How does Spring Security detect the password field? - java

I am developing a web application using Java with Spring MVC and Spring Security. I can see that Spring Security does the authentication and security-related tasks by itself, which is OK. I was wondering how Spring Security detects the password field in the database on which the authentication is made!
I have stored the user passwords in a column named 'xyz'. Now, how can I ask Spring Security to look for the user password in the column 'xyz'? I tried to find a clear answer for this, but couldn't. So, if you guys could please help me to get a clear concept about this, I'd appreciate that!

First, you need to set up JDBC connectivity. For that you can use Spring JDBC so that the connections are Spring-managed.
Then, you need to override UserDetailsService of Spring Security with your own queries. An example is given here.
Then wire your services either via programmatic configuration or via XML configuration, whichever way you have done it in your project.
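As an added illustration of the answer above (this is not the answerer's code or the linked example), the point to get across is that Spring Security never inspects the table to find a password column: its JDBC user service runs the query you give it and reads the result positionally as (username, password, enabled). The alias in the SELECT list is therefore the whole trick. The example assumes Spring Security 4.x/5.x Java configuration and tables USERS(USERNAME, XYZ, ENABLED) and AUTHORITIES(USERNAME, AUTHORITY); every name other than the 'xyz' column is an assumption.

```java
// Added example, not from the question or the answer. Assumes Spring Security 4.x/5.x
// Java config and tables USERS(USERNAME, XYZ, ENABLED), AUTHORITIES(USERNAME, AUTHORITY).
import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class PasswordColumnConfig extends WebSecurityConfigurerAdapter {

    private final DataSource dataSource;

    public PasswordColumnConfig(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    @Bean
    public UserDetailsService jdbcUserDetailsService() {
        JdbcDaoImpl dao = new JdbcDaoImpl();
        dao.setDataSource(dataSource);
        // Spring Security does not detect the column. It runs this query and reads the
        // result set positionally as (username, password, enabled), so the only thing
        // that makes "xyz" the password column is the alias in the SELECT list.
        dao.setUsersByUsernameQuery(
            "select username, xyz as password, enabled from users where username = ?");
        dao.setAuthoritiesByUsernameQuery(
            "select username, authority from authorities where username = ?");
        return dao;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Whatever the column is called, it should hold a salted hash, never the
        // plaintext; DaoAuthenticationProvider compares submitted passwords through
        // this encoder.
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(jdbcUserDetailsService()).passwordEncoder(passwordEncoder());
    }
}
```

The XML equivalent is the same query on the namespace element: `<jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username, xyz as password, enabled from users where username=?"/>` inside `<authentication-provider>`. Two checks worth making: the query must return exactly three columns in that order (the third read as a boolean), and the `xyz` values must be in the format the configured PasswordEncoder expects, otherwise every login fails with bad credentials even though the column lookup is correct.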

Related

Spring security client PKCE with Keycloak

I have a Java application using Spring Security 5.2.1 and secured by Keycloak.
The client in Keycloak is a public openid-connect client.
It works fine.
I have now a requirement to use PKCE (Proof Key for Code Exchange).
As Client Support for PKCE has been added to Spring Security 5.2.0.M2 and as I use Spring Security 5.2.1, I can use Spring Security to implement it.
That's the good news.
The 'bad' news is that I found nearly nothing on the Web or in the Spring Security documentation on how I must implement it, practically.
Adding "enable-pkce": true in keycloak.json doesn't work, and I don't find any clear example of what to do.
Is there some documentation, website or whatever else describing what to do to implement this?
Thank you very much !
From the Spring Security reference documentation https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#initiating-the-authorization-request
PKCE will automatically be used when the following conditions are true:
client-secret is omitted (or empty)
client-authentication-method is set to "none" (ClientAuthenticationMethod.NONE)
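Spelled out in code, the two conditions quoted from the reference look like the registration below. This is an added example, not part of the answer or the Spring reference; the Keycloak host, realm name and client id are assumptions, while the endpoint paths under `/protocol/openid-connect/` are Keycloak's standard ones. `redirectUriTemplate` is the 5.2 builder name (5.4 and later call it `redirectUri`).

```java
// Added example for Spring Security 5.2.x OAuth2 client; host, realm and client id are assumed.
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

@Configuration
public class KeycloakPkceConfig {

    // Keycloak realm base URL (assumed). Keycloak's OpenID endpoints hang off this path.
    private static final String ISSUER = "https://keycloak.example.com/auth/realms/demo";

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration keycloak = ClientRegistration.withRegistrationId("keycloak")
            .clientId("spring-public-client")            // a *public* client in Keycloak
            // No .clientSecret(...) call and authentication method NONE: these are the two
            // conditions under which Spring Security adds code_challenge/code_verifier.
            .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
            .scope("openid", "profile")
            .authorizationUri(ISSUER + "/protocol/openid-connect/auth")
            .tokenUri(ISSUER + "/protocol/openid-connect/token")
            .userInfoUri(ISSUER + "/protocol/openid-connect/userinfo")
            .jwkSetUri(ISSUER + "/protocol/openid-connect/certs")
            // so the ID token's iss claim is validated against the realm
            .providerConfigurationMetadata(Collections.<String, Object>singletonMap("issuer", ISSUER))
            .userNameAttributeName("preferred_username") // claim Keycloak puts in the ID token
            .clientName("Keycloak")
            .build();
        return new InMemoryClientRegistrationRepository(keycloak);
    }
}
```

With Spring Boot's property binding the same thing is `spring.security.oauth2.client.registration.keycloak.client-authentication-method=none` with no `client-secret` key; `enable-pkce` in `keycloak.json` belongs to the Keycloak adapter, which Spring Security's own client does not read. To verify it worked, watch the redirect to the authorization endpoint in the browser: the request must carry `code_challenge` and `code_challenge_method=S256`, and the token request must send `code_verifier` instead of a client secret.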

How to use spring boot security for custom login page without configuration?

I am using Spring Security on a Spring Boot app and I cannot use the custom login page I made. I want to use a custom login page by default without using a configuration controller; instead I want to change the configuration from application.properties. Also I want to deny access to other pages until login is successful. Please also help me to log out of the application.
The Spring Security Reference provides an extensive guide on how to implement your custom login page.
I put together a small example in this repo
Spring Security With Custom Login Page
An example of Spring Security with a custom login page is provided; along with that, SiteMesh + Hibernate is also implemented. You have to create a database; a dump is given in the readme file.
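The three things the question asks for (own login page, everything else locked until login, logout) are what the reference guide's form-login configuration covers, and as an added example they fit in one configuration class. This is not the repository linked in either answer; the paths `/login`, `/logout`, `/css/**` and `/js/**` and the template name `login` are assumptions, and it assumes the Spring Boot / Spring Security 5 Java-config style.

```java
// Added example, not from either answer. Paths and template name are assumptions.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
@EnableWebSecurity
public class LoginPageConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // assets the login page itself loads must be reachable anonymously,
                // otherwise the browser is redirected to /login for the stylesheet too
                .antMatchers("/css/**", "/js/**").permitAll()
                // everything else needs an authenticated session
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")            // GET renders our own template
                .loginProcessingUrl("/login")   // POST username/password here
                .failureUrl("/login?error")
                .permitAll()                    // login page and failure URL stay public
                .and()
            .logout()
                .logoutUrl("/logout")           // POST /logout; needs the CSRF token when CSRF is on
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll();
    }
}

/** Maps GET /login to the "login" view without writing a controller. */
@Configuration
class LoginViewConfig implements WebMvcConfigurer {
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/login").setViewName("login"); // e.g. templates/login.html
    }
}
```

The template's form must POST to `/login` with fields named `username` and `password` plus the `_csrf` hidden field, and logout should be a POST form rather than a plain link, since with CSRF protection enabled a GET to `/logout` is rejected. None of this can be expressed purely in application.properties; the properties only cover the auto-configured default user, not the login page.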

Dynamic configuration in a java/camel/spring/jpa application

I have written an application using Java, Camel, Spring, Shiro, c3p0 and JPA.
This application needs to connect to some web services and some DBs, and it now has a static configuration using classic Spring property placeholders and .properties files.
I inject properties into Java classes using @Value annotations and I define datasources using Spring with ${} placeholders.
In the configuration there are URL, username and password for the web services, and database URL, username and password for the datasource.
Now I need to do a dynamic/multi tenant configuration. I mean that each "customer" can have his set of passwords and that these login/passwords can change over time.
Using shiro I can add to the Subject some data, so I can add current properties to it and get them where I need.
But how can I continue to use @Value annotations?
And, most important question, how can I change datasources parameters at runtime?
I see in the c3p0 documentation that using getConnection(username, password) with a new pair of username and password creates a new pool and closes the old one. But I do not use getConnection because only the EntityManager uses the datasource.
Please help me!
Thanks,
Mario
After a lot of searching I think I can do in this way:
for properties use DynamicCombinedConfiguration from Commons Configuration, but I do not know how to tell it to read the tenant id from the Shiro Subject
for JPA use AbstractDataSource from Spring, but again I do not know if I can read the tenant id from the Shiro Subject
Can you tell me if I am pointing in the right direction?
Thanks again,
Mario
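For the datasource half of the question, the Spring class built for exactly this is AbstractRoutingDataSource: it picks a target DataSource per getConnection() call from a lookup key, and the key can come from the Shiro Subject. The sketch below is an added example, not Mario's code; it assumes the tenant id is stored in the Shiro session under "tenantId" at login, that each tenant's JDBC settings are registered by some admin code, and that c3p0 (as in the question) provides the pools. Rotated credentials are handled by building a fresh pool and closing the old one, which is the effect the c3p0 documentation describes for getConnection(user, password), done explicitly.

```java
// Added example, not the poster's code. Assumes Shiro session attribute "tenantId" and c3p0 pools.
import java.beans.PropertyVetoException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.sql.DataSource;

import com.mchange.v2.c3p0.ComboPooledDataSource;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.springframework.jdbc.datasource.lookup.AbstractRoutingDataSource;

public class TenantRoutingDataSource extends AbstractRoutingDataSource {

    public static final String TENANT_ATTR = "tenantId"; // assumed Shiro session attribute

    // one c3p0 pool per tenant, replaced wholesale when credentials rotate
    private final Map<String, ComboPooledDataSource> pools =
            new ConcurrentHashMap<String, ComboPooledDataSource>();
    private final String driverClass;

    public TenantRoutingDataSource(String driverClass) {
        this.driverClass = driverClass;
        // AbstractRoutingDataSource insists on this property even though we bypass it below
        setTargetDataSources(new HashMap<Object, Object>());
    }

    /** Tenant id of the current Shiro Subject, or null when nobody is logged in. */
    @Override
    protected Object determineCurrentLookupKey() {
        Session session = SecurityUtils.getSubject().getSession(false);
        return session == null ? null : session.getAttribute(TENANT_ATTR);
    }

    /** Resolve against the live registry instead of the map frozen at afterPropertiesSet(). */
    @Override
    protected DataSource determineTargetDataSource() {
        Object tenant = determineCurrentLookupKey();
        DataSource ds = tenant == null ? null : pools.get(tenant.toString());
        if (ds == null) {
            // Fail closed: never silently fall through to another tenant's database.
            throw new IllegalStateException("no data source registered for tenant " + tenant);
        }
        return ds;
    }

    /** Register a tenant or rotate its credentials; the previous pool is closed after the swap. */
    public void registerTenant(String tenantId, String jdbcUrl, String user, String password)
            throws PropertyVetoException {
        ComboPooledDataSource fresh = new ComboPooledDataSource();
        fresh.setDriverClass(driverClass);
        fresh.setJdbcUrl(jdbcUrl);
        fresh.setUser(user);
        fresh.setPassword(password);
        ComboPooledDataSource old = pools.put(tenantId, fresh);
        if (old != null) {
            old.close(); // drain in-flight work on the old credentials first if that matters
        }
    }

    public void removeTenant(String tenantId) {
        ComboPooledDataSource old = pools.remove(tenantId);
        if (old != null) {
            old.close();
        }
    }
}
```

Wire this bean as the dataSource of the JPA EntityManagerFactory so Hibernate obtains every connection through it. Two caveats: the lookup happens per connection, and a JPA transaction holds its connection, so the tenant must not change mid-transaction; and @Value bindings are resolved once when the bean is created, so per-tenant values cannot be injected that way and have to be fetched at call time from a registry like the one above.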

How to implement dynamic intercept-url patterns, i.e. from a database, in Spring Security 3.0.5

I am new to Spring Security, so I am not getting how to proceed to make the URLs that are to be authenticated come from the database.
What things need to be added in applicationContext-security.xml and what custom Java classes will be needed?
Please help me with example.
Thanks
I had the same issue as you. The following links would be helpful.
http://static.springsource.org/spring-security/site/faq.html#faq-dynamic-url-metadata
http://forum.springsource.org/showthread.php?112799-How-to-dynamically-decide-lt-intercept-url-gt-access-attribute-value-in-Spring-Security
How to dynamically decide <intercept-url> access attribute value in Spring Security?
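The class the FAQ entry points at is a custom FilterInvocationSecurityMetadataSource: the FilterSecurityInterceptor asks it for the ConfigAttributes of each request, so if it reads its rules from a table, the intercept-url definitions are effectively in the database. The version below is an added example, not from the answer or the linked FAQ; it assumes Spring Security 3.0.x (hence no lambdas) and a table URL_ACCESS(PATTERN, ACCESS, ORD), and the table and column names are assumptions.

```java
// Added example, not from the answer or the FAQ. Assumes Spring Security 3.0.x and
// a table URL_ACCESS(PATTERN, ACCESS, ORD) holding ant patterns and comma-separated roles.
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.util.AntPathMatcher;

public class JdbcUrlSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    private static final class UrlRule {
        final String pattern;
        final List<ConfigAttribute> attributes;
        UrlRule(String pattern, List<ConfigAttribute> attributes) {
            this.pattern = pattern;
            this.attributes = attributes;
        }
    }

    private final JdbcTemplate jdbc;
    private final AntPathMatcher matcher = new AntPathMatcher();
    private volatile List<UrlRule> rules = new ArrayList<UrlRule>();

    public JdbcUrlSecurityMetadataSource(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
        reload();
    }

    /** Re-read the table; call this from an admin action or a scheduler when rules change. */
    public void reload() {
        // ORD matters: rules are tried top-down, so specific patterns must come before /**.
        List<UrlRule> loaded = jdbc.query(
            "select pattern, access from url_access order by ord",
            new RowMapper<UrlRule>() {
                public UrlRule mapRow(ResultSet rs, int rowNum) throws SQLException {
                    // ACCESS holds e.g. "ROLE_ADMIN,ROLE_AUDIT"
                    return new UrlRule(rs.getString("pattern"),
                            SecurityConfig.createList(rs.getString("access").split(",")));
                }
            });
        rules = loaded; // volatile swap: a request sees either the old list or the new one
    }

    public Collection<ConfigAttribute> getAttributes(Object object) {
        String url = ((FilterInvocation) object).getRequestUrl();
        int q = url.indexOf('?');
        if (q >= 0) {
            url = url.substring(0, q); // match the path only, never the query string
        }
        for (UrlRule rule : rules) {
            if (matcher.match(rule.pattern, url)) {
                return rule.attributes;
            }
        }
        // No rule: null lets FilterSecurityInterceptor treat the URL as public unless
        // rejectPublicInvocations=true is set on it, which is the deny-by-default choice.
        return null;
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        List<ConfigAttribute> all = new ArrayList<ConfigAttribute>();
        for (UrlRule rule : rules) {
            all.addAll(rule.attributes);
        }
        return all;
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```

Declare it as a bean and hand it to the FilterSecurityInterceptor by one of the routes the FAQ entry describes for 3.0.x (a BeanPostProcessor that replaces the interceptor's securityMetadataSource, or your own interceptor bean registered with `<custom-filter>`). Note that AntPathMatcher is case-sensitive while the namespace config lowercases URLs before comparison by default; pick one convention and store the patterns accordingly, and set `rejectPublicInvocations` on the interceptor so that a URL missing from the table is denied rather than open.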

Roles/Privileges in a Spring/Hibernate application

In a banking or similar application there are usually several roles defined and associated privileges required (for example a normal user could only do transactions but not post them, while a supervisor can verify and post them; sort of maker/checker). We also need to add new roles and privileges to the system (not sure about the latter).
How do you achieve this role-based access in a Spring/Hibernate application? Especially in terms of scaling up to add new roles/privileges. Can Acegi (I never used it) help? Any other idea that can help me achieve the above would be appreciated.
Thanks,
As duffymo mentioned, Acegi has been renamed to "Spring Security" and it's what I would recommend if you're already working with Spring.
There's more documentation online for Acegi than Spring Security, so if in doubt you can find useful information in the Acegi docs/tutorials as well as the more recent Spring stuff.
If you can design your user table to fit with Spring Security's concept (user name, password, roles, each with certain specified types and names) then you can use Spring Security's DAO classes right out of the box; if not, you build a tiny adapter class to hook up Spring Security to your database for the user query.
You can specify required roles per servlet/URL or even at the method level. It took me a day or two to wrap my head around the concepts involved, but after that configuring it was reasonably easy, and I was happy that they've already solved most of the kinds of problems that arise in connection with Web security.
Yes, Spring Security (formerly known as ACEGI) can do it.
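The maker/checker rule and the "add roles later" requirement from the question fit the method-level security the first answer mentions. The added example below is not from either answer: the annotations name privileges rather than roles, and a GrantedAuthoritiesMapper expands each role into its privileges from a map that in a real system would be loaded from the database, so a new role is a data change rather than a code change. It assumes Spring Security 4.x/5.x Java config; the authority names and the Transaction fields are assumptions.

```java
// Added example, not from either answer. Authority names and the domain class are assumptions.
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig { }

/** Domain object; 'maker' records who entered the transaction. */
class Transaction {
    private final String id;
    private final String maker;
    private boolean posted;
    Transaction(String id, String maker) { this.id = id; this.maker = maker; }
    public String getId() { return id; }
    public String getMaker() { return maker; }
    public boolean isPosted() { return posted; }
    void markPosted() { posted = true; }
}

/**
 * Expands role authorities (ROLE_*) into privilege authorities. The map is hard-coded here
 * as sample data; in practice it is the ROLE->PRIVILEGE table, so adding a role needs no
 * code change. Plug it in with DaoAuthenticationProvider.setAuthoritiesMapper(...).
 */
class RoleToPrivilegeMapper implements GrantedAuthoritiesMapper {
    private final Map<String, List<String>> privilegesByRole;

    RoleToPrivilegeMapper(Map<String, List<String>> privilegesByRole) {
        this.privilegesByRole = privilegesByRole;
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> out = new LinkedHashSet<>(authorities); // keep the roles too
        for (GrantedAuthority role : authorities) {
            for (String privilege : privilegesByRole.getOrDefault(
                    role.getAuthority(), Collections.<String>emptyList())) {
                out.add(new SimpleGrantedAuthority(privilege));
            }
        }
        return out;
    }
}

@Service
public class TransactionService {

    /** Maker step: anyone holding the create privilege may enter a transaction. */
    @PreAuthorize("hasAuthority('TXN_CREATE')")
    public Transaction create(String id) {
        String maker = SecurityContextHolder.getContext().getAuthentication().getName();
        return new Transaction(id, maker);
    }

    /** Checker step: needs the post privilege, and the checker must not be the maker. */
    @PreAuthorize("hasAuthority('TXN_POST') and #txn.maker != authentication.name")
    public void post(@P("txn") Transaction txn) {
        txn.markPosted();
    }
}
```

With sample data such as ROLE_USER -> [TXN_CREATE] and ROLE_SUPERVISOR -> [TXN_CREATE, TXN_POST], a supervisor who entered a transaction is refused when posting it (AccessDeniedException) because the second expression compares the maker with the caller's name. The `@P("txn")` annotation makes the parameter name available to the expression without relying on debug information or the `-parameters` compiler flag.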
