I am working under login to Google via OAuth2 spring-security
I was successfully login via oauth2 and received Principal, but in my project requirements, I need also set to user principal access token, how can I do this?
Thank you, for you help
If you can explain your scenario more, I can help better. But generally in Spring Security you have to specify the Authorities for each of your system roles to have that user access the specified level.
Related
I would appreciate any guidance you can provide for the following situation:
I have a Vue.js app with a Java-SpringBoot backend.
I want to allow users to log in using the SSO of office-365.
So authentication will be done by office-365.
However, once a user is authenticated, the permissions are set by the application itself. All permissions for different aspects of the applications are stored and handled by my application.
How can I achieve this? Is the SSO done only on the front side in Vue.js?
If so, what is returned after the SSO completes successfully and the user is authenticated? How can I set the permissions?
Do I need to perform some backend operation to ensure the user is authenticated correctly?
Thanks
any information and explanations I can get would be apricated as I'm new to SSO
I would use Keycloak. There you can choose Microsoft as an Identity provider. It manages everything for you and it's very easy to handle.
If you need a good tutorial:
In this picture I have tree structure and I want to give permission to any role above nodes.
Who can give me tips about this?
I believe what you are searching is "authorization" instead of "authentication". If you are using Spring, Spring Security is here to help you with your security needs. You can have roles and authorities to help you define what the user can access or do.
Using spring security, you can secure the endpoints using annotations like
#PreAuthorize(“hasAuthority('READ_AUTHORITY')")
or
#PreAuthorize(“hasRole('ADMIN')")
I am trying to implement simple JWT security with token refresh in my web app. Probably, the question has been asked numerous times and I am digging for an answer but can't seem to find it after a month of searching.
I have two models for the user in the database and they should have different role type ADMIN and USER. ADMIN type needs to access his url endpoints and USER his own upon successful email and password login.
I am trying to avoid oauth because I do not need enterprise like implementation.
Could anyone refer me to a good guide that explains how stuff works or just explain by himself with a code sample? You would help me alot! Thanks.
You may want to try JJWT if you're looking for a simple to use JWT library for Java. It's well documented and easy to integrate into Spring Boot apps.
At the very least, you'll need to write your own service for generating tokens (using JJWT), a filter for pre-processing the request and generating an Authentication, and an AuthenticationProvider for performing the actual processing/validation of the token content (again with JJWT) and to populate roles/authorities or any other information that might be required by your Authentication implementation.
This method of implementing JWT based authentication does not require any components from Spring's OAuth2 implementation.
https://github.com/jwtk/jjwt
https://stormpath.com/blog/jjwt-how-it-works-why
I would like to secure our REST API with user token.
User does an initial request to the API to obtain an access token (must provide own credentials - login and password)
Service find the user by provided credentials
If is a user found, service creates an unique token with time expiration and returns it back to the user (token expiration can be defined as now() + 15minutes - is it enough? What is a standard expiration time for such tokens?)
User must provide this token in all his requests OR asks for new token when is expiring and API process original request
I would like to ask you - is there in Spring framework native support for such authentication flow - I'll be happy with some simple example or URL to Spring doc? If so, what do I need to use? I have studied Spring docs and read many tutorials, and It seems there is a support for everything and I need to know what is the best for my issue.
For token-based authorisation to resources, one framework that will inevitably come-up will be oAuth
oAuth will help you achieve exactly the workflow that you desire e.g. that a user can authenticate and then be given a token to access a defined set of resources via an API. It is however fairly heavyweight and it is definitely worth taking the time to understand how it works and that it exactly fits the picture of your requirements.
The "official" site is here. There are two versions of oAuth, so again this will help you to understand which the the right one for you.
As for Spring Security integration, there is a Spring Security oAuth project. The documentation for this is pretty good both at the level of how the integration works with Spring Security, but also in terms of helping you understand that oAuth is the right solution for your project.
In my current project I need to authenticate and authorize users via Spring security.
Our directory is LDAP.
I have basic ldap knowledge.
I am trying to understand how in the ldap side I suppose to manage and create users in order to provide them roles and permissions to be used in my Spring security app.
Any ref/tutorials/small explanation would be greatly welcome.
thanks,
ray.
You can check this out StackOverFlow thread where is explained that:
The roles in the beans.xml must be an exact match of the CN (common name) of the memberOf value attribute.
With one good example.
Also this two examples MVC + LDAP about the structure of beans.xml in relation with LDAP config.
This links is based on MVC + InMemory Authentication where is described the way to code a custom simple login for Spring. This way you can adapt the code in MVC + LDAP example.
Hope this help.