I have a basic SpringBoot app. using Spring Initializer, JPA, embedded Tomcat, Thymeleaf template engine, and package as an executable JAR file.
I have this config file defined.
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
#Autowired
private JwtTokenUtil jwtTokenUtil;
#Autowired
private JwtUserDetailsService jwtUserDetailsService;
#Value("${jwt.header}")
private String tokenHeader;
#Value("${jwt.route.authentication.path}")
private String authenticationPath;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(jwtUserDetailsService)
.passwordEncoder(passwordEncoderBean());
}
#Bean
public PasswordEncoder passwordEncoderBean() {
return new BCryptPasswordEncoder();
}
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
// we don't need CSRF because our token is invulnerable
.csrf().disable()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
// don't create session
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
// Un-secure H2 Database
.antMatchers("/h2-console/**/**").permitAll()
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated();
// Custom JWT based security filter
JwtAuthorizationTokenFilter authenticationTokenFilter
= new JwtAuthorizationTokenFilter(userDetailsService(), jwtTokenUtil, tokenHeader);
httpSecurity
.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
// disable page caching
httpSecurity
.headers()
.frameOptions().sameOrigin() // required to set for H2 else H2 Console will be blank.
.cacheControl();
}
#Override
public void configure(WebSecurity web) throws Exception {
// AuthenticationTokenFilter will ignore the below paths
web
.ignoring()
.antMatchers(
HttpMethod.POST,
authenticationPath
)
// allow anonymous resource requests
.and()
.ignoring()
.antMatchers(
HttpMethod.GET,
"/",
"/*.html",
"/favicon.ico",
"/**/*.html",
"/**/*.css",
"/**/*.js"
)
// Un-secure H2 Database (for testing purposes, H2 console shouldn't be unprotected in production)
.and()
.ignoring()
.antMatchers("/h2-console/**/**");
}
}
But when I start the app. using Eclipse IDE I got this error in the console:
***************************
APPLICATION FAILED TO START
***************************
Description:
Field passwordEncoder in com.bonanza.backend.service.UserService required a bean of type 'org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder' that could not be found.
Action:
Consider defining a bean of type 'org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder' in your configuration.
Even the bean is clearly defined in the config file..
I also tried using this other definiton with the same resut
#Bean
public PasswordEncoder passwordEncoderBean() {
String idForEncode = "bcrypt";
// This is the ID we use for encoding.
String currentId = "pbkdf2.2018";
// List of all encoders we support. Old ones still need to be here for rolling updates
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put("bcrypt", new BCryptPasswordEncoder());
//encoders.put(currentId, new Pbkdf2PasswordEncoder(PBKDF2_2018_SECRET, PBKDF2_2018_ITERATIONS, PBKDF2_2018_HASH_WIDTH));
encoders.put(currentId, new Pbkdf2PasswordEncoder());
//return new DelegatingPasswordEncoder(idForEncode, encoders);
return new DelegatingPasswordEncoder(idForEncode, encoders);
}
Try Autowiring PassswordEncoder in your com.bonanza.backend.service.UserService
may be solves the issue.
#Autowired
private PasswordEncoder bCryptPasswordEncoder;
Edited
In your config file First add
#Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(jwtuserDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoderBean());
return authenticationProvider;
}
and then replace auth.passwordencode(passwordencodebean()) to auth.authenticationProvider(authenticationProvider());in configureGlobal() method
Try it..this will work sure.
Related
I created a password encoder bean and I am just calling passwordEncoder.encode() method in UserService -> createUser() method. But how spring is understanding that "I have to use password encoder when login request came". I am not passing passwordEncoder as an argument anywhere.
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
#RequiredArgsConstructor
public class SecurityConfig {
private final JwtFilter jwtFilter;
private final JwtAuthenticationEntryPoint authenticationEntryPoint;
private final JWTAccessDeniedHandler accessDeniedHandler;
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
#Bean
public AuthenticationManager authenticationManager(final AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.headers().frameOptions().disable().and()
.csrf().disable()
.cors().and()
.authorizeRequests(auth -> {
auth.antMatchers("/api/admin").hasAuthority("ADMIN");
auth.antMatchers("/api/user").hasAnyAuthority("ADMIN", "USER");
auth.anyRequest().authenticated();
})
.formLogin().disable()
.httpBasic().disable()
.exceptionHandling().accessDeniedHandler(accessDeniedHandler)
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
.build();
}
#Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/api/public", "/h2-console/**", "/api/auth/login");
}
#Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurer() {
#Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedMethods("*");
}
};
}
}
The default password encoder in Spring delegates to any defined beans of type org.springframework.security.crypto.password.PasswordEncoder. So Spring is simply delegating to the bean that you provided.
If you see the code here
https://github.com/spring-projects/spring-security/blob/main/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java#L332
You would see that Spring actually injects the bean PasswordEncoder from the current applicationContext
So as you see creating this bean is what the Spring security calls when encoding the password coming into the AuthenticationManager
I am currently working on a Spring project, where I got the Security already implemented.(University) But I occurred the following problem: If I want to register a new user to the system, I logically do not have a JWT to authenticate the new user. I just get Invalid authorization header or token back from Spring, if I try to register a new user. So, I think the Security is not right configured:
#EnableWebSecurity
#EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final UserService userService;
private final PasswordEncoder passwordEncoder;
private final RequestMatcher whiteListedRequests;
private final SecurityProperties securityProperties;
private final JwtTokenizer jwtTokenizer;
#Autowired
public SecurityConfig(UserService userService,
PasswordEncoder passwordEncoder,
SecurityProperties securityProperties, JwtTokenizer jwtTokenizer) {
this.userService = userService;
this.securityProperties = securityProperties;
this.passwordEncoder = passwordEncoder;
this.jwtTokenizer = jwtTokenizer;
this.whiteListedRequests = new OrRequestMatcher(securityProperties.getWhiteList().stream()
.map(AntPathRequestMatcher::new)
.collect(Collectors.toList()));
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and()
.csrf()
.disable();
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/v1/users/sign-up")
.permitAll();
http.authorizeRequests().anyRequest()
.authenticated();
http.addFilter(new JwtAuthenticationFilter(authenticationManager(), securityProperties, jwtTokenizer));
http.addFilter(new JwtAuthorizationFilter(authenticationManager(), securityProperties));
}
#Override
public void configure(WebSecurity web) {
web.ignoring().requestMatchers(whiteListedRequests);
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
}
#Bean
public CorsConfigurationSource corsConfigurationSource() {
final List<String> permitAll = Collections.unmodifiableList(Collections.singletonList("*"));
final List<String> permitMethods = List.of(HttpMethod.GET.name(), HttpMethod.POST.name(), HttpMethod.PUT.name(),
HttpMethod.PATCH.name(), HttpMethod.DELETE.name(), HttpMethod.OPTIONS.name(), HttpMethod.HEAD.name(),
HttpMethod.TRACE.name());
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedHeaders(permitAll);
configuration.setAllowedOrigins(permitAll);
configuration.setAllowedMethods(permitMethods);
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
Does anyone has a tip, how I can change the securityconfig, that a user can register himself against my Endpoint? (/api/v1/users/sign-up) I am kind of lost at this, and trying for several hours to manage the wanted behavior!
Thanks in Advance!
EDIT:
I just figured that my application.yml holds a whitelist:
security:
auth:
header: Authorization
prefix: "Bearer "
login-uri: /api/v1/authentication
white-list:
# Browser requests
- /
- /favicon.ico
- /csrf
- /v2/api-docs
- /swagger-resources/**
- /webjars/**
- /swagger-ui.html
# H2
- /h2-console/**
# Registration
- /api/v1/registrations/
If I add the URI here, it works properly. But is there a solution to just add it via Code?
the registration uri must not request a token, it must be allowed access from the outside.
it must be enabled at the antMatcher
Here is an exemple
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable();
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/regitration/**")
.permitAll();
http.authorizeRequests().anyRequest()
.authenticated();
http.addFilter(new JWTAuthenticationFilter(authenticationManager(),userRepository,iLdapService,cryptoHelper));
http.addFilterBefore(new JWTAutorizationFilter(),UsernamePasswordAuthenticationFilter.class);
}
Please I need help on a project I'm working on. It's a Spring Boot project and I've implemented Spring Boot Security OAuth2 and everything works just fine when the OAuth2 is mounting on the root (http://localhost:8080/oauth/token) but I need everything to be accessed via (http://localhost:8080/cranoo/api/v1/oauth/token) so I read online that I have to alter the mappings of the AuthorizationServerEndpointsConfigurer bean which I did. After I did that, the OAuth2 worked fine but other endpoints like the user accounts endpoints do not work. So I found a way to configure all endpoints using a ServletRegistrationBean and those endpoints work but the OAuth2 token endpoints stop to work and return 401. I expected that when the ServletRegistrationBean is configured with mapping everything coming from the app should be mounted on those mappings but it is not so.
Below is my code for the Dispatcher servlet.
#Bean
public ServletRegistrationBean dispatcherServletRegistration() {
Collection<String> mappings = new ArrayList<String>();
mappings.add("/cranoo/api/v1/*");
ServletRegistrationBean registration = new ServletRegistrationBean(dispatcherServlet());
registration.setName(DispatcherServletAutoConfiguration.DEFAULT_DISPATCHER_SERVLET_REGISTRATION_BEAN_NAME);
registration.setUrlMappings(mappings);
return registration;
}
This is expected to make all endpoints accessed via http://localhost:8080/cranoo/api/v1 but when I use postman to access http://localhost:8080/cranoo/api/v1/oauth/token it returns 401 Unauthorized "Full authentication is required to access this resource"
But when I visit http://localhost:8080/cranoo/api/v1/cities it works and I get a list of all cities.
Below is my WebSecurityConfigurerAdapter bean.
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
static final String SIGNING_KEY = "anietie100THjjj";
static final Integer ENCODING_STRENGTH = 256;
static final String SECURITY_REALM = "Sprinb Boot JWT Example Realm";
#Autowired
private UserDetailsService userDetailsService;
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
#Bean
#Override
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService)
.passwordEncoder(new ShaPasswordEncoder(ENCODING_STRENGTH));
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS).permitAll()
.antMatchers("/metrics/**", "/actuator/**", "/api-docs/**", "/login", "/register", "/oauth/token").permitAll()
.and()
.httpBasic()
.realmName(SECURITY_REALM)
.and()
.csrf()
.disable();
}
#Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey(SIGNING_KEY);
return converter;
}
#Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
#Bean
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
}
Below is my AuthorizationServerEndpointsConfigurer code.
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
TokenEnhancerChain enhancerChain = new TokenEnhancerChain();
String context = "/cranoo/api/v1";
enhancerChain.setTokenEnhancers(Arrays.asList(accessTokenConverter));
endpoints.pathMapping("/oauth/token", context + "/oauth/token");
endpoints.pathMapping("/oauth/authorize", context + "/oauth/authorize");
endpoints.pathMapping("/oauth/confirm_access", context + "/oauth/confirm_access");
endpoints.pathMapping("/oauth/check_token", context + "/oauth/check_token");
endpoints.pathMapping("/oauth/token_key", context + "/oauth/token_key");
endpoints.pathMapping("/oauth/error", context + "/oauth/error");
endpoints.tokenStore(tokenStore)
.accessTokenConverter(accessTokenConverter)
.tokenEnhancer(enhancerChain)
.authenticationManager(authenticationManager);
}
My thinking is that since I've configured the mapping for the entire application at the DispatcherServlet I shouldn't have to put these endpoints mapping again on the AuthorizationServerEndpointsConfigurer, and yet even if I remove all the mappings above it still doesn't work. It still returns 401. Please I need help as I've spent about four days on this and no progress.
All I want is to be able to access the token endpoint at (http://localhost:8080/cranoo/api/v1/oauth/token and other endpoints at (http://localhost:8080/cranoo/api/v1/{endpoint}
I want to use OAuth2 for my REST spring boot project. Using some examples I have created configuration for OAuth2:
#Configuration
public class OAuth2Configuration {
private static final String RESOURCE_ID = "restservice";
#Configuration
#EnableResourceServer
protected static class ResourceServerConfiguration extends
ResourceServerConfigurerAdapter {
#Override
public void configure(ResourceServerSecurityConfigurer resources) {
// #formatter:off
resources
.resourceId(RESOURCE_ID);
// #formatter:on
}
#Override
public void configure(HttpSecurity http) throws Exception {
// #formatter:off
http
.anonymous().disable()
.authorizeRequests().anyRequest().authenticated();
// #formatter:on
}
}
#Configuration
#EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends
AuthorizationServerConfigurerAdapter {
private TokenStore tokenStore = new InMemoryTokenStore();
#Autowired
#Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
#Autowired
private UserDetailsServiceImpl userDetailsService;
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
// #formatter:off
endpoints
.tokenStore(this.tokenStore)
.authenticationManager(this.authenticationManager)
.userDetailsService(userDetailsService);
// #formatter:on
}
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// #formatter:off
clients
.inMemory()
.withClient("clientapp")
.authorizedGrantTypes("password", "refresh_token", "trust")
.authorities("USER")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.secret("clientsecret")
.accessTokenValiditySeconds(1200)
.refreshTokenValiditySeconds(3600);
// #formatter:on
}
#Bean
#Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setSupportRefreshToken(true);
tokenServices.setTokenStore(this.tokenStore);
return tokenServices;
}
}
}
This is my SecurityConfiguration class:
#Configuration
#EnableWebSecurity
#Order(1)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Autowired
private UserDetailsService userDetailsService;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http
.authorizeRequests().antMatchers("/api/register").permitAll()
.and()
.authorizeRequests().antMatchers("/api/free").permitAll()
.and()
.authorizeRequests().antMatchers("/oauth/token").permitAll()
.and()
.authorizeRequests().antMatchers("/api/secured").hasRole("USER")
.and()
.authorizeRequests().anyRequest().authenticated();
}
#Override
#Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
I tried to check my application with 2 simple requests:
#RequestMapping(value = "/api/secured", method = RequestMethod.GET)
public String checkSecured(){
return "Authorization is ok";
}
#RequestMapping(value = "/api/free", method = RequestMethod.GET)
public String checkFree(){
return "Free from authorization";
}
Firstly I checked two requests:
/api/free returned code 200 and the string "Free from authorization"
/api/secured returned {"timestamp":1487451065106,"status":403,"error":"Forbidden","message":"Access Denied","path":"/api/secured"}
And it seems that they work fine.
Then I got access_token (using credentials from my users database)
/oauth/token?grant_type=password&username=emaila&password=emailo
Response:
{"access_token":"3344669f-c66c-4161-9516-d7e2f31a32e8","token_type":"bearer","refresh_token":"c71c17e4-45ba-458c-9d98-574de33d1859","expires_in":1199,"scope":"read write"}
Then I tried to send a request (with the token I got) for resource which requires authentication:
/api/secured?access_token=3344669f-c66c-4161-9516-d7e2f31a32e8
Here is response:
{"timestamp":1487451630224,"status":403,"error":"Forbidden","message":"Access Denied","path":"/api/secured"}
I cannot understand why access is denied. I am not sure in configurations and it seems that they are incorrect. Also I still do not clearly understand relationships of methods configure(HttpSecurity http) in class which extends WebSecurityConfigurerAdapter and in another which extends ResourceServerConfigurerAdapter.
Thank you for any help!
If you are using spring boot 1.5.1 or recently updated to it, note that they changed the filter order for spring security oauth2 (Spring Boot 1.5 Release Notes).
According to the release notes, try to add the following property to application.properties/yml, after doing that the resource server filters will be used after your other filters as a fallback - this should cause the authorization to be accepted before falling to the resource server:
security.oauth2.resource.filter-order = 3
You can find a good answer for your other questions here: https://stackoverflow.com/questions/28537181
I'm trying to setup CAS authentication using Spring Security for my web application. I've followed the documentation and managed to convert the XML configuration examples to Java config. However, I'm not sure I did everything correctly and given the sensitiveness of security, I'd like someone to confirm that there are no mistakes.
For example, how can I be sure there are not default configurations anymore (like liberal permissions on URLs, different authentication managers and/or providers, etc...)?
Is the way I retrieved the current AuthenticationManager correct?
Is configuring the EntryPoint like I did the correct way?
I find understanding how to use WebSecurityConfigurerAdapter rather confusing...
This is my #Cofiguration class:
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Bean(name="authenticationManager")
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
// TODO Auto-generated method stub
return super.authenticationManagerBean();
}
#Bean
public ServiceProperties serviceProperties() {
final ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService("http://localhost:8088/webapp/login/cas");
return serviceProperties;
}
#Bean
public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService() {
return new MyCasAssertionUserDetailsService();
}
#Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
super.configure(auth);
final CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
casAuthenticationProvider.setTicketValidator(new Cas20ProxyTicketValidator("https://my.cas.server.com/cas"));
casAuthenticationProvider.setKey("MY-KEY");
auth.authenticationProvider(casAuthenticationProvider);
}
#Bean
public CasAuthenticationEntryPoint casEntryPoint() {
final CasAuthenticationEntryPoint casEntryPoint = new CasAuthenticationEntryPoint();
casEntryPoint.setServiceProperties(serviceProperties());
casEntryPoint.setLoginUrl("https://my.cas.server.com/cas/activateAndLogin");
return casEntryPoint;
}
// filter to invoke the CAS server when the user click on "Logout from CAS" in the local logout success page
#Bean
public LogoutFilter requestSSOLogoutToCASServerLogoutFilter() {
final LogoutFilter logoutFilter = new LogoutFilter("https://my.cas.server.com/cas/logout", new SecurityContextLogoutHandler());
logoutFilter.setFilterProcessesUrl("/logout/cas");
return logoutFilter;
}
// filter that receives the request to logout from the CAS server
#Bean
public SingleSignOutFilter singleSignOutFilter() {
return new org.jasig.cas.client.session.SingleSignOutFilter();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
final CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
http
.exceptionHandling().authenticationEntryPoint(casEntryPoint())
.and()
.logout()
.logoutSuccessUrl("/cas-logout") // which page to redirect the User after the local log-out succeeded
.permitAll() // all users can logout
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilter(casAuthenticationFilter)
.addFilterBefore(requestSSOLogoutToCASServerLogoutFilter(), LogoutFilter.class)
.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
;
}
}