In my shiro application, I want to define a AuthenticationFilter for all paths except REST.
ie /rest/... doesnt go through it but everything else would.
I'm using Shiro-Guice so my filter setups are of the form
addFilterChain("/rest/**" ,restFilter)
addFilterChain("/**", filter) //I want this one to work on everything except my rest filter
I looked at this question about Ant path pattern style but there doesnt seem to be support for regexes.
You can't do it like that. The way shiro works is that it checks the filters in the order they are configured. It first checks the first filter, if it can't authenticate, it will move on to the next. There is no exclusion pattern for that.
You can write your own custom shiro filter that will deny authrorization on de rest url.
I don't know how it will work in guice, but in shiro.ini you can do something like:
[main]
myfilter = UrlBasedAuthzFilter
restFilter = YourRestFilterClass
[urls]
/rest/** = restFilter
/** = myfilter
And the filter class:
public class UrlBasedAuthzFilter extends AuthorizationFilter {
#Override
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
if (request.getServletContext().getContextPath().startsWith("/rest"){
return false;
}
return super.isAccessAllowed(request, response, mappedValue);
}
}
#Bean("shiroFilter")
public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
Map<String, Filter> filterMap = new LinkedHashMap<>();
filterMap.put("adminLoginFilter", new AdminLoginFilter());
filterMap.put("jwtAdminAuthcFilter", new JwtAdminAuthcFilter());
factoryBean.setFilters(filterMap);
factoryBean.setSecurityManager(securityManager);
factoryBean.setUnauthorizedUrl("/401");
Map<String, String> filterRuleMap = new LinkedHashMap<>();
filterRuleMap.put("/admin/auth/login","adminLoginFilter");
filterRuleMap.put("/admin/**", "jwtAdminAuthcFilter");
filterRuleMap.put("/401", "anon");
factoryBean.setFilterChainDefinitionMap(filterRuleMap);
return factoryBean;
}
Related
I've been following this tutorial in order to create an Authentication Server, but I'm facing some problems regarding the concepts, I guess.
Look, when I register a Client in Repository, I have to define some parameters, like its id, secret, authentication method, grant types, redirection uris and scopes:
#Bean
public RegisteredClientRepository registeredClientRepository() {
RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("articles-client")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.redirectUri("http://127.0.0.1:8080/login/oauth2/code/articles-client-oidc")
.redirectUri("http://127.0.0.1:8080/authorized")
.scope(OidcScopes.OPENID)
.scope("articles.read")
.build();
return new InMemoryRegisteredClientRepository(registeredClient);
}
When I'm back to my Resource Server, I find that my client was successfully logged in and it returns with an "articles.read" scope. Everything is fine here, supposing that I want to protect my endpoints with the Client's scope, but this is not my case.
In my situation, I want to protect my endpoints according to my User's role in database.
I'll give you an example, so you don't have to read the whole Baeldung's website:
I try to access: http://localhost:8080/articles.
It redirects to: http://auth-server:9000, where a Spring Security Login Form appears.
When you submit the proper credentials (which are compared from a database using the default Spring Security schema), it basically gets you back to: http://localhost:8080/articles.
Well, in that point, I have an Authorization Token with the Client scope, but not the logged User role.
Is there an standard way to configure my project to achieve this or, do I have to think of a creative way to do so?
Thank you in advance.
For role based authentication you should map authorities in Oauth token.
OAuth2AuthenticationToken.getAuthorities() is used for authorizing requests, such as in hasRole('USER') or hasRole('ADMIN').
For this you need to implement the userAuthoritiesMapper, something like this:
#Configuration
public class AppConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.oauth2Login().userInfoEndpoint().userAuthoritiesMapper(this.userAuthoritiesMapper());
//.oidcUserService(this.oidcUserService());
super.configure(http);
}
private GrantedAuthoritiesMapper userAuthoritiesMapper() {
return (authorities) -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
authorities.forEach(authority -> {
if (OidcUserAuthority.class.isInstance(authority)) {
OidcUserAuthority oidcUserAuthority = (OidcUserAuthority)authority;
OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();
if (userInfo.containsClaim("role")){
String roleName = "ROLE_" + userInfo.getClaimAsString("role");
mappedAuthorities.add(new SimpleGrantedAuthority(roleName));
}
} else if (OAuth2UserAuthority.class.isInstance(authority)) {
OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority)authority;
Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();
if (userAttributes.containsKey("role")){
String roleName = "ROLE_" + (String)userAttributes.get("role");
mappedAuthorities.add(new SimpleGrantedAuthority(roleName));
}
}
});
return mappedAuthorities;
};
}
}
I'm using spring security in my spring boot app to provide user functionality. I've spent quiet some time searching for an answer to the problem, but did only find solutions for people using xml-based configurations.
My set-up is very similar to this: http://www.baeldung.com/spring-security-track-logged-in-users (alternative method at the bottom).
This is my SecurityConfiguration:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin().defaultSuccessUrl("/home.html", true)
//.and().exceptionHandling().accessDeniedPage("/home")
.and().authorizeRequests().antMatchers("/editor").hasAnyAuthority("SUPERUSER")
.and().authorizeRequests().antMatchers("/editor").hasAnyAuthority("ADMIN")
.and().authorizeRequests().antMatchers("/").permitAll().anyRequest().authenticated()
.and().formLogin().loginPage("/login").permitAll()
.and().authorizeRequests().antMatchers("/static/**").permitAll()
.and().logout().permitAll().logoutSuccessUrl("/login").logoutUrl("/logout").deleteCookies("JSESSIONID")
.and().csrf().disable();
http.sessionManagement().invalidSessionUrl("/login").maximumSessions(1).sessionRegistry(sessionRegistry()).expiredUrl("/login");
}
This is where i call the sessionRegistry:
public List<String> getAllLoggedUsernames() {
final List<Object> allPrincipals = sessionRegistry.getAllPrincipals();
// System.out.println("All Principals: " + sessionRegistry.getAllPrincipals());
List<String> allUsernames = new ArrayList<String>();
System.out.println(allUsernames.size());
for (final Object principal : allPrincipals) {
if (principal instanceof SecUserDetails) {
final SecUserDetails user = (SecUserDetails) principal;
//Make sure the session is not expired --------------------------------------------------▼
List<SessionInformation> activeUserSessions = sessionRegistry.getAllSessions(principal, false);
if (!activeUserSessions.isEmpty()) {
allUsernames.add(user.getUsername());
System.out.println(user.getUsername());
}
}
}
return allUsernames;
}
Now when I try to get the currently logged-in user i get it correctly like that:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String username = auth.getName();
My sessionRegistry is defined as a Bean the following way:
#Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
It is left to say that I call the getAllLoggedUsernames() from a controller via a service much like this:
#Autowired
private SecUserDetailService service;
And later in a #RequestMapping function:
service.getAllLoggedUsernames();
And the list received there is always empty, no matter how many users are actually logged in.
Now my guess from other questions asked here would be that somehow my application gets loaded twice or that my bean setup is messed up. I kind of think that the #Autowired does not work, since I think the Service needs some kind of context information?
I'm really new to Dependency injection though, so it's kinda hard to get everything correct.
Thanks for any help in advance!
Edit - Minor clarifications
Solved: There was a type error, the if statement in the getAllLoggedUsers() method always resolved to false as the Object is not an instance of my own UserDetails class, but of org.springframework.security.core.userdetails.User!
I am writing unittests and I've stumbled across something I can't find a solution for that fits my needs or code I already have.
The User first comes at a page where they have to choose (from a dropdown list) what brand they want to make a configuration for. After they click 'submit', it takes them to a page where all the appropriate settings are listed per category.
Now, the choosing of the brand is a form and it's submitted to this method:
// Display a form to make a new Configuration
#PostMapping("/addConfig")
public String showConfigurationForm(WebRequest request, Model model) {
// Get the ID of the selected brand
Map<String, String[]> inputMap = request.getParameterMap();
for (Entry<String, String[]> input : inputMap.entrySet()) {
if (input.getValue().length > 0
&& input.getKey().startsWith("brand")) {
brandId = Integer.parseInt(input.getValue()[0]);
}
}
// Load the view
model.addAttribute("categoryResult",
databaseService.getCategories(brandId));
model.addAttribute("configItemsMap",
databaseService.getAddConfigItems(brandId));
return "addConfig";
}
I want to unittest this method to see if the model has the attributes we expect it to.
This is the unit test I have now:
#RunWith(SpringRunner.class)
#SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
#ActiveProfiles("test")
public class AddConfigurationTest {
#Autowired
AddConfigurationController addConfigurationController;
#MockBean
DatabaseService databaseServiceTest;
#Mock
WebRequest webRequest;
#Before
public void setup() {
// Make Categories
List<ItemCategory> defaultCategories = new ArrayList<>();
defaultCategories.add(new ItemCategory(1, 1, "GPS settings"));
// Mock it
Mockito.when(this.databaseServiceTest.getCategories(1)).thenReturn(
defaultCategories);
}
#Test
public void configurationFormShouldContainCategories() {
// TODO: Still needs param for webrequest
// Make a model
Model model = new ExtendedModelMap();
addConfigurationController.showConfigurationForm(webRequest, model);
// Get the list from the model
#SuppressWarnings("unchecked")
List<ItemCategory> categoryList = (List<ItemCategory>) model.asMap()
.get("categoryResult");
System.out.println(categoryList);
}
}
The System.out.println now outputs: []
I am sure it has to do with the WebRequest, because as I have it now this WebRequest does not have the input from a form the showConfigurationForm method needs.
My question is: how can I add the right data to WebRequest so the test will return a List? Or is there another way around that I have not figured out?
Just configure your Mock WebRequest object before executing the test:
#Before
public void setup()
{
Map<String, String[]> mockParameterMap = new HashMap<>();
mockParameterMap.put("brand00", new String[]{"value01"});
// add all the parameters you want ...
Mockito.when(webRequest.getParameterMap())
.thenReturn(mockParameterMap);
}
That should be enough for the example you described.
It is also possible to use MockHttpServletRequest.html to set-up the http request in the way you want.
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
servletRequest.setServerName("www.example.com");
servletRequest.setRequestURI("/v1/someuri");
servletRequest.addParameter("brand1", "value1");
servletRequest.addParameter("brand2", "value2");
servletRequest.addParameter("another-param", "another-value");
ServletWebRequest servletWebRequest = new ServletWebRequest(servletRequest);
assertThat("brand names ", servletWebRequest.getParameterMap(), hasEntry("brand1", "value1"));
It is particularly useful in cases such as ServletWebRequest whose 'getRequestURI()' method, for instance, is a final method and hence cannot be mocked. So, instead of mocking we can simply pass in a web request that we built, like the one above.
I'm using a very simple httpServer in Java for an api rest with GET, POST, PUT and DELETE. I'm using Basic Authentication and I have a couple classes Authentication.java and Authorisation.java which I use to authenticate and check permissions for the users.
So, the thing is that I want all users (authenticated) to be able to GET information from my api rest, but only users with certain privileges to be able to POST, PUT and DELETE. So how can I do that?
This is what I got
public class Server {
private static HttpServer server;
public static void start() throws IOException {
server = HttpServer.create(new InetSocketAddress(8000), 0);
HttpContext ctx = server.createContext("/users", new UserHandler());
ctx.setAuthenticator(new ApiRestBasicAuthentication("users"));
server.start();
}
}
And this is my ApiRestBasicAuthentication
public class ApiRestBasicAuthentication extends BasicAuthenticator {
private UserAuthentication authentication = new UserAuthentication();
public ApiRestBasicAuthentication(String realm) {
super(realm);
}
#Override
public boolean checkCredentials(String user, String pwd) {
int authCode = authentication.authenticate(user, pwd);
return authCode == UserAuthentication.USER_AUTHENTICATED;
}
}
As this is now, check credentials is only checking if the user is authenticated.
But I'd like to check, if the method is POST, DELETE or PUT I should also check the specific credentials. But how can I get the method in my ApiRestBasicAuthentication? I'm doing that in my handler class
public void handle(HttpExchange httpExchange) throws IOException {
String method = httpExchange.getRequestMethod();
if ("post".equalsIgnoreCase(method)) {
createUser(httpExchange);
} else if ("get".equalsIgnoreCase(method)) {
readUsers(httpExchange);
} else if ("put".equalsIgnoreCase(method)) {
updateUser(httpExchange);
} else if ("delete".equalsIgnoreCase(method)) {
deleteUser(httpExchange);
}
}
Maybe this is supposed to be done some other way.
Any ideas?
Many thanks.
A simple way to do it would be to change your
ApiRestBasicAuthentication like:
public class ApiRestBasicAuthentication extends BasicAuthenticator {
private UserAuthentication authentication = new UserAuthentication();
public ApiRestBasicAuthentication(String realm) {
super(realm);
}
#Override
public Authenticator.Result authenticate(HttpExchange exch) {
Authenticator.Result result=super.authenticate(exch);
if(result instanceof Authenticator.Success) {
HttpPrincipal principal=((Authenticator.Success)result).getPrincipal();
String requestMethod=exch.getRequestMethod();
if( ADD SOME LOGIC HERE FOR PRINCIPAL AND REQUEST METHOD) {
return new return new Authenticator.Failure(401);
}
return result;
}
}
#Override
public boolean checkCredentials(String user, String pwd) {
int authCode = authentication.authenticate(user, pwd);
return authCode == UserAuthentication.USER_AUTHENTICATED;
}
}
And add some logic there for requests/users that you want to fail the authenticator. I have shown you here how to get the method in the authenticate method but you need to specify the types of credentials.
Another solution would be if you check the source code of BasicAuthenticator you can see how it implements authenticate method and you can create your own implementation in a similar way instead of extending BasicAuthenticator and use the get method instead of just the username and password. You can see the source code here and I am sure you will be able to find your way around ;)
Usually in enterprise application you can use some external security management system - for example if you use Spring (the de facto standard in the current java web apps) you can use spring security and do such security patterns and filters in a more declarative way
While the above answers might be valid for you, I think you should also consider using defined roles and security-constraints which can be defined in your web.xml and used in the REST Resource using #RolesAllowed annotation. This then allows you to specifically allow permissions for methods individually or at the REST resource/class level.
In web.xml, this looks something like this:-
<security-role>
<role-name>SERVERTOSERVER</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>REST API description</web-resource-name>
<url-pattern>/<path name>/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>Only allow users
from following roles</description>
<role-name>SERVERTOSERVER</role-name>
</auth-constraint>
</security-constraint>
The following links have some examples: Purpose of roles tags in tomcat-users.xml? ,
https://www.thecoderscorner.com/team-blog/hosting-servers/17-setting-up-role-based-security-in-tomcat/
In case helpful, here is another type of solution for a Jersey based application: https://howtodoinjava.com/jersey/jersey-rest-security/
There might be many ways to solve this issue. Here is one of my proposal:
Create a User Object with fields that you want and one field called something like "role". Lets say only "admins" are allowed to do make Http requests other than "GET" while "regular" users can only do "GET". Many ways to do this but one way is to make the "role" field String and assign values to it using an ENUM, so that it's easy to change later and only specific terms are used. But you don't have to do that. Write get and set method for the fields you create and that you might need later, and definitely for role.
You need to make sure that class containing the handle(HttpExchange httpExchange) is able to see the currently logged in user, and refer to the User object associated with them. Then you need to modify the method so that
if(loggedInUser.getRole().equals("admin")){
//allow whatever method
} else {
// allow "GET" or give some denied permission error
}
Since other implementations have not been provided, I can't give a more detailed answer or be sure that this will work for you.
I think what you should create an AuthenticationInterceptor and by-pass GET the requests there and correspondingly apply authentication mechanism for rest non-GET requests.
public class AuthenticationInterceptor extends HandlerInterceptorAdapter {
#Autowired
private ApiRestBasicAuthentication apiRestBasicAuthentication;
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
switch (request.getMethod()) {
case "GET" :
// by-passing all GET requests
return true;
default :
return apiRestBasicAuthentication.checkCredentials(username, password);
}
}
}
We are using a very simple setup of #RepositoryRestResource on top of a PagingAndSortingRepository connected to a postgres database. Also we have configured spring.jackson.property-naming-strategy=SNAKE_CASE to return pretty json. It was all fine and dandy until we started sorting. As we have discovered - sorting requires us to provide the actual class field names (which we of course have in camel case):
get("/thing?sort=dateCreated,desc")
And when we try to do javascript friendly
get("/thing?sort=date_created,desc")
it fails miserably because jpa tries to split the parameter by the underscore.
Is there a simple way to have the path params the same format as we have them in the json that we are returning?
There is a bug for this - DATAREST-883. It was fixed and released. But then, due to regressions (DATAREST-909) this has been dropped in the very next release. I asked them on Github if they plan to have this again as this has bitten me in the past as well. We'll see what they have to say about this.
For now you can:
leave it be
go with the camel case property names
work around this (e.g. go with Alan Haye's answer) - this seems fragile IMHO, but probably will do in a short term.
The status of the feature in the spring-boot versions I've tested with:
1.4.0 (spring-data-rest 2.5.2): not yet implemented
1.4.1 (spring-data-rest 2.5.3): works -> code
1.4.2 (spring-data-rest 2.5.5): dropped
It is unclear whether you can do this in some Spring Data Rest specific way however you should be able to handle it by means of a standard Servlet filter which would look something like the below:
public class SortParameterConversionFilter extends GenericFilterBean {
// as we are extending Spring's GenericFilterBean
// you can then *possibly* inject the RepositoryRestConfiguration
// and use RepositoryRestConfiguration#getSortParamName
// to avoid hard coding
private static final String SORT_PARAM_KEY = "sort";
#Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
if (shouldApply(request)) {
chain.doFilter(new CollectionResourceRequestWrapper(request), res);
} else {
chain.doFilter(req, res);
}
}
/**
*
* #param request
* #return True if this filter should be applied for this request, otherwise
* false.
*/
protected boolean shouldApply(HttpServletRequest request) {
return request.getServletPath().matches("some-pattern");
}
/**
* HttpServletRequestWrapper implementation which allows us to wrap and
* modify the incoming request.
*
*/
public class CollectionResourceRequestWrapper extends HttpServletRequestWrapper {
public ResourceRequestWrapper(HttpServletRequest request) {
super(request);
}
#Override
public String getParameter(final String name) {
if (name.equals(SORT_PARAM_KEY)) {
String [] parts = super.getParameter(SORT_PARAM_KEY).split(",");
StringBuilder builder = new StringBuilder();
int index = 0;
for (String part : parts) {
// using some mechanism of you choosing
// convert from underscore to camelCase
// Using the Guava library for example
String convertedPart = CaseFormat.LOWER_UNDERSCORE.to(
CaseFormat.LOWER_CAMEL, part);
++index;
builder.append(convertedPart).append(index < parts.length ? "," : "");
}
return builder.toString();
}
return super.getParameter(name);
}
}
}