I'm using Spring security to authenticate login, I configure the Spring security in securityContext.xml
<http auto-config="false" use-expressions="true">
<intercept-url pattern="/**" access="hasRole('ROLE_DEV-TEAM')" />
<intercept-url pattern="/customerMgt/customers/admin/**" access="hasRole('ROLE_ADD-COMPANY')" />
<form-login login-page="/login" default-target-url="/main" always-use-default-target="true" authentication-failure-url="/login?error=1"/>
<session-management />
<logout logout-success-url="/login"/>
<!--remember-me /--> <!-- AlexR: I did not have much luck with it in the past and IMO it presents security risk under strict DOD, etc. requirements -->
</http>
<beans:bean name="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<authentication-manager>
<ldap-authentication-provider
user-search-filter="(uid={0})"
user-search-base="ou=Users"
group-search-filter="(uniqueMember={0})"
group-search-base="ou=Groups"
group-role-attribute="cn"
role-prefix="ROLE_">
The Ldap will be replace by Database
Instead of setting the token in session and redirect the client i want to create a custom JWT with Token and send it back to the client
Spring Security does not have out-of-the-box support for token authentication. It is however very much doable. You will need to provide your own implementation of the following:
TokenAuthenticationFilter - authenticates JWT token provided in a request header for every request. Replace BasicAuthenticationFilter with it.
LoginController - authenticates given credentials and places a JWT token in the response header
JWTAuthenticationService - handles token creation, encryption, decryption and validity check. Used by the two above.
When using token authentication, your security context should be stateless and each request gets authenticated by the TokenAuthenticationFilter. Therefore, configure http security to stateless session management and a http403forbiddenentrypoint.
How about to use the spring-security-jjwt https://github.com/wnameless/spring-security-jjwt.
BTW, I am the author of this library. It provides the JWT security service which meets your requirements.
Related
I am looking for binding information (for WCF service) to consume EWS asmx (exchange web service) with authentication OAuth 2.0.
I am having WCF service which calls EWS asmx web service to do outlook exchange operation. This set up works fine with Outlook Exchange OnPrem set up.
Now I want to migrate this for exchange online. Authentication mechanism is by using OAuth 2.0. https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
I am able to generate token using my AppId & TenantID and call EWS without any issues from my console application. Same way I am able to generate token in my WCF service as well which calls EWS asmx however, strugging with specifying binding information in the web.config file.
I have tried all the possible options here but getting different exceptions all the time like
-"The http request is unauthorized with client authentication scheme 'ntlm'. The authentication header received from server was 'Basic Realm=""'.
"The http request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from server was 'Basic Realm=""'.
Just one example of binding I tried
<binding name="XXXX" ....useDefaultProxy="true">
<security mode="Transport">
<transport clientCredentialsType="Windows" proxyCredentialsType="Basic" realm="*" />
<message clientCredentialsType="UserName" algorithmSuite="Default" />
</security>
</binding>
Can anyone suggest what should be the binding information in wcf service to call asmx which has OAuth2.0 authentication mechanism ?
Thanks,
Your error is most likely that you did not enable authentication, you can find your service in iis, and then open it in Authentication.
You need to turn off Anonymous Authentication and enable Windows Authentication.
I have .net mvc application which is integrated with Azure B2C using Owin Middleware. Azure AD B2C is setup with a custom signup only policy.
After Signup, id_token is been returned to the .net application. But session cookie is not created. I noticed If click on login again and redirect user B2C,session cookie is created and logged in to the application.
My policy includes following user journey. Do I need to include any additional steps to pass the session cookie to the application after Signup?
<UserJourney Id="SignUp">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
<ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
"state" property was the key to the solution. Owin middleware maintains the state=OpenIdConnect.AuthenticationProperties%3dHxxxx in the URL.
When the user clicked on the signup link. it was a JavaScript redirect to b2c signup page without the state properties. We had ignored the state property that was auto-generated by the middleware.
After signup when the user was redirected back to the home page. Owin middleware will not create the session as it did not find the original state property it had added in the request.
Its nowhere mentioned that's how OpenIdConnect middleware creates a cookie session. This comment was a bit of clue
I want to enable App Service Authentication to protect development environment from public access.
The App Service authentication itself is working fine, only people from our company Azure AD are allowed, all good.
But it is conflicting with the authentication of the website itself, after authenticating through Azure AD the website sees you as you are already logged in.
And I don't understand how exactly it ends up conflicting, we are using Forms authentication, I've tried explicitly naming the cookie that forms auth should look for, and setting it to always use cookies for authentication, yet it's still conflicting.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/sign-in" timeout="2880" requireSSL="true" cookieless="UseCookies" />
</authentication>
After logging in through microsoft, I see there's no .ASPXAUTH cookie, only AppServiceAuthSession, yet Forms auth sees me as logged in.
I think you can solve this by removing the auth setting in web.config and use OWIN to inject a middleware (CustomMiddleware) before Authentication of the website itself. If user is authenticated by your CustomMiddleware, you carry on with your regular flow otherwise short circuit the request flow. In CustomMiddleware you can inspect the request headers, body etc to have authenticated cookie etc. I guess you have MVC style pipeline in your application. There are number of resources on internet which you can explore. One example is below.
https://www.tutorialsteacher.com/core/how-to-add-custom-middleware-aspnet-core
I have a use case where a web application needs to let users authenticate in two different ways but using the same user data store (aka IDP) via SAML.
User's browser is redirected to IDP and redirected back with SAML assertion (aka WebSSO Profile).
User makes request to SP providing their credentials via Basic Authentication. SP would then need to send the user's credentials to the IDP and the IDP would provide an assertion all through a back channel (server to server).
I'm using Spring Security SAML extension. The sample application in Spring SAML contains both basic authentication with username and password and SAML-based authentication but the Basic Auth portion uses local accounts defined in the securityContext.xml file. I need to use the user accounts on the IDP. Is this possible? If so, how do I configure Spring SAML?
There is no standard SAML WebSSO mechanism which would allow SP to request assertion for a specific user by providing her credentials. You might want to look into WS-Trust standard which covers such use-cases using its Request security token methods (RST/RSTR calls). Another quite standardized way to do this is Client Credentials grant of OAuth 2.0. Both are out of scope for Spring SAML, but can be combined with it.
Is it possible to use Spring Security SAML module for enabling SAML 2.0 Service Provider functionality with CAS? Native SAML support in CAS does not support this. We have a web application which already uses CAS for authentication and now there is a requirement to enable SAML SP and IdP Initiated federated SSO into this application. CASShib makes this possible but we would have to use Shibboleth in addition to CAS and there are also some issues with CASShib.
If you want to use Shibboleth as your SAML Idp, you can use CAS for authenticating users using this method: https://github.com/Unicon/shib-cas-authn2