Starter

Spring security multi-authentication

License	License CDDLv1.0
Categories	Categories Security
GroupId	GroupId com.forgerock
ArtifactId	ArtifactId spring-security-multi-auth-starter
Last Version	Last Version 0.0.24
Release Date	Release Date Oct 10, 2019
Type	Type jar
Description	Description Starter Spring security multi-authentication

Download spring-security-multi-auth-starter

Filename	Size
spring-security-multi-auth-starter-0.0.24.pom
spring-security-multi-auth-starter-0.0.24.jar	43 KB
spring-security-multi-auth-starter-0.0.24-sources.jar	24 KB
spring-security-multi-auth-starter-0.0.24-javadoc.jar	562 KB
Browse

How to add to project

Apache Maven

<!-- https://jarcasting.com/artifacts/com.forgerock/spring-security-multi-auth-starter/ -->
<dependency>
    <groupId>com.forgerock</groupId>
    <artifactId>spring-security-multi-auth-starter</artifactId>
    <version>0.0.24</version>
</dependency>

Gradle Groovy

// https://jarcasting.com/artifacts/com.forgerock/spring-security-multi-auth-starter/
implementation 'com.forgerock:spring-security-multi-auth-starter:0.0.24'

Gradle Kotlin

// https://jarcasting.com/artifacts/com.forgerock/spring-security-multi-auth-starter/
implementation ("com.forgerock:spring-security-multi-auth-starter:0.0.24")

Apache Buildr

'com.forgerock:spring-security-multi-auth-starter:jar:0.0.24'

Apache Ivy

<dependency org="com.forgerock" name="spring-security-multi-auth-starter" rev="0.0.24">
  <artifact name="spring-security-multi-auth-starter" type="jar" />
</dependency>

Groovy Grape

@Grapes(
@Grab(group='com.forgerock', module='spring-security-multi-auth-starter', version='0.0.24')
)

Scala SBT

libraryDependencies += "com.forgerock" % "spring-security-multi-auth-starter" % "0.0.24"

Leiningen

[com.forgerock/spring-security-multi-auth-starter "0.0.24"]

Dependencies

compile (6)

Group / Artifact	Type	Version
org.springframework.boot : spring-boot-starter-security	jar	2.1.5.RELEASE
org.apache.httpcomponents : httpmime	jar	4.5.9
org.apache.httpcomponents : httpasyncclient	jar	4.1.4
org.projectlombok : lombok	jar	1.18.10
com.nimbusds : nimbus-jose-jwt	jar	7.3
com.forgerock : forgerock-eidas-psd2-cert-sdk	jar	1.12

provided (1)

Group / Artifact	Type	Version
javax.servlet : servlet-api	jar	2.5

Project Modules

There are no modules declared in this project.

Spring security multi-auth

Motivation of this project

Spring security offers authentication configurer by default, like X509, rememberMe, etc. Their goal is to collect the user credential from the request. This is why in this project, we renamed them 'Authentication Collector', as they collect authentication information. Defining a new authentication collector in Spring security is possible but requires a configurer and a filter. The first objective of this project is to offer you an easier way to implement authentication collector.

After the lack of easy customisation of authentication collector, the second issue we met was the lack of multiple authentication method. It's quite common for a micro-services to offers endpoints consumable from different services, some can authenticate using certificates (MATLS), some using cookie and some using token bearer. In our case, we wanted to offer APIs accessible from micro-services but also SPA. This project offers a way to add multiple authentication collector, which would be evaluated in the order of declaration. This way, you can define MATLS auth and Cookie Auth for the same endpoints.

Another issue we met, is the lack of distinction between authentication and authorisation. This becomes blatant when we talk about access token. Access token are really about access and not authentication. You would expect to use a different authentication method associated with an access token. One of the usual way is to offer MATLS with access token based. With token biding, you can actually verify that the client certificate matches the access token. This is why we decided to separate the concept of authentication, by introducing authorisation collector.

As we did separate the authorisation from the authentication, we did also add the possibility to have multiple authorisation collectors.

Features

Easier way to add authentication collector
separating authentication to authorisation
Add multiple authentication and authorisation available.
out of the box auth collector:
- Access token
- Stateless access token
- Custom cookie
- Custom cookie as JWT
- PSD2 collector
- X509 collector

How to use?

We did include samples spring boot apps, that will show you an example of usage of the APIs.

ForgeRock

These repositories are provided by the community of ForgeRock users. They are in no way supported or tested by ForgeRock.

Versions

Version
0.0.24 Oct 10, 2019
0.0.16 Oct 8, 2019
0.0.15 Sep 30, 2019
0.0.14 Sep 30, 2019
0.0.9 Sep 25, 2019
0.0.6 Sep 25, 2019

Starter

License

Categories

GroupId

ArtifactId

Last Version

Release Date

Type

Description