HMAC seems to be the ideal security for a stateless webapp, storing nothing in server sessions.
But is it possible to integrate HMAC auth with Spring Security auth ?
I am currently using Spring Security 3.1.0
Related
We have a large stateful Symfony 3.4 web app that stores sessions to the database.
We are looking to gradually move to microservices and we have started by creating an external authentication service in node.js
Part of the optimisation is to remove the user authentication/authorisation from the session in the Symfony app, and initially store the user authentication on the client browser using the JWT stored in a cookie on the client, with a view to potentially storing the user roles/authorisation in the JWT.
There seem to be a number of articles against implementation of JWT for this, and that we are susceptible to CSRF attacks etc, but these articles seem to be old and there are other guides insisting it is safe.
Are there alternatives to using JWT to achieve a stateless approach using Symfony, but still passing through Roles and other data?
Seems like SignalR only accepts Bearer/JWT tokens. Is there support for SAML?
If you implement SAML in your webapp, the webapp will issue a cookie based on successful authentication. SignalR will piggyback on that:
In a browser-based app, cookie authentication allows your existing
user credentials to automatically flow to SignalR connections. When
using the browser client, no additional configuration is needed. If
the user is logged in to your app, the SignalR connection
automatically inherits this authentication.
Is there a way to authenticate a user with SAML token using firebase as a backend? The company I am working with requires that SAML is used within the authentication system and I am not sure if this is possible with firebase as a backend.
Thanks
Maybe new GCP service "Cloud Identity for Customers and Partners" (in beta for now) could help you.
Cloud Identity for Customers and Partners (CICP) provides an identity platform that allows users to authenticate to your applications and services, like multi-tenant SaaS applications, mobile/web apps, games, APIs and more. CICP is built on an enhanced Firebase Authentication infrastructure, so it's perfect if you're building a service on Firebase, Google Cloud Platform (GCP), or on another platform, and need secure, easy-to-use authentication.
You can check SAML provider, Firebase is behind the scene.
This guide shows how to enable an existing web application for Security Assertion Markup Language (SAML) 2.0, with Cloud Identity for Customers and Partners (CICP). This will include accepting SAML assertions from identity providers (IdP) as a SAML service provider, verifying their contents, and producing a lightweight JWT that you can use in your application to verify authentication and perform authorization.
Hope it will help.
Updated on February 25th, 2020 :
I published a tutorial on how to integrate SAML authentication with Firebase and Angular app.
You can now use SAML provider with the new Cloud Identity platform. This platform works in combination with Firebase too.
Check Thierry's answer for more details.
Old/outdated answer below:
At the moment there is no built-in SAML provider for Firebase Authentication. See this discussion on the firebase-talk mailing list. From that post:
To support SAML authentication with Firebase Auth, you need to use custom authentication.
When the SAML response is posted to your server, your convert the SAML assertion to a custom token (minted via Firebase Admin SDK) and then pass that token to the client where you signInWithCustomToken. You can add any additional SAML claims to the custom token claims and they will propagate to the Firebase ID token JWT.
It's a valid feature request though, so I highly recommend to file a feature request.
I am new on a client project, which was created via oasp4j, and which relies on Spring Boot.
The client project, uses Spring Security, Spring MVC and the login is based on LDAP AD, the project works;
My task is to set up a single user authentication (SSO), and for now I can not find a good track to start it.
I had read articles about CAS, SAML, OAuth2, Waffle, SSOCircle and Kerberos, and I can not really pick one of them, and how to set it up with the Spring-Boot configuration.
https://spring.io/guides/tutorials/spring-boot-oauth2/
http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/
https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v
Any idea how to proceed if I want to implement them with Spring Boot configuration and wich solution is better and simpliest than others ?
secondly Is what if I choose CAS as authentication server, after that, will my users be able to access the other application of the company that uses another authentication server ?
thank you
When using an SSO, it's the SSO system which will be connected to the LDAP AD and your web applications will be connected to the SSO. The CAS SSO server can handle that.
To secure your webapps, you can use the spring-webmvc-pac4j security library for Spring MVC or the spring-security-pac4j security library built on top of String Security, both working with the CAS protocol.
I am confused about authentication with BlazeDS. Most of the few examples I have found for authentication and authorization in BlazeDS and consequently Java Servlets in general make use of HTTP basic and digest authentication and realms for authorization. These examples are very simplistic and involve XML files with the user credentials rather than using a database. My past experience in web applications used form based logins and sessions for authentication and authorization, but I am not sure how to do this with Flex apps with BlazeDS backends.
What I want to do is have some way to access some service on the backend to handle authentication like an HTML form and some way to store session data in a cookie for authorization, but I am having trouble finding relevant details using cookies in BlazeDS and Flex applications.
If HTTP authentication with either basic or digest authentication is the best way, then is there any resource to find out how to authentication users with the credentials stored in the database rather than an XML file?
I am not particularly interested in web frameworks since I would like to understand how to authenticate/authorize users with a plain Servlet and BlazeDS.
Authentication with BlazeDS and Flex is no different than with traditional web apps. Flex uses the same networking stack as the browser. So just follow instructions for securing your app server and then it should just work. If you want to have the login form in Flex then you can just send the credentials to j_security_check (for form based auth). Alternatively you can call login on the channelSet. Spring Security and Spring BlazeDS Integration M2 makes this very easy. Check out the Test Drive for a great sample (the usernames and passwords are still in an XML file but you can easily following the Spring documentation to move those to a database or LDAP server).