In CAS Overlay, How to return user attributes other than name to the clients in JAVA. I am using CAS Overlay project and storing the user details in Database.
Finally I am able to fetch the User Attributes of the Logged in User from the CAS Server to the client.
I am using CAS Overlay project version 5.0.0.RC1 and Spring Security 4.1.3.RELEASE.
Spring Client Configuration in WebSecurityConfigurerAdapter:
#Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService(serviceUrl);
serviceProperties.setSendRenew(false);
return serviceProperties;
}
#Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(cas30ServiceTicketValidator());
casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
return casAuthenticationProvider;
}
#Bean
public Cas30ServiceTicketValidator cas30ServiceTicketValidator() {
return new Cas30ServiceTicketValidator(casServer);
}
#Bean
public AuthenticationUserDetailsService authenticationUserDetailsService(){
String[] role ={"user_role"};
return new GrantedAuthorityFromAssertionAttributesUserDetailsService(role);
}
#Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setAuthenticationSuccessHandler(new CustomAuthenticationSuccessHandler());
casAuthenticationFilter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
return casAuthenticationFilter;
}
#Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
casAuthenticationEntryPoint.setLoginUrl(casServerLogin);
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
#Bean
public LogoutFilter requestSingleLogoutFilter (){
LogoutFilter logoutFilter = new LogoutFilter(casLogout,new SecurityContextLogoutHandler());
logoutFilter.setFilterProcessesUrl("/j_spring_cas_security_logout");
return logoutFilter;
}
#Bean
public SingleSignOutFilter singleSignOutFilter() {
SingleSignOutFilter filter = new SingleSignOutFilter();
filter.setCasServerUrlPrefix(casServer);
filter.setIgnoreInitConfiguration(true);
return filter;
}
Configured the Database attribute repository on the CAS Server side as I was storing the user details in Database.
<code>
cas.authn.attributeRepository.jdbc.singleRow=true
cas.authn.attributeRepository.jdbc.requireAllAttributes=true
cas.authn.attributeRepository.jdbc.caseCanonicalization=NONE
cas.authn.attributeRepository.jdbc.queryType=OR
cas.authn.attributeRepository.jdbc.sql=SELECT * FROM users WHERE {0}
cas.authn.attributeRepository.jdbc.username=username
cas.authn.attributeRepository.jdbc.healthQuery=SELECT 1
cas.authn.attributeRepository.jdbc.isolateInternalQueries=false
cas.authn.attributeRepository.jdbc.url=jdbc:postgresql://localhost:5432/casdb
cas.authn.attributeRepository.jdbc.failFast=true
cas.authn.attributeRepository.jdbc.isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.attributeRepository.jdbc.dialect=org.hibernate.dialect.PostgreSQLDialect
cas.authn.attributeRepository.jdbc.leakThreshold=10
cas.authn.attributeRepository.jdbc.propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.attributeRepository.jdbc.batchSize=1
cas.authn.attributeRepository.jdbc.user=postgres
cas.authn.attributeRepository.jdbc.ddlAuto=update
cas.authn.attributeRepository.jdbc.password=postgres
cas.authn.attributeRepository.jdbc.autocommit=false
cas.authn.attributeRepository.jdbc.driverClass=org.postgresql.Driver
cas.authn.attributeRepository.jdbc.idleTimeout=5000
cas.authn.attributeRepository.jdbc.pool.suspension=false
cas.authn.attributeRepository.jdbc.pool.minSize=6
cas.authn.attributeRepository.jdbc.pool.maxSize=18
cas.authn.attributeRepository.jdbc.pool.maxIdleTime=1000
cas.authn.attributeRepository.jdbc.pool.maxWait=2000
cas.authn.attributeRepository.attributes.last_name=last_name
cas.authn.attributeRepository.attributes.first_name=first_name
cas.authn.attributeRepository.attributes.user_role=user_role
</code>
After these changes I was able to fetch the user attributes from CAS Server.
Related
i want get the access token first and store the access token generated by keycloak during login... in my db. i am using spring boot .
this is the code that i tried for getting the access token ..but result is nothing.... have a better solution?
..
#RequestMapping(value = "/login", method = RequestMethod.GET)
public String getCustomers()
{
HttpServletRequest request =((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes())
.getRequest();
KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) request.getUserPrincipal();
KeycloakPrincipal principal = (KeycloakPrincipal) token.getPrincipal();
KeycloakSecurityContext session = principal.getKeycloakSecurityContext();
AccessToken accessToken = session.getToken();
String a = principal.getName();
String username = accessToken.getPreferredUsername();
String realmName = accessToken.getIssuer();
AccessToken.Access realmAccess = accessToken.getRealmAccess();
String s = session.getToken().toString();
System.out.println(s);
return realmName;
.. }
i expect to get the access token generated by keycloak and store it in db.
#KeycloakConfiguration class SecurityConfig extends
KeycloakWebSecurityConfigurerAdapter {
/**
* Registers the KeycloakAuthenticationProvider with the authentication manager.
*/
#Autowired public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception { KeycloakAuthenticationProvider
keycloakAuthenticationProvider=keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new
SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider); }
/**
* Defines the session authentication strategy.
*/
#Bean
#Override protected SessionAuthenticationStrategy
sessionAuthenticationStrategy() { return new
RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()); }
#Bean public KeycloakConfigResolver keycloakConfigResolver() { return new
KeycloakSpringBootConfigResolver(); }
#Override protected void configure(HttpSecurity http) throws Exception {
super.configure(http); http .authorizeRequests()
.antMatchers("/login*").hasRole("springrole") .anyRequest().permitAll(); } }
this is my keycloak configuration..
U need login to keycloak, i see u just call custom "/login" and expect keycloak principal.
I am able to connect with ldap and getting response, But in my Principal object authorities size is zero in which the role details is available i guess.
What are the additional input i need to pass in order to get ldap role details?
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication()
.userDnPatterns("uid={0},ou=TestOu")
.contextSource()
.url("ldaps://XX:768");
}
i tried with DirContextOperations object also ,it contains many attributes except role, The role is defined in ldapit and i am able to get the role while running the ldap query,
the issue is only through spring security
Please help
A 'role' does not really mean anything for an LDAP Directory Server.
LDAPv3 knows only about static groups.
Some LDAP Directory Server products allows to retrieve group memberships from a 'dynamic attribute' at the entry level.
You may define 'role' as an attribute for entries.
Got it !!!!! implementing a custom AuthenticationProvider and LdapAuthenticator and it used BindAuthenticator. We have to set the following with BindAuthenticator
authenticator.setUserDnPatterns(new String[]{"XX"});
authenticator.setUserAttributes(new String[]{"nsrole"});
In Config
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(this.customLdapAuthenticationProvider());
}
#Bean(name = "ldapAuthenticationProvider")
public AuthenticationProvider customLdapAuthenticationProvider() {
LdapUserDetailsMapper userDetailsMapper = new UserMapper();
CustomLdapAuthenticationProvider provider = new CustomLdapAuthenticationProvider(this.ldapAuthenticator(),
new NullLdapAuthoritiesPopulator());
provider.setUserDetailsContextMapper(userDetailsMapper);
return provider;
}
#Bean(name = "ldapAuthenticator")
public LdapAuthenticator ldapAuthenticator() {
BindAuthenticator authenticator = new BindAuthenticator(this.contextSource());
authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" });
authenticator.setUserAttributes(new String[] { "nsrole" });
return authenticator;
}
#Bean(name = "contextSource")
public DefaultSpringSecurityContextSource contextSource() {
DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(ldapUrl);
return contextSource;
}
private class UserMapper extends LdapUserDetailsMapper {
#Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
Collection<? extends GrantedAuthority> authorities) {
List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
Attributes attrs = ctx.getAttributes();
Sysout(attr)
UserDetails userDetails = super.mapUserFromContext(ctx, username, roles);
return userDetails;
}
}
I'm setting up CAS 5.3 to do Bind authentication agains an Oracle database. But I don't know how to setup a OracleDataSource while using WAR Overlay method. Any guidance would be appreciated, thanks.
Just setting up Driver and URL doesn't appear to work. It seems the HikariDataSource is used by default, and it doesn't implement the required getConnection(String username, String password).
#SneakyThrows
public static DataSource newDataSource(final AbstractJpaProperties jpaProperties) {
final String dataSourceName = jpaProperties.getDataSourceName();
final boolean proxyDataSource = jpaProperties.isDataSourceProxy();
if (StringUtils.isNotBlank(dataSourceName)) {
try {
final JndiDataSourceLookup dsLookup = new JndiDataSourceLookup();
dsLookup.setResourceRef(false);
final DataSource containerDataSource = dsLookup.getDataSource(dataSourceName);
if (!proxyDataSource) {
return containerDataSource;
}
return new DataSourceProxy(containerDataSource);
} catch (final DataSourceLookupFailureException e) {
LOGGER.warn("Lookup of datasource [{}] failed due to {} falling back to configuration via JPA properties.", dataSourceName, e.getMessage());
}
}
final HikariDataSource bean = new HikariDataSource();
if (StringUtils.isNotBlank(jpaProperties.getDriverClass())) {
bean.setDriverClassName(jpaProperties.getDriverClass());
}
bean.setJdbcUrl(jpaProperties.getUrl());
bean.setUsername(jpaProperties.getUser());
bean.setPassword(jpaProperties.getPassword());
bean.setLoginTimeout((int) Beans.newDuration(jpaProperties.getPool().getMaxWait()).getSeconds());
bean.setMaximumPoolSize(jpaProperties.getPool().getMaxSize());
bean.setMinimumIdle(jpaProperties.getPool().getMinSize());
bean.setIdleTimeout((int) Beans.newDuration(jpaProperties.getIdleTimeout()).toMillis());
bean.setLeakDetectionThreshold(jpaProperties.getLeakThreshold());
bean.setInitializationFailTimeout(jpaProperties.getFailFastTimeout());
bean.setIsolateInternalQueries(jpaProperties.isIsolateInternalQueries());
bean.setConnectionTestQuery(jpaProperties.getHealthQuery());
bean.setAllowPoolSuspension(jpaProperties.getPool().isSuspension());
bean.setAutoCommit(jpaProperties.isAutocommit());
bean.setValidationTimeout(jpaProperties.getPool().getTimeoutMillis());
return bean;
}
I would require that the bean created above, would be a OracleDataSource instance.
I'm creating a multi tenant spring boot - JPA application.
In this application, I want to connect to MySQL Databases using DB name which is sent through API request as header.
I checked many multi tenant project samples online but still can't figure out a solution.
Can anyone suggest me a way to do this?
You can use AbstractRoutingDataSource to achieve this. AbstractRoutingDataSource requires information to know which actual DataSource to route to(referred to as Context), which is provided by determineCurrentLookupKey() method. Using example from here.
Define Context like:
public enum ClientDatabase {
CLIENT_A, CLIENT_B
}
Then you need to define Context Holder which will be used in determineCurrentLookupKey()
public class ClientDatabaseContextHolder {
private static ThreadLocal<ClientDatabase> CONTEXT = new ThreadLocal<>();
public static void set(ClientDatabase clientDatabase) {
Assert.notNull(clientDatabase, "clientDatabase cannot be null");
CONTEXT.set(clientDatabase);
}
public static ClientDatabase getClientDatabase() {
return CONTEXT.get();
}
public static void clear() {
CONTEXT.remove();
}
}
Then you can extend AbstractRoutingDataSource like below:
public class ClientDataSourceRouter extends AbstractRoutingDataSource {
#Override
protected Object determineCurrentLookupKey() {
return ClientDatabaseContextHolder.getClientDatabase();
}
}
Finally, DataSource bean configuration:
#Bean
public DataSource clientDatasource() {
Map<Object, Object> targetDataSources = new HashMap<>();
DataSource clientADatasource = clientADatasource();
DataSource clientBDatasource = clientBDatasource();
targetDataSources.put(ClientDatabase.CLIENT_A,
clientADatasource);
targetDataSources.put(ClientDatabase.CLIENT_B,
clientBDatasource);
ClientDataSourceRouter clientRoutingDatasource
= new ClientDataSourceRouter();
clientRoutingDatasource.setTargetDataSources(targetDataSources);
clientRoutingDatasource.setDefaultTargetDataSource(clientADatasource);
return clientRoutingDatasource;
}
https://github.com/wmeints/spring-multi-tenant-demo
Following this logic, I can solve it now. Some of the versions need to be upgraded and the codes as well.
Spring Boot version have changed.
org.springframework.boot
spring-boot-starter-parent
2.1.0.RELEASE
Mysql version has been removed.
And some small changed in MultitenantConfiguration.java
#Configuration
public class MultitenantConfiguration {
#Autowired
private DataSourceProperties properties;
/**
* Defines the data source for the application
* #return
*/
#Bean
#ConfigurationProperties(
prefix = "spring.datasource"
)
public DataSource dataSource() {
File[] files = Paths.get("tenants").toFile().listFiles();
Map<Object,Object> resolvedDataSources = new HashMap<>();
if(files != null) {
for (File propertyFile : files) {
Properties tenantProperties = new Properties();
DataSourceBuilder dataSourceBuilder = DataSourceBuilder.create(this.getClass().getClassLoader());
try {
tenantProperties.load(new FileInputStream(propertyFile));
String tenantId = tenantProperties.getProperty("name");
dataSourceBuilder.driverClassName(properties.getDriverClassName())
.url(tenantProperties.getProperty("datasource.url"))
.username(tenantProperties.getProperty("datasource.username"))
.password(tenantProperties.getProperty("datasource.password"));
if (properties.getType() != null) {
dataSourceBuilder.type(properties.getType());
}
resolvedDataSources.put(tenantId, dataSourceBuilder.build());
} catch (IOException e) {
e.printStackTrace();
return null;
}
}
}
// Create the final multi-tenant source.
// It needs a default database to connect to.
// Make sure that the default database is actually an empty tenant database.
// Don't use that for a regular tenant if you want things to be safe!
MultitenantDataSource dataSource = new MultitenantDataSource();
dataSource.setDefaultTargetDataSource(defaultDataSource());
dataSource.setTargetDataSources(resolvedDataSources);
// Call this to finalize the initialization of the data source.
dataSource.afterPropertiesSet();
return dataSource;
}
/**
* Creates the default data source for the application
* #return
*/
private DataSource defaultDataSource() {
DataSourceBuilder dataSourceBuilder = DataSourceBuilder.create(this.getClass().getClassLoader())
.driverClassName(properties.getDriverClassName())
.url(properties.getUrl())
.username(properties.getUsername())
.password(properties.getPassword());
if(properties.getType() != null) {
dataSourceBuilder.type(properties.getType());
}
return dataSourceBuilder.build();
}
}
This change is here due to the DataSourceBuilder has been moved to another path and its constructor has been changed.
Also changed the MySQL driver class name in application.properties like this
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
I am working on spring security with oauth2 authentication. Previously for client details service in authorization server I was using in-memory mechanism and it was working perfectly.And now I want to use database for client details service. I am using Mysql database. Kindly provide some solution for configuring client details service for database.
I am sharing my authorization server configuration class:
#SpringBootApplication
#Controller
#SessionAttributes("authorizationRequest")
#EnableResourceServer
public class AuthServerApplication extends WebMvcConfigurerAdapter {
#RequestMapping("/user")
#ResponseBody
public Principal user(Principal user) {
return user;
}
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
registry.addViewController("/oauth/confirm_access").setViewName("authorize");
}
public static void main(String[] args) {
SpringApplication.run(AuthServerApplication.class, args);
}
#Configuration
protected static class CorsFilterConfig {
#Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
// we want this to run before the SpringSecurityFilterChain which we set at 50 in properties
// anything less than 50 will work
bean.setOrder(0);
return bean;
}
}
#Configuration
//#Order(-20)
protected static class LoginConfig extends WebSecurityConfigurerAdapter{
#Autowired
#Qualifier("authenticationManager")
private AuthenticationManager authenticationManager;
#Autowired
private CustomUserDetailsService userDetailsService;
/**
* '/oauth/authorize' is AuthorizationEndPoint and it's used to service requests for authorization.
* '/oauth/confirm_access' endpoint - User approval for Grants here.
* Authorization endpoint /oauth/authorize (or its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users
* Authorization endpoint is used to grant authorization to client application
* The TokenEndPoint is protected by default by spring oauth in the #Configuration support using HttpBasicAuthentication of the client secret
*/
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin() // Allows users to authenticate with form based login
.loginPage("/login") // location of log in page
.permitAll() // grant access to all users to access to our log in page
.and()
.requestMatchers()
.antMatchers("/login","/oauth/authorize", "/oauth/confirm_access") // These URL's any user can access
.and()
.authorizeRequests().anyRequest().authenticated(); // Any other request to our application requires the user to be authenticated
// .and()
// .rememberMe()
// .key("uniqueAndSecret")
// .tokenValiditySeconds(86400);
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.parentAuthenticationManager(authenticationManager)
.userDetailsService(userDetailsService);
// auth
// .inMemoryAuthentication()
// .withUser("roy").password("spring").roles("USER");
}
}
/*
* EnableAuthorizationServer annotation is used to configure the oauth2.0 Authorization Server Mechanism together with any beans that implement AuthorizationServerConfigurer
*
*/
#Configuration
#EnableAuthorizationServer
protected static class OAuth2AuthorizationConfig extends AuthorizationServerConfigurerAdapter {
#Autowired
#Qualifier("authenticationManager")
private AuthenticationManager authenticationManager;
#Autowired
private ApplicationContext context;
#Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
KeyPair keyPair = new KeyStoreKeyFactory(
new ClassPathResource("keystore.jks"), "suleman123".toCharArray())
.getKeyPair("resourcekey");
converter.setKeyPair(keyPair);
return converter;
}
// #Bean
// public DataSource dataSource(){
// //jdbc:hsqldb:mem:testdb
// EmbeddedDatabaseBuilder builder = new EmbeddedDatabaseBuilder();
// EmbeddedDatabase db = builder.setType(EmbeddedDatabaseType.HSQL)
// .addScript("classpath:schema.sql")
// .addScript("classpath:data.sql")
// .build();
// return db;
// }
/*
* A configurer that defines the client details service.
* ClientDetailsServiceConfigurer is used to define an in-memory or JDBC implementation of the client details service.
*
* A authorization code is obtained by the OAuth client by directing the end-user to an authorization page where the user can enter
* his/her credentials, resulting in a redirection from the provider authorization server back to the OAuth client with the authorization code
*
* We registered the client and authorized for the 'authorization_code', 'refresh_token', 'password' grant types
*
*/
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// clients.inMemory()
// .withClient("acme") //(required) the client id.
// .secret("acmesecret") //(required for trusted clients) the client secret, if any.
// .authorizedGrantTypes("authorization_code", "refresh_token",
// "password") // Grant types that the client is to use to obtain an access token
// .accessTokenValiditySeconds(5)
// .scopes("openid") // scope to which the client is limited
// .autoApprove(true);
DriverManagerDataSource dataSource = (DriverManagerDataSource)context.getBean("dataSource");
clients.jdbc(dataSource);
}
/**
* Defines the authorization and token end point and token services
*/
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints.authenticationManager(authenticationManager)
.accessTokenConverter(jwtAccessTokenConverter());
}
/**
* defines the security constraints on the token end point
*/
#Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer)
throws Exception {
//
oauthServer.tokenKeyAccess("permitAll()") // It open the access to public key exposed by the authorization server on the end point /oauth/token_key
.checkTokenAccess("isAuthenticated()"); // check it is authenticated or not
}
}
}