I am working on a simple REST API using spring security with a JWT Filter. However, I am a little bit confused with how to update user info.
After loggin in I get a JWT that I use to make request on other endpoints. But how do I create a controller that create or update data?
I have my user table and my preferences table they are one to one related.
If I make a request like "/create/preferences" what do I put in the body in order for me to create a preference link to this user making the call to the api?
#PostMapping("/user/preferences")
public ResponseEntity<Preferences> getUserPreferences() {
/*
what to put here
*/
return new ResponseEntity<>(HttpStatus.OK);
}
Do I have to get the user from the token? Then I can create a preference object with this user id?
Thanks in advance
#RestController
#RequestMapping("/users")
public class UserController {
#Autowired
private UserService userService;
#PutMapping("/{id}")
public ResponseEntity<?> updateUser(#PathVariable Long id, #RequestBody User user) {
// Use Spring Security to get the authenticated user from the security context
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
User authenticatedUser = (User) authentication.getPrincipal();
// Verify that the authenticated user is the same as the user being updated
if (!authenticatedUser.getId().equals(id)) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
// Update the user information
user.setId(id);
userService.updateUser(user);
return ResponseEntity.ok().build();
}
}
What do you think about this? UserService would be responsible for actually updating the user in the database. The controller simply handles the request, authenticates the user with JWT, and checks that the authenticated user is authorized to make the update.
You can change the ResponseEntity type as you like.
Related
I have a Spring Boot web application that expects all incoming requests to have a cookie with a valid JWT ID token. The ID token holds the email address of the user, which is used to query the database for the User entity. The User entity is then used by multiple services.
Currently, the controllers receive the raw ID token as a parameter, and then passes it down to the services:
#PostMapping()
void foo(#CookieValue String rawIdToken) {
myService.bar(rawIdToken);
}
Then each service is parsing the token and querying the database:
void bar(String rawIdToken) {
// Parse the ID token
IdToken idToken = IdToken.from("RAW_ID_TOKEN");
// Query the database
User user = userRepository.findByEmail(idToken.getEmail());
// Code that requires the User entity..
}
Is there a way to avoid having to do this every time, and instead automatically make the User entity available to all controllers? So that, for example, the sample controller above can become something like that:
#PostMapping()
void foo(User user) {
myService.bar(user);
}
And the service:
void bar(User user) {
// Code that requires the User entity..
}
Please let me know if I am looking at this the wrong way.
You can create a Filter. This Filter gets the User from DB and add it to session as attribute.
Then you can take the User object from session by httpRequest.getAttribute()
Here is about creating filter: https://www.baeldung.com/spring-boot-add-filter
It is about setting ang getting session object: Spring: how to pass objects from filters to controllers
I have to design a application for an organization where Authentication need to be happen Using SSO with Azure Directory using spring boot.
All the employee Information is stored in the AD. My custom application will have it's own users and their roles which are saved in the Database. Not every Employee in the organization will have access to this application. Admin will add user and their roles in Database(Mysql).
I am able to figure it out to do SSO with AD by adding relevant details in properties-file and configuring WebSecurify Config class
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;
#Autowired
private AADAuthenticationFilter aadAuthFilter;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().antMatchers(HttpMethod.OPTIONS,
"/**").permitAll().anyRequest().authenticated()
.and()
.oauth2Login()
.userInfoEndpoint()
.oidcUserService(oidcUserService);
http
.addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class);
http
.headers()
.frameOptions().sameOrigin()
.cacheControl();
http
.csrf().disable()
.authorizeRequests().antMatchers(HttpMethod.OPTIONS,
"/**").permitAll().anyRequest().authenticated()
}
}
Once the user is validated, In response i will get JWT token, Which i will use for all my further API requests. But the Problem is, Here i am allowing all the Employees to access the application since he is authenticated using AD. But, Once User is Authenticated i want to check whether user is available in the database or not, If he is not available, i need to send invalid user, if he is valid user to my application, i need to fetch roles and send it to front end as a Valid response.
I also want to do service level authorization for the user, I have used #PreAuthorize Annotation for most of my services.
#PreAuthorize("hasRole('ROLE_VIEWER') or hasRole('ROLE_EDITOR')")
Edit 1
public class UserDetailsServiceImpl extends OidcUserService implements
CustomUserDetailsService {
#Override
public OidcUser loadUser(OidcUserRequest userRequest) throws
OAuth2AuthenticationException {
OidcUser oidcUser;
String mail=userRequest.getClientRegistration().getRegistrationId();
Set<GrantedAuthority> grantedAuthorities = getAuthorities(mail);
oidcUser = new DefaultOidcUser(grantedAuthorities,
userRequest.getIdToken());
return oidcUser;
}
private Set<GrantedAuthority> getAuthorities(String email) {
List<RoleIdDetails>
roleIdDetails=usersRepository.getRoleIdDeatils(email);
final Set<GrantedAuthority> authorities =
roleIdDetails.stream().map(role -> new SimpleGrantedAuthority("ROLE_" +
role.getRoleName().toString().toUpperCase())).collect(Collectors.toSet());
return authorities;
}
}
I have updated With My Own Custom OidcUserService, But Still I'm not able to set the roles.
Per my understanding, you don't need to use Mysql database to store the user and their roles, we can implement this requirement just by Azure Active Directory.
First, we can create a group in Azure Active Directory by clicking "Groups" --> "New group" buttons on azure portal and select the members which you want to this group from the employee in you azure ad(shown as below screenshots):
Then go to your application in azure ad by clicking "App registrations" and click "Manifest" button.
You can also add more roles under the "appRoles" property in the screenshot above.
After that, in your application in azure ad, please click "Managed application in local directory".
Then click "Users and groups" --> "Add user".
Choose the group which we created just now and select a role for it.
Now you can do service level authorization for the user by the annotation you mentioned in your question(#PreAuthorize), you can also refer to this tutorial.
By the way, if we want to assign a role to a group in azure ad, we need to have Premium P1 or P2 plan for azure ad(Azure Active Directory pricing). If you don't have Premium plan, you can just assign a role to each user but not a group in the last screenshot.
How can I easily create spring user sessions based on information found in a mySQL database connected with JPA ?
As a simple example lets say I have 2 tables:
users
INT id
VARCHAR(30) username
VARCHAR(20) password
bookmark
INT id
VARCHAR(20) name
TEXT desctription
int user (FK)
Users will be able to view their bookmarks by requesting the following URL:
http://localhost:8080/bookmarks
In this manner I need separate user sessions (authentication not my main priority in this case) to be able to show bookmarks specific to the user.
Another way to go is by accessing bookmark information through:
http://localhost:8080/{userId}/bookmarks
In this case how can I prevent users from accessing another users' bookmark information ? (Such as preventing user id 1 from accessing user id 2s' bookmarks by using the url http://localhost:8080/2/bookmarks
If you would use Spring Security to secure your app, you can create custom UserDetailsService to read user data for each request from DB. Something like this:
#Component
public class CustomUserDetailsService implements UserDetailsService {
#Autowired
protected UserRepository userRepository;
#Override
public UserDetails loadUserByUsername(String email)
throws UsernameNotFoundException {
User user = userRepository.findByEmail(email);
if (user == null) {
throw new UsernameNotFoundException(String.format("User with email=%s was not found", email));
}
return user;
}
}
Of course assuming that you have JPA entity called User implementing UserDetails interface.
With this mechanism you can inject User instance into MVC controllers:
#GetMapping("/bookmarks")
public List<Bookmark> readBookmarks(Principal principal) {
User user = (User) principal;
// read bookmarks code
}
You can also read in anywhere in the app via:
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
User user = (User) principal;
REACTION ON COMMENT:
It is broad topic with a lot of decisions to make. e.g. you may consider using JWT, OAUTH2 or token based based authentication. If you are starting with Spring Security, I recommend to look at their Guides section. Especially Spting MVC guide is relevant for you.
I am trying to handle a situation when after an successful authentication with openId provider I discover that there is no account in my db associated with user openId identifier.
Can you tell me how should I handle the situation. Now, I am displaying register form and ask a user for creating an account. However, I have a problem with user authentication status, he is now being seen as authenticated by spring SecurityContext class.
How do I deauthenticate user in my controller action before redirecting to ''register new user page''? Is this approach a good one or should I do it in some other way?
Ok, so separating authentication from authorization as was mentioned in Samuel's post was really helpful. However there are still many gotchas and I found deauthentication still a must because there is no easy way in spring to add to user new roles. So the easiest way is to force user to login again and let spring handle role assignment during login.
In order to deauthenticate user in spring security you have to invoke:
SecurityContextHolder.clearContext();
as an alternative you can throw an exception in your UserDetailsService implementation (see below). It has the downside that you would deauthenticate user and lose user context data so it would be impossible to match new user accout with openid account during process of creating new local account. And you have to match those account after user login with traditional username and password. My solution was to deauthenticate user just after creating new account.
In order to grant user roles(privileges) you have to override UserDetailsService, in case someone find this useful here is my implementation:
public final class MyUserDetailsService implements UserDetailsService {
private final UsersDao usersDao;
#Autowired
public UserDetailsServiceImpl(final UsersDao usersDao) {
this.usersDao = usersDao;
}
#Override
public UserDetails loadUserByUsername(final String username) {
UserEntity user = usersDao.getUserByOpenIdIdentifier(username);
if (user == null) {
// there is no such user in our db, we could here throw
// an Exception instead then the user would also be deuthenticated
return new User(username, "", new ArrayList<GrantedAuthority>());
}
//here we are granting to users roles based on values from db
final Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(new SimpleGrantedAuthority(user.getUserType().toString()));
final UserDetails result = new User(username, "", authorities);
return result;
}
}
I think that you might be mixing two concepts: authentication and authorization. Authentication is knowing who the user is, authorization is the right to use access a resource of a feature.
In spring security, this two concepts are implemented by the authentication-manager and the access-decision-manager.
The fact that a user does not exist in your database is not a reason to deny him is identity: no deauthentication! But beeing authenticated can be a criterion in the access decision management. Example: the AuthenticatedVoter.
You should not touch at the authentication, but customize the access-decision-manager to apply the following rules:
A user who exists in your database has access to everything except account creation feature
A user who doesn't exist in your database has access only to the account creation feature.
This is all about access management, not authentication.
Read more at http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html#ns-access-manager
PS: The documentation is not exhaustive in spring security, but the source code is very readable. My advice is to check it out and look at the implementation of the elements you need to customize.
I have an application which uses spring-security. In my signup process, a new user entity gets persisted with the HASHED password, an email containing an activation token is the sent to the user. Clicking on this token directs the user to a UserActivationServlet which looks up the user by the token, activates the user and redirects them to the application. I would like to automatically log the user into the application and have included this method in my servlet to do this
private void authenticateUserAndSetSession(HttpServletRequest request, User u) {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
u.getUsername(), u.getPassword()); //PROBLEM: THIS PASSWORD IS HASHED
// generate session if one doesn't exist
request.getSession();
token.setDetails(new WebAuthenticationDetails(request));
Authentication authenticatedUser = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
SecurityContextHolder.getContext());
}
The problem here is that that the password field on the User entity has been hashed when it was created. So the only other option I can think of is to pass the unhashed password as a request parameter to the servelet (nasty!)
Have I missed something, is there another way of pre-authenticating the user?
Thanks
The user has clicked on the activation link and we have looked him up so clearly we have a valid user, so there is no need to re-authenticate him with the authenticationManager and so no need to use credentials when creating the Token, just create it as follows:
PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken( p, null, p.getAuthorities());
If I understand you correctly SOA can help you.
You don't need to make a redirect to the login page, but rather call the service that logs the user in. Any login related logic residing in a controller (or somewhere above the service layer) should be moved 'down' and used by your servlet.
The service could look something like:
public interface LoginService {
// this will be called from the login page
public void login(String username, String hashedPass);
// this will only be visible to other services
// you can secure it with AOP and Spring security's method security
public void login(String username);
}
Then you can call loginService.login(username); from your servlet.
Or in your exact case pass your token without a password:
loginService.login(new UsernamePasswordAuthenticationToken(u.getUsername(), ""));