Wednesday, March 29, 2017

Angular 2 and Spring Kerberos


Is it possible to use Kerberos in an Angular 2 application? We are using Spring which hosts our REST service and also protects the Angular 2 resources with Kerberos. We want to add roles and define what functionality in the Angular 2 application is available for certain roles. There seems to be little information around on how to do this since most of the people seem to have gone to use JWT or OAuth.

Would it be possible to use Kerberos for the initial authentication and then generate a JWT which is sent back to the browser?

At the moment I am thinking about setting up a REST endpoint /user which returns all the information about the currently logged-in user including his/her permissions. In Angular I can then read those permissions and manipulate the UI and the routes accordingly. The data coming from the server would already be protected by Kerberos and Spring. So if the user can still alter their local Angular to visit some of the protected routes, they would not see any data.

2 Answers

Answer 1

You are absolutely correct in what you have said. You would want to handle authentication through the back-end, be it Kerberos, OAuth, or whatever. Upon successful login, the backend would return a metadata response that allows the UI to configure itself appropriately. Since the backend is where the protected resources are, the UI doesn't really need to be "protected", but more so "dynamically configured" to be appropriate for a given user.

You have to decide how you want to do it, and where you want to write most of your logic. For instance, the back-end could return something as simple as a role or experience identifier (ex. Admin, User, Guest). From there, the UI would know which activities should/could be performed, which resources are available, etc. The UI would know for example that a Guest cannot add a new user, but, because Mr. Guest could get curious, the most important thing is that the back-end indeed does not allow him to modify user accounts.

Answer 2

This would be a perfect use case for JWT tokens. Once you are authenticated at the server end, the backend service can create a JWT token with the roles of a particular user and return it to the Angular 2 app. The Angular app can configure the UI depending on the roles of the user. On every subsequent server call the Angular app can send back this token, so that this token is used to find the roles of the user. Spring Security allows adding a custom filter before authentication which can be used to validate the token.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Place TokenFilter after Basic auth so it runs for every request in the security chain
        http.addFilterAfter(new TokenFilter(), BasicAuthenticationFilter.class);
    }
}

Inside TokenFilter the JWT token can be parsed to find the user roles and allow access to a particular protected resource. If anybody tries to modify the token or request a forbidden protected resource, the JWT token validation would fail.

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.GenericFilterBean;

public class TokenFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // ServletRequest has no getHeader(); the header is on the HTTP request
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Validate the token here for the requested URL
        if (validateToken(httpRequest.getHeader("auth"), httpRequest.getRequestURI())) {
            chain.doFilter(request, response);
        } else {
            // Return a 403 response and stop the filter chain
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // The answer does not show validateToken; it has to check the token's signature and
    // expiry and compare its roles with the requested URL. Denying by default keeps the
    // filter fail-closed until that check is implemented.
    private boolean validateToken(String token, String requestUri) {
        return false;
    }
}
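As an added example (not code from the answer above or from Spring), the check that TokenFilter leaves open, done with the jjwt 0.9.x library: the filter verifies the signature and expiry, turns the token's roles into Spring Security authorities, and leaves the per-URL decision to the rules in the security configuration instead of hand-coding URL checks in the filter. Assumed: an HMAC-SHA256 key shared with the token issuer, a "roles" claim holding an array of role names, and a standard "Authorization: Bearer" header rather than the answer's "auth" header.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example, not from the answer. Assumes jjwt 0.9.x, a shared HMAC-SHA256 key,
// a "roles" claim with a JSON array of role names and an "Authorization: Bearer <jwt>" header.
public class JwtRoleFilter extends OncePerRequestFilter {
    private final byte[] hmacKey;

    public JwtRoleFilter(byte[] hmacKey) {
        this.hmacKey = hmacKey;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res); // no token: stay anonymous and let the URL rules decide
            return;
        }
        try {
            // parseClaimsJws verifies the HMAC signature and rejects an expired exp claim; any failure throws
            Claims claims = Jwts.parser().setSigningKey(hmacKey)
                    .parseClaimsJws(header.substring("Bearer ".length())).getBody();
            @SuppressWarnings("unchecked")
            List<String> roles = claims.get("roles", List.class);
            List<SimpleGrantedAuthority> authorities = (roles == null ? Collections.<String>emptyList() : roles)
                    .stream().map(r -> new SimpleGrantedAuthority("ROLE_" + r)) // hasRole("ADMIN") expects ROLE_ADMIN
                    .collect(Collectors.toList());
            // Publish the verified identity so Spring Security enforces hasRole() rules per URL
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities));
        } catch (JwtException e) {
            SecurityContextHolder.clearContext();
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // tampered, expired or malformed token
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register it with http.addFilterBefore(new JwtRoleFilter(key), UsernamePasswordAuthenticationFilter.class) and declare the per-URL rules (for example .antMatchers("/admin/**").hasRole("ADMIN")) in the same configure method; since the token carries the identity, the session policy can also be set to SessionCreationPolicy.STATELESS.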