is there a way to configure spring security to have a default user (with roles and such)? i want to use it for testing purposes in an embedded jetty environment.
i provided an InMemoryUserDetailsService but i am missing the part where i tell spring security to use which user.
thanks for your help
fabian
Do you mean an anonymous user?
If so, try this: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/anonymous.html
("Spring Security's anonymous authentication just gives you a more
convenient way to configure your access-control attributes")
Related
everybody!
In my project I use SSO with CAS. But what if the CAS-server is down?
I want a user to be able to login with a simple login/password form when CAS is not available.
Is it possible to configure Spring Security that way?
What should I do to achieve this?
Having said that you use SSO and wanting to use Spring Security as a backup when CAS is down, I am trying to understand how the SSO part will work with spring security. You can certainly implement your own version of single sign on with spring security using oauth2 services or your own implementation. If you did implement something like that, it brings up a question of redundant SSO services, managing them and maintaining them.
CAS, to my understanding, is primarily used for SSO purpose and has its own set of configuration. I am sure, you would have cassified your application for this purpose as well.
Is CAS server being down is an issue, I would suggest setting up a backup or standby for CAS server or building your own single sign on solution. I am trying to say that it is "either or" is more recommended than "having both"
I'm currently creating a new application that requires users to login. I want to use the Spring Security Core plugin for this, but the only problem is that the credentials of the users are stored in a centralized system, and not locally in the database. This system can only be accessed by an API, and will tell me whether the credentials are correct or not.
Is there any way to override the credentials check of the Spring Security Code plugin, so I can check the credentials myself? Or in case this is not possible, is there any other workaround?
It belongs on what your system looks like.
You can write your own Authentication Provider.
Here is answer.
You can create your own User class with datasource set on your centralized system database.
Or you can use Spring Security CAS Plugin
Spring session seems like a very interesting project but I have not been able to find much information on how to properly incorporate it in a spring security application. The readme on project github page has some information but I dont think thats applicable to spring security. Another example thats mentioned on the same page is to utilize this mechanism for REST access. Thats another use case that i think can benefit from an example. I would appreciate if some information on the subject can be shared. Thanks.
You can use Spring Session with Spring Security by simply ensuring to place the Spring Session Filter before Spring Security's filter. There is also an security sample project that demonstrates the use of Spring Session with Spring Security within the distribution. You can run it by cloning the repository and running the following:
./gradlew :samples:security:tomcatRun
The application will be available at http://localhost:8080/
I am trying to add the spring security management console which is shown in the spring security ui documentation.
It does not however tell you how to access it.
any ideas?
A good entry point is the user controller (grails.plugins.springsecurity.ui.UserController). If you are using the default URL mappings you will be able to access it at http://localhost:8080/<appname>/user in development mode.
Does anyone over here has experience integrating TAM with Grails spring security for single sign on. If so can you help me get a quick start or point to any tutorials.
Thanks
You would probably want to use Spring Security's pre authentication feature and examine the header sent from TAM. To do so you would write your own authentication provider which is really simple and just looks for the header. See this for some more information