I'd like to secure a simple rest web service developed using Jersey using Spring OAuth v1.0a, and I have a questions about it. First, a brief doubt: I've found some examples involving Spring-MVC, is it mandatory to include it? As I'm trying to make my application as light as possibile, it would be nice if I could leave Spring-MVC out.
Apart from that, my biggest issue is about token handling, and particularly about dealing with the steps that lead a user to access an OAuth protected area. From what I got to understand, trying to access a protected area automatically triggers the token generation process, starting from the creation of the unauthorized request token. Unfortunately, this workflow doesn't fit my needs as the scenario I have to deal with involves a user which is already in possess of an authorized access token, and only needs to provide it in order to be granted access to a protected resource. Would it be possibile to override the token generation mechanism with a token retrieval (from a POST/GET for instance) and verification process?
Thank you very much for your effort.
EDIT: (trying to explain things more clearly)
Assume this is the part in my XML where I describe my resource:
<oauth:resource id="OAuthExperimentsRestrictedArea"
key="thisIsExactlyTheConsumerKey"
secret="...andThisIsExactlyTheSecret"
request-token-url="http://localhost:8080/OauthExperiments/oauth/request_token"
user-authorization-url="http://localhost:8080/OauthExperiments/oauth/confirm_access"
access-token-url="http://localhost:8080/OauthExperiments/oauth/access_token" />
What I can't really get to understand is how or where should I pass an already valid access token in case I had it. By trying to directly access the resource via a simple direct link not providing any token, my application would begin the token creation process redirecting me first to request-token-url, next to user-authorization-url and finally to access-token-url. What I need to achieve is the possibility to skip this when I already have a valid token, but what I'm missing is how to do that, where to pass the token (is there a default bean for that? should I pass it as a parameter with a particular name?).
My goal is to have the possibility to delegate even external services for token verification, so what I'm ultimately trying to find is some kind of hook for such procedure. I hope I've explained the whole scenario clearly enough.
That's 2 questions?
Spring MVC is not needed for securing a resource (it's all Spring Security via Servlet Filters).
The second question is about what to do if you have a valid access token and as a consumer you want to send valid requests and access protected resources. A new token would not need to be generated if the request is already authorized.
The answer to the second question is that you need to populate the OAuthSecurityContext (via a thread local managed by OAuthSecurityContextHolder). Obviously you need to be careful to clear it when you are finished. Normally this context is populated by a filter (OAuthConsumerContextFilter) so you can see how that manages the context and copy it. I can't say I like this model much, but that's the way it was implemented (the OAuth2 implementation changed quite a while ago, before 1.0).
Related
I'm working on a web application using React on the frontend and Java on the backend. From the frontend, I call different resources from the backend, where I have various classes providing #GET methods.
For every method, I'm always using the same check to determine if the user is authorized based on their session ID. That's a very repetitive way to accomplish this. This is especially true when creating a new #GET method, as I have to always remember to add this isUserAuthorized check.
My first thought was using an abstract class for the resources to centralize some of the code, but here I'd still have to add the check to each method.
Is there a way I can implement the authorization check for all HTTP requests, without needing to repeat this code?
I want to refresh a JWT every time a controller method is called without having to add a method to every single controller call. Is there a method I can override?
I'm using a Java API.
I want to refresh a JWT every time...
This should be avoided unless you really know what you are going to do.
Use Refresh Tokens Only to refresh your JWT Access Tokens. For more information, read this article and this question & answer (both)
If the primary concern is only about refreshing the tokens, then server should not be bothered about this mechanism intuitively. Such request must be raised from client applications/client of server/web clients/etc.. that they want to refresh the token.
For Eg, If JWT access Token is having 10min lifetime, and refresh token is having 720hrs of lifetime,
then client must call a refresh token request silently before the expiration time. (in this case, each 8-9 mins should be ok)
or else, if you don't want to make calls after every 8-9 mins since the user might not be actively using, then you can write some interceptors which checks the expiry of token before making HTTP calls, if token is expired (or about to expire) then they should call refresh token API first, get new token and then continue the normal HTTP call, all this on client side.
This stackoverflow question is kind of doing similar thing with respect to angular framework ( at client side).
That's okay.. but, Still I want to do it on server side, What are the choices?
You can use Aspect Oriented Programming model for this kind of stuff, and happy part is, it's available in Spring Framework.
Read this for basic idea to start over.
Or
Use Filter Interceptors of HttpServlets to manipulate requests/responses.
Read this nice article to get some idea about it.
Hope it helps, at least, in learning. :)
Here and here are good examples of best practices on dealing with REST token-based authentication.
But in my case I am worried about one user using his own token to modify another user's data. The problem arises when we just verify if a user has a valid token and if positive, then execute any operation the user asked for.
Of course the most simple way to defeat this is to check if the authorized user id is the same as the one in the Request JSON (e.g. user_id). But this is tedious (all endpoints need this logic) and error prone (we might forget to do it for one endpoint).
Are there any ways to automate this?
I'm writing the back end for a web app in Spring. It uses Rest to communicate with the front end. The front end is browser based, so it can't contain a private key.
I've been trying to figure out what type of security I need to meet the following conditions:
1) The user logs in and I create a token that corresponds to a user object
2) I reply to the login request with this token
3) the token is attached by the front end to every request that I get so that I know what user is making that request.
Whenever I read up on Spring security I find two things, which are oauth2 and basic authentication, which I keep seeing people say is insecure. It seems like I can accomplish what I want with oath2, but it gets really confusing when I actually try to implement it.
What I want seems simple enough that I could just do all the work myself, but that seems like a terrible idea, since I have no experience with security. Could I, for example, have a local map of authentication tokens to user objects and redirect any request that has an invalid token to a login page? Taking into account repeated invalid request and expiry of tokens over time.
Or would I be missing a bunch of important security features by doing this? What specific words can I research to answer some of these questions on my own?
I have been working on a GWT application, which is a variation of an issue tracking system. There are some projects, which have some tickes(tasks or issues) assigned to some users. One of the requirements is to provide the administrator with an option to give access to a certain non-user person, to a specific task of a specific project. This can be a read or read/write access.
So, the question is, what are some best practices to achieve this, especially in a GWT application? Are there some specific protocols, or frameworks etc to be used.
My understanding is to generate a unique(non-guessable) url token, map it to the ticket(task, issue). And also, map the token to an access type(read, read/write). Then, load the mapped ticket, with the right access type.
But, i am wondering if there is a out of the box solution to this?
AFAIK there is no ready-solution in GWT.
Basically you will create a history token (i.e. http://MyGWTApp.com/tasks/#!SOME_LONG_UID).
When the user navigates to this URL, you have to check on the backend if the UID is valid. You can do this by using either RPC, RequestBuilder, or rf. Conveniently you can return the access type (red/write) back to the client.
With the access type you can then disable some UI interface elements.
Some things to keep in mind:
For each task/action that goes to the backend you have to check if the UID allows the access pattern (= never trust the client). So you also have to send along the UID with each request.
You can also have to make sure on the backend that when the anonymous users can only carry out the tasks (read/write) that are allowed (= whitelist).