We have a requirement where we need to enable SAML authentication in our application for a customer that has ADFS as IDP.
After considering various options, I was able to get this working with Spring SAML security as provided in the documents.
Now the issue is to integrate the SAML security with our application.
Unfortunately, our application is still a leagacy java application using servlets and jsp and not spring based.
I was just wondering how can the 2 be integrated. The document mentions that this possible .However, i was unable to find any write up on it.
Can someone plz direct me to the relevant source that can provide guidelines for this approach.
Thanks.
Classes in package org.springframework.security.saml.websso contain the core of SAML processing functionality and are independent of Spring Security. They do contain few class imports from Spring, therefore Spring-core classes need need to be on the classpath, but the application itself doesn't need to use Spring/SpringSecurity.
You will need to re-implement yourself logic which is specific to Spring Security - package org.springframework.security.saml - e.g. SAMLEntryPoint, SAMLProcessingFilter, and call your implementation during your authentication lifecycle. Logic of these classes is simple, so enabling basic use-cases is pretty easy.
Thanks VladimĂr for the guidance. This is how i integrated a standard legacy java app with spring security for saml based authentication:
Modified securityContext.xml
set idpDiscoveryEnabled=false
set forceAuthN= true to force user to login when saml token expires
updated defaulttargetURL in successHandler to authhandler.jsp page,present in spring security app, to redirect back to my application
I have a filter applied on all the web calls in my java app . This
filter redirects the call to /spring-security-saml2/saml/login
spring saml authenticates the user with ADFS.On successful authentication, user is redirected to authhandler.jsp
Authhandler.jsp is same as index.jsp but the retrieved claims are hidden fields here. These values in hidden fields are send back to my standarda java application.
Here my java application performs other application level authentication and proceeds as desired.
Would appreciate any suggestions for improvisation or identification of any flaws in the above approach
Related
I'm trying to implement my own IdP on Spring boot. I followed the documentation of Spring security SAML to give me a clear idea but there are no good examples of this. The only part I found is
You can test IDP initialized single sign-on with URL https://idp.ssocircle.com:443/sso/saml2/jsp/idpSSOInit.jsp?metaAlias=/ssocircle&spEntityID=replaceWithUniqueIdentifier, after replacing the service provider identifier with the one configured as entityId in your securityContext.xml. It is possible to provide relayState data sent to your SP with parameter RelayState.
But this example bases on ssocircle is the IdP and the sample Java project is the SP. So I can't see any of the ssocircle configurations (what endpoints I need and other configs) and really can't find any good example of this. In some part I read that with the Spring security SAML dependency I can make my application act as an IdP, then I reread the full document I noticed this
This chapter provides essential information needed to enable your application to act as a service provider and interact with identity providers using SAML 2.0 protocol. Later in this guide you can find information about detailed configuration options and additional use-cases enabled by this component.
Basically, this document does not cover what I'm trying to do, and right now I don't even know if this dependency will help me to reach my goal or I will need to move to another library like Shibboleth project. Have you faced this issue before?
Does any of you have some example of Custom Spring Security Login form using REST Api? I am actually trying to create my own, and the problems I'm facing are:
How should be named classes, is it User and Role? Cuz I seen many different versions of it.
Where should I post JSON file with login and password?
How should it look like?
Thanks in advance for all answers and examples of your code (github or something).
REST APIs are usually stateless. It does not know something about a session. So i think you're looking for an basic auth to protect your API.
Or you could use openid connect and check the roles based on a token. This would give you more flexibility for pre conditions and post conditions processing a service call.
Here is a good example of openid connect with spring boot and google implementation. Other provider are adaptable. Baeldung - Spring Security openid connect
If you're just looking for a simple solution with basic auth, take a look here
Baeldung - Spring Security basic auth
yes, you can use form login and rest API together, but that means that your rest API isn't going to be stateless, it means that a session will be created and rest APIs are usually stateless, that's why you have to use basic auth, jwt, etc when creating a rest API, but if you really want to use rest API with form-based authentication, I made an example for you, check this link
This example uses Spring Boot, Spring MVC, H2, Spring Security with custom form login, Spring Data Jpa, but again it's not recommended to use form login for rest API.
Regarding to your questions
How should be named classes, is it User and Role? Cuz I seen many different versions of it.
It's up to you
Where should I post JSON file with login and password?
If you are using spring security form-based authentication, there no need to post a json
I have requirement for our application where we need to implement Spring SAML within our app to enable federated SSO for one customer. However we need to maintain existing login flow using spring-security for other customer.
So my question is can we have two security mechanism for an web application so that it will be treated as multi-tenancy.
Can i implement OAuth and SAML in same application.
thanks in advance..
Yes, you can combine your existing password authentication with SAML. See the sample application of Spring SAML for details - it contains both of the methods combined. It is also possible to include OAuth use-cases, but I'm not aware of any guide for it.
I have a spring-mvc and spring-security + spring-security-social webapplication which I would like to provide restful login to allow a rest client to interact via this application. Let me explain a little bit more:
For the web application, everything is working fine. Login, roles, Facebook login, without any xml using Spring-Core version 4 and Spring-Security version 3.
Requirement
Provide a restful service in which will allow the user to sign in on the application and provide its user all the access like the web login.
I've been searching over the web, but I can only find old examples using older spring versions and with xml code.
REST is stateless. With that in mind, are you looking to still have authentication/authorization for the services in a RESTful fashion? To do this, you will have to authenticate the user on EVERY call. You can use Basic authentication to stick to strict REST principles or you can violate REST slightly by using OAuth yourself.
RESTful services are typically developed for other developers to incorporate in their code. They're not meant to be exposed directly to a user of a service.
If you need to provide client like functionality (login, allow user to access features/services, etc), then there is no need to develop a RESTful service. You can use Spring MVC in combination with Spring Security for that.
I am learning Java Security JCE/JAAS. I am not able to get a example where we need to implement JAAS login module in real word webapplication.
Can any one please guide me where I can implement JAAS in my web application. as much i know this is authentication and authorization service.
///
If my understanding is correct now, it means if there is any service(Like LDAP) is running in our webserver or any other webserver, and if we want to consume that service then we need to implement JAAS to authenticate our application.
JAAS is one way of implementing login on a container. JAAS main benefits come from the facts that it is a standard framework integrated in the JRE - so you get plenty of information, samples, connectors, etc - and that it properly separates the various concerns of user authentication.
In particular, it clearly separates authentication (validating the supplied credentials) and authorization (role and permissions granted to the user).
While authentication is very often "generic" or "external", for instance using an LDAP server, authorization is often tightly coupled with you application: roles and permissions are usually specific to the business problem the application addresses.
Implementing your own JAAS module is a simple way of addressing this issue, while staying within the boundaries of a well-defined framework and without having to provide a low level implementation to inject the module with the login cycle and session management of the container.
You don't need to implement your own JAAS login module with standard servlet containers unless you want to modify its standard behaviour as they provide you with several standard means to achieve it.
Here you will find a tutorial showing how to use the form login with Tomcat (no need for rolling you own LoginModule):
http://www.avajava.com/tutorials/lessons/how-do-i-use-form-authentication-with-tomcat.html
Generally, you, as the application developer, do not implement JAAS modules. instead, you choose which JAAS module you need to use for your application from pre-existing modules included in the app server you are using. most application servers come with a variety of implementations which allow you to do common things like authenticate using info from a database, ldap, active directory, kerberos, etc. you would determine which authentication source you need to use and configure your application appropriately.
The main advantage of JAAS is that its pam that is pluggable authentication module.. thus if an application wants to be separated from the authentication and authorization system you can use JAAS. moreover JAAS unlike java general security not only verifies the code source but also the person using the code source to access.. so thus if a web app needs pam and the authorization should be of code source as well as code handler then JAAS is better.