OpenEdge AppServer Spring Security - spring-security

I would like to use the Spring security framework that OpenEdge has bundled with REST services. I have a table called os_user for users and would like to use this to validate credentials.
Does anyone know how to do this or have any experience with the Spring framework in OpenEdge?

Thanks to the article posted by Jensd (http://knowledgebase.progress.com/articles/Article/What-are-the-basic-steps-to-authenticate-REST-clients-against-the-OpenEdge-database-User-table) Following the steps there allowed me to create a custom class, which then runs as part of the spring authentication.
Implementing the appSecurity-form-oerealm option for Progress, under the OERealmUserDetails section has an XML property node with a name of "realmClass". In this property you specify the name of your custom class, which tells the spring framework to run this to validate credentials.
A ValidateUser method and ValidatePassword method must be in this class. These methods allow you to run any OE code you like to access your database and validate user credentials.
*Note that this method of authentication is for older "Classic" AppServers, and an older version of spring. Progress have now released PAS for OpenEdge which works differently.

Related

Asp.NET Core Authorization from database

We are starting a new ASP.NET Core web site and the customer would like to handle the authorization using the database. So they want to configure custom roles and the actions to be configured in the database.
I have been trying to find an example or something to help me implement this, but could not find. Can this be achieved using the Authorize attribute from framework or a custom filter needs to be implemented?
EDIT:
I should probably mention that the application is an intranet so Windows Authentication is used for authentication
Short answer Yes.
Long answer...
This can all be achieved from the database you can configure up using existing methods with Identity, and from there create all the custom roles and even policies that you want to have and be able to assign, to each user individually or via roles.. Authorize attribute will work just fine with cookies. My only recommendation is that you try not handle security yourself but let the framework handle this for you.

How do I customize the credentials check in the Grails Spring Security Core plugin?

I'm currently creating a new application that requires users to login. I want to use the Spring Security Core plugin for this, but the only problem is that the credentials of the users are stored in a centralized system, and not locally in the database. This system can only be accessed by an API, and will tell me whether the credentials are correct or not.
Is there any way to override the credentials check of the Spring Security Code plugin, so I can check the credentials myself? Or in case this is not possible, is there any other workaround?
It belongs on what your system looks like.
You can write your own Authentication Provider.
Here is answer.
You can create your own User class with datasource set on your centralized system database.
Or you can use Spring Security CAS Plugin

Grails Spring Security plugin Access Control/Authorization without Authentication?

My problem:
I would love to use the Spring Security plugin's access control/authorization mechanism with my Grails application without having to use the plugin's authentication mechanism. The various Grails Spring Security plugin examples (like this one) I've found combine these two functions. Is there an easy way to just do access control?
Background:
I would like to add roles-based access control to my existing app. I would love to either just annotate my controllers or use the Config.groovy map approach for setting up the access control.
My app already has a user domain class.
The user domain class already handles encrypting passwords using BCrypt.
The app does not have a "role" domain class.
I already have controller actions, views and business logic for handling logging in and logging out. I have no interest in replacing this with the plugin's implementation.
On the right track, but not quite helpful:
I know this is possible to do, as explained in this other question: BUT, that questions and its answers explains how to do it in a Java app using the raw Spring Security framework. I would love for someone to lay out how to do this in a way that is compatible with the latest version (1.2.7.3 as of this writing) of the Grails Spring Security plugin. I don't want to reinvent wheels that have already been taken care of by the plugin.
In addition, this example explains how to do some of this, but it appears to be outdated because it is based on an older version of the plugin that uses Spring Security 2.x. It also only uses custom authentication for one piece of the app, while it looks like it still uses the Spring Security plugin's domain classes elsewhere.
How to do it?
Can someone lay out an approach for me?
I assume I need to create my Role domain class.
After that I assume it will involve custom Authentication objects and the like. But how do I hook them into use the plugin's existing code?
You could go with a custom authentication provider and I have an updated version that I did as part of a recent talk. See this blog post which has a sample app and link to a video of the talk: http://burtbeckwith.com/blog/?p=1090
It would be simple to use a custom UserDetailsService - this is the most common customization done for the plugin and it so has its own chapter in the docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Basically you need to create a Spring Security User instance and Spring Security (and the plugin) doesn't care how you get the data. So your custom UserDetailsService just needs to be a bridge between your current auth scheme and Spring Security.
I ended up creating my own access control/authorization mechanism rather than using the Spring Security plugin. I never could figure out how to separate the plugin's authentication mechanism from the authorization mechanism. Doing the work myself was very easy.
I did the following:
Created a new Role domain class.
Added a Set property and hasMany relationship to my User domain class.
Created a new AuthorizationFilters filter. This is where I put in my authorization rules. In this filter I can check to see if a user has the role necessary to access the given URL and redirect to a login page, redirect to a "not authorized page" or allow them to pass.
This doesn't have the nice syntactic sugar of the plugin and isn't quite as concise either, but it was very easy to implement and understand.

How to achieve authentication using an XML users file in grails?

Being a newbie to grails, I want to learn how to authenticate users using an XML users file? For ex: A user is able to login only when the credentials(username & password) match with the one in XML file. Can anyone please help giving a simple example. I basically want to know what additonal classes are to be written or require modifications. Please guide!!!
The Spring Security Core plugin has pluggable support for the source of user authentication data. Neither the plugin nor Spring Security care where you get the data, just that you implement the required interface so the other classes can use it.
All you'd need to do is create a UserDetailsService implementation that parses the XML and creates a GrailsUser instance from there. See section "11 Custom UserDetailsService" in the documentation for an example customized class and description of how to wire things up.
why do you want to authenticate against a xml file containing user information? the easiest and quickest way would be to integration spring security by using the grails plugin http://www.grails.org/plugin/spring-security-core. the user is stored in the database and you can configure lots of things like crypto, acls, ...

Spring 3 - Custom Security

I am in the process of converting a legacy application from proprietary technology to a Spring based web app, leaving the backend system as is. The login service is provided by the backend system through a function call that takes in some parameter (username, password plus some others) and provides an output that includes the authroizations for the user and other properties like firstname, lastname etc.
What do I need to do to weave this into Spring 3.0 security module. Looks like I need to provide a custom AuthenticationProvider implementation (is this where I call the backend function?). Do I also need a custom UserDetails and UserDetailsService implementation which needs loadUserByName(String userName)?
Any pointers on good documentation for this? The reference that came with the download is okay, but doesn't help too much in terms of implementing custom security.
You only need to implement a UserDetailService, only when you like to make available some User details that's don't fit in the standard Spring User details class: org.springframework.security.core.userdetails.User you need to implement one for you're selves.
A good example you find here (just replace the hibernate stuff, with what ever you use for communicating with the backend).

Resources