Custom authenticator with password expiry handling in Spring - spring-security

We have an existing application that uses Spring Security. We need to have a password expiry option for the users. We already have a column that holds the passwordExpirationDate. What would be the way to have my AuthenticationProvider/Manager redirect to the password reset page after the passwordExpirationDate?
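One way to do what the question asks, as an added example that is not code from the original post: let the standard DaoAuthenticationProvider enforce the expiry date through UserDetails.isCredentialsNonExpired(), and map the CredentialsExpiredException it raises to a redirect in a custom AuthenticationFailureHandler. Spring Security 6 (jakarta servlet API) is assumed; the Account record, the AccountRepository interface, the session attribute name and the /password-reset URL are placeholders for the application's own.

```java
// Added example, not code from the original post. DaoAuthenticationProvider
// runs its post-authentication check only after the password has matched,
// so CredentialsExpiredException is raised only for a caller who knew the
// (expired) password. Assumed names: Account, AccountRepository,
// PASSWORD_RESET_USERNAME and /password-reset.

import java.io.IOException;
import java.time.Instant;
import java.util.List;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Service;

/** Assumed minimal view of the existing users table (passwordHash is already BCrypt-hashed). */
interface AccountRepository {
    Account findByUsername(String username); // null when the user does not exist
}

record Account(String username, String passwordHash, Instant passwordExpirationDate, List<String> roles) {}

@Service
class ExpiringPasswordUserDetailsService implements UserDetailsService {
    private final AccountRepository accounts;

    ExpiringPasswordUserDetailsService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        Account a = accounts.findByUsername(username);
        if (a == null) {
            throw new UsernameNotFoundException(username);
        }
        // A null passwordExpirationDate means the password never expires.
        boolean expired = a.passwordExpirationDate() != null
                && !a.passwordExpirationDate().isAfter(Instant.now());
        return User.withUsername(a.username())
                .password(a.passwordHash())
                .roles(a.roles().toArray(String[]::new))
                .credentialsExpired(expired) // DaoAuthenticationProvider checks this after the password match
                .build();
    }
}

class PasswordExpiryFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    PasswordExpiryFailureHandler() {
        super("/login?error"); // every other failure keeps the usual behaviour
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException ex) throws IOException, ServletException {
        if (ex instanceof CredentialsExpiredException) {
            // Correct password, but past passwordExpirationDate. No Authentication was
            // stored, so the user is NOT logged in. Remember who must reset so the
            // reset page can ask for the old password again and set a new one.
            request.getSession(true).setAttribute("PASSWORD_RESET_USERNAME",
                    request.getParameter("username"));
            getRedirectStrategy().sendRedirect(request, response, "/password-reset");
            return;
        }
        super.onAuthenticationFailure(request, response, ex);
    }
}

@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a
                        // the reset page must be reachable by an unauthenticated user
                        .requestMatchers("/login", "/password-reset").permitAll()
                        .anyRequest().authenticated())
                .formLogin(f -> f.loginPage("/login")
                        .failureHandler(new PasswordExpiryFailureHandler()));
        return http.build();
    }
}
```

The reset page should still require the old password before accepting a new one and should clear the PASSWORD_RESET_USERNAME attribute once the password has been changed; the attribute only records that someone recently proved knowledge of the expired password, it does not log them in.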

Related

Spring security with Google OAuth and generate custom token

I have implemented spring security for UsernamePassword based authentication.
Tables like oauth_access_token, oauth_client_details etc are created by spring.
Tokens generated by tokenEndpoint.postAccessToken(principal, parameters); are stored in oauth_access_token table.
Scenario:
I need to have both usernamePassword based authentication and Google OAuth support.
Now I have to integrate Google OAuth in my application.
I can't use Google's API for every request validation so once I get the user profile from Google I'm trying to generate the token using tokenEndPoint and give it to client (Mobile App/Front end).
Problem:
-> I can't use "password" as grant type, as there is no password in this case and if I use password as grant type then Spring security uses password in DB for password validation
Is my approach correct? What should I do here to store tokens in the oauth_access_token table?
What is the best practice to support social login and generate a custom token which will be shared with the client?

Using Spring Security to Validate User Credentials

I have an application that uses Spring Security LDAP for User authentication.
What I'm trying to do is build a feature that requires the User to provide their password again for validation of credentials before performing an important process.
The user is already signed in, so I wouldn't want to kick the user out by killing their current session.
This sounds like it could be a tricky requirement to fulfil. I have one somewhat outside-the-box solution that could meet the requirement:
Create a sister Grails application that uses the same Grails/Spring Security/LDAP structure as your primary app.
Expose a /verifyLdapCredentials service in the sister application to accept the user's LDAP credentials.
Authenticate against LDAP.
Send a success/failure response back to the primary application.
Unauthenticate from the sister application immediately to prepare for the next request.
I ended up creating a separate service and controller to make a simple LDAP auth and lookup.
The service would login with the Spring config settings, then apply the username and supplied password and validate CN result.

how to get user entered password in spring security 3

I have implemented UserDetailsService and overridden loadUserByUsername(String username); here I need the user-entered password.
I want to authenticate against LdapTemplate authenticate(username, password).
I have searched a lot but didn't get it.
Please help me.
Either use spring-security-ldap for LDAP based authentication or implement your own AuthenticationProvider instead of DaoAuthenticationProvider.
There are multiple authentication scenarios when using Spring Security LDAP:
either you can retrieve the user entry via a connection authenticated by the provided credentials (probably the scenario you are looking for)
or you can authenticate via technical account (usually you need to make LDAP search to get user's DN)
For more information check Spring Security LDAP documentation.
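The two LDAP threads above (re-checking a signed-in user's password before an important operation, and calling LdapTemplate.authenticate(username, password) yourself) can be served by one small service. This is an added example, not code from either post: it binds to the directory as the current user with the password they just typed and reports the result, without touching the SecurityContext, so the existing session is neither replaced nor invalidated. A Spring LDAP LdapTemplate bean, a user base of ou=people and a uid naming attribute are assumptions.

```java
// Added example, not code from either post. Re-verifies the current user's
// LDAP password for a "sudo"-style step. Assumed: an LdapTemplate bean
// (Spring LDAP 2.x), user entries under ou=people keyed by uid.

import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.query.LdapQuery;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

import static org.springframework.ldap.query.LdapQueryBuilder.query;

@Service
public class CredentialReverifier {

    private final LdapTemplate ldap;

    public CredentialReverifier(LdapTemplate ldap) {
        this.ldap = ldap;
    }

    /**
     * Returns true only if {@code password} is the LDAP password of the user
     * who owns the current session. The session's Authentication is read but
     * never replaced, so a failed check does not log the user out.
     */
    public boolean reverifyCurrentUser(String password) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            return false;
        }
        // An empty password must never reach the directory: many servers treat an
        // empty credential as an anonymous bind and report it as a success.
        if (password == null || password.isEmpty()) {
            return false;
        }
        // LdapTemplate searches for exactly one entry matching the query under the
        // base, then binds as that entry's DN with the supplied password. It does
        // not use the technical account's credentials for the bind itself.
        LdapQuery userQuery = query()
                .base("ou=people")
                .where("uid").is(current.getName());
        try {
            return ldap.authenticate(userQuery, password);
        } catch (RuntimeException e) {
            // No entry, more than one entry, or a bind error all count as "not verified".
            return false;
        }
    }
}
```

A controller for the sensitive action calls reverifyCurrentUser(request.getParameter("password")) and proceeds only on true; if the re-check should be remembered for a few minutes, store a timestamp in the session rather than the password. Because the username is taken from the existing Authentication and not from the form, the caller cannot verify a different account than the one already signed in.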

How to implement [save password] in the login page with spring security 3

How do I store the login form's values in cookies with Spring Security 3?
Customer requirement:
If you check the [save password] checkbox on the login page, the next time the password will be filled in automatically.
I think I must store the checkbox value when authorized successfully.
And at the next login, if the cookie's flag is true, I will fill in the password.
But I don't know how to code it. Please help me, thank you very much.
Another question: I didn't add the remember-me element in the XML file.
Why can it remember me?
I think you should talk to the customer. A save password option is a bad idea from a web security perspective.
Spring Security supports remember-me authentication, which allows a user to visit a protected website if he has logged in earlier and has not logged out. It does this by using a cookie, but not one containing the password.
Spring Security is not going to help you here. The remember-me functionality in Spring Security is for automatically logging in a user and will not work to prefill the password value in the login form. You can customize a filter or loginSuccessHandler to add your own cookie. Please also see How should I store a user's LDAP password in a cookie? and similar posts on this site that recommend other ways to implement this instead of directly exposing the password (even an encrypted one) in a cookie.
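What the two answers above recommend instead of a saved password, as an added example that is not code from the thread: Spring Security's persistent-token remember-me, whose cookie carries a random series/token pair that is looked up in a database table, plus a custom success handler that sets a second cookie holding only the username so the login form can prefill that field. Spring Security 6 (jakarta servlet API) is assumed; the DataSource bean, the REMEMBER_ME_KEY environment variable, the cookie name last_username and the "login" view name are placeholders.

```java
// Added example, not code from the original thread. Two cookies, neither of
// which contains the password: Spring Security's persistent remember-me
// token (series + random token, stored in the persistent_logins table) and a
// username-only cookie written by the success handler. Assumed names:
// DataSource bean, REMEMBER_ME_KEY env var, last_username cookie, "login" view.

import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.sql.DataSource;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
class RememberMeConfig {

    static final String USERNAME_COOKIE = "last_username";

    @Bean
    PersistentTokenRepository tokenRepository(DataSource dataSource) {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource); // uses the persistent_logins table
        return repo;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, PersistentTokenRepository repo) throws Exception {
        http.authorizeHttpRequests(a -> a
                        .requestMatchers("/login").permitAll()
                        .anyRequest().authenticated())
                .formLogin(f -> f.loginPage("/login")
                        .successHandler(new RememberUsernameSuccessHandler()))
                // Activated by a form checkbox named "remember-me" (the default parameter name).
                .rememberMe(r -> r
                        .tokenRepository(repo)
                        .key(System.getenv("REMEMBER_ME_KEY"))
                        .tokenValiditySeconds(14 * 24 * 3600)
                        .useSecureCookie(true));
        return http.build();
    }

    /** After a successful login, remember only the username, never the password. */
    static class RememberUsernameSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            Cookie c = new Cookie(USERNAME_COOKIE,
                    URLEncoder.encode(authentication.getName(), StandardCharsets.UTF_8));
            c.setHttpOnly(true);       // read server-side when rendering the form; scripts never need it
            c.setSecure(true);
            c.setPath("/login");       // only sent with requests for the login page
            c.setMaxAge(365 * 24 * 3600);
            response.addCookie(c);
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }
}

@Controller
class LoginController {
    @GetMapping("/login")
    public String login(@CookieValue(name = RememberMeConfig.USERNAME_COOKIE, required = false) String last,
            Model model) {
        if (last != null) {
            // The template puts this into the username input's value attribute (escaped).
            model.addAttribute("username", URLDecoder.decode(last, StandardCharsets.UTF_8));
        }
        return "login";
    }
}
```

A browser holding a valid remember-me cookie never sees the login form at all; the username cookie only matters once that token has expired or been cleared. Both cookies are useless to an attacker for learning the password, which is the property the save password feature would have given up.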

ASP.NET MVC Forms Authentication Remember Me

I have an ASP.NET MVC2 application, and I'm using FormsAuthentication to manage the auth cookie. When the cookie expires and the page is accessed, I need to display the username in the field and have Remember Me checked. How can I do this once the cookie has expired and I don't have access to it?
You don't by default. An expired cookie means the client is a completely new user to the system.
Possible solution: you might want to set a cookie with an expiration date in 2099 or so, and store the username in there after logging in. When a "blank" user hits your authentication page, you can check whether the cookie exists, and prefill the username and the Remember Me checkbox.
