In the Spring Boot Reference Guide it is mentioned that Spring Boot Actuator can be used "to implement lock-out policy based on authentication failures".
Is there any code example how to do it?
No there isn't. You would need to implement an AuditListener or an AuditEventRepository (easier the latter) and use it to count successive authentication failures.
Related
Could anyone describe what is difference between openfeign/feign and spring cloud openfeign? I see spring cloud openfeign depends on openfeign/feign, but I couldn't get specific differences.
Is it always recommendable to use spring cloud openfeign rather than vanilla feign when I use spring framework?
https://github.com/OpenFeign/feign
https://github.com/spring-cloud/spring-cloud-openfeign
OpenFeign/feign is a complete http client binder solution which can use multiple different libraries
Spring Cloud Openfeign
provides OpenFeign integrations for Spring Boot apps through
autoconfiguration and binding to the Spring Environment and other
Spring programming model idioms.
"Spring Cloud Openfeign" is only for spring, "OpenFeign" can work without spring environment.
Conclusion, if you are using spring go with "Spring Cloud Openfeign"
PS:https://youtu.be/3NcmlrumSOc this video explains with all details.
I have a Java Spring MVC application (note that its not spring boot).
We have a requirement to implement SSO for the users of our application. I did some research, the identity provider (IDP) in our case is Azure AD. The service provider would be my application in this case. I am thinking of using SAML protocol for SSO.
Also note - The application is http based (not HTTPS)
What I've done so far -
I've created an Enterprise Application on Azure and configured entityId and replyURL. I also added a user for this application.
Where I'm stuck -
Although I did read the related Spring documentation to achieve this, since I'm a newbie here, I still don't have a clear path as to how can I take this forward in my application. I found some solutions, they seem to be examples for spring boot. Can someone please help me with guides as to how this can be done in Java Spring? Which maven dependency I could use and any sample example to start working with SAML? A step by step explanation would be highly appreciated, thankyou.
Also, any other options than SAML would also be fine.
The Spring Security SAML extension (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/index.html) had an example web app. You may read the referenced doc and apply it to Spring Security SAML. It should not be too much difference.
I’m very glad to register the flow in the event of implementing Azure AD B2C OIDC/OAuth protocol with existing Spring MVC architecture.
Below Spring docs reveal that how was our existing project's spring-security layer being served in the context of filter-chain.
Pre-requisites
Authentication Filter - Form Based Login with Legacy IDP
Authentication Manager – Providing the user details authorities along with http session object
For accomplishing this Azure B2C Integration, we've gone thro' lot of repos but most of them are relying with Java config based but we were interested on Spring namespace with limited code/architectural change.
Then finally we came to the conclusion that how to extend the spring default auth-filter/manager for getting valid session object from security context based on the Azure provided (id/access) token after the successful user authentication.
Customizing Spring-Security
The detailed documentation on how to extend auth-filter/manager is available here with © reserved by terasoluna.org
We customized the spring security in such a manner that auth-filter will carry the token_validation against the given token from Azure and authentication manager will extract user details such as roles/privileges w.r.t to the object-id mapped in our DB's user entity.
Once the Spring security customization is done then we can able to integrate the Authorization-server [Azure in our case] and Resource-server [Existing Spring Application] by following the conventional methods.
I have a web application which exposes CXF JAX WS SOAP Services and also an OData REST Service.
As i understand from the spring documentations, in order to authenticate the JAX WS requests we need to create a Interceptor and write our own code to call the spring security Authentication Manager to authenticate the request. This i am able to achieve in my application. But in order to use spring security with JAX WS i have to disable the csrf for the endpoint urls.
Hence i dont want to use spring security for authentication and instead wants to use the container managed security where i can do the check in web.xml itself.
But there are certain roles i want to check at method levels and i find spring security pretty helpful at method level security.
So my question is whether i can use container manage authentication and for authorizations spring security ? Do you see any security issues here ?
and in case i want to enable the csrf for the jax WS endpoints then how can we pass the csrf token for a service call?
Regards,
Soumya Ranjan
Spring session seems like a very interesting project but I have not been able to find much information on how to properly incorporate it in a spring security application. The readme on project github page has some information but I dont think thats applicable to spring security. Another example thats mentioned on the same page is to utilize this mechanism for REST access. Thats another use case that i think can benefit from an example. I would appreciate if some information on the subject can be shared. Thanks.
You can use Spring Session with Spring Security by simply ensuring to place the Spring Session Filter before Spring Security's filter. There is also an security sample project that demonstrates the use of Spring Session with Spring Security within the distribution. You can run it by cloning the repository and running the following:
./gradlew :samples:security:tomcatRun
The application will be available at http://localhost:8080/
I have question related to authorization and spring security. To implement authorization checks in one of my services (under a Service Oriented Architecture environment), I was trying to see if I can use Spring-Security. While going through the Spring Security documentation, I read here that spring security uses spring's AOP internally.
Ref: You can elect to perform method authorization using AspectJ or Spring AOP, or you can elect to perform web request authorization using filters. You can use zero, one, two or three of these approaches together. The mainstream usage pattern is to perform some web request authorization, coupled with some Spring AOP method invocation authorization on the services layer.
We are already using Spring AOP in our service implementations. In my case, the requests that will be coming to my RESTful service will carry a custom built token object that should be processed to perform authorization checks.
Based on this, I would like to understand if I can simply use Spring and create an Aspect to catch an inbound request, extract and process the associated (custom built) token and continue/reject the request based on the result ? Do I need spring-security, given that the communication channel is already secured using HTTPS ?
Thanks,
SGSI
For a similar situation we did the following a long time back:
Used an HTTP filter to extract a token from HTTP headers for each request.
Stored the extracted header to thread context.
Added an aspect around service method calls to check the thread context for the token.
This strategy worked well for us. For last many years I have been using Spring Security since it has a more tested and comprehensive implementation for such problems.
If you wish to write your own token-passing implementation, you can check the source code for the Spring Security class SecurityContextHolder that provides multiple ways of passing security information on the execution thread.