In this picture I have a tree structure and I want to give permission to any role above the nodes.
Who can give me tips about this?
I believe what you are searching for is "authorization" instead of "authentication". If you are using Spring, Spring Security is here to help you with your security needs. You can have roles and authorities to help you define what the user can access or do.
Using Spring Security, you can secure the endpoints using annotations like
@PreAuthorize("hasAuthority('READ_AUTHORITY')")
or
@PreAuthorize("hasRole('ADMIN')")
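To show what the answer describes in working code, here is an added example (not the answerer's code) of method-level authorization with Spring Security 6 on Spring Boot: a role hierarchy that models the tree from the question (a role higher up inherits everything granted to the roles below it), a service protected with `@PreAuthorize`, and constructed sample users. `DocumentService`, the role names and the `DOC_PUBLISH` authority are this example's assumptions; `RoleHierarchyImpl.setHierarchy` is the long-standing API (6.3+ also offers a builder).

```java
// Added example, not from the original answer. Assumes spring-boot-starter-security
// (Spring Security 6). DocumentService, the roles and DOC_PUBLISH are illustrative.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity   // turns on @PreAuthorize / @PostAuthorize evaluation
class MethodSecurityConfig {

    // The "tree" from the question: ADMIN > EDITOR > VIEWER.
    // A role passes every hasRole() check for the roles below it.
    @Bean
    RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_EDITOR\nROLE_EDITOR > ROLE_VIEWER");
        return hierarchy;
    }

    // Make the method-security expressions (hasRole, hasAuthority) aware of the hierarchy.
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy);
        return handler;
    }

    // Constructed sample users; a real application loads them from a database or LDAP.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}alice-pw").roles("ADMIN").build(),
            User.withUsername("bob").password("{noop}bob-pw").roles("VIEWER").build(),
            User.withUsername("carol").password("{noop}carol-pw")
                .authorities("ROLE_EDITOR", "DOC_PUBLISH").build());
    }
}

@Service
class DocumentService {

    // Succeeds for VIEWER, EDITOR and ADMIN because of the hierarchy.
    @PreAuthorize("hasRole('VIEWER')")
    public String read(String id) { return "document " + id; }

    @PreAuthorize("hasRole('EDITOR')")
    public void edit(String id, String body) { /* persist the change */ }

    // A fine-grained permission that is deliberately NOT part of the role tree:
    // only a user holding DOC_PUBLISH explicitly (carol) passes this check.
    @PreAuthorize("hasAuthority('DOC_PUBLISH')")
    public void publish(String id) { /* publish the document */ }

    // Expressions can also look at the method arguments and the caller's identity.
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public void delete(String id, String owner) { /* delete the document */ }
}
```

With this configuration `bob` can call `read` but not `edit`, and `alice` passes every `hasRole` check through the hierarchy yet still fails `publish`, because `DOC_PUBLISH` is not in the hierarchy and is only granted explicitly. Keeping such permissions out of the role tree is the usual way to stop a high-level role from silently acquiring every new capability.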
I am working on login to Google via OAuth2 with Spring Security.
I successfully logged in via OAuth2 and received the Principal, but my project requirements also need the access token set on the user principal. How can I do this?
Thank you for your help.
If you can explain your scenario more, I can help better. But generally in Spring Security you have to specify the Authorities for each of your system roles to have that user access the specified level.
I am trying to implement simple JWT security with token refresh in my web app. Probably, the question has been asked numerous times and I am digging for an answer but can't seem to find it after a month of searching.
I have two models for the user in the database and they should have different role types, ADMIN and USER. The ADMIN type needs to access its URL endpoints and USER its own, upon successful email and password login.
I am trying to avoid OAuth because I do not need an enterprise-like implementation.
Could anyone refer me to a good guide that explains how this stuff works, or just explain it themselves with a code sample? You would help me a lot! Thanks.
You may want to try JJWT if you're looking for a simple to use JWT library for Java. It's well documented and easy to integrate into Spring Boot apps.
At the very least, you'll need to write your own service for generating tokens (using JJWT), a filter for pre-processing the request and generating an Authentication, and an AuthenticationProvider for performing the actual processing/validation of the token content (again with JJWT) and to populate roles/authorities or any other information that might be required by your Authentication implementation.
This method of implementing JWT based authentication does not require any components from Spring's OAuth2 implementation.
https://github.com/jwtk/jjwt
https://stormpath.com/blog/jjwt-how-it-works-why
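As an added example (not the answerer's code, nor JJWT's own), here are the three pieces that answer lists, written against JJWT 0.11.x and Spring Security 5.7+/6 on the Jakarta servlet API (use the `javax.servlet` imports on Spring 5). The class names, the `roles` claim, the 15-minute token lifetime and the in-memory signing key are this example's assumptions; token refresh is not shown.

```java
// Added example, not from the answer or the JJWT project. Assumes JJWT 0.11.x,
// Spring Security 5.7+/6 and Java 17. Class names and the "roles" claim are assumptions.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;
import java.util.List;
import javax.crypto.SecretKey;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** 1. Token service: issues and verifies signed tokens. */
class JwtTokenService {
    // Generated at startup for the example only; a real deployment loads the key from
    // secret storage so tokens survive restarts and every instance verifies the same ones.
    private final SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256);
    private static final long ACCESS_TOKEN_TTL_MS = 15 * 60 * 1000L; // short-lived access token

    String issue(String username, List<String> roles) {          // roles e.g. ["ADMIN"] or ["USER"]
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .claim("roles", roles)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ACCESS_TOKEN_TTL_MS))
                .signWith(key)
                .compact();
    }

    /** Verifies signature and expiry; throws JwtException on any problem. */
    Claims verify(String token) {
        return Jwts.parserBuilder().setSigningKey(key).build()
                .parseClaimsJws(token)   // accepts only signed tokens: no "alg: none" downgrade
                .getBody();
    }
}

/** Carries the raw bearer token from the filter to the provider (not yet authenticated). */
class BearerTokenAuthentication extends UsernamePasswordAuthenticationToken {
    BearerTokenAuthentication(String token) { super(null, token); }
    String token() { return (String) getCredentials(); }
}

/** 2. Provider: turns a verified token into an authenticated principal with roles. */
class JwtAuthenticationProvider implements AuthenticationProvider {
    private final JwtTokenService tokens;
    JwtAuthenticationProvider(JwtTokenService tokens) { this.tokens = tokens; }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String token = ((BearerTokenAuthentication) auth).token();
        try {
            Claims claims = tokens.verify(token);
            @SuppressWarnings("unchecked")
            List<String> roles = claims.get("roles", List.class);
            List<SimpleGrantedAuthority> authorities = roles.stream()
                    .map(r -> new SimpleGrantedAuthority("ROLE_" + r)) // hasRole('ADMIN') expects the prefix
                    .toList();
            return UsernamePasswordAuthenticationToken.authenticated(claims.getSubject(), token, authorities);
        } catch (JwtException e) {
            throw new BadCredentialsException("invalid or expired token", e);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return BearerTokenAuthentication.class.isAssignableFrom(authentication);
    }
}

/** 3. Filter: extracts the bearer token and lets the provider authenticate it. */
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtAuthenticationProvider provider;
    JwtAuthenticationFilter(JwtAuthenticationProvider provider) { this.provider = provider; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Authentication result = provider.authenticate(new BearerTokenAuthentication(header.substring(7)));
                SecurityContextHolder.getContext().setAuthentication(result);
            } catch (AuthenticationException e) {
                SecurityContextHolder.clearContext(); // bad token: stay anonymous, the endpoint then returns 401/403
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter with `http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)`; the provider can be wired into the `AuthenticationManager` or, as here, called directly by the filter. ADMIN-only and USER-only endpoints then follow from `hasRole('ADMIN')` / `hasRole('USER')` rules, since the provider maps the `roles` claim to `ROLE_`-prefixed authorities. Expiry is checked on every request, and a bad or expired token never reaches a controller with a partially populated context because the filter clears it.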
I'm currently looking into securing JAX-RS web services.
The following URL is very interesting: https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF256.
I am especially looking at the annotations-based security of web services. Defining per method the roles that are allowed looks very straightforward.
I have, however, 4 questions related to this topic:
Defining and mapping roles
I'm wondering: where does one define the roles of users, and how does one make the mapping of users to roles when using annotation-based security?
If someone could point me to an example with code, that would be great, I'm not having a lot of luck finding one.
Libraries/frameworks
Are there any libraries/frameworks that you know of that could be used for securing JAX-RS services? I don't have the impression, e.g., that Apache Shiro is really suited for web services? I would prefer not using Spring Security; it's a bit too heavy for what I'm doing.
Database design
Also, for an authentication/authorization scheme using RBAC, with users having roles and roles having assigned permissions, how do you design this on a database level?
Permissions
When looking at the RBAC principle, you have permissions assigned to roles. However, using annotation based security, you only define "access" to methods on a role level. How do you check if a user has permissions? Or do you just use roles and ignore permissions altogether when using an RBAC principle?
Thanks for any input you can provide!
UPDATE1: Am I correct in assuming that, if you define your users and what roles they have yourself in a database instead of e.g. in web.xml, that it is probably easier/better to use SecurityContext for checking if users are in roles, instead of web.xml or annotations?
This would allow you to use your own SecurityContext object, which can make calls to a database for validating role membership?
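For the approach in UPDATE1, an added example (not from the question or the linked Oracle page): a JAX-RS `ContainerRequestFilter` installs a custom `SecurityContext` whose `isUserInRole` consults an application-managed store of users, roles and permissions, and the resource checks it via `@Context`. The `RoleStore` with its users, roles and permissions is constructed sample data standing in for the database tables, and the `authenticatedUser` request property is a placeholder for whichever step authenticates the caller first; both are this example's assumptions.

```java
// Added example, not from the question. Assumes JAX-RS 3 (jakarta namespace) and Java 17.
// RoleStore contents and the "authenticatedUser" request property are constructed placeholders.
import jakarta.annotation.Priority;
import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Priorities;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.ext.Provider;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/** RBAC tables in miniature: user -> roles, role -> permissions. In a real app these are queries. */
class RoleStore {
    private static final Map<String, Set<String>> USER_ROLES = Map.of(
            "alice", Set.of("admin"), "bob", Set.of("reader"));
    private static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(
            "admin", Set.of("report:read", "report:delete"), "reader", Set.of("report:read"));

    Set<String> rolesOf(String user) { return USER_ROLES.getOrDefault(user, Set.of()); }

    Set<String> permissionsOf(String user) {
        return rolesOf(user).stream()
                .flatMap(r -> ROLE_PERMISSIONS.getOrDefault(r, Set.of()).stream())
                .collect(Collectors.toSet());
    }
}

/** Runs before any resource method and replaces the container's SecurityContext. */
@Provider
@Priority(Priorities.AUTHENTICATION)
class RbacSecurityContextFilter implements ContainerRequestFilter {
    private final RoleStore store = new RoleStore();

    @Override
    public void filter(ContainerRequestContext ctx) {
        // Assumed: an earlier step verified the caller and stored the user name as a request
        // property. Substitute the real authentication result (session, token, ...) here.
        String user = (String) ctx.getProperty("authenticatedUser");
        if (user == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        Set<String> roles = store.rolesOf(user);          // resolved once per request
        Set<String> perms = store.permissionsOf(user);
        boolean secure = ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }
            // One method serves both checks: a role name or a permission name
            public boolean isUserInRole(String role) { return roles.contains(role) || perms.contains(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return "CUSTOM"; }
        });
    }
}

@Path("/reports")
class ReportResource {

    // Explicit permission check; works regardless of annotation support in the runtime.
    @GET
    @Path("/{id}")
    public String read(@Context SecurityContext sc) {
        if (!sc.isUserInRole("report:read")) throw new ForbiddenException();
        return "report for " + sc.getUserPrincipal().getName();
    }

    // Declarative alternative; the runtime must enforce it (Jersey: register RolesAllowedDynamicFeature).
    @GET
    @Path("/admin-summary")
    @RolesAllowed("admin")
    public String summary() { return "summary"; }
}
```

This also answers the permissions sub-question: the store maps roles to permissions and `isUserInRole` accepts either name, so resource code can check a fine-grained permission such as `report:read` while `@RolesAllowed` keeps working with role names. Note that `@RolesAllowed` is only honoured when the runtime enforces it, whereas the explicit `isUserInRole` check in `read` always runs.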
The current Spring app requires adding additional authentication checks from a POJO library. The POJO library includes several customized authentication modules to choose from. Some can be quite simple, like checking the username and encrypted password within a URL against the database or a file; others can be LDAP authentication or Web Service authentication.
The tricky part is that the current application has its own authentication method within security.xml, and we don't want to compromise either one.
My goal is to make this work with minimal change.
I think there might be several solutions for this, but I am trying to get a good practice:
Customize a Spring authentication provider to handle the POJO authentication for the authentication manager.
Customize a Spring pre-authentication (or something alike) bean for the POJO and let app security do the rest.
Extend a filter class and register it in web.xml, so this makes minimal change to the existing Spring Security context, but I am not sure how to make this handle the LDAP and WS authentication.
And many other options, if anyone can give a better hint. Thanks in advance.
Create a custom Spring Authentication manager that extends the one that already exists. Call super.authenticate() and if that goes through then add the extra authentication logic.
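As an added example (not the answerer's code), the same "call `super.authenticate()`, then add the extra check" pattern applied at the provider level, which is what the `<authentication-provider>` element in security.xml wires. `PojoAuthenticator` stands in for the POJO library and is an assumption; the file, database, LDAP or web-service module sits behind it unchanged.

```java
// Added example, not from the answer. Assumes Spring Security 5 or 6.
// PojoAuthenticator is a placeholder interface for the external POJO library.
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** Stand-in for the POJO library; the real module (file, DB, LDAP, WS) implements it. */
interface PojoAuthenticator {
    boolean authenticate(String username, String password);
}

public class ChainedAuthenticationProvider extends DaoAuthenticationProvider {

    private final PojoAuthenticator pojo;

    public ChainedAuthenticationProvider(PojoAuthenticator pojo) {
        this.pojo = pojo;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // 1. The existing check (UserDetailsService + PasswordEncoder) runs unchanged and
        //    throws if the user is unknown, locked/disabled, or the password is wrong.
        Authentication result = super.authenticate(authentication);

        // 2. The extra check from the POJO library. Both must pass: a failure here
        //    rejects the login even though the local credentials were valid (fail closed).
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String password = credentials == null ? null : credentials.toString();
        if (!pojo.authenticate(username, password)) {
            throw new BadCredentialsException("secondary authentication failed");
        }
        return result;   // the fully populated Authentication from the existing provider
    }
}
```

Because `DaoAuthenticationProvider` still needs its `UserDetailsService` and `PasswordEncoder`, set them as properties on this bean (via `setUserDetailsService` / `setPasswordEncoder`), then reference the bean from security.xml with `<authentication-provider ref="chainedProvider"/>` inside `<authentication-manager>` in place of the existing provider; the bean id is an assumption and the rest of security.xml stays as it is. The POJO call only happens after the local credentials are accepted, so an outage or misconfiguration of the external module can refuse logins but can never grant one on its own.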
In my current project I need to authenticate and authorize users via Spring security.
Our directory is LDAP.
I have basic ldap knowledge.
I am trying to understand how, on the LDAP side, I am supposed to manage and create users in order to provide them with roles and permissions to be used in my Spring Security app.
Any ref/tutorials/small explanation would be greatly welcome.
thanks,
ray.
You can check out this StackOverflow thread, where it is explained that:
The roles in the beans.xml must be an exact match of the CN (common name) of the memberOf value attribute.
With one good example.
Also these two examples, MVC + LDAP, about the structure of beans.xml in relation to the LDAP config.
This link is based on MVC + InMemory Authentication, where the way to code a custom simple login for Spring is described. This way you can adapt the code in the MVC + LDAP example.
Hope this helps.