Spring Security with dynamic roles management - java

I am currently migrating from Struts1/EJB3 to Spring MVC 4.0.4/EJB3. Application server is JBoss 4.2.3 (JBoss 7.x in the works).
My current security roles are stored in the database (for instance: administrator, validator and officer). For each role, admins can check or uncheck features (use cases) they want members to have access to (add a new file, update a file, delete a file, etc.). I also have a "method" table in which all my "secured" features are stored (add a new file, update a file, delete a file, etc.).
My application must have user management and role management, so application owners (admins) can add users and roles, and also make changes to existing roles if necessary.
There is no login form. Login sequence goes like this:
1. Create an HTTP session.
2. Gather the current user ID from JCIFS.
3. Search for the user in Active Directory.
4. If found in AD, look for a user record in the user table.
5. If found in the database, sync user details with AD (from step 4).
6. Gather roles from the database and set them into the user's session.
7. Redirect to the application's home page.
I would like to get the benefits of Spring Security and at the same time offer the flexibility my clients are used to having with their applications.
Any hints would be much appreciated.
Thank you
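One way to fit the login sequence above into Spring Security's pre-authentication support, as an added example that is not code from the question: a Java-config class (Spring Security 3.2+/4.x, Java 8 syntax) that treats the account JCIFS already verified as a pre-authenticated principal, then loads the AD/database user and turns the role's checked "method" rows into authorities. It assumes the JCIFS NTLM filter runs first and exposes the account via `request.getRemoteUser()`, and that `UserDao`, `MethodDao` and `AppUser` are hypothetical application classes.

```java
// Added example; UserDao/MethodDao/AppUser are assumed application classes, not Spring APIs.
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.*;

@Configuration @EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // lets @PreAuthorize("hasAuthority('FILE_ADD')") guard a use case
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired private UserDao userDao;     // assumed: user-table lookup plus AD sync (steps 3-5)
    @Autowired private MethodDao methodDao; // assumed: checked "method" rows for a role (step 6)

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(token -> {
            String account = token.getName();                  // Windows account JCIFS verified
            AppUser user = userDao.findAndSyncWithAd(account); // null when absent in AD or in the DB
            if (user == null) throw new UsernameNotFoundException("not an application user: " + account);
            List<GrantedAuthority> auths = new ArrayList<>();
            for (String method : methodDao.enabledMethodsForRole(user.getRoleName())) {
                auths.add(new SimpleGrantedAuthority(method)); // e.g. FILE_ADD, FILE_UPDATE, FILE_DELETE
            }
            return new User(account, "N/A", auths);       // re-read per login, so role edits apply without redeploy
        });
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AbstractPreAuthenticatedProcessingFilter jcifs = new AbstractPreAuthenticatedProcessingFilter() {
            @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest r) { return r.getRemoteUser(); }
            @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest r) { return "N/A"; }
        };
        jcifs.setAuthenticationManager(authenticationManager()); // steps 1-2: session plus JCIFS user id
        http.addFilter(jcifs).authorizeRequests().anyRequest().authenticated()
            .and().exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
    }
}
```

Because the authorities are the "method" names rather than role names, the role management screen can check or uncheck a feature and the change takes effect at the user's next login without touching the security configuration.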

Related

Login System Design - For CRM Project

Building a customer relationship management system.
A particular company can buy our product to manage their customers
Once the company buys our product they will be assigned with username and password for logging into the application.
company: is the main admin to the application they can also add new admins to monitor their customers
How to Design a login system with multiple roles?
Company as main admin, e.g. XYZ Solutions (Username: xyz#gmail.com, Password: Xyz123), can log in and can also add a new admin, say for example sub-admin Santhosh#xyz.com.
Now Santhosh#xyz.com (SUB ADMIN) should also be able to log in.
I also need to limit the admins to 5; any idea how to achieve this?
How do I design the login system for this scenario, and how should my database be designed to save usernames and passwords of both admin and sub admin?
I am using Java 8 with Spring as my framework and MySQL as backend.
Define Company/Users/Role/Permissions. Your roles would be pretty abstract, but it's the permissions that will define the role of the user. For example, a user with the SystemAdmin role can do almost anything because the permissions that define the system admin role will allow her to do it. On the other hand, a regular user will have a limited selection of permissions like executing transactions or accessing certain UI, but will not be able to change configurations etc. Basically your permissions will define what roles can do, and then you attach or assign those roles to the users created under the company. Your question basically seems to be more about roles and permissions rather than login. Hope this helps, and let me know if you need more clarification.

Change default registration behavior in Keycloak

We have recently switched to Keycloak to handle the login to our website.
It's still possible to register and Keycloak has a user registration page, but I basically need to change the definition of 'registering'.
By default it means "insert a new user in the DB with the info given by the user through the registration form". But that's not what we want: we already have all the users that CAN register in our DB, and registering as a user pretty much means updating a record in our DB.
I have already made changes to a few classes and redeployed them by packaging them and then adding the Jar to the \deployments directory. But I can't seem to find the classes that I have to change to get the registration page to behave the way I want.
How can I change the default behavior of the registration page? What classes do I have to change?
I've never done this, but I'd take a look at the user store SPI and the authenticator SPI.
I suggest writing directly in the Keycloak Discourse forum (https://keycloak.discourse.group/). They will surely give you a hand.
PS: with an SPI you'll add features to Keycloak, but in your case I think you'll also need to change the GUI. See Keycloak Themes in the official docs.

Session management, Concurrent Sessions, Spring Security, and Spring MVC application

I have a requirement where I need to develop a Login flow for an Enterprise application that is a Spring MVC application integrated with Spring Security.
The requirement is I should be restricting the user to one session:
Example: I have users in two groups, A and B.
CASE A: (WHEN THERE ARE NO SESSIONS)
Users from group 'A' have a specific role, but when they log in and when they don't have a previous session, they should be given two options to select from as their existing role (or) another role (SPECIAL ROLE) that I should be updating in the application on the fly.
Users from group 'B' just log in and get to the dashboard without any choices.
CASE B: (WHEN THERE IS ALREADY AN ACTIVE SESSION)
Both the users from the two groups should get an options form to choose from if they want to log out the previous session and log in here (OR) just go back to the user login page. When they select log out and log in here other session would be terminated (invalidated).
If they choose to go back to login page previous session is not affected.
CASE C: (WHEN THERE IS ALREADY AN ACTIVE SESSION FOR A USER FROM GROUP 'A' WHO CHOSE THE SPECIAL ROLE)
When any user from Group 'A' logs in, they should get a choice to log out the other user's session and log in here with the SPECIAL ROLE, or just log in with their actual role.
I am trying to develop this requirement with Spring security but when I configure session management the framework just logs out the other user and invalidates the old session. I should be giving custom implementation to ConcurrentSessionFilter or may be at some other filter level (I am confused) where I can show the choices to the user and do the things.
AND
also when I use custom Concurrent Strategy classes the sessionRegistry.getAllPrincipals() is giving me an empty list but when I configure the Spring security sessionManagement().sessionRegistry(new SessionRegistryImpl()); I am able to get the populated principals.
I also tried custom success handler and tried to redirect based on his roles it works fine but it doesn't complete my requirement and I am sure that I should be doing some custom implementation to a specific Spring Security filter chain to implement it but I am just getting lost after days of reading and lack of resources on session management using Spring Security.
I am stuck here, any help would be appreciated. This is the first time I am working with Spring Security and implementing session management.
Thanks in Advance :)
using Spring Security, MVC, Core 4 Java config

Application server role-based access control

I'm working on implementing a role-based authorization service under WS Liberty.
There are two main goals:
- if a user without the correct user group tries to open a restricted URL, show an error page
- the user should see a menu listing all pages available to him
My question is: are there best practices to implement this behaviour? Should I create the first part in server.xml AND the second part in the appropriate view?
(this way the "logic" will be stored in two different parts of the code, and for example if I have to add a new URL, I have to insert it into two different places)
So is there a way to store this role-URL mapping in one place?
Thanks,
krisy
In your application you can protect links by checking roles (pseudo code; some frameworks already have custom tags for it):
if(request.isUserInRole("roleX")) {
// render menu item for roleX
}
By default, if a user is already logged in and tries to access a page that is restricted for him, he will receive 403 Not authorized; you can provide an error page for that code via web.xml configuration.
In the server.xml, via the Application binding element, you provide only the mapping from your application roles to groups defined in the registry. Depending on the registry type you will be able to add/remove users to the given group, granting or denying them rights, for example via server.xml or via an LDAP management tool in case of an LDAP registry.

spring security (3.0.x) and user impersonation

In my web application, there are times when an authenticated admin might want to impersonate another valid user of a system without having to know that user's password.
How can I use Spring Security to give admin users the ability to impersonate normal (non-admin) users of the system?
The Spring Security documentation is silent on this and I can't find anything anywhere. Surely someone must have solved this.
Thanks!
It's in the Spring Security 3 and Spring Security 4 docs aptly named, "Run-As Authentication Replacement."
The AbstractSecurityInterceptor is able to temporarily replace the Authentication object in the SecurityContext and SecurityContextHolder during the secure object callback phase.
I believe the recommended way to do this in Spring Security is with the Domain Access Control lists, see GrantedAuthoritySid #
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/domain-acls.html
However, impersonating another user is more than just having a "delegate identity", you should also consider the implications on logging:
Do you want your logging to appear as Original User or Impersonated User (or both?)
Do you want the "impersonation" to show only what the impersonated user sees, or the superset of permissions of the Original User and Impersonated User?
Yet another possibility is to create a "log in as" feature, which essentially changes the principal identity of the current session - or starts a new session with the impersonated identity.
In all of the above, you may inadvertently open up a security issue, so I think this is why impersonate-style features are not that commonplace. Rather, designs trend towards Role Based Access Control (RBAC) or Attribute Based Access Control (ABAC). Using RBAC / ABAC, you could create a delegate-style feature where you create delegate attributes/roles, and in the special cases where you need to show the source/target of the delegation (e.g. for audit logs), you handle those as corner cases.
If you want an admin user to be able to impersonate another user (e.g. for QA/Testing purposes), have a look at the SwitchUserFilter
A decent example of the XML config you need is provided here
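The SwitchUserFilter setup the last two answers point at, as an added example that is not code from any of the answers: a Java-config class (Spring Security 3.2+/4.x rather than the 3.0.x XML config the question mentions) that restricts the switch URL to admins, restricts the exit URL to sessions that actually switched, and includes a small audit helper that answers the earlier answer's logging question by reporting both the original and the impersonated identity. `UserDetailsService` injection and the `/impersonate` URLs are assumptions.

```java
// Added example; the UserDetailsService bean and the URL paths are assumptions, not the page's code.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

@Configuration @EnableWebSecurity
public class ImpersonationConfig extends WebSecurityConfigurerAdapter {
    @Autowired private UserDetailsService users; // assumed: however the application loads its users

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SwitchUserFilter switchUser = new SwitchUserFilter();
        switchUser.setUserDetailsService(users);
        switchUser.setSwitchUserUrl("/impersonate");      // GET /impersonate?username=<target>
        switchUser.setExitUserUrl("/impersonate/exit");   // returns to the original admin identity
        switchUser.setTargetUrl("/");
        http.authorizeRequests()
                // authorization runs in FilterSecurityInterceptor, before the switch filter sees the request
                .antMatchers("/impersonate").hasRole("ADMIN")
                // SwitchUserFilter adds ROLE_PREVIOUS_ADMINISTRATOR to a switched session; only those may exit
                .antMatchers("/impersonate/exit").hasRole("PREVIOUS_ADMINISTRATOR")
                .anyRequest().authenticated()
            .and().addFilterAfter(switchUser, FilterSecurityInterceptor.class)
            .formLogin();
    }

    /** For audit logs: while impersonating, the original admin is kept inside a SwitchUserGrantedAuthority. */
    public static String auditActor(Authentication auth) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (ga instanceof SwitchUserGrantedAuthority) {
                Authentication original = ((SwitchUserGrantedAuthority) ga).getSource();
                return original.getName() + " acting as " + auth.getName();
            }
        }
        return auth.getName(); // not impersonating: the session's own user
    }
}
```

Logging `auditActor(SecurityContextHolder.getContext().getAuthentication())` on sensitive actions records "admin acting as user" rather than only the impersonated name.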
