I have an Admin Dashboard React Bootstrap Template and I want to create the backend for it.
I have built a separated REST API on a separate port using Spring that queries a Postgres DB. The frontend just fetches the API.
The problem is that I want to have different user roles: different Navbar items, different page content, etc. based on permissions/role.
I've tried using spring-security and it works when accessing API, but I don't know how to connect it to the front.
How can I implement RBAC for a separate React Front, Spring API Back web app?
Spring Security doesn't have any direct support for front-ends, though Spring does have a few blog posts that describe how a JavaScript front-end can coordinate with a Spring Security-protected back-end.
The key insight is a /user endpoint for transmitting the user's details to the front-end.
Related
Im working on an Spring Boot application which should have two parts: One Admin UI-Part done in Vaadin and one part consisting of REST-API Endpoints for a native application to consume.
Authentication of the Admin UI (Form-Login) should be completely different from the REST API (e.g. Basic Auth with a fixed token, or a token from the database).
What would be the best way to achive this? Since it's basically two different applications having the Data-access in common would it make sense / be possible two instanciate two spring application contexts? Or is it enough to configure spring security in a special way for example? Just adding a RestController and excluding the URL from SpringSecurity already brings me halfway to the solution, but what if I also want authentication for my REST-API? But completely different with its own application provider basically.
Spring supports role based authorization and multiple authentication providers. So essentially you can give you admin users a special role and require this role in your Vaadin views to prevent ordinary users accessing the admin UI. You can also have separate authentication mechanisms in the same application, for example you could have your users authenticated via LDAP and you admins via a database. You shouldn't need to do separate application contexts.
I want to use keycloak as a broker server for Identity and Access Management and I don't want to use login screen provided in keycloak as I have different clients like Android, IOS and web application using the same backend server.
I wan't to know if it is possible to create user, accept terms and conditions, send two factor authentication using SMS, have custom fields in login like adding adress using a POSTMAN/ RESTFul API. I know keycloak have provided API guide but they have not included anything about accepting terms and conditions, adding SMS based validations.
Following would be an opinion based question but, if these features are not available in keycloak, what are the other identify broakers I can use and it should be open source with capability to use my own database.
Edit:
I have checked auth0.com, okta/ stormpath but they are not open source and for custom database like in auth0 its requires enterprise edition.
I have an app which allows users to sign in and then passes their sign in information to the app of their choice. All the apps are written in Java and use Struts 2 and run on Websphere. What is the most secure way to pass in the sign in information? I can pass it in the URL using HTTPS but that still leaves the information available in the browser history.
EDIT:
The sign-in app actually calls a web service which registers the user which collects their personal information, verifies their identity and passes the information back to the sign-in app. The web service stores all of the registration information. I would like to pass all of the registration information to the app so the user does not have to reenter it and to insure the information stored by the web service is identical to the information stored in the app.
You should configure both apps to use Single Sign On.
Here's a tutorial for Websphere.
http://www.redbooks.ibm.com/redpapers/pdfs/redp4192.pdf
If you pass sign in information via https it's secure way. Don't pass it in url however. Use http post method to submit this information to the application. But because you use a web service to register/authenticate a user then you need invoke this web service from you application using http client, etc. If you invoke the service from the client you application never know if the user is registered/authenticated.
Recommended to use some security framework i.e. Spring Security which allows to use different methods for authentication/registration/authorization. It requires integration struts2 with spring via spring plugin.
For the rest see How to integrate Spring Security and Struts2. Or read the book Spring Security 3.x Cookbook by Anjana Mankale.
I'm new at Spring MVC framework i want to learn how to fully separate frontend(html,js etc.) and backend(java).
I'm going to use RESTfull services, play with JSONs.
I think i'm going to build Single Page Application.
Most of tutorials shown in jsp pages which i dont like.
I saw my friends company project(Using Spring MVC) they used Embedded Jetty server and in server configuration they assigned two different paths for frontend and backend paths.
I saw frontend codes there was only html javascripts etc. on the backend side the approach was the same.(Fully Separated !!!)
My question is:'How they pass requests from frontend to backend and get results from backend and update frontend'.
Also they were using Maven backend and frontend defined as modules in the root.
Could you share tutorials so i can understand playing with codes ?
'How they pass requests from frontend to backend and get results from
backend and update frontend'
They probably use HTTP[S] as the transport and JSON as the data representation format. Browsers support AJAX which allows you to make HTTP connections without reloading the page.
Could you share tutorials so i can understand playing with codes ?
No, that's not what this site is for.
Comments:
JSP is still very useful for generating HTML on the server. This is pretty close to necessary if you want Google to crawl your site.
Check out Spring Data REST for a framework for quick REST APIs.
Also check out ExtJS or Dojo for good Single Page App frameworks.
I am building two separate project , Rest services using spring 4.0 and a dynamic website using ZK and Spring .
I want to secure both Rest Services and the Website so user need to be authorized before browsing the website or requesting the Rest Services .
I am wondering if we can have one place for authorization , is this possible and how to share the identity of user between both sites ?
I am thinking of Shiro ?
Any Ideas
BR
Shahbour
Check out Spring Security, it integrates really easily with Spring (as the name would suggest). As far as how to keep user signed in across both apps, there are a few options. The simplest would probably be to have a central database where user information is stored that both apps can access. Add Spring Security to both apps. Web app would require user to authenticate and then any time it calls the REST service it provides current user's username/password. REST service would accept username/password and authenticate the user again. This approach would also work if you ever wanted to use your REST services directly without your Web UI.