Spring Security based authentication for a REST service - authentication

I'm in the process of implementing a REST service with Spring MVC and Spring Security (both 3.0.5). I'm using the security namespace, not defining the Spring beans by hand.
I'm having some difficulties with the login process. What I'm trying to achieve is this:
a POST to a /login URL would begin the authentication process.
There should be no actual form, so I'm not using the <form-login ...> element. Without this element, the UsernamePasswordAuthenticationFilter isn't present on the security chain, so I thought I'd add it via a <custom-filter ...> element and go on from there.
That's the gist of it, now for the questions:
1) is this a good way to implement authentication?
2) how exactly should I add this filter and at what position in the filter chain?
3) is it enough to add this filter or do I need something else as well?
Any feedback is appreciated.
Thanks.

In general, if you want to customize your authentication, you should use the bean configuration. I found the namespace-based configuration suitable only for demo apps. Here are my answers to your questions:
1) As I said above, you should use beans. Check this article for more information:
http://blog.springsource.com/2010/03/06/behind-the-spring-security-namespace/
But what you are going after will also work, with the requirements you have mentioned so far.
2) It should be added like this:
<http>
<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"/>
3) Note that this filter would also perform the default redirection to the original request. So if you do not need any redirection and just a simple HTTP 200 should be returned to the client, you should implement your own AuthenticationProcessingFilter.
I hope it helps.
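As an added example (not code from the original question or answer), here is what point 3 looks like in practice for Spring Security 3.0.x: a filter extending AbstractAuthenticationProcessingFilter that handles only POST /login, reads the credentials from the request body, and answers with a bare 200 or 401 instead of redirecting. The class name, the /login path and the parameter names are assumptions; the filter still needs an AuthenticationManager injected, as described in the usage note below.

```java
// Added example, not from the original post. Spring Security 3.0.x REST login filter:
// POST /login with username/password -> HTTP 200 on success, HTTP 401 on failure, no redirects.
// Class name, URL and parameter names are assumptions for illustration.
package example.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

public class RestLoginFilter extends AbstractAuthenticationProcessingFilter {

    public RestLoginFilter() {
        super("/login"); // only requests to this path trigger attemptAuthentication()
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException {
        // Credentials must arrive in a POST body. Rejecting a query string keeps
        // passwords out of access logs and browser history (getParameter() would
        // happily read them from the URL as well).
        if (!"POST".equals(request.getMethod())) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }
        if (request.getQueryString() != null) {
            throw new AuthenticationServiceException("Credentials must not be sent in the URL");
        }
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            throw new AuthenticationServiceException("Missing credentials");
        }
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username.trim(), password);
        // delegates to the configured providers (DaoAuthenticationProvider, LDAP, ...)
        return getAuthenticationManager().authenticate(token);
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request,
                                            HttpServletResponse response,
                                            Authentication authResult)
            throws IOException, ServletException {
        // Publish the result so SecurityContextPersistenceFilter stores it in the session;
        // the base class would otherwise hand off to a redirecting success handler here.
        SecurityContextHolder.getContext().setAuthentication(authResult);
        getRememberMeServices().loginSuccess(request, response, authResult);
        response.setStatus(HttpServletResponse.SC_OK);
    }

    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest request,
                                              HttpServletResponse response,
                                              AuthenticationException failed)
            throws IOException, ServletException {
        SecurityContextHolder.clearContext();
        // Deliberately generic: do not tell the client whether the user or the password was wrong.
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
    }
}
```

Wiring (namespace configuration, assumed bean ids): declare the filter as `<beans:bean id="restLoginFilter" class="example.security.RestLoginFilter">` with `<beans:property name="authenticationManager" ref="authenticationManager"/>`, expose the manager with `<authentication-manager alias="authenticationManager">`, and register the filter with `<custom-filter position="FORM_LOGIN_FILTER" ref="restLoginFilter"/>`. Because there is no `<form-login>`, the `<http>` element also needs an `entry-point-ref`, for example a bean of class `org.springframework.security.web.authentication.Http403ForbiddenEntryPoint`, or the namespace parser refuses to start with "No AuthenticationEntryPoint could be established". The filter chain still runs the session-fixation protection before `successfulAuthentication` is called, so the session id is rotated on login as with the form filter.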

Related

How can I consume a GET REST call and map the result to a Java bean (object) through Apache Camel?

I am new to Apache Camel. I want to do a GET REST call to get data and then I want to map this data to my Java bean. How can I do that with Camel? I want to do it in a Spring MVC web application.
I know how to do it with RestTemplate, for example, but I want to use Apache Camel.
I've checked this documentation http://camel.apache.org/cxfrs.html but I still don't know how to set it up to accomplish this.
Please, if you can provide some examples, that would be great.
There are a few different options. I'll walk through one...
First, define your rest configuration with bindingMode=auto
restConfiguration()
.component("jetty").host("0.0.0.0").port(9000)
.bindingMode(RestBindingMode.auto);
Next, when you define your particular rest service, specify a type (this is the type of the incoming body):
rest("/")
.put("/A/{subpath1}/{subpath2}")
.type(MyPojo.class)
.to("direct:XYZ");
That's it! The unmarshalling will be magical ;)
Alternatively, you can unmarshal things yourself.
If you'd like to see a working example of the above, check out this program: it has a main() to test it. https://github.com/DariusX/CamelSandbox/blob/master/CamelSandbox/src/main/java/com/zerses/camelsandbox/rest/RestConsumerBindingTest.java
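The answer above shows the server side (exposing a REST endpoint with the Rest DSL). The question asked for the client side: issuing a GET and mapping the JSON response onto a bean. As an added example that is not from the original answer or the linked repository, here is a Camel 2.x route doing that with the http4 component and camel-jackson. The target host, the Customer bean and the ProducerTemplate call in main() are assumptions.

```java
// Added example, not from the original answer. Camel 2.x route that performs a GET against a
// remote REST endpoint and unmarshals the JSON reply into a Java bean (camel-http4 + camel-jackson).
// Host name, bean shape and the sample id are assumptions for illustration.
package example.camel;

import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.model.dataformat.JsonLibrary;

public class RestClientRoute extends RouteBuilder {

    // Bean the JSON document is mapped onto; Jackson needs a default constructor and setters.
    public static class Customer {
        private int id;
        private String name;
        public int getId() { return id; }
        public void setId(int id) { this.id = id; }
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    @Override
    public void configure() {
        from("direct:fetchCustomer")
            // Force GET explicitly: with a non-null body the HTTP producer would default to POST.
            .setHeader(Exchange.HTTP_METHOD, constant("GET"))
            // The resource path is appended to the endpoint URI from the HTTP_PATH header,
            // so the id coming in as the message body becomes /customers/<id>.
            .setHeader(Exchange.HTTP_PATH, simple("/customers/${body}"))
            // https4, not http4: credentials and customer data should not cross the wire in clear.
            // throwExceptionOnFailure is the default; a 4xx/5xx raises HttpOperationFailedException
            // instead of being silently unmarshalled as if it were a Customer.
            .to("https4://api.example.com?throwExceptionOnFailure=true")
            // Response JSON -> Customer. This is the explicit form of the "magical" binding.
            .unmarshal().json(JsonLibrary.Jackson, Customer.class);
    }

    // Stand-alone driver; in a Spring MVC app the route is added to the <camelContext> bean instead.
    public static void main(String[] args) throws Exception {
        CamelContext ctx = new DefaultCamelContext();
        ctx.addRoutes(new RestClientRoute());
        ctx.start();
        try {
            ProducerTemplate template = ctx.createProducerTemplate();
            Customer c = template.requestBody("direct:fetchCustomer", 42, Customer.class);
            System.out.println(c.getId() + " " + c.getName());
        } finally {
            ctx.stop();
        }
    }
}
```

In the Spring MVC application, declare the route as a bean and reference it from `<camelContext xmlns="http://camel.apache.org/schema/spring"><routeBuilder ref="restClientRoute"/></camelContext>`, then inject a ProducerTemplate into the controller and call `requestBody("direct:fetchCustomer", id, Customer.class)` exactly as main() does.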

Spring Security manually setting authentication without authentication manager giving error

I am setting authentication manually in my application using PreAuthenticatedAuthenticationToken. But I keep getting error as follows,
No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add a global <authentication-manager> element to your configuration (with child <authentication-provider> elements)?
I don't have a UserDetailsService as it is not required for me. Please help me with how to configure the authentication manager.
You are missing an <authentication-manager> element. You need to have one which processes the PreAuthenticatedAuthenticationToken, usually adding any relevant roles for the user. If you want it to be a no-op operation, then that's fine, but it still has to be there, so you can either implement a simple UserDetailsService which just returns a user object with a fixed role, or you can implement AuthenticationProvider directly and create the final token in its authenticate method, however you want to do it. Either way, the configuration would be similar to the one described in the user manual.
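As an added example (not code from the original answer), here is the second option the answer describes: an AuthenticationProvider that accepts a PreAuthenticatedAuthenticationToken and returns the final, authenticated token with a fixed role, plus the code that sets the authentication manually through the AuthenticationManager. Class names and the ROLE_USER authority are assumptions; the XML wiring is in the note below.

```java
// Added example, not from the original post. Minimal AuthenticationProvider for manually
// established (pre-authenticated) users, with a fixed role and no UserDetailsService.
// Class names and the granted role are assumptions for illustration.
package example.security;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class FixedRolePreAuthenticatedProvider implements AuthenticationProvider {

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Object principal = authentication.getPrincipal();
        // A pre-authenticated token is trusted by construction, so this is the only place
        // left to refuse obviously bogus input before a role is attached to it.
        if (principal == null || principal.toString().trim().length() == 0) {
            throw new BadCredentialsException("Pre-authenticated principal is missing");
        }
        // The three-argument constructor marks the token as authenticated.
        return new PreAuthenticatedAuthenticationToken(principal,
                authentication.getCredentials(),
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }

    // Helper showing the "manual" side: call this only after the user has really been
    // verified elsewhere (e.g. by a gateway), since anyone who can reach it is logged in.
    public static Authentication establish(AuthenticationManager manager, String verifiedUsername) {
        Authentication request = new PreAuthenticatedAuthenticationToken(verifiedUsername, "N/A");
        Authentication result = manager.authenticate(request); // routed to the provider above
        SecurityContextHolder.getContext().setAuthentication(result);
        return result;
    }
}
```

Wiring (assumed bean ids): `<beans:bean id="preAuthProvider" class="example.security.FixedRolePreAuthenticatedProvider"/>` and `<authentication-manager alias="authenticationManager"><authentication-provider ref="preAuthProvider"/></authentication-manager>`; the alias is what lets you inject the manager into the code that calls `establish(...)`. The two-argument token constructor used in `establish` creates an unauthenticated token, which is why it must go through the manager rather than straight into the SecurityContext.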

XACML Fine Grained Authorization between WSO2 ESB- IS

I'm working with the use case published on http://wso2.com/library/articles/2010/10/using-xacml-fine-grained-authorization-wso2-platform/ and it works well but I need to customize the XACML query with Action, Resource and Subject fields.
When I add the Entitlement Mediator to the ESB I am not able to add these arguments (which are stored in property elements on the ESB). How can I specify Action, Resource and Subject to construct the XACML query before sending it to IS?
Thanks in advance,
Joan
The entitlement mediator has a callback handler where you can implement a way to pick the Action, Resource and so on. The default handler picks them as follows:
Resource --> Incoming message "To" SOAP header
Subject ---> if your proxy service is secured with UT or Basic auth, it would pick the authenticated user name
But you can write your own handler and plug it into the entitlement mediator; there are some available handler implementations. You can refer to [1] for more details.
[1] http://nallaa.wordpress.com/2013/07/25/entitlement-mediator-with-wso2-enterprise-service-bus-esb/
It is fine to use ESB 4.8.0; it will be released soon. However, there is no UI in 4.7.0 to configure them, but you can do it using the Synapse configuration. Say you want to add a new custom callback class; you can add it as follows:

WCF RESTful API

I created a WCF project with one simple method that returns a pdf in a byte[] and a int (id #) and has username+password with a custom validator for message security and a SSL for transport security. Now the client tells me that he was assuming I was going to create a RESTful API instead. I don't have any experience with REST, but I've seen that you can create a REST project in WCF (which is what I'd prefer for interaction with the rest of my solution).
First, can you deliver a pdf the same way in a RESTful API? I set the int as an out parameter in order to return it to the client, can I assume an out parameter will function the same as well?
Second, can I use the same kind of security setup? I'm assuming the SSL will still protect the transport, but I cannot seem to find a good example or tutorial on basic security. I can use a different method of security if needed.
REST is different from SOAP (or even WCF) in that you aren't using cumbersome "envelopes"; unfortunately, those envelopes provide you with functionality like the authentication scheme you're using (and out params, etc.).
See Best Practices for securing a REST API / web service
You can go with basic authentication + SSL for authentication. You must encrypt basic authentication, though, or else it is insecure. As for the out parameter, it seems that a composite XML-based result like the following is one way to go:
GET
could return XML like:
<result>
<intValue>4</intValue>
<pdfByteString><![CDATA[bytestring...etc.]]></pdfByteString>
</result>
It actually does look like WCF has some built-in functionality to help you out; this white paper should provide a decent intro:
http://msdn.microsoft.com/en-us/library/ee391967.aspx#Y1720

What WCF extensibility point should I use to implement custom security?

I'm trying to create a flexible security infrastructure for our WCF services on our intranet, but I'm not quite sure where I should be putting this code... there are so many different ways to extend WCF that I don't know for sure where to begin...
The basic idea: every time my service is called - for any operation - I want some code to run that does a custom access check using our existing security infrastructure to see if the user has access to perform the operation. If the user isn't authorized, I want it to throw an exception or something (not sure what it should do really) and prevent the call from ever making it to my service code.
Thoughts?
Thanks
I think that this will be a good starting point for implementing a custom authorization strategy.
I ended up having to use a MessageInspector in conjunction with a ParameterInspector to make it work how I needed.