I'm new in spring security. In my actual application no spring, it has some methods of authetification, for example, some systems are authenticated by xml document, other systems are authenticated by url with parameters, other system are authenticated by webservices and other system are authenticated by json documents . In my new spring security application at the moment only authetification by login form, but I try bypass login form, to implement the others authentification, but at the moment i don't know to do it. Can anybody help me how to implement the others authentifications?
Best Regards
You need "Multiple Authentication Provider". Have a look to these documents, it explains how to authenticate using Login Form and Restful:
Spring security for both web services and users
https://blog.codecentric.de/en/2012/07/spring-security-two-security-realms-in-one-application/
Spring security with multiple authentication providers - UsernameNotFoundException
http://www.networkedassets.com/configuring-spring-security-for-a-restful-web-services/
4th link works for me, when i set in my navigator http://localhost:8080/rresclick/apiloginuser?username=username&password=password I authenticate well and not show login form. After authentificate, it went to controller.
Now i want to do not show login form when I recive a xml document with user and password. it has do the same.
Related
I am new to Spring world and with the help of lots of information available online, I have pretty much developed Spring MVC Application I am working on currently.
Last piece I have to implement is to integrate OAM SSO in my application to use as authentication.
I searched a lot on web but couldn't find single example of implementing third party Authentication provider.
I finally realized that I have to use PreAuthentication but I am not sure how I would implement it.
I am unable to share my code because any thing I tried until now is not working and I feel that I haven't got right path yet.
Any help would be much appreciated.
To give you brief idea about OAM, OAM authenticates user ID and Passwords and sends you authenticated requests with a cookied, OBSSOCookie. Using this cookies, you need to contact OAM and get User ID and password and also User Roles (Authorities). Any request coming to your application is already authenticated so you do not need to authenticate again. all you need to do is, using this cookie, need to retrieve user Authorities.
For Spring MVC, you could use the spring-webmvc-pac4j security library, instead of Spring Security. Use a CookieClient to deal with the OBSSOCookie and create your own Authenticator to check this cookie against OAM.
I have a setup of IdentityServer with configuration of a client with hybrid flow. Is it possible to have an ASP.NET MVC app to use this instance of IdentityServer to log-in the user without looping to IdentityServer's log-in page? That is, use a custom log-in page on the client side to get user credentials and then make a server-side connection with IdentityServer to do the authorization? Is there any sample that demonstrates this? Thanks!
From how I interpret your question, the Resource Owner Password Credential Flow seems to fit your scenario.
See the FAQ-like answer here.
"Q. Which Flow Types designed to be used ONLY in trusted environment (like backend REST API/ micro-services isolated from internet, or owned servers/devices, in general: trusted OAuth2 clients)?
A.
Resource Owner Password Credential Flow (ROPCF) [it involve human: app show its own login page then pass user/pass... to STS].
Client Credential flow [machine to machine (API to API): supply client-id and secret]."
*Disclaimer - I understand you are currently using Hybrid flow- My answer simply implies you could change your solution. If that is not possible, then I would suggest looking into multiple OAuth implementations for an MVC app.
Since I didn't get an answer for this, I'm just posting what I've found so far.
It looks like it is not possible to bypass the IdentityServer's log-in page.
For more info about IdentityServer flows see: OIDC and OAuth2 Flows
I have some question that depends on initegration Spring Security 3 and CAS technology.
I know that SS gives me abilities to setup CAS auth with some providers and filters. But I didnt see examples that describe how can I use my custom login form or page.
CAS gives options to setup custom design of login page, but this solution isnt for me.
I need to implement pop-up login form in my applications. This is requirement and I can`t change anything.
So, my question is:
How can I integrate Spring Security and CAS with my custom login form/page?
Give me some examples or thematic links about this question, please.
Or maybe I mustn`t use CAS. Maybe some OpenId techonology?
Thanks!
One of basic principles of CAS: actual application does not know anything about user password. So if you absolutely want to have login page with password then consider using some other technology. For example if you can add for each your application a sub domain then authentication based on domain coockie will be good enough (consider Google with docs.google.com, mail.google.com, etc...)
This is a question regarding ASP.net MVC 4. You can assume SSL throughout.
I have a Web API which will be available to clients over SSL using HTTP Basic Auth.
I also have a CMS, on the same domain, which uses the Web API via jQuery.
The user logs into the CMS over Forms auth.
For this reason I would like that it be possible to login to the Web API using either HTTP Basic Auth or Forms auth.
I plan to implement this using a custom AuthorizeAttribute, which will first check the basic auth header against the database if present. If the basic auth header is not present, then it will delegate authorization to the base AuthorizeAttribute to handle Forms auth.
First of all, is this a good idea? Can anyone see any problems in allowing either type of auth? Can anyone see any implementation problems?
First of all, is this a good idea?
Yes, it seems like a good idea and I do not see anything wrong with implementing 2 types of authentication mechanisms:
Forms authentication for users that are already authenticated on the same domain
Basic authentication for users that are not yet authenticated but posses a username and password and want to directly invoke some method of your Web API
Ok, second try here.. hoping I phrase my question better to get a few responses.
I am currently working on a small project developed in Grails with the Spring Security plugin to handle account management and security. I want to intercept the login function and add some custom code. The goal is to have 2 options available to the end user for registration, the default spring security/application option and the other using facebook connect.
I did notice and read up on the facebook connect features in Spring Security but to me, it doesnt seem to fit my requirements exactly. I cannot assign permissions/roles to these facebook connect users if I were to use the default facebook connect features in Spring Security. Anyone else run into this?
How can I intercept the login function? There is an auth method in Login but thats not exactly where I think I need to inject my own custom business logic. Any help with this would be most appreciated.