How to display the username in an additional secured webflow in CAS? - java

I'm working with a CAS implementation and want to extend it by adding a separate Spring Webflow. The webflow will be used to manage user-specific data that is hosted in a separate web service. This webflow will be restricted such that a user must first be authenticated in order to access it.
I've added a new flow to cas-servlet.xml as follows:
<webflow:flow-registry id="flowRegistry" flow-builder-services="builder">
...
<webflow:flow-location id="profile" path="/WEB-INF/profile-webflow.xml" />
...
</webflow:flow-registry>
The first state in my profile-webflow.xml is a view to a page that should display the user's username ...
<view-state id="accessView" view="profileAccessView" />
The profileAccessView refers to profileAccessView.jsp, in which I want to display the username of the CAS-authenticated user.
<h2>USERNAME</h2>
Is there a way to display the logged-in user's username here?
I've tried accessing and binding the user info via Spring, but I get a null result, i.e. ...
SecurityContextHolder.getContext().getAuthentication()

In the CAS server, users are not authenticated by Spring Security. This question has been asked several times on the CAS mailing lists; I advise you to search through them, like this one: https://groups.google.com/forum/#!searchin/jasig-cas-dev/username/jasig-cas-dev/-vMzR51b5S0/wbjpdMItHLMJ.
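Since the CAS server does not populate Spring Security's SecurityContextHolder, a flow in the CAS webapp has to resolve the user from CAS's own session state, the ticket-granting ticket (TGT). The following is an added example, not code from the question, the answer or the CAS project: a Spring Webflow action that reads the TGT id from the CAS cookie, looks the ticket up in the ticket registry and puts the principal id into flow scope for the view. It assumes the CAS 3.x API (TicketRegistry, CookieRetrievingCookieGenerator, TicketGrantingTicket) and the bean/class names used below; the flow XML and JSP fragment in the trailing comment are likewise assumptions.

```java
// Added example (not from the question, the answer or CAS itself).
// Assumes CAS 3.x and that the flow's action bean is wired with the server's
// ticketRegistry and ticketGrantingTicketCookieGenerator beans.
package com.example.cas.profile;

import javax.servlet.http.HttpServletRequest;

import org.jasig.cas.ticket.Ticket;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.jasig.cas.web.support.CookieRetrievingCookieGenerator;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

public class ResolveAuthenticatedUserAction extends AbstractAction {

    private final TicketRegistry ticketRegistry;
    private final CookieRetrievingCookieGenerator tgtCookieGenerator;

    public ResolveAuthenticatedUserAction(TicketRegistry ticketRegistry,
                                          CookieRetrievingCookieGenerator tgtCookieGenerator) {
        this.ticketRegistry = ticketRegistry;
        this.tgtCookieGenerator = tgtCookieGenerator;
    }

    @Override
    protected Event doExecute(RequestContext context) {
        HttpServletRequest request =
                (HttpServletRequest) context.getExternalContext().getNativeRequest();

        // The TGT id is taken only from the CAS cookie, never from a request
        // parameter, so a caller cannot pick whose profile is displayed.
        String tgtId = tgtCookieGenerator.retrieveCookieValue(request);
        if (tgtId == null) {
            return error();                       // no CAS session at all
        }

        Ticket ticket = ticketRegistry.getTicket(tgtId);
        if (!(ticket instanceof TicketGrantingTicket) || ticket.isExpired()) {
            return error();                       // stale or unknown cookie: treat as not logged in
        }

        String username = ((TicketGrantingTicket) ticket)
                .getAuthentication().getPrincipal().getId();
        context.getFlowScope().put("username", username);
        return success();
    }
}

/* Assumed wiring in profile-webflow.xml (the action state runs before accessView):
 *
 *   <action-state id="resolveUser">
 *     <evaluate expression="resolveAuthenticatedUserAction" />
 *     <transition on="success" to="accessView" />
 *     <transition on="error" to="notAuthenticated" />
 *   </action-state>
 *
 * and in profileAccessView.jsp, escaped so a principal id cannot inject markup:
 *
 *   <h2><c:out value="${username}" /></h2>
 */
```

The action fails closed: anything other than a live TicketGrantingTicket behind the cookie sends the flow to a "not authenticated" state instead of rendering the page, which is the restriction the question asks for.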

Related

How to logout user when update role with Spring Security

I am working on an application with several roles. Changing a user's role to admin should log out the target user.
My first lead was to set up data tables to retrieve the list of active tokens, taking an example from this site:
https://javadeveloperzone.com/spring-boot/spring-boot-oauth2-jdbc-token-store-example/#3_Source_Code
Except that, on login, the data is not saved in my tables.
Is it possible to log out a user "by force"?
Yes, there are several ways to do it.
At the end of the day it invalidates the Authentication object in Spring's security context.
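One concrete way to "force" the logout, as an added example that is not part of the answer: expire every active session of the user through Spring Security's SessionRegistry, so that the next request from that user is rejected and the stale Authentication (with the old authorities) is discarded. The UserRepository interface, the service class and the role name are assumptions; SessionRegistry, SessionInformation and UserDetails are the real Spring Security types.

```java
// Added example (not from the question or answer). Assumes a Spring Security
// setup with concurrency control enabled, i.e. a SessionRegistryImpl bean and
// the HttpSessionEventPublisher listener, so that the registry is populated.
package com.example.security;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

public class RoleChangeService {

    /** Hypothetical persistence layer for the application's own user table. */
    public interface UserRepository {
        void setRole(String username, String role);
    }

    private final SessionRegistry sessionRegistry;
    private final UserRepository users;

    public RoleChangeService(SessionRegistry sessionRegistry, UserRepository users) {
        this.sessionRegistry = sessionRegistry;
        this.users = users;
    }

    /**
     * Persists the new role and expires every live session of that user.
     * Returns the number of sessions expired (0 means the user was not logged in).
     */
    public int promoteToAdmin(String username) {
        users.setRole(username, "ROLE_ADMIN");

        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!isSameUser(principal, username)) {
                continue;
            }
            // includeExpiredSessions = false: only sessions that are still alive
            for (SessionInformation session : sessionRegistry.getAllSessions(principal, false)) {
                // ConcurrentSessionFilter sees the expired flag on the user's next
                // request, invalidates the HTTP session and redirects to the
                // configured expired-url; the old Authentication dies with it.
                session.expireNow();
                expired++;
            }
        }
        return expired;
    }

    /** The registry stores the Authentication's principal, which may be a UserDetails or a plain String. */
    private static boolean isSameUser(Object principal, String username) {
        if (principal instanceof UserDetails) {
            return username.equals(((UserDetails) principal).getUsername());
        }
        return username.equals(String.valueOf(principal));
    }
}
```

Two things to check in such a setup: the registry only knows about sessions created after concurrency control was enabled (<session-management><concurrency-control session-registry-ref="sessionRegistry"/></session-management> plus the HttpSessionEventPublisher listener in web.xml), and the logout is effective on the user's next request, not at the instant the role changes. If the goal is only that the new role takes effect, an alternative is to rebuild the Authentication with the reloaded authorities instead of ending the session.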

Spring Security: Different authentication methods depending on entity

First post here, hope I'm doing it right.
In a project, we have a scenario where we have a single web application with multiple entities. Currently, the login is managed via default JDBC Spring Security provider, working fine.
For a new requirement, we need that each entity can have its own login method (currently 2 methods would be available: the JDBC one, which is the current one, and the second would be authentication via SAML, with each entity defining its own IdP, but this is another story).
I need some guidelines on how this can be achieved. I have done some searching and found providers for different URLs, etc., but not different login methods for the same app and URLs depending on the user type or entity.
Is it a good approach to have a custom single entry point where we can check the user's entity and then use the suitable authentication provider?
Kind regards,
Alex
As each of your users might be using a different IdP, you will in any case need to determine the username before proceeding with initialization of the authentication process - but you already know this.
One approach to take (similar to what Microsoft is using with the Office 365 for corporate users) is:
display a login page with fields for standard username + password
once the user enters the username and blurs the input field, you make an AJAX call (to your custom API made for this purpose) and fetch information about the authentication type + IdP to use for this user
in case the type is password, you simply let the user continue with filling in the password field and POST to the same place as you're used to for processing with the JDBC provider
in case the type is federated authentication, you initialize authentication with the correct IdP by redirecting to /saml/login?idp=xyz and continue with the SAML flow
It's possible to avoid any APIs by submitting the form once the user enters the username, or letting the user click a "Continue" button. It would then make sense to use a custom EntryPoint which:
redirects the user to the main login page in case it wasn't provided with a username
displays either the login page with username/password or redirects to the correct IdP, once the username was provided
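The "custom EntryPoint" variant of the answer, as an added example that is not part of the answer or of any Spring Security sample: an AuthenticationEntryPoint that sends users without a username to the login page, users of a password entity to the username/password form, and users of a SAML entity to /saml/login?idp=... for their IdP. AuthenticationEntryPoint and its commence() signature are real Spring Security; the policy lookup, the entity-from-username rule, the IdP aliases and the URL paths are assumptions.

```java
// Added example (not from the question or answer). Assumes the SAML extension
// is mounted at /saml/login and accepts an IdP alias in the "idp" parameter,
// and that the normal form login lives at /login.
package com.example.security;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

public class EntityAwareEntryPoint implements AuthenticationEntryPoint {

    public enum AuthType { PASSWORD, SAML }

    /** Per-entity login policy: which method and, for SAML, which registered IdP alias. */
    public static final class LoginPolicy {
        final AuthType type;
        final String idpAlias;
        public LoginPolicy(AuthType type, String idpAlias) { this.type = type; this.idpAlias = idpAlias; }
    }

    private final Map<String, LoginPolicy> policyByEntity;
    private final Set<String> registeredIdpAliases;

    public EntityAwareEntryPoint(Map<String, LoginPolicy> policyByEntity, Set<String> registeredIdpAliases) {
        this.policyByEntity = Collections.unmodifiableMap(new HashMap<String, LoginPolicy>(policyByEntity));
        this.registeredIdpAliases = Collections.unmodifiableSet(new HashSet<String>(registeredIdpAliases));
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        String username = request.getParameter("username");
        String base = request.getContextPath();

        // Step 1 of the answer: no username yet -> plain login page asking for it.
        if (username == null || username.trim().isEmpty()) {
            response.sendRedirect(base + "/login");
            return;
        }

        LoginPolicy policy = policyByEntity.get(entityOf(username));
        boolean federated = policy != null
                && policy.type == AuthType.SAML
                && registeredIdpAliases.contains(policy.idpAlias);

        if (federated) {
            // Only aliases from our own registry ever reach the redirect, so the
            // "idp" value cannot be steered by the caller to an arbitrary IdP.
            response.sendRedirect(base + "/saml/login?idp="
                    + URLEncoder.encode(policy.idpAlias, "UTF-8"));
        } else {
            // Password entities, and unknown entities, get the JDBC form; the form
            // POSTs to the usual processing URL, so the existing provider is unchanged.
            response.sendRedirect(base + "/login?username="
                    + URLEncoder.encode(username.trim(), "UTF-8"));
        }
    }

    /** Entity resolution rule (assumption): the domain part of an e-mail-style username. */
    static String entityOf(String username) {
        int at = username.indexOf('@');
        return at < 0 ? "" : username.substring(at + 1).trim().toLowerCase();
    }
}
```

The entry point only decides where to send the browser; it never authenticates anything itself. Whichever path is taken, the credentials are still verified by the JDBC provider or by the SAML response processing, so a wrong or forged entity guess buys an attacker nothing beyond a different login form.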

Setting UserPrincipal in form based authentication

[JEE, MVC-JSP+Servlets, TomEE]
Using form-based declarative authentication (container-managed). Is it possible to explicitly set the UserPrincipal (to log some user in)?
I know I can check whether there is a logged-in user or not with request.getUserPrincipal() != null.
Actually I am facing the following situation: I have a register.jsp that is used for new user registration. The data from this JSP is sent to a servlet, where a new user object is created and persisted to the database. So, now that the user has registered, he/she should be automatically logged in. I was thinking about how I can implement this automatic login after registration.
If you are on Servlet 3.0 and above, use HttpServletRequest.login().
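The register-then-login step from the question, written out with HttpServletRequest.login() as an added example (not code from the question or answer). It assumes Servlet 3.0, a hypothetical UserStore that writes to the same table the container realm reads, and the /register, /home and /login.jsp paths.

```java
// Added example (not from the question or answer). Assumes Servlet 3.0 or later
// (request.login() was introduced there) and a container realm configured
// against the same user store that UserStore writes to.
package com.example.web;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    /** Hypothetical persistence layer; returns false if the username is already taken. */
    public interface UserStore {
        boolean create(String username, char[] password);
    }

    private UserStore users;   // assumption: set up in init() or injected by the container

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "username and password are required");
            return;
        }

        // Persist first: login() authenticates through the container's realm, so
        // the account must already be committed, hashed the way the realm expects.
        if (!users.create(username, password.toCharArray())) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "username already taken");
            return;
        }

        // Discard the pre-login session so the authenticated user gets a fresh session id.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);

        try {
            // Container-managed login: on success getUserPrincipal() and isUserInRole()
            // work for the rest of this request and, with FORM auth, for the session.
            req.login(username, password);
        } catch (ServletException e) {
            // Thrown if the realm rejects the credentials, if a user is already
            // logged in on this request, or if the login mechanism is not user/password.
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
            return;
        }

        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

login() must be called before any part of the response is committed, and it uses the realm's credential check rather than trusting the servlet's own registration result, which is why a freshly created account still has to be readable by the realm at that moment.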

how to add interceptor in spring

I am using Spring Security 3.0.3 for a project. My user info is loaded from the database. I have the following interceptors:
<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
I want to add an interceptor for user data. When I log in with user1 (role: requester), he can see only user1's specific data:
http://localhost:7009/Test/requester//30351?menuId=app.requester.new
but when I log in with another user, user2 (role: requester), and enter the above URL in the browser,
http://localhost:7009/Test/requester//30351?menuId=app.requester.new.
he can see user1's data.
How can I add an interceptor so that it restricts access to another user's data?
The scenario is as follows:
1> Log in with user1; he can see the following list of data:
101
102
103
When he clicks on 102, it opens the details of 102:
http://localhost:7009/Test/requester//102?menuId=app.requester.new.
2> Log in with user2; he can see the following list of data:
104
105
106
When he clicks on 105, it opens the details of 105:
http://localhost:7009/Test/requester//105?menuId=app.requester.new.
But when I copy user1's link
http://localhost:7009/Test/requester//102?menuId=app.requester.new.
and paste it into the browser, user2 can see the details of user1's data.
You don't filter everything in the Spring Security configuration but rather do it in the view or controller. Here is a very good tutorial which shows you how to use Spring Security in your case.
http://static.springsource.org/spring-security/site/petclinic-tutorial.html
If you use JSP for your view, you can use the Spring Security taglib to handle the view of the user's own data and, for other users' data, you will need to put the filtering logic inside the controller and pass it as a model to the view. However, the exact solution depends on your application.
One option to do this is to use the Spring Expression Language and a custom PermissionEvaluator. Here's what we did to implement a department/sub-department authorization scheme: how to control the user authentication using spring mvc. This will allow you to create custom logic to identify what user1 is allowed to see, etc.
Check out http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html. Take a look at the @PostFilter annotation - if your data set is returned as a collection or an array, Spring Security can automatically filter out data elements based on your custom PermissionEvaluator.
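The PermissionEvaluator approach from the second answer, worked through for the question's scenario (user2 pasting user1's /requester//102 link) as an added example that is not code from the question, either answer or the Spring project. PermissionEvaluator, @PreAuthorize and @PostFilter are real Spring Security 3.0 APIs; the RequesterRecord, RequesterRepository and RequesterService types, the "RequesterRecord" target type name and ROLE_ADMIN bypass are assumptions.

```java
// Added example (not from the question or answers). Assumes Spring Security 3.0.x
// with <global-method-security pre-post-annotations="enabled"> and a
// DefaultMethodSecurityExpressionHandler whose permissionEvaluator property
// points at this class.
package com.example.security;

import java.io.Serializable;
import java.util.List;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class OwnerPermissionEvaluator implements PermissionEvaluator {

    /** Hypothetical domain object: one "requester" row and the username that owns it. */
    public static final class RequesterRecord {
        public final long id;
        public final String owner;
        public RequesterRecord(long id, String owner) { this.id = id; this.owner = owner; }
    }

    /** Hypothetical repository; findAll() must return a mutable list for @PostFilter. */
    public interface RequesterRepository {
        RequesterRecord find(long id);
        List<RequesterRecord> findAll();
    }

    private final RequesterRepository repo;

    public OwnerPermissionEvaluator(RequesterRepository repo) { this.repo = repo; }

    // Backs hasPermission(filterObject, 'read') in @PostFilter: an object is visible
    // only to its owner (or an admin). Unknown object types are denied, not ignored.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof RequesterRecord)) {
            return false;
        }
        RequesterRecord record = (RequesterRecord) target;
        return isAdmin(auth) || record.owner.equals(auth.getName());
    }

    // Backs hasPermission(#id, 'RequesterRecord', 'read') in @PreAuthorize: the id from the
    // URL is resolved server-side, so the check cannot be bypassed by editing the link.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (!"RequesterRecord".equals(targetType) || !(targetId instanceof Number)) {
            return false;
        }
        RequesterRecord record = repo.find(((Number) targetId).longValue());
        // A missing record and someone else's record produce the same AccessDenied,
        // so the response does not leak which ids exist.
        return record != null && hasPermission(auth, record, permission);
    }

    private static boolean isAdmin(Authentication auth) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if ("ROLE_ADMIN".equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /** Service layer the controller calls; the 102/105 from the URLs arrives as {@code id}. */
    public static class RequesterService {
        private final RequesterRepository repo;
        public RequesterService(RequesterRepository repo) { this.repo = repo; }

        @PreAuthorize("hasPermission(#id, 'RequesterRecord', 'read')")
        public RequesterRecord details(long id) {
            return repo.find(id);
        }

        @PostFilter("hasPermission(filterObject, 'read')")
        public List<RequesterRecord> list() {
            return repo.findAll();   // user1 keeps 101-103, user2 keeps 104-106
        }
    }
}
```

With this in place, user2 requesting /requester//102 gets an AccessDeniedException from details(102) before the controller ever renders user1's data, and list() is trimmed in place (so the repository must not hand back an immutable collection). For the #id reference to resolve in Spring Security 3.0, the service class has to be compiled with debug information, since parameter names are read from the class file.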

Seam security with externally-orchestrated SSO

I have an application deployed on WebLogic 10.3.2 (11g), in which the user logs in through SSO. In other words, if the user is not logged in, he is redirected to SSO, where he logs in, and then is redirected back to the application. The whole redirection takes place through the Oracle HTTP Server (a modified Apache), which makes sure that only SSO-authenticated users can see the application.
So, when the user finally sees the application, he is already logged in.
Is there a way to use Seam security with this scenario? What I would like is to use the roles of the Subject to restrict access to certain pages and components.
A way I thought of, but of which I am not sure, is to use the Subject that is populated by the SSO authentication provider of WebLogic and use it to populate the Identity component of Seam. That would take place in the authentication method, which will always return true (since the user is already logged in). Inside the method, the credentials and roles of the Subject will be "transferred" into the Seam Identity.
Is this feasible at all?
Cheers!
You could write your own authenticate method, or override the Identity class and the login() method to achieve this. I've done something similar with a reverse proxy that performed our authentication. In the scenario, the proxy sent back the user ID of the authenticated user and all the groups they were a member of as header values. I wrote a filter to intercept the headers and then used my custom Identity class to do the rest.
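The "write your own authenticate method" option, as an added example that is not code from the question, the answer or the Seam project: a Seam 2 authenticator that copies the principal and roles the container (here WebLogic's SSO provider) has already established into Seam's Identity, without re-checking a password. It assumes the Seam 2.1+ Identity/Credentials API, JSF's ExternalContext for reaching the container principal, the bean name "authenticator" and the role names listed.

```java
// Added example (not from the question or answer). Assumes Seam 2.1 or later
// and that the request reaches the application only after the HTTP server /
// SSO layer has authenticated the user, so ExternalContext.getUserPrincipal()
// is already populated from the WebLogic Subject.
package com.example.seam;

import java.security.Principal;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;

@Name("authenticator")
public class ContainerPrincipalAuthenticator {

    /**
     * Roles the application cares about (assumption). The container API can only
     * be asked "is the user in role X?", it cannot enumerate the Subject's roles,
     * so the candidate names have to be known up front.
     */
    private static final String[] KNOWN_ROLES = { "admin", "manager", "user" };

    // Referenced from components.xml:
    //   <security:identity authenticate-method="#{authenticator.authenticate}" />
    public boolean authenticate() {
        ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();
        Principal principal = ctx.getUserPrincipal();
        if (principal == null) {
            // The front-end proxy should never let an unauthenticated request
            // through; if one arrives anyway, fail closed rather than "always true".
            return false;
        }

        Identity identity = Identity.instance();
        identity.getCredentials().setUsername(principal.getName());

        // Transfer the container's role decisions into the Seam identity so that
        // pages.xml restrictions and s:hasRole() work without a second login.
        for (String role : KNOWN_ROLES) {
            if (ctx.isUserInRole(role)) {
                identity.addRole(role);
            }
        }
        return true;
    }
}
```

Page and component restrictions then stay in Seam's own terms (for example a pages.xml restrict of #{s:hasRole('admin')}). The difference from the header-based variant in the answer is where the trust sits: a container-populated principal cannot be forged by the client, whereas user and group headers from a reverse proxy are only as trustworthy as the proxy's guarantee that it strips any copies of those headers supplied by the client.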
