Spring Boot 2, Cloud Netflix and username/password authentication architecture - spring-security

This is an architecture question. I want to implement an application that processes two kinds of users (admin and clients). Each role can register in the following ways:
admin: username/password registration
client: Facebook/Google/username&password registration
Based on the user's role each of them has a specific action to which he's authorized.
From a technology stack, I want to use Java 8, Spring Cloud Netflix and later on Docker and Kubernetes (in order to have auto-heal and auto-scale).
I've implemented Eureka discovery, Config server, Zuul Gateway and I have two microservices for each role (to get me started). I don't know at all how to approach the user's authentication/authorization, from what I see Spring Security 5 is no longer supporting Authorization server and I am supposed to use Keycloack? Should the gateway be the authorization server or should I create another component that is responsible for authentication? What do I use, how to implement, how to approach redirection between my authorization server and the business microservice?
I can't really find a proper documentation that uses username/password, social login and Spring Cloud Netflix, together with Spring Security 5.

Your gateway shouldn't be responsible for handling authentication.
One possibility is using the cas project. It can run as a micro service to handle the whole authentication process. It can handle multiple auth methods like database (for username / password) and social media like Google or Facebook.
It comes with a basic setup having a login page and a configured DockerFile. You can customize everything. Just add the related dependency and add the config in the application.properties. You can customize the frontend.
https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html
By the way: if you use kubernetes you don't need a gateway or service discovery with eureka. Kubernetes does this for you.

For api security, after moving to #Kubernetes, you can use Envoy or similar solution
For authentication and authorisation, you need an identity management system (like #Okta or PingFederate or an open source version like #OpenIAM) and then integrate using Spring & OAUTH2.

Related

Keycloak and spring security usage

I have used spring security in the past and understand that most of the features of keycloak can be achieved by using spring security ( ldap integration etc ).
Apart from easy social media login validation, are there any other unique features in key cloak which cannot be done using spring security?
With spring-security you would have to create Spring authentication server and explicitly configure/code certain things for integration with LDAP, OAuth2/OIDC providers.
Keycloak is already OAuth2/OIDC/SAMPL compliant IAM provider. It provides features like User Federation with options like LDAP, integration with other OIDC provider etc.
Keycloak provides SPI integration points where you can customize the request flow, use OTP, perform two factor authentication, add google CAPTCHA, or even your CAPTCHA. It provides role based authorization too if you need.
It also provides event handling integration points for events like Login, logout, refresh token, etc.
Keycloak Community will keep adding new features or keep supporting it w.r.t. changes in OAuth2, OIDC, SAML. You don't need to worry about updating your code time to time. Along with this, security updates will be there.
There are many more features.
Most importantly, why reinvent the wheel, if you get these many features and good support.
Keycloak allows you:
to use multiple user storage and get users from multiple LDAP/AD or Kerberos or use without any LDAP.
to login once (SSO) and forget about to login from another application with GUI;
to use one authorization server for multiple application by separation them by realms. One thing should be noted: keycloak could be installed on multiple nodes for better reliability; This also could helpful when application become big and once you decide to separate it on multiple.
to add user additional attributes and fields during get user info without coding (trivial example - set phone number) or specific roles (on realm or even client level) or groups and use all this on the top of an AD attributes;
to configure password rules like password expiration, e-mail validation and so on;
to set up 2-factor authorization with SMS or Email.
These things I think could be implemented using Spring Security, but it takes more time than Keycloak installation and configuration. Personally, I am using Keycloak in multiple commercial projects and could claim that Keycloak is good.

Java Spring Application - Integration with Azure AD for SSO

I have a Java Spring MVC application (note that its not spring boot).
We have a requirement to implement SSO for the users of our application. I did some research, the identity provider (IDP) in our case is Azure AD. The service provider would be my application in this case. I am thinking of using SAML protocol for SSO.
Also note - The application is http based (not HTTPS)
What I've done so far -
I've created an Enterprise Application on Azure and configured entityId and replyURL. I also added a user for this application.
Where I'm stuck -
Although I did read the related Spring documentation to achieve this, since I'm a newbie here, I still don't have a clear path as to how can I take this forward in my application. I found some solutions, they seem to be examples for spring boot. Can someone please help me with guides as to how this can be done in Java Spring? Which maven dependency I could use and any sample example to start working with SAML? A step by step explanation would be highly appreciated, thankyou.
Also, any other options than SAML would also be fine.
The Spring Security SAML extension (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/index.html) had an example web app. You may read the referenced doc and apply it to Spring Security SAML. It should not be too much difference.
I’m very glad to register the flow in the event of implementing Azure AD B2C OIDC/OAuth protocol with existing Spring MVC architecture.
Below Spring docs reveal that how was our existing project's spring-security layer being served in the context of filter-chain.
Pre-requisites
Authentication Filter - Form Based Login with Legacy IDP
Authentication Manager – Providing the user details authorities along with http session object
For accomplishing this Azure B2C Integration, we've gone thro' lot of repos but most of them are relying with Java config based but we were interested on Spring namespace with limited code/architectural change.
Then finally we came to the conclusion that how to extend the spring default auth-filter/manager for getting valid session object from security context based on the Azure provided (id/access) token after the successful user authentication.
Customizing Spring-Security
The detailed documentation on how to extend auth-filter/manager is available here with © reserved by terasoluna.org
We customized the spring security in such a manner that auth-filter will carry the token_validation against the given token from Azure and authentication manager will extract user details such as roles/privileges w.r.t to the object-id mapped in our DB's user entity.
Once the Spring security customization is done then we can able to integrate the Authorization-server [Azure in our case] and Resource-server [Existing Spring Application] by following the conventional methods.

What is the best way to authenticate your springboot application?

I was wondering about the best way to secure your spring boot application in a dynamic way,
I am using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients,
It's not that hard but it made me questioning whether the spring auth server is the best option or I should go to Keycloak for example ?
best way to secure your spring boot application
The best way to use authentication in spring based application is using spring security. Now it depends on your use-case that you should authenticate user from application database, LDAP or Active Directory, in-memory authentication.
using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients
I believe you meant authentication instead of authorization in above line. You can stick to spring security by building admin console for user management. Both authentication and authorization can be managed from admin console. But as said before it is completely your use-case.
If your usecase says that app-users are already logging in
centralized Active Directory and they dont need to login again for
your application, implement Spring security with LDAP and SSO.
If your usecase say that there is no centralized authentication server and appuser details are very specific to you application, implement Spring securirty with database authentication

Use oauth2 authentication for the main app and basic auth for the management endpoints in spring boot?

I'm using Spring Boot to build a REST Api which I can secure with Oauth2 (using spring-security-oauth2).
I want to manage a separate authentication and authorization schema for the actuator management endpoints (metrics, health, etc.).
And I want the management endpoints to run on a different port (management.port=8081 in application.properties)
I've been reading quite a lot but couldn't find a way to do it.
Thanks
That's because you can't separate endpoints by port. If the actuator management endpoints and the management endpoints are on the same component, the Spring Boot container (Tomcat) will launch that whole component on one port.
What you are saying can maybe be achieved by a proxy. You would map some urls on the proxy to internally correspond with the urls on your component.

Service to Service authentication , service identity and access rights management

I am currently developing a distributed application using Ruby, Ruby on Rails, Sinatra and pure Rack web services.
I will have few services (RESTful , not SOAP based) which will communicate using JSON and I would need a way to secure and verify the identity of each of those services during the communication between them, so no one could pretend to be a service and make requests to the other services.
The core idea is to treat other services as "users" and be able to verify their identity and limit their access to data if necessary.
So the question is how to do this using only Ruby and how to manage effectively the service identities and their access rights.
Should I build some additional authentication service usable by the services ?
Should I build internal gems to provide some connection middleware with keys/shared secrets ?
Is there maybe some other way to do this?
I would generate an application id and secret that you could pass with each request. Since you are not dealing with other users and just applications try looking into authentication tokens with devise.
I think OAuth is a protocol that is commonly used for web service - to - web service runtime authentication, especially with RESTful APIs.

Resources