I tried to integrate spring security and spring social. The problem is when I try to create account for him in my system. I would like to avoid creating user with id "anonymousUser".
For expected behaviour when I analyzed code from spring-social-security I expected to call method JdbcUsersConnectionRepository.findUserIdsWithConnection(Connection connection) for creating user and entry in the system. But when I run my code I find out this is not true. Before this action is calling implementation of SocialConfigurer.getUserId(). Great... If we have anonymous user it will be cached... But anyway getUserId is called before anything so authorization doesn't work. So I wrote my own implementation to this thing:
#Configuration
#EnableSocial
public class SocialConfig implements SocialConfigurer {
#Autowired
private DataSource dataSource;
#Autowired
private CustomerService customerService;
#Autowired
private CustomerProviderRepository customerProviderRepository;
#Autowired
private PasswordEncoder passwordEncoder;
#Override
public void addConnectionFactories(ConnectionFactoryConfigurer connectionFactoryConfigurer, Environment environment) {
}
#Override
public UserIdSource getUserIdSource() {
return () -> {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication == null || authentication.getName().equals("anonymousUser")) {
throw new IllegalStateException("Unable to get a ConnectionRepository: no user signed in");
}
return authentication.getName();
};
}
#Override
public UsersConnectionRepository getUsersConnectionRepository(ConnectionFactoryLocator connectionFactoryLocator) {
JdbcUsersConnectionRepository repository = new JdbcUsersConnectionRepository(dataSource, connectionFactoryLocator, Encryptors.noOpText());
repository.setConnectionSignUp(new SocialConnectionSignUpService(customerService, customerProviderRepository, passwordEncoder));
return repository;
}
}
Implementation of SocialCOnnectionSignUpService
public class SocialConnectionSignUpService implements ConnectionSignUp {
private final CustomerService customerService;
private final CustomerProviderRepository customerProviderRepository;
private final PasswordEncoder passwordEncoder;
public SocialConnectionSignUpService(CustomerService customerService, CustomerProviderRepository customerProviderRepository, PasswordEncoder passwordEncoder) {
this.customerService = customerService;
this.passwordEncoder = passwordEncoder;
this.customerProviderRepository = customerProviderRepository;
}
#Override
public String execute(Connection<?> connection) {
ConnectionKey connectionKey = connection.getKey();
UserProfile profile = connection.fetchUserProfile();
Customer customer = customerService.findBy(profile.getEmail());
if(customer == null) {
customer = new Customer();
customer.setEmail(profile.getEmail());
customerService.add(customer);
}
SocialKey key = new SocialKey();
key.setUserId(customer.getId().toString());
key.setProviderUserId(connectionKey.getProviderUserId());
key.setProviderId(connectionKey.getProviderId());
CustomerProvider customerProvider = new CustomerProvider();
customerProvider.setKey(key);
customerProvider.setDisplayName(profile.getName());
customerProviderRepository.save(customerProvider);
return customerProvider.id();
}
}
And configuration of spring security:
#Configuration
#EnableWebSecurity
public class SecurityContext extends WebSecurityConfigurerAdapter {
#Autowired
private DataSource dataSource;
#Autowired
private CustomerRepository customerRepository;
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login/authenticate")
.permitAll()
.and()
.rememberMe()
.and()
.authorizeRequests()
.antMatchers("/signup/social").authenticated()
.antMatchers("/**").permitAll()
.and()
.apply(new SpringSocialConfigurer().postLoginUrl("/signup/social").alwaysUsePostLoginUrl(true))
.and()
.csrf().disable();
}
#Bean
public SocialUserDetailsService socialUserDetailsService() {
return new SocialUserDetailsServiceImpl(customerRepository);
}
}
Do you have any workaround or solution how to pass the problem?
Related
I'm working on the course "Information System" and follow the operation of the prof, but it turns a strange error:
The dependencies of some of the beans in the application context form a cycle:
here's my classes:
#Service
public class UsersService implements UserDetailsService {
#Autowired
private UsersRepository _usersDb;
#Autowired
private BCryptPasswordEncoder _passwordEncoder;
public boolean registerNewUser(String username, String password, Role role) {
Optional<User> oldUser = _usersDb.findByUsername(username);
if(oldUser.isPresent()) {
return false;
}
String encodedPassword = _passwordEncoder.encode(password);
User newUser = new User(null, encodedPassword, username, role);
_usersDb.save(newUser);
return true;
}
public List<User> getAllUsers() {
return _usersDb.findAll();
}
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Optional<User> user = _usersDb.findByUsername(username);
if(!user.isPresent()) {
throw new UsernameNotFoundException("User not found");
}
return user.get();
}
public boolean isAdminNotExists(String adminUsername) {
return _usersDb.findAll((r, q, b) -> b.or(
b.equal(r.get("role"), Role.ADMIN),
b.equal(r.get("username"), adminUsername)
)).isEmpty();
}
then:
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
#Autowired
private UsersService _usersService;
#Override
protected void configure(HttpSecurity httpSec) throws Exception {
httpSec.csrf()
.disable()
.authorizeRequests()
.antMatchers("/registration").not().fullyAuthenticated()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/dishes/**").hasAnyRole("USER", "MANAGER")
.antMatchers("/", "/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/")
.permitAll()
.and()
.logout()
.permitAll()
.logoutSuccessUrl("/");
}
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(_usersService).passwordEncoder(bCryptPasswordEncoder());
}
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
}
and this:
#Component
public class IsProjectAppDataInitializier implements ApplicationListener<ContextRefreshedEvent>{
private boolean _alreadyInitialized = false;
private final UsersService _usersSvc;
public IsProjectAppDataInitializier(UsersService usersSvc) {
_usersSvc = usersSvc;
}
#Override
public void onApplicationEvent(ContextRefreshedEvent event) {
if(!_alreadyInitialized) {
_alreadyInitialized = true;
this.initializeApp();
}
}
private void initializeApp() {
if (_usersSvc.isAdminNotExists("admin")) {
_usersSvc.registerNewUser("admin", "password", Role.ADMIN);
}
}
#Autowired works in the video of prof, but not works on mine....
Really need guys your help!
Your problem is same as this video tutorial I learned from. Search for the Soham Karmakar's comment. He asked this problem and below this comment it might be your solution as well.
I would tell you solution, but I can not see your UserServiceImplementation class.
Basicly your solution might be here:
remove private UsersRepository _usersDb; (UsersService.class)
change your passwordEncoder.encode(... to new BCryptPasswordEncoder().encode(.. (Your UserServiceImplementation.class)
For your WebSecurityConfig.class change
auth.userDetailsService(_usersService).passwordEncoder(bCryptPasswordEncoder());
to `
auth.userDetailsService(_usersService);
auth.setPasswordEncoder(new BCryptPasswordEncoder());
`
Try, it should work.
I have spring web mvc project with Spring Security 4.1.0.RELEASE
In spring controller i try fetch the user from the context
#RestController
public class Test {
#RequestMapping(value="test", method = RequestMethod.POST)
public ResponseEntity<Void> test() {
ContextUser user = (ContextUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
}
user is an instance with id = 0, login = null .... It is empty instance.
org.springframework.security.core.Authentication isAuthenticated = true, list of Collection<? extends GrantedAuthority> are correct This behaviour is occurred periodically. It is not every time for this request. I catch this issue only for that request
My configurations
#Configuration
#ComponentScan(basePackages={"com.test.app"},
excludeFilters=#ComponentScan.Filter(type=FilterType.REGEX, pattern={"com.test.app.web.*"}))
#PropertySource(value = { "classpath:application.properties" })
#EnableAspectJAutoProxy
public class AppConfig {
#Autowired
private DataSource dataSource;
//My beans
}
#Component
public class TestUserDetailsService implements UserDetailsService{
#Autowired
private TestUserService service;
#Override
public UserDetails loadUserByUsername(String userName)
throws UsernameNotFoundException {
User user = service.findByLogin(userName);
if (user == null) {
throw new UsernameNotFoundException("Error");
}
return new ContextUser(user);
}
}
public class ContextUser extends User implements UserDetails {
//...
}
#Configuration
#EnableWebSecurity
#EnableAsync
#EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
#Autowired
private TestAuthenticationEntryPoint testAuthenticationEntryPoint;
#Autowired
private TestSimpleUrlAuthenticationSuccessHandler testSimpleUrlAuthenticationSuccessHandler;
#Autowired
private TestSimpleUrlAuthenticationFailureHandler testSimpleUrlAuthenticationFailureHandler;
#Autowired
private LogoutSuccessHandler logoutSuccessHandler;
#Autowired
private TestUserDetailsService testUserDetailsService;
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
protected void configure(AuthenticationManagerBuilder registry) throws MyException {
registry.userDetailsService(testUserDetailsService).passwordEncoder(new TestEncoder());
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);
http.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(testAuthenticationEntryPoint)
.and().sessionManagement().sessionFixation().migrateSession().maximumSessions(-1).sessionRegistry(sessionRegistry()).and()
.and()
.authorizeRequests()
.antMatchers("/").access("hasAuthority('TEST')")
.anyRequest().authenticated()
.and()
.formLogin()
.successHandler(testSimpleUrlAuthenticationSuccessHandler)
.failureHandler(testSimpleUrlAuthenticationFailureHandler)
.and()
.logout().logoutSuccessHandler(logoutSuccessHandler)
.and()
.headers().cacheControl().disable().frameOptions().sameOrigin();
}
#Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
#Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/resources/**");
}
}
Are any ideas why this behaviour is happened?
I am working on authentication service part of cloud app and I created the following security config class.
#Configuration
#EnableWebSecurity
public class JwtSecurityConfig extends WebSecurityConfigurerAdapter {
private final PasswordEncoder encoder;
private final UserService userService;
private final JwtConstant jwtConstant;
#Autowired
public JwtSecurityConfig(PasswordEncoder encoder, UserService userService, JwtConstant jwtConstant) {
this.encoder= encoder;
this.userService = userService;
this.jwtConstant = jwtConstant;
}
#Bean
public DaoAuthenticationProvider getAuthenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setPasswordEncoder(encoder);
authenticationProvider.setUserDetailsService(userService);
return authenticationProvider;
}
#Override
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(getAuthenticationProvider());
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilter(getAuthenticationFilter())
.authorizeRequests()
.antMatchers(HttpMethod.PUT, "/signup").permitAll()
.anyRequest()
.authenticated();
}
private AuthenticationFilter getAuthenticationFilter() throws Exception {
return new AuthenticationFilter(authenticationManager(), jwtConstant);
}
}
I am not sure about the chain methods of configure(HttpSecurity http) method. The authentication service will only receive "login" and "signup" requests.
Should I remove authorizeRequests() method as I do not authorize anything?
I am not sure about anyRequest().authenticated() part either if I really need it?
there are a couple of things that have to be changed, but first of all, you have to define a method that will provide jwt for each request and every request should provide an AuthRequest object that contains username and password :
#RestController
public class WelcomeController {
#Autowired
private JwtUtil jwtUtil;
#Autowired
private AuthenticationManager authenticationManager;
#PostMapping("/signup")
public String generateToken(#RequestBody AuthRequest authRequest) throws Exception {
try {
authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(authRequest.getUserName(), authRequest.getPassword())
);
} catch (Exception ex) {
throw new Exception("inavalid username/password");
}
return jwtUtil.generateToken(authRequest.getUserName());
}
}
and in the UserDetailsService you can make authentication as below :
#Service
public class UserDetailsService implements org.springframework.security.core.userdetails.UserDetailsService {
#Autowired
private final UserRepository userRepository;
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
System.out.println("tried to loging : " + username);
if(!Objects.isNull(username) && !"".equals(username)){
Optional<User> user = userRepository.findUserByUserName(username);
System.out.println(user.get());
if(user.isPresent()){
User userParam = user.get();
return new org.springframework.security.core.userdetails.User(userParam.getUserName(),
userParam.getPassword(), new ArrayList<>());
}
}
throw new UsernameNotFoundException("user does not exists or empty !!");
}
}
and for the configuration side :
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private final UserDetailsService userDetailsService;
#Autowired
private final JwtFilter jwtFilter;
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
#Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder(10);
}
#Bean(name = BeanIds.AUTHENTICATION_MANAGER)
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().antMatchers("/signup").permitAll()
.anyRequest().authenticated()
.and().exceptionHandling().and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);;
}
}
for further information, you can follow my Github branch Authnticaition sample
I struggle to understand how to test the Spring Boot application with the Spring Security layer.
I have asked similar questions How to enforce Spring Security with MockitoJUnit runner? and How to mock customer user service details in Spring Security layer?
I have a custom implementation for UserDetailsService which take data from the database, so naturally, I want to take it from somewhere else during unit-testing phase
I want to test my web-layer to see if Spring Security works and if all other use-cases work as well.
How can I achieve both tasks above?
SecurityConfig class:
#Configuration
#EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private static final String[] AUTH_WHITELIST = {
// -- swagger ui
"/",
"/csrf",
"/swagger-resources",
"/swagger-resources/**",
"/configuration/ui",
"/configuration/security",
"/swagger-ui.html",
"/webjars/**"
};
#Autowired
#Qualifier("customUserDetailsService")
private UserDetailsService userDetailsService;
private final static Integer bCryptEncryptionLevel = 8;
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder(bCryptEncryptionLevel);
}
public SecurityConfig() {
super();
}
#Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
authManagerBuilder.authenticationProvider(authenticationProvider());
authManagerBuilder.userDetailsService(userDetailsService)
.passwordEncoder(bCryptPasswordEncoder());
}
#Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService);
authenticationProvider.setPasswordEncoder(bCryptPasswordEncoder());
return authenticationProvider;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers(AUTH_WHITELIST).permitAll()
// allow default swagger docket
.regexMatchers("\\A/v2/api-docs\\Z").permitAll()
// require auth for any other swagger docket
.regexMatchers("\\A/v2/api-docs?.*\\Z").authenticated()
.antMatchers("/**").authenticated()
.and()
.httpBasic()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
CustomUserDetailsService class:
#Service("customUserDetailsService")
#Profile("!test")
public class CustomUserDetailsService implements UserDetailsService {
private final static Logger logger = LoggerFactory.getLogger(CustomUserDetailsService.class);
private StringRedisTemplate redisTemplate;
private RedisProperties redisProperties;
#Autowired
public CustomUserDetailsService(RedisProperties redisProperties, StringRedisTemplate redisTemplate) {
this.redisProperties = redisProperties;
this.redisTemplate = redisTemplate;
}
#Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
// Do queries to DB and return user if such user exists
}
}
I also added CustomUserDetailsServiceTest class for the unit-testing purpose only into the same package but under src/test/java:
#Service("customUserDetailsService")
#Profile("test")
public class CustomUserDetailsServiceTest implements UserDetailsService {
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
#SuppressWarnings("serial")
Map<Object, Object> entries = new HashMap<Object, Object>(){{
put("username", username);
put("password_hash", "$2a$08$YjMcOsLmbbUB4DYPxqSAxOa3STLjEDovwd2..Uidwp.asyhSi8Y5u");
put("role", "ADMIN");
}};
UserEntity user = new UserEntity(entries);
return new HiccasoftApiUser(user);
}
}
How can I use custom implementation for customUserDetailsService in unit-tests while testing web-layer?
The problem is, BCryptPasswordEncoder is not encrypt the password on login process therefore login fails, let's say password is 123 and stored in db as hashed, when the post the password 123 returns invalid_grants, but when the hashed password is sent from client, returns the access token. It is also ok when the password when password encoder is commented.
App.java
#SpringBootApplication
public class App {
#Bean
BCryptPasswordEncoder getPasswordEncoder() {
return new BCryptPasswordEncoder();
}
public static void main(String[] args) throws Exception {
SpringApplication.run(App.class, args);
}
#Autowired
public void authenticationManager(AuthenticationManagerBuilder authenticationManagerBuilder, final UserRepository userRepository, UserService userService) throws Exception {
if(userRepository.count() == 0) {
User user = new User();
Role role = new Role();
role.setName("SA");
user.setEmail("test");
user.setPassword("123");
user.setRoles(Arrays.asList(role));
user.setBlocked(false);
user.setEnable(true);
userService.save(user);
}
authenticationManagerBuilder.userDetailsService(email -> {
return userService.loadUserByUsername(email);
});
}
}
WebSecurityConfiguration.java
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled=true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
static final String SIGNING_KEY = "kKSMJ92Mknk38njs9HJ8KNALiuc938FH";
static final int ENCODING_STRENGTH = 256;
static final String SECURITY_REALM = "Task Manager";
#Autowired
private BCryptPasswordEncoder passwordEncoder;
#Autowired
private UserDetailsService userDetailsService;
#Autowired
private DataSource dataSource;
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder)
.and()
.authenticationProvider(authenticationProvider())
.jdbcAuthentication()
.dataSource(dataSource);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/sign-up", "/sign-in", "/").permitAll()
.antMatchers("/api/**").authenticated()
.and()
.httpBasic()
.realmName(SECURITY_REALM)
.and()
.csrf()
.disable();
}
#Bean
public UserDetailsService userDetailsService() {
return super.userDetailsService();
}
#Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder);
return authenticationProvider;
}
UserService.java
#Service
public class UserService implements UserDetailsService {
#Autowired
private UserRepository userRepository;
#Autowired
private BCryptPasswordEncoder passwordEncoder;
public void save(User user) {
user.setPassword(passwordEncoder.encode(user.getPassword()));;
userRepository.save(user);
}
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = this.userRepository.findUserByEmail(username);
if (user == null) {
throw new UsernameNotFoundException(username);
}
return new CustomUserDetails(user);
}
}
The problem might be here. Remove the lines that are commented out.
#Autowired
public void authenticationManager(AuthenticationManagerBuilder authenticationManagerBuilder, final UserRepository userRepository, UserService userService) throws Exception {
if(userRepository.count() == 0) {
User user = new User();
Role role = new Role();
role.setName("SA");
user.setEmail("test");
user.setPassword("123");
user.setRoles(Arrays.asList(role));
user.setBlocked(false);
user.setEnable(true);
userService.save(user);
}
// authenticationManagerBuilder.userDetailsService(email -> {
// return userService.loadUserByUsername(email);
// });
}
You are overriding all the multiple configurations that you have done in your configuration classes, and as a result the password encoder is never applied to your AuthenticationManagerBuilder.