Session management, Concurrent Sessions, Spring Security, and Spring MVC application - java

I have a requirement where I need to develop a Login flow for an Enterprise application that is a Spring MVC application integrated with Spring Security.
The requirement is I should be restricting the user to one session:
Example: I have users in two groups, A and B.
CASE A: (WHEN THERE ARE NO SESSIONS)
Users from group 'A' have a specific role, but when they log in and don't have a previous session, they should be given two options to select from: their existing role, or another role (SPECIAL ROLE) that I should be updating in the application on the fly.
Users from group 'B' just log in and get to the dashboard without any choices.
CASE B: (WHEN THERE IS ALREADY AN ACTIVE SESSION)
Both the users from the two groups should get an options form to choose whether they want to log out the previous session and log in here (OR) just go back to the user login page. When they select "log out and log in here", the other session would be terminated (invalidated).
If they choose to go back to login page previous session is not affected.
CASE C: (WHEN THERE IS ALREADY AN ACTIVE SESSION FOR A USER FROM GROUP 'A' WHO CHOSE THE SPECIAL ROLE)
When any user from Group 'A' logs in, they should get a choice to log out the other user's session and log in here with the SPECIAL ROLE, or just log in with their actual role.
I am trying to develop this requirement with Spring Security, but when I configure session management the framework just logs out the other user and invalidates the old session. I should be giving a custom implementation to ConcurrentSessionFilter, or maybe at some other filter level (I am confused), where I can show the choices to the user and do the things.
AND
also when I use custom Concurrent Strategy classes, sessionRegistry.getAllPrincipals() is giving me an empty list, but when I configure the Spring Security sessionManagement().sessionRegistry(new SessionRegistryImpl()); I am able to get the populated principals.
I also tried a custom success handler and tried to redirect based on the user's roles; it works fine, but it doesn't complete my requirement. I am sure that I should be doing some custom implementation of a specific Spring Security filter in the chain to implement it, but I am just getting lost after days of reading and a lack of resources on session management using Spring Security.
I am stuck here, any help would be appreciated. This is the first time I am working with Spring Security and implementing session management.
Thanks in Advance :)
using Spring Security, MVC, Core 4 Java config
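As an added illustration (not the asker's code and not a class Spring ships), one way to keep CASE B out of the framework's automatic expiry: a strategy that only records that another live session exists, a method the choice page can call to expire that session, and the explicit wiring that keeps the registry populated. It assumes Spring Security 4.x Java config, one shared SessionRegistryImpl bean, an HttpSessionEventPublisher listener so invalidated sessions leave the registry, and a success handler (not shown) that redirects to the choice page when the session attribute is present; the attribute name is made up.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.*;
import org.springframework.security.web.session.ConcurrentSessionFilter;

/** Records that another live session exists instead of expiring it, so a success
 *  handler can send the user to a "log out the other session?" page (CASE B). */
public class AskBeforeExpiringStrategy implements SessionAuthenticationStrategy {
    public static final String OTHER_SESSION_ATTR = "otherSessionId"; // hypothetical name
    private final SessionRegistry registry;

    public AskBeforeExpiringStrategy(SessionRegistry registry) { this.registry = registry; }

    @Override
    public void onAuthentication(Authentication auth, HttpServletRequest req, HttpServletResponse res) {
        // RegisterSessionAuthenticationStrategy runs after this one (see wire()), so the
        // registry does not yet hold the session being logged in: only older ones.
        List<SessionInformation> others = registry.getAllSessions(auth.getPrincipal(), false);
        if (!others.isEmpty()) {
            req.getSession().setAttribute(OTHER_SESSION_ATTR, others.get(0).getSessionId());
        }
    }

    /** Called by the choice page when the user picks "log out the other session". */
    public void expireOtherSession(HttpServletRequest req) {
        String id = (String) req.getSession().getAttribute(OTHER_SESSION_ATTR);
        SessionInformation other = (id == null) ? null : registry.getSessionInformation(id);
        if (other != null) {
            other.expireNow(); // ConcurrentSessionFilter invalidates it on its next request
        }
        req.getSession().removeAttribute(OTHER_SESSION_ATTR);
    }

    /** Without RegisterSessionAuthenticationStrategy in the composite, a custom strategy
     *  leaves the registry empty (the getAllPrincipals() symptom). maximumSessions() is
     *  deliberately not called: it would add the strategy that expires the older session. */
    public static void wire(HttpSecurity http, SessionRegistry registry) throws Exception {
        SessionAuthenticationStrategy composite = new CompositeSessionAuthenticationStrategy(
            Arrays.<SessionAuthenticationStrategy>asList(
                new AskBeforeExpiringStrategy(registry),
                new SessionFixationProtectionStrategy(), // migrates the attribute to the new session
                new RegisterSessionAuthenticationStrategy(registry)));
        http.sessionManagement().sessionAuthenticationStrategy(composite);
        http.addFilter(new ConcurrentSessionFilter(registry)); // honours expireNow()
    }
}
```

The "go back to the login page" choice needs nothing from the registry: invalidating the current session leaves the older one untouched.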

Related

Spring Boot Filtering the results based on logged user

I've developed a solution based on Spring Boot. It's like 10 projects with many endpoints, and I'm using Eureka and Zuul too.
Now I'm dealing with the security issues I have to solve. Authentication and Authorization will be done using spring-security in the Zuul server plus annotations to the endpoints.
But one thing I don't know is how to filter the results based on who's logged in. In my case, I need to associate each user* to an entity called Enterprise. Then I have the entity FooBar that have a FK_ID column that associates to an Enterprise. When this user logs in and call the listAllFooBars endpoint it should answer only those associated to the Enterprise object associated to the user.
The same validation should happen during POST and PUT calls...
How to implement that??
* by user I mean the pair name+password
This is exactly the use case of the @PostFilter annotation from Spring Security. You can have an expression that filters the collection based on the current authentication object.
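An added example of that answer (not from the question or the answerer), showing both the read filter and the matching write check. It assumes method security is enabled and that the authenticated principal reaching the service implements the hypothetical EnterpriseUser interface; FooBar and the repository are minimal stand-ins.

```java
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

/** Hypothetical: the principal object must expose the enterprise it belongs to. */
interface EnterpriseUser { Long getEnterpriseId(); }

/** Stand-in entity with the FK_ID column mapped to enterpriseId. */
class FooBar {
    private Long enterpriseId;
    public Long getEnterpriseId() { return enterpriseId; }
}

interface FooBarRepository {
    List<FooBar> findAll();
    FooBar save(FooBar fooBar);
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // needed for @PreAuthorize/@PostFilter
class MethodSecurityConfig { }

public class FooBarService {
    private final FooBarRepository repository;
    public FooBarService(FooBarRepository repository) { this.repository = repository; }

    // GET: keep only rows whose FK matches the caller's enterprise. The query still loads
    // every row and filtering happens in memory, so for large tables put the enterprise id
    // in the query and keep this annotation as a safety net.
    @PostFilter("filterObject.enterpriseId == principal.enterpriseId")
    public List<FooBar> listAllFooBars() { return repository.findAll(); }

    // POST/PUT: reject before the method runs if the payload targets another enterprise.
    @PreAuthorize("#fooBar.enterpriseId == principal.enterpriseId")
    public FooBar save(FooBar fooBar) { return repository.save(fooBar); }
}
```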

Spring security 5.2+ SAML2 multiple IDPs logout

SAML2 support is the new addition to Spring Security library.
According to this:
https://github.com/spring-projects/spring-security/blob/master/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
Saml 2 Login - Not Yet Supported
1. Mappings assertion conditions and attributes to session features (timeout, tracking, etc)
2. Single logout
3. Dynamic metadata generation
4. Receiving and validating standalone assertion (not wrapped in a response object)
it doesn't support single logout in the current version, which is essential for cases with multiple identity providers.
What would be the right workaround to enable single logout for multiple IDPs?
The single logout feature that Spring Security would provide would be to log out many SPs against one IdP, not multiple.
The typical flow for a user is to log in to some IdP and then be redirected to one or many SPs over the course of their session. When they click logout, it's to end the session they originally established with that IdP.
The way that this would be addressed in Spring Security is via a LogoutSuccessHandler. LogoutSuccessHandlers are invoked after the SP has successfully terminated their session (clicked the logout button). You can imagine a LogoutSuccessHandler that would either redirect to the IDP's SLO endpoint or hit a backend IDP logout endpoint.
It's not very common for an SP to try and merge a session initiated by a user logging into one IdP with one from that same user logging into another IdP, which is the use case I think you are describing. But feel free to add more detail if you feel like I'm missing something.

Spring Security with dynamic roles management

I am currently migrating from Struts1/EJB3 to Spring MVC 4.0.4/EJB3. Application server is JBoss 4.2.3 (JBoss 7.x in the works).
My current security roles are stored in the database (for instance: administrator, validator and officer). For each role, admins can check or uncheck features (use cases) they want members to have access to (add a new file, update a file, delete a file, etc.). I also have a "method" table in which all my "secured" features are stored (add a new file, update a file, delete a file, etc.).
My application must have a user management and a role management, so application owners (admins) can add user and roles, and also make changes to existing roles if necessary.
There is no login form. Login sequence goes like this:
Create an HTTP Session.
Gather current user ID from JCIFS.
Search user in Active Directory.
If found in AD, look for a user record in the user table.
If found in database, sync user details with AD (from step 4).
Gather roles from database and set them into user's session.
Redirect to application's home page.
I would like to get the benefits from Spring Security and at the same time offer the flexibility my clients are used to have with their applications.
Any hints would be much appreciated.
Thank you

JSF2 - Flexible way on restrict access on certain xhtml pages, apply simple logic on access

Hi I am actually trying to get tips or ideas on a very specific problem. The technology context is
java web app with JSF 2.1 .
So I have a simple java ee app powered by JSF 2.1. The structure is the following
\webapp
    \WEB-INF
        \templates
            header.xhtml
            menu.xhtml
        web.xml
    \secured
        \operation1
            op1.xhtml
        \operation2
            op2.xhtml
        \operation3
            op3.xhtml
        userhome.xhtml
    login.xhtml
I have one @WebFilter that restricts access to /secured/* in case the 'user' bean is not set (actually a Session Scoped Bean).
At the same time, upon login, I create a dynamic Menu depending on the user's credentials. This menu (MenuItems) points to one or more operations (xhtml pages).
So far so good: the user logs in, the menu is dynamic, links are generated, and upon clicking he/she can navigate to whatever operations he/she is supposed to do.
My problem is that I cannot decide on an elegant way of restricting access to the absolute URL of these pages. If user1 is 'authorized' to execute operation1 but not operation2 or operation3, currently I cannot find the most elegant way of checking his session state and applying a generic rule (navigation rule?) if the actual web user writes the absolute path of the operation in the URL bar.
'/secured/operation1/op2.xhtml'
What is the most JSF2-compatible way of achieving that kind of requirement?
I have tried the preRenderView on each separate opxx.xhtml page; unfortunately it did not work, and I don't like repeating it on each operation.
Many thanks for your tips.
Security in web applications is a more advanced topic. Basically you have two ways:
Container based: This means your servlet container like Tomcat does the job for you (recommended)
Application based: You have to do the job on your own
How to set up container-based security is explained in detail here. To summarize it, you have to implement a simple form (no JSF form!) with a specific action and specific ids for the username and password fields. Afterwards you can easily restrict access to specific URL patterns using your web.xml file. In the web.xml file you restrict access to certain URL patterns for certain user roles. The mapping from usernames to user roles is done by a security realm. How to set up a security realm is described, e.g., for Tomcat here.
If you want to implement security on your own, you have to implement a ServletFilter that inspects all requested URLs and either forwards users that are not logged in to your login form or passes the request through if the user is authorized. If the user is not authorized to see the page, you will have to forward the user to your error page. As CDI injection does not work for a ServletFilter, you will have to look up the bean that stores the information about your user (logged in, rights) from the HttpSession.

spring security (3.0.x) and user impersonation

In my web application, there are times when an authenticated admin might want to impersonate another valid user of a system without having to know that user's password.
How can I use Spring Security to give admin users the ability to impersonate normal (non-admin) users of the system?
The Spring Security documentation is silent on this and I can't find anything anywhere. Surely someone must have solved this.
Thanks!
It's in the Spring Security 3 and Spring Security 4 docs aptly named, "Run-As Authentication Replacement."
The AbstractSecurityInterceptor is able to temporarily replace the Authentication object in the SecurityContext and SecurityContextHolder during the secure object callback phase.
I believe the recommended way to do this in Spring Security is with the Domain Access Control lists, see GrantedAuthoritySid
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/domain-acls.html
However, impersonating another user is more than just having a "delegate identity", you should also consider the implications on logging:
Do you want your logging to appear as Original User or Impersonated User (or both?)
Do you want the "impersonation" to show only what the impersonated user sees, or the superset of permissions of the Original User and Impersonated User?
Yet another possibility is to create a "log in as" feature, which essentially changes the principal identity of the current session - or starts a new session with the impersonated identity.
In all of the above, you may inadvertently open up a security issue, so I think this is why impersonate-style features are not that commonplace. Rather, designs trend towards Role Based Access Control (RBAC) or Attribute Based Access Control (ABAC). Using RBAC / ABAC, you could create a delegate-style feature where you create delegate attributes/roles, and in the special cases where you need to show the source/target of the delegation (e.g. for audit logs), you handle those as corner cases.
If you want an admin user to be able to impersonate another user (e.g. for QA/Testing purposes), have a look at the SwitchUserFilter.
A decent example of the XML config you need is provided here