I'm transitioning for Spring to Quarkus and wanted to try to code a simple login/register backend. The registration part works perfectly, but I have no clue how I can manually log in the user. Using spring I just used to have an endpoint that received the username and the password:
public void login(HttpServletRequest req, String user, String pass) {
var authReq = new UsernamePasswordAuthenticationToken(user, pass);
var auth = authManager.authenticate(authReq);
var sc = SecurityContextHolder.getContext();
sc.setAuthentication(auth);
var session = req.getSession(true);
session.setAttribute(SPRING_SECURITY_CONTEXT_KEY, sc);
}
But with Quarkus there doesn't seem to be a way to do that. What am I supposed to do? What I have so far:
new AuthenticationBuilder().addUsername(username).addPassword(password).build().digest(AuthenticationDigest.forRepository());
But I have no clue how to continue
As far as I know, there is no implementation of session-based authentication (SBA) in Quarkus. In the official security documentation of the framework there are no references to SBA.
Related
I want to implement user login/signup using username, password and project (additional field). It is working with username and password but unable to implement to add additional field (project) since I am new to spring security.
I am able to signup with email, username, password and project.
I have added Project in UserPrincipal as shown in below code.
I need to implement custom authentication to add project during login but I am unable to figure out how to proceed further. Can anybody help please? i have already checked other solutions but did not figure out to implement.
If I understood correctly, you want to just add this project info to a User, during login/sign-up.
As #HarshVerma pointed out, in Spring it's only the login and the password you need to autheticate.
You could implement user's project as a JWT claim:
Jwts.builder()
.setSubject(Long.toString(userPrincipal.getId()))
.claim("project", myProject)
.setIssuedAt(new Date())
.setExpiration(expiryDate)
.signWith(SignatureAlgorithm.HS512, jwtSecret)
.compact();
and then retreive it to authorize accordingly:
Claims claims = new DefaultClaims();
try{
claims = Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(jwt).getBody();
} catch (SignatureException e){
// signature exception
}
Make the following changes to the auth controller. Check if username owns the project before setting the authentication in the context. This feels a little hacky though :
public class AuthController {
...
#PostMapping("/signin")
public ResponseEntity<?> authenticateUser(#Valid #RequestBody LoginRequest loginRequest) {
Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
loginRequest.getUsernameOrEmail(),
loginRequest.getPassword()
)
);
// checking if user owns the project
if (usernameOwnsProject(username, project)) {
SecurityContextHolder.getContext().setAuthentication(authentication);
String jwt = tokenProvider.generateToken(authentication);
return ResponseEntity.ok(new JwtAuthenticationResponse(jwt));
} else {
// throw error
}
}
...
}
I'm new to spring-security. I understood basics of spring-security about authentication-manager and other stuff.
I'm using angularjs as front end, and spring 3.0.5 as backend.
I want to add spring security for role based authorization to my existing project.
I also want to authenticate user using office 365. So, i created application in https://apps.dev.microsoft.com/ and given redirect URI as my localhost action.
Using my code, I'm able to authenticate using office 365 and able to get username in redirected action.
#RequestMapping(value="/getCodeAndProcess", method=RequestMethod.POST)
private ModelAndView getCodeAndProcess(#RequestParam("code") String code, HttpServletRequest request) throws Exception {
HttpSession session = null;
try {
session = request.getSession(false);
session.setMaxInactiveInterval(45*60);
String username = helper.processCodeAndGetUsername(code); //this is I'm getting using office 365.
String userRole = helper.getUserRoleBasedOnUsername(username);
System.out.println("================userRole================="+userRole);
if(username != "") {
session.setAttribute("username", username);
session.setAttribute("userRole", userRole);
}else {
session.invalidate();
throw new Exception("username not found");
}
return new ModelAndView("redirect:/adminDashboard/showDashboard");
}catch(Exception e) {
log.error("Error while processing on users authentication.",e );
session.invalidate();
return new ModelAndView("redirect:/login/loginPage");
}
}
Now, I don't get how to configure username and roles in security-context.xml, so that i can use #PreAuthorize("hasRole('ROLE_USER')") , isAuthenticated(), <sec:authorize in my application. (What to add in security-context.xml? So, that it bind username with role as it doing in form login scenario.)
Can you please help to understand this workflow?
I've got the following set up:
Central auth server written with spring boot that is currently working (I can curl and receive an access token, jdbc token store, etc)
Multiple applications owned by the same developer, sharing the same customer base on different domains. IE: John Doe for app1 is the same as John Doe for app2.
I have an existing application (app1 above) that is jsf 2.2 with spring security configured for login purposes. That application works stand alone right now, with it's own user base.
This is the flow I am trying to obtain:
Resource Owner Password Credential OAuth Flow
So we would want:
User goes to app1
User enters user and password into app1 login page
User hits "login"
Some sort of configuration in Spring would then take the loginByUsername request, get access token from the central oauth server
We now have app1 access - the user could have one of three roles (ADMIN, USER, SUPERUSER).
When they go to (say) app1/views/createEntry.xhtml, we would confirm the access token we currently have is still active on the auth server.
The resource server would technically be the resources on the app1 server (right?)
I'm new to this oauth2.0 process (and spring really), but I think this is the flow I want. How do I set this up with Spring Security? I've seen a security setting called oauth2login() that I think is what we COULD want, but I think that is more authorization code flow.
I haven't found a very good example of this using the password flow.
I do trust each of the applications in this process, hence the password flow. We control the network that maintains traffic between the auth server and the other applications.
Edit: SSO isn't an option because of requirements and our customer base. The applications are unique enough that it doesn't make sense, but the user should be able to log into any of our applications with those credentials.
Edit 2: Sorry for second edit. I would like to add that I've added a resource configuration on app1 and it actually seems like it works - I've secured anything /views/* and when I attempt to go their, I get the expected "Full Authentication required" message.
Edit 3: I think I am making some progress -
First, I created a spring component that implements AuthenticationProvider and then overwrote the authenticate method so that I created a ResourceOwnerPasswordResourceDetails object with all my properties (client id, client secret, grant type, scope, etc) and called the authorization server to get a token. My excitement to see my log refresh for the authorization server was high.
Next step I need to figure out is how to generate an extension of org.springframework.security.core.userdetails.User so that I can store the privileges for the user.
Also - I can't quite figure out yet how the token is stored. I know the auth server generates a token and stores in jdbc, but where/how does the token get stored on the client side?
For those that were curious, here is how I set up the authentication provider on my client (app1). I still have issues with the resource server (ill ask a separate question), but here is what I did:
Custom authenticator:
#Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
#Autowired
private AppUserDAO appUserDAO;
private String accessTokenUri = "http://localhost:8080/oauth/token";
private String clientId = "clientid";
private String clientSecret = "clientsecret";
public AccessTokenProvider userAccessTokenProvider() {
ResourceOwnerPasswordAccessTokenProvider accessTokenProvider = new ResourceOwnerPasswordAccessTokenProvider();
return accessTokenProvider;
}
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
final String username = authentication.getName();
final String password = authentication.getCredentials().toString();
List<String> scopes = new ArrayList<String>();
scopes.add("read");
final ResourceOwnerPasswordResourceDetails resource = new ResourceOwnerPasswordResourceDetails();
resource.setUsername(username);
resource.setPassword(password);
resource.setAccessTokenUri(accessTokenUri);
resource.setClientId(clientId);
resource.setClientSecret(clientSecret);
resource.setGrantType("password");
resource.setScope(scopes);
// Generate an access token
final OAuth2RestTemplate template = new OAuth2RestTemplate(resource, new DefaultOAuth2ClientContext(new DefaultAccessTokenRequest()));
template.setAccessTokenProvider(userAccessTokenProvider());
OAuth2AccessToken accessToken = null;
try {
accessToken = template.getAccessToken();
System.out.println("Grabbed access token from " + accessTokenUri);
}
catch (OAuth2AccessDeniedException e) {
if (e.getCause() instanceof ResourceAccessException) {
final String errorMessage = String.format(
"While authenticating user '%s': " + "Unable to access accessTokenUri '%s'.", username,
accessTokenUri);
throw new AuthenticationServiceException(errorMessage, e);
}
throw new BadCredentialsException(String.format("Access denied for user '%s'.", username), e);
}
catch (OAuth2Exception e) {
throw new AuthenticationServiceException(
String.format("Unable to perform OAuth authentication for user '%s'.", username), e);
}
// Determine roles for user
List<GrantedAuthority> grantList = ...
// Create custom user for the principal
User user = .....
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, null /*dont store password*/, grantList);
return token;
}
#Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
Security configuration:
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private CustomAuthenticationProvider authProvider;
....
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
}
}
I am trying to get Auth0 integrated into my web app which uses the spark-java framework.
The problem is while the authentication works perfectly, including the callback(I see the new user created on Auth0's website and my website gets redirected), I can't access the logged in user info. I've tried several methods like SessionUtils.getAuth0User(request.raw()) and none of them are working.
For example in the provided tutorial here: https://github.com/auth0-samples/auth0-servlet-sample/tree/master/01-Login
they access the logged in user info like so:
#Override
protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
final Auth0User user = SessionUtils.getAuth0User(req);
if (user != null) {
req.setAttribute("user", user);
}
req.getRequestDispatcher("/WEB-INF/jsp/home.jsp").forward(req, res);
}
I've tried doing something similar with Spark but since the get works a bit differently in Spark I do this:
port(Integer.valueOf(System.getenv("PORT")));
staticFileLocation("/spark/template/freemarker");
String clientId = System.getenv("AUTH0_CLIENT_ID");
String clientDomain = System.getenv("AUTH0_DOMAIN");
get("/", (request, response) ->
{
Map<String, Object> attributes = new HashMap<>();
Auth0User user = SessionUtils.getAuth0User(request.raw());
if(user != null) {
attributes.put("user", user);
attributes.put("loggedIn" , true);
}
else
attributes.put("loggedIn" , false);
attributes.put("clientId" , clientId);
attributes.put("clientDomain" , clientDomain);
return new ModelAndView(attributes, "index.ftl");
}, new FreeMarkerEngine());
The code is always reporting the user as null even though the user is created and stored in the database and the signin works properly with no runtime or console errors. The other methods I tried I replaced the line where I set the user variable and wrote the following.
Alternate Method 1:
Auth0User user = (Auth0User) request.session().attribute("auth0User");
Here auth0User is the same string literal Auth0 uses in their implementation of SessionUtils as shown in their source code referenced here: https://github.com/auth0/auth0-java-mvc-common/blob/master/src/main/java/com/auth0/SessionUtils.java
Alternate Method 2:
Auth0User user = (Auth0User) request.raw().getUserPrincipal();
In addition this is my javascript code running client side for the authentication:
var lock = new Auth0Lock('${clientId}', '${clientDomain}', {
auth: {
redirectUrl: 'http://localhost:5000/build',
responseType: 'code',
params: {
scope: 'openid user_id name nickname email picture'
}
}
});
$(document).ready(function()
{
$('.signup').click(function()
{
doSignup();
});
});
function doSignup() {
lock.show();
}
I have no idea why user is being evaluated to null every time and I would love some feedback on what I'm doing wrong. Thanks.
In order for you to get a non null user instance from SessionUtils.getAuth0User(req) some piece of code must first call SessionUtils.setAuth0User. This should be done when you receive confirmation that the user authenticated with success.
In the auth0-servlet-sample you were using as reference this is done by configuring an Auth0ServletCallback that will handle requests performed to /callback endpoint. Since the Auth0ServletCallback calls (see code below) the set user for you, in the servlet example you can then get the user with success.
protected void store(final Tokens tokens, final Auth0User user, final HttpServletRequest req)
{
SessionUtils.setTokens(req, tokens);
SessionUtils.setAuth0User(req, user);
}
At the moment the available samples (auth0-servlet-sample, auth0-servlet-sso-sample, auth0-spring-mvc-sample, auth0-spring-security-api-sample and auth0-spring-security-mvc-sample) don't include one for spark-java so I can't refer you to any sample.
In order to solve this you have to include additional logic to process the result of the authentication operation in your spark-java application and in case of success call the SessionUtils.setAuth0User yourself if you then want to use the corresponding SessionUtils.getAuth0User method.
For general guidance on integrating a web application with Auth0 check Integrating a Web App with Auth0.
I wrote functionality using Spring Security SwitchUserFilter. In application I can switch user using /j_spring_security_switch_user?j_username=xxx URL and go back to previous using /j_spring_security_exit_user.
I also implemented several methods that depends on fact of switching user, so I want to write unit tests for them.
Therefore my question is how can I switch user in jUnit tests environment?
I wrote method which is preparing user with SwitchUserGrantedAuthority and log him in. It seems working fine for my testing purposes, but any tips and comments would be very appreciated.
#SuppressWarnings({ "rawtypes", "unchecked" })
private User logAdminAsUser(User admin, String roleName) {
SecurityContextHolder.getContext().setAuthentication(
new TestingAuthenticationToken(admin, null, "ROLE_ADMIN"));
Authentication adminAuth = SecurityContextHolder.getContext().getAuthentication();
SwitchUserGrantedAuthority switchUserGrantedAuthority =
new SwitchUserGrantedAuthority("ROLE_ADMIN", adminAuth);
List authorities = new LinkedList();
authorities.add(switchUserGrantedAuthority);
User user = populator.storeUser("ROLE_USER");
SecurityContextHolder.getContext().setAuthentication(
new TestingAuthenticationToken(user, null, authorities));
return user;
}
If you want an integrational test, you should consider using a custom http client, or if your test logic depends on it, even GUI drivers like Selenium.
If we are talking about unit tests, refer to Springs
http://spring.io/blog/2014/05/07/preview-spring-security-test-method-security
documentation, they support testing heavily, #WithMockUser annotation appears to be what you are looking for, it allows you to specify with which role or user this test should be runned.
I used this:
private void switchUser(User user, String roleName)
{
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
Collection<GrantedAuthority> authorities =
new ArrayList<>();
GrantedAuthority ga = new SimpleGrantedAuthority(roleName);
authorities.add(ga);
Authentication result = new UsernamePasswordAuthenticationTokenExt(
user,
authentication.getCredentials(),
null,
System.currentTimeMillis()
);
SecurityContextHolder.getContext().setAuthentication( result );
}
where User is the new user, and the roleName is the new authority to set (of course this method can be modified get more params, etc.)