Spring Boot Starter OAuth 2.0 client with OAuth2.0 Provider - spring-security

I'd like to move away from the keycloak adapters as they will be deprecated in the long run. Unfortunately I cannot figure out how to do this after >1d of work. I created a minimal non-working example here. I have the issue that
The Login with OAuth 2.0 page is empty although everything is present in the application.yaml
I'd like to get automatically redirected to Keycloak. Just like the normal adapter.
The minimal working example contains an endpoint /hello that is secured by spring boot security. The goal is to authenticate with Keycloak and then navigate to this url. If this configuration also works in applications like Postman that would be awesome.
Here are pictures of the keycloak configuration (It worked previously with the adapter):
Update: I managed to get the resource server working but the client seems to be inactive.

Your sample controller is a @RestController, so your application is a resource server, but you're trying to configure it as a client (that won't work).
Refer to this answer for detailed solution: https://stackoverflow.com/a/74572732/619830
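One way to get both behaviours the asker wants (an automatic redirect to Keycloak for the browser, and bearer-token access for tools like Postman) is to keep the resource-server and client roles in separate filter chains. This is an added example, not code from the question or the linked answer; it assumes Spring Boot 3 / Spring Security 6 with both `spring-boot-starter-oauth2-client` and `spring-boot-starter-oauth2-resource-server` on the classpath, and the realm, host and client names are placeholders.

```java
// Assumed application.yaml (placeholder values):
//   spring.security.oauth2.client.registration.keycloak.client-id: my-app
//   spring.security.oauth2.client.registration.keycloak.client-secret: ${KEYCLOAK_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.keycloak.scope: openid
//   spring.security.oauth2.client.provider.keycloak.issuer-uri: https://keycloak.example/realms/demo
//   spring.security.oauth2.resourceserver.jwt.issuer-uri: https://keycloak.example/realms/demo
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Chain 1 (resource server): API routes called by Postman/curl. No session and no redirect:
    // a request either carries a JWT issued by the Keycloak realm above or gets a 401 with a
    // WWW-Authenticate header. The issuer-uri is used to fetch the realm's signing keys.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Chain 2 (client): everything else, e.g. /hello, is the browser flow. Because exactly one
    // client registration exists, Spring Security skips its generated "Login with OAuth 2.0"
    // page and sends an unauthenticated browser straight to /oauth2/authorization/keycloak,
    // which is the immediate redirect to Keycloak the old adapter gave.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```

If an endpoint must accept both a browser session and a bearer token, it has to live in a chain that configures both `oauth2Login` and `oauth2ResourceServer`; keeping them separate as above is simpler to reason about.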

Related

Spring Cloud Gateway x Spring Security 5 x OAuth2 Client: How can I get the authenticated user?

I have a Spring Boot Cloud Gateway application running on a k8s POD. That application has no page, no endpoint at all; it just receives the traffic from Ingress and redirects to a Vue Web Application with just static pages on another POD.
That Gateway is also an OAuth2 Client, authenticating on GitHub over an authentication code mode. Everything works fine, except I can't access the authenticated user. I'd like to apply my own validations, besides the GitHub IDP itself.
I tried using the Spring Security 5 Custom Configuration, but it just doesn't work. Maybe because I have no Controller, no endpoint aside from the Gateway redirects. I haven't tried everything: with WebSecurityConfigurerAdapter, without it... All I got was dependency errors, and even when I overcame them, it just doesn't run...
So, I quit Spring Security 5 Custom and tried using the Gateway Filters (AbstractGatewayFilterFactory), which I already knew work, in order to read SecurityContextHolder.getContext().getAuthentication(), expecting to read the GitHub OAuth2 authenticated user from it. However, I just got a null reference...
All my logs are turned on and I know Spring is reading the user-info endpoint from GitHub. I just want to get access to that information and deny access in Gateway Filters, based on my own rules.
Does anyone have an idea about how I can read the OAuth2 authenticated principal in Gateway Filters?
Thanks in advance.

Java Spring Application - Integration with Azure AD for SSO

I have a Java Spring MVC application (note that it's not Spring Boot).
We have a requirement to implement SSO for the users of our application. I did some research, the identity provider (IDP) in our case is Azure AD. The service provider would be my application in this case. I am thinking of using SAML protocol for SSO.
Also note - The application is http based (not HTTPS)
What I've done so far -
I've created an Enterprise Application on Azure and configured entityId and replyURL. I also added a user for this application.
Where I'm stuck -
Although I did read the related Spring documentation to achieve this, since I'm a newbie here, I still don't have a clear path as to how I can take this forward in my application. I found some solutions, but they seem to be examples for Spring Boot. Can someone please help me with guides as to how this can be done in Java Spring? Which Maven dependency could I use, and is there any sample example to start working with SAML? A step-by-step explanation would be highly appreciated, thank you.
Also, any other options than SAML would also be fine.
The Spring Security SAML extension (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/index.html) had an example web app. You may read the referenced doc and apply it to Spring Security SAML. There should not be too much difference.
I’m very glad to register the flow in the event of implementing Azure AD B2C OIDC/OAuth protocol with existing Spring MVC architecture.
The Spring docs below reveal how our existing project's spring-security layer was being served in the context of the filter chain.
Pre-requisites
Authentication Filter - Form Based Login with Legacy IDP
Authentication Manager – Providing the user details authorities along with http session object
For accomplishing this Azure B2C integration, we've gone through a lot of repos, but most of them rely on Java config, whereas we were interested in Spring namespace config with limited code/architectural change.
Then finally we came to the conclusion on how to extend the Spring default auth-filter/manager for getting a valid session object from the security context based on the Azure-provided (id/access) token after the successful user authentication.
Customizing Spring-Security
The detailed documentation on how to extend auth-filter/manager is available here with © reserved by terasoluna.org
We customized Spring Security in such a manner that the auth-filter will carry out the token_validation against the given token from Azure and the authentication manager will extract user details such as roles/privileges w.r.t. the object-id mapped in our DB's user entity.
Once the Spring Security customization is done, we are able to integrate the Authorization-server [Azure in our case] and Resource-server [existing Spring application] by following the conventional methods.

Make existing form-login application also serve as an oauth2 authorization server?

We have a web application that already uses the form login provided by spring-security, say, ERP. Now we are considering making ERP an oauth2 authorization server to authorize other internal services.
The ERP is still serving its business and all access is required to be authorized, but not based on an access token, so I think it is not an oauth2 client. It does NOT serve as a Resource Server, either.
I have read many articles about how to set up an oauth2 authorization server and develop an application using it. According to this comment I feel it is possible to make ERP authorize other services without explicitly setting up a standalone authorization server (that's our final goal but not now):
Within the context of OAuth2, we can break things up according to the component you're implementing:
Client app: it's likely that server based OAuth2 Client app already uses HttpSession and therefore it makes sense to use Spring Session and benefit from all the goodies it brings
Resource Server app: since this component provides a stateless API that's authenticated against using an Access Token as a bearer, the HttpSession is not used and therefore Spring Session isn't suitable as well
Authorization Server app: it's highly likely that this already uses HttpSession so similarly like with OAuth2 Client app, it makes sense to use Spring Session and benefit from all the goodies it brings
What I'm going to do is add @EnableAuthorizationServer into the config, but I have no idea what the next step is.
My question is can I convert an existing application into an authorization server while keeping its original service unchanged? Where and How should I start?
I just found it's not that hard to integrate OAuth2 into existing system, below is what I did to make it work.
In short: EnableAuthorizationServer won't break anything that exists, but it doesn't come from nothing, either.
When I put on EnableAuthorizationServer, spring-security-oauth2 gives me the following endpoints:
/oauth/authorize
/oauth/check_token
/oauth/token
/oauth/confirm_access
/oauth/error
Those endpoints provide the necessary functions to make OAuth2 work, and I just need to apply access control to those endpoints with the existing form login mechanism (probably not the check_token one).
Since this system doesn't act in the resource-server role, the authorization part is done.
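The configuration the answer describes, as an added example rather than the answerer's own code: the legacy spring-security-oauth2 2.x library that `EnableAuthorizationServer` comes from (since deprecated) on Spring Security 5.x; the client id, secret and redirect URI are placeholders, and `PasswordEncoder`/form login are assumed to come from the ERP's existing security config.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class ErpAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumed to be the PasswordEncoder bean the ERP's form login already uses.
    @Autowired
    private PasswordEncoder passwordEncoder;

    // Register the internal services that may ask the ERP for tokens. Only the
    // authorization_code (+ refresh_token) grant is allowed: the user signs in on
    // /oauth/authorize through the ERP's existing form login, and the service never
    // sees the user's password. Short-lived access tokens limit the damage of a leak.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("inventory-service")                                   // placeholder
            .secret(passwordEncoder.encode("change-me-inventory-secret"))      // placeholder
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("erp.read")
            .redirectUris("https://inventory.internal.example/login/oauth2/code/erp")
            .accessTokenValiditySeconds(900)
            .refreshTokenValiditySeconds(8 * 3600);
    }

    // /oauth/token and /oauth/check_token are authenticated with the client's own
    // credentials (HTTP Basic), not the user's form login, which is why the answer
    // leaves check_token out of the form-login rules. Without checkTokenAccess the
    // endpoint stays denyAll(), so other services could not introspect tokens.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            .checkTokenAccess("isAuthenticated()")
            .passwordEncoder(passwordEncoder);
    }
}
```

The library does not secure /oauth/authorize and /oauth/confirm_access itself; they fall under the ERP's existing WebSecurityConfigurerAdapter, so its rules must require an authenticated user there (for example `.antMatchers("/oauth/authorize").authenticated()`), otherwise the consent step would be reachable anonymously.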

Problems while implementing SSO with Spring Security CAS extension

I'm trying to use Spring Security CAS extension to authenticate users on my applications. Earlier there was only one application, so SSO was not needed. Now there is one more application and I want the user to log in once and use all the applications without having to go through authentication again (SSO, basically). I've a bunch of questions like these -
All the applications I have are part of a single Tomcat container and will be served via the same domain. I checked the Tomcat SSO Valve, but it seems to need container-based authentication, and I'm not really sure I would want to use that for authentication / authorization. I'm using Spring Security form-based login. Do I really need something like Jasig CAS, or will it be overkill?
Spring Security and CAS deployerContext Configuration - http://pastie.org/8408976 and http://pastie.org/8408967
I set up Spring Security CAS with the Jasig server and SSO seems to work, as logging in to any of the applications suffices to access the other application. I've modified the deployerConfigContext.xml to replace the inMemoryServiceRegistryDaoImpl with the JPA / Hibernate one. But I always see the below line in my logs, though the tables have been created (SERVICETICKET and so on) in my DB. These tables are always empty when I try logging in and out.
2013-10-17 16:41:18,882 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 0 services.>
When I try to access URL https://localhost/cas/services, it returns an error "This website has a redirect loop". and I see the below piece repeating n number of times in the logs (with different ticket numbers)-
http://pastie.org/8408940
I don't have any REST or stateless services accessing authenticated resources, do I need proxy tickets at all?
Note: I'm using Spring Security 3.1.4.RELEASE and CAS server 3.5.2 version.
Any pointers will be helpful.
I set up Spring Security CAS with Jasig server and SSO seems to work as logging in to any of the applications suffices to access the other application. I've modified the deployerConfigContext.xml to replace the inMemoryServiceRegistryDaoImpl with JPA / Hibernate one. But I always see the below line in my logs. Though the tables have been created (SERVICETICKET and so on) in my db. These tables are always empty when I try logging in and out.
When I try to access URL `https://localhost/cas/services`, it returns an error "This website has a redirect loop". and I see the below piece repeating n number of times in the logs (with different ticket numbers)
I figured out the solution to this. This was happening because filterProcessesUrl in the CAS server configuration had the string "acegi" (the old name for Spring Security), which didn't match "spring", hence the problem. Modifying that helped. Not sure why the old name was hardcoded there. Also, it didn't pick up this string from cas.properties, so figuring it out was a little more difficult.
I hope to get answers for other questions.

Consuming Web Service with Impersonation: The remote name could not be resolved

I am creating an MVC application with Forms authentication. I have set the application up to authenticate against Active Directory. This works successfully.
I now need my application to consume a Web Api web service within my Domain. When I use Impersonation, the service is never called and object inspection shows the following: The remote name could not be resolved. This is the case for HttpClient, RestSharp and WebClient. If I remove the Impersonation, the code runs successfully (but not as the logged in user).
This throws up a couple of questions:
Can I perform WindowsIdentity Impersonation in a Forms Auth application if the Forms Auth application authenticates against Active Directory?
What is happening to prevent the code from finding my web service when Impersonation is used and how do I resolve this?
Thanks for any help.
Found the answer to my question so posting in case others are stuck with the same issue.
To perform Impersonation when Forms Auth is used you need Protocol Transition with Constrained Delegation. This article is excellent at talking you through the steps required to set this up. Once this is correctly implemented, Impersonation works as expected and the Service URL is correctly resolved.
