I'm currently creating a new application that requires users to login. I want to use the Spring Security Core plugin for this, but the only problem is that the credentials of the users are stored in a centralized system, and not locally in the database. This system can only be accessed by an API, and will tell me whether the credentials are correct or not.
Is there any way to override the credentials check of the Spring Security Code plugin, so I can check the credentials myself? Or in case this is not possible, is there any other workaround?
It belongs on what your system looks like.
You can write your own Authentication Provider.
Here is answer.
You can create your own User class with datasource set on your centralized system database.
Or you can use Spring Security CAS Plugin
Related
I was wondering about the best way to secure your spring boot application in a dynamic way,
I am using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients,
It's not that hard but it made me questioning whether the spring auth server is the best option or I should go to Keycloak for example ?
best way to secure your spring boot application
The best way to use authentication in spring based application is using spring security. Now it depends on your use-case that you should authenticate user from application database, LDAP or Active Directory, in-memory authentication.
using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients
I believe you meant authentication instead of authorization in above line. You can stick to spring security by building admin console for user management. Both authentication and authorization can be managed from admin console. But as said before it is completely your use-case.
If your usecase says that app-users are already logging in
centralized Active Directory and they dont need to login again for
your application, implement Spring security with LDAP and SSO.
If your usecase say that there is no centralized authentication server and appuser details are very specific to you application, implement Spring securirty with database authentication
everybody!
In my project I use SSO with CAS. But what if the CAS-server is down?
I want a user to be able to login with a simple login/password form when CAS is not available.
Is it possible to configure Spring Security that way?
What should I do to achieve this?
Having said that you use SSO and wanting to use Spring Security as a backup when CAS is down, I am trying to understand how the SSO part will work with spring security. You can certainly implement your own version of single sign on with spring security using oauth2 services or your own implementation. If you did implement something like that, it brings up a question of redundant SSO services, managing them and maintaining them.
CAS, to my understanding, is primarily used for SSO purpose and has its own set of configuration. I am sure, you would have cassified your application for this purpose as well.
Is CAS server being down is an issue, I would suggest setting up a backup or standby for CAS server or building your own single sign on solution. I am trying to say that it is "either or" is more recommended than "having both"
I've got a webapp which is using Grails with Spring Security plugin for it's authentication and authorisation.
I have a new requirement from the business that they want to force all users upon login to the system, to be displayed our current license agreement or t&cs, the user needs to accept these before being allowed further into the system.
Clearly, once they accept the license/t&cs, then we don't ask them again on future logins.
Does Spring Security support this in any way? Or can you recommend another grails plugin?
One way of doing this would be to add a new field to your User class (e.g. hasAcceptedLicense), redirect the user to a defaultUrl at login (http://docs.spring.io/spring-security/site/docs/3.2.3.RELEASE/apidocs/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandler.html) where they need to read and accept a license, and then have a AccessDecisionVoter (http://grails-plugins.github.io/grails-spring-security-core/v3/index.html#voters) that makes sure they did so.
I am using Spring security for Authentication and Authorization in my application. I am using Neo4j database as backend and implemented userDetailsService for authentication.
However, whenever my application restarts, user is forced to login once again.
To overcome this, i am thinking to store session information in redis database and load the data to Spring security Context whenever application gets started.
Kindly pass on if there are any articles and pointers to implement the same.
I am thinking of following implementation for it,
1) For every successful authentication, store user details and session details in redis.
This must be implemented in loadUserByUsername() method of UserDetailsService implementation
2) Remove the data from redis, whenver user logs out, Where can i do this information? Is there any spring security function where i can call this
3) Load all the data from redis to spring security whenever application restarts, again where do i need to write this logic?
Please let me know if i have missed any information.
All you need to do is to implement a
SecurityContextRepository that handles security context storage to reds
Eventually a custom filter that retrieves/ stores session information (GenericFilterBean)
I think it is possible to just give the standard filter a different repository, but I am not sure, I needed my own implementation anyway...
Store session in a redis is out-of the box functionality now
http://docs.spring.io/spring-session/docs/current/reference/html5/guides/httpsession.html
You need to configure remember-me feature of Spring Security.
Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.
More information available in Spring Security documentation:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/remember-me.html
You can use out of box implementations or inject your own (aforementioned redis).
As Luke Taylor said, Tomcat's default action is serialize/deserialize sessions on container restart.
Here
pathname attribute of standard manager is the name of the serialization file. If you dont specify a path name attirbute the default is SESSIONS.SER
If you dont want to have sesssions back when restarted, you need to specify it as empty string value..
I am using grails/spring security/oauth plugins. However, when using an oauth provider the system still requires the user to create a username and password in system to complete the registration process. Is there any way to make the username/password not required if the user is using an oauth provider? Maybe by making the email address the username (another thing I would like to do but can not find an easy solution)?
Thanks
You need to bind the 3rd party authentication somewhere to your local security setup. This is what the SecUser class is for (see: spring-security-core plugin). You can generate this class and modify it to suit your needs. The OAuth bit I don't know much about but I assume there are some callback points where you can add the behaviour you want. (OAuth ID Class perhaps?)