I want to authenticate my web service in Spring with an Active Directory lookup at both the producer and the consumer, under the Principal that each is executing under (i.e. Service Accounts).
I'm assuming I have to use JaasPlainTextPasswordValidationCallbackHandler and JaasCertificateValidationCallbackHandler and set up my jaas.config file.
Can anyone give me a code example of where to go from here? I'm guessing the Service Account names will need to go into the jaas.config file, but if so, I'd like that to be automatically populated.
You shouldn't need JAAS at all. A simple LDAP authentication scheme should work fine for Spring Security and Active Directory; Active Directory exposes an LDAP interface (typically port 389).
http://static.springframework.org/spring-security/site/docs/2.0.x/reference/ldap.html
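Added example (not code from the answer above) of the LDAP approach using the ActiveDirectoryLdapAuthenticationProvider that Spring Security ships since 3.1, written with Java configuration (3.2+): the producer validates the consumer's service account by binding to AD with the HTTP Basic credentials sent on each call, so no list of account names has to be maintained in any file. The domain, controller URL, URL pattern and group name are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AdWebServiceSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values: the AD domain and a domain controller reachable over LDAPS.
    private static final String AD_DOMAIN = "corp.example.com";
    private static final String AD_URL = "ldaps://dc1.corp.example.com:636";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // The Basic credentials of each request are used to bind to AD as
        // user@corp.example.com, so AD itself decides whether the service
        // account is valid and enabled; nothing is listed locally.
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL);
        // Map AD sub-error codes (expired password, locked account, ...) to
        // distinct exceptions instead of a generic "bad credentials".
        provider.setConvertSubErrorCodesToExceptions(true);
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Service-to-service calls carry credentials on every request, so no
            // HTTP session is created; this only suits non-browser clients, which
            // is also why the session-based CSRF token is switched off here.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable()
            .authorizeRequests()
                // The provider turns each memberOf group CN into an authority, so
                // membership in an assumed AD group "WS-Consumers" gates access.
                .antMatchers("/ws/**").hasAuthority("WS-Consumers")
                .anyRequest().denyAll()
            .and()
            .httpBasic();
    }
}
```

The consumer side needs nothing more than sending its own service account's credentials as HTTP Basic on each request.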
There are two server applications deployed in Tomcat.
OAuth2 Authentication Server
OAuth2 Resource Server
The OAuth2 Server authenticates and authorizes the usage of the Resource Server. This setup is working fine and there are no issues regarding this.
Now I need to implement a session tracking mechanism in the Resource Server, so that I can store and retrieve session attributes between different API calls in the Resource Server.
To achieve the above I have configured and implemented session storage with the code below:
spring.session.store-type=jdbc
spring.session.jdbc.initialize-schema=always
and the above configuration created the required tables in the DB and the session_attributes are being stored just fine.
The problem is that between every API call a new session is created, regardless of whether I use different configurations like the ones below:
request.getSession()
request.getSession(true)
request.getSession(false)
request.getSession(false) => using only this line makes the code fail, as it prevents a new session from being created even if there are no sessions.
Anyhow, after reading numerous technical documents it seems like we need to implement the said mechanism with either HeaderHttpSessionStrategy or CookieHttpSessionStrategy, but there is no clear documentation available and the dependency is not getting resolved for spring-session, which contains the required classes.
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session</artifactId>
    <version>x.x.x</version>
</dependency>
I tried this, but in vain.
Help me with a solution. Thanks in advance.
I have multiple microservices which communicate with each other through REST calls.
I have used Spring Boot and Spring REST and have configured the URLs of the REST endpoints in the application.properties file.
Now the problem is that if the URL for one endpoint changes, then I have to manually modify all the property files of the services which are calling that particular endpoint which has changed.
Is there a workaround for this so that the URLs can somehow be placed in a centralized location, so that any modification does not impact the other services which are using it?
You can use spring-cloud to achieve this. The usual way in spring-cloud is to configure the required properties in a git repo. Those properties can then be accessed by any microservice you want with minimal configuration. You can refer to the projects in this repo.
limits-services acts as a client that needs certain properties which are configured in spring-cloud-config-server. Hope this helps.
In the case of microservices you can use Spring Cloud Config (Spring Cloud Config, Spring Cloud Config Server). It's very useful and you can update your configuration at runtime.
Spring Cloud Config provides server and client-side support for externalized configuration in a distributed system. With the Config Server you have a central place to manage external properties for applications across all environments. The concepts on both client and server map identically to the Spring Environment and PropertySource abstractions, so they fit very well with Spring applications, but can be used with any application running in any language. As an application moves through the deployment pipeline from dev to test and into production you can manage the configuration between those environments and be certain that applications have everything they need to run when they migrate.
As others have mentioned, you can use Spring Cloud Config Server to remotely load your application configuration. All you need is a git repository containing your configuration.
Spring Cloud Config supports Git and databases as your store for configuration.
The idea is to create a Spring Boot app that can provide configuration to other applications.
@SpringBootApplication
@EnableConfigServer
public class ConfigServer {
    public static void main(String[] args) {
        SpringApplication.run(ConfigServer.class, args);
    }
}
You can configure the port and provide your git repository using the key spring.cloud.config.server:
server.port: 8888
spring.cloud.config.server.git.uri: file://${user.home}/config-repo
At the client side, if you have spring-config on your classpath, the application will try to connect to an application running at port 8888 to retrieve its configuration.
More information can be found here.
You may put the configuration inside a database.
After that you need to have one centralized cache service that is used by the other services; it can be a .jar service.
Then the values can be loaded inside a cache class in this service.
Then on the front-end side you need an update button for updating the cache after modifying the URL value in the database, so that all impacted services can use the new value.
And to make it easier, you may have a stand-alone UI for updating those configurations rather than updating the database directly.
You can use Microconfig.IO to manage your service configuration and its placeholder functionality to reference configuration values of certain services from others. So in your case you configure your deploy URL in your server and put placeholders for it in your clients. This allows you to edit the value in only one place, and then everyone who depends on it will get it automatically.
I am using Spring Cloud Embedded Config Server to get the configuration from Git during server startup. It's working fine. Below is my config.
bootstrap.properties
spring.application.name= "credentialInfo"
spring.cloud.config.server.bootstrap= "true"
spring.cloud.config.server.git.uri= "https://11111@bitbucket.global.company.com/scm/~11111/spring-cloud-config.git"
spring.cloud.config.server.git.username= "aaaa"
spring.cloud.config.server.git.password= "bbbb"
Now I have to get the properties from the Git repo for each request, with the username and password collected from customers. How can I achieve this?
Normally the client application gets properties from git through the config server at startup and when the "actuator/refresh" endpoint is called.
I'm afraid that the requirement as you state it doesn't work well with Spring Boot.
When configurations are read (no matter from where, including the configuration service) they are used to configure spring beans during the startup.
For example, if you have a configuration of, say, the db host, this configuration is supposed to be used by the bean responsible for database connectivity (DataSource).
The point is that by the time the Application Context starts, beans are already configured.
It's true that some beans having a refreshable scope define custom logic to get "re-initialized" as a consequence of calling the /refresh endpoint, but this is not what you're asking for (at least as far as I understood).
Instead you say that the client does something during the application startup and this action should lead to beans changing. This is potentially a very expensive operation and I don't think you should go in this direction. Usually beans are not re-created during runtime (those of scope singleton, and chances are that most of the beans are of this scope).
I have the following setup.
server1: I am using Spring Security v3.1.4 in one application. This application is running on its own server (e.g. Tomcat at server1.mydomain.com).
server2: I have another 3rd party web application running on a different server (e.g. Tomcat at server2.mydomain.com). This application is pluggable in that it allows me to install jars to dynamically modify behavior at runtime. Its purpose is to serve content.
Users and resource access are managed on server1. Content is delivered by server2. On server2, if a resource request comes in, I need to ask server1 if the user is logged in. Is this possible to do with Spring Security? I imagine I would pass in the username with the resource request (e.g. http://server2.mydomain.com?getFileId=1&username=johndoe@gmail.com).
I read a little bit on the Spring Security website and SSO seems to be the way to go (e.g. using Central Authentication Service). But that seems like overkill. Our architecture already has several servers running:
integration (e.g. the webapp using spring security)
media (e.g. the 3rd party webapp)
elastic search (a cluster)
mysql (a cluster)
If possible we would like to have a minimalist system (but our system isn't small, given our investments and assumptions using RDBMS/IR clusters).
Any help is appreciated.
One possible way of achieving this - although it's not something I've tried myself - could be to expose Spring Security's SessionRegistry in server1 via a simple REST based controller. That would then allow server2 to remotely query authenticated users in server1 by making a simple HTTP GET request.
It's probably worth having a read of the Session Management section of the Spring Security docs to determine how to access the SessionRegistry. The basic setup I think is to specify a <session-management> tag inside the <http> section of your config on server1.
<security:session-management>
<security:concurrency-control session-registry-ref="sessionRegistry"/>
</security:session-management>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
You would also need to add a listener to the web.xml of server1
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
The controller that you would need to create on server1 could then be autowired with the SessionRegistry
@Autowired
private SessionRegistry sessionRegistry;
From there, you can use sessionRegistry.getAllSessions() to determine whether a username (principal) passed in a request to the controller is logged in on server1.
More of an idea than a concrete answer - but may give you an avenue to explore.
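A sketch of the server1 controller described in that answer, added here as an example and not code from the answer (the /internal/session-check path and the username parameter are assumptions). It answers only "does this username currently hold a live session on server1"; it does not prove that the request server2 received came from that user, and the mapping itself should be restricted to server2 in server1's intercept-url rules.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class SessionCheckController {

    @Autowired
    private SessionRegistry sessionRegistry;

    // Assumed path. Lock it down with an intercept-url rule only server2 can
    // satisfy (e.g. hasIpAddress(...) or a dedicated service credential),
    // because it lets a caller enumerate who is logged in.
    @RequestMapping(value = "/internal/session-check", method = RequestMethod.GET)
    @ResponseBody
    public String isLoggedIn(@RequestParam("username") String username) {
        return hasLiveSession(username) ? "true" : "false";
    }

    // True when the registry holds at least one non-expired session whose
    // principal name equals the requested username.
    boolean hasLiveSession(String username) {
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(principalName(principal))) {
                continue;
            }
            // includeExpiredSessions=false skips sessions that concurrency
            // control has marked expired but the listener has not removed yet.
            List<SessionInformation> sessions =
                    sessionRegistry.getAllSessions(principal, false);
            if (!sessions.isEmpty()) {
                return true;
            }
        }
        return false;
    }

    // The registry stores whatever Authentication.getPrincipal() returned:
    // a UserDetails for the usual providers, otherwise a plain String.
    private static String principalName(Object principal) {
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return principal.toString();
    }
}
```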
We have a tomcat webapp which provides webservices which are protected using Spring Security. The client makes a call to a specific authenticationService method which we wrote to authenticate them and create an authToken which is then used to register them with Spring Security as so:
SecurityContextHolder.getContext().setAuthentication( authToken )
That's all fine and good. However, we also have the requirement that authenticated users be able to access static content which is served by Apache (httpd) on the same server. Is there a way to enforce the requirement that the user has been authenticated (by Java/Spring) before they can download the static content? It seems like Apache and Tomcat would have to somehow share the SecurityContext.
OR - alternatively it seems like Tomcat could serve the static content itself since it already has access to the SecurityContext. If that is the best solution, could anyone provide a pointer to how we would get tomcat to do that (serve static content after checking that the user has been authenticated).
Thanks.
Yes, Tomcat is going to have to serve the static content.
mvc:resources can be helpful here. After that is set up protect those mappings using the standard intercept-url configuration.
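Java-config equivalent of the mvc:resources plus intercept-url setup that answer names, added here as an example rather than taken from the answer; the /static/ path, the webapp directory layout and the /services/authenticate path are assumptions. It only works if the SecurityContext set in the authenticationService call is persisted to the HTTP session and the client sends that session cookie when it fetches the files.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

// Tomcat (through Spring MVC) serves the files itself, which is what puts
// them behind the same SecurityContext the web services already use.
@Configuration
@EnableWebMvc
public class StaticContentConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Same as <mvc:resources mapping="/static/**" location="/static/"/>;
        // the files live under the webapp's /static/ directory (assumed layout).
        registry.addResourceHandler("/static/**").addResourceLocations("/static/");
    }
}

@Configuration
@EnableWebSecurity
class StaticContentSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Same as <intercept-url pattern="/static/**" access="isAuthenticated()"/>.
            // Order matters: the first matching pattern wins, so this rule must
            // precede any broader permitAll, or the files go out unauthenticated.
            .antMatchers("/static/**").authenticated()
            // Assumed path of the method that creates the authToken; it is the
            // only thing an unauthenticated client may reach.
            .antMatchers("/services/authenticate").permitAll()
            .anyRequest().authenticated();
    }
}
```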