I am trying to get user id in open method of websocket, and for this I am using shiro, but I get null for Subject,Here is my method:
#OnOpen
public void open(final Session session, #PathParam("room") final String room) {
Subject currentUser = SecurityUtils.getSubject();
long id = currentUser.getPrincipals().oneByType(model.Users.class)
.getId();
log.info("session openend and bound to room: " + room);
session.getUserProperties().put("user", id);
}
Does anybody have any idea what I should do?
After a day I solved it, I changed class of open method to this:
#ServerEndpoint(value = "/chat/{room}", configurator = GetHttpSessionConfigurator.class, encoders = ChatMessageEncoder.class, decoders = ChatMessageDecoder.class)
public class ChatEndpoint {
private final Logger log = Logger.getLogger(getClass().getName());
#OnOpen
public void open(final Session session,
#PathParam("room") final String room, EndpointConfig config) {
log.info("session openend and bound to room: " + room);
Principal userPrincipal = (Principal) config.getUserProperties().get(
"UserPrincipal");
String user=null;
try {
user = (String) userPrincipal.getName();
} catch (Exception e) {
e.printStackTrace();
}
session.getUserProperties().put("user", user);
System.out.println("!!!!!!!! "+user);
}}
and GetHttpSessionConfigurator class:
public class GetHttpSessionConfigurator extends
ServerEndpointConfig.Configurator {
#Override
public void modifyHandshake(ServerEndpointConfig config,
HandshakeRequest request, HandshakeResponse response) {
config.getUserProperties().put("UserPrincipal",request.getUserPrincipal());
config.getUserProperties().put("userInRole", request.isUserInRole("someRole"));
}}
and Implement my user model from Principal and override getName() method to get id:
#Override
public String getName() {
String id=Long.toString(getId());
return id;
}
A simpler solution could be to use javax.websocket.Session.getUserPrincipal() which Returns the authenticated user for this Session or null if no user is authenticated for this session Like so,
#OnOpen
public void open(final Session session, #PathParam("room") final String room) {
Principal userPrincipal = session.getUserPrincipal();
if (userPrincipal == null) {
log.info("The user is not logged in.");
} else {
String user = userPrincipal.getName();
// now that your have your user here, your can do whatever other operation you want.
}
}
Subsequent methods like onMessage can also use the same method to retrieve the user.
Related
I implemented a Userstorage SPI for Keycloak and I see that when I try to have my tokens, it uses both the getUserByUsername() and getUserById() method (https://www.keycloak.org/docs-api/13.0/javadocs/org/keycloak/storage/user/UserLookupProvider.html):
I try to have my tokens like this:
I implemented the methods here (I know the logging message is not the best, this is just a tutorial project):
public class UserStorageProviderImpl implements UserStorageProvider, UserLookupProvider, CredentialInputValidator, UserQueryProvider {
...
#Override
public UserModel getUserByUsername(String username, RealmModel realm) {
log.info("------------------- username = " + username);
User user = UserRepository.findByName(username, realm, model, session);
AbstractUserAdapterImpl um = Mapper.toUserModel(session, realm, model, user);
return um;
}
private static final Logger log = LoggerFactory.getLogger(UserStorageProviderImpl.class);
#Override
public UserModel getUserById(String id, RealmModel realm) {
log.info("------------------- id = " + id);
StorageId sid = new StorageId(id);
String name = sid.getExternalId();
User user = UserRepository.findByName(name, realm, model, session);
return Mapper.toUserModel(session, realm, model, user);
}
}
As you can see, both log messages can be seen (------------------ username = and -------------------- id = )
My question is: why? Sadly I did not find any information in the documents about the flow it works. How each methods following eachother.
I am trying to implement this spring application that I got from Github. I am still in the learning process so this might be a basic question. what parameters do I need to pass in the postman body for this update user method? I wrote { "id":1,"password":"1234"} in the postman body but its showing me 400 bad syntax error.
public void updateUser(int id, String parameter, String update)
{
Session session=sessionFactory.openSession();
Transaction tx=session.beginTransaction();
//System.out.print(mail);
List<User_org> userList = userList();
for(User_org i: userList)
{
User_org u= i;
if(u.getId()==id)
{
if(parameter.equalsIgnoreCase("mail"))
{
u.setEmail(update);
session.update(u);
break;
}
if(parameter.equalsIgnoreCase("phone_no"))
{
u.setPhone_num(Integer.parseInt(update));
session.update(u);
break;
}
if(parameter.equalsIgnoreCase("password"))
{
u.setPassword(update);
session.update(u);
break;
}
}
}
session.flush();
tx.commit();
//return id;
}
In controller
public void updateUser(#RequestBody int id,String parameter, String updateToBe)
{
service.updateUser(id,parameter, updateToBe);
}
Create an Entity or DTO with all fields
eg.
class User{
int id,
String parameter,
String updateToBe
// getters and setters
}
public void updateUser(#RequestBody User user)
{
service.updateUser(user);
}
From Postman send JSON object
I am trying to validate the string email to check if it already appears within my MYSQL database, when I execute with an email thats already used I get the following error:
java.lang.IllegalStateException: Invalid target for Validator [co2103.hw2.controller.TestResultsValidator#62b41c6]: org.springframework.validation.BeanPropertyBindingResult: 1 errors
Field error in object 'testResults' on field 'email': rejected value [abc#le.ac.uk]; codes [email.testResults.email,email.email,email.java.lang.String,email]; arguments []; default message [is already provided by a different user! Please user another one!]
Here is the validator code
public class TestResultsValidator implements Validator{
private TestResultsRepository TrRepo;
private HomeTestRepository HTRepo;
public TestResultsValidator (TestResultsRepository TrRepo, HomeTestRepository HTRepo) {
this.TrRepo = TrRepo;
this.HTRepo = HTRepo;
}
#Override
public boolean supports(Class<?> clazz) {
return TestResults.class.equals(clazz);
}
#Override
public void validate(Object target, Errors errors) {
TestResults tr = (TestResults) target;
for(TestResults t : TrRepo.findAll()) {
//SAME EMAIL
if (tr.getEmail().equals(t.getEmail())) {
errors.rejectValue("email", "email", "is already provided by a different user! Please user another one!");
System.out.println("Email is already taken by a different user, please try another username");
break;
}
The controller code
//Add new results
#RequestMapping(value = "/addResults",method = {RequestMethod.POST , RequestMethod.GET})
public String newHotel(#Valid #ModelAttribute TestResults results, BindingResult result, Model model) {
if (result.hasErrors()) {
model.addAttribute("errors", result);
return "start";
}
else {
trRepo.save(results);
return "Submitted";
}}
You need to register you validator to spring.
First ad Component Annotation to your validtor.
#Component
public class TestResultsValidator implements Validator{
.....
}
Register it in the controller.
#Controller
class TestResultController {
#Autowired
TestResultsValidator testResultsValidator ;
#InitBinder("testResultsValidator")
protected void initMessageBinder(WebDataBinder binder) {
binder.addValidators(testResultsValidator );
}
}
I have an existing code at a class which is extended from javax.ws.rs.core.Application
...
Context childContext = component.getContext().createChildContext();
JaxRsApplication application = new JaxRsApplication(childContext);
application.add(this);
application.setStatusService(new ErrorStatusService());
childContext.getAttributes().put("My Server", this);
...
ChallengeAuthenticator challengeGuard = new ChallengeAuthenticator(null, ChallengeScheme.HTTP_BASIC, "REST API Realm");
//Create in-memory users with roles
MemoryRealm realm = new MemoryRealm();
User user = new User("user", "user");
realm.getUsers().add(user);
realm.map(user, Role.get(null, "user"));
User owner = new User("admin", "admin");
realm.getUsers().add(owner);
realm.map(owner, Role.get(null, "admin"));
//Attach verifier to check authentication and enroler to determine roles
challengeGuard.setVerifier(realm.getVerifier());
challengeGuard.setEnroler(realm.getEnroler());
challengeGuard.setNext(application);
// Attach the application with HTTP basic authentication security
component.getDefaultHost().attach(challengeGuard);
I don't have a web.xml at my code. I would like to add authorization to my code. This: https://restlet.com/technical-resources/restlet-framework/guide/2.3/core/security/authorization does not apply to me since I don't have restlet resources.
How can I implement jax rs authorization into my code?
EDIT 1: Existing code uses restlet JAX-RS extension: https://restlet.com/technical-resources/restlet-framework/guide/2.2/extensions/jaxrs
I've tried that at my jax-rs resource class:
#GET
#Path("/")
public String getStatus() {
if (!securityContext.isUserInRole("admin")) {
throw new WebApplicationException(Response.Status.FORBIDDEN);
}
...
}
However, it throws 403 even I log in with admin user.
EDIT 2:
When I check here: https://restlet.com/technical-resources/restlet-framework/guide/2.2/extensions/jaxrs There is a piece of code:
this.setRoleChecker(...); // if needed
This may solve my issue but I don't know how to set a role checker.
PS: I use jersey 1.9 and restlet 2.2.3.
It's not really clear (at least to me :-) ) what you are trying to achieve.
If you have a class which is a subclass of javax.ws.rs.core.Application, you should be able to simply add #RolesAllowed("user") as an annotation to your resource classes, as shown in https://jersey.java.net/documentation/latest/security.html
#Path("/")
#PermitAll
public class Resource {
#RolesAllowed("user")
#GET
public String get() { return "GET"; }
#RolesAllowed("admin")
#POST
public String post(String content) { return content; }
#Path("sub")
public SubResource getSubResource() {
return new SubResource();
}
}
Accessing that resource should prompt you for your credentials. If that doesn't work, then you need to provide a small code sample, which compiles and doesn't do what you want it to do. Then it's easier to see where the problem is and what needs to be done to make it work
I could make it work like that:
Application class:
...
application.setRoles(getRoles(application));
...
public static List<Role> getRoles(JaxRsApplication application) {
List<Role> roles = new ArrayList<>();
for (AuthorizationRoleEnum authorizationRole : AuthorizationRoleEnum.values()) {
roles.add(new Role(application, authorizationRole.toString()));
}
return roles;
}
...
Authorization enum:
public enum AuthorizationRoleEnum {
USER("user"),
ADMIN("admin");
private final String value;
AuthorizationRoleEnum(String value) {
this.value = value;
}
#Override
public String toString() {
return value;
}
}
At my resource classes:
...
#Context
SecurityContext securityContext;
...
allowOnlyAdmin(securityContext);
...
public void allowOnlyAdmin(SecurityContext securityContext) {
if (securityContext.getAuthenticationScheme() != null
&& !securityContext.isUserInRole(AuthorizationRoleEnum.ADMIN.toString())) {
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
.entity("User does not have required " + AuthorizationRoleEnum.ADMIN + " role!").build());
}
}
...
You need to implement your RoleChecker using this interface.
As the doc says:
Because the Restlet API does not support its own mechanism for role checks (as e.g. the Servlet API), you must use this inteface if you need role checks in a JAX-RS application.
This interface is used to check, if a user is in a role. Implementations must be thread save.
so as an example of implementation you can do smth like this:
public class MyRoleChecker implements RoleChecker {
public boolean isInRole(Principal principal, String role) {
return principal.getRole().equals(role);
}
}
Edited:
On the other hand as you use the new API, you need to implement SecurityContext and inject it using #Context in your resource methods.
Then you fetch roles list from the storage by username. The storage implementation is up to you. Please refer to this example
#Priority(Priorities.AUTHENTICATION)
public class AuthFilterWithCustomSecurityContext implements ContainerRequestFilter {
#Context
UriInfo uriInfo;
#Override
public void filter(ContainerRequestContext requestContext) throws IOException {
String authHeaderVal = requestContext.getHeaderString("Auth-Token");
String subject = validateToken(authHeaderVal); //execute custom authentication
if (subject!=null) {
final SecurityContext securityContext = requestContext.getSecurityContext();
requestContext.setSecurityContext(new SecurityContext() {
#Override
public Principal getUserPrincipal() {
return new Principal() {
#Override
public String getName() {
return subject;
}
};
}
#Override
public boolean isUserInRole(String role) {
List<Role> roles = findUserRoles(subject);
return roles.contains(role);
}
#Override
public boolean isSecure() {
return uriInfo.getAbsolutePath().toString().startsWith("https");
}
#Override
public String getAuthenticationScheme() {
return "Token-Based-Auth-Scheme";
}
});
}
}
}
I'm using Tapestry-Security which uses Apache Shiro
I have a custom realm which handles authorization and authentication. Our authentication technically happens using a remote service, which returns a username and a set of roles. I just pass the username into my custom AuthenticationToken which allows me to query our local db and set the SimpleAuthenticationInfo.
I can't figure out how to populate the AuthorizationInfo doGetAuthorizationInfo method using the list of roles returned to me from our remote service. Below is the code I'm using to populate the realm.
Login.class
//Remote authentication service
RemoteLoginClient client = new RemoteLoginClient();
RemoteSubject authenticate = client.authenticate(username, password);
//tapestry security authentication
Subject currentUser = SecurityUtils.getSubject();
CustomAuthenticationToken token = new
CustomAuthenticationToken(authenticate.getUsername());
System.out.println("roles" + authenticate.getRoles());
currentUser.login(token);
AuthorizationInfo method inside customRealm
public class CustomRealm extends AuthorizingRealm {
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
CustomAuthenticationToken upToken = (CustomAuthenticationToken ) token;
String email = upToken.getUsername();
ApplicationUser applicationUser = (ApplicationUser) session.createCriteria(ApplicationUser.class)
.add(Restrictions.like("email", email + "%"))
.uniqueResult();
if (applicationUser == null) {
throw new UnknownAccountException("User doesn't exist in EPRS database");
}
return buildAuthenticationInfo(applicationUser.getId());
}
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//Not sure how to populate the principle or
//read the principle to populate the SimpleAuthorizationInfo
return new SimpleAuthorizationInfo(roleNames);
}
Extending AuthorizingRealm is a good place to start if you need both authentication and authorization. Also, as PepperBob has already said, while you're at it, the Account interface and its SimpleAccount implementation support both authentication and authorization in a single interface, so you don't need much separate code for doGetAuthenticationInfo() and doGetAuthorizationInfo() and can just return the same object from both methods.
To get the authorization information, you need to do two things:
Get an available principal from the principal collection passed as a parameter (which, in most cases, just contains one principal anyway) via the getAvailablePrincipal() method (neatly predefined in AuthorizingRealm).
Load your roles and pass them to setRoles() on your account object.
...and you're done.
Edited to add:
This would be a very simple way to store the roles until you need them. Note that the actual authentication is done in the realm, which has a dependency on RemoteLoginClient.
public class MyRealm extends AuthorizingRealm {
private RemoteLoginClient client = ...;
private final Map<String, Set<String>> emailToRoles = new ConcurrentHashMap<>();
#Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) {
final UsernamePasswordToken userPass = (UsernamePasswordToken) token;
final RemoteSubject authenticate = this.client.authenticate(
userPass.getUserName(), userPass.getPassword());
if (authenticate != null) { //assuming this means success
this.emailToRoles.put(userPass.getUserName(), authenticate.getRoles());
return new SimpleAuthenticationInfo(...);
} else {
return null;
}
}
#Override
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals) {
final String username = (String) principals.getPrimaryPrincipal();
final Set<String> roles = this.emailToRoles.get(username);
return new SimpleAuthorizationInfo(roles);
}
}
I answered my own question and wanted to post this in case someone else needed help or for possible improvement on my solution.
Login.class method
Object onSubmit() {
try {
//Remote Authentication
RemoteLoginClient client = new RemoteLoginClient ();
RemoteSubject authenticate = client.authenticate(formatUsername(username), password);
//tapestry security authentication
Subject currentUser = SecurityUtils.getSubject();
CustomAuthenticationToken token = new CustomAuthenticationToken(authenticate.getUsername(), authenticate.getRoles());
currentUser.login(token);
} //catch errors
}
//Custom token used to hold username and roles which are set from remote authentication service.
public class CustomAuthenticationToken implements AuthenticationToken {
private String username;
private Set<String> roles;
public CustomAuthenticationToken(String username, Set<String> roles) {
this.username = username;
this.roles = roles;
}
getters/setters
//Custom Realm used to handle local authentication and authorization.
public class CustomRealm extends AuthorizingRealm {
//Hibernate Session
private final Session session;
public static final String EMPTY_PASSWORD = "";
public CustomRealm(Session session) {
this.session = session;
setCredentialsMatcher(new AllowAllCredentialsMatcher());
setAuthenticationTokenClass(CustomAuthenticationToken.class);
}
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
CustomAuthenticationToken customToken = (CustomAuthenticationToken) token;
String email = customToken.getUsername();
User user = (User) session.createCriteria(User.class)
.add(Restrictions.like("email", email+ "%"))
.uniqueResult();
if (user == null) {
throw new UnknownAccountException("User doesn't exist in local database");
}
return new SimpleAuthenticationInfo(new CustomPrincipal(user, customToken.getRoles()), EMPTY_PASSWORD, getName());
}
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
return new SimpleAuthorizationInfo(((CustomPrincipal) principals.getPrimaryPrincipal()).getRoles());
}
}
//Custom principal used to hold user object and roles
public class CustomPrincipal {
private User user;
private Set<String> roles;
public CustomPrincipal() {
}
public CustomPrincipal(User user, Set<String> roles) {
this.user = user;
this.roles = roles;
}
getters/setters