Role based authentication is not working with keycloak Using webSecurity Configuration - keycloak

Can I use antMatcher without using KeycloakWebSecurityConfigurerAdapter? Instead I will use the WebSecurityConfigurerAdapter provided by Spring. Is it possible?

Related

Geode Authentication implementation using TLS/SSL certificate

I am trying to implement TLS-based authentication, basically SSL certificate-based authentication, when two-way SSL is enabled in a Geode cluster. Authentication is performed based on the certificate DN. Let's say a client/peer node is configured with two-way SSL and the certificate "cn=example.com,ou=org,location=us"; authentication and authorization should only be successful if "example.com" is a valid cert, and authorize accordingly. I see that Geode's authentication implementation is based on security-username/password and the SecurityManager, and the Geode implementation does not provide a better way to access the connection peer's certificates. I was not able to find related documentation; any direction on this kind of requirement would be helpful.
Thanks.
As you may already be familiar based on the comments in your question above, I encourage you to first re-review the section on SSL in the Security chapter of Apache Geode's documentation. SSL would be a prerequisite for everything I am about to suggest below.
Apache Geode's Security implementation of Authentication (as well as Authorization) is based on Apache Geode's SecurityManager interface as well as the AuthInitialize interface.
The SecurityManager is used on the server-side to authenticate clients (or additional peers joining the P2P cluster as a member). An implementation of the AuthInitialize interface is used by clients (or other peers joining the P2P cluster as a member) to supply the credentials.
The supplied SecurityManager implementation is configured with the [gemfire.]security-manager property. The AuthInitialize implementation is configured with the [gemfire.]security-client-auth-init property (or the [gemfire.]security-peer-auth-init property).
While Apache Geode's documentation commonly refers to username/password-based authentication for Geode nodes (clients and peers), the fact of the matter is, the Properties returned by the (client-side) AuthInitialize.getCredentials(..) (Javadoc) method and processed on the server-side by SecurityManager.authenticate(:Properties) (Javadoc) could contain the appropriate certificate and evidence as described (for example) here.
It is not uncommon for Password-based authentication to be used with Certificate-based authentication (both over SSL).
In which case, you could do the following. On the client-side:
package example.app.geode.security.client.auth;

import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Properties;

import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AuthInitialize;

class CertificateBasedAuthInitialize implements AuthInitialize {

  // Static factory referenced from the security-client-auth-init property as "<class>.create".
  public static CertificateBasedAuthInitialize create() {
    return new CertificateBasedAuthInitialize();
  }

  public Properties getCredentials(Properties securityProperties, DistributedMember member, boolean isServer) {
    Properties credentials = new Properties(securityProperties);
    // Load the PrivateKey and its Certificate from the same KeyStore entry using the java.security API
    // (a PrivateKey does not carry its certificate; KeyStore.getKey/getCertificate supply both).
    PrivateKey privateKey = ...
    Certificate clientCertificate = ...
    // Sign some randomly generated data with the PrivateKey.
    Object signedEvidence = ...
    credentials.put("certificate", clientCertificate);
    credentials.put("evidence", signedEvidence);
    // optional... (username/password obtained elsewhere in the client)
    credentials.put(AuthInitialize.SECURITY_USERNAME, username);
    credentials.put(AuthInitialize.SECURITY_PASSWORD, password);
    return credentials;
  }
}
Then configure your client with:
# Spring Boot application.properties
spring.data.gemfire.security.client.authentication-initializer=\
  example.app.geode.security.client.auth.CertificateBasedAuthInitialize.create
...
The server-side, custom SecurityManager implementation would then use the credentials to authenticate the client.
package example.app.geode.security.server.auth;

import java.security.cert.Certificate;
import java.util.Properties;

import org.apache.geode.security.SecurityManager;

class CertificateBasedSecurityManager implements SecurityManager {

  public Object authenticate(Properties securityProperties) {
    // Properties is a Hashtable<Object, Object>, so non-String values need a cast.
    Certificate certificate = (Certificate) securityProperties.get("certificate");
    Object signedEvidence = securityProperties.get("evidence");
    // Verify the client's cert and use its PublicKey to verify the "evidence",
    // then return the authenticated principal (for example, the certificate's subject DN).
  }
}
If the servers in the Apache Geode cluster were configured and bootstrapped with Spring, then you would configure your custom SecurityManager implementation using:
# Spring Boot application.properties
spring.data.gemfire.security.manager.class-name=\
  example.app.geode.security.server.auth.CertificateBasedSecurityManager
If you used Gfsh to start the Locators and Servers in your cluster, then refer to Apache Geode's documentation to configure properties on startup.
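The following is an added, end-to-end version of the two halves sketched above (a client-side AuthInitialize and a server-side SecurityManager). It is example code written for this page, not Apache Geode's code or the answerer's. It assumes a PKCS12 client keystore located through the system properties client.keystore, client.keystore.password and client.keystore.alias, a security-trusted-issuer property naming the issuing CA's certificate file, and RSA keys (SHA256withRSA). It departs from the sketch in two places a practitioner would want: every credential value is a String (Base64) rather than a Certificate object, and the signed evidence carries a timestamp that the server checks, because the client chooses the data it signs and a signature over arbitrary client-chosen data could be captured and presented again indefinitely.

```java
package example.app.geode.security;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Properties;
import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AuthInitialize;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;

// Hypothetical classes, not part of Apache Geode. Every credential value is a String,
// so the Properties serialize unchanged between client and server.
public final class CertificateAuth {
  static final String CERT = "security-client-cert";           // Base64 DER client certificate
  static final String ISSUED_AT = "security-client-issued-at"; // epoch millis, covered by the signature
  static final String EVIDENCE = "security-client-evidence";   // Base64 signature over ISSUED_AT
  static final long MAX_AGE_MILLIS = 60_000L;                  // acceptance window for the evidence

  public static final class ClientAuthInitialize implements AuthInitialize {
    public static ClientAuthInitialize create() { return new ClientAuthInitialize(); }

    @Override
    public Properties getCredentials(Properties securityProps, DistributedMember server, boolean isPeer)
        throws AuthenticationFailedException {
      // Assumed system properties naming the client's PKCS12 store, its password and the key alias.
      char[] password = System.getProperty("client.keystore.password", "").toCharArray();
      String alias = System.getProperty("client.keystore.alias", "client");
      try (FileInputStream in = new FileInputStream(System.getProperty("client.keystore"))) {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(in, password);
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // The evidence is a signature over the current time, so a captured credential set is only
        // accepted inside MAX_AGE_MILLIS; getCredentials() has no round trip for a server challenge.
        String issuedAt = Long.toString(System.currentTimeMillis());
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(issuedAt.getBytes(StandardCharsets.UTF_8));
        Properties credentials = new Properties();
        credentials.setProperty(CERT, Base64.getEncoder().encodeToString(cert.getEncoded()));
        credentials.setProperty(ISSUED_AT, issuedAt);
        credentials.setProperty(EVIDENCE, Base64.getEncoder().encodeToString(signer.sign()));
        return credentials;
      } catch (Exception e) {
        throw new AuthenticationFailedException("Unable to build certificate credentials", e);
      }
    }
  }

  public static final class ServerSecurityManager implements SecurityManager {
    private X509Certificate trustedIssuer; // the CA that must have issued every client certificate

    @Override
    public void init(Properties securityProps) {
      // Assumed property security-trusted-issuer=/path/to/ca.pem (Geode passes security-* props to init()).
      try (FileInputStream in = new FileInputStream(securityProps.getProperty("security-trusted-issuer"))) {
        trustedIssuer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
      } catch (Exception e) {
        throw new IllegalStateException("Cannot load the trusted issuer certificate", e);
      }
    }

    @Override
    public Object authenticate(Properties credentials) throws AuthenticationFailedException {
      try {
        byte[] der = Base64.getDecoder().decode(credentials.getProperty(CERT));
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(new ByteArrayInputStream(der));
        cert.checkValidity();                      // rejects expired or not-yet-valid certificates
        cert.verify(trustedIssuer.getPublicKey()); // rejects certificates our CA did not sign
        String issuedAt = credentials.getProperty(ISSUED_AT);
        if (Math.abs(System.currentTimeMillis() - Long.parseLong(issuedAt)) > MAX_AGE_MILLIS) {
          throw new SignatureException("evidence is outside the acceptance window");
        }
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(issuedAt.getBytes(StandardCharsets.UTF_8));
        if (!verifier.verify(Base64.getDecoder().decode(credentials.getProperty(EVIDENCE)))) {
          throw new SignatureException("evidence does not verify under the presented certificate");
        }
        // Only after both checks is the subject DN trustworthy; it is the principal passed to authorize().
        return cert.getSubjectX500Principal().getName();
      } catch (Exception e) {
        throw new AuthenticationFailedException("Certificate authentication failed: " + e.getMessage(), e);
      }
    }

    @Override
    public boolean authorize(Object principal, ResourcePermission permission) {
      // Geode's default authorize() returns true; here any authenticated DN may only READ (stand-in for a DN-to-role table).
      return permission.getOperation() == ResourcePermission.Operation.READ;
    }
  }
}
```

Wired up with plain Geode properties (nested classes are named with a `$`): `security-client-auth-init=example.app.geode.security.CertificateAuth$ClientAuthInitialize.create` on the client, and `security-manager=example.app.geode.security.CertificateAuth$ServerSecurityManager` plus `security-trusted-issuer=<path to CA certificate>` on the servers. `cert.verify(caKey)` checks direct issuance by one CA and nothing about revocation; a deployment with intermediate CAs or CRL/OCSP requirements would build a CertPathValidator check in its place. The scheme proves possession of the private key but does not bind the evidence to the TLS session, which is why the two-way SSL prerequisite from the answer still matters: it keeps the credential Properties off the wire in the clear.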
As you may also be aware (based on your tags), Apache Geode integrates with Apache Shiro. Unfortunately, I did not find any support in Apache Shiro for Certificate-based Authentication (here), which introduces the concept of Realms for auth, where the available Realms provided by Apache Shiro are here (you can see support for ActiveDirectory, JDBC, JNDI, LDAP, and text-based Realms).
Of course, you could also devise an implementation of Apache Geode's SecurityManager interface along with the AuthInitialize interface, integrated with Spring Security and follow the general advice in Baeldung's blog post.
Hopefully this gives you enough to think about and some ideas on how to go about implementing Certificate-based Authentication between clients and servers (and peers?) in your [Spring] Apache Geode application/cluster.

How to configure quarkus-oidc to use any other vert.x oauth2 providers other than KeycloakAuth?

I've been trying to set up a Quarkus server to validate tokens from Azure Active Directory with quarkus-oidc. I noticed that under the hood quarkus-oidc uses the Vert.x OAuth2 implementation, which has support for Azure Active Directory amongst other providers, but unfortunately there seems to be no way to configure quarkus-oidc. The Keycloak provider seems to be hardcoded in the class OidcRecorder. Is there a way to bypass it, replace it, or configure it properly?

Keycloak server embedded in a Spring Boot application with custom User Storage SPI

I have managed to set up a Keycloak server embedded in a Spring Boot Application successfully, following this tutorial:
Keycloak Embedded in a Spring Boot Application
in order to avoid setting it up manually.
Since I am dealing with an old implementation that already has its own DB, I decided to use Keycloak's User Storage SPI to connect to an external PostgreSQL DB and use this for authentication instead of the Keycloak DB.
To do this, I followed the tutorial in the Keycloak documentation, but it involves a standalone Keycloak server, creating a .jar with the custom provider and injecting it into <pathToKeycloak>/standalone/deployments/.
I have created an implementation that works with a standalone Keycloak server, but now I want to include it to the embedded one. Is it possible to use a Keycloak server Embedded in a Spring Boot Application and also have an embedded custom User Storage Provider, to avoid setting up manually?
If you have already implemented the provider and the provider factory, you only need to declare the provider factory class in the resources/META-INF/services/org.keycloak.storage.UserStorageProviderFactory file.
Then you can log in to the administration console and enable user storage provider on the User Federation page.

How to get spring security oauth2 client details from mongodb instead of inmemory

I am currently using Spring Security OAuth2 and have configured it to use clients from inMemory. How do I get the client id/client secret from MongoDB, use MongoDB as the store for the client details, and configure Spring OAuth2 to use that?
One approach I was thinking of was to use MongoTemplate to read the client details and configure the inMemory client details using those values. Would this be a way to go about this?
Is there another way to get client details from MongoDB and configure the clients for Spring Security OAuth2?
Try this link. You will have to create custom client details storage along with custom access and refresh token implementations.
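The client-details half of that advice, as an added example for this page (not code from the linked page or from the Spring projects): a ClientDetailsService backed by MongoTemplate, wired into the legacy spring-security-oauth2 authorization server in place of `clients.inMemory()`. It assumes Spring Data MongoDB, a collection named `oauth_clients` whose `_id` is the client id, and that the stored secret is a BCrypt hash rather than the plaintext secret. The three classes are in one file only for brevity.

```java
package example.oauth2.mongo;

import java.util.Set;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.core.query.Criteria;
import org.springframework.data.mongodb.core.query.Query;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

// Hypothetical document shape for the assumed "oauth_clients" collection.
@Document(collection = "oauth_clients")
class OAuthClientDocument {
  @Id String clientId;
  String secretHash;                  // BCrypt hash of the client secret; the plaintext is never stored
  Set<String> scopes;
  Set<String> authorizedGrantTypes;
  Set<String> redirectUris;
  Integer accessTokenValiditySeconds;
}

// Replaces the in-memory store: each lookup reads the client document from MongoDB.
public class MongoClientDetailsService implements ClientDetailsService {
  private final MongoTemplate mongoTemplate;

  public MongoClientDetailsService(MongoTemplate mongoTemplate) {
    this.mongoTemplate = mongoTemplate;
  }

  @Override
  public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
    OAuthClientDocument doc = mongoTemplate.findOne(
        Query.query(Criteria.where("_id").is(clientId)), OAuthClientDocument.class);
    if (doc == null) {
      // Same exception the in-memory service throws, so the token endpoint's error handling is unchanged.
      throw new ClientRegistrationException("No client with id " + clientId);
    }
    BaseClientDetails details = new BaseClientDetails();
    details.setClientId(doc.clientId);
    details.setClientSecret(doc.secretHash); // compared by the framework through the configured PasswordEncoder
    details.setScope(doc.scopes);
    details.setAuthorizedGrantTypes(doc.authorizedGrantTypes);
    details.setRegisteredRedirectUri(doc.redirectUris);
    details.setAccessTokenValiditySeconds(doc.accessTokenValiditySeconds);
    return details;
  }
}

@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
  private final MongoTemplate mongoTemplate;

  AuthorizationServerConfig(MongoTemplate mongoTemplate) {
    this.mongoTemplate = mongoTemplate;
  }

  @Override
  public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.withClientDetails(new MongoClientDetailsService(mongoTemplate)); // instead of clients.inMemory()
  }

  @Override
  public void configure(AuthorizationServerSecurityConfigurer security) {
    // Secrets in MongoDB are BCrypt hashes, so the server must hash the presented secret the same
    // way; without this it would compare the plaintext against the hash and reject every client.
    security.passwordEncoder(new BCryptPasswordEncoder());
  }
}
```

Reading the secret from the database as a hash keeps a dump of the `oauth_clients` collection from yielding usable client credentials, which is the main thing the move away from hard-coded in-memory clients should buy. The other half the answer mentions, a MongoDB-backed TokenStore passed to `endpoints.tokenStore(...)`, is a separate piece and is not shown here.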

Weblogic 12 - Changing Scoped Role to Group mapping in the deployed application

Our current application uses JSF/JPA technology, is deployed on WebLogic 12.1.2 and does the following:
Authenticates a user through an IDP
The IDP after authenticating the user sends back the Groups the user belong to
Using Web.xml and WebLogic.xml we map the Groups to Roles
Our Application Scoped roles are very granular and it helps us do the following:
Hide UI pages or components on UI
use RolesAllowed annotation on methods
Since the Group to Role mapping is in weblogic.xml, our application users can't change the Group to Role mapping, and this is the problem that I have to solve.
My goal is to do the following:
Authenticate a user through our IDP
The IDP will send us the Groups user belongs to
Define the roles in web.xml
Define tables that our application will read to find Group to Role mapping
Use Weblogic API to do Group to Role Mapping
Create a UI to allow our users to change the Group to Role mapping
The problem that I am running into is that I can't find how to do Group to Role mapping dynamically using WebLogic, since I can't get access to a WebLogic API that will allow me to change the Group to Role mapping in my deployed application. Has anyone done this before?
I have looked at creating a custom Role Mapper, but I am not sure how to get the handle to this custom Role Mapper in our deployed application.
As of Java EE 7, this is not possible, based on this thread: dynamic roles on a Java EE server
If someone does want this feature added to Java EE 8, then please vote for the following two open feature requests in Java EE 8:
https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-8
https://java.net/jira/browse/JASPIC_SPEC-22
Not really a concrete answer, but it can be done using a WebLogic-specific solution.
See examples in:
https://docs.oracle.com/cd/E13212_01/wles/docs42/dvspisec/examples.html
You have to implement the getRoles method:
import java.util.Map;
import javax.security.auth.Subject;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;

public final class MyRoleMapperProviderImpl implements RoleProvider, RoleMapper
{
  // RoleProvider also requires the SecurityProvider lifecycle methods and getRoleMapper();
  // the Group to Role lookup itself happens here, once per resource access.
  public Map getRoles(Subject subject, Resource resource,
                      ContextHandler handler)
  {
    ...
  }
}
You can generate an MBean for it as well to establish automatic loading:
https://docs.oracle.com/middleware/1213/wls/DEVSP/generate_mbeantype.htm#DEVSP617
java -DMDF=xmlfile -Dfiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker
The result can be added as a jar to the server classpath, and the implementation is available on server startup.