What is appropriate way to integrate SpringSecurity with Capcha ?
I have following use case :
When user will tries to login, if we he failed to login N times, captcha will be displayed, so authentication will be using three parameters : username, password, captcha. But Spring Security doesn't support built in Captcha handling.
I just start thinking about implementation. And have following variants:
Adding separate security filter in Spring Security filter stack,
Entirely rewrite AuthenticationProcessingFilter to support some Captcha
Use some programmatic authentication with interception captcha logic and then transfering username and password to Spring Security
As a Captcha implementation I think about JCaptcha, but what your thougths?
As an alternative to using JCaptcha, if you'd like to use the reCAPTCHA Service on your site, then check out the free Section 4.4 (direct PDF link) of the new Spring in Practice book (currently in beta).
This shows you integration with Spring MVC and Spring Validation. Since the integration is on the front-end, w/external APIs, Spring Security doesn't really come into the picture here.
I am not sure what your use case is? Are you hoping to use captchas as an alternative to authentication to prove "human"-ness?
Take a look at this article: Spring Security 3: Integrating reCAPTCHA Service.
This uses two filters to make reCAPTCHA integration as seamless and unobstrusive as possible. That means your existing Spring Security implementation will not break. No need to touch existing classes
I've done integration with reCaptcha and Spring Security (Spring Web Flow + JSF) by defining custom security filter. Maybe it isn't most elegant, but works good.
You can look at my blog - unfortunately in polish, but maybe will help You or someone...
http://marioosh.net/blog/?p=1087
Kaptcha is easy to use.
Related
I'm trying to integrate my Spring app with governmental system responsible for user's authentication (SAML). The main concept is that "my" app is receiving already logged user with so called assertion. And the point is how can I customize Spring Security to recognize mentioned before assertion as proof that user is authenticated. Or maybe should I write my own filters instead of using Spring Security?
Unfortunately I can't share the code - company policy ;(
Any feedback is appreciated.
Maciek
If you receive a SAML assertion (it's easy to see, it's a whole XML packet), you absolutely need a library to deal with that complexity.
pac4j (security engine for Java) supports the SAML protocol. So either you keep Spring Security and use the pac4j extension for Spring Security: spring-security-pac4j or you directly use the pac4j security libraries for Spring MVC/Boot: spring-webmvc-pac4j or for J2E: j2e-pac4j for example.
Is it possible to forget the authentication, jwt login stuff and security for now and implement it later?
I choosed java for my restful service back-end for my game, but i'm having such a hard time setting up a simple login system with a mysql database, jwt authentication and spring boot. I followed a great tutorial, but it's only concerning Spring boot, not JWT security.
I would like to move forward and implement the security later if possible.
Right now i just gave up and i'm doing simple apis with just spring boot based on this architecture : https://github.com/djdjalas/SpringBootIn50/tree/master/src/main/java/com/yourname, i replaced the fake data with jdbc calls to the mysql database. Is it ok? Will it be hard to implement autentication later when i will have many services?
Thank you.
Spring Security itself is hard to understand and master in the way it should be done as it requires more understanding of the processes behind its configuration. Anyway, if you get familiar with it you won't have serious difficulties here. There will be no major changes to your code. You'll end up generally with one more configuration class/file and this is it.
Can't say anything about JWT but don't think it will be a problem either.
I have a similar question to this one however our application (which makes use of only Spring Beans & Annotations) currently does not use the Spring Security component/API. Would like to know if we can support the plain vanilla login (based on username password) mechanism for one set of users and support SAML based logins for another set of users (thereby using only Spring SAML extension). Or is there some basic Spring security config to incorporate before we use the SAML extension? Thanks in advance.
It is in fact possible to use Spring SAML extension without 'implementing' the Spring security aspect in the project. However the spring security jars are needed as a dependency.
I was wondering if it's possible to integrate Spring Security 3 into a GAE application without having to bring the whole Spring + Spring MVC stack with it. Every example I've seen so far has Spring Beans and / or Spring MVC in it
What I want to do is basically implement generic authentication (basic register, login, logout, reset password, etc), include OpenID, Google Authentication, Facebook Authentication, etc all in one place - Spring Security does this quite nice.
Or alternatively, I would prefer to have as few libraries as possible and roll my own, does anyone have a link or some great resource on setting up an authentication service that allows logging in with Custom Login, Google, Facebook, etc without the use of Spring Security?
You can not use Spring MVC, but anyway you need spring core.
Answer to this question is highlighted in spring security FAQ:
http://docs.spring.io/spring-security/site/faq/faq.html#faq-what-dependencies
More detailed about dependesies you can find here:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#appendix-dependencies
What is the best way to manage user authentication/sessions in a web app, ideally in a clustered environment, using Spring Framework/MVC?
I thought of creating a login bean that creates a jsession for authenticated users and then using AOP to check for the jsession before each controller method inovcation.
If there isn't a better way, what are some possible alternatives? Thanks.
The best would be to use Spring Security. See http://static.springsource.org/spring-security/site/start-here.html
Spring Security is good, it might be overkill for what you need. Have you considered the basic standard web.xml security (this will play just fine with Spring-MVC as it's just URL based).
Basic Tutorial Here
Many apologies if you knew about web.xml authorization already, it's just that it's often overlooked.