I have users in my db and each user has an IP address. I must give access to the site only to users whose IP address exists in my db. Users do not have a login and password. They have a phone number, id, details and IP address. When a user opens the web page I detect his IP address, find it in the db and give or deny access. If access is granted I need to save this user to the session.
Can I use spring security for this?
When I tried to use Spring Security I saw that it needs a login and password. But my users do not have a login and password.
You can, but I am unsure whether you should.
First, for common use cases, IP-based authentication is a really poor security practice: it relies on only one element, and any admin of a single machine on the network can change its IP address and pretend to be someone else.
Assuming you have a real reason to do that, Spring Security can easily do it. You will have to set up a custom authentication processing filter that uses the IP address to build a valid Authentication. It could derive from AbstractAuthenticationProcessingFilter or AbstractPreAuthenticatedProcessingFilter.
The filter could do the heavy job and directly put a fully authenticated authentication token in the SecurityContext obtained from the static methods of the SecurityContextHolder class. But the Spring Security way would be to only put a WebAuthenticationDetails in a custom Authentication token, pass it to the AuthenticationManager and let a custom AuthenticationProvider build the fully authenticated Authentication.
Related
I have implemented Spring Security with a RESTful API using Spring Boot and everything works perfectly.
I want to prevent multiple logins with the same username and password from the same client. How can I do that?
The only approach that I can think of is to identify the clients by their IP and then only allow one login per client. Here's a tutorial on how to block accounts after several failed login attempts from the same IP / client.
http://www.baeldung.com/spring-security-block-brute-force-authentication-attempts
Maybe it could give you an idea on how to solve your problem.
Please be aware that there are some problems coming with this, like dynamic IP addresses (the user gets a new IP address after disconnecting) and more than one user using the same proxy, so that all of them have the same IP address.
Let's say that I would like to utilize two authentication providers for the same login request.
grails.plugins.springsecurity.providerNames = [
'customAuthenticationProvider',
'ldapAuthProvider',
'anonymousAuthenticationProvider',
'rememberMeAuthenticationProvider']
The scenario is that I first get authenticated with my customAuthenticationProvider, which grants/denies access. When this is done, it moves on to check if it is able to authenticate the user against an LDAP server, which in its turn grants/denies.
Is this the way that Spring Security will operate given, for example, the list of providerNames above? Or will it grant access if the first provider grants/denies and behave accordingly?
Do all authentication attempts need to pass in order to be granted access?
The providers will be tried in the order listed until one authenticates successfully, or they all fail. When one authenticates, the process stops, and the remaining providers will not be tried.
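The order-of-evaluation rule in the answer above, shown as an added example (not code from the question or the answer). It assumes plain Spring Security's ProviderManager, which is what the Grails plugin wires from providerNames, and uses two constructed stand-in providers: a "local" one that knows one account and returns null for everyone else, and a fake "LDAP" one that accepts one fixed password. Nothing here talks to a real LDAP server.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

/** Stand-in for 'customAuthenticationProvider': knows a single local account (constructed data). */
class LocalProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        if (!"alice".equals(auth.getName())) {
            // null means "I cannot decide": ProviderManager moves on to the next provider.
            return null;
        }
        if (!"alice-pw".equals(auth.getCredentials())) {
            // An AuthenticationException also moves on; it is rethrown only if no later provider succeeds.
            throw new BadCredentialsException("wrong local password");
        }
        return new UsernamePasswordAuthenticationToken(auth.getName(), null,
                AuthorityUtils.createAuthorityList("ROLE_LOCAL"));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

/** Stand-in for 'ldapAuthProvider': accepts any user whose password is "ldap-pw" (constructed, no real LDAP). */
class FakeLdapProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        if (!"ldap-pw".equals(auth.getCredentials())) {
            throw new BadCredentialsException("LDAP bind failed");
        }
        return new UsernamePasswordAuthenticationToken(auth.getName(), null,
                AuthorityUtils.createAuthorityList("ROLE_LDAP"));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

public class ProviderOrderDemo {
    public static void main(String[] args) {
        // Same order as the providerNames list: custom provider first, LDAP second.
        ProviderManager manager = new ProviderManager(List.of(new LocalProvider(), new FakeLdapProvider()));

        // alice/alice-pw: the first provider succeeds, so the LDAP provider is never consulted.
        Authentication a = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "alice-pw"));
        System.out.println("alice -> " + a.getAuthorities());

        // bob/ldap-pw: the first provider returns null, the second one authenticates.
        Authentication b = manager.authenticate(new UsernamePasswordAuthenticationToken("bob", "ldap-pw"));
        System.out.println("bob -> " + b.getAuthorities());

        // alice/wrong: the local provider throws, the LDAP provider throws too;
        // ProviderManager then rethrows the last exception it saw.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("alice/wrong -> " + e.getClass().getSimpleName());
        }
    }
}
```

The point the demo makes is that the list is an OR, not an AND: alice is accepted by the local provider alone and her LDAP password is never checked. If you really need both checks to pass for one login, a single provider must perform both itself; chaining providers will not do it. Note also the two ways a provider can "pass": returning null (cannot decide) and throwing an AuthenticationException (decided no) both let the next provider try, but only the exception is reported to the user if every provider fails.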
I have a single URL accessible through a servlet that I have locked down using Spring Security's DaoAuthenticationProvider. I now have the requirement that certain incoming IP addresses must be whitelisted and so are not requested to authenticate.
I can hack around this easily enough by overriding DaoAuthenticationProvider's authenticate method and bypassing the superclass's implementation if the IP address matches a known IP address, but this then only works when the sender of the request supplies a username and password (even if it's nonsense). Otherwise the provider doesn't get called.
What would be the best way to do this? Should I be using a filter to bypass the authentication procedure if a known IP address is incoming?
Could you just use the hasIpAddress() expression? We're doing that for what appears to be a similar case.
<security:intercept-url pattern="/services/**" access="hasIpAddress('192.168.1.0/24')"/>
I think the idiomatic Spring Security way to do it is to implement a pre-authentication filter that would populate security context with a valid Authentication object when client is in the whitelist. You can implement such a filter from scratch (for example, as here) or use AbstractPreAuthenticatedProcessingFilter (though it seems to be overcomplicated for your task).
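Both the first question on this page (users identified only by the IP address stored against them in the database, with the result saved to the session) and the whitelist question just above lead to the same construction: a pre-authentication filter that hands the peer address to the AuthenticationManager, and a provider that turns a whitelisted address into a UserDetails. This is an added example, not code from either answer. It assumes Spring Security 6 on the jakarta.servlet API (for 5.x change the imports to javax.servlet), and the user table is replaced by a constructed in-memory map from IP address to phone number.

```java
import java.util.List;
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/** Filter side: the only thing taken from the request is the peer IP address. */
public class IpAddressPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // getRemoteAddr() is the TCP peer, which is what a whitelist should key on.
        // Behind a reverse proxy that is the proxy's own address; in that case register
        // Spring's ForwardedHeaderFilter configured to trust only that proxy. Never read
        // X-Forwarded-For here yourself: any client can put whatever it likes in that header.
        return request.getRemoteAddr();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // nothing to prove; the address is the whole assertion
    }
}

/** Provider side: looks the IP up in the user table and builds the UserDetails. */
class IpAddressUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    private final Map<String, String> phoneByIp; // stands in for the DB table (ip -> phone number)

    IpAddressUserDetailsService(Map<String, String> phoneByIp) {
        this.phoneByIp = phoneByIp;
    }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        String ip = token.getName(); // the principal the filter extracted
        String phone = phoneByIp.get(ip);
        if (phone == null) {
            // Surfaces as an AuthenticationException; the filter then leaves the request
            // unauthenticated and lets the chain continue, so a normal form login still applies.
            throw new UsernameNotFoundException("address " + ip + " is not whitelisted");
        }
        return User.withUsername(phone).password("").authorities("ROLE_IP_USER").build();
    }
}

/** Wiring; in a real application these are beans, with the filter placed before the form-login filter. */
class IpAuthWiring {
    static IpAddressPreAuthFilter build() {
        // Constructed sample rows standing in for the users table.
        IpAddressUserDetailsService uds = new IpAddressUserDetailsService(Map.of(
                "203.0.113.7", "+15550100",
                "198.51.100.22", "+15550101"));

        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(uds);

        IpAddressPreAuthFilter filter = new IpAddressPreAuthFilter();
        filter.setAuthenticationManager(new ProviderManager(List.of(provider)));
        // Persist the resulting Authentication in the HTTP session, as the first question asks.
        filter.setSecurityContextRepository(new HttpSessionSecurityContextRepository());
        return filter;
    }
}
```

With this in place a whitelisted client is authenticated before the form-login filter ever runs, so it is never asked for a username or password, and a non-listed client falls through unchanged. The proxy caveat in the filter is the one that bites in practice: if the application sits behind a load balancer and the filter trusts a forwarded header without restricting which proxy may set it, the "whitelist" is one HTTP header away from any attacker.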
I am using Spring security in my application and wish to know if there is a way to "ask" spring to only remember the user-name of the user that comes to the application (by means of the remember-me checkbox).
What I could gather from the reference documentation is that Spring is able to save the userName and the password of the user, and directly log him/her in the next time. But what I want is that user be taken to the login page each time he comes back, but with his user-name already typed in.
Of course, if Spring doesn't have a way to do this, I would need to implement some cookie storage logic to take care of this requirement.
Many thanks for your answers as always.
So, you need to set a cookie containing the user name after authentication, and access it during rendering of the login page.
If you use Spring Security 3.x, the former can be done by subclassing AuthenticationSuccessHandler (SavedRequestAwareAuthenticationSuccessHandler is the default implementation) and setting a cookie with response.addCookie().
The latter is a regular cookie access (request.getCookies(), etc).
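The two steps in the answer above (set a cookie from a success handler, read it back when rendering the login page) as an added example, not code from the answer. It assumes Spring Security 6 on the jakarta.servlet API, a login page at /login, and a form checkbox named remember-username; the cookie name is likewise an assumption. Only the username is stored, never a credential.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class RememberUsernameSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    static final String COOKIE_NAME = "remembered-username";   // assumed cookie name
    static final String CHECKBOX_PARAM = "remember-username";  // assumed form field name
    static final String LOGIN_PATH = "/login";                 // assumed login page URL
    static final int THIRTY_DAYS = 30 * 24 * 60 * 60;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        if ("on".equals(request.getParameter(CHECKBOX_PARAM))) {
            // URL-encode: usernames may contain characters that are not valid in a cookie value.
            Cookie cookie = new Cookie(COOKIE_NAME,
                    URLEncoder.encode(authentication.getName(), StandardCharsets.UTF_8));
            cookie.setPath(LOGIN_PATH);   // only the login page needs it
            cookie.setHttpOnly(true);     // read server-side while rendering, not by scripts
            cookie.setSecure(true);       // never sent over plaintext HTTP
            cookie.setMaxAge(THIRTY_DAYS);
            response.addCookie(cookie);
        } else {
            Cookie clear = new Cookie(COOKIE_NAME, "");
            clear.setPath(LOGIN_PATH);
            clear.setMaxAge(0);           // box unticked: drop any stale cookie
            response.addCookie(clear);
        }
        // Keep the default behaviour: redirect to the saved request or the default target.
        super.onAuthenticationSuccess(request, response, authentication);
    }

    /** For the login-page controller: the remembered username, or null if there is no cookie. */
    public static String rememberedUsername(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                return URLDecoder.decode(c.getValue(), StandardCharsets.UTF_8);
            }
        }
        return null;
    }
}
```

The handler is registered with the form login configuration in place of the default success handler. When the controller echoes the returned name into the username field, it must be HTML-escaped as any other user-supplied string (a template engine's attribute binding does this; string concatenation into the page does not).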
We have a lot of users on a VBulletin forum. Now I want to write a few more apps on Rails for the same user base. Until now all the authentication and session management has been taken care of by VBulletin. What is the best way to provide SSO for my users both on VBulletin and on the Rails apps I am writing?
I am working on a single sign-on process with vBulletin and a custom-made application. I can log in at VB using cookies. I can access all. But when I try to send a "Private Message", it says:
"You have turned off private messages. You may not send private messages until you turn them on by editing your options."
Are all permissions set in the "datasource" table?
Thanks
master
Ideally your two sites are subdomains of a common domain (e.g. forum.example.com and rails.example.com), or share the same domain (www.example.com). One of the sites would be the primary authenticator and set a cookie (for .example.com in the case of the common parent domain [notice the . before example.com], or www.example.com in the case of the shared domain, so that both applications can access it), where the cookie contains:
the user ID
a salt (random value calculated at login time), and
a SHA-2 signature computed over the triplet (user ID + salt + a shared secret key), where the shared secret key is a secret string known by both sites.
Each site would be able to retrieve the user ID and salt from the cookie, then use the shared secret key (known only by the two applications) to calculate a SHA-2 signature that must match the SHA-2 signature stored in the cookie.
If the SHA-2 signatures match then you can assume that the user is authenticated, otherwise force the user to log in again.
The cookie must be destroyed when logging off.
The small print
To protect against session hijacking, all requests made over the two sites should be encrypted over SSL (use https). If this is not possible, a hash based on the client's IP address as well as browser type and version (User-agent) should probably be calculated at login time and also be stored in the cookie. It should be re-checked against the client's IP address and user agent before serving each request. The hash-based approach is security through obscurity and can be fooled; moreover, a user accessing the internet from behind a pool of proxies or using TOR may be kicked out by your system every time a different proxy or exit node (with a different IP address) forwards a request.
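The shared-secret cookie described in the answer above, minted by the primary authenticator and verified by either site, as an added example that is not part of the answer. It is written in Java for consistency with the rest of this page; the Rails side would do the same with OpenSSL::HMAC and the vBulletin side with hash_hmac. Two points differ from the answer's description and are choices of this example: the signature is an HMAC-SHA256 keyed with the shared secret, which is the standard construction for "a SHA-2 over the data plus a secret", and an expiry timestamp is included and covered by the MAC, so a cookie copied off a machine cannot be replayed indefinitely. The secret and user ID in main() are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.OptionalLong;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** SSO cookie "userId.expiry.salt.mac": minted by the primary site, verified by both sites. */
public final class SsoCookie {
    private static final String HMAC = "HmacSHA256";
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final byte[] sharedSecret;           // known only to the two applications
    private final SecureRandom rng = new SecureRandom();

    public SsoCookie(byte[] sharedSecret) {
        this.sharedSecret = sharedSecret.clone();
    }

    /** Called by the primary authenticator at login time. */
    public String mint(long userId, long ttlSeconds) {
        byte[] salt = new byte[16];
        rng.nextBytes(salt);                      // fresh per login, so two logins never share a cookie
        long expiry = Instant.now().getEpochSecond() + ttlSeconds;
        String payload = userId + "." + expiry + "." + B64.encodeToString(salt);
        return payload + "." + B64.encodeToString(mac(payload));
    }

    /** Either site: the user ID if the cookie is genuine and unexpired, otherwise empty (force a login). */
    public OptionalLong verify(String cookie, long nowEpochSeconds) {
        if (cookie == null) return OptionalLong.empty();
        String[] p = cookie.split("\\.", -1);
        if (p.length != 4) return OptionalLong.empty();
        String payload = p[0] + "." + p[1] + "." + p[2];
        byte[] given;
        try {
            given = B64D.decode(p[3]);
        } catch (IllegalArgumentException e) {
            return OptionalLong.empty();
        }
        // Constant-time comparison: a plain equals() leaks how many leading bytes matched.
        if (!MessageDigest.isEqual(mac(payload), given)) return OptionalLong.empty();
        try {
            long expiry = Long.parseLong(p[1]);
            if (expiry <= nowEpochSeconds) return OptionalLong.empty();
            return OptionalLong.of(Long.parseLong(p[0]));
        } catch (NumberFormatException e) {
            return OptionalLong.empty();
        }
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(HMAC);
            m.init(new SecretKeySpec(sharedSecret, HMAC));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);     // in production: one long random value configured on both sites
        SsoCookie sso = new SsoCookie(secret);
        long now = Instant.now().getEpochSecond();

        String cookie = sso.mint(42L, 3600);     // constructed sample user ID, one-hour lifetime
        System.out.println("genuine   : " + sso.verify(cookie, now));
        // Change the user ID but keep the rest: the MAC no longer matches, so it is rejected.
        String forged = cookie.replaceFirst("^42\\.", "1.");
        System.out.println("forged id : " + sso.verify(forged, now));
        // The genuine cookie presented two hours later: rejected as expired.
        System.out.println("expired   : " + sso.verify(cookie, now + 7200));
    }
}
```

Set the cookie with Secure and HttpOnly and the Domain from the answer (.example.com). Because verification is stateless, "destroying the cookie on logoff" only removes it from that browser; a copy taken earlier still verifies until the expiry, which is why the lifetime should be short, and why the answer's advice to serve everything over https matters more than the IP/User-agent hash.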