I'm writing an Angular app which has Grails with Spring Security as a backend. I don't want to couple frontend with backend, so I don't use any gsp's, the communication goes only through REST requests.
Now the question comes which authentication to use.
Form authentication could be useful, but spring security redirects to the default form page and my login page is outside of Grails (in Angular project). I don't need a form page from spring security, I just need a URL where I can do my post request with credentials and get a cookie back.
So I started with Basic authentication which is easy enough, but then we have to add Authorization header to each request, which is annoying and not secure.
Spring security allows remember me cookie, but it is coupled to form authentication, so it is not possible (or difficult) to use it with basic authentication.
Stateless token authentication (for example, JWT) sounds great, but it is not clear how to configure it with Grails. The documentation for Security plugin has no mention about stateless authentication: http://grails-plugins.github.io/grails-spring-security-core/guide/index.html
So what is the best way to do authentication from Angular in Spring Secirity?
You are using default behavior of spring security. If you want stateless authentication, you will have to override the default behavior. Please go through this wiki page and also see this sample app for angular backend.
Related
Most of the tutorials on the internet are using React JS in a Spring Project, therefore it will be a server-side render like thymeleaf. But in my project, spring boot (REST API Backend) and ReactJS (SPA) are separated.
I have a monolithic app so I think I don't have to use JWT (moreover spring oauth2 authorization project is deprecated).
Is it possible to use Spring Security session authentication (Jsessionid) with a SPA such as react js?
How do I login, what is the endpoint for it? Is it just a POST
request to /login endpoint with a payload of username and password?
For the other endpoint, does the React only have to include the cookie of Jsessionid whenever make a REST API Call to spring boot so it can be authenticated?
Typically jsp, xhtml, jsf pages are rendered in server side and converted into html in server so If you want to use react js and do not use JWT how can clients side ui will depends to security layer? If you want to use hybrid ui, you can use it but if you want to use full client side rendering it won't happen.
You can use Spring MVC for login mechanism and you have to manage session. Your configuration of server side has to depend on session management. When you send request to rest endpoint, Security filters will be triggered and checks the session is valid or not. You can specify your custom filters as well.
But the best approach is using JWT and react together. Also you are using spring boot and create static folder in resources and deploy your react app to that location. There will be some html files like login.html, index.html, main.html etc.
Each html file can be small react applications but managed with Spring MVC.
I am trying to implement Azure AD authentication in a SPA application.
I am using an OWIN Startup.cs file in the WEB API and ADAL.js file in the angularjs front end application. (as per most of the tutorials suggestion)
My application does not have WebAPI and UI hosted in different domains/port. Basically, the WebAPI is referenced in the UI application project. (So no need for enabling CORS).
Now I have registered the applications on the Azure AD separately.
i.e. ClientApp -> Reply URL: http://localhost:90/ and
WebAPI -> APPID SignOn URL: http://localhost:90/Api/V1/
I have configured the ADAL.js and also getting the login page when trying to access the application from the UI. Also, I am able to retrieve the id.token generated after logging through the URL redirection. Also have decorated the web api controllers with the [Authorize] attribute.
My main concern here is that, if I try to call the WebAPI directly using tools like postman, I am getting access denied/Unauthroized Access (401). Can someone pls explain how can I test on my local env. with this scenario?
My sample request is: http://localhost:93/Api/V1/User/Preference (GET)
I am adding the token in the Authroization property of the Headers in the web api call.
Also a side note, I don't think I require OWIN/Startup.cs file for securing the WebAPI. The way I tried is that I got the token value send through the headers and got the AudienceID using JwtSecurityToken and parsing the contents of the Authroization property. Is this approach right as per security or I should stick to the OWIN implementation.
All of the ADAL JS tutorials have the backend API and the UX hosted on the same domain and port, with no need for CORS. See for example https://azure.microsoft.com/en-us/resources/samples/active-directory-javascript-singlepageapp-dotnet-webapi/. Those samples demonstrate that you need only ONE Azure AD registration, as the JS layer is in effect the exact same app as the web API.
We do have some samples demonstrating how to call an external API as well, and those do require CORS- but only for the extra API. The logic for calling the app backend remains the same (just one Azure AD app registration, no need for CORS).Postman doesn't offer any opportunity to pop out UX, hence one strategy you can follow is to obtain the tokens you need beforehand.
The use of OWIN allows you to centralize the auth setup; if you add auth in the controller, you'll need to repeat that logic for every new controller you add. Also, maintaining the code will be harder as you might use API surface that requires code changes when you update the assemblies, while that's less likely to happen if you use the standard middleware setup
I'm writing an AngularJS SPA application which calls Rest full web service. Back-end is being written on JAX-RS, deployed on Tomcat 7. I'm using HTTPS, SSL for transferring data from SPA to JAX-RS
requirements
I have to make LDAP authentication. (I will send username & password to web service and it should make authentication)
I have to do user's session management (because, when authenticated user sends request to web service, user doesn't have to authenticate again)
problems
I think there are two options for doing LDAP authentication:
Make LDAP authentication using core java http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ldap.html
Use Spring security (I'm not familiar with it and not sure if it's possible. I think I should send username & password to rest service. Rest service will have spring security library injected and it'll be possible to use authentication functionality. Am I right?)
Manage user sessions. Once user is authenticated, it should be saved somewhere, so that user can do operations until its logon is not expired.
How can I do it?
Which way should I choose? How should I make LDAP authenticating and session management?
Can anyone give any suggestion or example links?
So,
LDAP Authentication using JNDI works just fine, you could also use the neat UnboundID LDAP Java API. A simple LDAP Bind example can be found here: https://code.google.com/p/ldap-sample-code/source/browse/trunk/src/main/java/samplecode/bind/SimpleBindExample.java .
Note also that you could use a Node.JS module as your backend, the Passport.JS Authentication framework for example, provides lots of features/capabilities relative to authentication and Federation (i.e., do things like 'Login with Google', etc...). See: passportjs.org.
On the Angular/frontend side,your best bet is to use a JWT token. It's all explained in detail with examples here: http://code.tutsplus.com/tutorials/token-based-authentication-with-angularjs-nodejs--cms-22543.
In essence:
your backend Authentication REST should return a JWT Token in the response, once the user successfully binds to LDAP. This Token would contain some user data, and should be encrypted (see link above).
Your Angular App should set that token as a cookie on the client Browser ("set-cookie" response header) upon successful login (so in the Controller of your Login view).
The Client will then present that cookie/JWT Token on every request it makes to your app.
Your app will then need to validate the token presented on every request (in the controller of your SPA). You may also want to add the user authentication data to your $scope so you can use it in your view.
Hope it helps...
Any help, advice and experience is welcome.
Im currently having a separate AngularJS SPA on a Apache HTTP Server and a Spring Backend on a Tomcat 7 Servlet. The backend serves as a Rest API for the SPA.
Some rest resources will require a user to have a certain role.
I've been searching the internet for days on what and how to implement the best security strategy:
Basic Auth
Digest
oAuth
Stateless, Cookies? Sessions? Tokens? CSRF?
How would you go about communicating Spring Security in Json or XML to your SPA to show the user an authentication page or an "your successfully authenticated page"?
Any help is appreciated.
I finally figured out how to make the SPA authenticate with my Rest Backend.
In spring security I created a
Custom SimpleUrlAuthenticationFailureHandler which returns a HTTP-Unauthorizated if a login attempt fails.
Custom SavedrequestAwareAuthenticationSuccessHandler which returns Http-Oke if a login attempt is successful.
Custom AuthenticationEntryPoint which returns Http-Unauthorizated instead of a redirect.
Custom LogoutSuccessHandler which returns Http-OK.
I disabled CSRF.
If anyone needs more help feel free to let me know or message me.
I highly recommend watching this Spring's introductory video. It explains usage of Spring Security from ground up using Java configuration. Apart basic configuration, authentication and CLRF token usage also dive into field security. Uses templating on server with Thymeleaf though, but can provide a lot of wisdom for REST based app also.
I have an angular app that I need to secure. We have a central SSO app in our organisation.
This central app provides a login page and sets cookie after authenticating the user.
Now I need to redirect user from my angular app to this central login page in case authentication cookie is missing/expired.
Can someone please help, how can I redirect to a different page using angular routing ? It seems angular always redirect only relative to base url.
I also tried to use spring mvc and security to restrict access to index.html from server end, but I am not able to set the mapping for showing index.html file (outside web-inf) from dispatcher servlet.
angular's routing is for routing within the page.
Use native location.href for this.
It sounds to me that you are trying to have partial AngularJS page and partial Spring MVC web application. I have also tried this, but then things did not go so well.
If you want to build a web application using AngularJS, I suggest you to start using AngularJS fully as Single Page Web Application and use your Spring MVC as a RESTful web service which is secured by Spring Security.
Read this article: restful-web-service-with-spring-security
The custom AuthenticationEntryPoint must return an HTTP status which AngularJS will process further in $http.success or $http.error. In case of $http.error you force user to go to the login page maybe something like $location.url("/login");
To make all $http.error points to the login page, you can use AngularJS http interceptors.
NB: You should secure your whole web application on the web server level by permanently redirect from http to https. Example: Apache HTTPD