Which concrete filters, provided by Spring Security components, to be responsible for the 'doFilter' work for the JSESSIONID and CSRF-Token respectively? E.g. UsernamePasswordAuthenticationFilter to handle Login Form posted from client.
Related
For example, you have TWO different folders on your web site, /folderA and /folderB
You can set the common loginURL for both of these pages in Spring Security.
I use Spring SAML. It aal
Spring Security: Once users try to get /folderA or /folderB, they will be redirected to the "local" LoginURL first (domain.com/auth).
Spring SAML: LoginURL page (domain.com/auth) will redirect the user to the remote SAML SSO provider (for example, myapp.okta.com). The endpoint is specified in metadata.xml.
SAML SSO provider redirects the user to SSO url (configured in OKTA, let's say sso.domain.com/auth/sso).
I want to use the original requested URL (in this case, /folderA or /folder) in the SSO controller (sso.domain.com/auth/sso). I want to make the logic dependent on the requested URL.
So my question is
How to inject these folder URLs into the request to SAML SSO Provider using Spring SAML?
I know how to implement it without Spring SAML. So I am looking how to configure Spring SAML for it.
I think that RELAY_STATE is used for it. But I can’t understand on how to retrieve it at the steps (1) and/or (2)
Relay state is passed as query parameter along with SAMLRequest. Passing relay state depends on the toolkit you use so you would need to check their documentation to see how it can be done. I found this useful thread online http://forum.spring.io/forum/spring-projects/security/saml/125415-spring-saml-integration-authentication-extended-info-relaystate
Also, you can follow this link once session is established via SAML (in that case you can skip passing session token) http://developer.okta.com/use_cases/authentication/session_cookie#initiate-a-saml-sso-with-the-session-token. You can use the single sign on url from Sign on Tab -> View Setup instructions and make a GET request to that passing in the RelayState. That will initiate take you to relay state.
We have CSRF issue reported in our web application with mutiple forms in the application. Our application is running on front end (AEM), and we have sso layer for single sign in using SAML and we also have seperate database layer, which they expose all the data's via web services and AEM will consumer the same for displaying and updating the data. If we have to implement CSRF token in AEM on all ajax requests like below, How this needs to be handled at DB level. Where do we get the CSRF token from which layer.
jQuery.ajaxPrefilter(function(options, _, xhr) {
if ( !xhr.crossDomain )
xhr.setRequestHeader(CSRF_HEADER, securityToken);
});
I am going to take a guess at your application architecture as this.
AEM Web App ---> Webservice Hosting App ---> DB.
Additionally, there is an IDP for SAML based authentication. Post the SSO authentication, all the interactions of the user is with the AEM web app.
Assuming the above, I'll say this is a regular AEM website. You can use OOTB AEM CSRF protection documented here.
Using Spring Security, how can I forward (server-side redirect) to login page instead of redirect to it?
Same question for session management and invalid session url.
I agree with #holmis83 that it is not a good idea to switch from redirect to forward.
Spring Security API documentation indicates that this can be done by using the setUseForward method. You can instantiate a LoginUrlAuthenticationEntryPoint in your configuration, set forward to true and the pass this instance to the Spring Security HTTP element.
I have a form of user registration inside a dialog. Because some information of the form is sensitive (personal information and password) I would like to secure the connection just for submitting the form, but I couldn't find anything about securing just a form post.
Anyone knows how to do this?
btw, I'm using spring and spring security
Thanks
I think you can change the action of a form to modify the protocol (normal HTML).
But if you are already using Spring Security with session-based security (the default), or even stateless HTTP Basic authentication, you already need SSL for all requests.
Need some suggestions to find out if its possible in Camel for the below scenario.
We are trying use Apache Camel for integration testing of a web application. Application has to accessed through rest service calls. Each Application requests is filtered through shiro security. When I make a restful call or a http call to this application, I need to set up the necessary shiro authentication information in the header and make sure the camel request is processed successfully. Is there a way to do this in camel - "invoking a http or rest calls to access the application whose requests are secured by apache shiro" ? I see Camel has a shiro security component which is more like either authorizing camel routes or defining the security for the camel routes and I dont see I can use them for this purpose?
I did try setting up the shiro authentication tokens in the header in different possible ways (For eg: using Exchange's Authentication property) but it doesnt work. Any suggestions please?
UPDATES:
Shiro maintains its own session and looks for userId and his/her Permissions (referred to as Shiro Subject) to make sure its an authenticated and authorized request. Whenever we send a request to a Shiro secured application, it filters the request, validate the request to find out if its authorized to access to application functions and then allow us in.If the user information is not available in the Shiro session, it will take you to the login screen. Our web application has exposed the functionalities as rest services.Is it feasible in Camel to make a call to such an application which is embedded with Apache Shiro security? Basically I am should mock the Shiro subject and set in the HTTP header to make it look like a Shiro Authenticated request.
I tried making http calls with Shiro Authentication token set up in the exchange headers. But its failing. Is this possible in Camel or am I going in the wrong direction? Any suggestion or help in this regard is very much appreciated. Below is a subset of code I have been playing around with.
// wrap it in a Subject
Subject subjectUnderTest = new Subject.Builder(getSecurityManager())
.principals(new SimplePrincipalCollection("Username", "RealmName")).authenticated(true).buildSubject();
MockEndpoint OutEndpoint = getMockEndpoint("mock.out");
OutEndpoint.expectedMessageCount(1);
Endpoint InEndpoint = context.getEndpoint("direct.in");
Map<String, Object> headers = new HashMap<String, Object>();
headers.put(Exchange.HTTP_METHOD, "GET");
headers.put(Exchange.AUTHENTICATION, subjectUnderTest);
template.sendBodyAndHeaders(InEndpoint, "test body", headers);
Thanks Viggy
I think you should use below code to set up user name and password. Set CamelContext with these config.
HttpConfiguration config = new HttpConfiguration();
config.setAuthMethod(AuthMethod.Basic);
config.setAuthUsername("donald");
config.setAuthPassword("duck");
HttpComponent http = context.getComponent("http", HttpComponent.class);
http.setHttpConfiguration(config);