
Posts

Secure your applications with Spring Security 5 and Keycloak

Spring Security 5 brings a new OAuth2/OIDC client to replace the legacy client support in the old Spring Security OAuth sub-project. The new OAuth2 umbrella modules in the core project will replace the old Spring Security OAuth, Spring Social, etc. For the upcoming 5.1, an OAuth2 authorization server and resource server are planned; check the OAuth2-related issues on Github.
Unlike Spring Social, the Spring Security 5 OAuth2 client has built-in support for Facebook, GitHub, Okta, Google, etc., and it also provides a generic client registration mechanism, so you can configure any OAuth2/OIDC provider without writing code.
A new oauth2login sample has been added to the Spring Security source code to demonstrate the new OAuth2 client.
In this post, we will fork this sample, start up a local Keycloak server and configure it as a custom OAuth2/OIDC provider in our project.
Setup local Keycloak server
To simplify the work, I prepared a docker-com…
Latest posts

Build a Reactive application with Angular 5 and Spring Boot 2.0

I have written a post describing the reactive programming support in Spring 5 and its subprojects; all code for that article has been updated to the latest Spring 5 RELEASE, see spring-reactive-sample under my Github account.
In this post, I will create a simple blog system, including:
- A user can sign in and sign out.
- An authenticated user can create a post.
- An authenticated user can update a post.
- Only a user who has the ADMIN role can delete a post.
- All users (including anonymous users) can view the post list and post details.
- An authenticated user can add comments to a certain post.
The backend will be built with the latest Spring 5 reactive stack, including:
- Spring Boot 2.0; at the moment the latest version is 2.0.0.M7
- Spring Data MongoDB, which supports reactive operations for MongoDB
- Spring Session, which adds reactive support for WebSession
- Spring Security 5, which aligns with the Spring 5 reactive stack
The frontend is an Angular based SPA and will be generated by Angular CLI.
The source code is hosted on Github, …

Java EE Security API 1.0: SecurityContext

SecurityContext
In Java EE 7 and earlier, the other specifications, such as Servlet, EJB, JAX-RS, JAX-WS, etc., each have their own APIs to query the current security context:
- Servlet - HttpServletRequest#getUserPrincipal, HttpServletRequest#isUserInRole
- EJB - EJBContext#getCallerPrincipal, EJBContext#isCallerInRole
- JAX-WS - WebServiceContext#getUserPrincipal, WebServiceContext#isUserInRole
- JAX-RS - SecurityContext#getUserPrincipal, SecurityContext#isUserInRole
- JSF - ExternalContext#getUserPrincipal, ExternalContext#isUserInRole
- CDI - @Inject Principal
- WebSockets - Session#getUserPrincipal
In Java EE 8, you can use the new SecurityContext introduced in Java EE Security 1.0 instead.
A default implementation is available at runtime; you can inject it into CDI beans.

    @Inject
    SecurityContext securityContext;

The new SecurityContext provides similar methods to those in the other specifications.

    Principal getCallerPrincipal();
    <T extends Principal> Set<T> getPrincipalsByType(Cl…

Java EE Security API 1.0: IdentityStore

There are two built-in IdentityStore implementations provided in Glassfish v5, Database or Ldap.
An example of using the built-in @DatabaseIdentityStoreDefinition to set up a database-based IdentityStore:

    // Java EE 8 Security API and CDI imports used by this configuration bean
    import javax.enterprise.context.ApplicationScoped;
    import javax.inject.Named;
    import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;
    import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

    @DatabaseIdentityStoreDefinition(
        dataSourceLookup = "${'java:global/MyDS'}",
        callerQuery = "#{'select password from caller where name = ?'}",
        groupsQuery = "select group_name from caller_groups where caller_name = ?",
        hashAlgorithm = Pbkdf2PasswordHash.class,
        priorityExpression = "#{100}",
        hashAlgorithmParameters = {
            "Pbkdf2PasswordHash.Iterations=3072",
            "${applicationConfig.dyna}"   // resolved via the named bean below
        } // just for test / example
    )
    @ApplicationScoped
    @Named
    public class ApplicationConfig {

        // Supplies additional PBKDF2 parameters through the EL expression above
        public String[] getDyna() {
            return new String[]{
                "Pbkdf2PasswordHash.Algorithm=PBKDF2WithHmacSHA512",
                "Pbkdf2PasswordHash.SaltSizeBytes=64"
            };
        }
    }

Initializes database with the initial u…

Java EE Security API 1.0: HTTP authentication

HTTP authentication
HttpAuthenticationMechanism allows you to customize your own HTTP authentication mechanism.
An example of a custom HttpAuthenticationMechanism:

    // Java EE 8 Security API, CDI and Servlet imports used by this mechanism
    import javax.enterprise.context.ApplicationScoped;
    import javax.inject.Inject;
    import javax.security.enterprise.AuthenticationException;
    import javax.security.enterprise.AuthenticationStatus;
    import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
    import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
    import javax.security.enterprise.credential.Password;
    import javax.security.enterprise.identitystore.IdentityStoreHandler;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    @ApplicationScoped
    public class TestAuthenticationMechanism implements HttpAuthenticationMechanism {

        // Validates the submitted credentials against the configured IdentityStore(s)
        @Inject
        private IdentityStoreHandler identityStoreHandler;

        @Override
        public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                    HttpServletResponse response,
                                                    HttpMessageContext httpMessageContext)
                throws AuthenticationException {

            final String name = request.getParameter("name");
            final String pwd = request.getParameter("password");

            if (name != null && pwd != null) {
                // Get the (caller) name and password from the request
                // NOTE: This is for the smallest possible example only. In practice
                // putting the password in a request query parameter is highly
                // insecure
                Password password = new Password(pwd);

                // Delegate the {credentials in -> identity data out} …