Does anyone over here has experience integrating TAM with Grails spring security for single sign on. If so can you help me get a quick start or point to any tutorials.
Thanks
You would probably want to use Spring Security's pre authentication feature and examine the header sent from TAM. To do so you would write your own authentication provider which is really simple and just looks for the header. See this for some more information
Related
I am new to Spring world and with the help of lots of information available online, I have pretty much developed Spring MVC Application I am working on currently.
Last piece I have to implement is to integrate OAM SSO in my application to use as authentication.
I searched a lot on web but couldn't find single example of implementing third party Authentication provider.
I finally realized that I have to use PreAuthentication but I am not sure how I would implement it.
I am unable to share my code because any thing I tried until now is not working and I feel that I haven't got right path yet.
Any help would be much appreciated.
To give you brief idea about OAM, OAM authenticates user ID and Passwords and sends you authenticated requests with a cookied, OBSSOCookie. Using this cookies, you need to contact OAM and get User ID and password and also User Roles (Authorities). Any request coming to your application is already authenticated so you do not need to authenticate again. all you need to do is, using this cookie, need to retrieve user Authorities.
For Spring MVC, you could use the spring-webmvc-pac4j security library, instead of Spring Security. Use a CookieClient to deal with the OBSSOCookie and create your own Authenticator to check this cookie against OAM.
Spring session seems like a very interesting project but I have not been able to find much information on how to properly incorporate it in a spring security application. The readme on project github page has some information but I dont think thats applicable to spring security. Another example thats mentioned on the same page is to utilize this mechanism for REST access. Thats another use case that i think can benefit from an example. I would appreciate if some information on the subject can be shared. Thanks.
You can use Spring Session with Spring Security by simply ensuring to place the Spring Session Filter before Spring Security's filter. There is also an security sample project that demonstrates the use of Spring Session with Spring Security within the distribution. You can run it by cloning the repository and running the following:
./gradlew :samples:security:tomcatRun
The application will be available at http://localhost:8080/
What options do I have to enforce authentication/authorization in a java web app ?
From my research, there's:
JAAS
JNDI
Spring security
Any others ? Does JEE5 or JEE6 have anything new ?
if you do not want to implement the identity-provider by yourself, you can consider using OpenID. This way, you can use any OpenID provider to provide the authentication/authorization.
In addition, you can consider OAuth2.
Do not mix between the two, there are many posts here that can explain the differences...
See Securing Web Applications chapiter for JEE6. Also you can consider Apache Shiro as alternative for Spring Security. If you already use Spring Framework then just go with Spring Security.
I am trying to make spring security with oauth2 work but there is really no good tutorial out there. The tonr and sparkl example apps magically work but I won't have a spring client which maybe does some magic. So does anyone have a valid spring3 oauth2 config and/or tutorial plus the client config?
Thanx!
I cannot find a complete example anywhere of a Spring Security Web App with Open Id registration similar to stackoverflows.
I would say I'm pretty techy guy but I find Spring Security extremely intimidating with its weird Spring XML DSL.
I have found bits and pieces of how one would do the good ole' stackoverflow registration using:
Spring Security Open ID sample WAR
Hillerts Blog 3 part blog posting
Spring Security Official Doc on OpenId (the email attributes are wrong see next link)
Stackoverflow posting about email attributes
JQuery OpenId library for picking your OpenId provider Stackoverflow has a modified one that seems to include Facebook
Best Article on the subject but a little long winded
Another example like previous one for Google App Engine
But no complete examples (WAR). Does anyone know or have a working example (ie WAR) that does more than just authenticate with an in-memory openid urls?
UPDATE: The latest version of Spring Social does a very good job of managing Oauth registration. We ended up using it instead. Although its not OpenId I have grown to prefer Oauth over OpenId. For those interested in there is a project to use OpenId with spring social: https://github.com/molindo/spring-social-openid
Have you looked at the latest version of the sample code (for the 3.1 release)?
It has several improvements to make it simpler to use Google and Yahoo authentication together (with different attribute exchange configurations simultaneously), uses a similar login dialog to stack overflow and performs simple registration in the case of users who have not previously accessed the app.
See this issue https://jira.springsource.org/browse/SEC-1431 (and the linked one) for more information.
I know this is not really helpful in answering your Question but I am currently building a Grails based web application and initailly started using Spring Security but also found it difficult to setup.
I then changed to Apache Shiro and it is much simpler to implement. But it doesn't have support for openid out of the box, but the nimble grails plugin does so you may be able to use that as an example to write your own.
Yes,
There is a war to download on http://repo1.maven.org/maven2/org/springframework/security/spring-security-samples-openid/3.0.1.RELEASE/
Maybe it can help you.
It's not exactly OpenID, it uses Facebook Connect, but checkout Spring's GreenHouse. That's great code written by the guys from Spring you can use to jumpstart your app.
Yes, In spring application, user can authenticate into your application with open ID provider.
1) Here is the sample example of spring open ID login application.
2) Here is the sample example of spring security social login application and blog here.