Spring Boot authentication across apps - spring-security

If I have multiple Spring Boot apps running that both import their authentication manager from the same source, how can I log in to one app and then be able to access the second app without having to log in again?
This is a Maven multi module project where the security config is contained in a shared module that each other module depends on.
Thanks

Even though they are importing the same authentication manager, if these are separate apps running in separate JVMs you will need something that they can all talk to.
I would suggest using CAS. With CAS, when a user needs to log in they will be redirected to CAS for a login screen. After successfully logging in they will be redirected to your application. If the user is already logged in to CAS when redirected to it, they will be immediately redirected to the app without the user even noticing. There is some Spring Security documentation for using CAS. However, I will warn you it is not trivial to set up.
The other option I might suggest is OpenID, which again has Spring Security documentation; however, I have no experience with it.
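The CAS setup the answer recommends, as an added example that is not the answerer's code: one Spring Boot app configured as a CAS client. All names are placeholders: the CAS server is assumed at https://cas.example.com/cas, this app at https://app1.example.com, Spring Security 6 with the spring-security-cas module and the Apereo CAS client 4.x on the classpath (older releases use the org.jasig.cas.client package instead), and an existing UserDetailsService bean that loads the app's roles by username.

```java
// Added example (not the answerer's code): a Spring Boot app as a CAS client.
// Placeholders: CAS server https://cas.example.com/cas, this app at
// https://app1.example.com, and a UserDetailsService bean provided elsewhere.
package com.example.sso;

import org.apereo.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class CasClientConfig {

    // Placeholders; in a shared security module these would come from each app's properties.
    private static final String CAS_SERVER = "https://cas.example.com/cas";
    private static final String THIS_APP_SERVICE = "https://app1.example.com/login/cas";

    // Identifies this app to CAS; CAS redirects the browser back to this URL with a service ticket.
    @Bean
    ServiceProperties serviceProperties() {
        ServiceProperties properties = new ServiceProperties();
        properties.setService(THIS_APP_SERVICE);
        properties.setSendRenew(false); // false = reuse the user's existing CAS session, no re-prompt
        return properties;
    }

    // Validates the service ticket against the CAS server, then loads this app's roles for the user.
    @Bean
    CasAuthenticationProvider casAuthenticationProvider(UserDetailsService userDetailsService) {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setServiceProperties(serviceProperties());
        provider.setTicketValidator(new Cas20ServiceTicketValidator(CAS_SERVER));
        provider.setAuthenticationUserDetailsService(new UserDetailsByNameServiceWrapper<>(userDetailsService));
        provider.setKey("app1-cas-provider"); // opaque provider key; use a different value per app
        return provider;
    }

    // Unauthenticated requests are bounced to the CAS login page carrying this app's service URL.
    @Bean
    CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
        entryPoint.setLoginUrl(CAS_SERVER + "/login");
        entryPoint.setServiceProperties(serviceProperties());
        return entryPoint;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, CasAuthenticationProvider provider) throws Exception {
        // Handles GET /login/cas?ticket=ST-... when the browser comes back from CAS.
        CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
        casFilter.setAuthenticationManager(new ProviderManager(provider));
        casFilter.setServiceProperties(serviceProperties());

        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .exceptionHandling(ex -> ex.authenticationEntryPoint(casAuthenticationEntryPoint()))
            .addFilter(casFilter);
        return http.build();
    }
}
```

The second app gets the identical configuration with only its own service URL and provider key changed. After the user logs in through app1, the browser holds CAS's ticket-granting cookie, so app2's redirect to the CAS login URL returns immediately with a fresh service ticket and no prompt. Note that each app still keeps its own HTTP session: logging out of app1 does not end app2's session unless CAS single logout is also wired up.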

Related

Authenticating questions, possible to bridge kerberos to oauth?

First of all I just want to mention that I have really bad knowledge of this topic. But my problem is that I have a Grafana instance running in OpenShift that is using oauth-proxy for authentication.
At my company we are using a Kerberos solution to automatically authenticate users accessing company domains. The problem is that we want to manage which groups have access to the Grafana instance and, if possible, authenticate in the background without the users having to enter any usernames/passwords.
As I understand it, the current Kerberos solution works like this:
User -> company.com -> SSO-server -> [fetch user from LDAP] -> If Authenticated, Redirect to company.com
Is it somehow possible to do something similar:
User navigates to grafana.company.com
grafana.company.com redirects to sso-server
Magic Kerberos authentication occurs
Redirects back to grafana.company.com
Somehow authenticate the user directly from Grafana or oauth-proxy
It is possible; any web-based SSO system that asks you for username/password can instead ask for a Kerberos ticket at the same point. (The latter is done using HTTP-level "Negotiate" authentication, also known as "SPNEGO".) Once the SSO system has established your identity, it'll happily issue the same OIDC or SAML tokens regardless of what kind of authentication was used.
For example, the Keycloak OIDC IdP has built-in support for HTTP Negotiate; search the docs for "SPNEGO". Shibboleth IdP (for SAML) has SPNEGO support as well.
Also, any SSO system that supports getting the 'REMOTE_USER' assertion from the web server (instead of using its own credential prompts) can be used with Kerberos, using e.g. Apache mod_auth_gssapi or Nginx spnego-http-auth modules.

OAuth2 without a browser?

Is opening a browser to display a login page, which was generated from the site performing the authentication, built into the OAuth2 specification?
My requirements and constraints are going to prevent me from having a browser on the device. However, a request to authenticate the user against Azure Active Directory has been made. They are really looking for the desktop application to have fields in its own GUI for the username and password, and the ability to check if that's a registered user or not.
Is opening a browser to display a login page, which was generated from the site performing the authentication, built into the OAuth2 specification?
It is related to the OAuth2 flow specification being used, not to the OAuth2 specification itself.
My requirements and constraints are going to prevent me from having a browser on the device.
That means you can't follow RFC 8252 (where that browser is required).
So your only option is the Resource Owner Flow/Direct Access Grant. But it isn't "secure", because the app will have access to the user's credentials. Other cons: single sign-on won't work, some IdPs may also have problems with multi-factor authentication for this flow, and enterprise security departments usually don't like this flow at all.

Spring boot Openid Connect refresh token

I am new to Spring Boot and OpenID Connect. I am following this article and have successfully authenticated the user and created the session in my Spring Boot application. Now I am stuck on implementing these two requirements:
How do I use the refresh token grant type to renew the access token? Do I need to write one more filter to check every time whether the token is expired and renew it?
In that case, how do I replace the existing UsernamePasswordAuthenticationToken in the session? Could you provide me some sample code?
How do I handle SSO? I am going to have multiple applications on different platforms; the requirement is to log out the user from all applications if he logs out from any application. In Angular or any front-end application, it can be done by following the OIDC specification for session management. But my application is Spring Boot, how do I achieve this?
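Both the browserless OAuth2 answer above (Resource Owner Password grant) and the refresh-token part of this question come down to the same thing: a form-encoded POST to the provider's token endpoint. The following is an added example, not code from either question or any answer on this page: a small token-endpoint client that issues the password grant and the refresh_token grant, and a renewIfNeeded helper that a per-request filter would call. It assumes Java 17+ (java.net.http, records) and Jackson, which Spring Boot ships; the endpoint, client id and scopes are placeholders.

```java
// Added example, not code from this page: an OAuth2/OIDC token-endpoint client
// for the password grant (RFC 6749 section 4.3) and the refresh_token grant
// (RFC 6749 section 6). Endpoint and client id are placeholders.
package com.example.oidc;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public final class TokenEndpointClient {

    /** Access/refresh tokens plus an absolute expiry derived from expires_in. */
    public record TokenSet(String accessToken, String refreshToken, Instant expiresAt) {
        /** True when the access token is expired or will be within a 30 s safety margin. */
        public boolean needsRefresh(Instant now) {
            return !now.plus(Duration.ofSeconds(30)).isBefore(expiresAt);
        }
    }

    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper json = new ObjectMapper();
    private final URI tokenEndpoint;
    private final String clientId;

    public TokenEndpointClient(URI tokenEndpoint, String clientId) {
        this.tokenEndpoint = tokenEndpoint;
        this.clientId = clientId;
    }

    /** Password grant: the app handles the raw password, which is the drawback the answer above names. */
    public TokenSet passwordGrant(String username, String password, String scope)
            throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "password");
        form.put("client_id", clientId);
        form.put("scope", scope);
        form.put("username", username);
        form.put("password", password);
        return post(form, null);
    }

    /** Refresh grant: trade the refresh token for a new access token without user interaction. */
    public TokenSet refreshGrant(TokenSet current, String scope) throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "refresh_token");
        form.put("client_id", clientId);
        form.put("scope", scope);
        form.put("refresh_token", current.refreshToken());
        return post(form, current.refreshToken());
    }

    /** What a per-request filter would call: refresh only when the access token is (about to be) expired. */
    public TokenSet renewIfNeeded(TokenSet current, String scope) throws IOException, InterruptedException {
        return current.needsRefresh(Instant.now()) ? refreshGrant(current, scope) : current;
    }

    private TokenSet post(Map<String, String> form, String previousRefreshToken)
            throws IOException, InterruptedException {
        String body = form.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
        HttpRequest request = HttpRequest.newBuilder(tokenEndpoint)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        JsonNode node = json.readTree(response.body());
        if (response.statusCode() != 200) {
            // Report only the error code: the form holds credentials and must not reach logs.
            throw new IOException("token endpoint returned " + response.statusCode()
                    + ": " + node.path("error").asText("unknown_error"));
        }
        Instant expiresAt = Instant.now().plusSeconds(node.path("expires_in").asLong(0));
        // Providers may rotate the refresh token or omit it; fall back to the one already held.
        String refreshToken = node.hasNonNull("refresh_token")
                ? node.get("refresh_token").asText() : previousRefreshToken;
        return new TokenSet(node.path("access_token").asText(), refreshToken, expiresAt);
    }
}
```

For the Azure AD case in the earlier question, tokenEndpoint is the tenant's v2.0 token endpoint (https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token, with <tenant> as a placeholder), and a refresh token is only issued when the scope includes offline_access. In the Spring Boot app, keeping the TokenSet in the HTTP session beside the existing Authentication means a refresh replaces only the token object, not the UsernamePasswordAuthenticationToken; the session's Authentication needs replacing only when the refresh fails and the user must log in again.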

Single Sign On for Intranet with Vaadin & Springboot - security

We have a Vaadin / Spring Boot application which should be accessible via a browser, without login, from the intranet only.
We would like to implement SSO with the Windows login (Active Directory).
The goal is high security with least configuration as the application is sold to customers.
I came up with the following scenario:
Receive the IP address of the client accessing the Vaadin application.
Look up in the Active Directory / domain controller, which is in RW mode, which user is online with this IP address at this very moment.
Check the rights of this user managed by the Active Directory groups.
Make the application available with the logged-in user for the client requesting it.
IP spoofing is not possible (as the connection is bidirectional; also, users have no access to network devices).
This login process is only done once, to initiate the session.
Am I correct with these thoughts? Can you see any security issues? Is it really necessary to use certificates?
What would you recommend if so? Kerberos, CAS, x509, SAML?
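The Kerberos option asked about here is the HTTP Negotiate (SPNEGO) mechanism the earlier Kerberos-to-OAuth answer describes. As an added example that is not code from either post, this is a Spring Boot configuration that accepts a Kerberos ticket over Negotiate, so a domain-joined Windows client is signed in without a prompt. It assumes the spring-security-kerberos-web module is on the classpath, a keytab for the service principal HTTP/app.corp.example.com@CORP.EXAMPLE.COM (placeholder), and a UserDetailsService bean that maps the principal name to application roles from AD groups.

```java
// Added example (not from either post): Spring Security Kerberos SPNEGO login.
// Placeholders: the service principal, keytab path, and the UserDetailsService
// bean that turns a principal name into roles.
package com.example.spnego;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SpnegoConfig {

    // Decrypts the incoming service ticket with the key from the keytab; the SPN must
    // match the hostname the browser uses, or the KDC issues a ticket for a different service.
    @Bean
    SunJaasKerberosTicketValidator ticketValidator() {
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal("HTTP/app.corp.example.com@CORP.EXAMPLE.COM"); // placeholder SPN
        validator.setKeyTabLocation(new FileSystemResource("/etc/app/http.keytab"));  // placeholder path
        return validator;
    }

    // Turns a validated ticket into an Authentication carrying the app's roles.
    @Bean
    KerberosServiceAuthenticationProvider kerberosProvider(UserDetailsService userDetailsService) {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(ticketValidator());
        provider.setUserDetailsService(userDetailsService);
        return provider;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, KerberosServiceAuthenticationProvider provider)
            throws Exception {
        // Reads the "Authorization: Negotiate <token>" header and hands the token to the provider.
        SpnegoAuthenticationProcessingFilter spnegoFilter = new SpnegoAuthenticationProcessingFilter();
        spnegoFilter.setAuthenticationManager(new ProviderManager(provider));

        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // 401 with "WWW-Authenticate: Negotiate" prompts the browser to send its ticket silently.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(new SpnegoEntryPoint()))
            .addFilterBefore(spnegoFilter, BasicAuthenticationFilter.class);
        return http.build();
    }
}
```

The difference from the IP-lookup scenario is where the proof lives: the ticket is encrypted to the service's keytab key and names the user, so the server verifies something only the domain controller and the user's session could produce, rather than inferring identity from the source address. Things to check in deployment: file permissions on the keytab, that the URL hostname matches the SPN, and that the browser treats the site as an intranet zone so it sends Negotiate automatically. Clients that are not domain-joined get a bare 401 with this entry point; constructing SpnegoEntryPoint with a forward URL sends them to a form login instead. Vaadin serves through the same servlet filter chain, so nothing Vaadin-specific is needed.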

Using Spring Security to Validate User Credentials

I have an application that uses Spring Security LDAP for User authentication.
What I'm trying to do is build a feature that requires the User to provide their password again for validation of credentials before performing an important process.
The user is already signed in, so I wouldn't want to kick the user out by killing their current session.
This sounds like it could be a tricky requirement to fill. I have one somewhat outside the box solution that could meet the requirement:
Create a sister Grails application that uses the same Grails/Spring Security/LDAP structure as your primary app.
Expose a /verifyLdapCredentials Service in the sister application to accept the user's LDAP credentials
Authenticate against LDAP
Send a success/failure response back to the primary application
Unauthenticate from the sister application immediately to prepare for the next request
I ended up creating a separate service and controller to do a simple LDAP auth and lookup.
The service would log in with the Spring config settings, then apply the username and supplied password and validate the CN result.
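The same re-verification can be done in-process, without the sister application: call the AuthenticationManager Spring Security already uses for LDAP login and discard its result, so the signed-in session is never replaced. This is an added example, not the poster's code; it assumes the app's LDAP-backed AuthenticationManager is exposed as a bean, and the URL and class names are placeholders.

```java
// Added example (not the poster's sister-application code): re-check the session
// owner's password through the existing AuthenticationManager without touching
// the SecurityContext. Endpoint path and class names are placeholders.
package com.example.stepup;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class CredentialRecheckController {

    private final AuthenticationManager authenticationManager;

    public CredentialRecheckController(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * Returns true only if the password is valid for the user who owns the current
     * session. The Authentication the manager returns is deliberately not stored:
     * putting it into the SecurityContext would replace the session's Authentication,
     * which is exactly what this feature must avoid. With an LDAP BindAuthenticator
     * every call is a fresh bind, so a changed or locked password is caught.
     */
    public boolean recheck(String password) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || current instanceof AnonymousAuthenticationToken || !current.isAuthenticated()) {
            return false; // nobody is signed in; a normal login is needed, not a recheck
        }
        // Always use the session owner's name, never a client-supplied one, so the endpoint
        // cannot be used to probe other accounts' passwords.
        String username = current.getName();
        try {
            authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            return true;
        } catch (AuthenticationException ex) {
            return false; // wrong password, locked account, directory unreachable: all fail closed
        }
    }

    /** POST /account/recheck-password with form field "password": 204 on success, 403 otherwise. */
    @PostMapping("/account/recheck-password")
    public ResponseEntity<Void> recheckEndpoint(@RequestParam("password") String password) {
        return recheck(password)
                ? ResponseEntity.noContent().build()
                : ResponseEntity.status(HttpStatus.FORBIDDEN).build();
    }
}
```

If the important process spans several requests, record a "verified at" timestamp in the session on success and have the sensitive operations check its age, rather than passing the password around. Failed rechecks should feed the same lockout or rate-limit counters as failed logins, since the endpoint accepts a password just like the login form does.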
