i am new to spring security.
can anybody provide me sample application for x509 certificate authentication with spring 2.0.4
You can use the basic <http> setup to get X509 authentication:
<http>
<x509: subject-principal-regex"(.*)" user-service-ref="myUserService"/>
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
</http>
Related
I have a Spring-SAML app with Okta as IDP. I'm doing IDP initiated flow and
get this exception :
org.opensaml.common.SAMLException: Endpoint with message binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and URL https://<myCompanyUrl>.com/saml/SSO wasn't found in local metadata
When I look at my local metadata I see:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://<server IP address> :<server port>/saml/SSO" index="0" isDefault="true"/>
Looks like it is trying to match a URL containing a hostname to a URL with a server IP address. The location field is auto-generated. Does anybody know what configuration option affects this?
UPDATE 1
here is my metadataGeneratorFilter config :
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="https://myHostname/myApp"/>
</bean>
</constructor-arg>
</bean>
All right mystery solved:
Per Spring-SAML documentation , when you are in a reverse-proxy / load balancer set up you have to make sure to specify
<property name="entityBaseURL" value="https://www.myserver.com/spring-security-saml2-sample"/>
See SPRING-SAML documentation
10.1 Reverse proxies and load balancers
I'm migrating my APIs from an older system to WSO2 APIM 2.0.0 and am trying to make the switch transparent for my API users. I already migrated my existing consumer_key/secrets.
Is it possible to customize the /token API to something else?
In my old system, OAuth tokens are managed via a path like
/oauth/client_credential/accesstoken
Perhaps it's possible to map /oauth/client_credential/accesstoken to /token so that both can be used?
If you just want to change the base path of /token api, you can either use some reverse proxy (eg. nginx) in front of api manager or create a proxy api like this inside api manager itself.
<api xmlns="http://ws.apache.org/ns/synapse" name="_WSO2AMTokenAPIProxy_" context="/oauth/client_credential/accesstoken">
<resource methods="POST" url-mapping="/*" faultSequence="_token_fault_">
<inSequence>
<property name="uri.var.portnum" expression="get-property('https.nio.port')"/>
<send>
<endpoint>
<http uri-template="https://localhost:{uri.var.portnum}/token">
<timeout>
<duration>60000</duration>
<responseAction>fault</responseAction>
</timeout>
</http>
</endpoint>
</send>
</inSequence>
<outSequence>
<send/>
</outSequence>
</resource>
<handlers/>
</api>
You need to copy this to <APIM_HOME>/repository/deployment/server/synapse-configs/default/api/_WSO2AMTokenAPIProxy_.xml
The solution Bhathiya suggested works, just had to tweak the proxy endpoint
<api xmlns="http://ws.apache.org/ns/synapse" name="_WSO2AMTokenAPIProxy_" context="/oauth/client_credential/accesstoken">
<resource methods="POST" url-mapping="/*" faultSequence="_token_fault_">
<inSequence>
<send>
<endpoint>
<http uri-template="http://127.0.0.1:8280/token">
<timeout>
<duration>60000</duration>
<responseAction>fault</responseAction>
</timeout>
</http>
</endpoint>
</send>
</inSequence>
<outSequence>
<send/>
</outSequence>
</resource>
I'm trying to use spring security 4 with ldap. it works fine for the LDAP who as the basic authentication system. If I try to connect to a system that uses GSS no longer works. I think it is normal and should be specified using GSS somewhere. But where?
Below is the xml file security
<?xml version="1.0" encoding="UTF-8"?>
<beans:bean xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.1.xsd
">
<!-- This is where we configure Spring-Security -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="isAuthenticated()" />
<intercept-url pattern="/user**" access="hasAuthority('1')" />
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/planning"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"
authentication-success-handler-ref="customLdapAuthenticationSuccessHandler"
/>
<logout logout-url="/logout" logout-success-url="/login?logout" />
</http>
<ldap-server url="ldap://192.168.2.100/DC=ciro,DC=local,DC=it?one?(objectClass=*)" manager-dn="cn=Administrator,dc=web-gate,dc=local,dc=it" manager-password="PLAIN PWD" />
<authentication-manager>
<ldap-authentication-provider
group-search-base="ou=groups">
</ldap-authentication-provider>
</authentication-manager>
</beans:bean>
Spring LDAP has never supported the GSSAPI SASL mechanism. Luckily, you can use my library to do that with Spring LDAP. The configuration is straight forward.
I use Fortify for scanning code and got this problem by recommend
Recommendations: Utilize Spring Security and SSL to provide authentication, authorization, confidentiality and integrity.
So I'm trying to fix this problem by implement Spring Security and basic authentication from the example guide
http://www.jayway.com/2008/09/30/spring-remoting-with-security-and-ssl/
I will get spring configuration like this
---- Server Side Configurations ---
remote-server.xml
<bean name="/testService" class="org.springframework.remoting.caucho.HessianServiceExporter">
<property name="service" ref="testService" />
<property name="serviceInterface" value="example.TestService" />
</bean>
security-server.xml
<security:http auto-config="true">
<security:http-basic/>
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service id="uds">
<security:user name="testUser" password="testPassword" authorities="ROLE_ADMIN, ROLE_MANAGER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
--- Client Side Configurations ---
remote-client.xml
<bean id="rcaRemotingService" class="org.springframework.remoting.caucho.HessianProxyFactoryBean">
<property name="serviceUrl" value="${endpoint.url}/testService"/>
<property name="serviceInterface" value="example.TestService"/>
<property name="username" value="${endpoint.user}"/>
<property name="password" value="${endpoint.password}"/>
</bean>
But it doesn't work, the tools always hilight the problem like this
Abstract: On line 5 of remoting-servlet.xml, the application exposes
spring beans as remote services. By default, these remote services do
not require authentication and information transferred to or from this
service is in clear text. This could allow an attacker to access
privileged operations or expose sensitive data.
Sink: remote-server.xml:5 null()
line 5: <bean name="/testService" class="org.springframework.remoting.caucho.HessianServiceExporter">
<property name="service" ref="testService" />
<property name="serviceInterface" value="example.TestService" />
</bean>
I have spring basic authentication working on tomcat.
When I loaded the application on WebLogic 12c it suddenly stopped working, some research suggested I put <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials> in the config.xml file of the domain to stop WebLogic intercepting the AUTHENTICATE header.
It now works if I access via the ip address
//basic spring authentication works
http://123.456.789.111/mycontext
but not via localhost
//can no longer login to the application
http://localhost/mycontext
Does anyone know how I can fix this?
UPDATE - spring security configuration
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/resources/**" security="none"/>
<http pattern="/404" security="none"/>
<http auto-config="true">
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/logout" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/endpoints/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<logout logout-success-url="/logout"/>
<form-login
login-page="/login"
authentication-failure-url="/login?login_error=1"
default-target-url="/dashboard"
always-use-default-target='true'/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="test" password="pass" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>