I have a project which has some controllers as well as a list of REST APIs(starting with url '/api/') in the same project. Now I have to apply spring security oauth to only the REST APIs. I couldn't find any documentation on applying the same. Is there any built-in functionality in spring security oauth or should we go for some kind of filter that would filter oauth requests and return some possible error codes for URLs(controller urls and others) other than the REST APIs(/api/) Any help is greatly appreciated.
Thank you.
There is dedicated OAuth project for spring security. You can apply it only to some URLs using multiple http config elements. It may looks like this:
<!-- REST API -->
<http pattern="/api/**">
....
<custom-filter ref="oauth2ProviderFilter" before="PRE_AUTH_FILTER"/>
....
</http>
<http pattern="/login.htm*" security="none"/>
<!-- Additional filter chain for normal users -->
<http>
<intercept-url pattern='/**' access='ROLE_USER' />
<form-login .../>
</http>
<oauth:resource-server id="oauth2ProviderFilter" .../>
Related
I have a web app developed using spring mvc and spring security 3.2. I want my app using http basic authentication for restful service and form login authentication for other part. Below is my security configuration:
<http pattern="/services/**" create-session="stateless" use-expressions="true">
<intercept-url pattern="/**" access="hasRole('ROLE_REMOTE,ROLE_USER')"/>
<http-basic />
</http>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/static/**" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login.do" always-use-default-target="true" default-target-url="/main.do" />
<logout invalidate-session="true" logout-success-url="/login.do"
logout-url="/j_spring_security_logout" />
</http>
what I expect is: when a user login from the form, then it can invoke the restful service without go through basic authentication (Since it has been authenticated). My thought is that a user with role 'ROLE_USER' should also call the restful service. However, what I got is after I logined from the form, I was also prompted to do basic authentication trying to call the restful service from browser.
Is there anyway to get what I expect?
The answer could be in the description of the create-session attribute:
never - Spring Security will never create a session, but will make use of one if the application does.
stateless - Spring Security will not create a session and ignore the session for obtaining a Spring Authentication.
Since you chose stateless the auth object persisted in the session after the form-login is ignored. Try if never works as you expect.
Using spring-security-oauth2 to secure my resources against a SSO endpoint that can act as an authorization server. I'm a bit confused when the documentation states:
The provider role in OAuth 2.0 is actually split between Authorization Service and Resource Service, and while these sometimes reside in the same application, with Spring Security OAuth you have the option to split them across two applications, and also to have multiple Resource Services that share an Authorization Service.
But I don't think I have found an example of this happening. In sparklr/tonr the authorization server and the resource server reside in the same application. The only example I've seen from searching is this spring-servlet.xml, which requires this custom implementation of ResourceServerTokenServices to work.
I'd like to avoid writing a custom implementation of ResourceServerTokenServices if at all possible. Is there another way to support an external authorization server in a resource server? Something along the lines of:
<bean class="com.example.ExternalAuthorizationServerTokenServices"
p:remote-url="https://my-oauth-compatible-sso.com"
p:token-endpoint="/oauth/access_token"
p:authorize-endpoint="/oauth/authorize" />
Is this possible?
*EDIT: I'll add that as a workaround (or maybe this is the intended solution) I'm using a jdbc token store and relying on the fact that both servers happen to have access to that database.
You can separate open resources and protected resources in the spring-security.xml
Pattern /api/** will be protected and other resources will be open.
<!-- Protected resources -->
<http pattern="/api/**" create-session="never" use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/**"
access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<!-- <access-denied-handler ref="oauthAccessDeniedHandler"/> -->
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
for someone that might be interested there is as well another example for separating the authentication server and resources server found here: https://github.com/sharmaritesh/spring-angularjs-oauth2-sample
I am using spring security 3.1 with Hibernate and used a Custom UserdetailsService class and a custom login page for authentication.
Question is how can I get rid of using the standard spring security naming conventions in login form,
j_spring_security_check,
j_spring_security_logout,
j_username – Username,
j_password – Password
and use alternatives.
Spring security docs says that it is not a good practice to reveal these details.But I couldn't find any example on how to use custom urls for this purpose.
It will be greatly appreciated if someone could provide an example implementation.
They are configured in <form-login> and <logout> attributes:
<form-login username-parameter="" password-parameter="" login-processing-url="" />
<logout logout-url="" />
See the documentation: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#nsa-http-children.
Is it possible to setup session concurrency programmatically?
It is easy to do that using XML configuration like
<session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
but what I need is that base on some property in database I want to allow/prohibit concurrent session.
You may use Spring 3.1 java configuration for spring security enabling you own concurrency control implementation instead of ConcurrentSessionControlStrategy. See this SO answer for java config example.
I have configured two authentication providers in my Spring Security config:
<security:authentication-manager>
<security:authentication-provider ref="XProvider" />
<security:authentication-provider ref="YProvider" />
</security:authentication-manager>
Does spring security evaluate both providers? Or does it stop to evaluate if one of them fails? If not, How to make it stop?
Thanks.
You can specify as many providers as you want. They will be checked in the same order you declared them inside the authentication-manager tag.
Once a successful authentication is made, it will stop polling the providers. If any provider throws an AccountStatusException it will also break the polling.