I've got the Spring Security preauthentication sample configured and working with JBoss. The next step is to somehow get the user information into a flex client GUI.
What are some methods that will let me get the Authentication or UserDetails object that's created by spring-security on http access into the flex client? Since I'm logging in externally, I can't use channelset.login(), right? All the examples I've seen so far assume that the user logs in manually through the flex client, but the requirement is for container-based authentication.
Using flex3, spring 3.0.4, spring-security-3.0.3
If you use spring-flex together with blazeds for the flex to java http plumbing,
then what you have to do is to :
enable the Spring Security filter chain in web.xml
secure your blazeds service with your expected security constraints
make your spring-security AuthenticationProvider use your authentication mechanism
There is an article on Adobe DevNet covering this topic:
http://www.adobe.com/devnet/flex/articles/flex_security.html
Use PreAuthenticatedAuthenticationProvider as your authentication provider. Flex sessions will automatically map 1:1 with HTTP sessions, and you can access the authentication object using a session-scoped call to SecurityContextHolder.getContext().getAuthentication()
Related
I'm new to Vaadin Flow and I'm trying to port an android application, in which Firebase is used as the only authentication provider. My (dumb) problem is that I can't find any resource or binding to Firebase API. Have some of you succeeded in using Firebase auth in a flow project ?
I created this example application couple of weeks ago. It user Firebase Authentication and it's JavaScript library to do authentication. Then the JWT token is sent to the Vaadin Flow server, validated and stored so that it can be used to detect who the active user is.
https://github.com/mstahv/vaadin-firebase-auth-example
Are you using Spring for security, or your own solution?
If you're using a custom solution, maybe the reply in this thread is of use
Firebase user authentication for java application (Not Android)
The token can be saved in the session and used as you wish.
Here's a question that might be relevant if you're using Spring boot
How to use Firebase with Spring boot REST Application?
I am currently working with a liferay portlets. Spring security is used on the Rendering layer( in jsp pages). However, it is not safe, because my dispatch controllers and services do not have any security/authorization checks.
In my application, Spring-MVC controller receives the request, and passes to the Service Layer. Service Layer builds the result and passes it to the JSP pages. In jsp pages we have the security authorization using spring-security taglibs.
I want to know the following:
Best practises regarding implementing authorization for portlets.
Which is better choice to implement security either on Dispatch layer or Service layer?
How to implement security for dispatch layer or service layer?
Please consider that I have security in my application on use-case bases.
Thank you!
My favorite answer matches here: "it depends".
Here's what it depends on:
Liferay defaults to the *LocalService being without any permission checks - e.g. if you have access to the API, you get to do whatever you want. The remote services however are supposed to check permissions before they delegate the actual execution of a service to the local services.
If you want to use Liferay's permissionChecker (which is readily available and runtime-configurable), you should do this in the non-local service methods. I tend to recommend this, as you'll be able to tap into Liferay's permissioning system - and you already have the user identity, roles, memberships etc. managed by Liferay anyway. Create a custom role, grant custom permissions and you have everything configurable at runtime.
Secondly, while you definitely want to check the permissions in the backend services, you'll probably want to do it again on the UI layer: If a user is not allowed to manipulate some object, you don't want to display the button that suggests they can change it, only to get a "permission denied" reply.
That being said, I've never tied spring security (especially the taglibs) to Liferay's permission system.
I am confused about authentication with BlazeDS. Most of the few examples I have found for authentication and authorization in BlazeDS and consequently Java Servlets in general make use of HTTP basic and digest authentication and realms for authorization. These examples are very simplistic and involve XML files with the user credentials rather than using a database. My past experience in web applications used form based logins and sessions for authentication and authorization, but I am not sure how to do this with Flex apps with BlazeDS backends.
What I want to do is have some way to access some service on the backend to handle authentication like an HTML form and some way to store session data in a cookie for authorization, but I am having trouble finding relevant details using cookies in BlazeDS and Flex applications.
If HTTP authentication with either basic or digest authentication is the best way, then is there any resource to find out how to authentication users with the credentials stored in the database rather than an XML file?
I am not particularly interested in web frameworks since I would like to understand how to authenticate/authorize users with a plain Servlet and BlazeDS.
Authentication with BlazeDS and Flex is no different than with traditional web apps. Flex uses the same networking stack as the browser. So just follow instructions for securing your app server and then it should just work. If you want to have the login form in Flex then you can just send the credentials to j_security_check (for form based auth). Alternatively you can call login on the channelSet. Spring Security and Spring BlazeDS Integration M2 makes this very easy. Check out the Test Drive for a great sample (the usernames and passwords are still in an XML file but you can easily following the Spring documentation to move those to a database or LDAP server).
We can successfully consume a .NET 2.0 web service from a Flex/AS3 application. Aside from SSL, how else can we make the security more robust (i.e., authentication)?
You can leverage ASP.Net's built in session management by decorating your webmethods with
<EnableSession()>
Then, inside your method, you can check that the user still has a valid session.
If you're talking about securing the information going over the wire, you can use Web Service Extensions (WSE) to encrypt the body of the soap message so that you don't have to secure the channel. This way the message can get passed around from more than one endpoint (ie. it can get forwarded) and you don't need multiple https certs.
If you're talking abut autentication then you could do forms auth with either a password in the body or in the soap headers (once again either encrypt the body or the channel). Or one of the easiest ways to secure a webservice (if it's an internal set of services) is have IIS do it, turn on NTLM and do authentication there. You can do authorization later on in the pipeline with an HTTPModule that checks peoples credential against the code they're trying to call.
Consider using WebOrb to communicate with your service. Here is some information on WebOrb's authentication mecahnism. There is also an article on Adobe's developer site on using WebOrb and .Net for authentication.
You should be able to use asp.net's authentication (such as forms authentication) without much extra effort. Securing an asmx file is just like securing an aspx file. There's a ton of information on forms authentication out there, just search for 'asp.net forms authentication'
If you are using Microsoft technologies you could build a little Asp.Net/C# application that would ask for credentials before redirecting to the correct swf.
That way you could restrict the access and have different swf file depending on the user.
I am using Spring MVC project in the server to provide APIs to access data from both mobile-app and web-app.
Done research on security with Oauth 2.0 and thought Authorization code flow is suitable for both app's mentioned above, but little confusion on that. Can anyone tell which flow is best suitable for this type of scenario?
info:I need to implement Oauth 2.0 in server-side(Spring MVC project deployed in AWS).
If you are implementing your own authorization server and you already handle your consumerDB, I don't think you need an authorization code grant type of oAuth2. You can use Client Credential or ROPC. Authorization code is used when the log in is handled by a 3rd party (auth server).
There are 4 grant types in oAuth2 which is meant for different scenarios.. Refer : Securing an existing API with our own solution