I am developing a web app using SpringMVC. The app should manage several users with these traditional operations (for each user) : registration- login - logout - update account - etc...
So, my questions are:
Is Spring Security enough to manage these operations for several users ?
What is the best way to proceed?
Many thanks
This is what spring security meant for, it will work like a charm.
Follow this link for a simple example.
http://websystique.com/springmvc/spring-mvc-4-and-spring-security-4-integration-example/
Related
I am developing a web application using Spring MVC. Since I am kind of done with the the basic functionality, I was going to add user management. By this I mean that I have to extend the logic of the application to support several users. However being new to Spring MVC I am lost... How and where to add session management? How to change my controllers? Could anyone please suggest a good resourse? Tutorials which I find on the Internet mainly deal with page access by using Spring Security. I need more than that. Thanks in advance!
This tutorial http://www.mkyong.com/spring-security/spring-security-form-login-using-database/ gives a good step by step direction on how to use spring security with a database based on user roles. I am not sure exactly what more you want that needs to be directly addressed in your question. The good thing with spring security is that you don't need to change your controllers. It uses a simple xml configuration and is independent of the platform you use.
I'm working on sample webapp that I'm supposed to show to my CTO.
It's basically a spring-mvc HelloWorld kind of thing whose only request is that users (in order to actually get to see "hello world!") need to login into it using their twitter account.
I find it amazingly hard to set it up.
I'm tangled among 2 different docs (spring-security and spring-social-twitter) and I'm now wondering whether I should actually go checkout spring social oauth.
Any help will be much appreciated.
There are a few projects on GitHub that you can use for example code. The first is "Spring Social Security":
https://github.com/socialsignin/spring-social-security
This is a library you can use for implementing Spring Security using Spring Social as basically the "back end" system for your webapp's user accounts and login. There is a demo webapp using it here:
https://github.com/socialsignin/spring-social-security-demo
You may be able to just drop this library in, though I haven't tried it yet so I'm not 100% sure.
I also have a demo webapp that integrates Spring Social and Spring Security but a little differently. The idea is to add in Spring Social to an existing app that already implements Spring Security with its own user accounts and login info stored in a database.
https://github.com/sdouglass/spring-security-social
I would like to know what's the best way to deal with authentication in Asp.NET MVC 3 from multiple sources like :
custom Form authentication social
networking (Facebook, twitter, etc.)
other ?
I found this link : Looking for a .NET library to do authentication that support multiple sources but would like to be sure if there is some more means to make authentication since that question was asked.
I don't want to be tightly coupled to one specific provider so maybe I should write some wrapper around it, but if you have some guidance, it could be nice to hear from your experience.
Thanks
The popular social networking sites (such as Facebook and Twitter) implement the OpenID functionality; and you can your own authentication to use OpenID. You could implement your own OpenID Membership Provider.
On a side note, it means you could authenticate users on StackOverflow too!
Let me know if I can help.
Matt
You might want to look into using Windows Identity Foundation
I started on Spring a few months back and the Security topic seems the most complex to me. With Acegi moving into Spring I could not find a single tutorial that tells step by step way to add security to a Spring app. Please help me. My requirements are as follows:
I have several roles in application, they are not hierarchical roles (meaning Role A not necessarily have all roles of Role B etc).
I want to integrate it to use my own User table where I would store Username, encrypted password (one way encryption) and I want to use either Hibernate or any Spring inbuilt component (read the class name JdbcDaoImpl somewhere, have no clue how to use it though) to access the DB data.
I probably don't want method level security because I want to use Spring taglibs to selectively show/hide menu items, however there should be way to prohibit unauthorized user to access a page directly through URL.
I don't want ready made code, (this tutorial for example confused me to hell, since it doesn't even have Spring security name-space declaration in security.xml), I would appreciate rather a step-by-step guide on how to achieve the above in a Spring2.5/Hibernate3 application using Spring security.
Thanks for your time.
Well without knowing what you've already read here are the articles I used to first start. Note that a lot of the Acegi Security articles are still relevant, Spring Security uses almost all the concepts from Acegi - the only thing they really added was simplifying [some] configurations - like the auto-config for security situations that exactly fit their use case.
Securing Java applications with Acegi
Acegi Security Fundamentals
Pathway from Acegi to Spring Security 2.0
Setup:
Multiple web servers with synchronized
forms authentication.
Multiple asp.net Applications running on these severs.
What's working:
SSO across all servers
Authorization using asp.net roles
What's not so good:
All roles are "global" - I have "admin-app1" and "admin-app2" etc.
Question:
I know this can be solved by defining different "ApplicationNames" for each of the different applications but what is the most easy way to compile a list of all the different applications a logged on user has a role in?
I would like to do something similar to: CurrentUser.Applications()
to get a list of "all applications in which the current user has any role".
Up to now I have used Roles.GetRolesForUser() to compile the list not very elegant or scalable.
Using the SqlRoleProvider I can hack inte the DB to get the complete list of Applications and then compile an application list for the user by query the different application's role providers. My best shot so far but it doesn't feel like the best solution...
Any hints or comments?
BR, Jens
I have come to the conclusion that this cannot be done using the framework.
Anyone who tries to do something similar e.g. buiding a dashboard of all asp.net applications hosted has either to maintain the list of applications separately or hack into the sql tables if you are using the SqlRoleProvider .
Happy hacking!
/Jens
I think ApplicationName is for completely separating applications while using the same database. Are you sure you can link users in one application name to roles in another?
Your best bet is probably to keep the same application name and implement a custom role provider.
http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx