I have a question about spring security and it´s regarding to:
<authentication-manager>
<authentication-provider>
<user-service>
I need that user´s name can make some operations that it´s not same to other operations for other user, that is,
User Admin can make: create, read, delete, update.
User A can make: create, read, update.
User B can make: read, delete.
Each user is a different profile with different operations.
Can I make with spring-security?
In database is similar to:
Both users go to same pages but with different oprations, for example, www.myApp.com/pageOperation.
Thanks.
In Spring Security, permission for some action invoking is stored as GrantedAuthority object within current Authentication object in "authorities" collection
So, you should provide different authorities collection for different users by checking user name. You can hardcode them into <user-service> section or provide own implementation of UserDetailService, which resolve user authorities basing on user name. UserDetailsService has method loadUserByUsername which acepts username and returns UserDetails entity which contains user authorities collection. You can check user authority while he invoking some action by applying #PreAuthorize annotation to target method or by interception appropriate url. Hope this helps.
Related
I am working on an application with several roles. Changing this role to admin user should log out the target user.
My first lead was to set up data tables to retrieve the list of active tokens by taking an example from this site:
https://javadeveloperzone.com/spring-boot/spring-boot-oauth2-jdbc-token-store-example/#3_Source_Code
Except that at the connection, the data information is not saved in my tables.
Is it possible to log out a user "by force"?
Yes, there are several ways how you do it.
At the end of the day it invalidates the Authentication object in Spring's security context.
first post here, hope im doing right.
In a project, we have a scenario where we have a single web application with multiple entities. Currently, the login is managed via default JDBC Spring Security provider, working fine.
For a new requirement, we need that each entity can have their own login method (currently 2 methods would be available, the JDBC one, which is the current one, and the second method would be authentication via SAML, with each entity defining their own IdP, but this is another story)
I need some guidelines on how this can be achieved, I have done some search and I have found providers for different URL's, etc... But not different login methods for the same app and url's depending on the user type or entity.
Is a good approach to have a custom single entry point where we can check the entity user and then use the suitable authentication provider?
Kind regards,
Alex
As each of your users might be using a different IDP you will in any case need to determine the username before proceeding with initialization of the authentication process - but you already know this.
One approach to take (similar to what Microsoft is using with the Office 365 for corporate users) is:
display a login page with fields for standard username + password
once user enters username and blurs the input field, you make an AJAX call (to your custom API made for this purpose) and fetch information about authentication type + IDP to use for this user
in case the type is password you simply let user continue with filling in the password field and POST to the same place as you're used to for processing with the JDBC provider
in case the type is federated authentication you initialize authentication with the correct IDP by redirecting to /saml/login?idp=xyz and continue with the SAML flow
It's possible to avoid any APIs by submitting the form once user enters the username, or let user click a "Continue" button. It would then make sense to use a custom EntryPoint which:
redirects user to the main login page in case it wasn't provided with a username
displays either login page with username/password or redirects to the correct IDP, once username was provided
I'm working with a cas implementation and want to extend it by adding a separate spring-webflow. The webflow will be used to manage user specific data that is hosted in a separate web-service. This webflow will be restricted such that a user must first be authenticated in order to access it.
I've added a new flow to cas-servlet.xml as follows:
<webflow:flow-registry id="flowRegistry" flow-builder-services="builder">
...
<webflow:flow-location id="profile" path="/WEB-INF/profile-webflow.xml" />
...
</webflow:flow-registry>
The first state in my profile-webflow.xml is a view to a page that should display the users username ...
<view-state id="accessView" view="profileAccessView" />
The profileAccessView refers to profileAccessView.jsp which I want to display the username of the CAS authenticated user.
<h2>USERNAME</h2>
Is there a way to display the logged in users username here?
I've tried accessing and binding the user info via spring, but I get a null result, i.e. ...
SecurityContextHolder.getContext().getAuthentication()
In the CAS server, users are not authenticated by Spring Security. This question has been asked several times on the CAS mailing lists, I advice you to seek through them, like this one : https://groups.google.com/forum/#!searchin/jasig-cas-dev/username/jasig-cas-dev/-vMzR51b5S0/wbjpdMItHLMJ.
Is it possible to allow users to access a specific page in Alfresco Share? Which user or user group can access to which page for example.
Not really, unless you can map your users to the fixed set of (site independent) roles (none, guest, user, admin) baked into spring surf.
These roles are wired into various classes (i.e. org.springframework.extensions.surf.mvc.PageView,org.springframework.extensions.webscripts.connector.User,org.springframework.extensions.webscripts.Description).
If you can map your users to these roles, just set the authentication value accordingly in the pages xml descriptor.
For example:
To see the document-library, share requires you to be logged in, and hence, in site-data/pages/documentlibrary.xml it reads <authentication>user</authentication>.
If you cannot map your users in this way, things can get a bit messy.
I am using spring security 2.x (+spring + struts2) and would like to enable add authority to user dynamically after user submits a form.
I have a protected directory (/protected/dir/) which is protected by ROLE_USER
<sec:intercept-url pattern="/protected/dir/**" access="ROLE_USER, ROLE_ADMIN" />
Which user can access after they login.
I want to make this accessible to the user who submitted the form (without logging in) by adding a temporary ROLE_TEMP to the principal (which may not even exist, since user hasn't been login, so I may have to add that too to the securityContext)
I have tried to access SecurityContext and add new Principal in my controller/action class. but I am unable to get SecurityContext. (I think SecurityContext only run on its own thread and you cannot pass it around, that's why I got NPE)
So what is the best way of doing this?
Please advise
Thanks
One way to support anonymous users is to add this filter:
/**
* Detects if there is no Authentication object in the SecurityContextHolder,
* and populates it with one if needed.
*/
org.springframework.security.providers.anonymous.AnonymousProcessingFilter
The filter has this attribute that will force the filter to remove the anonymous session after the request is complete:
public void setRemoveAfterRequest(boolean removeAfterRequest);