Is there a substitute for spring security in Node.js. I know of express and passport, but passport provides authentication only. It does not feature "forgot password", "reset password" or crud operations for User and Role.
In other words, passport lacks of a number of commonly used features that are provided by spring security. Is there any Node.js library that provides these features.
I know it's already mentioned in the question but for anyone else brand new to Node coming here from google and skipping right to the answers like I did:
http://www.passportjs.org
Looks like the most widely used free library that is somewhat comparable to Spring Security, although as the original question points out it is only focused on authentication so it doesn't cover every feature Spring Security has (like role based authorization).
https://auth0.com
https://stormpath.com
and tons of others. Just google "User Managment" node.js
Or at the end of the day write you own. Writing user management is sails takes about an hour and they have integration with things like Mandril for sending forgotten notices.
Although spring security is one of the bests open source security frameworks, the features: "forgot password" and "reset password" aren't implemented by default. You will need to create your views pages and controllers for it. The default User and Role are very basic models of security that are recommended just for a very basic web apps. In most cases you will need to save and manage it in your database and customize all features for reset and forgot password. It can become very complex as you customize your security rules.
For node there are so many options out there, I agree with #KPD the most equivalent of SpringSecurity is passportjs (18.7k stars on github), although it is much simpler than SpringSecurity, sometimes the secret to success lies in simplicity.
Related
I'm designing my user authentication system using Node.js/Express, and as I've been searching the web for authentication strategies, I noticed that a lot of developers recommend passport.js for helping with authentication.
My authentication will only ever use a username/password strategy with JSON web tokens. Under that assumption, it seems like I have to manage the entire authentication myself: I check the username and password against the database, and I check and attach JWTs. It seems like Passport only wraps my work inside it's own functions.
With only a username/password strategy, what use is Passport? What does Passport provide in this scenario that is of any real benefit over me just performing the authentication without it?
Passport give you more flexibility and scalability. Now, you need one specific strategy, but in future you can add additional or remove old one. Using modules like passport you cause that your application code is independent of some processes. It is almost like dependency injection, you inject strategy in opposite to hardcode this.
I thing, that good application should have as much as possible functions/modules, that allow to inject polices/strategies. Separate modules is also nodejs/express style.
If you code your authentication in same style, then it is super (but why reinventing the wheel).
Using passport you can inherit from base Strategy and create new one strictly for your needs and use it with other strategies.
Never. Ever. Implement. Your. Own. Security. Framework
Unless you actually want to implement a framework and you have all the resources in the world to do that, all the required knowledge and the key people ( like OWASP ) & etc etc.
Use existing lib for your project
Use a library, or a framework, that's open source and battle tested. Yes it will not be perfect and will have limitations. Yes it may not be the most secure code ever. BUT it will be much better than your own, especially if you're starting from scratch.
Then follow best practices for CSRF, XSS, DDoS & other kind of attack prevention.
I've developped a REST based service using Express and initially started implementing authentication myself. A simple username/password authentication where
passwords are encrypted using BCrypt
user info + hashed passwords are stored in a mongoDB
password verification checks are done.
authentication tokens (limited TTL) are generated / validated
I have some knowledge on Node.JS, but not nearly sufficient to make me feel comfortable about rolling out my own authentication (login/signup) mechanism.
For that reason I would like to replace my in-house mechanism with something else.
Something proven, extendable, pluggable and easy to use.
Given the amount of secure websites / REST APIs out there based on Node.JS, I'm sure there are out-of-the box solutions that people / companies have to offer that can get service implementors up and running very quickly, without having to worry about the security/user aspect.
I'm looking for an even higher level of abstraction than that of libraries like passport or everyauth. Something that provides out-of-the-box functionality, capable of fulfilling my requirements including :
providing a login page / signup page / profile page
different authentication modules (google,facebook,github,....)
storing user info (+credentials if required) in a datastore (mongoDB).
remember me
forgot password / reset password
So the question here is :
Are there out-of-the-box solutions like that available that offer a higher level of abstraction than passport/everyauth/... ?
If any, would you recommend some of these out-the-box solutions ?
Should I instead forget about the notion of outsourcing my user authentication and just start looking at passport and everyauth and start implementing my requirements using those libraries ?
Is it possible to focus on my business logic and not worry at all about any aspect regarding user authentication (writing login / signup pages , implementing forgot password / reset password flows, storing user info in the DB).
The service API should largely live independent of your authentication mechanism, so I'd recommend starting this behind a simple password protected folder or some such. In my opinion it would be better to make sure you're API works and can gain traction. Meaning it'll be more a long term project. Nothing kills a project quicker than focusing on the painful stuff right out of the box.
As far as what service to use? It's non-trivial to setup security well. So for a small startup project, it's probably more cost-effective to integrate with another service. Might take a look at Mozilla Persona. It's built on Node and pretty straight forward.
If you do try to roll your own get some outside expertise, and DON'T do stupid stuff like use a hashing algorithm like SHA1 to store passwords. Instead use something like bcrypt. Then there are other things like, don't store server logs on the server they're created. Pipe out all logs elsewhere so if there's an intrusion you have a forensics trail back to what happened.
I guess you could use https://stormpath.com/ . I'm looking for a free alternative myself..
For 90% of every security-related Grails tutorial, they tell you to store your User objects in a session-scoped variable. That's all nice and easy, but I wonder if it's too good to be true, especially with plugins like Spring Security that offer many times more features.
For the simple, "I am a user and therefore I am entitled to view/edit my own domain objects" applications that I develop, I store my User objects in a session. However, this got me thinking how Grails supports J2EE security and sessions in its own implementation (it does use a temporary session ID in the cookie, right?). Furthermore how vulnerable is it to attacks like cookie injection and cross-site/stray JS?
I don't want to actually invest the time in learning, integrating, and maintaining a plugin for an app that might not need it, so my question is, is Grails's session implementation secure enough for simple applications, and is there a very good reason I should use a security plugin even for these trivial tasks?
On a side-note, if anyone can point me to a good OpenID/Facebook login implementation, that would be terrific.
Regarding security concerns I would always suggest to prefer proven and widely adopted solutions over your own rolled security implementation. Spring Security was founded in 2003 under the name Acegi and brings you more than eight years of experience and development for your security concerns.
As you already pointed to the Grails Spring Security plugin you should have a look at the OpenID plugin Spring Security OpenID which extends the Spring Security Core and brings you the OpenID support.
reason I should use a security plugin even for these trivial tasks?
... on a basic level it's also trivial to use the plugin so what's there to lose? Screencast to get you started
I'm working on a web site and I plan to use strictly OAuth in for user authentication. I've never implemented session management/user authentication before; and so - naturally - I'm reading up on a lot of how tos to get this done.
The problem I'm running into is that a lot of examples out there for doing things like setting up your realm, authenticator, etc etc seem to rely on the user/password paradigm for authentication. The whole point of going for OAuth is to avoid this in the first place!
That being said; I'm actually not looking for examples of full OAuth implementations right now. I understand that I need to understand that for myself. BUT with a future OAuth implementation in mind; how should I structure my user authentication/session management FOR THE TIME BEING in a way that will allow me to move forward on developing the functionality on my site that I really care about? I suppose I could throw some stuff together for that; but I'm just afraid that down the road I will be shoe horning an OAuth implementation as opposed to do something now which allows me to lay down the basic framework for it and then move on to other things.
So; does anyone know of a good example of laying the groundwork for OAuth on Tomcat 7? For example, which authentication mechanism (Basic, digest, etc) I should use or how I should represent user credentials in my database?
I know that this is kind of a vague question; so I'm not expecting someone to come out and tell me all of the answers I need to know. I'm just looking to get pointed in the right direction here.
Perhaps Spring Security would be useful? Your webapp could leverage Spring Security and use whatever login mechanism you need (i.e., you could do the default form-based authentication or Basic Auth for now, and replace the login/auth piece with an OAuth implementation when you're ready), but still have Spring Security manage authorization to particular resources in your webapp.
Someone has also built OAuth for Spring Security, so it may be a useful addition to your web app all around.
Even though there are many good CMS tools out there, I've decided to roll my own tools for my website to get some hands on experience. The only thing that is currently eluding me is how to add authentication to secure the administrative tools.
I'm the only one who will be using the administrative tools, so I don't need something as complex as a full-blown log-in and registration system. However, I also don't want to rely on security-through-obscurity and use random page names and such to hide the tools.
What are my options?
OpenID is probably your best bet.
To utilize it for one person as you suggest, just check the username that is authenticated. Yeah, that would amount to hardcoding, but if we're creating a system with only one valid login name, there's no need for anything more complicated.
But creating the alternative shouldn't be that bad. You could also just create a table of roles, and do a query against that table to see if the currently logged in user is an admin. If you want to be fancier later, you can later add different users and roles.
How the users and roles get into the table is up to you.
1) Simply use "WWW-Authenticate: Basic" see Wikipedia for an idea and the related RFC for details.
2) Enable SSL to ensure your cleartext password is encrypted.
SSL is quite standard on web servers. You can even self-sign your certificate.
This will depend in part on what platform will be used by you and your web host. A given platform will likely offer one set of choices that will be easier to access than others.
For instance, ASP.NET running inside of IIS offers Forms, Basic and Windows (NTLM) authentication, as well as certificate-based authentication with the ability to map client certificates to Windows users.
You could certainly implement another authorization schema in an ASP.NET application, and many do. But there happen to be this set of out of the box authentication schemes that you would not have to implement if this were your platform. I expect this is true of any other platform, including the Linux-based platforms.
Be sure to find out what's available out of the box, and what can easily be added, before writing your own.