In the Domino world we had the NAB (Notes Address Book), or the Domino Directory as it eventually became known. The NAB stored everything, from server configurations to policy setups and of course People and Groups. Each individual NSF had its own Access Control List (ACL) that listed who had access to the NSF and what level of access they had; the ACL also had a mechanism to assign roles to the people and groups listed in it. The NAB specified who you were and the ACL specified what you were allowed to do.
When you look at replacing this functionality you need to break it down into multiple parts… Directory, Authentication and Authorization.
Directory is where you store the list of all the people who are allowed to access your applications. If you are only building internal applications then you probably already have a directory, which is either AD if you are a Microsoft house or some other LDAP directory if you are not. If you are developing applications that anybody can register to use then AD/LDAP may not be the best idea and you may need to keep that person data in its own separate database.
Authentication is the process of logging a user into your system against the directory of your choice: does the person exist, did they identify themselves correctly with the right password or other identification method, do they need to register as a new user, and so on.
Authorization is determining whether the person who has authenticated has access to the application and, if so, what roles they are assigned in that application. It is a separate check from authentication: a successful login on its own says nothing about which apps a person may use. Keep in mind that they may have access to many different apps in your organization, so your directory needs to be able to store all of that information for you.
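To make the split between the three parts concrete, here is a small Python model of it. This is an added example, not code from this post or from the Spring Boot stack it is heading toward: a directory that stores people and their roles per application (like roles in an NSF ACL), an authentication step that only checks credentials, and an authorization step that checks app access and role separately. The user names, passwords and app names are constructed for illustration, and the PBKDF2 work factor is an assumed value.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumption: PBKDF2-HMAC-SHA256 with this work factor stands in for whatever
# the real directory or provider does; tune it for your hardware.
ITERATIONS = 100_000


@dataclass
class Person:
    """One entry in the directory: identity plus per-application roles."""
    username: str
    salt: bytes
    pw_hash: bytes
    # app name -> roles held in that app, like roles in an NSF ACL.
    # An app that is absent means the person has no access to it at all.
    app_roles: dict = field(default_factory=dict)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Directory:
    """The NAB replacement: who exists, and what they may do in each app."""

    def __init__(self) -> None:
        self._people: dict[str, Person] = {}

    def register(self, username: str, password: str, app_roles: dict | None = None) -> Person:
        """Self-registration path: store a salted hash, never the password."""
        salt = os.urandom(16)
        roles = {app: set(r) for app, r in (app_roles or {}).items()}
        person = Person(username, salt, _hash_password(password, salt), roles)
        self._people[username] = person
        return person

    def lookup(self, username: str) -> Person | None:
        return self._people.get(username)


# Used when the username is unknown, so a failed lookup costs the same as a
# wrong password and the response time does not reveal which names exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("", _DUMMY_SALT)


def authenticate(directory: Directory, username: str, password: str) -> Person | None:
    """Authentication only: return the Person if the credentials are right.

    It deliberately says nothing about which apps they may use; that is
    authorization, decided separately in authorize().
    """
    person = directory.lookup(username)
    salt, expected = (person.salt, person.pw_hash) if person else (_DUMMY_SALT, _DUMMY_HASH)
    # Constant-time comparison of the two digests.
    matched = hmac.compare_digest(_hash_password(password, salt), expected)
    return person if (person is not None and matched) else None


def authorize(person: Person, app: str, required_role: str | None = None) -> bool:
    """Authorization: may this authenticated person use `app`, and do they
    hold `required_role` in it? A valid login alone is not enough."""
    roles = person.app_roles.get(app)
    if roles is None:
        return False  # authenticated, but not on this app's ACL
    return required_role is None or required_role in roles


def build_sample_directory() -> Directory:
    """Constructed sample data for the example, not from any real system."""
    d = Directory()
    d.register("alice", "correct horse battery staple",
               {"expenses": {"User", "Approver"}, "timesheets": {"User"}})
    d.register("bob", "hunter2", {"timesheets": {"User"}})
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    alice = authenticate(d, "alice", "correct horse battery staple")
    print("alice login ok:", alice is not None)
    print("alice may approve expenses:", authorize(alice, "expenses", "Approver"))
    print("alice may approve timesheets:", authorize(alice, "timesheets", "Approver"))
    print("bob has any access to expenses:", authorize(d.lookup("bob"), "expenses"))
    print("unknown user rejected:", authenticate(d, "mallory", "anything") is None)
```

Two things worth noticing: an unknown username is still hashed against a dummy record so the failure takes the same time as a bad password, and bob being refused on the expenses app shows that a successful login says nothing about which apps a person may use.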
None of these things is supplied for you out of the box, regardless of which backend and frontend you decide to use. You will either have to roll your own, and hope you got the password storage, session handling and role checks right, or you can go with a third-party solution.
The two that I recommend looking at are Stormpath and Auth0. Both of these services can hook into your in-house directory and can also supply a credentials store for external people to register against. They both provide application role capabilities, so people can have different roles in different apps, and they can both do two-factor authentication, SSO and so on. They both allow sign-in using Facebook, Twitter or Google credentials. They both integrate with Spring Security, which is something we will be using as part of Spring Boot. They are both great products.
We went with Auth0 as our authentication provider. Auth0 can hook into Azure AD, which is where our corporate directory lives, allowing us to provide a single sign-on solution for our staff. We will, in the future, need user registration for some external-facing apps, and Auth0 can easily handle this for us and store the data for it. If you don't need the Azure AD integration then Stormpath has some fantastic Spring Boot starters with Thymeleaf support that can help you get going very quickly.