Is there a way to configure Spring Security for supporting multi-factor authentication?
I want to first ask the user name and the password from the user and then ask security answer of the security question.
Thanks
Rosh
Could you be clearer about whether or not you need the security question to be on a second page?
If having the security question on the same page as the username and password would work for your situation, there are several ways to do this. One of the easiest is to extend the UsernamePasswordAuthenticationFilter to support a second field and then to modify your UserDetailsService.loadUserByUsername() method to extract the second field.
Here is an article that outlines the steps for doing so.
Related
I've got a webapp which is using Grails with Spring Security plugin for it's authentication and authorisation.
I have a new requirement from the business that they want to force all users upon login to the system, to be displayed our current license agreement or t&cs, the user needs to accept these before being allowed further into the system.
Clearly, once they accept the license/t&cs, then we don't ask them again on future logins.
Does Spring Security support this in any way? Or can you recommend another grails plugin?
One way of doing this would be to add a new field to your User class (e.g. hasAcceptedLicense), redirect the user to a defaultUrl at login (http://docs.spring.io/spring-security/site/docs/3.2.3.RELEASE/apidocs/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandler.html) where they need to read and accept a license, and then have a AccessDecisionVoter (http://grails-plugins.github.io/grails-spring-security-core/v3/index.html#voters) that makes sure they did so.
am trying to implement the code using spring security with database there I found this topic but seriously i didn't understand this concept.why they add post method within this 'j_spring_security_check'
so please anyone explain me with example.
It's a preconfigured URL in spring security to authenticate via form input.
It can be configured in your spring security configuration to point to another URL if needed.
If a form submits to this URL it needs to have the relevant parameters for the AuthenticationManager to use, such as j_username and j_password
These were changed in later versions to use username and password.
The best example of this using Spring MVC is in the Spring Docs.
I am using spring security core plugin in my grails application. but now I have a custom requirement.
I need to re-authenticate the user for some secret screens each time before opening these, even user is signed in already.
On re-authentication auth screen, I also want to add a secret pin code after username and password.
What will be the best way to implement this or is there any plugin available with this functionality ?
As far as I know there isn't any plugin that would address this for you. However, Glen Smith posted a few years ago how to implement your own custom authentication for specific URIs using the Grails Spring Security core plugin.
What he outlines there is very similar to what you will need to do:
Create a custom authentication object to hold the request.
Create a custom authentication provider to authenticate the request.
Create a custom security filter to apply to your URIs.
You should also note Burt's comment on the mentioned post about how to register custom authentication filters. This eliminates some of the code Glen provided.
Your implementation will be slightly more complex since you will need an additional filter to catch an authentication failure and route the user to the special login page. This is where things get quite tricky, but with the information above you should be able to get started and ask questions as you hit roadblocks.
I am using Spring security core & Spring security UI in my project. I have a requirement in which i need to create 2 different type of users: Sellers and Buyers. When user goto home page he can select what type of account he wants to create either buyer or seller.
What i have to do it make it work with spring security UI plugin. Do i have to create different Registration pages for different type of users. But then how i can assign roles at the time of registration.
I checked various questions posted before posting this question and could not find the right answer. I am new to Grails and will appreciate if Grails experts can help me with this issue.
I hope I have understood your question, I was a bit confused about mixing login with registration in your question.
Once you have created your user create UserRole based on the selected role, either ROLE_BUYER or ROLE_SELLER. This can be done in UserController create method.
As for login you don't need to have two different logins, you can always create a filter, interceptor, or any aspect oriented technique to intercept the request and redirect user to the proper section of your site. This way you're authorization is loosely coupled. Imho, there is no need to use Spring Security UI for authorization specific goals. Spring Security Core does much better job wrt url mapping/annotations.
I have some question that depends on initegration Spring Security 3 and CAS technology.
I know that SS gives me abilities to setup CAS auth with some providers and filters. But I didnt see examples that describe how can I use my custom login form or page.
CAS gives options to setup custom design of login page, but this solution isnt for me.
I need to implement pop-up login form in my applications. This is requirement and I can`t change anything.
So, my question is:
How can I integrate Spring Security and CAS with my custom login form/page?
Give me some examples or thematic links about this question, please.
Or maybe I mustn`t use CAS. Maybe some OpenId techonology?
Thanks!
One of basic principles of CAS: actual application does not know anything about user password. So if you absolutely want to have login page with password then consider using some other technology. For example if you can add for each your application a sub domain then authentication based on domain coockie will be good enough (consider Google with docs.google.com, mail.google.com, etc...)