The Spring Security – Kerberos Extension is listed as version 1.0M2 on the Spring Source web site. It was started in 2009.
Why hasn't it made a 1.0 release?
Is it suitable for production use?
If it is not suitable for production use, what is the best alternative to plug into Spring Security?
We use successfully Spring Security Kerberos/SPNego in production since more than one-year, and we are quite happy with it!
However, I can't say why 1.0 is not released.
Related
I got a Spring Boot 2 Reactive Web Application that currently has a JWT-based authentication system. Now I would like to add a LDAP backend for authentication and allow Single-Sign On (SSO) via Kerberos.
It seems Kerberos and LDAP support is currently limited to webmvc and no dedicated reactive version is available.
Since documentation about integrating all 3 components (WebFlux, LDAP + Kerberos) together in one application is quiet rare I would like to ask if someone of you already took the attempt to set-up such an infrastructure and is willing to share an example how to do.
I ran into the same issues with SAML. I haven't seen any progress on porting these sub projects to be supported in a webflux environment. The obvious approach seems to me to rewrite all servlet filters to WebFilters.
I have a Spring framework based app in which I have been instructed to add AES-256 encryption. I have added this using the standard Spring security Encryptors.textEncryptor(...)
When I ran it on our development servers I got errors which indicated issues with key lengths so I updated the server's Java with Java JCE's unlimited policy files from Oracle.
However when attempting to get the code deployed to our test servers, the server admins are refusing to update the Java installations.
After talking with security, they suggested down grading the encryption from AES-256 to AES-128 under the assumption that it will work without the unlimited policy files.
As you can tell I'm not greatly knowledgeable in this area.
I've looked online, but it appears that the Spring encryption cannot be downgraded to AES-128.
Does anyone know if this downgrade can be done? or am I have to roll my own encryption setup?
Ended up using the spring source code as a base for rolling our own. Not hard really.
I'm in the process of moving my application from Spring Security's CAS client to JASIG's Java CAS client. This was due to our security group adding some custom functionality to the JASIG version.
I've seen on JASIG's website the examples of how to configure the CAS client using Spring's configuration. I've used this example:
https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security
I'm using STS and it complains about numerous lines being incorrect or deprecated. Also, when using the spring security CAS client I configured my roles as part of the <sec:http> block using intercept-url tags like this:
<sec:intercept-url pattern="/api/**" access="hasAnyRole('ROLE_OPERATOR', 'ROLE_ADMINISTRATOR')" method="GET" />
However, in the example the roles are configured in the FilterSecurityInterceptor bean and while it uses the sec:intercept-url tags the expressions don't work.
I believe the issue is that the example is from an earlier version of spring security but I'm using a newer version.
Does anyone know of an updated version of the configuration for the above sample? I know I need to upgrade my config from what the example shows but I'm not a full time security guy, just a developer tasked with doing this move, so I don't live an breath this stuff every day. Any help would be greatly appreciated.
My env:
Spring Source Framework v3.2.2
Spring Security v3.1.4
JASIG CAS Client v3.2.1
-Richard Ward
What options do I have to enforce authentication/authorization in a java web app ?
From my research, there's:
JAAS
JNDI
Spring security
Any others ? Does JEE5 or JEE6 have anything new ?
if you do not want to implement the identity-provider by yourself, you can consider using OpenID. This way, you can use any OpenID provider to provide the authentication/authorization.
In addition, you can consider OAuth2.
Do not mix between the two, there are many posts here that can explain the differences...
See Securing Web Applications chapiter for JEE6. Also you can consider Apache Shiro as alternative for Spring Security. If you already use Spring Framework then just go with Spring Security.
Java EE 6 security currently leaves much to be desired (for me that's just saying), I however stumbled upon Apache Shiro and Spring Security as more popular security frameworks for the Java enterprise.
I am more inclined to go the Spring Security direction because of non existent tag library for the Apache Shiro alternative.
However surprisingly, I cannot find any tutorial that details how to integrate spring security with the Java EE 6 stack. Do you have any recommendations?
As a variant: this filter wraps request implementing the servlet API security methods. So app level frameworks may work with requests security using standard API.
Weblogic AS has it's own guidelines for such integration.
I have decided to go the Apache Shiro partway. Tag library exists in www.github.com. And documentation seems appropriate enough