I'm trying to integrate Spring Security in my web application. It seems pretty easy to do as long as you integrate the whole process of authentication and authorization.
However, both authentication and authorization seem so coupled that it's being very time-consuming for me to understand how I could split these processes, and get authentication independently of authorization.
The authentication process is external to our system (based on single sign-on) and this cannot be modified. Nevertheless, once the user succeeds this process, it's loaded in the session, including roles.
What we are trying to achieve is to make use of this information for the authorization process of Spring Security, that's to say, to force it to get the roles from the user session instead of picking it up through the authentication-provider.
Is there any way to achieve this?
If your authentication is already done using an SSO service, then you should use one of spring security's pre-authentication filters. Then you can specify a UserDetails service (possibly custom) that will use the pre-authenticated user principle to populate the GrantedAuthority's
SpringSecurity includes several pre-authentication filters including J2eePreAuthenticatedProcessingFilter and RequestHeaderPreAuthenticatedProcessingFilter. If you can't find one that works for you, its also possible, and not that hard to write your own, provided you know where in the request your SSO implementation stuffs the data. (That depends on the implementation of course.)
Just implement the Filter interface and do something like this in the doFilter method:
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// principal is set in here as a header or parameter. you need to find out
// what it's named to extract it
HttpServletRequest req = (HttpServletRequest) request;
if (SecurityContextHolder.getContext().getAuthentication() == null) {
// in here, get your principal, and populate the auth object with
// the right authorities
Authentication auth = doAuthentication(req);
SecurityContextHolder.getContext().setAuthentication(auth);
}
chain.doFilter(request, response);
}
Yes, it's possible. Spring Security (like most of the rest of Spring) is interface-driven so that you can plug in your own implementations selectively for different parts of the framework.
Update: Spring's authorisation and authentication mechanisms work together - the authentication mechanism will authenticate the user and insert various GrantedAuthority instances in the security context. These will then be checked by the authorisation machinery to allow/disallow certain operations.
Use nont's answer for the details on how to use pre-existing authentication. The details of how you get the details from your session (e.g. roles ) will of course depend on your specific setup. But if you put in the GrantedAuthority instances derived from the roles pre-populated in your session by your SSO system, you will be able to use them in your authorisation logic.
From the reference documentation (slightly edited, with my emphasis):
You can (and many users do) write
their own filters or MVC controllers
to provide interoperability with
authentication systems that are not
based on Spring Security. For example,
you might be using Container Managed
Authentication which makes the current
user available from a ThreadLocal or
JNDI location. Or you might work for a
company that has a legacy proprietary
authentication system, which is a
corporate "standard" over which you
have little control. In such
situations it's quite easy to get
Spring Security to work, and still
provide authorization capabilities.
All you need to do is write a filter
(or equivalent) that reads the
third-party user information from a
location, build an Spring
Security-specific Authentication
object, and put it onto the
SecurityContextHolder. It's quite easy
to do this, and it is a
fully-supported integration approach.
The server that handles the authentication should redirect the user to the application passing to it some kind of key (a token in CAS SSO). Then the application use the key to ask to the authentication server the username and roles associated. With this info create a security context that is passed to the authorization manager. This is a very simplified version of a SSO login workflow.
Take a look to CAS SSO and CAS 2 Architecture.
Tell me if you need more information.
we have had the same requirement where we had to use spring security for authorization purpose only. We were using Siteminder for authentication. You can find more details on how to use authorization part of spring security not authentication here at http://codersatwork.wordpress.com/2010/02/13/use-spring-security-for-authorization-only-not-for-authentication/
I have also added source code and test cases at http://code.google.com/p/spring-security-with-authorization-only/source/browse/
I am trying to understand CAS authentication with our own Authorization and was getting confused since the User object in Spring Security always expects the password to be filled in and we don't care about that in our scenario. After reading Surabh's post, it seems that the trick is to return a custom User object without the password filled in. I will try that out and see if it works in my case. Hopefully no other code in the chain will be expecting the Password in the User object.
I use the authorization by this:
Inject the authorization related bean into my own bean:
#Autowired
private AccessDecisionManager accessDecisionManager;
#Autowired
FilterSecurityInterceptor filterSecurityInterceptor;
Use this bean by this:
FilterInvocation fi = new FilterInvocation(rundata.getRequest(), rundata.getResponse(), new FilterChain() {
public void doFilter(ServletRequest arg0, ServletResponse arg1) throws IOException, ServletException {
// TODO Auto-generated method stub
}
});
FilterInvocationDefinitionSource objectDefinitionSource = filterSecurityInterceptor.getObjectDefinitionSource();
ConfigAttributeDefinition attr = objectDefinitionSource.getAttributes(fi);
Authentication authenticated = new Authentication() {
...........
public GrantedAuthority[] getAuthorities() {
GrantedAuthority[] result = new GrantedAuthority[1];
result[0] = new GrantedAuthorityImpl("ROLE_USER");
return result;
}
};
accessDecisionManager.decide(authenticated, fi, attr);
I too did spent lot of hours investigating on how to implement custom authorization without authentication.
The authentication process is external to our system (based on single sign-on).
I have done it, as mentioned below and it Works!!! (I am sure there are many other ways to it better, but this way just suits my scenario well enough)
Scenario : User is already authenticated by external system and all information needed for authorization is present in the request
1.
Security config need to be created, enabling global method security as below.
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
class SpringWebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(final HttpSecurity http) throws Exception {
}
}
2.) Implement Spring PermissionEvaluator to authorize whether the request should be allowed or rejected
#Component
public class CustomPermissionEvaluator implements PermissionEvaluator {
public boolean authorize(final String groups, final String role) {
boolean allowed = false;
System.out.println("Authorizing: " + groups + "...");
if (groups.contains(role)) {
allowed = true;
System.out.println(" authorized!");
}
return allowed;
};
#Override
public boolean hasPermission(final Authentication authentication, final Object groups, final Object role) {
return authorize((String) groups, (String) role);
};
#Override
public boolean hasPermission(final Authentication authentication, final Serializable targetId, final String targetType, final Object permission) {
return authorize((String) targetId, (String) permission);
};
}
3.) Add MethodSecurityConfig
#Configuration
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
#Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator());
return expressionHandler;
}
}
4.) Add #PreAuthorize in your controller as shown below. In this example, all the groups of the user are present in request header with key 'availableUserGroups'.
This is then passed on to the CustomPermissionEvaluator to verify authorization. Please note that spring automatically passes Authentication object to the method 'hasPermission'.
So in case if you want to load user and check using spring 'hasRole' method, then this can be used.
#PreAuthorize("hasPermission(#userGroups, 'ADMIN')")
#RequestMapping(value = "/getSomething")
public String getSomething(#RequestHeader(name = "availableUserGroups") final String userGroups) {
return "resource allowed to access";
}
Handling Other Scenarios :
1.) In scenario where you want to load the user before you can perform the authorization. You can use spring pre-authentication filters, and do it in a similar way.
Example link : http://www.learningthegoodstuff.com/2014/12/spring-security-pre-authentication-and.html
Related
I've got a web service which makes use of JWT based authentication. In some samples i have seen that permissions are added to the claims identity and then queried in the AuthorizationHandler.
Is this the way to go for production level solutions too? Since the permissions are encoded in the JWT token i am concerned with the performance implications of having a very big JWT token.
Given that at some point you could end up with a JWT token of 1mb+ and above, this may lead to very bad performance if the web api client has insufficient upload speed.
Are there best practices to deal with a large amount of permissions? (Currently i am thinking that the way to go probably would be doing cached db queries to access permission grants)
As you've noticed, shoving too many claims into a JWT brings problems with it. Some servers will stop parsing the headers if they exceed a certain size. In our tests, IIS stopped accepting requests after ~150 scope claims (~2KB of JWT), so you don't have a lot of room to play with.
You should limit the usage of JWT to authentication. If the application has access to authorization data, you can use the token to fetch the permission claims for that user from the database or some authorization/policy service.
ASP.NET Core provides an interface for these kinds of scenarios. If you implement an IClaimsTransformation and register it, ASP.NET Core will call it when it authenticates the user. Then you'll have a chance to populate the ClaimsPrincipal with the authorization claims for the user.
One thing you need to look out for is that it is called every time an authentication occurs, so you need to check if you've already populated the claims to prevent duplicating claims. If you do it right, you'll need to perform a single query for every request to fetch the authorization claims for the user.
A sample implementation:
public class LoadUserClaimsTransformer : IClaimsTransformation
{
private AppDbContext _db;
public LoadUserClaimsTransformer(AppDbContext db)
{
_db = db;
}
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
// check if we've already populated the claims
if (principal.HasClaim(c => c.Type == "permission"))
{
return principal;
}
if (principal.Identity is ClaimsIdentity identity)
{
var userId = principal.FindFirstValue(ClaimTypes.NameIdentifier);
var permissions = await _db.Set<Permission>().Where(it => it.UserId == userId).ToListAsync();
foreach (var permission in permissions)
{
identity.AddClaim(new Claim("permission", permission.Key));
}
}
return principal;
}
}
public void ConfigureServices(IServiceCollection services)
{
services.AddScoped<IClaimsTransformation, LoadUserClaimsTransformer>();
// ...
}
Once the claims are added to ClaimsPrincipal, you can use [Authorize] annotations for declarative checks, or IAuthorizationService for imperative ones, or for resource-based authorizations.
Resources:
https://sdoxsee.github.io/blog/2020/01/06/stop-overloading-jwts-with-permission-claims
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-5.0
https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.iclaimstransformation?view=aspnetcore-5.0
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-5.0
I need to access the user's password in a Jetty application after authentication, and can't figure out how.
I am migrating a set of web pages away from basic authentication in an embedded Jetty servlet application. I cannot, however, completely remove basic authentication from all of the services that these pages call, so I need to forward the user credentials in some cases, which means storing and later retrieving the user's password.
I introduced forms authentication to the root context via the standard markup in web.xml, which works fine but I can find no way of getting the user credentials programatically. As far as I can tell there is no way to place a Filter on j_security_check to intercept and store the form parameters in the session state. Jetty provides all the user credentials in the session state but this is in a container-specific key and although the application is currently tied to Jetty I would strongly prefer a container-agnostic solution. Here are some specific questions that I've tried to formulate after going down a number of seemingly dead-end streets:
How can I obtain the user's password after login? Even if I moved the services away from basic authentication I would still need to perform some secondary action such as obtaining a token, in which case I would still need their credentials under my control for a brief period.
Assuming I can't obtain the user's password directly, perhaps I can leverage something in the container to store the credentials. I can implement my own LoginService that wraps the actual implementation, but that class does not have access to the HttpSession or Request objects. Where is the proper place to do this?
If I need to implement a custom login solution, I'm not quite sure where to start...the FormAuthenticator has a lot of complicated session state management that I would like to preserve and not reproduce willy-nilly, and I would still prefer to defer to the container standard as much as possible. Is there some standard method for extending or overriding the j_security_check logic?
I finally found one solution, for anyone else attempting similar - and I've found quite a few other posts from confused devs, and some badly hacked together workarounds. I believe this one is correct, although you must do the URL filtering yourself and it leaves open the question as to why this is possible, if indeed j_security_check should be exempt from this type of interception for security reasons, as is claimed many places online. Perhaps I am merely exploiting an unknown gap in the Jetty security measures, so I will leave this question open for a while to see if there is a more robust or explicit solution.
ServletRequestListener allows you to latch onto the j_security_check post request before it is fully initialized. There you can get both the form parameters and the session object. So in the end it was just a matter of exhausting every possible servlet-related class in Jetty until I found one that would give me access to the j_security_check request. Some code:
public class PreAuthenticationRequestListener implements ServletRequestListener {
public static final String USERNAME_KEY = "USERNAME";
public static final String PASSWORD_KEY = "PASSWORD";
#Override
public void requestDestroyed(ServletRequestEvent sre) {
}
#Override
public void requestInitialized(ServletRequestEvent sre) {
HttpServletRequest request = (HttpServletRequest)sre.getServletRequest();
if (request.getRequestURI().contains("j_security_check")) {
final String username = request.getParameter("j_username");
final String password = request.getParameter("j_password");
HttpSession session = request.getSession();
session.setAttribute(USERNAME_KEY, username);
session.setAttribute(PASSWORD_KEY, password);
}
}
}
I am already using a custom authentication provider in my ServiceStack based web services application.
I'm overriding the Authenticate method, and validating my user against one of multiple backend tenant databases. I currently determine the tenant database by matching an API key to a database string.
public override object Authenticate(
IServiceBase authService,
IAuthSession session,
Auth request) // <- custom object here, MyCustomAuth request
{
// ...
}
This works when each application is for a single tenant (a tenant/customer can build their own application and use that API key). Moving forward I want to build a multi-tenant mobile application. Thus the API key method cannot be used because I can't expect each user to type it in, hence I can't determine which tenant is using the application.
I wanted to alter the Auth object so that I could include the TenantId (provided by the user on login). However, I can't see how I can customize that object.
Is there anyway to customize that Auth object, or do I have to find an alternative solution?
You can't modify the built-in Authenticate Request DTO used, but you can use its Dictionary<string, string> Meta property to send additional metadata with the Authenticate request, e.g:
client.Post(new Authenticate {
...
Meta = new Dictionary<string,string> {
{"TenantId", tenantId},
}
}
Alternatively you can send additional info in the QueryString or HTTP Headers and access the IRequest with:
var tenantId = authService.Request.QueryString["TenantId"];
WCF function
public void SetSession(string name)
{
HttpContext.Current.Session["abc"]=name;
}
public string GetSession(string name)
{
return HttpContext.Current.Session["abc"].ToString();
}
Proxy
using (ServiceReference1.BlackjackClient proxy = new ServiceReference1.BlackjackClient())
{
proxy.SetSession("Hello");
}
my problem is when multiple clients are accessing the service then last set session is accessed by the each client. Session are not browser request based and not recognizing the client. Which client has sent which request. What should i do to make them specific to each client. means each client must have his own session.
Please help
The service can not know which client is calling the service. Regular asp.net use of Session uses a cookie, that identifies each request and makes some internal voodoo to map the request to the correct session.
In your case, you would have to either use login from the clients to ensure that the service could identify requests, but this would not in it self solve the problem.
Since you have access to the service implementation the simplest solution would probably be to store a session identifier (a Guid) in the client, and then send this along each request to the web service thus altering
public void SetSession(string name)
{
HttpContext.Current.Session["abc"]=name;
}
public string GetSession(string name)
{
return HttpContext.Current.Session["abc"].ToString();
}
to something like
public void SetSession(string name, Guid sessionId)
{
HttpContext.Current.Session[sessionId + "_abc"]=name;
}
public string GetSession(string name, Guid sessionId)
{
return HttpContext.Current.Session[sessionId + "_abc"].ToString();
}
Modifying the method signature like this is rather ugly though, but the idea would be, that the client aids the server in identifying the caller and thus the session.
It would be cleaner to use the transport protocol to identify the caller, so if you are creating a HTTP service, you could use some http header (perhaps authorization) to contain the session identifier. If you are using SOAP the message header could contain identical information.
The session identifier could also be created at the service by a new method named something like Guid CreateSession(). But a Guid could as well be created in the client.
But again: You will need to store some unique session id or user credentials in the client and communicate them to the server in each request.
Hey all,
I'm using Tomcat 6.0.14 and would like to know to implement a system that would allow us to send users a link say mysite.com?token=12345678912334333(long string continued) but that would allow the user to be logged in automatically.
Unless you have other reasons specific to Tomcat, or you are unable to modify your web application, then it might be easiest to use a custom filter to do the authentication (JAAS or otherwise). For example:
http://www.kopz.org/public/documents/tomcat/jaasintomcat.html
http://securityfilter.sourceforge.net/
With a custom filter, you could authenticate in whatever way you wanted to in a relatively straightforward way.
public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain chain)
throws IOException, ServletException {
String token = request.getParameter("token");
if (token != null) {
doAuthentication(token);
}
chain.doFilter(request, wrapper);
}
You tagged with JAAS. That's different than just authenticating with a simple token, but if that's what you are looking for, are you familiar with Tomcat's JAASRealm? You would just have to write your own LoginModule to authenticate the token.
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JAASRealm
It probably goes without saying that using token based login via E-mail is inherently insecure, and so is not appropriate for all types of applications.
I guess you have to implement the logic by yourself, i.e. the link guide the user to a servlet or something like that which recognize that link, join it with the user, create a session object and redirect the user inside your app.
Hope this helps