I currently have a web application that is using the Spring Framework for authentication and authorization. I have a customer base that is wanting to implement Oracle Access Manager for authentication and authorization. Does anyone have any ideas how complex this migration will be given my current web application setup below?
Current Web Application:
uses custom Spring based filter for Single Sign On authentication
uses Spring form based security
web application currently uses MySQL and implements the Spring org.springframework.security.core.userdetails.UserDetailsService to authenticate a user against a MySQL table that has a username and encrypted password
UI is written in JSF/Facelets and uses Hibernate JPA implementation for all CRUD operations to MySQL
I've done a reverse migration once, from Sun Access Manager to plain Spring Security.
From what I've seen in legacy AM access code, your problem may be solved with single custom Spring Security filter, that accesses AM for authentication and authorization using this API (link may be outdated). So customer will be able to manage users and roles in Access Manager, but no architectural changes will be required for application itself.
AM access snippet (not tested):
SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
AMIdentityRepository repo = new AMIdentityRepository(adminToken, "realm_name");
IdSearchResults res = rep.searchIdentities(IdType.USER, uid, new IdSearchControl());
I've never done such integration myself, so maybe more proper ways exist.
Related
Im working on an Spring Boot application which should have two parts: One Admin UI-Part done in Vaadin and one part consisting of REST-API Endpoints for a native application to consume.
Authentication of the Admin UI (Form-Login) should be completely different from the REST API (e.g. Basic Auth with a fixed token, or a token from the database).
What would be the best way to achive this? Since it's basically two different applications having the Data-access in common would it make sense / be possible two instanciate two spring application contexts? Or is it enough to configure spring security in a special way for example? Just adding a RestController and excluding the URL from SpringSecurity already brings me halfway to the solution, but what if I also want authentication for my REST-API? But completely different with its own application provider basically.
Spring supports role based authorization and multiple authentication providers. So essentially you can give you admin users a special role and require this role in your Vaadin views to prevent ordinary users accessing the admin UI. You can also have separate authentication mechanisms in the same application, for example you could have your users authenticated via LDAP and you admins via a database. You shouldn't need to do separate application contexts.
I have established connection between my Spring project and MySQL DB, I also have an existing HTML site with login and register templates. Can someone point me into the right direction on how to connect Spring with my existing HTML?
In order to implement login and register workflow you need to implement few things:
REST API http endpoints for login and register - you can use Spring for that
Data base of some sort to to store users data (that should be encrypted) - you can use MySQL for that
Some sort of mechanism to authenticate users - I recommend using JWT for that
Considering your tech stack, which include Spring (I guess it is Spring Boot), and MySQL I can suggest going through this great article which walks you through building login workflow using Spring boot, MySQL and JWT
I can also recommend using existing technology for managing user data, specifically I recommend KeyCloak which is a Open Source Identity and Access Management.
We have a requirement where we need to enable SAML authentication in our application for a customer that has ADFS as IDP.
After considering various options, I was able to get this working with Spring SAML security as provided in the documents.
Now the issue is to integrate the SAML security with our application.
Unfortunately, our application is still a leagacy java application using servlets and jsp and not spring based.
I was just wondering how can the 2 be integrated. The document mentions that this possible .However, i was unable to find any write up on it.
Can someone plz direct me to the relevant source that can provide guidelines for this approach.
Thanks.
Classes in package org.springframework.security.saml.websso contain the core of SAML processing functionality and are independent of Spring Security. They do contain few class imports from Spring, therefore Spring-core classes need need to be on the classpath, but the application itself doesn't need to use Spring/SpringSecurity.
You will need to re-implement yourself logic which is specific to Spring Security - package org.springframework.security.saml - e.g. SAMLEntryPoint, SAMLProcessingFilter, and call your implementation during your authentication lifecycle. Logic of these classes is simple, so enabling basic use-cases is pretty easy.
Thanks Vladimír for the guidance. This is how i integrated a standard legacy java app with spring security for saml based authentication:
Modified securityContext.xml
set idpDiscoveryEnabled=false
set forceAuthN= true to force user to login when saml token expires
updated defaulttargetURL in successHandler to authhandler.jsp page,present in spring security app, to redirect back to my application
I have a filter applied on all the web calls in my java app . This
filter redirects the call to /spring-security-saml2/saml/login
spring saml authenticates the user with ADFS.On successful authentication, user is redirected to authhandler.jsp
Authhandler.jsp is same as index.jsp but the retrieved claims are hidden fields here. These values in hidden fields are send back to my standarda java application.
Here my java application performs other application level authentication and proceeds as desired.
Would appreciate any suggestions for improvisation or identification of any flaws in the above approach
I am developing a single page application in AngularJS. The backend uses Spring2.8. The application communicates with backend via Rest.
I want to implement session management in my application. The idea is to create a unique token for each user and check it in every request.
Is there any way to do with spring2.8 without any database access.
You can implement spring security and define roles for each user.
http://docs.spring.io/spring-security/site/docs/current/guides/html5//
I have several multi module spring web application each application like below, each of them differently develop no inter - connection.
war
|...webModule
|...coreModule
I want to integrate them with one admin module with security settings.
How can i do that?? is their any frameworks for that??
I go through the OSGI approach but it has lot migration work. What about component based (I never do that)... Can any one suggest some way to create my integration application which can handle common login & security for other sub application ? (need single sign on multiple war solution)
I strongly advise reading up on the Angular JS and Spring Security series, especially related is the https://spring.io/blog/2015/01/20/the-resource-server-angular-js-and-spring-security-part-iii
The approach that they describe seems completly viable for you. Key points
Spring Security uses the HttpSession to store authentication data by
default. It doesn’t interact directly with the session though: there’s
an abstraction layer (SecurityContextRepository) in between that you
can use to change the storage backend.
After authenticating through your admin module you should store your authentication data into a storage accessible to all your other modules, and using a session id as a key for the data. You can easily achieve this with a help of Spring Session where you can use an out-of-the-box supported Redis as your shared storage for authentication data.
Finally, the key will be set inside a custom header of the requests that target other modules, which will use this custom header and a changed session strategy to pull the authentication data from the storage and authenticated the user
There are quite a few details behind the approach, but the series come with the sample implementation so you should be able to find your way