How replacement authentication using a custom form in spring security developed by external authentication ( System that handles authenticated) communication between the two systems is performed using Oauth 2. Spring ?
I currently have functional example TONR of the spring security oauth2 modified to a protected resource application requires external authentication . The problem is that to access the resource have to go through the custom form Springsecurity and land later by the form of the external system.
Related
How to add custom claims for an application group of type "Web browser accessing a web application - Client-Server application" in the provided token?
I'm building a web app using an Angular client and .NET Core Backend. I've managed to authenticate the client, but i can't use explicit authorization roles for controllers since the token doesn't provide those roles, e.g.
[Authorize(Roles="Admin")]
Yes - you have to augment the id_token as per this.
But in order to do the "Roles=Admin", you have to have a claims rule that sends the groups as a claim type of "Role".
We want to build one spring MVC based application which will support below use case:
User access the application URL to login into application.
Once the valid credentials are entered to login into application, the user can access any of the service provider application for performing SSO.
On the access of any service provider application the SAML response should be generated and post to the Service provider ACS(Assertion consumer service) URL.
Also in addition to IDP initiated SSO, it should also support SP initiated SSO where the authentication request will we posted to the application login page, after valid credentials are entered by user, the application should redirect to service provider(which have posted the authentication request).
The application should have its own login page and authentication mechanism, it should not redirect to any other identity provider for authentication.
Should we use normal Spring MVC based application which will generated the SAML response using open SAML library, or any other SAML builder can be used for satisfying the above use case.
This basically means
- your app bundles a SAMLv2 compliant IdP (please don't try to build one yourself based on some SAML lib)
- your app calls an API of the IdP for authentication and issues a session token the IdP will recognize later on (otherwise authentication will always happen again when another application (acting as SAMLv2 SP) wants to perform SSO
Issue with the latter: The "token" will most likely be a cookie and then the restrictions of the cookie spec apply. This means you can only use host-based cookies (which security mandates) if your app and the IdP are deployed behind the same 'FQDN' (e.g. by using an HTTP reverse-proxy)
Another issue: How does your app know when the show the 'login screen' if the user actually has a valid session with the IdP because SSO was started at a different SP?
SAML way: You would first have to do a 'passive AuthnRequest' to check this.
Conclusion: Your use case can be achieved, but the effort seems quite high. I'm not aware that there is some lib/framework, which would offers this at the moment OOTB.
I am new on a client project, which was created via oasp4j, and which relies on Spring Boot.
The client project, uses Spring Security, Spring MVC and the login is based on LDAP AD, the project works;
My task is to set up a single user authentication (SSO), and for now I can not find a good track to start it.
I had read articles about CAS, SAML, OAuth2, Waffle, SSOCircle and Kerberos, and I can not really pick one of them, and how to set it up with the Spring-Boot configuration.
https://spring.io/guides/tutorials/spring-boot-oauth2/
http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/
https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v
Any idea how to proceed if I want to implement them with Spring Boot configuration and wich solution is better and simpliest than others ?
secondly Is what if I choose CAS as authentication server, after that, will my users be able to access the other application of the company that uses another authentication server ?
thank you
When using an SSO, it's the SSO system which will be connected to the LDAP AD and your web applications will be connected to the SSO. The CAS SSO server can handle that.
To secure your webapps, you can use the spring-webmvc-pac4j security library for Spring MVC or the spring-security-pac4j security library built on top of String Security, both working with the CAS protocol.
I have an angularJS application that communicates with a Symfony2 REST server
both of the app & server is under my responsibility I am wondering how to login a specific user using the FOSUserBundle.
I thought about the following scenario:
Login action that will get username & password from the AngularJS application and will return to it some kind of an access_token string that will have a timeout of let's say 12 hours.
after reciving the access_token the angularJS application will use it in every single request to identify the user.
Now I wonder if this is how I should do this kind of authentication
and also how could I implement it using FOSUserBundle in Symfony2? what would be the "BEST Practice"?
For future people that ends here googling , check :
https://gist.github.com/tjamps/11d617a4b318d65ca583
that's the way to go .
Basic RESTful API with Symfony 2 + FOSRestBundle (JSON format only) + FOSUserBundle + FOSOauthServerBundle
The API we are creating in this gist will follow these rules :
The API only returns JSON responses
All API routes require authentication
Authentication is handled via OAuth2 with password
Grant Type only (no need for Authorization pages and such).
API
versioning is managed via a subdomain (e.g. v1.api.example.com)
I have created web service and uploaded on to the server .Now I want to authenticate web service to avoid use of service by other users . How can i apply username and password to block use of service from other users?
I think you should use
[WebMethod(EnableSession=true)]
On your web method. If you are accessing from the same application.
Other wise you can ask some credential in the message body.
You can user soap Header to authenticate user.
Here is a good link
If you are working with WCF, there's an easy way to implement security using X509 certificates. Implementing a binding with security mode 'Message' and clientCredentialType 'Username' it's possible to guarantee this security in a automated way.
The validation can be made through a class wich overrides a method Validate.
How to: Use a Custom User Name and Password Validator
Building Secure Web Services
Securing Your ASP.NET Application and Web Services
OR
you can use of SOAP header to make secure your web service.
Refer below link for SOAP header example.
Authentication for Web Services (using SOAP headers)
I hope it will help you.