I'm new at Spring Security. I've read the docs and I have two questions, in order to integrate it in my webapp:
(1) I use Hibernate. Is it better to config the authentication customizing the authentication provider by implementing the UserDetailsService, accessing the Dao?
Or is it better to config it with a JDBC-user-service referencing the database connection and specifying the querys on the user and user_roles tables?
I think using Hibernate Dao is more difficult, but it would be a more database independent solution, isn't it?
(2) In either of both cases above (Hibernate vs JDBC), do I have to implement in the presentation layer the methods to login and logout? Or Spring Security framework dooes it automatically for me? I know I can use the UserDetails to know the info about the current user logged in, in order to use it in the views, for example to show or not the links for login/logout depending on wether the user is logged in or not. But what about the methods?
Any help would be appreciate. Thank you very much in advanced.
As far as I understand, implementing the UserDetailsService is more for user customization . If you can get the data by a straightforward query, use JDBC-user-service .
You do not need to implement the methods . Spring will take care of login and logout depending on your configuration. For clogoff ,you could wrap the link with 'j_spring_security_logout'
<c:url value="/j_spring_security_logout"/>">
Check the form-login element for more info . A sample is as below.
<form-login login-page="/login.jsp"
default-target-url="/welcome.jsp"
always-use-default-target="true"
authentication-failure-url="/login.jsp?error=true" />
Related
I have been trying to implement an authorisation scenario in my loopback architecture, I am well aware of the default authorisation that is being provided by loopback, but I'm using auth0 as my user management platform.
I am having user type in the auth0 metadata and now I want to allow certain HTTP methods on those particular loopback entities based on the attribute in the user object.
There might also be scenarios where for certain users I will have to hide a few properties of a model while open them up and show in case of others. If there is any other framework that might serve my purpose I am happy to restructure the whole system. Any suggestions would be helpful.
I want to avoid the user authentication part (at least for a few REST-API). How can I achieve it?
Edit SecurityConfiguration java class in your generated project and use permitAll() on the few URLs you want to unprotect:
.antMatchers("/api/myresource").permitAll()
Refer to Spring security docs for details.
I am trying to implement custom authentication using the new ASP.NET Identity in an MVC 5 project.
I have a single username and password that I want to use to restrict which pages of the website the user can see via [Authorize] tags on controllers and views. (Easy)
I am migrating from a FormsAuthentication model whereby this was as simple as putting the credentials in the web.config.
Because I only have a single username and password I don't want to use a database as the UserStore, instead I want ASP.NET Identity to retrieve the username and password from a custom configurationsection in the web.config (don't worry about that part).
After much search, I can't find a code sample that doesn't rely on a database for ASP.NET Identity authentication.
So i'm looking for a code sample that at the point of authentication, the user can put in custom code to check the username & password against the credentials in the custom ConfigurationSection of the web.config.
Can someone please point me in the right direction thanks.
Update : I've tried looking at this code sample but it doesn't even compile out of the box.. poor.
http://code.msdn.microsoft.com/Simple-Aspnet-Identiy-Core-7475a961
Update : The reason that I don't want to use FormsAuthentication is that I am writing a NuGet package that will be installed into a web application. One of the things the NuGet package will do is create a custom ConfigurationSection in the web.config that includes (among other things) a single username and password. I thought this would be safer as it wouldn't alter any existing FormsAuthentication settings currently in the target web application.
Update : I think I have got it working. Will post findings soon.
-- Lee
You don't have to migrate to Identity framework, FormsAuthentication still works. And Andrew is correct, using Identity framework makes little sense here, since it is all about managing users.
However, if you insist on using it, you can implement your own UserManager and IUserStore. Some guidance can be found in Scott K. Allen blog post. See the links on the bottom - samples of implementations - you can take some of these and convert to your needs.
I would imagine your IUserStore will be simple, because there is only one user and most of the methods don't have to be implemented. And for the ones required (I think you'll need FindUserById and related) you'll need to reach to web.config via ConfigurationManager
I'm struggling with a custom authentication mechanism for Symfony2.
What I want to do:
I need a modified behaviour of the regular UsernamePasswordForm based authentication. The only modification required is, that the credentials aren't checked against the database, but some custom unix auth deamon. The users themselves are still located in the database.
What I did:
I played around will a full fledged custom authentication provider based on this Symfony cookbook entry and will most parts just extending the different UsernamePassword classes, but it didn't work out yet. I had especially some problems setting up the AuthenticationListener in the service configuration as the UsernamePasswordFormAuthenticationListener has a lot of required parameters. Currently I'm not sure if it will work out at the end, cause I've got some issues with our database setup.
What I need:
Is there a simpler way to modified the default login form without the complete requirement of a full AuthenticationProvider? Imho it's a quite common issue to have some custom modifications in the default behaviour.
Would be happy about any ideas or hints.
I have not tried this myself but you should be able to insert your own AuthenticationProvider by setting a paramter:
security.authentication.provider.dao.class:
..Security\Core\Authentication\Provider\MyDaoAuthenticationProvider
Your provider would extend the Dao and overide checkAuthentication.
Again, I have not actually done this and the security system is very touchy so it may or may not work.
Answering my own question: I finally managed to solve my issue thanks to this blog post showing a solution. The basic idea is to extend the default form login authentication and "steal" its listener. This way you can reuse most of the existing code. The critical parts are the creation and configuration of an AuthenticationProvider and a SecurityFactory. And don't miss to use your own provider key instead of form_login in the security.yml.
In the blog post the author creates his own UserProvider, but it's working with just the default database one, too.
I've been a little puzzled with this as I have not seen many examples that gave me the complete picture. The best explanation I found so far is this.
By defining a security role in web.xml such as "admin" for example, and having my login form with all the necessary fields (i.e j_security_check as action, and fields j_username, j_password), how/where does the actual authentication occur?
I plan to use a custom authentication using username/passwords (hashes) stored in the database. When the user submits the form, how do I make the Java EE Web Container invoke my sevlet/bean method do perform the actual authentication? I didn't notice any place to add a hook to my code in web.xml which would do the actual authentication.
By defining a security role in web.xml such as "admin" for example, and having my login form with all the necessary fields (i.e j_security_check as action, and fields j_username, j_password), how/where does the actual authentication occur?
In the servlet implementation, the servletcontainer. In Tomcat for example, it's done by the AuthenticatorBase class (source code here).
I plan to use a custom authentication using username/passwords (hashes) stored in the database. When the user submits the form, how do I make the Java EE Web Container invoke my sevlet/bean method do perform the actual authentication? I didn't notice any place to add a hook to my code in web.xml which would do the actual authentication.
If you'd like to keep using container managed authentication, but instead want to check the login against a database, then you need to configure the so-called "realm" accordingly. It's unclear which servletcontainer you're using, but in for example Tomcat, the documentation is available here: Tomcat 6.0 Realm HOW-TO.
If you really want to have your own homegrown authentication system invoked instead, then you need to drop the container managed security and homegrow it further. Which is not recommended.
The actual authentication is doing via either two ways:
Via a Server Proprietary way, e.g. the *LoginModules in JBoss, or the Tomcat one BalusC mentioned. These are different for each Server.
Via JASPIC, which was introduced in Java EE 6.
JASPIC pretty much has standardized the proprietary methods, but it's a fairly low-level API and unfortunately only available for full profile Java EE 6 and 7 implementations.
See Implementing container authentication in Java EE with JASPIC for more details.