I'm creating a simple web app that has a user login. I'm trying to use Spring Security to manage authorization and I want to know if it is possible to use SS without setting up roles. There is no admin or special permissions, a user is either logged in or they aren't.
All tutorials I found make you set up a roles table and a userroles join table in your database and the same entities in your files. This seems like overkill for what I want. Is it possible to just use SS to check a username and password and log the user in if they match what is in the database without doing all the role stuff?
You can use isAuthenticated(). See more in Spring documentation: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
I do not think you have to set up roles in Spring Security.
And in my opinion, the role is for different page access, like you have admin and normal user, and you want to let the different roles go to different pages.
You can use authorities="ROLE_USER" everywhere, if you just have a small application.
Hope this can help you.
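Putting the two answers above together, here is an added Java-config example (not from the original question or answers) in which a user is either authenticated or not: every account gets the same constant authority and the URL rules only use `authenticated()`. It assumes Spring Security 5.x and a hypothetical `AccountRepository` DAO that returns the stored bcrypt hash for a username, or null.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class NoRolesSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical DAO over your own users table: findPasswordHash(username)
    // returns the stored bcrypt hash, or null when no such user exists.
    private final AccountRepository accounts;

    public NoRolesSecurityConfig(AccountRepository accounts) {
        this.accounts = accounts;
    }

    // Spring Security's stock JDBC loader rejects users without any authority,
    // so this adapter gives every account the same constant one. No roles table.
    @Bean
    public UserDetailsService userDetailsService() {
        return username -> {
            String hash = accounts.findPasswordHash(username);
            if (hash == null) {
                throw new UsernameNotFoundException("no such user"); // generic message
            }
            return User.withUsername(username)
                    .password(hash)
                    .authorities("ROLE_USER")
                    .build();
        };
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // store hashes, never plaintext passwords
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()     // logged in or not; no role check
                .and()
            .formLogin().loginPage("/login")
                .and()
            .logout();
    }
}
```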
Building a customer relationship management system.
A particular company can buy our product to manage their customers
Once the company buys our product they will be assigned with username and password for logging into the application.
company: is the main admin to the application they can also add new admins to monitor their customers
How to Design a login system with multiple roles?
Company as main admin, e.g. XYZ Solutions (Username: xyz#gmail.com, Password: Xyz123), can log in and can also add a new admin, say sub-admin Santhosh#xyz.com.
Now Santhosh#xyz.com (SUB ADMIN) should also be able to log in.
I also need to limit the admins to 5: any idea how to achieve this?
How should I design the login system for this scenario, and how should my database be laid out to save usernames and passwords of both admin and sub-admin?
Using Java 8 with Spring as my framework and MySQL as backend.
Define Company/Users/Role/Permissions. Your roles would be pretty abstract, but it's the permissions that will define the role of the user. For example, a user with the SystemAdmin role can do almost anything because the permissions that define the system admin role will allow her to do it. On the other hand, a regular user will have a limited selection of permissions, like execute transactions or access certain UI, but will not be able to change configurations etc. Basically your permissions will define what roles can have, and then you attach or assign those roles to the users created under the company. Your question basically seems more about roles and permissions rather than login. Hope this helps and let me know if you need more clarifications.
I have a requirement where I need to develop a Login flow for an Enterprise application that is a Spring MVC application integrated with Spring Security.
The requirement is I should be restricting the user to one session:
Example: I have two user groups, A and B.
CASE A: (WHEN THERE ARE NO SESSIONS)
Users from group 'A' have a specific role, but when they log in and when they don't have a previous session, they should be given two options to select from as their existing role (or) another role (SPECIAL ROLE) that I should be updating in the application on the fly.
Users from group 'B' just log in and get to the dashboard without any choices.
CASE B: (WHEN THERE IS ALREADY AN ACTIVE SESSION)
Both the users from the two groups should get an options form to choose from if they want to log out the previous session and log in here (OR) just go back to the user login page. When they select log out and log in here other session would be terminated (invalidated).
If they choose to go back to login page previous session is not affected.
CASE C: (WHEN THERE IS ALREADY AN ACTIVE SESSION FOR A USER FROM GROUP 'A' WHO CHOSE THE SPECIAL ROLE)
When any user from Group 'A' is logging in should get a choice to log out the other user session and log in here with the SPECIAL ROLE or just log in as with his actual role.
I am trying to develop this requirement with Spring Security, but when I configure session management the framework just logs out the other user and invalidates the old session. I should be giving a custom implementation to ConcurrentSessionFilter or maybe at some other filter level (I am confused) where I can show the choices to the user and do the things.
AND
Also, when I use custom concurrency strategy classes, sessionRegistry.getAllPrincipals() gives me an empty list, but when I configure the Spring Security sessionManagement().sessionRegistry(new SessionRegistryImpl()); I am able to get the populated principals.
I also tried custom success handler and tried to redirect based on his roles it works fine but it doesn't complete my requirement and I am sure that I should be doing some custom implementation to a specific Spring Security filter chain to implement it but I am just getting lost after days of reading and lack of resources on session management using Spring Security.
I am stuck here, any help would be appreciated. This is the first time I am working with Spring Security and implementing session management.
Thanks in Advance :)
Using Spring Security, MVC, Core 4 Java config
In my web application, there are times when an authenticated admin might want to impersonate another valid user of a system without having to know that user's password.
How can I use Spring Security to give admin users the ability to impersonate normal (non-admin) users of the system?
The Spring Security documentation is silent on this and I can't find anything anywhere. Surely someone must have solved this.
Thanks!
It's in the Spring Security 3 and Spring Security 4 docs aptly named, "Run-As Authentication Replacement."
The AbstractSecurityInterceptor is able to temporarily replace the Authentication object in the SecurityContext and SecurityContextHolder during the secure object callback phase.
I believe the recommended way to do this in Spring Security is with the Domain Access Control lists, see GrantedAuthoritySid:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/domain-acls.html
However, impersonating another user is more than just having a "delegate identity", you should also consider the implications on logging:
Do you want your logging to appear as Original User or Impersonated User (or both?)
Do you want the "impersonation" to show only what the impersonated user sees, or the superset of permissions of the Original User and Impersonated User?
Yet another possibility is to create a "log in as" feature, which essentially changes the principal identity of the current session - or starts a new session with the impersonated identity.
In all of the above, you may inadvertently open up a security issue, so I think this is why impersonate-style features are not that commonplace. Rather, designs trend towards Role Based Access Control (RBAC) or Attribute Based Access Control (ABAC). Using RBAC / ABAC, you could create a delegate-style feature where you create delegate attributes/roles, and in the special cases where you need to show the source/target of the delegation (e.g. for audit logs), you handle those as corner cases.
If you want an admin user to be able to impersonate another user (e.g. for QA/testing purposes), have a look at the SwitchUserFilter.
A decent example of the XML config you need is provided here
I have an application using Acegi (an earlier version of Spring Security) and LDAP for logins. Now, a specific scenario requires me to discover a user's LDAP groups at an arbitrary time (not at login time).
Is it possible to use already set up Acegi to handle this situation?
I'm thinking of using the configured LdapAuthProvider (or LdapAuthPopulator or whatever's appropriate) to get all the groups associated with a given username. Is this possible?
If yes, please, please, give some hints how it should be done...
You should use DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(String userDn, String username).
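One way to call that method outside the login flow, as an added example (not from the original answer) written against Spring Security's current class names rather than Acegi's: resolve the user's DN with a directory search, then hand DN and username to the populator. The search bases, filters and attribute names are assumptions about a hypothetical directory layout.

```java
import java.util.Set;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

/** Looks up a user's LDAP group memberships on demand, independent of authentication. */
public class LdapGroupLookup {

    private final FilterBasedLdapUserSearch userSearch;
    private final DefaultLdapAuthoritiesPopulator populator;

    public LdapGroupLookup(BaseLdapPathContextSource contextSource) {
        // Assumed layout: people under ou=people keyed by uid, groups under ou=groups
        // whose "member" attribute holds full user DNs.
        this.userSearch = new FilterBasedLdapUserSearch("ou=people", "(uid={0})", contextSource);
        this.populator = new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
        this.populator.setGroupSearchFilter("(member={0})"); // {0} = user DN, {1} = username
        this.populator.setGroupRoleAttribute("cn");          // group name becomes the role
        this.populator.setRolePrefix("ROLE_");
        this.populator.setSearchSubtree(true);
    }

    /** Returns e.g. ROLE_FINANCE for a member of cn=finance,ou=groups. */
    public Set<GrantedAuthority> groupsOf(String username) {
        // The username is bound as a filter argument, so the directory client escapes it;
        // throws UsernameNotFoundException when no single entry matches.
        DirContextOperations user = userSearch.searchForUser(username);
        return populator.getGroupMembershipRoles(user.getNameInNamespace(), username);
    }
}
```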
In a banking or similar application there are usually several roles defined and associated privileges required (for example a normal user could only do transactions but not post it while a supervisor can verify and post them, sort of maker/checker). We also need to add new roles and privileges in the system (not sure about the latter).
How do you achieve this Role Based access in a Spring/Hibernate application? Especially in terms of scaling up to add new roles/privileges. Can Acegi (I never used it) help? Any other idea would be appreciated that can help me achieve the above.
Thanks,
As duffymo mentioned, Acegi has been renamed to "Spring Security" and it's what I would recommend if you're already working with Spring.
There's more documentation online for Acegi than Spring Security, so if in doubt you can find useful information in the Acegi docs/tutorials as well as the more recent Spring stuff.
If you can design your user table to fit with Spring Security's concept (user name, password, roles, each with certain specified types and names) then you can use Spring Security's DAO classes right out of the box; if not, you build a tiny adapter class to hook up Spring Security to your database for the user query.
You can specify required roles per servlet/URL or even at the method level. It took me a day or two to wrap my head around the concepts involved, but after that configuring it was reasonably easy, and I was happy that they've already solved most of the kinds of problems that arise in connection with Web security.
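An added example of the "tiny adapter class" and method-level rules described above (not code from the original answer): roles are expanded into privileges at login, and services check privileges rather than role names, so a new role is just new rows. The `AccountRepository`, `Account`, `Role`, `Privilege` and `Transaction` types are hypothetical domain classes; `@EnableGlobalMethodSecurity(prePostEnabled = true)` is assumed on a config class.

```java
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Adapter from the application's own account/role/privilege tables to Spring Security. */
public class PrivilegeUserDetailsService implements UserDetailsService {

    private final AccountRepository accounts; // hypothetical DAO

    public PrivilegeUserDetailsService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        Account account = accounts.findByUsername(username); // null when absent
        if (account == null) {
            throw new UsernameNotFoundException("no such user");
        }
        Set<GrantedAuthority> authorities = new HashSet<>();
        for (Role role : account.getRoles()) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getName()));
            for (Privilege p : role.getPrivileges()) {          // e.g. TXN_CREATE, TXN_POST
                authorities.add(new SimpleGrantedAuthority(p.getName()));
            }
        }
        return new User(account.getUsername(), account.getPasswordHash(), account.isEnabled(),
                true, true, !account.isLocked(), authorities);
    }
}

/** Maker/checker: a user may post a transaction only with TXN_POST and only if not its maker. */
class TransactionService {

    @PreAuthorize("hasAuthority('TXN_CREATE')")
    public void create(Transaction t) { /* persist as pending, record maker */ }

    @PreAuthorize("hasAuthority('TXN_POST') and #t.makerName != authentication.name")
    public void post(Transaction t) { /* verify and post */ }
}
```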
Yes, Spring Security (formerly known as ACEGI) can do it.