I have a web application which exposes CXF JAX WS SOAP Services and also an OData REST Service.
As i understand from the spring documentations, in order to authenticate the JAX WS requests we need to create a Interceptor and write our own code to call the spring security Authentication Manager to authenticate the request. This i am able to achieve in my application. But in order to use spring security with JAX WS i have to disable the csrf for the endpoint urls.
Hence i dont want to use spring security for authentication and instead wants to use the container managed security where i can do the check in web.xml itself.
But there are certain roles i want to check at method levels and i find spring security pretty helpful at method level security.
So my question is whether i can use container manage authentication and for authorizations spring security ? Do you see any security issues here ?
and in case i want to enable the csrf for the jax WS endpoints then how can we pass the csrf token for a service call?
Regards,
Soumya Ranjan
Related
Spring Boot Security,
My Application is already running using Spring Security. Now I want to authenticate the users through OAuth. Is there any way to build a custom servlet to achieve this?
You can add a new Filter to intercept and authenticate OAuth requests in which it should call the authenticationManager.authenticate method and save the result of the authentication token in the SecurityContextHolder. This way the user is fully authenticated.
Note, that this way you don't "override" or "bypass" the Spring Security. You just use it to perform a different authentication.
I was wondering about the best way to secure your spring boot application in a dynamic way,
I am using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients,
It's not that hard but it made me questioning whether the spring auth server is the best option or I should go to Keycloak for example ?
best way to secure your spring boot application
The best way to use authentication in spring based application is using spring security. Now it depends on your use-case that you should authenticate user from application database, LDAP or Active Directory, in-memory authentication.
using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients
I believe you meant authentication instead of authorization in above line. You can stick to spring security by building admin console for user management. Both authentication and authorization can be managed from admin console. But as said before it is completely your use-case.
If your usecase says that app-users are already logging in
centralized Active Directory and they dont need to login again for
your application, implement Spring security with LDAP and SSO.
If your usecase say that there is no centralized authentication server and appuser details are very specific to you application, implement Spring securirty with database authentication
I'd like to implement a Single Sign-on (SSO) authentication layer in my Spring-based application with the aim of supporting authentication and authorization from different security domains.
I've chosen Shibboleth as IdP, but I have yet to identify what I will use for the SP.
The choices are:
Spring Security SAML Extension: component enables both new and existing applications to act as a Service Provider in federations based on SAML 2.0 protocol and enable Web Single Sign-On. Spring Security Extension allows seamless combination of SAML 2.0 and other authentication and federation mechanisms in a single application. All products supporting SAML 2.0 in Identity Provider mode (e.g. ADFS 2.0, Shibboleth, OpenAM/OpenSSO, RM5 IdM or Ping Federate) can be used to connect with Spring Security SAML Extension.
Shibboleth (also as SP): Shibboleth is a web-based technology that implements the HTTP/POST, artifact, and attribute push profiles of SAML, including both Identity Provider (IdP) and Service Provider (SP) components.
So, I've some questions:
Is it a good idea to use directly Spring SAML as SP in terms of
scalability and maintainability?
It is possible to use an external SP together with Spring Security? How have I to configure my application and/or my application sever (JBoss 8.0 - WildFly)?
Where do I define the roles (for each scenario)?
Which is the worthwhile choice?
Best regards, V.
The main difference between the two is deployment scenario:
Shibboleth SP plugins are deployed directly to the Apache/IIS web server.
Spring SAML is embedded in your application.
Both have pros and cons.
Is it a good idea to use directly Spring SAML as SP in terms of scalability and maintainability?
Spring SAML
Offers great control over how authentication is performed and how the authentication process interacts with your application. You can e.g. create your own configuration UIs and dynamically add IDPs, create custom login screens as part of your application, have complete and easy control over error handling, easily support multiple IDPs, dynamically configured details of the SSO (requested AuthnContexts, NameIDs, bindings, authentication forcing).
Easily parse received SAML attributes in various formats, support multiple authentication methods in the same application.
Dynamically generate SP metadata, it provides limited multi-tenancy and supports profiles not available in all other options (e.g. Single Logout, Holder of Key, IDP Discovery).
Seamlessly interacts with Spring Security which brings a set of benefits of its own. With Spring SAML you can also configure complete authentication and authorization policy directly in your application (e.g. which pages require authentication or not and when, role based access control to content, authentication step-up on dynamic conditions, ...).
Allows you to deploy the application on any application server or container and behind any reverse proxy or web server with no affect on functionality.
Shibboleth plugins
These are statically configured and typically interact with your application through HTTP headers. They decouple authentication logic from the application itself, so the only thing you need to take care of is acceptance of the headers and initialization of your application session with correct security context. The definition of which pages are secured is present on the IIS/Apache server and based on URL patterns which means that authentication and authorization policy is partly defined outside of your application.
You need to make sure that the application can only be accessed through the web server (= prohibit all direct access) as that would allow forging of the headers.
Doesn't require many changes to the application itself and can therefore typically be easily used with legacy systems.
It is possible to use an external SP together with Spring Security? How have I to configure my application and/or my application sever
(JBoss 8.0 - WildFly)?
Yes, it is possible, but it will require effort. You could e.g. configure WildFly to set a shared domain cookie in encrypted format and verify the cookie in your Spring Security configuration.
Where do I define the roles (for each scenario)?
With Spring SAML you define roles when processing the SAML Response by e.g. parsing of the SAML attributes. This is done by implementing SAMLUserDetailsService interface and plugging in to the samlAuthenticationProvider.
With Shibboleth you can forward attributes received from IDP to your application with headers and parse them in your application.
WildFly (probably) allows you to define security context and roles directly in SP with no need to configure this in your application. Such configuration might not be portable across application servers.
Which is the worthwhile choice?
All options will enable you to perform WebSSO with SAML 2.0. People typically choose based on their requirements (e.g. customization needs), environment (used web server, application server), preferred development methodology (Java, .NET, other), used frameworks, legacy code. Both Spring SAML and Shibboleth plugins are used by many customers.
I have question related to authorization and spring security. To implement authorization checks in one of my services (under a Service Oriented Architecture environment), I was trying to see if I can use Spring-Security. While going through the Spring Security documentation, I read here that spring security uses spring's AOP internally.
Ref: You can elect to perform method authorization using AspectJ or Spring AOP, or you can elect to perform web request authorization using filters. You can use zero, one, two or three of these approaches together. The mainstream usage pattern is to perform some web request authorization, coupled with some Spring AOP method invocation authorization on the services layer.
We are already using Spring AOP in our service implementations. In my case, the requests that will be coming to my RESTful service will carry a custom built token object that should be processed to perform authorization checks.
Based on this, I would like to understand if I can simply use Spring and create an Aspect to catch an inbound request, extract and process the associated (custom built) token and continue/reject the request based on the result ? Do I need spring-security, given that the communication channel is already secured using HTTPS ?
Thanks,
SGSI
For a similar situation we did the following a long time back:
Used an HTTP filter to extract a token from HTTP headers for each request.
Stored the extracted header to thread context.
Added an aspect around service method calls to check the thread context for the token.
This strategy worked well for us. For last many years I have been using Spring Security since it has a more tested and comprehensive implementation for such problems.
If you wish to write your own token-passing implementation, you can check the source code for the Spring Security class SecurityContextHolder that provides multiple ways of passing security information on the execution thread.
I successfully completed login module of my application using spring security's inbuilt authentication & authorization mechanism.But later i was told to check if i can integrate WSO2 (SOA solution as external Authorization mechanism) with Spring security so that i can use Spring security's authentication mechanism alone and WSO2 for authorization instead of using Spring security provided Authorization.
I did search & read the documentation and i could get details about using External authentication with Spring security & nothing about External authorization.I would like to know if i can do the same and also how i can do it.Any pointers will be really helpful for me.