I am trying to build a small example with the reactive stack of Spring. I want to write some kind of audit log for when somebody logs in and out, or keep track of "active users"; how would I do that? ServerHttpSecurity offers an authenticationSuccessHandler for formLogin and a logoutSuccessHandler for logout, but httpBasic seems to offer nothing alike. How would I get notified if a session timed out?
In classic spring I would have used the SessionRegistry for that, but that seems to be no longer available in the reactive stack.
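One way to get the success and failure notifications the question asks for with httpBasic, as an added example that is not part of the original question: wrap the ReactiveAuthenticationManager that ServerHttpSecurity uses in a delegating manager that writes an audit line for each outcome. The class names, the "AUDIT" logger name and the use of UserDetailsRepositoryReactiveAuthenticationManager as the wrapped manager are assumptions; substitute whatever manager the application already has.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UserDetailsRepositoryReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class AuditedBasicSecurityConfig {

    /** Wraps any ReactiveAuthenticationManager and writes one audit line per outcome. */
    public static class AuditingReactiveAuthenticationManager implements ReactiveAuthenticationManager {

        private static final Logger AUDIT = LoggerFactory.getLogger("AUDIT"); // logger name is an assumption
        private final ReactiveAuthenticationManager delegate;

        public AuditingReactiveAuthenticationManager(ReactiveAuthenticationManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public Mono<Authentication> authenticate(Authentication request) {
            // Log the principal name only; request.getCredentials() holds the password and must never be logged.
            String name = request.getName();
            return delegate.authenticate(request)
                    .doOnNext(auth -> AUDIT.info("auth success user={}", auth.getName()))
                    .doOnError(AuthenticationException.class,
                            ex -> AUDIT.warn("auth failure user={} reason={}", name, ex.getMessage()));
        }
    }

    @Bean
    public SecurityWebFilterChain filterChain(ServerHttpSecurity http, ReactiveUserDetailsService users) {
        // The wrapped manager is an assumption; any ReactiveAuthenticationManager can be decorated this way.
        ReactiveAuthenticationManager base = new UserDetailsRepositoryReactiveAuthenticationManager(users);
        return http
                .authenticationManager(new AuditingReactiveAuthenticationManager(base))
                .authorizeExchange()
                    .anyExchange().authenticated()
                    .and()
                .httpBasic()
                    .and()
                .build();
    }
}
```

With httpBasic every request carries credentials and is authenticated again, so the success line fires per request rather than per login; an "active users" view built on it has to dedupe by principal and age entries out itself. The example does not cover session expiry; that part of the question is left open here.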
I'm working on a Spring web application (not Spring Boot) that uses Spring Security 5.3.3, Spring Security OAuth 2.5.0, and configures it like this:
http.authorizeRequests()
        .antMatchers(permitUrls)
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
    .oauth2ResourceServer()
        .jwt();
Our clients report occasional 401 responses which we can't find in our application logs, so we assume they come from Spring Security itself. We would like to log authentication and authorization failures, but I'm confused as to what the current preferred method to achieve that is.
A quick search reveals 4 paths:
custom AuthenticationFailureHandler (seems like this one is only available in FormLoginConfigurer, which isn't our case)
custom AuthenticationEntryPoint (this one is available with JWT, but OAuth2AuthenticationEntryPoint which I was going to extend is deprecated with an unhelpful message). I could try using HttpStatusEntryPoint instead, but I'd like to avoid changing the current behavior of my app, just want to add logging.
custom Filter (probably, not the cleanest path)
AuditApplicationEvents — looks beautiful, but seems like it's for Spring Boot only.
Could anyone provide me with some guidance on this?
I suggest activating the logger of org.springframework.security by changing its log level to DEBUG.
Depending on your logging tool (log4j2, logback, ...), create a logger in your log configuration named org.springframework.security with level DEBUG.
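The entry-point route the question lists as its second option can be taken without changing what the client sees: log, then delegate to the BearerTokenAuthenticationEntryPoint (and, for 403s, the BearerTokenAccessDeniedHandler) that the resource server installs by default. The following is an added example, not code from the question or the answer; the class names and the logger are assumptions, and permitUrls is the array from the question.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

public class ResourceServerFailureLogging {

    private static final Logger log = LoggerFactory.getLogger(ResourceServerFailureLogging.class);

    /** 401: missing or invalid bearer token. Logs, then delegates so the WWW-Authenticate response is unchanged. */
    public static class LoggingEntryPoint implements AuthenticationEntryPoint {
        private final AuthenticationEntryPoint delegate = new BearerTokenAuthenticationEntryPoint();

        @Override
        public void commence(HttpServletRequest req, HttpServletResponse res, AuthenticationException ex)
                throws IOException, ServletException {
            // Deliberately not logging the Authorization header: it contains the token itself.
            log.warn("401 {} {} from {}: {} ({})", req.getMethod(), req.getRequestURI(), req.getRemoteAddr(),
                    ex.getMessage(), ex.getClass().getSimpleName());
            delegate.commence(req, res, ex);
        }
    }

    /** 403: token accepted but the authenticated principal lacks the required scope or authority. */
    public static class LoggingAccessDeniedHandler implements AccessDeniedHandler {
        private final AccessDeniedHandler delegate = new BearerTokenAccessDeniedHandler();

        @Override
        public void handle(HttpServletRequest req, HttpServletResponse res, AccessDeniedException ex)
                throws IOException, ServletException {
            String user = req.getUserPrincipal() == null ? "anonymous" : req.getUserPrincipal().getName();
            log.warn("403 {} {} user={}: {}", req.getMethod(), req.getRequestURI(), user, ex.getMessage());
            delegate.handle(req, res, ex);
        }
    }

    /** The chain from the question with the two logging handlers plugged into the resource server. */
    public static void configure(HttpSecurity http, String[] permitUrls) throws Exception {
        http.authorizeRequests()
                .antMatchers(permitUrls).permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                .authenticationEntryPoint(new LoggingEntryPoint())
                .accessDeniedHandler(new LoggingAccessDeniedHandler())
                .jwt();
    }
}
```

Because the resource server's entry point is the only one registered in this chain, it also handles requests that arrive with no token at all, so every 401 the filter chain produces passes through the logging line. The DEBUG logger from the answer above remains useful for the reason behind a rejected token (expired, wrong issuer, bad signature), which the BearerTokenAuthenticationEntryPoint only summarises.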
I am using Jetty 8 and currently have two instances set up and running behind a round robin load balancer. I have configured it to use session replication via MongoDB. My application uses Spring Security. It is working great with two exceptions. I will include one here, and the other in another question.
Spring Security's "Remember Me" does not work correctly. If a user logs in and requests "Remember me", then it will work fine, assuming the users future authentication requests hit the particular node that was hit during the original login. However, if a future auth request hits a different node, that node appears to be ignorant of the "Remember me" request and therefore prompts the user for credentials.
Does anyone have any suggestions? I'm about to start digging into the implementation of spring security's remember me code and jetty-nosql, but would love it if someone could save me some time.
Additionally, I have tried both the cookie hash-based "remember me" token as well as the db persisted "remember me" token approach, and both have the same issue.
The solution is to use the db persisted "remember me" token approach. In our situation, we used org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.
It turns out that our first attempt at using the db persisted token approach was simply implemented in error. When we did it correctly, it worked fine and solved our remember me problem.
I'm new to Grails, and have jumped into version 2. I'm developing a project that uses Spring Security 3 - and this is working fine - but I want to use my organisation's LDAP server (if / when it is available) to do the following:
authenticate users
update the local user data with details from LDAP
create the user if they don't exist
update the local users password (in case the LDAP server isn't available)
log that user in
I may have skipped a lot of fundamental stuff on my way to getting this working, like how Grails actually works - and I'm struggling to understand how to actually interrupt the Spring Security authentication process with an LDAP lookup, and then how to get those details back in a way that I can use them to either update an existing user or create a new one...
I found a basic tutorial here: http://jamesjefferies.com/2011/01/06/grails-spring-security-ldap/ which means I can authenticate myself as a user from the LDAP server - although Spring Security still shows me as logged out, but will not let me log in either until I manually log out... so it's kind of in a login limbo.
The magic is doing my head in... at first I was amazed that I could build an entire web-app with a few commands and a few hours of customization - but it's coming back to bite me now - as is the lack of useful examples... and the Spring Security LDAP plugin documentation is somewhat lacking (or maybe it's my lack of understanding).
So, primarily I would like some help to complete the authentication so that it checks the user database for an existing user and updates them, or creates the user if they don't exist... but I would also love it if someone could give me a brief overview of the authentication process in Grails so I can understand what's actually happening, and where I should intercept things.
Cheers in advance for any help
Steve
There is a good example here that shows how to implement a custom user details mapper. I used that method on an LDAP login Grails 2.0 app successfully. Basically you have a CustomUserDetailsContextMapper that implements the UserDetailsContextMapper interface, which you then use to override the default implementation by registering the bean in conf/spring/resources.groovy. Then inside your CustomUserDetailsContextMapper you check for a user (your domain class) with a matching username and if none exists you create one using data from ctx.originalAttrs, which contains data from the LDAP query results. You must then return a new org.springframework.security.core.userdetails.User. You can extend this class to add other fields that you want to be able to access directly from the principal object.
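A mapper of the kind the answer describes, written out in plain Java as an added example (not the answer's code, and not Groovy): it runs after the LDAP bind has already succeeded, refreshes or creates the local record from the directory attributes, and returns a Spring Security User. The LocalUser and LocalUserStore types stand in for the Grails domain class and GORM and are assumptions, as are the "cn" and "mail" attribute names; in a Grails app the bean replaces the plugin's mapper bean in resources.groovy.

```java
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/** Creates or refreshes a local user record after a successful LDAP bind, then builds the principal. */
public class SyncingUserDetailsContextMapper implements UserDetailsContextMapper {

    /** Stand-in for the application's user domain class (assumption). */
    public static class LocalUser {
        public final String username;
        public String displayName;
        public String email;
        public LocalUser(String username) { this.username = username; }
    }

    /** Stand-in for the application's persistence layer (assumption); a Grails app would use GORM here. */
    public interface LocalUserStore {
        LocalUser findByUsername(String username);
        void save(LocalUser user);
    }

    /** Minimal in-memory store so the mapper can be exercised outside a container. */
    public static class InMemoryStore implements LocalUserStore {
        private final Map<String, LocalUser> users = new ConcurrentHashMap<String, LocalUser>();
        public LocalUser findByUsername(String username) { return users.get(username); }
        public void save(LocalUser user) { users.put(user.username, user); }
    }

    private final LocalUserStore store;

    public SyncingUserDetailsContextMapper(LocalUserStore store) {
        this.store = store;
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> authorities) {
        // Only reached once the directory has accepted the user's credentials,
        // so auto-creating the local record here cannot be used to plant accounts.
        LocalUser local = store.findByUsername(username);
        if (local == null) {
            local = new LocalUser(username);
        }
        // Attribute names depend on the directory schema (assumption: inetOrgPerson-style cn/mail).
        local.displayName = ctx.getStringAttribute("cn");
        local.email = ctx.getStringAttribute("mail");
        store.save(local);

        // The password the user typed is not part of the directory entry, so it cannot be copied
        // into the local record from here; an empty password means this principal is LDAP-only.
        return new User(username, "", true, true, true, true, authorities);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("read-only mapper: local changes are not written back to LDAP");
    }
}
```

The fourth item on the question's list (keeping a local copy of the password for when LDAP is down) cannot be done in the mapper, since the mapper never sees the submitted credentials; it needs a separate authentication provider that is consulted after the LDAP one fails, which is out of scope for this example.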
I'm writing a pair of aspects. The first is to trap usernames when users successfully authenticate against my web app and the other is to trap when they explicitly logout. I'm having trouble finding Spring framework methods which are called only once and which will therefore let me capture this information.
We are using a basic Spring Security 3.0 configuration, with our only additions being to provide our own UserDetailsService implementation.
Can anyone help?
It turns out that this was completely the wrong way to do this. Spring has a set of baked-in ApplicationEvent classes which you can create ApplicationListeners to catch. Strangely, there seems to be no "LogoutEvent" but there are the very useful AuthenticationSuccessEvent, AbstractAuthenticationFailureEvent, HttpSessionCreationEvent and HttpSessionDestroyedEvent. Most interesting of all is the RequestHandledEvent.
To catch these I created my own bean which implemented org.springframework.context.ApplicationListener and overrode public void onApplicationEvent(ApplicationEvent appEvent).
In this I just if/else my way through the various appEvent types and take the appropriate actions to track users and sessions.
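A listener of the kind the answer describes, as an added example rather than the answer's own code. It uses InteractiveAuthenticationSuccessEvent, which the form and basic authentication filters publish exactly once per login (the event to use when something must fire only once), AbstractAuthenticationFailureEvent, and HttpSessionDestroyedEvent from org.springframework.security.web.session, which is published for both explicit logout and timeouts provided HttpSessionEventPublisher is registered as a listener in web.xml. The "AUDIT" logger name is an assumption.

```java
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

/** Tracks who is logged in from Spring Security's own events; no filter or aspect needed. */
public class UserTrackingListener implements ApplicationListener<ApplicationEvent> {

    private static final Logger AUDIT = LoggerFactory.getLogger("AUDIT"); // logger name is an assumption

    // One entry per principal. Simplification: a user with two sessions is dropped when the first one ends.
    private final Set<String> activeUsers =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    public void onApplicationEvent(ApplicationEvent e) {
        if (e instanceof InteractiveAuthenticationSuccessEvent) {
            // Published once per interactive login by the authentication filters.
            String user = ((InteractiveAuthenticationSuccessEvent) e).getAuthentication().getName();
            activeUsers.add(user);
            AUDIT.info("login user={}", user);
        } else if (e instanceof AbstractAuthenticationFailureEvent) {
            AbstractAuthenticationFailureEvent failure = (AbstractAuthenticationFailureEvent) e;
            // The attempted name is useful for spotting brute force; the credentials are never logged.
            AUDIT.warn("login failed user={} reason={}",
                    failure.getAuthentication().getName(), failure.getException().getMessage());
        } else if (e instanceof HttpSessionDestroyedEvent) {
            // Fired for logout (session invalidated) and for container timeouts alike.
            for (SecurityContext context : ((HttpSessionDestroyedEvent) e).getSecurityContexts()) {
                Authentication auth = context.getAuthentication();
                if (auth != null) {
                    activeUsers.remove(auth.getName());
                    AUDIT.info("session ended user={}", auth.getName());
                }
            }
        }
    }

    /** Read-only view for an admin page or a health endpoint. */
    public Set<String> getActiveUsers() {
        return Collections.unmodifiableSet(activeUsers);
    }
}
```

The authentication events are published by ProviderManager only when it has an AuthenticationEventPublisher; the namespace <authentication-manager> configuration sets one up, while a hand-wired ProviderManager needs a DefaultAuthenticationEventPublisher injected. Later Spring Security versions (5.2 onwards) also publish a LogoutSuccessEvent, which fills the "LogoutEvent" gap the answer mentions.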
How do I implement a "Remember Me" function in Grails so that the user can check it and he won't have to log in again for 2 weeks?
I'm using the jSecurity plugin and want to change the cookie's lifetime beyond the browser session.
JSecurity already supports RememberMe functionality. Take a look at the AuthorizationController, you'll find that it supports parameter "rememberMe."
To implement a two-week time-out, I'd add another cookie and modify AuthorizationController to behave accordingly. There may be that functionality in JSecurity, not sure about that - doesn't seem the controller respects it.
Spring Security (formerly Acegi Security) has this built in, if you can use that plugin.
Otherwise, the other posted solutions work nicely.
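An added example, not code from any of the answers, that serves both the Jetty cluster answer above (PersistentTokenBasedRememberMeServices backed by the database) and this question's two-week lifetime, in Spring Security Java config. Setting tokenRepository on rememberMe() is what makes Spring Security build PersistentTokenBasedRememberMeServices. The config class name, the rememberMe parameter name (Spring Security's default is remember-me), the REMEMBER_ME_KEY environment variable and the 32-character minimum are assumptions.

```java
import javax.sql.DataSource;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@EnableWebSecurity
public class RememberMeConfig extends WebSecurityConfigurerAdapter {

    /** Two weeks, as asked for in the question. */
    static final int TWO_WEEKS_SECONDS = 14 * 24 * 60 * 60;

    private final DataSource dataSource;               // must be the same database on every node
    private final UserDetailsService userDetailsService;
    private final String rememberMeKey;                // must be identical on every node (assumption: from env)

    public RememberMeConfig(DataSource dataSource, UserDetailsService userDetailsService) {
        this.dataSource = dataSource;
        this.userDetailsService = userDetailsService;
        this.rememberMeKey = System.getenv("REMEMBER_ME_KEY");
        if (rememberMeKey == null || rememberMeKey.length() < 32) {
            // A per-node random key is exactly what makes a second node reject the first node's cookie.
            throw new IllegalStateException("REMEMBER_ME_KEY must be set and at least 32 characters long");
        }
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        // Series/token pairs live in the persistent_logins table (schema: JdbcTokenRepositoryImpl.CREATE_TABLE_SQL),
        // so any node behind the load balancer can validate and rotate a cookie issued by another node.
        JdbcTokenRepositoryImpl repository = new JdbcTokenRepositoryImpl();
        repository.setDataSource(dataSource);
        return repository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .rememberMe()
                .rememberMeParameter("rememberMe")          // checkbox name in the login form (assumption)
                .tokenRepository(persistentTokenRepository())
                .userDetailsService(userDetailsService)
                .tokenValiditySeconds(TWO_WEEKS_SECONDS)
                .key(rememberMeKey);
    }
}
```

The key matters for both flavours: the hash-based cookie is validated against the key and the user's password, and the persistent variant still uses the key to mark the resulting authentication as remember-me, so nodes with different keys will not accept each other's logins. Logout is already handled, because rememberMe() registers its services as a logout handler that deletes the cookie and, with the persistent repository, the stored series.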