4

Is it possible to use Kerberos in an Angular 2 application? We are using Spring which hosts our REST service and also protects the Angular 2 resources with Kerberos. We want to add roles and define what functionality in the Angular2 application is available for certain roles. There seems to be little information around on how to do this since most of the people seem to have gone to use JWT or OAuth.

Would it be possible to use Kerberos for the initial authentication and then generate a JWT which is sent back to the browser?

At the moment I am thinking about setting up a REST endpoint /user which returns all the information about the currently logged-in user including his/her permissions. In Angular I can then read those permissions and manipulate the UI and the routes accordingly. The data coming from the server would already be protected by Kerberos and Spring. So if the user can still alter their local Angular to visit some of the protected routes, they would not see any data.

Mistalis
merlino

3 Answers

0

You are absolutely correct in what you have said. You would want to handle authentication through the back-end, be it Kerberos, OAuth, or whatever. Upon successful login, the backend would return a metadata response that allows the UI to configure itself appropriately. Since the backend is where the protected resources are, the UI doesn't really need to be "protected", but more so "dynamically configured" to be appropriate for a given user.

You have to decide how you want to do it, and where you want to write most of your logic. For instance, the back-end could return something as simple as a role or experience identifier (ex. Admin, User, Guest). From there, the UI would know which activities should/could be performed, which resources are available, etc. The UI would know for example that a Guest cannot add a new user, but, because Mr. Guest could get curious, the most important thing is that the back-end indeed does not allow him to modify user accounts.

Brian
0

This would be a perfect use case for JWT tokens. Once you are authenticated at the server end, the backend service can create a JWT token with the roles of a particular user and return it to the Angular2 app. The Angular app can configure the UI depending on the roles of the user. On every subsequent server call the Angular app can send back this token, so that it is used to find the roles of the user. Spring Security allows adding a custom filter before authentication, which can be used to validate the token.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Register the token filter so every request passes through it after basic auth
        http.addFilterAfter(new TokenFilter(), BasicAuthenticationFilter.class);
    }
}

Inside TokenFilter the JWT token can be parsed to find the user roles and allow access to a particular protected resource. If anybody tries to modify the token or requests a forbidden protected resource, the JWT token validation would fail.

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.GenericFilterBean;

public class TokenFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // Validate the token here for the requested URL
        if (validateToken(httpRequest.getHeader("auth"))) {
            chain.doFilter(request, response);
        } else {
            // Return a 403 response instead of passing the request on
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
Praneeth Ramesh
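As an added illustration of the scheme this answer describes (stand-alone example code, not from the answer or from Spring), the following Python models what the token filter decides: mint an HS256 JWT carrying the roles of a user Kerberos has already authenticated, verify it on each request, and map backend routes to the roles allowed to reach them. The signing key and the route policy are constructed for the example; a token whose roles claim is edited without the key fails the signature check, which is the property the answer relies on.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: the real one stays server-side and is never sent to the browser.
SECRET = b"demo-signing-key-not-for-production"

# Constructed route policy: which roles may reach which backend resource.
ROUTE_ROLES = {
    "/api/user": {"Admin", "User", "Guest"},
    "/api/admin/users": {"Admin"},
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(principal: str, roles: list, ttl_seconds: int = 3600, now=None) -> str:
    """Mint an HS256 JWT carrying the roles of a user Kerberos has already authenticated."""
    now = time.time() if now is None else now
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"sub": principal, "roles": roles, "exp": int(now + ttl_seconds)}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Return the claims if signature and expiry hold; raise ValueError otherwise."""
    now = time.time() if now is None else now
    header, payload, sig = token.split(".")  # ValueError on a malformed token
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")  # any edit to the payload (e.g. roles) ends here
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def authorize(token: str, path: str, now=None) -> bool:
    """The token filter's decision: pass the request on (True) or answer 403 (False)."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    return bool(set(claims.get("roles", [])) & ROUTE_ROLES.get(path, set()))
```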
0

Your choice of auth technology on the backend side shouldn't influence your decisions on the frontend side much, be it OAuth, JWT, Kerberos, or something custom made.

You will need to authenticate the user in your backend using Kerberos, keep the ticket (auth token) somewhere on the frontend side (e.g. in a cookie or local storage), and then use that ticket to authenticate future requests. This will require some custom made code and basic knowledge of the Kerberos protocol (http://www.roguelynn.com/words/explain-like-im-5-kerberos/, Kerberos authentication in Node.js https.get or https.request), since I don't see any existing implementation of the Kerberos protocol in Angular2 (shouldn't be too hard, though).

You can use JWT over Kerberos, but this will require an additional layer between the endpoint and the frontend. IMHO, it will be easier to stick with only one technology that you are already using (Kerberos).

Then, you can implement custom guards in Angular2 to protect routes from unauthorized access (see https://blog.thoughtram.io/angular/2016/07/18/guards-in-angular-2.html).

metamaker