Attribute statement in Spring SAML extension generated metadata - spring-security

I am hoping to use the Spring SAML extension as the means to provide SAML authentication for an existing applications. These applications typically expect various attributes to be provided by the IdP generated assertion. These attributes ought to be specified in the SP metadata.
Since I do not see a method in org.springframework.security.saml.saml2.metadata.ServiceProviderMetadata to access the attribute statement element, I assume, that the attribute statement has to be added manually to the generated SP metadata, rather than configured in securityContext.xml.
Is that a correct assumption?
Thank you.

Related

Extending User Entity using Keycloak in JHipster

I want to add additional info when I register a new JHipster User with Keycloak. I already created an ExtendedUser entity with an one-to-one Relationship to the default User. Now i want to "extend" the registration form provided by Keycloak (adress, city,etc.) and safe these values in the ExtendedUser. is this possible? I cant seem to find any info on this. Also the registration form itself isn't in the gateway (like the default), but on the "keycloak-side", so i dont know if i can access the added values. My first guess would be to add the additional fields to the registration form, and then add the values to the token claims, which i could use to create an ExtendedUser in the background.
I´m using the default Keycloak implementation provided by JHipster (docker).
If this is not possible are there any other ways this could work (maybe switching to the JWT security implementation)? I also tried using the UAA server, but this isn't working for me because of other reasons.

Spring native support for OIDC workflow

I am trying to enable OIDC authN and authZ workflow for my spring-java-web application. Ideally I wanted to do it in a IDP agnostic way.i.e.This application could be integrated with only and any one of the Azure AD,OKTA,AWS SSO,Google-auth by deployment admin.And I want users to be redirected to whatever provider the application is integrated with.
With OIDC as a standard, my understanding is i should be able to write a OIDC auth processing filter that should work with any of the providers. The necessary config that varies per provider ( auth url,client id,secret,JWKS url to get the provider keys etc) will be passed to this filter/rest template as parameters.
Q.1 Is it possible to implement provider agnostic OIDC filter? Can someone give any pointers?
I am aware that Spring natively provides Oauth2 libraries/apis like AuthorizationCodeResourceDetails, OAuth2ClientAuthenticationProcessingFilter . However I do not see any OIDC native processing filter in built. Is there any?
I tried and understood the workflow as given in https://www.baeldung.com/spring-security-openid-connect .However when i try to tweak this code to make it work with Azure AD it fails. Thats because Azure AD requires
The response_type parameter must include id_token.
The request must include nonce parameter to be set in request.
AuthorizationCodeResourceDetails does not support such param. Given that OIDC is a common standard ,
Q-2. I fail to understand why every provider still has different requirements? Doesn't it defeat the purpose of OIDC . Infact I read that google throws error if you pass nonce
Q-3. Are there any spring native ways to configure these additional provider specific params like nonce , promt, additional response-type ,preferable with examples?
I think your problems with Spring Security OIDC are that you're using the legacy OAuth library (at least that's what the baeldung article is illustrating). OAuth2 and OIDC are part of Spring Security 5.x now and not a separate project. There's an OIDC client "login-client" in this example: https://github.com/jgrandja/oauth2-protocol-patterns that might show different. Yes, OIDC should allow you to swap providers in and out although not all OIDC providers will implement everything (e.g. discovery, etc.)

OpenEdge AppServer Spring Security

I would like to use the Spring security framework that OpenEdge has bundled with REST services. I have a table called os_user for users and would like to use this to validate credentials.
Does anyone know how to do this or have any experience with the Spring framework in OpenEdge?
Thanks to the article posted by Jensd (http://knowledgebase.progress.com/articles/Article/What-are-the-basic-steps-to-authenticate-REST-clients-against-the-OpenEdge-database-User-table) Following the steps there allowed me to create a custom class, which then runs as part of the spring authentication.
Implementing the appSecurity-form-oerealm option for Progress, under the OERealmUserDetails section has an XML property node with a name of "realmClass". In this property you specify the name of your custom class, which tells the spring framework to run this to validate credentials.
A ValidateUser method and ValidatePassword method must be in this class. These methods allow you to run any OE code you like to access your database and validate user credentials.
*Note that this method of authentication is for older "Classic" AppServers, and an older version of spring. Progress have now released PAS for OpenEdge which works differently.

Spring boot security, JWT auth server to server

I want to secure my application with JWT. This application is only accessed by other server applications that know the secret key before hand. I do not need to add a token generation since the key is already known between the applications. I tried to find some samples for this, but all the examples are complicated (I'm new to spring security) and moreover they do not include anything simple that would fit my use case (known secret key and algorithm, so no provider and storing of the token is needed).
Basically what I want is to decode the token sent by the fellow server, check the secret key, check the sender and check the time (the fellow server will always generate a new token so if that token is stollen then it will be invalid in a small amount of time).
I've thought of implementing this with a custom filter (or interceptor) plus this library and remove spring security entirely, since I can't find any use for it. But I would prefer to use spring security in order to have it available for any future needs and in general achieve what I want by doing it the spring way.
The JWTFilter from JHipster may be a good start!

How to store spring security session information in redis?

I am using Spring security for Authentication and Authorization in my application. I am using Neo4j database as backend and implemented userDetailsService for authentication.
However, whenever my application restarts, user is forced to login once again.
To overcome this, i am thinking to store session information in redis database and load the data to Spring security Context whenever application gets started.
Kindly pass on if there are any articles and pointers to implement the same.
I am thinking of following implementation for it,
1) For every successful authentication, store user details and session details in redis.
This must be implemented in loadUserByUsername() method of UserDetailsService implementation
2) Remove the data from redis, whenver user logs out, Where can i do this information? Is there any spring security function where i can call this
3) Load all the data from redis to spring security whenever application restarts, again where do i need to write this logic?
Please let me know if i have missed any information.
All you need to do is to implement a
SecurityContextRepository that handles security context storage to reds
Eventually a custom filter that retrieves/ stores session information (GenericFilterBean)
I think it is possible to just give the standard filter a different repository, but I am not sure, I needed my own implementation anyway...
Store session in a redis is out-of the box functionality now
http://docs.spring.io/spring-session/docs/current/reference/html5/guides/httpsession.html
You need to configure remember-me feature of Spring Security.
Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.
More information available in Spring Security documentation:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/remember-me.html
You can use out of box implementations or inject your own (aforementioned redis).
As Luke Taylor said, Tomcat's default action is serialize/deserialize sessions on container restart.
Here
pathname attribute of standard manager is the name of the serialization file. If you dont specify a path name attirbute the default is SESSIONS.SER
If you dont want to have sesssions back when restarted, you need to specify it as empty string value..

Resources