After I successfully run the request to http://IP:port/oauth/ token to get the authorization token from oauth using spring framework, the response body looks something like this:
{
access_token = jsjxjdnjf .... some_acces_token,
token_type: bearer,
(....) more fields
}
The client to acces this endpoint is a simple Java app using org.springframework.web.client.RestTeplate
My question is:
Is there a predefined class that allows me to encapsulate(map) that information and access it through getters?
Or I have to implement it myself, which would look like this:
public class OauthTokeWrapper {
private String access_token;
(...)//getters,constructors...
}
It is not recommended to read access tokens in the OAuth Client, which should just treat the token as an opaque string to be sent to APIs. Access tokens are not always JWT format and reading tokens in the client could lead to future problems.
Instead it is typical to work with the API claims in a back end API. One option for doing this is via the Nimbus libraries. Here is some example API code of mine in case useful.
Related
My goal is to build a set of REST apis using aws api gateway, back with java Lambda functions and DynamoDB. The payload of the requests and responses is json. I want to avoid tedious field level mapping code between json and java and between java and dynamodb so am trying to use gson to map json to java objects the enhance dynamodb client so I can use java pojos as inputs and outputs of dynamodb queries. This all works fine when testing the functions stand alone.
The issue I am having is passing json between the Gateway and Lambda when trying to integrate gateway apis to the functions. I've tried the two interfaces of Lambda functions, RequestHandler and RequestStreamHandler. I can each of these to do half of what I need, but with RequestHander I have an get runtime errors when returning the response body as json, with RequestStreamHandler I can successfully set the response body as json, but I have problems receiving the request body as json.
It seems that something in the aws gateway framework is converting the body json into an escaped string and then another part of the framework is trying to convert the escaped string into json and failing.
What I am trying to do would seem the most basic REST api use case for aws gateway and Lambda, but I can't find any code examples in aws documentation beyond the trivial "hello world" type. Aws documentation seems pretty thin too, so has anyone out there been successfully in building REST apis with json payloads using aws gateway and Lambda who could share the secret of success?
Here's a bit of background as to what I've tried:
API Gateway:
I've created gateway apis using Lambda proxy integration to my Lambda functions. I've not specified any models to validate the input. I've just taken the default settings. I am passing a json object as the body of my HTTP requests to test the apis.
Lambda Functions
Coded in java using V2 of the SDK.
RequestHandler function - I have created a class the implements the RequestHandler interface specifying the input parameter as a HashMap and output as String. I have successfully got the body of the HTTP request from the hashmap and used Gson to convert the body to my Java pojo. All good.
However I fail trying to include json as the body of the response. I've used both Gson and org.json to construct my http response and include json as the body. I can unit test the function successfully, but when integrated with my gateway api I get an error in the gateway (not that the response has been escaped):
Tue Jan 12 11:12:23 UTC 2021 : Endpoint response body before transformations: "{"body":{"message":"hello world"},"isBase64encoded":false,"statusCode":200}"
Tue Jan 12 11:06:59 UTC 2021 : Execution failed due to configuration error: Malformed Lambda proxy response
RequestStreamHandler
The signature of the handleRequest method is:
public void handleRequest(InputStream input, OutputStream output, Context context)
In this case, I can successfully create a json response using gson and write it to the output stream and the api gateway is fine with it.
However I have a problem with the input. I have tried to use gson to parse the input stream and extract the body. This is fine, but the body is not json, it is an escaped json string, for example:
"{\r\n "id": "10",\r\n "title": "Ski trips",\r\n "owner": "captain",\r\n "locations": \r\n [\r\n {"latitude": 55, "longitude":-2 }\r\n ]\r\n}"
I can't use Gson to parse this nor use Gson to convert it to a pojo. If I try then I get runtime exceptions. To get round this I have used org.apache.commons.text.StringEscapeUtils to remove the escape characters and then removed the leading and trailing quotes round the string. I can then use Gson to convert the resultant string to my pojo class. This is tedious in the extreme.
I've tried changing the classes used for the inputs and outputs of the handleRequest methods, for example to return a JsonObject to see if that changed what I receive but to no avail. If the body contains just a string rather than json, then there is no problem. So just returning "hello world" as the body is fine as per the examples I've found.
I must be missing something, possible in the definition of the gateway api or in the types of the input and output parameters of the Lambda functions but without documentation it really is just wandering around in the dark. Hey all I want to do is to take a json object from the body of a rest request and write it as a json document to a nosql database, getting tripped up by conversion and mapping is really frustrating.
Thanks to anyone who can help me.
Lets say this is our Hander class with ApiGatewayRequest and ApiGatewayProxyResponse are request and response class names.
public class MyHandler implements RequestHandler<ApiGatewayRequest, ApiGatewayProxyResponse> {
#Override
public ApiGatewayProxyResponse handleRequest(ApiGatewayRequest request, Context context) {
}
}
Request Class
public class ApiGatewayRequest {
private String body;
private Map<String, String> headers;
private Map<String, String> queryStringParameters;
private Map<String, String> pathParameters;
private boolean isBase64Encoded;
}
Response Class
public class ApiGatewayProxyResponse {
private int statusCode;
private Map<String, String> headers;
private String body;
}
Json string should be sent in body with com.fasterxml.jackson.databind.ObjectMapper something like
String body = new ObjectMapper().writeValueAsString(ouputObject)
necessary headers ex: Access-Control-Allow-Credentials, Access-Control-Allow-Origin or Content-Type
I have solved my own problem. In aws gateway I had chosen my api to be of type Rest, which seemed the obvious choice for creating Rest services accessed over HTTP. I created a new api of type Http to integrate with the same Lambda function and to cut a long story short that solved the problem. The body of my post request as passed to the Lambda function is not escaped and can be process as json, and likewise the body in my response is not escaped or rejected before being returned to an http client. However I found this out through trial and error rather than by following clear documentation or working examples. My next step is to implement examples of get, post, put and delete HTTP methods to understand how parameters are passed in the case of path variables and query strings, as well as completing the integration with dynamodb. I'll post my working code once done.
I am calling below API to get bearer access token.
POST https://idcs-xxxx.identity.c9dev2.oc9qadev.com/oauth2/v1/token
Once the token is retrieved i will use the same token in below APIs. These APIs are part of single transaction. But every time I call these APIs,I have to pass the token for authorization. I dont want to generate token again and again because It is valid for 60 min. How can I check whether token is expired or not. .If it is expired then only I want to generate again, else i want to use the existing one. I am not using any framework to call the APIs in java.I am using HttpUrlConnection.
GET https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/skills
GET https://idcs-xxxx-t0.data.digitalassistant.oci.oc-test.com/api/v1/skills/dynamicEntities
POST https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/bots/xxx/v2/yyy
PATCH https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/bots/xxx
PUT https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/bots/xxx/DONE
Possible concept: Write a Helper class to do the API request (e.g. MyAPIClient.class). Most APIs will return a 401 HTTP error when the token is expired. Check this behaviour for this specific api. If this is the case, get a new token within this helper class and repeat the request with the new token. Cache this token for 60min after you got it (different Java Frameworks have different kind of Cache providers you can use for this). Use the helper class everywhere you want to access the api
In my server application, I want to consume some third party API using a MicroProfile REST client. To do so, I need to send an Authorization Header with a bearer token.
I don't want to always get a token before I make any call so I need a mechanism to only retrieve a new token if there is no token yet or if the token expired. The token could then be stored and used in each call until it expires. The next call to the API which would cause a HTTP 401 Unauthorized shall then cause a new token to be obtained.
Unfortunately so far I wasn't able to find any resources on how to consume OAuth secured APIs using the MicroProfile REST client. I hope anybody can give me any tips. I'm using Kotlin and Quarkus but Java related documentation would be fine as well. Anything helps.
Here is my rather simple client:
#RegisterRestClient
#Produces(MediaType.APPLICATION_JSON)
interface SomeThirdPartyApiClient {
#POST
#Path("/some/random/url")
fun someRandomUrl(body: SomeJsonRequestObject, #HeaderParam("Authorization") bearer: String): SomeJsonResponseObject
}
As discussed with iabughosh, there seems to be no automatic way of doing what I want to do. Instead I have written the code myself as suggested by iabughosh. I went with the route of catching errors in the call. If the error has a 401 status, then I retrieve a new token and retry the call.
When the application starts and has no token yet, the first call always causes a 401 and then I get the first token. The next 401 appears only when the token expires (or was removed by a server admin prematurely) so then I simply get the token and do the call again.
As for now this seems to work just fine. I'll have to see how it turns out in production when there are a lot of (parallel) calls. If I find a better solution, I'll try to remember this question and update it accordingly.
There isn't any way to pass it at annotation level, through eclipse microprofile configuration, the only way to pass a dynamic token is by adding
#HeadParameter("Authorization") authString
in your rest call, in case you are using jwt, usually you can inject the JsonWebToken and do all the checks with this object, so you wouldn't need that parameter, however, you can add it and just ignore, than in your rest client method declaration you have to add it too (as I seen your case you did it already, just assure the order of parameters is the same), and the restclient will be able to pass the token though the header (you need to pass "Bearer "+tokenString), but you need to access to the code of your rest service.
I am very much new to web services. I have exposed some REST services using Jersey 2 in integration with Spring. Now I need to secure those rest services using authentication with username/password. I am told not to use Spring Security.
I have no idea of how to do this. I did search on the net but various links show various implementation and I am unable to decide how to proceed with it.
A common way for authenticating with username and password is to use Basic Authentication. Basically the client needs to send a request header Authorization, with the the header value as Basic Base64Encoded(username:password). So is my username is peeskillet and my password is pass, I, as a client, should set the header as
Authorization: Basic cGVlc2tpbGxldDpwYXNz
In a servlet environment, the container should have support for Basic authentication. You would configure this support on the web.xml. You can see an example in 48.2 Securing Web Applications of the Java EE tutorial. You will also notice in an example
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
That is for SSL support. This is recommended for Basic Authentication.
If you don't want to deal with the hassle of working with security domains and login modules, realm, and such, that would be required to customize the servlet support, or if you're just not in a servlet environment, implementing Basic Auth in a ContainerRequestFilter is really not too difficult.
You can see a complete example of how this could be done at jersey/examples/https-clientserver-grizzly. You should focus on the SecurityFilter
The basic flow in the filter goes something like this
Get the Authorization header. If it doesn't exist, throw an AuthenticationException. In which case the AuthenticationExceptionMapper will send out the header "WWW-Authenticate", "Basic realm=\"" + e.getRealm() + "\", which is part of the Basic Auth protocol
Once we have the header, we parse it just to get the Base64 encoded username:password. Then we decode it, then split it, then separate the user name and password. If any of this process fails, again throw the WebApplicationException that maps to a 400 Bad Request.
Check the username and password. The example source code just checks if the username is user and the password is password, but you will want to use some service in the filter to verify this information. If either of these fail, throw an AuthenticationException
If all goes well, a User is created from the authenticate method, and is injected into an Authorizer (which is a SecurityContext). In JAX-RS, the SecurityContext is normally used for authorization`.
For the authorization, if you want to secure certain areas for certain resources, you can use the #RolesAllowed annotation for your classes or methods. Jersey has support for this annotation, by registering the RolesAllowedDynamicFeature.
What happens under the hood is that the SecurityContext will be obtained from the request. With the example I linked to, you can see the Authorizer, it has an overridden method isUserInRole. This method will be called to check against the value(s) in #RolesAllowed({"ADMIN"}). So when you create the SecurityContext, you should make sure to include on the overridden method, the roles of the user.
For testing, you can simply use a browser. If everything is set up correctly, when you try and access the resource, you should see (in Firefox) a dialog as seen in this post. If you use cURL, you could do
C:/>curl -v -u username:password http://localhost:8080/blah/resource
This will send out a Basic Authenticated request. Because of the -v switch, you should see all the headers involved. If you just want to test with the client API, you can see here how to set it up. In any of the three cases mentioned, the Base64 encoding will be done for you, so you don't have to worry about it.
As for the SSL, you should look into the documentation of your container for information about how to set it up.
So this is really a matter what you would like to achieve. My case was to get this thing running with mobile and a One-Page-App JavaScript.
Basically all you need to do is generate some kind of header that value that will be needed in every consecutive request you client will make.
So you do a endpoint in which you wait for a post with user/password:
#Path("/login")
public class AuthenticationResource {
#POST
#Consumes("application/json")
public Response authenticate(Credentials credential) {
boolean canBeLoggedIn = (...check in your DB or anywher you need to)
if (canBeLoggedIn) {
UUID uuid = UUID.randomUUID();
Token token = new Token();
token.setToken(uuid.toString());
//save your token with associated with user
(...)
return Response.ok(token).type(MediaType.APPLICATION_JSON_TYPE).build();
} else {
return Response.status(Response.Status.UNAUTHORIZED).build();
}
}
}
Now you need to secure resource with need for that token:
#Path("/payment")
#AuthorizedWithToken
public class Payments {
#GET
#Produces("application/json")
public Response sync() {
(...)
}
}
Notice the #AuthorizedWithToken annotation. This annotaation you can create on your own using special meta annotation #NameBinding
#NameBinding
#Target({ElementType.METHOD, ElementType.TYPE})
#Retention(RetentionPolicy.RUNTIME)
public #interface AuthorizedWithToken {}
And now for the filter that implements checking of the header:
#AuthorizedWithToken
#Provider
public class XAuthTokenFilter implements ContainerRequestFilter {
private static String X_Auth_Token = "X-Auth-Token";
#Override
public void filter(ContainerRequestContext crc) throws IOException {
String headerValue = crc.getHeaderString(X_Auth_Token);
if (headerValue == null) {
crc.abortWith(Response.status(Response.Status.FORBIDDEN).entity("Missing " + X_Auth_Token + " value").build());
return;
}
if(! TOKEN_FOUND_IN_DB) {
crc.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity("Wrong " + X_Auth_Token + " value").build());
return;
}
}
}
You can create any number of your own annotations checking for various things in the http request and mix them. However you need to pay attention to Priorities but that actually easy thing to find. This method needs using https but that is obvious.
Security comes in two main flavours :
Container Based
application based
the standard way to secure spring applications is to use Spring Security (formerly Acegi).
It would be interesting to know why you're not being allowed to use that.
You could use container based security, but I'm guessing that your use of spring precludes that option too.
Since the choice of Spring is usually to obviate the need for the use of a full J2EE container (Edit : though as pointed out below by others, most ordinary servlet containers do allow you to implement various container based security methods)
This really only leaves you with one option which is to roll your own security.
Your use of Jersey suggests that this might be a REST application.
In which case you really ought to stick with standard HTTP Authentication methods that
comes in the following flavours in reverse order of strength :
BASIC
Digest
Form
Certificate
REST applications are usually supposed to be 'stateless', which essentially rules out form based authentication (because you'd require the use of Session)
leaving you with BASIC, Digest and Certificate.
Your next question is, who am I authenticating. If you can expect to know the username AND the password of the user based on what URL they requested (say if it's one set of credentials for all users) then Digest is the best bet since the password is never sent, only a hash.
If you cannot know the Password (because you ask a third party system to validate it etc.) then you are stuck with BASIC.
But you can enhance the security of BASIC by using SSL, or better yet, combining BASIC with client certificate authentication.
In fact BASIC authentication over HTTPS is the standard technique for securing most REST applications.
You can easily implement a Servlet Filter that looks for the Authentication Header and validates the credentials yourself.
There are many examples of such filters, it's a single self contained class file.
If no credentials are found the filter returns 401 passing a prompt for basic auth in the response headers.
If the credentials are invalid you return 403.
App security is almost an entire career in itself, but I hope this helps.
As the former posts say, you could go with different options, with a varying overhead for implementation. From a practical view, if you're going to start with this and are looking for a comfortable way for a simple implementation, I'd recommend container-based option using BASIC authentication.
If you use tomcat, you can setup a realm, which is relatively simple to implement. You could use JDBCRealm, which gets you a user and password from specified columns in your database, and configure it via server.xml and web.xml.
This will prompt you for credentials automatically, everytime you are trying to access your application. You don't have any application-side implementation to do for that.
What I can tell you now is that you already did most of the 'dirty' job integrating Jersey with Spring. I recommend to you to go an Application-based solution, is it does not tie you to a particular container. Spring Security can be intimidating at first, but then when you tame the beast, you see it was actually a friendly puppy.
The fact is that Spring Security is hugely customizable, just by implementing their interfaces. And there is a lot of documentation and support. Plus, you already have a Spring based application.
As all you seek is guidance, I can provide you with some tutorials. You can take advantage from this blog.
http://www.baeldung.com/rest-with-spring-series/
http://www.baeldung.com/2011/10/31/securing-a-restful-web-service-with-spring-security-3-1-part-3/
I need to make a rest call to share a post in Linkedin and I am using Spring Social Linkedin module for that. Unfortunately I cannot simply use
org.springframework.social.linkedin.api.NetworkUpdateOperations.share(NewShare share)
method, I am working on a project that provides the raw rest template to the users, and users can make any rest call to any url using it. I am using Spring Social's Linkedin module just for the authentication part (and it works as it should).
So, I provide to users the rest template behind the Linkedin Spring Social Linkedin module. And they should be able to post a share to Linkedin with a given url and data in runtime. The request body should contain something like this (taken from here):
<share>
<comment>Check out the LinkedIn Share API!</comment>
<content>
<title>LinkedIn Developers Documentation On Using the Share API</title>
<description>Leverage the Share API to maximize engagement on user-generated content on LinkedIn</description>
<submitted-url>https://developer.linkedin.com/documents/share-api</submitted-url>
<submitted-image-url>http://m3.licdn.com/media/p/3/000/124/1a6/089a29a.png</submitted-image-url>
</content>
<visibility>
<code>anyone</code>
</visibility>
</share>
To share, I create a String with that xml and use the command postForObject. Like this:
String toShare = "<share><comment>Check out..." // the string of xml
Object result = linkedinRestTemplate.postForObject("https://api.linkedin.com/v1/people/~/shares", toShare, Object.class);
But this call fails with a response 400 Bad Request. It seems like rest template handling this xml string and not as an object, so it is not serialized and put to the request body properly.
Spring Social Linkedin does the same thing but only with a difference: It has a serializable class called NewShare which have the same structure of that xml. But when an instance of the NewShare is given as body to the request, it is successful. Like this:
NewShare share = new NewShare();
share.set... // set its properties, sub-classes, content etc.
Object result = linkedinRestTemplate.postForObject("https://api.linkedin.com/v1/people/~/shares", newShare, Object.class);
This call is successful.
But I cannot deserialize my String into NewShare because I am providing an API so I assume I have absolutely no information about the request body.
So how can I manage to make spring handle the string xml body correctly and make a proper service call?