What is the utility of remember me to spring security. Is that it is already known by spring security like j_password variable and j_username?
Spring Security Remember-Me Authentication
Remember-me or persistent-login authentication refers to web sites
being able to remember the identity of a principal between sessions.
This is typically accomplished by sending a cookie to the browser,
with the cookie being detected during future sessions and causing
automated login to take place. Spring Security provides the necessary
hooks for these operations to take place, and has two concrete
remember-me implementations. One uses hashing to preserve the security
of cookie-based tokens and the other uses a database or other
persistent storage mechanism to store the generated tokens.
I have nothing to add to that.
The server will send the browser a cookie that will be returned (until it expires). When the server sees a request with that cookie, it doesn't pop up the login page as it would otherwise do automatically with Spring Security.
Related
I use Spring boot security for my server.
I added new filter that extends from OncePerRequestFilter and (according to many tutorials from the web) after validating the jwt save Authentication object into SecurityContext.
What I don't understand is why do I need to save the Authentication in SecurityContext? after all I validate the jwt from the client in each request and don't need spring's to call isAuthenticated() on Authentication object.
Do I miss something?
Spring Security Authentication basically works by storing it in the SecurityContext. There is a SecurityContextHolder class which stores the SecurityContext and is used to many places where Authentication/Authorization decisions needs to be made by retrieving the Authentication. Even though you have validated the JWT to check the Authentication is success, Spring Security still needs Authentication object to make other decisions for example to evaluate hasRole(), hasAnyRole(), etc.
Spring Boot Security,
My Application is already running using Spring Security. Now I want to authenticate the users through OAuth. Is there any way to build a custom servlet to achieve this?
You can add a new Filter to intercept and authenticate OAuth requests in which it should call the authenticationManager.authenticate method and save the result of the authentication token in the SecurityContextHolder. This way the user is fully authenticated.
Note, that this way you don't "override" or "bypass" the Spring Security. You just use it to perform a different authentication.
From the Spring Session Rest sample: http://docs.spring.io/spring-session/docs/current/reference/html5/guides/rest.html
I have deployed the sample on Cloud Foundry and it works.
I am wondering how the session is working with Spring Security AuthenticationManager to authenticate the x-auth-token in the second request.
I checked the code in the Spring Session, but not found any details.
To my understanding, the authentication manager will look for the session in the SessionRepository by the x-auth-token.
Can someone show me how the authentication in the Spring Session Rest works?
Actually as far as Spring Security is concerned there's nothing different in this sample compared to an application that doesn't use Spring Session (i.e. uses Servlet container's internal session storage and JSESSIONID cookie).
Spring Session uses org.springframework.session.web.http.SessionRepositoryFilter to replace Servlet container's HttpSession implementation with a custom implementation backed by Spring Session. This filter also provides HttpSessionStrategy (either cookie based or, like in your sample, HTTP request header based) to correlate the information your provided (again, either via cookie or header) to the session stored in SessionRepository implementation of your choice. After that, it's all up to how your application uses the session.
Note that Spring Security's AuthenticationManager simply handles authentication requests for the provided Authentication token. It does not have any knowledge of session, or anything else web/Servlet API related.
I am using Spring security for Authentication and Authorization in my application. I am using Neo4j database as backend and implemented userDetailsService for authentication.
However, whenever my application restarts, user is forced to login once again.
To overcome this, i am thinking to store session information in redis database and load the data to Spring security Context whenever application gets started.
Kindly pass on if there are any articles and pointers to implement the same.
I am thinking of following implementation for it,
1) For every successful authentication, store user details and session details in redis.
This must be implemented in loadUserByUsername() method of UserDetailsService implementation
2) Remove the data from redis, whenver user logs out, Where can i do this information? Is there any spring security function where i can call this
3) Load all the data from redis to spring security whenever application restarts, again where do i need to write this logic?
Please let me know if i have missed any information.
All you need to do is to implement a
SecurityContextRepository that handles security context storage to reds
Eventually a custom filter that retrieves/ stores session information (GenericFilterBean)
I think it is possible to just give the standard filter a different repository, but I am not sure, I needed my own implementation anyway...
Store session in a redis is out-of the box functionality now
http://docs.spring.io/spring-session/docs/current/reference/html5/guides/httpsession.html
You need to configure remember-me feature of Spring Security.
Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.
More information available in Spring Security documentation:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/remember-me.html
You can use out of box implementations or inject your own (aforementioned redis).
As Luke Taylor said, Tomcat's default action is serialize/deserialize sessions on container restart.
Here
pathname attribute of standard manager is the name of the serialization file. If you dont specify a path name attirbute the default is SESSIONS.SER
If you dont want to have sesssions back when restarted, you need to specify it as empty string value..
i am writing an asp.net mvc c# site which will not use sessions... What are my options for prividing login functionality without sessions?
System.Web.Security.FormsAuthentication uses cookies:
FormsAuthentication.SetAuthCookie(userName, rememberMe);
No session is used there. Of course, if you want more than a username and isAuthenticated, you'll need some other way to store that state. Your only real alternatives are cookies or the URL, neither one of which are generally acceptable for other reasons.
Session is not evil, especially given your options to host session data on a shared server or on a SQL Server instance.
Session can certainly be abused and your scalability will suffer, but I would not eschew session completely unless there were other overriding concerns.
If you must toss out session entirely, you will have to either recreate state on each call, an expensive proposition generally, or you will have to create your own state storage mechanism which brings us back to standard ASP.NET session storage alternatives.
You basically have 3 options, that I can think of, to authenticate HTTP requests.
1) Cookies only, where you set a cookie on the users machine with the necessary information you need to identify them on their next request
2) Sessions. Session will typically also use cookies (to store session information), but don't have to (see http://msdn.microsoft.com/en-us/library/aa479314.aspx)
3) Stateless authentication. This is really only used for non-browser HTTP clients calling webservices. This includes the client signing the http request with a public/private key combination that the server can then authenticate. An example of a stateless HTTP authentication protocol is OAuth (though OAuth as a spec is really geared towards authorization, but authorization by it's nature requires authentication).
See Web authentication state - Session vs Cookie vs? for additional discussion on Cookies and Sessions.
The common approach is to use cookies. See Securing and ASP.NET MVC Application.