
Puspender Tanwar

Ranch Hand
since Apr 21, 2015

Recent posts by Puspender Tanwar

I am sending a GET request for Basic authentication, to which the server (the backend API) would return (if the authentication is successful) a cookie. This is working fine for POSTMAN, but in the browser the cookie is not being set.

Here is my application flow:

1. Browser/POSTMAN login using basic authentication. Send credentials using the Authorization: Basic xxxxxx== header.
2. Server reads the authentication details, and if correct it creates a cookie named auth and sends it back with the response (above code). For the security layer, I am using Spring Security.
3. For further requests, that cookie will automatically be sent with each request. Now I had to take that cookie and extract the authentication details from it. After that, I had to add Authorization: Basic xxxxxx== to that request (because now the Authorization header is not sent by the client, only the cookie). For this I created a Filter which runs before Spring's BasicAuthenticationFilter.class.

Step 2 is working for POSTMAN, but not for the browser. In POSTMAN, the response sent by the server contains Set-Cookie → auth=Basic xxxxxxxx=; Domain=localhost; HttpOnly.

curl -i -u pu@gmail.com:password@ http://localhost:8085/api/v1/login

HTTP/1.1 200
Set-Cookie: auth=Basic xxxxxxxx==; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 0
Date: Tue, 12 Feb 2019 05:59:33 GMT


The response header in browser:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:3007
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Tue, 12 Feb 2019 11:52:10 GMT
Expires: 0
Pragma: no-cache
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block


What additional configuration do I need to do here?

3 days ago
JSESSIONID won't work for me, because I am using a RESTful, stateless API. So, there is no place for JSESSIONID.
However, creating an authentication cookie will maintain the statelessness of the application, because there will be no state maintained by the server; only the client would save a cookie, which will be carried with each request.

Yes, sending credentials in URL is a terrible idea.
1 week ago
I am securing my REST API using Basic-Auth. I came to know that for a stateless API, the backend should send a cookie (with the 'httpOnly' & 'secure' flags) for basic authentication, which then will be carried with each request. But I have a few doubts here:

1. What should be the name of that cookie?
2. How to set the cookie?
3. How does the Spring Security layer identify and extract the Base64-encoded credentials from that cookie?

As of now, this is my security config:

And since I have no idea from where to set that authentication cookie, I am trying this:

http://localhost:8080/login is a URL which is basic-auth protected; if the user provides correct credentials, then it sends the authentication cookie with the response.

But again, I have no idea where to get the username and password for this current user.
1 week ago

So it's better if your ReST application contains its own authentication mechanism (or better, a pre-debugged non-container one, like maybe Spring Security). The simplest way to do that is to have a ReST call that sends userID and password as an encrypted request and receives a token (basically, a "jsessionid" from the app instead of the container). This would then be used for the duration of the conversation as an add-on to the ReST calls. The main difference is that the authentication environment wouldn't be in the webapp or the webapp server, but in whatever common backend all the webapps in the cluster shared.


Yes, it's a REST API secured using Spring Security.
But what additional benefit does JSESSIONID add, if I still need to send the credentials for each request over the wire? What is the whole purpose of maintaining a session (using JSESSIONID) if the backend server can't remember the user? My apologies if I am missing something.
1 month ago
I am using basic authentication for my REST API. I don't understand the use case of the JSESSIONID cookie if we are sending the credentials with each request, the way we do it in stateless basic authentication.
How does JSESSIONID help here? Does the server not check the username and password if the JSESSIONID is valid?
1 month ago
I have written the frontend of an application using React.js, whose backend REST API is built using Spring Boot.
I have succeeded in integrating the "social login for Facebook" from the frontend, and now I have this information returned from Facebook:


Now, my requirement is to create an account for this user in my own application (own database) using the user's email as the primary key for his/her account. This user will have their own content (likes, interests, feeds).
But I have no idea where I should start now, or what the flow of the backend API and the complete application would be.

Can someone please guide me?
Thanks
1 month ago
I went through some resources for OAuth 2.0.
Each says OAuth is for authorization and not for authentication.
But, using Spring's `OAuth` server, don't we get an authentication token (e.g. a JWT)? And that token is used for authentication.
Can someone please clarify this?
2 months ago
I have a REST API secured with OAuth 2.0. I am able to get the access token using http://localhost:8085/auth/token?grant_type=password&username=22@gmail.com&password=mypass (along with username/password basic auth).
But when I try to access http://localhost:8085/signup, the API returns a 401 Unauthorized error.
Though I have used antMatchers("/signup").permitAll(), why is the API expecting an access token to access this resource? Passing an access token along with this request would sign up a user.
This is my resource server configuration:
2 months ago

Stephan van Hulst wrote: How did you get your assumptions?


I am following a Spring Security course where the author said this:

using form-based authentication and using cookies to drive the security of our APIs is an option, but definitely not the best way to go. Driving authentication with cookies has well-known issues and so we're going to move past form-based authentication really quickly and we're going to make our way towards better solutions. The next option is basic authentication and basic authentication is a very simple algorithm. It's very mature and very well supported in clients. However, of course, this simplicity is also the reason why it's not very secure and not very flexible either...
...In Basic Auth, each interaction is essentially going to resend the credentials over the wire. So this is where token-based solutions come in. And the first solution we're going to discuss is of course OAuth.
 

3 months ago

Stephan van Hulst wrote: Anyway, you can use HTTP Basic and let the browser handle the login prompt, or you can just create your own login form and send the credentials like you would in any other POST request.

If I am not wrong, Basic Authentication and the login prompt window are two different concepts in Spring Security.
The one where the login prompt comes up is called Form-Login and is handled by the .formLogin() API of Spring Security. The credentials are then stored in cookies, which is why Form-Login is unsafe.
Whereas Basic Authentication is all about resending the credentials with each request to the API.

Correct me if I am wrong. If I understood it right, then login is not applicable for Basic Authentication, because login means I just need to send the credentials once, not with each request.
3 months ago
Hey Shiksha, the question is not about social logins. The question is: can we use OAuth for authorization of a user using his credentials? There is no third-party application involved.
3 months ago
So the idea of using OAuth is only for accessing or giving access to a third-party application? Otherwise the application uses classic Basic Authentication to log in a user who has already signed up with their details. Am I on the right track now?
3 months ago

Stephan van Hulst wrote: Do users need to provide their credentials somewhere or does your client application have a "hardcoded" secret with which it authenticates itself without the user having to do anything?


It's a kind of social networking platform. Users log in using their original credentials.
I am exposing the API using Spring Boot and then consuming that API using the front-end framework React.js.

It's generally the same idea: users sign up using their email and password and then log in using those same credentials. So, I have a login form. I have been stuck here for a few days on where that login form's submit button should point. Should I create a REST endpoint for this, like the signup has a separate endpoint "api/signup"?
3 months ago
I read a lot of articles about OAuth2, and they all show that OAuth is for social logins.
But what if I want to develop a web app and want to secure the API using OAuth? What I mean is, for authentication, I don't want to use Basic Authentication (which is less secure, of course); I want to log in using OAuth. No third-party client or API; I am just accessing an API developed for a client, which (the API) is exposed to be used by that client only.

Is it the correct use case of OAuth? How to implement it using Spring Security (Boot)?
3 months ago
Thanks.
I have a doubt: suppose one day Bcrypt is no longer secure enough (like a few others); how do large existing applications handle migrating the already created users? How do they decrypt the passwords using the new algorithm?
3 months ago