Spring Boot Security,
My Application is already running using Spring Security. Now I want to authenticate the users through OAuth. Is there any way to build a custom servlet to achieve this?
You can add a new Filter to intercept and authenticate OAuth requests in which it should call the authenticationManager.authenticate method and save the result of the authentication token in the SecurityContextHolder. This way the user is fully authenticated.
Note, that this way you don't "override" or "bypass" the Spring Security. You just use it to perform a different authentication.
Related
I was wondering about the best way to secure your spring boot application in a dynamic way,
I am using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients,
It's not that hard but it made me questioning whether the spring auth server is the best option or I should go to Keycloak for example ?
best way to secure your spring boot application
The best way to use authentication in spring based application is using spring security. Now it depends on your use-case that you should authenticate user from application database, LDAP or Active Directory, in-memory authentication.
using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients
I believe you meant authentication instead of authorization in above line. You can stick to spring security by building admin console for user management. Both authentication and authorization can be managed from admin console. But as said before it is completely your use-case.
If your usecase says that app-users are already logging in
centralized Active Directory and they dont need to login again for
your application, implement Spring security with LDAP and SSO.
If your usecase say that there is no centralized authentication server and appuser details are very specific to you application, implement Spring securirty with database authentication
I'm currently working through a spring application which is using stateless session and JWT based mechanism for authentication & authorizations.
A new requirement arrived: using CAS v4.0 SSO solution to replace the authentication system. I went through the CAS documentation and the spring security documentation and saw no sign of "stateless mode". Trying to set the spring security session policy to stateless is breaking my CAS integration.
My intuition would tell me to totally drop the JWT mechanism and switch on classic statefull based sessionid mode to avoid issues. Is there some resource trying to adress a CAS + stateless client? Has someone had experience with it?
I have a web application which exposes CXF JAX WS SOAP Services and also an OData REST Service.
As i understand from the spring documentations, in order to authenticate the JAX WS requests we need to create a Interceptor and write our own code to call the spring security Authentication Manager to authenticate the request. This i am able to achieve in my application. But in order to use spring security with JAX WS i have to disable the csrf for the endpoint urls.
Hence i dont want to use spring security for authentication and instead wants to use the container managed security where i can do the check in web.xml itself.
But there are certain roles i want to check at method levels and i find spring security pretty helpful at method level security.
So my question is whether i can use container manage authentication and for authorizations spring security ? Do you see any security issues here ?
and in case i want to enable the csrf for the jax WS endpoints then how can we pass the csrf token for a service call?
Regards,
Soumya Ranjan
I have a web application using spring mvc and spring security.
Not-logged requests must be redirected to a external legacy system for authentication. The external system doesn't need any parameter from the spring webapp. The legacy system would (or not) authenticate the user and put a cookie/header/parameter on a new request. Then this request will be authenticated using this cookie, header or parameter against the spring webapp.
Is there a 'right' way to do this redirection? I am thinking of implementing a completely new AuthenticationEntryPoint that simply sendRedirect the request to the external system.
I'm unsure about which is the 'right' way to authenticate the already authenticated request against the spring webapp. Should I use the pre-authentication framework or am I right just implementing a filter that extract the credential and authenticates it?
Thanks in advance.
I successfully completed login module of my application using spring security's inbuilt authentication & authorization mechanism.But later i was told to check if i can integrate WSO2 (SOA solution as external Authorization mechanism) with Spring security so that i can use Spring security's authentication mechanism alone and WSO2 for authorization instead of using Spring security provided Authorization.
I did search & read the documentation and i could get details about using External authentication with Spring security & nothing about External authorization.I would like to know if i can do the same and also how i can do it.Any pointers will be really helpful for me.