I am using spring security in my application for authenticating. I want to fail all logins which happened within a specific time period since session start(e.g 150ms). I can write code to achieve this. I wanted to know if spring security has this functionality built in where I can specify a timeperiod and all login request within that specified time fails.
Thanks,
I think there is no such built-in mechanism in spring for this usecase. Your requirement seems not really a common requirement and therefore could not be expected to find something like this in a general programming framework.
Related
We have an existing Jetty Application using Shiro that we are moving to Spring Boot, and were wondering which is more straightforward to integrate with our Spring Application, Apache Shiro or Spring Security? We're looking into implementing OAuth2 soon, and we were recommended Spring Security since we were moving this to Spring Boot. Does anyone have any input they could give us?
As you already have Apache Shiro as your security framework. It would be wise to let it be as is. Shiro easily integrates with spring and works with OAuth2 (https://github.com/zhangkaitao/shiro-example/blob/master/shiro-example-chapter17-client/src/main/java/com/github/zhangkaitao/shiro/chapter18/oauth2/OAuth2Realm.java). In case you swith to spring security you will have to reconsider everything again and a large changeset.
If you have a rather small application with not too many users and roles and don’t need to use any overly advanced features, feel free to use Java EE Security. It provides a solid base just for that. Java EE Security possibilities are quickly exhausted though. For example, you can specify only one authentication mechanism for the whole application. Also, if the application needs to be portable, one should definitely use one of the other two frameworks.
Now if there is need for a largely independent, lightweight and extensible security solution, Apache Shiro is the way to go. The downside, however, is that it might take some time to overcome problems. One might also have to implement some features by themselves. Shiro’s design (interface-driven and POJO-based) facilitates this, however.
At last, if the application is already Spring-based, one might as well stay on the train and use Spring Security, there aren’t any real downsides in this case (beside Spring Security being somewhat harder to implement). This is different for spring-less applications, even more if one never has worked with Spring before. Implementation of advanced features is even harder at first and annotations cannot be used unless Spring itself or AspectJ are included. Also, if there is need for Spring OAuth2, one must use spring-mvc, instead of Jersey or RESTeasy, to create REST resources.
With this, our comparison comes to an end. Again, a small reminder about the relativity of our observation. Experiment with the frameworks by yourself and use the one that suits your needs best.
How to secure REST services (OAuth) with Spring Boot?
The closest I can get is:
http://spring.io/guides/gs/securing-web/
http://spring.io/guides/gs/authenticating-ldap/
You could add the OAuth2AuthenticationProcessingFilter pretty easily to a Boot app. The closest sample would probably be the spring-boot-sample-secure, since it explicitly adds a WebSecurityConfigurerAdapter, which is what you'd have to do. There is no native autoconfiguration support for OAuth in Spring Boot yet (but please feel free to add it). It is on the roadmap, but unlikely to get a lot of attention unless more people ask for it.
I am in an early stage of a small Spring-based project which utilizes Spring Data Neo4j with an embedded database (but possibly could use a server instance in a later development , too).
My data model and relationships have been designed, Spring Security (with Neo4j), MVC and tiles are set up and also seem to be fully functional.
Now I have the additional requirement to allow login with social networks.
I'm really stuck with trying to integrate Spring Social with my above mentioned setup. Basically I have a rough idea that I need to make use of the cross-store Neo4j component but have no real clue, how I could start with it.
I tried to find something useful for my case (SDN Neo4j + Spring Social Security) on github but was not really successful with that either.
Can anyone provide me an example configuration or even point me to some examples (I obviously didn't find before) ... any help is highly appreciated.
I don't think there is a Spring Social connector yet, but it shouldn't be too hard to write (there is one for Mongo). If nothing else, you can use the https://code.google.com/p/google-api-java-client/ directly form a service, exposing the google oauth callback from a Spring Controller, should work too.
https://code.google.com/p/google-api-java-client/
Neo4j connection repository for Spring social has been implemented here using neo4j-ogm. You can reuse that. https://github.com/maciossek/spring-social-neo4j
My problem:
I would love to use the Spring Security plugin's access control/authorization mechanism with my Grails application without having to use the plugin's authentication mechanism. The various Grails Spring Security plugin examples (like this one) I've found combine these two functions. Is there an easy way to just do access control?
Background:
I would like to add roles-based access control to my existing app. I would love to either just annotate my controllers or use the Config.groovy map approach for setting up the access control.
My app already has a user domain class.
The user domain class already handles encrypting passwords using BCrypt.
The app does not have a "role" domain class.
I already have controller actions, views and business logic for handling logging in and logging out. I have no interest in replacing this with the plugin's implementation.
On the right track, but not quite helpful:
I know this is possible to do, as explained in this other question: BUT, that questions and its answers explains how to do it in a Java app using the raw Spring Security framework. I would love for someone to lay out how to do this in a way that is compatible with the latest version (1.2.7.3 as of this writing) of the Grails Spring Security plugin. I don't want to reinvent wheels that have already been taken care of by the plugin.
In addition, this example explains how to do some of this, but it appears to be outdated because it is based on an older version of the plugin that uses Spring Security 2.x. It also only uses custom authentication for one piece of the app, while it looks like it still uses the Spring Security plugin's domain classes elsewhere.
How to do it?
Can someone lay out an approach for me?
I assume I need to create my Role domain class.
After that I assume it will involve custom Authentication objects and the like. But how do I hook them into use the plugin's existing code?
You could go with a custom authentication provider and I have an updated version that I did as part of a recent talk. See this blog post which has a sample app and link to a video of the talk: http://burtbeckwith.com/blog/?p=1090
It would be simple to use a custom UserDetailsService - this is the most common customization done for the plugin and it so has its own chapter in the docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Basically you need to create a Spring Security User instance and Spring Security (and the plugin) doesn't care how you get the data. So your custom UserDetailsService just needs to be a bridge between your current auth scheme and Spring Security.
I ended up creating my own access control/authorization mechanism rather than using the Spring Security plugin. I never could figure out how to separate the plugin's authentication mechanism from the authorization mechanism. Doing the work myself was very easy.
I did the following:
Created a new Role domain class.
Added a Set property and hasMany relationship to my User domain class.
Created a new AuthorizationFilters filter. This is where I put in my authorization rules. In this filter I can check to see if a user has the role necessary to access the given URL and redirect to a login page, redirect to a "not authorized page" or allow them to pass.
This doesn't have the nice syntactic sugar of the plugin and isn't quite as concise either, but it was very easy to implement and understand.
I mean need different:
Login URL
Login out url
session time url
authentication provider
error page
css
for different entry point.
Is this possible?
From 3.1.0 (which is currently beta) it will support multiple <http> elements in the namespace.
So short answer:
In 3.1.x yes.
In 3.0.5.RELEASE no.
Longer aswer:
Here is additional info, check the links in the comments also.
I had a similar problem once, since I had multiple entry points.
A good way IMO would be to make a new login page which decides which login page to redirect to or even calls the logic of the other entry points. Then you can point spring to the new page.
I'm pretty sure this can be done inside the filter chain, but I wouldn't recommend it since you will need a lot of manual coding and bean definitions. Generally I don't think 3.0.5 was designed for multiple entry points.
With multiple <http../> elements, you can achieve most of what you want but the authentication manager is going to be common and that means authentication providers are going to be common. See the issue faced by #David Parks in the post Spring Security 3.1.0.RC1: With multiple elements why can I only register one authentication manager?.
You can see my answers to similar questions such as Configuring Spring Security 3.x to have multiple entry points and Authenticate user using external webservice in grails to develop custom code to execute entry point specific authentication providers. This can be implemented in 3.0.5 as well.
You can implement solution in 3.0.5 without multiple <http../> elements but you will be need to develop custom code to handle logout and error pages.
There is org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint
since 3.0.2.
It might help.