How can I bypass Apache Shiro authentication and just use the authorization scheme. The reason I would like to achieve this is because I am using an in house SSO Authentication written for our cloud application and I would not like to save user information on our application server apart from basic user id and roles.
Implement custom realm (e.g. extend JdbcRealm class) and override doGetAuthenticationInfo and authenticate user within tthat method in any way you want. Of course depending on your authentication method you might have to modify the authorization bit as well (e.g. change the authorization query or even whole DB structure).
Related
We are running some tests on Keycloak to implement it on our company and I am are wondering what is the best approach to make Keycloak interact with our legacy system.
In our scenario, we have a native login interface and we are going to use direct grant - we are not going to authorization code flow / redirect flow using a browser and we don't have any kind of social login.
The other point is: we must to keep our native interface.
Based on that, what is the best/right approach to implement this flow? I have set my client on Keycloak with direct grant but the problem is that every user must exists in Keycloak. Isn't possible to use Keycloak as a "token emissor" instead of IDP?
In case of Keycloak must be an IDP, what is the right approach to allow Keycloak log in legacy system? Should I implement a custom Identity Provider? Will mobile make a login request to Keycloak or to legacy system?
Keycloak must somehow be able to either authenticate the user or delegate the authentication of the user to a federated identity provider. A few options:
If you want to use Keycloak as an identity provider, you could do
this by migrating your user base to Keycloak, or by making use of
User Storage Federation, which means Keycloak will use your existing
user database as a source. In this case, the login interface will be
a Keycloak interface (which you can customize to your wishes). See:
https://www.keycloak.org/docs/latest/server_admin/#_user-storage-federation
Another option is to convert your legacy system into an identity
provider that complies with either the OIDC or SAML protocol, and
set it up as an identity provider for Keycloak. In this case you can
keep your existing login interface, but it will probably require
quite some changes to your legacy system. See:
https://www.keycloak.org/docs/latest/server_admin/#_identity_broker
I am new to Play framework and Scala. I know Json Web Tokens and concepts of authorization. I have done a Spring Boot app that does user role authorization with JWT. Basically, I put my custom key value pair while creating the JWT and it has something like this "authorizations":[role_employee, role_user]
When a request comes, I intercept it, parse the token, and create a spring security context and use the annotation on the spring controller method and the authorization works perfectly. I tried finding this concept in Play framework, most examples are talking about how to intercept the call and verify the validity of the token, but no one is talking about how to make sure the authorization is also correct. Basically, by merely verifying that token is fine, how do I create a binding that for a particular controller to be allowed to execute, what roles are permitted?
The most powerful framework for authorization in the Play environment is the Deadbolt
https://github.com/schaloner/deadbolt-2
You can also find simple authorization parts in the other frameworks. For example, I often use Pac4J for Play. It has authentification and simple authorization parts:
https://github.com/pac4j/play-pac4j
I have a web application that I would like to use authenticate using MembershipReboot for a subset of users but internally I would also like to use Active Directory.
What's the best practice of authenticating a single web application with two different authentication models? Any code samples would be great.
For this scenario you'll need a UserService for Membership Reboot. This will mean when users log in to Identity Server using the local username & password fields they will use Membership Reebot. You can find this UserService here.
To also use Active Directory you need to configure it as an external identity provider. This will then provide users with the option to log in using their AD credentials.
If you want to specify in your requests which provider to log the user into, check out the acr_values parameter of the Authorization endpoint or the IdentityProviderRestrictions property of the Client class.
I've set up an IdentityServer3 server with IdentityManager and MembershipReboot and have successfully managed to implement Bearer authentication across a few different ASP.NET Web API servers and a couple of Angular JS clients.
I'd like to be able to set up an endpoint on the IdentityServer3 Web API project itself that users can go to in order to edit their email-addresses, password, etc. In order to do this, I need to be able to use the [Authorize] attribute inside one of the controllers running on the IdentityServer3 server. I'm having trouble trying to find out how to do this.
In projects that use my IdentityServer3 server, I simply add something like:
app.UseIdentityServerBearerTokenAuthentication(...);
I wondered if I could just do the same in the server itself, but it wouldn't be Bearer token authentication in this case.
I just want to add an MVC page to the auth server that I can redirect to from the client applications to allow the user to modify their details. How can I achieve this?
There's an OWIN Context Environment extension in IdentityServer3, namely GetIdentityServerFullLoginAsync, which retrieves the logged in user (stored in a cookie).
I can create a new Action that uses this to retrieve the logged in user and display their details. I can also add endpoints for updating the password, etc, so long as I protect against CSRF in the usual MVC way.
I'm developing a mobile app, the server side is REST using Spring 3 MVC.
I was trying to integrate Spring Security with it to secure resources. I've read through a lot of material to get information on how to do it. I understand the architecture, however, when it comes to implementation I am still confused.
I referred a SO question; I have the same requirements. I understand the code, however, I am confused about when the first authenticate request comes in; at that time a token will not be present as the part of the header, so the same filter won't work.
So I was wondering how should I implement it. I was thinking of implementing it as follows:
A separate filter that authenticates user using username password from the request
After authentication the filter sets the authentication info in the context
And another filter that works with tokens for authentication for all API URLs
Is this the correct way to implement it?
No need to add another filter. Whatever the authentication result, the system will try to call handler for corresponding mapping, as you have chain.doFilter() outside if(validate_token).
You must tell Spring security that your request /login MUST NOT BE AUTHENTICATED. You can configure it in xml/java config.