I am building two separate project , Rest services using spring 4.0 and a dynamic website using ZK and Spring .
I want to secure both Rest Services and the Website so user need to be authorized before browsing the website or requesting the Rest Services .
I am wondering if we can have one place for authorization , is this possible and how to share the identity of user between both sites ?
I am thinking of Shiro ?
Any Ideas
BR
Shahbour
Check out Spring Security, it integrates really easily with Spring (as the name would suggest). As far as how to keep user signed in across both apps, there are a few options. The simplest would probably be to have a central database where user information is stored that both apps can access. Add Spring Security to both apps. Web app would require user to authenticate and then any time it calls the REST service it provides current user's username/password. REST service would accept username/password and authenticate the user again. This approach would also work if you ever wanted to use your REST services directly without your Web UI.
Related
I have an Admin Dashboard React Bootstrap Template and I want to create the backend for it.
I have built a separated REST API on a separate port using Spring that queries a Postgres DB. The frontend just fetches the API.
The problem is that I want to have different user roles: different Navbar items, different page content, etc. based on permissions/role.
I've tried using spring-security and it works when accessing API, but I don't know how to connect it to the front.
How can I implement RBAC for a separate React Front, Spring API Back web app?
Spring Security doesn't have any direct support for front-ends, though Spring does have a few blog posts that describe how a JavaScript front-end can coordinate with a Spring Security-protected back-end.
The key insight is a /user endpoint for transmitting the user's details to the front-end.
I have an app which allows users to sign in and then passes their sign in information to the app of their choice. All the apps are written in Java and use Struts 2 and run on Websphere. What is the most secure way to pass in the sign in information? I can pass it in the URL using HTTPS but that still leaves the information available in the browser history.
EDIT:
The sign-in app actually calls a web service which registers the user which collects their personal information, verifies their identity and passes the information back to the sign-in app. The web service stores all of the registration information. I would like to pass all of the registration information to the app so the user does not have to reenter it and to insure the information stored by the web service is identical to the information stored in the app.
You should configure both apps to use Single Sign On.
Here's a tutorial for Websphere.
http://www.redbooks.ibm.com/redpapers/pdfs/redp4192.pdf
If you pass sign in information via https it's secure way. Don't pass it in url however. Use http post method to submit this information to the application. But because you use a web service to register/authenticate a user then you need invoke this web service from you application using http client, etc. If you invoke the service from the client you application never know if the user is registered/authenticated.
Recommended to use some security framework i.e. Spring Security which allows to use different methods for authentication/registration/authorization. It requires integration struts2 with spring via spring plugin.
For the rest see How to integrate Spring Security and Struts2. Or read the book Spring Security 3.x Cookbook by Anjana Mankale.
I have a webapp that provides rest based end points built using jersey. I have a frontend in Angular material that consumes these stateless rest endpoints. Now I have a requirement for authentication in which I need to integrate the app with okta for SSO in particular moderation pages. Any idea on how I can proceed as I only have stateless services with me and I do not want to store authentication info with angular.
Correct me if I'm wrong, but this sounds like you have something similar to a single page web app (meaning an app running in the browser) that calls a backend REST API.
If that's your situation, I would suggest you to go with OpenID Connect and the Implicit Flow. You can find code samples at https://github.com/jpf/okta-oidc-beta (which will leverage the Okta Sign In Widget) and at https://github.com/mcguinness/okta-oidc-sample (which is using the Okta Authentication JavaScript SDK).
The Okta Sign In Widget is an order of magnitude easier to use so I would recommend you to go that route first (+ it provides full support for password resets, multi factor authentication, etc...).
You will also find some good information and resources on our OpenID Connect page for developers, which you will find at http://developer.okta.com/docs/api/resources/oidc.html.
I have a spring-mvc and spring-security + spring-security-social webapplication which I would like to provide restful login to allow a rest client to interact via this application. Let me explain a little bit more:
For the web application, everything is working fine. Login, roles, Facebook login, without any xml using Spring-Core version 4 and Spring-Security version 3.
Requirement
Provide a restful service in which will allow the user to sign in on the application and provide its user all the access like the web login.
I've been searching over the web, but I can only find old examples using older spring versions and with xml code.
REST is stateless. With that in mind, are you looking to still have authentication/authorization for the services in a RESTful fashion? To do this, you will have to authenticate the user on EVERY call. You can use Basic authentication to stick to strict REST principles or you can violate REST slightly by using OAuth yourself.
RESTful services are typically developed for other developers to incorporate in their code. They're not meant to be exposed directly to a user of a service.
If you need to provide client like functionality (login, allow user to access features/services, etc), then there is no need to develop a RESTful service. You can use Spring MVC in combination with Spring Security for that.
I am working on writing a private REST API with Play! that I will make calls to from a mobile application and I am confused about how to keep it secure.
When working through the Yet Another Blog Engine example in Play!'s documentation, I worked through their authentication example, and it deals with logging in through a browser. From what I understand about Play!'s Secure module, it helps with browser sessions. Additionally, every StackOverflow question I have seen has been involved with an administration module on the web and the questions have been pertaining to sessions as well.
Does the Play! framework have any built in mechanism to prevent session hijacking?
Enforce Https routing for login with play framework
My current understanding of how the security should work:
The mobile app "logs in" to the web app and obtains some kind of token
With each subsequent call the token is appended to the end of the API call
If the mobile user "logs out" or the token expires, the web app removes the token
Every API call uses HTTPS in order to maintain security
Is it possible for me to make an HTTP request from the mobile application to the web application I create using Play! Framework while keeping it secure?
Am I approaching the whole situation incorrectly?
This is the first Play! app I have created and this is the first time I have used Heroku. I am not too far in that I would be opposed to switching to something else if it were significantly easier/more efficient/better suited to solve this problem.
EDIT: Also, in Play!'s YABE tutorial, it seems like they check the password in plain text. Just from a general standpoint, how is that not a security issue?
EDIT 2: I have looked over OAuth provider information and it seems to solve the problem. My only apprehension with it is that v2.0 has known security flaws and v1.0 seems complicated to implement for a situation where all I need is a secure connection between a mobile app and a web app. If I were to make every call require SSL, could I make each Play method just take username and password as parameters and disregard OAuth completely?
Your example of having a mobile application authorize itself with a web application is achieved with an authorization framework like OAuth. This allows the web app to let the user login then issue an access token to the mobile app for making requests as that user, without the mobile app having to deal with the user's password.
Have a look at an OAuth provider module for Play. If you Google, you might find an OAuth client module for Play, but that's for the other side of OAuth, allowing your web app to authorize against a 3rd party provider. You'd then use an OAuth client library in your mobile app to deal with acquiring an access token.
It could even be a generic Java libary for OAuth - the Play 2.0 documentation for OAuth states that it hasn't provided an OAuth 2.0 module because it's simple enough not to even need a library. However there are a few Java libraries available.
Here's a project where somebody's put together some OAuth provider stuff with Play (referenced from this forum post):
https://github.com/mashup-fm/playframework-oauthprovider