Secure REST services using OAuth with Spring Boot? - spring-security

How to secure REST services (OAuth) with Spring Boot?
The closest I can get is:
http://spring.io/guides/gs/securing-web/
http://spring.io/guides/gs/authenticating-ldap/

You could add the OAuth2AuthenticationProcessingFilter pretty easily to a Boot app. The closest sample would probably be the spring-boot-sample-secure, since it explicitly adds a WebSecurityConfigurerAdapter, which is what you'd have to do. There is no native autoconfiguration support for OAuth in Spring Boot yet (but please feel free to add it). It is on the roadmap, but unlikely to get a lot of attention unless more people ask for it.
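An added example, not code from the answer or from Spring's samples, of what that WebSecurityConfigurerAdapter could look like using the legacy spring-security-oauth2 classes the answer names. It assumes the REST API lives under /api/**, that a separate authorization server exposes a check_token endpoint (placeholder URL and client credentials), and that the API is registered there with the resource id "api":

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: bearer tokens are validated against a separate authorization
    // server's check_token endpoint; URL and client credentials are placeholders.
    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("https://auth.example.invalid/oauth/check_token");
        services.setClientId("resource-server-placeholder");
        services.setClientSecret("CHANGE-ME");
        return services;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The filter extracts the bearer token; the manager validates it and loads its scopes.
        OAuth2AuthenticationManager oauthManager = new OAuth2AuthenticationManager();
        oauthManager.setTokenServices(tokenServices());
        oauthManager.setResourceId("api");   // reject tokens issued for other resource servers
        OAuth2AuthenticationProcessingFilter bearerFilter = new OAuth2AuthenticationProcessingFilter();
        bearerFilter.setAuthenticationManager(oauthManager);
        bearerFilter.setStateless(true);     // never fall back to an HTTP session

        http.antMatcher("/api/**")
            .addFilterBefore(bearerFilter, AbstractPreAuthenticatedProcessingFilter.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()                // no cookie-based auth on these paths, so no CSRF surface
            .exceptionHandling().authenticationEntryPoint(new OAuth2AuthenticationEntryPoint()).and()
            .authorizeRequests()
                .expressionHandler(new OAuth2WebSecurityExpressionHandler()) // enables #oauth2.*
                .anyRequest().access("#oauth2.hasScope('read')");
    }
}
```

Requests without a valid bearer token carrying the read scope get a 401 with a WWW-Authenticate header from the entry point rather than a redirect to a login page.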

Related

New single page app needs to authenticate to legacy app using Shibboleth

I am creating a new React SPA. Users of a legacy app need to be able to use the new app without re-authenticating. So I need to support SSO.
It's important to note that it is also required that users of other (currently unspecified) apps should also be able to use the new app without re-authenticating, so whatever approach I take needs to be sufficiently decoupled to potentially allow this.
The legacy app supports authentication via Shibboleth, the new app currently has no authentication method, but uses JWT for authorisation.
I'm wondering if anyone has any experience of such a scenario? It seems to me that I probably need to create an OAuth2 authorisation server for the new app to talk to and I need to somehow bring Shibboleth into the mix for the authentication, maybe with the authorisation service acting as a Shibboleth Service Provider. Googling around hasn't revealed much useful info.
Is what I've described along the right lines? I know it's very high level and woolly, but I'm really not sure of the approach to take. Any advice, information or experience in this area would be gratefully received!
GOALS
It's a little bit of a subjective question, but the main goals are usually as follows:
Focus on building your UI and API security in a future facing manner
Also provide good Login Usability
Also deliver on non functional requirements such as availability / reliability
AUTHORIZATION SERVER
On the first point, the modern option is to integrate UIs and APIs with an Authorization Server - perhaps as in My Tutorial. Your architecture is then good, but the migration is not trivial.
FEDERATING TO SHIBBOLETH
The Authorization Server can then redirect to Shibboleth and talk SAML 2.0 to achieve Single Sign On, as you suggest. It is a complex solution though, and may be a backwards step in some ways.
AVAILABILITY
This is usually a big concern, and most companies use a cloud provider such as Azure / AWS due to its high availability / low maintenance / low cost. Would this be a better option for you?

Securing Rest APIs

I have two sets of REST APIs used for the same application, developed on two different frameworks.
One is on Spring Boot, secured using OAuth 2. The second set of APIs is developed on the Jooby microframework.
Since the services on Jooby are not secured, how can I do that, so that both sets of APIs are secured?
The login is working in conjunction with the Spring Boot app and OAuth 2.0, and the same user credentials should be used for the Jooby APIs as well. Does it make sense to put some sort of gateway in common for both sets of APIs?
Well, security is a broad topic, and frameworks implement security guidelines and support as they mature. Even though I don't have any prior experience with Jooby, after referring to their documents I found a couple of support libraries and extensions.
Moreover, you can follow this great GitHub repo as a checklist and implement what is relevant to your context.
If you can provide more implementation details about your login, I can give a more specific answer. But it seems a common gateway isn't really necessary, and you can use authentication credentials such as tokens directly with your Jooby APIs as well. See pac4j, which is listed under the Jooby documents.

Spring Webflux + LDAP/Kerberos Security

I have a Spring Boot 2 Reactive Web Application that currently has a JWT-based authentication system. Now I would like to add an LDAP backend for authentication and allow Single Sign-On (SSO) via Kerberos.
It seems Kerberos and LDAP support is currently limited to WebMVC and no dedicated reactive version is available.
Since documentation about integrating all 3 components (WebFlux, LDAP + Kerberos) together in one application is quite rare, I would like to ask if any of you have already attempted to set up such an infrastructure and are willing to share an example of how to do it.
I ran into the same issues with SAML. I haven't seen any progress on porting these sub projects to be supported in a webflux environment. The obvious approach seems to me to rewrite all servlet filters to WebFilters.

Using spring security

I am using Spring Security in my application for authenticating. I want to fail all logins which happen within a specific time period since session start (e.g. 150 ms). I can write code to achieve this. I wanted to know if Spring Security has this functionality built in, where I can specify a time period and all login requests within that specified time fail.
Thanks,
I think there is no such built-in mechanism in Spring for this use case. Your requirement does not seem to be a common one, and therefore you could not expect to find something like this in a general programming framework.
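One way to implement the check the asker describes, as an added example that is not part of the question or the answer: a servlet filter placed in front of Spring Security's form-login filter that refuses a login POST arriving less than a configured number of milliseconds after the HTTP session was created. It assumes the login form posts to /login (Spring Security's default) and that a session already exists from serving the login page:

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/** Rejects login attempts submitted too soon after the HTTP session was created. */
public class EarlyLoginRejectFilter extends OncePerRequestFilter {

    private final long minSessionAgeMillis;
    // Assumption: the login form posts to /login, Spring Security's default.
    private final RequestMatcher loginRequest = new AntPathRequestMatcher("/login", "POST");

    public EarlyLoginRejectFilter(long minSessionAgeMillis) {
        this.minSessionAgeMillis = minSessionAgeMillis;
    }

    /** Pure decision, kept separate so it is easy to unit-test. */
    static boolean tooEarly(long sessionCreatedAt, long now, long minAgeMillis) {
        return now - sessionCreatedAt < minAgeMillis;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        HttpSession session = request.getSession(false); // never create a session just to check it
        if (loginRequest.matches(request) && session != null
                && tooEarly(session.getCreationTime(), System.currentTimeMillis(), minSessionAgeMillis)) {
            logger.warn("Rejected login from " + request.getRemoteAddr()
                    + " submitted " + (System.currentTimeMillis() - session.getCreationTime())
                    + " ms after session start");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // UsernamePasswordAuthenticationFilter never sees the request
        }
        chain.doFilter(request, response);
    }
}

// Registration inside WebSecurityConfigurerAdapter.configure(HttpSecurity http):
//   http.addFilterBefore(new EarlyLoginRejectFilter(150), UsernamePasswordAuthenticationFilter.class);
```

A POST with no existing session passes through untouched, so the filter only affects clients that fetched the login page and submitted it within the window.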

oauth 2.0 integration with peoplesoft

Our existing customer base is in PeopleSoft and we are developing a lot of mobile applications. Hence, we would like to use OAuth 2.0 for authentication and authorization, but I cannot find any way to integrate the two.
Does PS implement OAuth? If they don't then you'll be out of luck. A quick search indicates they support SAML for SSO (on their web sites). You will probably have to describe a little bit more what you are doing, and why you think OAuth is the way to go.
Note that being mobile doesn't necessarily mean you have to implement OAuth.
This is a very late answer, but as of PeopleTools 8.58, PeopleSoft applications support OAuth2 for REST services. The caveat is that only Oracle IDCS is able to be used as an authorization server. There may be a plan in the future to support other authorization servers.
Cf. https://blogs.oracle.com/peopletools/what-peoplesoft-is-doing-with-oauth2-in-858 and https://support.oracle.com/knowledge/PeopleSoft%20Enterprise/2621182_1.html for more information.
