I have two applications: Spring MVC one and Dropwizard microservice. They communicate through Kafka. I have configured simple Spring security in MVC and have no security in microservice yet.
I need to implement SSO, so when I sign in on one application, I don't need to do it again on another.
My plan is to use LDAP. Maybe you'll recomend smth better?
Any advices on how to start, helpful links?
Thanks!
You should take a look at Keycloak. Users authenticate with Keycloak, which can use LDAP as a back end. Keycloak generates signed authentication tokens which the user forwards on each request. Each service can independently verify the token.
Related
I’m developing a spring boot application where users can register into the system by providing the necessary information. The platform should provide users to authenticate with their registered user credentials or social media login credentials (google/Facebook).
For simple user authentication, I want to create a simple post request to the server with the user name and password and after validating, the server returns a token. I do not want to use the spring security form login here.
But for social media logic, I believe I have to go with oAuth.
I’m new to spring Boot and spring security. Do I need to integrate both JWT authentication and OAuth authentication for this scenario? A suggestion would be highly appreciated
What you. describe about user management (user registration, login, logout) are standard features of OAuth2 / OpenID authorization-servers. You should pick one "from the shelf" either on premise (like Keycloak) or in the cloud (like Auth0, Amazon Cognito, and many others). Many solutions include "social" identities federation.
REST APIs are resource-servers. See those tutorials for security configuration and tests with mocked identities.
UIs are clients. You should use an OAuth2 client lib to handle OAuth2 flows. Find one for your framework Spring has one if your UI is generated on server with Thymeleaf or alike, but there are libs for Angular, React and other frameworks running in browsers.
Spring OAuth2 client libs can also be used in BFF (backend for front-end) scenario when browser client is not OAuth2 (it is secured with session, not access-token) and talks to an app on the server which is the OAuth2 client (spring-cloud-gateway is a sample but you could also write your own app with spring-boot-starter-oauth2-client). This app translates the request with session into into one with access-token before forwarding it to resource-server. The aim is to hide tokens from Javascript in the browser.
Does any of you have some example of Custom Spring Security Login form using REST Api? I am actually trying to create my own, and the problems I'm facing are:
How should be named classes, is it User and Role? Cuz I seen many different versions of it.
Where should I post JSON file with login and password?
How should it look like?
Thanks in advance for all answers and examples of your code (github or something).
REST APIs are usually stateless. It does not know something about a session. So i think you're looking for an basic auth to protect your API.
Or you could use openid connect and check the roles based on a token. This would give you more flexibility for pre conditions and post conditions processing a service call.
Here is a good example of openid connect with spring boot and google implementation. Other provider are adaptable. Baeldung - Spring Security openid connect
If you're just looking for a simple solution with basic auth, take a look here
Baeldung - Spring Security basic auth
yes, you can use form login and rest API together, but that means that your rest API isn't going to be stateless, it means that a session will be created and rest APIs are usually stateless, that's why you have to use basic auth, jwt, etc when creating a rest API, but if you really want to use rest API with form-based authentication, I made an example for you, check this link
This example uses Spring Boot, Spring MVC, H2, Spring Security with custom form login, Spring Data Jpa, but again it's not recommended to use form login for rest API.
Regarding to your questions
How should be named classes, is it User and Role? Cuz I seen many different versions of it.
It's up to you
Where should I post JSON file with login and password?
If you are using spring security form-based authentication, there no need to post a json
How is SSO with SAML 2.0 typically implemented for a Spring MVC application?
My application is required to implement SSO so the users can log in without creating a new account with my application.
My understanding is that, and correct me if I'm wrong, I need a Service Provider to communicate with the Identity Provider the third party uses in order to exchange the metadata. But how do I go about to achieve this process?
Also, what is required on the Spring MVC application side?
Thanks in advance :D
https://github.com/spring-projects/spring-security-saml implements the SAML SP and integrates into the web app via servlet filters. For SAMLv2 SSO overview look at http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
I am new to spring security
I have a front end application built using vuejs which calls spring rest api to interact with the backend system.
I have a login page where user enters the password. I want to be able to authorise the user if his login is correct and for the subsequent request authorise him with rememberMe token.
I know there is a lot of information available on the topic but
What is the right way to implement?
Should i use basic authentication ? If I am using basic authentication , how should i set up remember me along with basic authentication?
Should the authentication be handled in post call instead of using a auth filter?
Here are two scenario
If your front-end is built on any frontend framework and it's not dependent on any Server Pages(e.g JSP, Freemarker, velocity) or you want your frontend application to connect to your backend application through web services(Rest web service or SOAP web service) then you need to implement your own token base authentication with help of spring security instead of Basic Authentication of Spring security.
Else you should go with Spring Security Basic authentication, for implement Remember-me with spring security, Spring Security provides two implementations for Remember-Me :
1: Simple Hash-Based Token Approach: It uses hashing to preserve the security of cookie-based tokens
2: Persistent Token Approach: It
uses a database or other persistent storage mechanism to store the
generated tokens
Here is spring remember-me doc for it
I have requirement for our application where we need to implement Spring SAML within our app to enable federated SSO for one customer. However we need to maintain existing login flow using spring-security for other customer.
So my question is can we have two security mechanism for an web application so that it will be treated as multi-tenancy.
Can i implement OAuth and SAML in same application.
thanks in advance..
Yes, you can combine your existing password authentication with SAML. See the sample application of Spring SAML for details - it contains both of the methods combined. It is also possible to include OAuth use-cases, but I'm not aware of any guide for it.