I successfully completed login module of my application using spring security's inbuilt authentication & authorization mechanism.But later i was told to check if i can integrate WSO2 (SOA solution as external Authorization mechanism) with Spring security so that i can use Spring security's authentication mechanism alone and WSO2 for authorization instead of using Spring security provided Authorization.
I did search & read the documentation and i could get details about using External authentication with Spring security & nothing about External authorization.I would like to know if i can do the same and also how i can do it.Any pointers will be really helpful for me.
Related
I've got an Authorization Server running using Spring boot security and spring-security-oauth2-autoconfigure shim jar.
I would like to implement the openid scope and provide identity tokens back to my clients.
Is there a way to do this currently using Spring libraries?
thanks
I'm currently working through a spring application which is using stateless session and JWT based mechanism for authentication & authorizations.
A new requirement arrived: using CAS v4.0 SSO solution to replace the authentication system. I went through the CAS documentation and the spring security documentation and saw no sign of "stateless mode". Trying to set the spring security session policy to stateless is breaking my CAS integration.
My intuition would tell me to totally drop the JWT mechanism and switch on classic statefull based sessionid mode to avoid issues. Is there some resource trying to adress a CAS + stateless client? Has someone had experience with it?
Is it possible to use Spring OAuth2 as a pure authorization solution while providing external authentication for it? Or is Spring OAuth2 even supposed to be used in such a manner? If yes then what are the injection points for that kind of configuration?
If your are familiar with Kong then it's basically how the OAuth plugin works:
here Login Webapp (which is responsible for authentication) is an external application to Kong OAuth.
Currently we have web app which uses spring Security for role based Authentication and Authorization.
Since we want to use SSO I see this example to integrate Spring with Openam https://wikis.forgerock.org/confluence/display/openam/OpenSSO+Spring+Security+%28Acegi%29+Integration
so it's like
My Web app (using spring to talk to openam) <===> IDP Proxy <====> IDP
But when I use the SAML tracer (The plugin for Firefox to track SAML requests/Responses) I don't see any SAML payloads between My web app and IDP proxy.
Is it that Spring is using SOAP request to talk to IDP proxy by picking urls from AMConfig.properties ?
I thought of using Fedlet but reading the saml response from Fedlet and integrating that with Spring Security is not feasible.
If Spring security3 doesn't use SAML2 is it a good idea to use spring framework to talk to openam ?
Any inputs ?
Thanks in advance
Ram
Ok folks we got our JSF2 web app working by integrating with Spring SAML extension and Spring Security along with open am.
Spring SAML extension is here - (https://github.com/SpringSource/spring-security-saml)
So now we are pulling all user roles from LDAP using Openam as IDP and the saml request and response is processed by spring saml extension. The role based access within application is controlled by Spring Security.
I would like to thank
Vladimir Schaefer - Author of Spring Saml ,
Stefan - from opensaml team,
Peter Major- from Openam # forge rock.
Wanted to add this note to let others know that the integration can be done to JSF app or any other web app and it uses Spring security SAML extension (which uses SAML 2.0 end to end) .
We finally have single sign on working finally.
I will put up an article on this shortly and will update this post.
I was able to add some more notes please see my articles on
generic info related to Openam concepts
http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html
Steps to integrate JSF 2 web application with Openam using Spring SAML extension and Spring Security.
http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html
Thanks
Ram
I don't see any SAML payloads between My web app and IDP proxy
According to the page, the integration is very similar to a normal agent approach. This probably means that you app talks to OpenAM using SOAP and OpenAM talks to the IDP using SAML.
But when I use the SAML tracer (The plugin for Firefox to track SAML
requests/Responses) I don't see any SAML payloads between My web app
and IDP proxy. Is it that Spring is using SOAP request to talk to IDP
proxy by picking urls from AMConfig.properties ?
If things are working correctly you should see a SAML authentication request when you are forwarded to the IDP.
What you should do is probably start plowing through the OpenAM debug logs.
Especially the Federation log.
I thought of using Fedlet but reading the saml response from Fedlet
and integrating that with Spring Security is not feasible. If Spring
security3 doesn't use SAML2 is it a good idea to use spring framework
to talk to openam ? Any inputs ?
There is an spring extension that allows you to use SAML directly.
http://static.springsource.org/spring-security/site/extensions/saml/index.html
You could have a look at that.
Does Spring Security integrates with WSO2 Identity Server? If yes, then is there any sample or tutorial available for this?
Did you had any luck?? If so, could you point me in the right direction?
I'm researching on the same topic, you should take a lookt at:
Spring Security Extensions
Spring Security Extensions Git Web Interface
You could use either SAML2 or Kerberos to authenticate against WSO2 Identity Server, although I have not tested this yet, but should work.
If this is related Spring Security OAuth2 Integration with WSO2 IS.
Actually, there are 2 different ways to integrate Spring OAuth with WSO2 Identity Server:
using the WSO2 IS admin web services like OAuthAdminService, OAuth2TokenValidationService
sharing the database (not recommended, your application shouldn't have access to the identity provider database)
It's quite easy to integrate Spring OAuth with WSO2 Identity Server, of course, you could reimplement all TokenStore methods or the DefaultTokenServices to provide even more functionality and make the integration as transparent as you like but this sample is meant to show the very first steps.
You can refer the below blog https://www.yenlo.com/blog/wso2-spring-oauth2-integration-with-identity-server