In my current project I need to authenticate and authorize users via Spring security.
Our directory is LDAP.
I have basic ldap knowledge.
I am trying to understand how in the ldap side I suppose to manage and create users in order to provide them roles and permissions to be used in my Spring security app.
Any ref/tutorials/small explanation would be greatly welcome.
thanks,
ray.
You can check this out StackOverFlow thread where is explained that:
The roles in the beans.xml must be an exact match of the CN (common name) of the memberOf value attribute.
With one good example.
Also this two examples MVC + LDAP about the structure of beans.xml in relation with LDAP config.
This links is based on MVC + InMemory Authentication where is described the way to code a custom simple login for Spring. This way you can adapt the code in MVC + LDAP example.
Hope this help.
Related
In this picture I have tree structure and I want to give permission to any role above nodes.
Who can give me tips about this?
I believe what you are searching is "authorization" instead of "authentication". If you are using Spring, Spring Security is here to help you with your security needs. You can have roles and authorities to help you define what the user can access or do.
Using spring security, you can secure the endpoints using annotations like
#PreAuthorize(“hasAuthority('READ_AUTHORITY')")
or
#PreAuthorize(“hasRole('ADMIN')")
Does any of you have some example of Custom Spring Security Login form using REST Api? I am actually trying to create my own, and the problems I'm facing are:
How should be named classes, is it User and Role? Cuz I seen many different versions of it.
Where should I post JSON file with login and password?
How should it look like?
Thanks in advance for all answers and examples of your code (github or something).
REST APIs are usually stateless. It does not know something about a session. So i think you're looking for an basic auth to protect your API.
Or you could use openid connect and check the roles based on a token. This would give you more flexibility for pre conditions and post conditions processing a service call.
Here is a good example of openid connect with spring boot and google implementation. Other provider are adaptable. Baeldung - Spring Security openid connect
If you're just looking for a simple solution with basic auth, take a look here
Baeldung - Spring Security basic auth
yes, you can use form login and rest API together, but that means that your rest API isn't going to be stateless, it means that a session will be created and rest APIs are usually stateless, that's why you have to use basic auth, jwt, etc when creating a rest API, but if you really want to use rest API with form-based authentication, I made an example for you, check this link
This example uses Spring Boot, Spring MVC, H2, Spring Security with custom form login, Spring Data Jpa, but again it's not recommended to use form login for rest API.
Regarding to your questions
How should be named classes, is it User and Role? Cuz I seen many different versions of it.
It's up to you
Where should I post JSON file with login and password?
If you are using spring security form-based authentication, there no need to post a json
I am trying to implement simple JWT security with token refresh in my web app. Probably, the question has been asked numerous times and I am digging for an answer but can't seem to find it after a month of searching.
I have two models for the user in the database and they should have different role type ADMIN and USER. ADMIN type needs to access his url endpoints and USER his own upon successful email and password login.
I am trying to avoid oauth because I do not need enterprise like implementation.
Could anyone refer me to a good guide that explains how stuff works or just explain by himself with a code sample? You would help me alot! Thanks.
You may want to try JJWT if you're looking for a simple to use JWT library for Java. It's well documented and easy to integrate into Spring Boot apps.
At the very least, you'll need to write your own service for generating tokens (using JJWT), a filter for pre-processing the request and generating an Authentication, and an AuthenticationProvider for performing the actual processing/validation of the token content (again with JJWT) and to populate roles/authorities or any other information that might be required by your Authentication implementation.
This method of implementing JWT based authentication does not require any components from Spring's OAuth2 implementation.
https://github.com/jwtk/jjwt
https://stormpath.com/blog/jjwt-how-it-works-why
I am currently working on a Spring MVC web application which calls separate AuthServer (resource owner password credentials). My question is it ok for the Spring MVC web app to implement and handle its own login interface while it needs to be integrated with the separate AuthServer. Any idea on how to handle it using Spring Security? I wonder if is it possible to put authentication (OAuth password grant) in WebSecurityConfigurerAdapter. BTW, AuthServer is on the same server but different application, not on a separate server like Facebook or Google AuthServer.
I have done my research but did not found an answer on the possibility. Hope someone could help me on this. Thanks in advance.
I have implemented such a thing. I am not sure if this is the best way to do it, but it is maybe the fastest. So in the WebSecurityConfigurerAdapter- authenticate method - just work with your other authorization server and handle the exceptions there- you can wrap the other server responses and exceptions with your own corresponding to your structure. That worked for me.
I'm currently looking into securing jax-rs web services.
The following URL is very interesting: https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF256.
I am especially looking at the annotations-based security of web services. Defining per method the roles that are allowed looks very straightforward.
I have however 4 questions related to this topic:
defining and mapping roles
I'm wondering: where does one define the roles of users and how does one make the mapping of users to roles when using annotation-based security?
If someone could point me to an example with code, that would be great, I'm not having a lot of luck finding one.
Libraries/frameworks
Are there any libraries/frameworks that you know of that could be used for securing jax-rs services? I don't have the impression e.g. that Apache Shiro is really suited for web services? I would prefer not using Spring security, it's a bit too heavy for what I'm doing.
Database design
Also, for an authentication/authorization scheme using RBAC, with users having roles and roles having assigned permissions, how do you design this on a database level?
Permissions
When looking at the RBAC principle, you have permissions assigned to roles. However, using annotation based security, you only define "access" to methods on a role level. How do you check if a user has permissions? Or do you just use roles and ignore permissions altogether when using an RBAC principle?
Thanks for any input you can provide!
UPDATE1: Am I correct in assuming that, if you define your users and what roles they have yourself in a database instead of e.g. in web.xml, that it is probably easier/better to use SecurityContext for checking if users are in roles, instead of web.xml or annotations?
This would allow you to use your own securitycontext object which can make calls to a database for validating role membership?