I have developed a simple Spring boot and spring security for form login with the below configuration
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private UserDetailsService userDetailsService;
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**", "/registration").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
http.csrf().disable();
}
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}
I have also created custom userDetailsService Implementation to get the user.
Now, When I login in from a web page using a login form, I am able to login successfully and able to access secured endPoints as well(I am able to see JSESSIONID as well in subsequent response.
But when I try to login via a different service(An Android app) using httpPost with url : http://localhost:9090/login, I can see that the user is authenticated.
But I am then unable to access the secured endPoints from the android app. The response returns back a HTML string(The login page data).
I can also not see the JSESSIONID in the response.
Overall, My configuration is working fine for web pages, but unable to get it worked from other api's.
It works when you use the web page login form because your UI and server are in the same domain. When Spring Security authenticates a user I believe it adds a session id to the cookie header so it is able to authenticate every request after you login. When hitting your Spring API from another domain, in this case your Android App, it is no longer in the same domain, so Spring Security won't add the session id to the cookie header. So to do what you want to do I believe you have to write your own authentication filter to add a cookie or header to the request. Here is a link that uses JSON Web Tokens to authenticate an api using spring boot.
https://auth0.com/blog/implementing-jwt-authentication-on-spring-boot/
Related
I need to determine if a request is for a sandbox or production environment in a WSO2 custom handler? How can I get that information?
public class CustomHandler extends AbstractHandler {
#Override
public boolean handleRequest(MessageContext messageContext) {
//GET Environment info...
Assume it is an unauthenticated request and it doesn't contain an access token.
The environment is always decided based on the access token. If the API is open it's by default sent to the production environment. See [1].
[1] https://github.com/wso2/carbon-apimgt/blob/6.x/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/oauth/OAuthAuthenticator.java#L197
My application is integrated with WSO2 Identity Server 5.3 with SAML 2.0 using spring security saml extention, and working fine. Now I need to print user's IP address in the logs of WSO2 Identity server. Any idea how to achieve this?
Note: I have created custom authenticator and custom user store to customize the authentication process.
Solved the problem by extending BasicAuthenticator. This class has a method with parameter HttpServletRequest. Rest was easy, I got the IP and other client information and called a web services to save the same in DB.
protected void processAuthenticationResponse(HttpServletRequest request,
HttpServletResponse response, AuthenticationContext context)
I have simple method in controller class.
Class TrainingController{
def getTrainingsJson(){
def trainingList = Training.list()
println "called===="
//render trainingList as JSON
render "${params.callback}(${trainingList as JSON})"
}
}
Which gets the list of training, In my HTML page I have request as follows
<script type="text/javascript">
$(function(){
$.getJSON('http://localhost:8080/training/getTrainingsJson?callback=?',
function(data) {
console.log("success");
alert(data);
});
});
</script>
The request is served only after the login. Without the login the response will be login page HTML format.
The request is across the servers (from php to grails).
I want to ensure that secure communication must be established, So how to authenticate
through json using spring security in grails.
And How to ensure that Nobody can forge the request and get the response from the server.
And Do need to follow the REST Or Can i write the methods in existing controllers OR Do i need to create a separate controller/service for this kind of requests.
If all access is through the browser, then spring authentication will take care of it - just secure the url accordingly. All requests (including ajax) will go through the spring auth
To prevent snooping consider implementing SSL
The Spring Security plugin docs has more information on securing your application. In particular read about Authentication, IP Address restriction and Session Fixation Prevention
I am using Worklight Adapters and using Authentication based adapter, which verify credential via a third party webservice (grails server).
When testing with one user, every thing is fine, but once I start using multiple users accounts, I found that all users connect to the same session, with the same Cookie JSESSIONID
I think worklight adapter is adding cookies from previous requests, and that's equivalent to a browser connecting to différent accounts, without removing old cookies / logging out.
When debugging, I can see that I have in the authentication request response headers, when the first user login:
"Set-Cookie":"JSESSIONID=63850CB333E7C279DC6D5B1D973B21E7; Path=/"
and when the second user login, there is no longer "Set-Cookie" header in the response.
Anyone have a solution, or workarounds ?
How can I force worklight to remove existing cookies when connecting to the authentication webserver ?
In your adapter procedure you should add the attribute connectAs="endUser". This way each user will create a unique connection to the authentication backend and they will not share the same session ID.
I force a logout on window close. Something like this:
function wlCommonInit() {
window.onbeforeunload = function() {
WL.Logger.debug("logging out");
WL.Client.logout();
};
}
I have a custom salesfoce webservice, but to access that webservice we need to login from salesforce enterprise wsdl. but i dont want to add that wsdl file. Is there any way to add login function on custom webservice or login with out that wsdl webservice???
Yes, see SOAP request to APEX webservice without requiring authentication.
go into the site detail page in setup, click Public Access Settings,
and then add the Apex Class there. This is effectively granting your
anonymous running user account (guest license) the ability to directly
access this class.
There are more detailed instructions at Public Web Services via Apex and Force.com Sites.
Note that your data exposed via this web service will no longer be secure.
As you mention, you need to authenticate, the login method is not included in the custom apex WSDL, you have lots of choices, depending on exactly what sort of app you're building.
Add either the enterprise or partner WSDL to your app and call login from there.
Use an interactive OAuth flow which will result in you getting an access token & instance Url, which you can then use with the apex WSDL.
Use a programamtic OAuth flow (username/password), again resulting in an access token * instance Url which you can then use with the apex WSDL.
if you have a web based app, you can create a custom link/tab in salesforce to pass you an existing serverUrl/sessionId info.
For the OAuth flows, you would pass the received access token in your apex requests as the sessionId (just like if you got it from login), and you would combine the host name from the instance URL with the path from the apex WSDL to set the endpoint URL of your stub.