I am developing a single page application in AngularJS. The backend uses Spring2.8. The application communicates with backend via Rest.
I want to implement session management in my application. The idea is to create a unique token for each user and check it in every request.
Is there any way to do with spring2.8 without any database access.
You can implement spring security and define roles for each user.
http://docs.spring.io/spring-security/site/docs/current/guides/html5//
Related
I am new to spring security
I have a front end application built using vuejs which calls spring rest api to interact with the backend system.
I have a login page where user enters the password. I want to be able to authorise the user if his login is correct and for the subsequent request authorise him with rememberMe token.
I know there is a lot of information available on the topic but
What is the right way to implement?
Should i use basic authentication ? If I am using basic authentication , how should i set up remember me along with basic authentication?
Should the authentication be handled in post call instead of using a auth filter?
Here are two scenario
If your front-end is built on any frontend framework and it's not dependent on any Server Pages(e.g JSP, Freemarker, velocity) or you want your frontend application to connect to your backend application through web services(Rest web service or SOAP web service) then you need to implement your own token base authentication with help of spring security instead of Basic Authentication of Spring security.
Else you should go with Spring Security Basic authentication, for implement Remember-me with spring security, Spring Security provides two implementations for Remember-Me :
1: Simple Hash-Based Token Approach: It uses hashing to preserve the security of cookie-based tokens
2: Persistent Token Approach: It
uses a database or other persistent storage mechanism to store the
generated tokens
Here is spring remember-me doc for it
I am building two separate project , Rest services using spring 4.0 and a dynamic website using ZK and Spring .
I want to secure both Rest Services and the Website so user need to be authorized before browsing the website or requesting the Rest Services .
I am wondering if we can have one place for authorization , is this possible and how to share the identity of user between both sites ?
I am thinking of Shiro ?
Any Ideas
BR
Shahbour
Check out Spring Security, it integrates really easily with Spring (as the name would suggest). As far as how to keep user signed in across both apps, there are a few options. The simplest would probably be to have a central database where user information is stored that both apps can access. Add Spring Security to both apps. Web app would require user to authenticate and then any time it calls the REST service it provides current user's username/password. REST service would accept username/password and authenticate the user again. This approach would also work if you ever wanted to use your REST services directly without your Web UI.
I currently have a web application that is using the Spring Framework for authentication and authorization. I have a customer base that is wanting to implement Oracle Access Manager for authentication and authorization. Does anyone have any ideas how complex this migration will be given my current web application setup below?
Current Web Application:
uses custom Spring based filter for Single Sign On authentication
uses Spring form based security
web application currently uses MySQL and implements the Spring org.springframework.security.core.userdetails.UserDetailsService to authenticate a user against a MySQL table that has a username and encrypted password
UI is written in JSF/Facelets and uses Hibernate JPA implementation for all CRUD operations to MySQL
I've done a reverse migration once, from Sun Access Manager to plain Spring Security.
From what I've seen in legacy AM access code, your problem may be solved with single custom Spring Security filter, that accesses AM for authentication and authorization using this API (link may be outdated). So customer will be able to manage users and roles in Access Manager, but no architectural changes will be required for application itself.
AM access snippet (not tested):
SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
AMIdentityRepository repo = new AMIdentityRepository(adminToken, "realm_name");
IdSearchResults res = rep.searchIdentities(IdType.USER, uid, new IdSearchControl());
I've never done such integration myself, so maybe more proper ways exist.
I have an external SOAP web service that attaches to our services layer inside the application. For the Web 2.0 application, the services layer uses the session to store the user's "key chain" or the things a user can do in the system.
Now I'm trying to figure out how to do the same thing with my web service client to our services layer. The problem is that the web service URL can't contain a cookie that holds the session ID. (If I'm wrong, please say how and I'll do it that way.)
When the web service client connects the first time, I require a login and generate a security key that uniquely identifies that user and will expire within a certain period requiring them to login again.
I'd like to find a way in my endpoints to re-attach to the proper session for that security key and then the security will work automatically.
My endpoints are currently being served from tomcat.
How can I get there from here?
All input appreciated.
I ended up using REST to come back into our webapp through the URL so that I have a session. I connected to it that way.
I have an application runs on Java Spring 3. My application uses RESTful services and Spring Security for security. It has a user table and checks user credentials from it. I implemented web service capability to my application(one of customer's wanted web services instead of RESTful services). If possible I want same authentication mechanism and want to look up that database and allow just one user (for now-to admin) to communicate with my web service server.
Should I follow the same way as like my RESTful authentication or is there any authentication and security mechanism for Java Web Services at Spring (i.e. how to deal with logout, how to enable logout mechanism for a client-server web services communication)
PS: I use Apache-CXF.
Two potential ways:
Put a BasicAuthenticationFilter or DigestAuthenticationFilter in front of your CXF Servlet.
Use a WS-Security UsernamePasswordToken with CXF and write a CallbackHandler that a) creates a UsernamePasswordAuthenticationToken, b) calls authenticationManager.authenticate() and c) stores the authentication in the SecurityContextHolder.
Note that the above doesn't cover the concept of logout since login sessions are generally implemented with cookies and the above are stateless approaches. If you really need logout then you should consider using OAuth because you can implement logout by invalidating access tokens.
You could put a security token in the HTTP header you are sending to the REST which the REST decodes and verifies it's coming from an administrative location.