spring-security-multi-auth

Spring security multi-authentication

License

License

Categories

Categories

Security
GroupId

GroupId

com.forgerock
ArtifactId

ArtifactId

spring-security-multi-auth
Last Version

Last Version

0.0.24
Release Date

Release Date

Type

Type

pom
Description

Description

spring-security-multi-auth
Spring security multi-authentication
Source Code Management

Source Code Management

https://github.com/ForgeRock/spring-security-multi-auth-collector.git

Download spring-security-multi-auth

How to add to project

<!-- https://jarcasting.com/artifacts/com.forgerock/spring-security-multi-auth/ -->
<dependency>
    <groupId>com.forgerock</groupId>
    <artifactId>spring-security-multi-auth</artifactId>
    <version>0.0.24</version>
    <type>pom</type>
</dependency>
// https://jarcasting.com/artifacts/com.forgerock/spring-security-multi-auth/
implementation 'com.forgerock:spring-security-multi-auth:0.0.24'
// https://jarcasting.com/artifacts/com.forgerock/spring-security-multi-auth/
implementation ("com.forgerock:spring-security-multi-auth:0.0.24")
'com.forgerock:spring-security-multi-auth:pom:0.0.24'
<dependency org="com.forgerock" name="spring-security-multi-auth" rev="0.0.24">
  <artifact name="spring-security-multi-auth" type="pom" />
</dependency>
@Grapes(
@Grab(group='com.forgerock', module='spring-security-multi-auth', version='0.0.24')
)
libraryDependencies += "com.forgerock" % "spring-security-multi-auth" % "0.0.24"
[com.forgerock/spring-security-multi-auth "0.0.24"]

Dependencies

There are no dependencies for this project. It is a standalone project that does not depend on any other jars.

Project Modules

  • starter
  • samples

Build Status

Spring security multi-auth

Motivation of this project

Spring security offers authentication configurer by default, like X509, rememberMe, etc. Their goal is to collect the user credential from the request. This is why in this project, we renamed them 'Authentication Collector', as they collect authentication information. Defining a new authentication collector in Spring security is possible but requires a configurer and a filter. The first objective of this project is to offer you an easier way to implement authentication collector.

After the lack of easy customisation of authentication collector, the second issue we met was the lack of multiple authentication method. It's quite common for a micro-services to offers endpoints consumable from different services, some can authenticate using certificates (MATLS), some using cookie and some using token bearer. In our case, we wanted to offer APIs accessible from micro-services but also SPA. This project offers a way to add multiple authentication collector, which would be evaluated in the order of declaration. This way, you can define MATLS auth and Cookie Auth for the same endpoints.

Another issue we met, is the lack of distinction between authentication and authorisation. This becomes blatant when we talk about access token. Access token are really about access and not authentication. You would expect to use a different authentication method associated with an access token. One of the usual way is to offer MATLS with access token based. With token biding, you can actually verify that the client certificate matches the access token. This is why we decided to separate the concept of authentication, by introducing authorisation collector.

As we did separate the authorisation from the authentication, we did also add the possibility to have multiple authorisation collectors.

Features

  • Easier way to add authentication collector
  • separating authentication to authorisation
  • Add multiple authentication and authorisation available.
  • out of the box auth collector:
    • Access token
    • Stateless access token
    • Custom cookie
    • Custom cookie as JWT
    • PSD2 collector
    • X509 collector

How to use?

We did include samples spring boot apps, that will show you an example of usage of the APIs.

com.forgerock

ForgeRock

These repositories are provided by the community of ForgeRock users. They are in no way supported or tested by ForgeRock.

Versions

Version
0.0.24
0.0.16
0.0.15
0.0.14
0.0.9
0.0.6