Search code examples
javaspringspring-bootspring-securityaccess-token

How to configure HttpSecurity for this situation (Spring Boot)

Criteria:

  • Unauthenticated users request token from /oauth/token
  • Unauthenticated users can also access swagger docs at /swagger-ui.html
  • All other endpoints should be secured i.e. require a valid token to use.

What I've Tried:

SecurityConfig.java - Possibly the source of the problem

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider customAuthenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
                .ignoring()
                .antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", "/configuration/**", "/swagger-ui.html", "/webjars/**");

    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .antMatcher("/oauth/token")
                .addFilterBefore(new RESTAuthenticationTokenProcessingFilter(), BasicAuthenticationFilter.class)
                .authorizeRequests()
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated();

    }
}

CustomAuthenticationProvider.java

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    final
    UserService userService;

    final
    TokenService tokenService;

    @SuppressWarnings("SpringJavaAutowiredMembersInspection")
    @Autowired
    public CustomAuthenticationProvider(TokenService tokenService, UserService userService) {
        this.tokenService = tokenService;
        this.userService = userService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (!(credentials instanceof String)) return null;
        String password = credentials.toString();
        // TODO implement hashing and salting of passwords
        UserDetails user = userService.loadUserByUsername(username);
        if (!user.getPassword().equals(password)) throw new NotAuthorisedException(AuthorisationFailureTypes.INVALID_REQUEST);

        TokenModel tokenModel = tokenService.allocateToken(user.getUsername());
        authentication.setAuthenticated(true);
        return authentication;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return TokenRequestModel.class.isAssignableFrom(authentication);
    }
}

RESTAuthenticationTokenProcessingFilter.java

@Component
public class RESTAuthenticationTokenProcessingFilter extends GenericFilterBean {

    public RESTAuthenticationTokenProcessingFilter() {
    }

    public RESTAuthenticationTokenProcessingFilter(UserService userService, String restUser) {
        this.userService = userService;
        this.REST_USER = restUser;
    }

    @Autowired
    private TokenService tokenService;
    private UserService userService;
    private String REST_USER;
    private Logger log = LoggerFactory.getLogger(this.getClass());

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = getAsHttpRequest(request);
        String authToken = extractAuthTokenFromRequest(httpRequest);
        if (authToken == null) throw new NotAuthorisedException(AuthorisationFailureTypes.INVALID_REQUEST);

        String[] parts = authToken.split(" ");

        if (parts.length == 2) {
            String tokenKey = parts[1];
            if (validateTokenKey(tokenKey)) {
                TokenModel token = tokenService.getTokenById(tokenKey);
                //List<String> allowedIPs = new Gson().fromJson(token.getAllowedIP(), new TypeToken<ArrayList<String>>() {}.getType());
                //if (isAllowIP(allowedIPs, request.getRemoteAddr())) {
                if (token != null) {
                    if (token.getExpires_in() > 0) {
                        UserDetails userDetails = userService.loadUserByUsername(REST_USER);
                        TokenRequestModel authentication = new TokenRequestModel(null, null, userDetails.getUsername(), userDetails.getPassword());
                        authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpRequest));
                        SecurityContextHolder.getContext().setAuthentication(authentication);
                        log.info("Authenticated " + token.getAccess_token() + " via IP: " + request.getRemoteAddr());
                    } else {
                        log.info("Unable to authenticate the token: " + authToken + ". Incorrect secret or token is expired");
                        throw new NotAuthorisedException(AuthorisationFailureTypes.INVALID_REQUEST);
                    }
                    //} else {
                    //log.info("Unable to authenticate the token: " + authToken + ". IP - " + request.getRemoteAddr() + " is not allowed");l
                }
            }
        } else {
            log.info("Unable to authenticate the token: " + authToken + ". Key is broken");
            throw new NotAuthorisedException(AuthorisationFailureTypes.INVALID_REQUEST);
        }
        chain.doFilter(request, response);
    }

    private boolean validateTokenKey(String tokenKey) {
        String[] parts = tokenKey.split("-");
        return parts.length == 5;
    }

    private HttpServletRequest getAsHttpRequest(ServletRequest request) {
        if (!(request instanceof HttpServletRequest)) {
            throw new RuntimeException("Expecting an HTTP request");
        }

        return (HttpServletRequest) request;
    }


    private String extractAuthTokenFromRequest(HttpServletRequest httpRequest) {
    // Get token from header

    String authToken = httpRequest.getHeader("authorisation");

    // If token not found get it from request parameter

    if (authToken == null) {
        authToken = httpRequest.getParameter("access_token");
    }

    return authToken;
    }
}

This has the result of any user that makes a request with the "Authorisation" header being able to access all resources. And users without the Authorisation header cannot request a token to be used.

I've spent a lot of time trying to pull from other examples, and reading through the Docs from the HTTPSecurity class, and its related classes, but I cannot understand how this configuration can be achieved.

Any help would be greatly appreciated!

EDIT --

Due to the nature of the project, I've had to follow a protocol which involves a slightly reduced version of oauth2. Unfortunately that has meant implementing a lot of what is already supplied in Spring Security (i.e. I'm not able to use Spring-Security-oauth2 or Spring Security 5). to fit my specific needs. I'd really appreciate any advice you would have.

Solution

  • I found a solution from a tutorial that involved implementing my own version of the entire authorisation process. But it works!

    My SecurityConfig.java class became:

    @Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

private final AuthenticationSuccessHandler loginSuccessfulHandler;
private final AuthenticationFailureHandler loginFailureHandler;
private final AccessDeniedHandler customAccessDeniedHandler;
private final AuthenticationEntryPoint customAuthenticationEntryPoint;

@Autowired
public SecurityConfig(AuthenticationSuccessHandler loginSuccessfulHandler, AuthenticationFailureHandler loginFailureHandler, AccessDeniedHandler customAccessDeniedHandler, AuthenticationEntryPoint customAuthenticationEntryPoint) {
    this.loginSuccessfulHandler = loginSuccessfulHandler;
    this.loginFailureHandler = loginFailureHandler;
    this.customAccessDeniedHandler = customAccessDeniedHandler;
    this.customAuthenticationEntryPoint = customAuthenticationEntryPoint;
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER")
            .and()
            .withUser("admin").password("password").roles("ADMIN");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable() // disable CSRF for this application
            .formLogin() // Using form based login instead of Basic Authentication
            .loginProcessingUrl("/oauth/token") // Endpoint which will process the authentication request. This is where we will post our credentials to authenticate
            .successHandler(loginSuccessfulHandler)
            .failureHandler(loginFailureHandler)
            .and()
            .authorizeRequests()
            .antMatchers("/oauth/token").permitAll() // Enabling URL to be accessed by all users (even un-authenticated)
            .antMatchers("/swagger-ui.html").permitAll()
             //.antMatchers("/secure/admin").access("hasRole('ADMIN')") // Configures specified URL to be accessed with user having role as ADMIN
            .anyRequest().authenticated() // Any resources not mentioned above needs to be authenticated
            .and()
            .exceptionHandling().accessDeniedHandler(customAccessDeniedHandler)
            .authenticationEntryPoint(customAuthenticationEntryPoint)
            .and()
            .anonymous().disable(); // Disables anonymous authentication with anonymous role.
}

    And so I had to implement my login(success/failure)handler etc, by impleneting the existing interface. Now I just need to implement my own AuthenticationMangager instead of the in-memory config currently being used.

    @dur thanks for helping! :)