I have configured two authentication providers in my Spring Security config:
<security:authentication-manager>
<security:authentication-provider ref="XProvider" />
<security:authentication-provider ref="YProvider" />
</security:authentication-manager>
Does spring security evaluate both providers? Or does it stop to evaluate if one of them fails? If not, How to make it stop?
Thanks.
You can specify as many providers as you want. They will be checked in the same order you declared them inside the authentication-manager tag.
Once a successful authentication is made, it will stop polling the providers. If any provider throws an AccountStatusException it will also break the polling.
Related
I have a project which has some controllers as well as a list of REST APIs(starting with url '/api/') in the same project. Now I have to apply spring security oauth to only the REST APIs. I couldn't find any documentation on applying the same. Is there any built-in functionality in spring security oauth or should we go for some kind of filter that would filter oauth requests and return some possible error codes for URLs(controller urls and others) other than the REST APIs(/api/) Any help is greatly appreciated.
Thank you.
There is dedicated OAuth project for spring security. You can apply it only to some URLs using multiple http config elements. It may looks like this:
<!-- REST API -->
<http pattern="/api/**">
....
<custom-filter ref="oauth2ProviderFilter" before="PRE_AUTH_FILTER"/>
....
</http>
<http pattern="/login.htm*" security="none"/>
<!-- Additional filter chain for normal users -->
<http>
<intercept-url pattern='/**' access='ROLE_USER' />
<form-login .../>
</http>
<oauth:resource-server id="oauth2ProviderFilter" .../>
Using spring-security-oauth2 to secure my resources against a SSO endpoint that can act as an authorization server. I'm a bit confused when the documentation states:
The provider role in OAuth 2.0 is actually split between Authorization Service and Resource Service, and while these sometimes reside in the same application, with Spring Security OAuth you have the option to split them across two applications, and also to have multiple Resource Services that share an Authorization Service.
But I don't think I have found an example of this happening. In sparklr/tonr the authorization server and the resource server reside in the same application. The only example I've seen from searching is this spring-servlet.xml, which requires this custom implementation of ResourceServerTokenServices to work.
I'd like to avoid writing a custom implementation of ResourceServerTokenServices if at all possible. Is there another way to support an external authorization server in a resource server? Something along the lines of:
<bean class="com.example.ExternalAuthorizationServerTokenServices"
p:remote-url="https://my-oauth-compatible-sso.com"
p:token-endpoint="/oauth/access_token"
p:authorize-endpoint="/oauth/authorize" />
Is this possible?
*EDIT: I'll add that as a workaround (or maybe this is the intended solution) I'm using a jdbc token store and relying on the fact that both servers happen to have access to that database.
You can separate open resources and protected resources in the spring-security.xml
Pattern /api/** will be protected and other resources will be open.
<!-- Protected resources -->
<http pattern="/api/**" create-session="never" use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/**"
access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<!-- <access-denied-handler ref="oauthAccessDeniedHandler"/> -->
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
for someone that might be interested there is as well another example for separating the authentication server and resources server found here: https://github.com/sharmaritesh/spring-angularjs-oauth2-sample
Is it possible to setup session concurrency programmatically?
It is easy to do that using XML configuration like
<session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
but what I need is that base on some property in database I want to allow/prohibit concurrent session.
You may use Spring 3.1 java configuration for spring security enabling you own concurrency control implementation instead of ConcurrentSessionControlStrategy. See this SO answer for java config example.
I am using spring security 3.0.5 in my web application based on Spring MVC. We need to check four parameters for the authentication i.e. username, password, company and organization.
For this I have written my own custom authentication token which encapsulates these four fields. I also have a custom user details service.
Normal UserDetails service has loadUserByUsername(username) but in my case I need this method to accept all the four parameters. For this I have decided to provide custom implementation of UserDetailsByNameServiceWrapper which calls loadUserByUsername(username).
In my custom implementation I will pass whole authentication object instead of just the username.
I am not getting how do i plugin my custom UserDetailsByNameServiceWrapper in the spring security xml file.
Please help.
Instead of creating 'your own' UserDetailsByNameServiceWrapper you'll want to implement AuthenticationUserDetailsService instead. This class can then be injected with the following Spring Security configuration:
<bean id="preAuthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" ref="yourAuthenticationUserDetailsService" />
</bean>
I have 2 web applications running under 2 tomcats. Both these applications use the same UserDetailsService for authentication and same database. I am kinda of confused on how would I be able to autologin the user to the other application running in the same browser or cross browser once he has authenticated himself in one of the application.
Will this help ?
<session-management session-fixation-protection="none">
<concurrency-control max-sessions="2" />
</session-management>
The snippet posted above will not work. All it tells spring security is to allow two sessions for the specified user at a time.
What you need is a single sign on for both the applications. You may want to explore spring security's CAS support.