I am using Spring Boot Security and a MySQL DB, and have completed role-based permissions, but need help with the same role having different actions for different users.
I was wondering about the best way to secure your Spring Boot application in a dynamic way.
I am using my own authorization server using Spring Security with one client (app); now I should configure it again to have dynamic clients.
It's not that hard, but it made me question whether the Spring auth server is the best option or whether I should go to Keycloak, for example?
best way to secure your spring boot application
The best way to use authentication in a Spring-based application is Spring Security. Now it depends on your use case whether you should authenticate users from the application database, LDAP or Active Directory, or with in-memory authentication.
using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients
I believe you meant authentication instead of authorization in the above line. You can stick to Spring Security by building an admin console for user management. Both authentication and authorization can be managed from the admin console. But as said before, it completely depends on your use case.
If your use case says that app users are already logging in to a centralized Active Directory and they don't need to log in again for your application, implement Spring Security with LDAP and SSO.
If your use case says that there is no centralized authentication server and app user details are very specific to your application, implement Spring Security with database authentication.
I found no documentation for the management.security.roles configuration. What are the actual differences between these values?
These are just examples, there's nothing specific in Spring Boot about these.
The only thing is that the management security role defaults to ADMIN. So if your user happens to have that role, then you'll be able to access the secured actuator endpoints. You can change that value to anything you want, and that's where the SUPERUSER role came from (it's just an example).
I want to get the list of all users in a specific group of an LDAP directory, and I'm also using Spring Security LDAP; I can't find anything that could solve my issue.
I already have Spring Security LDAP and I can get the context and principal and so on.
I also read my Spring Security LDAP plugin functions but found nothing to get a list of all users.
What should I do? Do I have to make a query? If yes, how?
In the context of Spring Security, the framework only aims to find the LDAP user and then verifies that the password is correct.
The loading of roles can be done in multiple ways, but usually boils down to:
Specifying which LDAP user attributes should be loaded as roles
Providing your own custom 'role' mapper, as described in Handling roles when authenticated to active directory with spring security 3.1
If you want to do a plain LDAP search outside of the Spring Security context, I would suggest you take a look at the example in chapter 1.2 of the Spring LDAP Reference guide.
http://docs.spring.io/spring-ldap/docs/current-SNAPSHOT/reference/#traditional-java-ldap-v-s-ldaptemplate
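The plain LDAP search the answer points to, written out as an added example (it is not the answer's own code nor part of the Spring LDAP guide). It lists the direct members of one group with Spring LDAP's LdapTemplate, outside the Spring Security authentication flow. Assumptions: an Active Directory-style directory where user entries carry a multi-valued memberOf attribute and a sAMAccountName login; the host, base DN, bind account, environment variable and group DN are placeholders.

```java
import java.util.List;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;

import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.query.LdapQuery;
import static org.springframework.ldap.query.LdapQueryBuilder.query;

public class GroupMemberLookup {

    private final LdapTemplate ldapTemplate;

    public GroupMemberLookup(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    /**
     * Returns the login names of all users that are direct members of the
     * group with the given DN, searching the subtree under the base DN
     * configured on the context source.
     */
    public List<String> membersOf(String groupDn) {
        // LdapQueryBuilder escapes each value (LdapEncoder.filterEncode), so a
        // DN containing '(' ')' '*' or '\' cannot change the filter's meaning.
        // Never assemble the filter string yourself with concatenation: that
        // is LDAP injection waiting to happen.
        LdapQuery byGroup = query()
                .attributes("sAMAccountName")      // fetch only what we need
                .where("objectClass").is("user")
                .and("memberOf").is(groupDn);

        return ldapTemplate.search(byGroup, (AttributesMapper<String>) attrs -> {
            Attribute login = attrs.get("sAMAccountName");
            // Entries without a login attribute are returned as null; callers
            // that need a clean list can filter those out.
            return login == null ? null : (String) login.get();
        });
    }

    public static void main(String[] args) throws Exception {
        // Placeholder connection details; in a Spring Security LDAP setup the
        // existing ContextSource bean can be passed to LdapTemplate instead.
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl("ldap://ad.example.test:389");
        contextSource.setBase("dc=example,dc=test");
        contextSource.setUserDn("cn=svc-ldap,ou=service,dc=example,dc=test");
        contextSource.setPassword(System.getenv("LDAP_BIND_PASSWORD")); // never hard-code it
        contextSource.afterPropertiesSet();

        GroupMemberLookup lookup = new GroupMemberLookup(new LdapTemplate(contextSource));
        for (String user : lookup.membersOf("cn=app-admins,ou=groups,dc=example,dc=test")) {
            System.out.println(user);
        }
    }
}
```

Two caveats a practitioner will hit: memberOf only reflects direct membership, so users that belong via a nested group need Active Directory's LDAP_MATCHING_RULE_IN_CHAIN filter (`memberOf:1.2.840.113556.1.4.1941:=<groupDn>`) instead of a plain equality; and the bind account should be a read-only service account, because whatever it can read, this code will happily list.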
Spring security gurus,
I am new to spring security so please bear with me if my questions are not clear.
I am trying to implement role-based access control using Spring Security 3.x. Individual users are stored in Windows AD without groups, so we cannot simply map groups to authorities as some samples demonstrate.
So my plan is to use Windows AD for authentication purposes only, but have the user <-> roles relationship maintained by Spring Security itself.
However, mapping individual users to roles would be very tedious, so my question is whether it is possible to configure users <-> groups <-> roles in Spring Security while the authentication part is done by Windows AD?
As Spring Security is highly flexible, I believe my requirements are achievable. Can someone give some pointers on where I should look, please?
The more details the better for newbies like me :=)
Thank you in advance.
Aaron Li
EDIT 1: To add to my question in particular, can I utilize the Spring database tables authorities, groups, group_authorities and group_members to implement simple role-based authorization logic? But I can't use the "users" table, as explained earlier: the user details have to be stored in Windows AD, so authentication of the users needs to be done using Windows AD.
Any advice?
Thanks
Aaron
First some clarification on the terminology: authorities, usually consisting of roles in Spring Security, are application-wide permissions. ACLs (Access Control Lists), on the other hand, specify permissions on specific domain objects. Just so you understand the difference: AD usually contains authorities/roles, but not ACLs.
If you don't want to use the authorities from AD, you can do your own implementation of UserDetailsContextMapper and inject it into your instance of ActiveDirectoryLdapAuthenticationProvider. See the Spring Security reference documentation for how to specify a custom authentication-provider.
If you want to use the tables (authorities etc.) of the reference schema, you can use JdbcDaoImpl to load the user details. You then have to insert the users in the users table, but not any passwords, since authentication is done through AD. If you want to get rid of the users table, however, you must customize the implementation.
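The "customize the implementation" route from the answer, as an added example (not the answerer's code): a UserDetailsContextMapper that lets ActiveDirectoryLdapAuthenticationProvider verify the password against AD and then loads the user's roles from the groups, group_members and group_authorities tables of the Spring Security reference schema, so no users table and no password ever exist locally. The AD domain, LDAP URL and DataSource are placeholders; the SQL is the same group join JdbcDaoImpl issues, minus the users table.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

public class DbGroupRoleMapper implements UserDetailsContextMapper {

    // Reference-schema join for group authorities; no users table involved.
    // On MySQL 8 "groups" is a reserved word and must be written as `groups`.
    private static final String GROUP_AUTHORITIES_SQL =
            "select ga.authority from groups g, group_members gm, group_authorities ga "
          + "where gm.username = ? and g.id = ga.group_id and g.id = gm.group_id";

    private final JdbcTemplate jdbc;

    public DbGroupRoleMapper(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> adAuthorities) {
        // Reached only after AD accepted the bind, i.e. the password was correct.
        // adAuthorities (derived from AD memberOf) are deliberately ignored here.
        // AD logins are case-insensitive; store group_members.username in lower
        // case and normalise the lookup key the same way.
        List<String> roles = jdbc.queryForList(GROUP_AUTHORITIES_SQL, String.class,
                                               username.toLowerCase());
        if (roles.isEmpty()) {
            // A valid AD account that belongs to none of the application's
            // groups is rejected instead of getting an authority-less principal.
            throw new UsernameNotFoundException("No application groups for " + username);
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // Empty password: nothing is stored locally, AD already verified it.
        return new User(username, "", authorities);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("User accounts are managed in Active Directory");
    }

    /** Builds the AD provider with this mapper injected (placeholder domain and URL). */
    public static ActiveDirectoryLdapAuthenticationProvider adProvider(DataSource dataSource) {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider("example.test", "ldap://ad.example.test:389");
        provider.setUserDetailsContextMapper(new DbGroupRoleMapper(dataSource));
        return provider;
    }
}
```

UsernameNotFoundException is an AuthenticationException, so throwing it from the mapper fails the login cleanly; the provider hides the specific cause from the client by default. Group membership then lives entirely in group_members, which is exactly the users <-> groups <-> roles indirection the question asks for, and an admin screen that edits that table never needs to touch AD.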
We have a website with two user groups: the admin group and the customer group. The groups have different restrictions set up, hence the admin group sees one set of products and the customer group sees another. We're using a custom server based on Tomcat 6.0.29. We're also using Spring Security.
Is it possible with Spring to allow the admin to see a page from the customer group's perspective without forcing a logout of the admin user? If so, is there a link available showing the Spring code?
Thanks! :)
Krt_Malta
I found my answer over here:
Different user restrictions in same session
The SwitchUserFilter in Spring Security allows switching of users without a logout :)
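An added example of wiring SwitchUserFilter for exactly this admin-views-as-customer case; it is not the code from the linked answer. Assumptions: Spring Security 3.2+ Java configuration (the question's Spring Security 3.x setup would use the equivalent XML), a UserDetailsService bean that can load customer accounts, and the URL paths chosen here.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;

@Configuration
@EnableWebSecurity
public class ImpersonationConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailsService;

    public ImpersonationConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Bean
    public SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);   // loads the customer to become
        filter.setSwitchUserUrl("/admin/impersonate");      // /admin/impersonate?username=alice
        filter.setExitUserUrl("/admin/impersonate/exit");   // restores the admin principal
        filter.setTargetUrl("/products");                   // where the switched session lands
        filter.setSwitchFailureUrl("/admin?switchFailed");
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // No password is checked when switching, so this URL rule is the
                // only gate: restrict it to real admins or anyone could become anyone.
                .antMatchers("/admin/impersonate").hasRole("ADMIN")
                // While switched the session carries the customer's roles, not the
                // admin's; the marker authority the filter adds is what allows the
                // way back, so the exit URL must be keyed on it, not on ROLE_ADMIN.
                .antMatchers("/admin/impersonate/exit")
                    .hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/products/**").hasAnyRole("ADMIN", "CUSTOMER")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            // Placed after FilterSecurityInterceptor so the switch request itself
            // has already passed the authorization rules above.
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
    }
}
```

Because the switched session is indistinguishable from a real customer login to the rest of the application, log the AuthenticationSwitchUserEvent the filter publishes (who switched to whom, and when) so the audit trail does not attribute the admin's actions to the customer; the presence of ROLE_PREVIOUS_ADMINISTRATOR is also the right condition for showing an "exit impersonation" link in the page.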