I am working on providing a single sign-on feature for the applications I have. I am using CAS for this along with Spring. I am able to make it work for all the applications. But one doubt I have is: is it possible to restrict a user from any one application to which he does not have access? I mean, is there a way to provide application-level authorization using CAS?
Thanks
You can customize CAS to return a complex object including the role of the user, so then each app is responsible for authorization. Here we do this using Spring Security.
Related
I'm working on a Spring Boot application which should have two parts: one Admin UI part done in Vaadin and one part consisting of REST API endpoints for a native application to consume.
Authentication of the Admin UI (Form-Login) should be completely different from the REST API (e.g. Basic Auth with a fixed token, or a token from the database).
What would be the best way to achieve this? Since it's basically two different applications having the data access in common, would it make sense / be possible to instantiate two Spring application contexts? Or is it enough to configure Spring Security in a special way, for example? Just adding a RestController and excluding the URL from Spring Security already brings me halfway to the solution, but what if I also want authentication for my REST API? But completely different, with its own application provider basically.
Spring supports role-based authorization and multiple authentication providers. So essentially you can give your admin users a special role and require this role in your Vaadin views to prevent ordinary users accessing the admin UI. You can also have separate authentication mechanisms in the same application, for example you could have your users authenticated via LDAP and your admins via a database. You shouldn't need to do separate application contexts.
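One way to set up the split this answer describes, as an added example that is not part of the original answer: two Spring Security 6 filter chains in one application context, each with its own user store. The bean names `apiUsers` and `adminUsers`, the `/api/**` prefix and the role names are assumptions, and Vaadin's own framework requests are not handled here.

```java
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SplitSecurityConfig {

    // REST API chain: checked first, applies only to /api/**, stateless HTTP Basic.
    // "apiUsers" is a hypothetical UserDetailsService bean (e.g. database-backed tokens).
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http,
            @Qualifier("apiUsers") UserDetailsService apiUsers) throws Exception {
        http.securityMatcher("/api/**")
            .userDetailsService(apiUsers)
            .authorizeHttpRequests(a -> a.anyRequest().hasRole("API_CLIENT"))
            .httpBasic(Customizer.withDefaults())
            // No HttpSession: every request must carry its own credentials.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // The client is a native app, not a browser, and no session cookie exists here.
            .csrf(c -> c.disable());
        return http.build();
    }

    // Admin UI chain: every other URL, session-based form login, ADMIN role required.
    // "adminUsers" is a hypothetical UserDetailsService bean with the admin accounts.
    @Bean
    @Order(2)
    SecurityFilterChain adminChain(HttpSecurity http,
            @Qualifier("adminUsers") UserDetailsService adminUsers) throws Exception {
        http.userDetailsService(adminUsers)
            .authorizeHttpRequests(a -> a.anyRequest().hasRole("ADMIN"))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Because each chain has its own user store, an API credential cannot be used to log in to the admin UI, and an admin session cookie is ignored on `/api/**`.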
I have several multi-module Spring web applications, each application like below, each of them developed differently with no interconnection.
war
|...webModule
|...coreModule
I want to integrate them with one admin module with security settings.
How can I do that? Are there any frameworks for that?
I went through the OSGi approach but it has a lot of migration work. What about component-based (I never did that)... Can anyone suggest some way to create my integration application which can handle common login & security for the other sub-applications? (need a single sign-on, multiple WAR solution)
I strongly advise reading up on the Angular JS and Spring Security series, especially related is the https://spring.io/blog/2015/01/20/the-resource-server-angular-js-and-spring-security-part-iii
The approach that they describe seems completely viable for you. Key points:
Spring Security uses the HttpSession to store authentication data by
default. It doesn’t interact directly with the session though: there’s
an abstraction layer (SecurityContextRepository) in between that you
can use to change the storage backend.
After authenticating through your admin module you should store your authentication data into a storage accessible to all your other modules, and using a session id as a key for the data. You can easily achieve this with a help of Spring Session where you can use an out-of-the-box supported Redis as your shared storage for authentication data.
Finally, the key will be set inside a custom header of the requests that target other modules, which will use this custom header and a changed session strategy to pull the authentication data from the storage and authenticate the user.
There are quite a few details behind the approach, but the series comes with a sample implementation so you should be able to find your way.
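Configuration for each non-admin module following the approach in this answer, added here and not taken from the linked series: Spring Session keeps sessions in Redis, the session id travels in the `X-Auth-Token` header, and the module never creates sessions itself. The Redis host name is an assumption; current Spring Session names the header strategy `HeaderHttpSessionIdResolver`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

@Configuration
@EnableRedisHttpSession   // HttpSession is now backed by the shared Redis store
public class SharedSessionConfig {

    // Assumed Redis location; the admin module and every other module point at the same store.
    @Bean
    LettuceConnectionFactory redisConnectionFactory() {
        return new LettuceConnectionFactory("redis.internal", 6379);
    }

    // Read and write the session id in the X-Auth-Token header instead of a cookie.
    @Bean
    HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }

    @Bean
    SecurityFilterChain moduleChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            // Only sessions created by the admin module's login are honoured;
            // this module never starts one, so an unknown header value stays anonymous.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.NEVER));
        return http.build();
    }
}
```

The header value is a bearer credential for the whole session, so it needs the same protection in transit and in logs as a session cookie. Every module also needs the classes of the stored authentication object on its classpath, since session attributes are written with JDK serialization by default.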
I am developing a web application using Spring. To make my application scalable I am in need of a user management system. The application has different groups, each group having different users. Every user has different roles.
Are any APIs available to implement an access control mechanism?
How do I assign a role to every user?
I think Spring Security domain-acls is a good choice for you. You can take a look at Contacts sample first to decide whether it is fit for you.
I am learning Java Security JCE/JAAS. I am not able to get an example where we need to implement a JAAS login module in a real-world web application.
Can anyone please guide me where I can implement JAAS in my web application? As far as I know, this is an authentication and authorization service.
///
If my understanding is correct now, it means if there is any service (like LDAP) running on our web server or any other web server, and if we want to consume that service, then we need to implement JAAS to authenticate our application.
JAAS is one way of implementing login on a container. JAAS's main benefits come from the facts that it is a standard framework integrated in the JRE - so you get plenty of information, samples, connectors, etc. - and that it properly separates the various concerns of user authentication.
In particular, it clearly separates authentication (validating the supplied credentials) and authorization (role and permissions granted to the user).
While authentication is very often "generic" or "external", for instance using an LDAP server, authorization is often tightly coupled with your application: roles and permissions are usually specific to the business problem the application addresses.
Implementing your own JAAS module is a simple way of addressing this issue, while staying within the boundaries of a well-defined framework and without having to provide a low level implementation to inject the module with the login cycle and session management of the container.
You don't need to implement your own JAAS login module with standard servlet containers unless you want to modify its standard behaviour as they provide you with several standard means to achieve it.
Here you will find a tutorial showing how to use the form login with Tomcat (no need for rolling your own LoginModule):
http://www.avajava.com/tutorials/lessons/how-do-i-use-form-authentication-with-tomcat.html
Generally, you, as the application developer, do not implement JAAS modules. Instead, you choose which JAAS module you need to use for your application from pre-existing modules included in the app server you are using. Most application servers come with a variety of implementations which allow you to do common things like authenticate using info from a database, LDAP, Active Directory, Kerberos, etc. You would determine which authentication source you need to use and configure your application appropriately.
The main advantage of JAAS is that it's PAM, that is, pluggable authentication module. Thus if an application wants to be separated from the authentication and authorization system, you can use JAAS. Moreover, JAAS, unlike Java general security, not only verifies the code source but also the person using the code source to access. So if a web app needs PAM and the authorization should be of the code source as well as the code handler, then JAAS is better.
I'm writing a Java application which needs to perform an unusual login procedure. One of my problems is that the user needs to supply more than a simple username/password combination. Specifically, a username/password/domain combination is required.
Another problem is that my application enforces some password lifetime rules (eg: a password becomes invalid after 90 days). The authentication server that I use will refuse authentication when a password is expired and forces the user to choose a new one. Therefore my login process must be able to handle that.
Unfortunately the standard j_security_check servlet does not allow me to do any of that. Is there any way to create a custom and safe login procedure for a Java web application?
Note: the problem with supplying the domain can be worked around by having users enter username\domain instead of just username in the j_username field and then let a custom realm decode that. This is however a bit kludgy and doesn't solve the second problem anyway.
Are you considering Spring security? These are some suggestions regarding password expiration.
The JAAS security interface allows you to create a custom login module. This login module will allow you to have any security checking that you like. I suggest that you look at the information on JAAS.
Here are some of the links I used to help understand JAAS:
http://www.owasp.org/index.php/JAAS_Tomcat_Login_Module
http://www.javaworld.com/jw-09-2002/jw-0913-jaas.html
http://www.jaasbook.com/
http://roneiv.wordpress.com/2008/02/18/jaas-authentication-mechanism-is-it-possible-to-force-j_security_check-to-go-to-a-specific-page/
Also have a look at the Apache tomcat realms configuration how-to:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
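A custom login module of the kind suggested above for the username/password/domain question, as an added example that is not from any of the posts: it asks for a third `domain` value through a JAAS callback and reports an expired password with a distinct exception, only after the old password has been verified. The class name, the in-memory account and its 120-day-old password are constructed stand-ins for the real authentication server; Java 17 is assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.time.LocalDate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DomainLoginModule implements LoginModule {
    // Constructed account; a real module would call the authentication server here.
    private static final String USER = "alice", DOMAIN = "CORP", PASSWORD = "constructed-pw";
    private static final LocalDate LAST_CHANGED = LocalDate.now().minusDays(120);
    private static final int MAX_AGE_DAYS = 90;   // lifetime rule from the question
    public record DomainPrincipal(String user, String domain) implements Principal {
        public String getName() { return user + "@" + domain; }
    }
    private Subject subject; private CallbackHandler handler; private Principal principal;

    @Override
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user");
        PasswordCallback pass = new PasswordCallback("password", false);
        TextInputCallback domain = new TextInputCallback("domain");   // the extra field
        try {
            handler.handle(new Callback[] {name, pass, domain});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("could not collect credentials");
        }
        char[] pw = pass.getPassword();            // a copy, or null if nothing was supplied
        pass.clearPassword();
        byte[] given = new String(pw == null ? new char[0] : pw).getBytes(StandardCharsets.UTF_8);
        boolean ok = USER.equals(name.getName()) && DOMAIN.equals(domain.getText())
                && MessageDigest.isEqual(given, PASSWORD.getBytes(StandardCharsets.UTF_8));
        if (!ok) throw new FailedLoginException("invalid credentials");  // one message for all causes
        // Expiry is disclosed only to a caller who has just proven the old password.
        if (LAST_CHANGED.plusDays(MAX_AGE_DAYS).isBefore(LocalDate.now()))
            throw new CredentialExpiredException("password expired");
        principal = new DomainPrincipal(name.getName(), domain.getText());
        return true;
    }

    @Override public boolean commit() { if (principal != null) subject.getPrincipals().add(principal); return principal != null; }
    @Override public boolean abort() { boolean had = principal != null; logout(); return had; }
    @Override public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
}
```

A caller that drives `LoginContext.login()` itself can catch `CredentialExpiredException` and route the user to a change-password step; the supplied `CallbackHandler` must answer all three callbacks.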