinventing it (the actual authentication can use spring's mechanism, but I'd like to save the time implementing the user management part).
Thanks for the help
The Emmet project may be of interest to you. Emmet includes a custom SpringSecurity UserDetailsStore and a webapp for user account management. Out of the box functionality includes basic user account details, roles, support for multiple identities, support for password aging, self registration and password reset. You can use it in conjunction with SpringSecurity based authentication and access control, or (at a pinch) with other "stacks".
(Emmet also provides some custom SpringSecurity authentication components, and potted wirings, but you can ignore that aspect if you like.)
Disclaimer: I'm the lead developer for Emmet.
Spring Security is a full-featured and widely-used Java auth module. While it doesn't have data models right out of the box, there is documentation provided that gives you the DDL to create the most basic tables you'd need:
Spring Security Database Schema
In this period I've created a new open source project related to RBAC and a generic solution for user management:
microservice-rbac-user-management
You can find RBAC APIs and a model here, ready to use and with all the documentation. It is also ready to be used with Docker.
I hope this will help you.
I have already set up a running application having:
an authentication server
several resource servers
a javascript-frontend
For the authentication I am using the oauth2-stack of Spring-Security to hand out JWT-tokens to successfully authenticated users. The login-information is collected in the javascript-frontend which then asks the authentication-server for an auth-token and stores it. This all works well for my application.
What I want to do now is integrate third-party-login-services like Google or Facebook. Currently I am at a point where the process can be started from the javascript-frontend, then the authentication-server does its magic and communication with the third-party-login-provider. I've gotten so far that the login process is successful and I get the needed information, which actually is only the e-mail-address.
But now I'm stuck. I have the authentication information on the server but now I need to construct one of my own authentication-JWT-tokens and hand it to my javascript-frontend. Can anybody give me a hint on how to achieve that?
The JWT Login Sample in Spring Security Samples demonstrates how to create JWT tokens for your own purposes. The key is to ensure that authentication has already occurred, prior to provisioning said token (which in your example is already the case).
Note that the sample uses the com.nimbusds:nimbus-jose-jwt dependency as Spring Security already depends on this library internally. You may also consider using io.jsonwebtoken:jjwt-api or another library instead. jwt.io has a useful list of libraries that support creation of JWTs, and you can filter by Java and click through to the repository to get more information about any of them.
In any case, the sample should be easily adapted to your choice of library, and the out-of-the-box support for verifying JWTs in Spring Security should work.
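As an added illustration of the answer above (not code from the Spring Security Samples or from the asker's project), this class mints the application's own HS256 JWT with nimbus-jose-jwt once the third-party login has yielded the e-mail address, and verifies it the way a resource server would. The HMAC key, issuer, the `roles` claim name and the class name are assumptions.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Date;
import java.util.List;

/** Mints and verifies the application's own JWT once a third-party login has succeeded. */
public class AppTokenService {
    private final byte[] secret;   // HMAC key shared with the resource servers (assumed)
    private final String issuer;
    private final long ttlSeconds;

    public AppTokenService(byte[] secret, String issuer, long ttlSeconds) {
        if (secret.length < 32) throw new IllegalArgumentException("HS256 needs a key of at least 256 bits");
        this.secret = secret; this.issuer = issuer; this.ttlSeconds = ttlSeconds;
    }

    /** Call only after the OAuth2 provider has authenticated the user and returned the e-mail. */
    public String issue(String email, List<String> roles) throws JOSEException {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(email)
                .issuer(issuer)
                .issueTime(now)
                .expirationTime(new Date(now.getTime() + ttlSeconds * 1000))
                .claim("roles", roles)          // custom claim read by the resource servers
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(secret));
        return jwt.serialize();                // compact form handed to the frontend
    }

    /** Returns the claims when algorithm, signature, issuer and expiry all check out, else null. */
    public JWTClaimsSet verify(String token) throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);
        // Pin the algorithm: never let the token's "alg" header choose the verifier
        if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) return null;
        if (!jwt.verify(new MACVerifier(secret))) return null;
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        boolean valid = issuer.equals(claims.getIssuer()) && exp != null && exp.after(new Date());
        return valid ? claims : null;
    }
}
```

The resource servers only need the same key and issuer to validate what the authentication server issued; Spring Security's built-in JWT decoder can replace the hand-written verify() on that side.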
I have some endpoints in my REST API (Java + Spring Boot under the hood). I am using SpringFox with Swagger-UI to have some documentation. But I have a problem now. I would like to show endpoints to a user according to his role.
So, for example, some user with role A should see only /endpoint-A1 and /endpoint-A2 and user with role B should see only /endpoint-B1 and /endpoint-B2, and admin role should see all the endpoints.
As far as I researched, it is not an option to achieve this with SpringFox. And I understand that because there is no place to interact between Spring Security and SpringFox on this field. Correct me if I'm wrong.
But I thought maybe you know an option to use Spring Boot code and generate the documentation based on it and export it somewhere - I do not need to host it as SpringFox is doing. I only need to have this generated to separate files based on user roles. Later I will manage the user roles somehow. Do you know such a tool? Or maybe you have any idea how to achieve that in another way?
When using a JDBC realm for authorization I usually have these tables:
User table
Role table
Group table
When I now login with username, password the security module makes a lookup in the table: give me all roles for user: username.
Can I somehow hook into the process and add another attribute? E.g.
give me all roles for user: username where UserTable.X = Y ?
Note: I must use pure Java EE
There are some possibilities to achieve the desired behavior.
The easiest solution would not be to customize the login process, but to use a manual lookup using perhaps a @WebFilter or some similar approach.
If you need or want to customize the login process itself have a look at JASPIC (relatively new). In version 1.1 it is quite usable, but its support depends on the application server you are using. The idea is to write your own login process and pass a custom Principal back to Java EE. Here is a nice collection of links: Zeef
An older approach to customize the login process is to create an application server specific security realm. In other words you are writing or extending the JDBC Realm that is currently used by your application server. You can then also pass a custom security principal back to Java EE.
I want to have authorization in my Java EE application.
Online it describes how you should define the roles in sun-web.xml. However I would like to have all my roles, and groups defined in a database table.
That means, when I access a method for my application, the request needs to be intercepted to see if the user is allowed in the role.
Do I need to
create some kind of interceptor class that checks auth as user makes call to my web service method
create a custom Login Module that fishes out the group and role data from the database when a user first logs on
Any pointers would be really helpful.
First of all: I would strongly suggest using standard authorization mechanisms.
But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server
Roles have to be declared in the web.xml or sun-web.xml.
Frameworks
The next thing I would look into are frameworks that could help you with that. The link will provide you with two suggested frameworks.
Building your own
If you don't need it for productive purposes, I would suggest the following:
use Filters to check for authorization and authentication: Filters are fairly easy to use, very powerful and often used for security purposes. See http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filters.
For the login, you could probably just stick with the standard form-based login.
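Both the JDBC-realm question above (adding a "where UserTable.X = Y" condition to the role lookup) and this one (roles kept in a database table and checked by a filter) can be served by a servlet Filter like the following. It is an added example, not code from the Java EE tutorial or from either asker; the data source JNDI name, table and column names, URL areas and role names are all assumptions.

```java
import java.io.IOException;
import java.sql.*;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Resource;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/** Authorizes requests against roles held in the database; runs after container login. */
@WebFilter(urlPatterns = {"/admin/*", "/user/*"})
public class DbRoleFilter implements Filter {
    @Resource(lookup = "java:comp/DefaultDataSource") private DataSource ds;   // JNDI name assumed
    // Table and column names are assumed; "u.active = ?" plays the role of "where UserTable.X = Y"
    private static final String SQL =
        "SELECT r.role_name FROM users u JOIN user_roles r ON r.username = u.username "
      + "WHERE u.username = ? AND u.active = ?";
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        String user = http.getRemoteUser();   // set by the container's form-based login
        if (user == null) { out.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        String path = http.getRequestURI().substring(http.getContextPath().length());
        String needed = requiredRole(path);
        if (needed == null || loadRoles(user).contains(needed)) chain.doFilter(req, res);
        else out.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
    static String requiredRole(String path) {   // maps an application area to the role it needs
        if (path.startsWith("/admin/")) return "admin";
        if (path.startsWith("/user/")) return "user";
        return null;   // not a protected area
    }
    private Set<String> loadRoles(String user) throws ServletException {
        Set<String> roles = new HashSet<>();
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(SQL)) {
            ps.setString(1, user);      // bound parameters, never string concatenation
            ps.setBoolean(2, true);     // the extra attribute condition from the question
            try (ResultSet rs = ps.executeQuery()) { while (rs.next()) roles.add(rs.getString(1)); }
        } catch (SQLException e) {
            throw new ServletException("role lookup failed", e);   // fail closed on DB errors
        }
        return roles;
    }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Because the role query runs on every request, cache the result in the session (and invalidate it when roles change) before using this in anything beyond a prototype.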
I need to create a webapp that has a login system.
The user should authenticate against a database.
I want to save the user role in session - or are there other (better) ways?
Furthermore there are areas for user access.
Guest area,
user area,
admin area.
The question now is:
How can I easily implement the authorization with jsf2.0?
I don't want to test on each site, if the user is permitted to access the site or not.
Is there a configuration in web.xml or faces-config.xml that tests the cases?
Can someone show me a tutorial or sample code?
Thanks and best regards
veote
You can also look at options (Frameworks)
Spring Security
Apache Shiro
Java EE Security Tutorial
As already suggested Application Server provided Authentication/Authorization.
Implement a Filter (Custom home grown logic for Authentication/Authorization)
Blogs covering AnA in JSF
User session filter
Access Control in JSF using a PhaseListener
Hope this helps
I am not familiar with Websphere, but since it is a Java EE 6 compliant application server, you can create a JDBCRealm for this purpose. See this chapter of the Java EE 6 tutorial.
You can try this approach, it uses a PhaseListener to check if the user has rights for accessing the current site during the RESTORE_VIEW phase. It is quite easy to implement and it's portable between different servers (unlike realms).
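An added example of the PhaseListener approach mentioned in the answer above (not code from the linked tutorial): it runs after RESTORE_VIEW on every request, reads the role saved in the session at login and redirects to the login view when the requested area is not permitted. The session attribute name, the view path prefixes, the role names and the `login` navigation outcome are assumptions.

```java
import java.util.Map;
import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

/** Checks the session-stored role against the requested view once it has been restored. */
public class AuthorizationPhaseListener implements PhaseListener {
    private static final long serialVersionUID = 1L;      // PhaseListener is Serializable
    private static final String ROLE_KEY = "userRole";   // session attribute set at login (assumed name)

    @Override public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }
    @Override public void beforePhase(PhaseEvent event) { }

    @Override
    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (ctx.getViewRoot() == null) return;             // nothing was restored
        String viewId = ctx.getViewRoot().getViewId();
        Map<String, Object> session = ctx.getExternalContext().getSessionMap();
        String role = (String) session.get(ROLE_KEY);      // null means guest
        if (!allowed(viewId, role)) {
            NavigationHandler nav = ctx.getApplication().getNavigationHandler();
            nav.handleNavigation(ctx, null, "login");      // outcome defined in faces-config.xml (assumed)
            ctx.renderResponse();                          // skip the remaining phases
        }
    }

    /** Area rules: /admin/ needs admin, /user/ needs user or admin, everything else is open to guests. */
    static boolean allowed(String viewId, String role) {
        if (viewId.startsWith("/admin/")) return "admin".equals(role);
        if (viewId.startsWith("/user/")) return "user".equals(role) || "admin".equals(role);
        return true;
    }
}
```

Register the class in faces-config.xml inside a lifecycle/phase-listener element; no per-page check is needed because every request passes through RESTORE_VIEW.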