Spring Security is great when the developer wants to secure his web app.
However, what about creating the account? and "forgot password"? most login pages have these links as well as the username and password fields. Spring's default login-page does not have these links... in the good case, it can support "remember me"...
Does Spring supports these flows, of Create Account, Forgot Password and Change Password?
If the answer is yes, can you please point me to some documentations?
I've searched this issue but could not find anything.
Thanks!
You are completely right. AFAIK there is no "generic" package that implements these flows. I've searched a lot for this kind of code a while ago, and found nothing. I think that #luizcarlosfx is right, that each application has its own needs, therefore it is hard to write something generic that fits all needs.
EDIT:
I saw comments like "It's not so difficult to implement". True. But you have to make sure you take care of all cases. For example, what happens if a user tries to create account that is already exists? what happens if a user tries to create account that is already exists but inactive? what about the policy of the password? (too long/too short/how many capital etc) what about sending the email with the activation link to the user? how fo you create this link? how do you encrypt it? what about the controller that will receive the click on the link and activate the account? and more and more...
However, I took it a step forward and tried to code something that will answer most flows - registration, forgot-password, change password etc, and something that will be secured enough so applications will be able to use it without the fear that it will be easily hacked.
I have implemented a JAVA project for this use case. It is open source, based on Spring-Security. A release version is on Maven-Central, so you do not need to compile it, but instead you can fetch it as maven-dependency to your project!
<dependency>
<groupId>com.ohadr</groupId>
<artifactId>authentication-flows</artifactId>
<version>1.5.0-RELEASE</version>
</dependency>
I think it answers your question...
There are explanations for everything (and if something is missing - let me know...)
You can find here an example for a client application's code (i.e. the usage).
This is the main page of the project plus a demo, and another demo is here (but this is an app that after upgrading to version 1.6.1 requires login with email with "nice" domain - nice.com. so you cannot really use it for demo; use the first example).
This is a client web-app that uses the auth-flows, with the README with all explanations.
Hope that helps!
I think appfuse is a tool for what you want. This lines are from it's documentation:
AppFuse comes out of the box with features that many applications need, including:
Authentication and authorization
User management
Remember Me (which saves your login information so you don't
have to log in every time)
Password reminder
Signup and registration
SSL switching
E-mail
Extension-less URLs File upload
Generic CRUD backend
Full Eclipse, IDEA and NetBeans support
Fast startup and no deploy with Maven Jetty Plugin
Testable on multiple appservers and databases with Cargo and profiles
Related
I am doing a small RESTfull API tutorial project as an information portal. I wrote the front by myself (html + css + js + a little burstrap). Rest chose because of the increasing popularity, since studying, then learning what is needed at the current time.
In general, I will pass to the essence of the problem: a site is a few pages with articles, general information, pictures, etc. - in short, nothing supernatural, and there is no magic logic. I decided to implement an administrator, because someone has to edit these articles, and then I rested.
I don’t understand how to implement it correctly? All I found was about spring security and the distribution of roles to users, but I don't need any users, I only need the site admin. How is this implemented correctly? Which way should I look?
P.S. Several people advised me not to use spring for this, but to take something simpler, such as django or flask, but I am studying Java and would like to master spring.
How about considering spring boot admin https://codecentric.github.io/spring-boot-admin/current/ ?
I also used spring boot admin. it is powerful
Your question is not a coding question, it's an application design question.
The solution is actually embedded in your question,
All I found was about spring security and the distribution of roles to users
You can create a page from which the admin can log in and edit whatever needed, you will have to design the admin panel and stuff like that.
The users' creation and login mechanism is a well-documented subject.
check here for example.
Check this for the JWT solution.
I see no activity within the last couple of months in the project spring-cloud-aws. No issues get answered, no PRs get reviewed or merged. This is a problem for my team, because we're trying to use this module, as we're heavily relying on spring boot apps and on sqs queues, but there are new features which does not get included into the module anymore, for example list typed message attributes for SNS messages.
One of my colleagues even opened a PR fixing the above issue, but there is no reaction. I do not really know how to raise awareness of this problem within the spring team.
Is the Spring developer team even aware of this issue and just don't care or is it unknown for them? If someone could take ownership of the project, at least for approving PRs, that would be great. I personally, would not really want to write custom implementations for integrating with AWS, or use the raw API without spring.
Unfortunately this sort of thing happens often to OSS. You may want to re-upload this as a derivative so changes can be made by you and the community once more.
This project is under the Apache license so derivatives are perfectly OK.
I'm going to implement Access Control List using java.security.acl for displaying permitted items in a user account page.
For instance, there are some users and user groups and the users as well as the groups can have some permissions. There are some links in the user account page, they are add, delete, edit and view. The user account page is same for all users, but the links (add, delete, edit and view) will be displayed differently according to the user permission.
I can achieve this task with collection framework. I'm going to implement it with java.security.acl in an initial development of an ERP (enterprise application). I want to know whether there will be any security loop hole or something with this implementation (even in future). Why I doubt is that when I visited a site which says The use of this package is not recommended.
Is there any advantage of using this package instead of collection framework? Is there any case which needs the implementation of this package in a Java EE project? All your recommendations, suggestions and advices are welcome.
I guess it might be too late to provide an answer, but I came across the question and I had just been reading up things on ACL.
First of all, the classes in the java.security.acl have been superseded by the classes in the java.security packages As mentioned here. As a general policy, while doing new development, I prefer to use only the latest APIs.
Second; the classes in the java.security packages are probably meant only for securing the system resources like file I/O and network I/O or printers and so on. Securing your application's domain object is not what they were meant for, as mentioned in the last paragraph here.
You could look into spring-security-acl for this purpose, or roll your own solution (as you mentioned in the question).
Is there any advantage of using this package instead of collection framework?
Well, depends on what you are trying to achieve, but, in your case, the question is not relevant.
Is there any case which needs the implementation of this package in a Java EE project?
No, not required unless you need to access resources on the client-side, or planning to use custom socket-based communications with SSL/TLS.
I am creating a web site in which user will be registered and he/she will be redirected if he/she has account.
So I was thinking to use servlet to link form and database.
Is it safe to use from hacking.?
Which is the best language which has less chances to get hacked than servlets ?
Well I am quite exicited to create it but I really don't want hacking my site very easy task.
As long as you are using Java for web forms, at some point any framework you use is based on servlets. So if you use them properly, yes it is safe.
The main point to keep in mind to prevent cracking your authentication (if database based) is SQL injection. As long as you use Hibernate, JPA or prepared statements you should be safe.
If using Tomcat, you can also start with Tomcat native authentication.
Just like any other framework, it's reasonably safe from hacking and not totally immune. You will be vulnerable to:
mistakes in your code/logic;
vulnerabilities in Tomcat/your servlet runner as they are discovered;
vulnerabilities in the JVM as they are discovered;
vulnerabilities in the OS;
vulnerabilities in... well, you get the idea...
In other words, it's essentially not so different anything else you might decide to use (be it PHP etc). I personally prefer Java to e.g. PHP because I have more confidence that there isn't some random default setting that's going to put the app at risk. But that's also because I'm far more of an expert in Java than PHP-- "use the technology you know best" is also another strategy...
Main things to keep in mind, apart from keeping your infrastructure updated:
don't use "raw" SQL to access the DB: at least use prepared statements, and for good measure implement some sensible validation on user input;
look at the Servlet Session API;
you generally want to check the logged in user for every page request: not sure exactly what you meant by "redirection";
if possible, firewall off "raw" access to the database, so that only localhost/the app server (if hosting DB on a separate server-- guess you won't to start off with) can access your DB (if you need to access remotely, consider a VPN connection).
I also wouldn't necessarily just "dive in": have more of a read round the subject.
Currently I'm building my Java Web Application on Google AppEngine (GAE), but due to a lot of limitations they have I'm afraid that I'm going to have to switch from GAE to my own server which is running Glassfish (or I can setup any other server if needed). Also I'm planning to run Oracle or MySql databases. What do I need to do in order to switch from GAE to my server? Do I need to rewrite my code? Should I continue using Datanucleus or switch to something else? Anything else?
Why not follow the info given in the original Google campfire ? There was a presentation by IBM on how to run an AppEngine app using DB2. They simply dropped the datanucleus-rdbms jar in the CLASSPATH, changed the connection URL etc, and ran it. Like in this PDF
http://download.boulder.ibm.com/ibmdl/pub/software/dw/wes/hipods/GAE_Java_Interoperability.pdf
--Andy (DataNucleus)
We won't be able to give very good advice without knowing how you wrote your app. Did you create a data access layer that separates your datastore access from your business logic? Or do you pass app engine specific objects all over the place? Are you using the gae user service? or memcache?
The first thing you should do is look at all your import statements. Anytime you see a com.google.something in there, you know you need to change that. You didn't give much detail about how you wrote your app, but if you are asking about datanucleus you probably were using JDO or JPA, which means you may be able to reuse most of your data layer. You might have a bunch of Key fields which you'll have to change, and maybe a few gae specific annotations. You'll probably have to double check how you handle transactions, as that is likely to be different in a SQL database, which don't use entity groups like GAE does.
I haven't tried but there is an open source implementation of GAE called appscale http://code.google.com/p/appscale/