In my current project, I have a scenario where user will login into portal and authenticated via TAM(Tivoli). After login into portal there will be a link from which user will be redirected to our application (spring mvc) hosted on JBOSS.
Now the information we have is, user role and group info will be available within our container and we have to make JAAS api call to retrieve user roles and group info which further will be used by spring security for authorization purpose.
I can imagine that this will be a spring pre-authentication scenario where user will already been authenticated (SSO) and for authorization we need to retrieve his role and group info .
Could you please assist me to correct my understanding and how to get those user role/group from JBOSS container using JAAS API?
Any code snippet or link (spring implementation) will be helpful.
Thanks,
CD
It seems you need to create a SSO structure, isn't the Spring documentation useful enough?
You can find the SSO part here: Spring Security Reference: Chapter 9
What ApplicationServer are you using? Can you do a more specific question on some implementation instead?
Related
I have a Java Spring MVC application (note that its not spring boot).
We have a requirement to implement SSO for the users of our application. I did some research, the identity provider (IDP) in our case is Azure AD. The service provider would be my application in this case. I am thinking of using SAML protocol for SSO.
Also note - The application is http based (not HTTPS)
What I've done so far -
I've created an Enterprise Application on Azure and configured entityId and replyURL. I also added a user for this application.
Where I'm stuck -
Although I did read the related Spring documentation to achieve this, since I'm a newbie here, I still don't have a clear path as to how can I take this forward in my application. I found some solutions, they seem to be examples for spring boot. Can someone please help me with guides as to how this can be done in Java Spring? Which maven dependency I could use and any sample example to start working with SAML? A step by step explanation would be highly appreciated, thankyou.
Also, any other options than SAML would also be fine.
The Spring Security SAML extension (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/index.html) had an example web app. You may read the referenced doc and apply it to Spring Security SAML. It should not be too much difference.
I’m very glad to register the flow in the event of implementing Azure AD B2C OIDC/OAuth protocol with existing Spring MVC architecture.
Below Spring docs reveal that how was our existing project's spring-security layer being served in the context of filter-chain.
Pre-requisites
Authentication Filter - Form Based Login with Legacy IDP
Authentication Manager – Providing the user details authorities along with http session object
For accomplishing this Azure B2C Integration, we've gone thro' lot of repos but most of them are relying with Java config based but we were interested on Spring namespace with limited code/architectural change.
Then finally we came to the conclusion that how to extend the spring default auth-filter/manager for getting valid session object from security context based on the Azure provided (id/access) token after the successful user authentication.
Customizing Spring-Security
The detailed documentation on how to extend auth-filter/manager is available here with © reserved by terasoluna.org
We customized the spring security in such a manner that auth-filter will carry the token_validation against the given token from Azure and authentication manager will extract user details such as roles/privileges w.r.t to the object-id mapped in our DB's user entity.
Once the Spring security customization is done then we can able to integrate the Authorization-server [Azure in our case] and Resource-server [Existing Spring Application] by following the conventional methods.
im developing a .net core mvc application with authentication against azure active Directory. My Problem is, that i have two different azure avtice directories which are undepentandend to eachother. Based on the user Input (mail or employenumber) i will decide which active Directory should used.
Any idea or reference?
Thank You!
You're describing a multi-tenant application where the AAD common endpoint is used as the entry point to the application rather than a specific AAD login page. You can configure your application to trust more than one AAD instance. It's rather involved, but MS had good documentation on how to adopt a single tenant app to multi-tenant. I'd also highly recommend Vittirio's blog as a place to learn about AAD auth, and while you're at it, his book titled 'Modern Authentication with Azure Active Directory for Web Applications'
Once you've turned on multitenancy for your application, you'll want to handle AAD validation yourself by checking the tenant id in the incoming SSO request. You do this by overriding SecurityTokenValidated in UseOpenIdConnectAuthentication. You can refer to this example where the code validates against a database.
There are other considerations such as admin consent where an AAD admin has to grant access to restricted permissions to your application. Good explaination here.
There is a very good reliable open-source project for that (Identity Server)
https://github.com/IdentityServer/IdentityServer4
And also you can check that (openiddict)
https://github.com/openiddict/openiddict-core
I am new to Spring world and with the help of lots of information available online, I have pretty much developed Spring MVC Application I am working on currently.
Last piece I have to implement is to integrate OAM SSO in my application to use as authentication.
I searched a lot on web but couldn't find single example of implementing third party Authentication provider.
I finally realized that I have to use PreAuthentication but I am not sure how I would implement it.
I am unable to share my code because any thing I tried until now is not working and I feel that I haven't got right path yet.
Any help would be much appreciated.
To give you brief idea about OAM, OAM authenticates user ID and Passwords and sends you authenticated requests with a cookied, OBSSOCookie. Using this cookies, you need to contact OAM and get User ID and password and also User Roles (Authorities). Any request coming to your application is already authenticated so you do not need to authenticate again. all you need to do is, using this cookie, need to retrieve user Authorities.
For Spring MVC, you could use the spring-webmvc-pac4j security library, instead of Spring Security. Use a CookieClient to deal with the OBSSOCookie and create your own Authenticator to check this cookie against OAM.
I'm new in spring security. In my actual application no spring, it has some methods of authetification, for example, some systems are authenticated by xml document, other systems are authenticated by url with parameters, other system are authenticated by webservices and other system are authenticated by json documents . In my new spring security application at the moment only authetification by login form, but I try bypass login form, to implement the others authentification, but at the moment i don't know to do it. Can anybody help me how to implement the others authentifications?
Best Regards
You need "Multiple Authentication Provider". Have a look to these documents, it explains how to authenticate using Login Form and Restful:
Spring security for both web services and users
https://blog.codecentric.de/en/2012/07/spring-security-two-security-realms-in-one-application/
Spring security with multiple authentication providers - UsernameNotFoundException
http://www.networkedassets.com/configuring-spring-security-for-a-restful-web-services/
4th link works for me, when i set in my navigator http://localhost:8080/rresclick/apiloginuser?username=username&password=password I authenticate well and not show login form. After authentificate, it went to controller.
Now i want to do not show login form when I recive a xml document with user and password. it has do the same.
I've got a webapp which is using Grails with Spring Security plugin for it's authentication and authorisation.
I have a new requirement from the business that they want to force all users upon login to the system, to be displayed our current license agreement or t&cs, the user needs to accept these before being allowed further into the system.
Clearly, once they accept the license/t&cs, then we don't ask them again on future logins.
Does Spring Security support this in any way? Or can you recommend another grails plugin?
One way of doing this would be to add a new field to your User class (e.g. hasAcceptedLicense), redirect the user to a defaultUrl at login (http://docs.spring.io/spring-security/site/docs/3.2.3.RELEASE/apidocs/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandler.html) where they need to read and accept a license, and then have a AccessDecisionVoter (http://grails-plugins.github.io/grails-spring-security-core/v3/index.html#voters) that makes sure they did so.