I'm using JWT (Json Web Token) to secure my Spring boot application.
There's a class which doesn't accept any bean.
First, I thought maybe the bean I want to inject is not defined. So I decided to print the list of beans names using spring ApplicationContext. But I found out that even ApplicationContext can not be injected into this class:
Any idea why this happens ?
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {
#Autowired
private TokenAuthenticationService tokenAuthenticationService;
#Autowired
private ApplicationContext applicationContext;
public JWTLoginFilter(String url, AuthenticationManager authManager) {
super(new AntPathRequestMatcher(url));
setAuthenticationManager(authManager);
}
#Override
public Authentication attemptAuthentication(HttpServletRequest req,
HttpServletResponse res) throws AuthenticationException,
IOException, ServletException {
CustomUserDetails creds = new ObjectMapper().readValue(
req.getInputStream(), CustomUserDetails.class);
return getAuthenticationManager().authenticate(
new UsernamePasswordAuthenticationToken(creds.getUsername(),
creds.getPassword()));
}
#Override
protected void successfulAuthentication(HttpServletRequest req,
HttpServletResponse res, FilterChain chain, Authentication auth) {
java.util.List s = Arrays.asList(applicationContext.getBeanDefinitionNames());
System.out.println(s);
tokenAuthenticationService.addAuthentication(res, auth.getName());
}
}
The JWTLoginFilter has to be a bean as well to allow Spring to inject other beans into. Currently, Spring doesn't have any control over this. Marking the class with the #Component / #Service / #Repository annotations (depends on what role your filter plays, I assume the #Component is a good choice) is going to resolve the issue.
EDIT 1:
JWTLoginFilter required a bean of type java.lang.String that could not be found. Can a component have a constructor?
The problem: Spring tried to use a two-argument constructor to create a bean and was expected that these two arguments are its beans. But it's not true because there is no bean with the String class.
The solution: You should define a non-argument constructor to allow Spring to make an untuned instance without issues. Then create setters to provide methods which Spring will use to inject needed dependencies.
EDIT 2:
The workaround is to define a String bean (in a #Configuration class) which will be injected into the JWTLoginFilter constructor, but I'm not sure that your filter needs to have some external dependencies.
#Bean
public String getStringPatternBean() {
return "pattern";
}
Well, I finally decided to change how these classes are designed. I made methods inside TokenAuthenticationService static.
Related
I already try to search through stackoverflow, and I don't think I find the solution I want...
Also I try to use answer https://stackoverflow.com/questions/45970442/spring-boot-value-returning-null and still doesn't work...
Here is my controller class
package com.vincent.springoauth.controller;
import com.vincent.springoauth.model.GiftCardRequest;
import com.vincent.springoauth.model.GiftCardResponse;
import com.vincent.springoauth.service.InCommGiftCardServiceImpl;
import org.springframework.web.bind.annotation.*;
#RestController
#RequestMapping("/api/gift-card")
public class GiftCardController{
#PostMapping("/activate")
public #ResponseBody
GiftCardResponse activate(GiftCardRequest request) {
GiftCardServiceImpl giftCardService = new GiftCardServiceImpl("");
return giftCardService.activate(request);
}
}
And here is my service class
package com.vincent.springoauth.service;
import com.vincent.springoauth.model.GiftCardRequest;
import com.vincent.springoauth.model.GiftCardResponse;
import lombok.extern.log4j.Log4j2;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
#Service
#Log4j2
public class GiftCardServiceImpl {
private final String baseEndpoint;
public GiftCardServiceImpl( #Value("${webserviceurl}")String baseEndpoint){
this.baseEndpoint = baseEndpoint;
}
public String accessToken() {
log.info("Access oauth token url address: " + baseEndpoint);
// will be use that base endpoint to manipulate stuff later
return "abcdefg";
}
public GiftCardResponse activate(GiftCardRequest request) {
log.info("Calling token ...");
accessToken();
log.info("Incomm Pre Auth Service");
// Generate preAuth request;
//RetailTransactionGenericRequestWrapper retailTransactionGenericRequest = buildRequest(request);
//log.info("RetailTransactionGenericRequest: " + retailTransactionGenericRequest);
GiftCardResponse response = GiftCardResponse.builder().responseCode("0").responseMessage("Success").build();
return response;
}
}
And in my application.properties I have following line webserviceurl=https://localhost/giftcard
The issue that in my service class the webserviceurl return null. How can I fix this?
In your controller you are creating your own instance of the service and so Spring is unaware of it and cannot inject the value. Your service class is annotated as a Service so Spring will create an instance, which will have the value injected but that is not the instance that your controller is using.
Instead you should declare that service as an instance variable in your controller and use either Autowire annotation on that instance variable or use constructor autowiring to ensure that the bean created by Spring is the one that is used by your controller.
#RestController
#RequestMapping("/api/gift-card")
public class GiftCardController{
private GiftCardServiceImpl giftCardService;
#Autowired
public GiftCardController(GiftCardServiceImpl giftCardService) {
this.giftCardService = giftCardService;
}
#Value annotation uses for injecting values into fields in Spring-managed beans. In your example, you create GiftCardServiceImpl on your own and Spring cannot control the creation and inject the webserviceurl value from application.properties. You can change GiftCardController to allow Spring to do this.
package com.vincent.springoauth.controller;
import com.vincent.springoauth.model.GiftCardRequest;
import com.vincent.springoauth.model.GiftCardResponse;
import com.vincent.springoauth.service.InCommGiftCardServiceImpl;
import org.springframework.web.bind.annotation.*;
#RestController
#RequestMapping("/api/gift-card")
public class GiftCardController{
private final GiftCardServiceImpl giftCardService;
public GiftCardController(GiftCardServiceImpl giftCardService) {
this.giftCardService = giftCardService;
}
#PostMapping("/activate")
public #ResponseBody
GiftCardResponse activate(GiftCardRequest request) {
return giftCardService.activate(request);
}
}
Try to inject GiftCardServiceImpl via Spring DI like in the example below
package com.vincent.springoauth.controller;
import com.vincent.springoauth.model.GiftCardRequest;
import com.vincent.springoauth.model.GiftCardResponse;
import com.vincent.springoauth.service.InCommGiftCardServiceImpl;
import org.springframework.web.bind.annotation.*;
#RestController
#RequestMapping("/api/gift-card")
public class GiftCardController{
#Autowired
private GiftCardServiceImpl giftCardService;
#PostMapping("/activate")
public #ResponseBody
GiftCardResponse activate(GiftCardRequest request) {
return giftCardService.activate(request);
}
}
The #Value annotation only works for Spring Beans, when you create the class via simple new keyword. Spring doesn't catch that should inject property in the constructor.
i'm trying to inject services in Web service Class like this
package com.mobinets.web.nep.backend.soapControllers;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.web.context.support.SpringBeanAutowiringSupport;
import com.mobinets.web.nep.backend.data.entity.Router;
import com.mobinets.web.nep.backend.data.entity.Version;
import com.mobinets.web.nep.backend.services.RouterService;
import com.mobinets.web.nep.backend.services.VersionService;
#Service
#WebService
public class RouterSoapService extends SpringBeanAutowiringSupport{
#Autowired
private RouterService routerService;
#Autowired
private VersionService versionService;
#WebMethod
public String getRouter(#WebParam int objectId, #WebParam String versionName) {
Version version = versionService.findByName(versionName);
Router router = routerService.findByObjectIdAndVersion(objectId, version.getId());
return router.getName();
}
}
I extended the class from SpringBeanAutowiringSupport and add #Service annotation,
it keeps giving me null on versionService and routerService,
am I missing something ?
Only reason I can think of would be if either of the services
are missing one of the #Component stereotypes (you say they both have #Service
so this should be fine) or
if they rely on any other components which aren't autowired for example if
either has a repository which has been instantiated with the new keyword
they would be excluded from autowiring
I'd like to be able to instantiate a request-scoped bean which is also immutable by using constructor parameters.
Something like the following (which of course doesn't work):
RequestContextFactory.java
package org.springframework.samples.mvc.requestscope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.context.annotation.RequestScope;
#Configuration
public class RequestContextFactory {
#Bean
#RequestScope
public RequestContext getRequestContext(TestBean bean) {
return new RequestContext(bean);
}
}
MyController.java
package org.springframework.samples.mvc.requestscope;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
#Controller
public class MyController {
#Autowired
RequestContextFactory requestContextFactory;
#RequestMapping("/my")
public #ResponseBody String simple(TestBean bean) {
RequestContext requestContext = requestContextFactory.getRequestContext(bean);
return "Hello world!";
}
}
Spring complains that it cannot autowire a TestBean bean to create RequestContext.
How can I achieve immutability of a request-scoped bean which needs constructor parameters only known in the controller?
I'd like to be able to inject RequestContext into other beans (either request scope or other scopes). Is this an antipattern? Should something like RequestContext (or any other object with request lifecycle) be in the signature of all call hierarchy under the controller?
Note:
I thought of as a solution like for example having a RequestContext with default constructor and an init(...) method which can be called only once (would throw the second time). I don't like it.
I'm struggling with testing access control on URLs protected by Spring Security.
The configuration looks like this:
http
.authorizeRequests()
.antMatchers("/api/user/**", "/user").authenticated()
.antMatchers("/api/admin/**", "/templates/admin/**", "/admin/**").hasAuthority("ADMIN")
.anyRequest().permitAll();
And the test class looks like this:
package com.kubukoz.myapp;
import com.kubukoz.myapp.config.WebSecurityConfig;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.transaction.TransactionConfiguration;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import javax.transaction.Transactional;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
#RunWith(SpringJUnit4ClassRunner.class)
#SpringApplicationConfiguration(classes = {MyApplication.class, WebSecurityConfig.class})
#WebAppConfiguration
#TransactionConfiguration(defaultRollback = true)
#Transactional(rollbackOn = Exception.class)
public class MyApplicationTests {
#Autowired
private WebApplicationContext context;
private MockMvc mockMvc;
#Autowired
private FilterChainProxy filterChainProxy;
#Before
public void setUp() {
mockMvc = MockMvcBuilders.webAppContextSetup(context)
.dispatchOptions(true)
.addFilters(filterChainProxy)
.build();
}
#Test
public void testAnonymous() throws Exception {
mockMvc.perform(get("/api/user/account")).andExpect(status().is3xxRedirection());
}
#Test
public void testUserAccessForAccount() throws Exception{
mockMvc.perform(get("/api/user/account")).andExpect(status().isOk());
}
}
What's the easiest way to make the last two tests pass?
#WithMockUser didn't work.
You should not add the FilterChainProxy directly. Instead, you should apply SecurityMockMvcConfigurers.springSecurity() as indicated by the reference. An example is included below:
mockMvc = MockMvcBuilders
.webAppContextSetup(context)
.apply(springSecurity())
.build();
The result of this is:
the FilterChainProxy is added as a Filter to MockMvc (as you did)
the TestSecurityContextHolderPostProcessor is added
Why is TestSecurityContextHolderPostProcessor necessary? The reason is that we need to communicate the current user from the test method to the MockHttpServletRequest that is created. This is necessary because Spring Security's SecurityContextRepositoryFilter will override any value on SecurityContextHolder to be the value found by the current SecurityContextRepository (i.e. the SecurityContext in HttpSession).
Update
Remember anything that contains role in the method name automatically prefixes "ROLE_" to the string that was passed in.
Based on your comment, the problem is you need to either update your configuration to use hasRole instead of hasAuthority (since your annotation is using roles):
.authorizeRequests()
.antMatchers("/api/user/**", "/user").authenticated()
.antMatchers("/api/admin/**", "/templates/admin/**", "/admin/**").hasRole("ADMIN")
.anyRequest().permitAll();
Alternatively
You in Spring Security 4.0.2+ you can use:
#WithMockUser(authorities="ADMIN")
Okay, figured it out.
mockMvc.perform(get("/api/user/account")
.with(user("user")))
.andExpect(status().isOk());
It works now.
I've got a session scoped CDI bean, and I need to somehow access the HttpServletRequest object in this bean's #PostConstruct method. Is it possible? I've tried to Inject such an object, but it results in:
WELD-001408 Unsatisfied dependencies for type [HttpServletRequest] with qualifiers [#Default] at injection point [[field] #Inject ...]
As I understood while googling, the Seam framework has such a functionality, but I have a standard Java EE application on a GlassFish server.
Is it even possible to somehow pass the request to a CDI bean's #PostConstruct method?
As per your comment, you want access to the user principal. You can just inject it like this: #Inject Principal principal; or #Resource Principal principal;, see Java EE 6 Tutorial.
Update
I'll answer your direct question. In Java EE 7 (CDI 1.1) injection of HttpServletRequest is supported out of the box. In Java EE 6 (CDI 1.0) however, this is not supported out of the box. To get it working, include the class below into your web-app:
import javax.enterprise.inject.Produces;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.annotation.WebListener;
#WebListener
public class CDIServletRequestProducingListener implements ServletRequestListener {
private static ThreadLocal<ServletRequest> SERVLET_REQUESTS = new ThreadLocal<>();
#Override
public void requestInitialized(ServletRequestEvent sre) {
SERVLET_REQUESTS.set(sre.getServletRequest());
}
#Override
public void requestDestroyed(ServletRequestEvent sre) {
SERVLET_REQUESTS.remove();
}
#Produces
private ServletRequest obtain() {
return SERVLET_REQUESTS.get();
}
}
Note: Tested only on GlassFish 3.1.2.2
When using the code from rdcrng be aware of the following:
* The producer-method obtain is dependent-scoped, thus is only called once for application scoped beans (and will resolve to problems for every other request except the first)
* You can solve this with #RequestScoped
* When RequestScoped annotated, you will only get a proxy, and thus you cannot cas it to HttpServletRequest. So you maybe want a producer for HttpServletRequest.
Also note: As per CDI specification link passage 3.6, java ee beans are NOT consideres managed beans. Thus you will end up with two instances of CDIServletRequestProducingListener - one managed by the Java EE container, one managed by the CDI-container. It only works because SERVLET_REQUESTS is static.
Following the modified code for your convenience.
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Produces;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
#WebListener
public class CDIServletRequestProducingListener implements ServletRequestListener {
private static ThreadLocal<ServletRequest> SERVLET_REQUESTS = new ThreadLocal<ServletRequest>();
#Override
public void requestInitialized(ServletRequestEvent sre) {
SERVLET_REQUESTS.set(sre.getServletRequest());
}
#Override
public void requestDestroyed(ServletRequestEvent sre) {
SERVLET_REQUESTS.remove();
}
#RequestScoped
#Produces
private HttpServletRequest obtainHttp() {
ServletRequest servletRequest = SERVLET_REQUESTS.get();
if (servletRequest instanceof HttpServletRequest) {
return (HttpServletRequest) servletRequest;
} else {
throw new RuntimeException("There is no HttpServletRequest avaible for injection");
}
}
}