I am trying to get spring-boot-starter-security to work along with spring-boot-starter-web and spring-boot-starter-tomcat. I tried following the guide from spring-boot-sample-secure and spring-boot-sample-web-secure however I did not get it to work.
I am trying to build a REST application without any ui interactions. Hence I found both samples are not fully suitable for my purpose. Currently my solution is by using AOP.
ControllerMonitor.java:
#Before("execution(* my.zin.rashidi.openshift.tomcat.controller.*.*(..)) && args(authorization, ..)")
public void authenticate(String authorization) {
if (!isEmpty(authorization)) {
SecurityContextHolder.getContext().setAuthentication(
new UsernamePasswordAuthenticationToken("user", "N/A",
AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"))
);
}
}
UserController.java:
#RequestMapping(method = GET)
public ResponseEntity<User> get(#RequestHeader String authorization, #RequestBody User user) {
HttpStatus status = OK;
User returnObject = null;
try {
returnObject = service.get(user);
} catch (AuthenticationCredentialsNotFoundException e) {
status = UNAUTHORIZED;
}
return new ResponseEntity<User>(returnObject, status);
}
The solutions is working for me. However I would like to know if this is a good solution. I'm curious if there is a better solution.
Thanks in advanced for your helps!
I wouldn't want to add an optional parameter to every controller method, and because it's optional the risk of forgetting is quite high. You asked for an opinion, and I think a better solution is to use a more normal Spring Security approach with a filter (standard basic auth if that's good enough, or maybe a custom filter like a pre-auth, for instance, if it doesn't meet your needs). You get http basic security out of the box in a Spring Boot app, so you don't really need to do anything at all to get started.
Related
I implemented a basic JPA authentication following this tutorial.
I wanted to create an endpoint /mydetails to display user information (profile info).
What I've tried:
#GetMapping("/mydetails")
public Optional<User> getUser(HttpServletRequest request) {
Optional<User> foundUser = Optional.ofNullable(userRepo.getUserByUsername(request.getUserPrincipal().getName()));
return foundUser;
}
Outcome:
{
"id":1,
"username":"name.surname#companyname.com",
"password":"$2a$10$7YzUO6scaC06LV6IgOsSXetFm4/U0WM.UZykhRfQcJBzKacyZFMK",
"first_name":"John",
"last_name":"Walker",
"organization_name":"ABC",
"role":"Admin",
"credibility_rating":"100"
}
The problem is that this literally takes out all the information and I want everything except the password.
How could I stop the response from sending the password information?
I am totally new to Spring and have not used Java for many years.
Any insight would be highly appreciated.
It seems you are talking about a REST controller that returns JSON. With the default configuration, Spring Boot uses Jackson to transform objects to JSON. The most simple fix would be to tell Jackson to ignore the password field in your User class:
public class User {
...
#JsonIgnore
private String password;
...
}
See this article for more information.
I'm trying to configure a Spring Boot application with Keycloak to have an endpoint that is both accessible for authenticated and unauthenticated users. For authenticated users, I want to return some extra information. Here is a simple example of what I'm trying to achieve:
#RestController
public class HelloController {
#GetMapping("/")
public String index(Principal principal) {
KeycloakPrincipal keycloakPrincipal = (KeycloakPrincipal) principal;
if (keycloakPrincipal != null) {
return "Hello " + keycloakPrincipal.getKeycloakSecurityContext().getToken().getPreferredUsername();
} else {
return "Hello";
}
}
}
application.properties:
keycloak.securityConstraints[0].authRoles[0] = *
keycloak.securityConstraints[0].securityCollections[0].name = Hello
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*
So far, I only got it to work for one of both cases. If I protect the endpoint using the security constraint above, the endpoint is only accessible to authenticated users. If I remove the security constraint, the endpoint is accessible for everyone, but then the principal will always be null.
Is it possible to achieve the intended behavior?
Have you tried something like Principal principal = SecurityContextHolder.getContext().getAuthentication();?
I believe the Principal as method parameter is only populated on secured endpoints but am unsure if it would exist in the SecurityContext. If not, you need to add a Filter to add it yourself.
I was able to solve the problem by calling the authenticate() method on the HttpServletRequest object. This will trigger the authentication process and will populate the user principal whenever possible. From the docs:
Triggers the same authentication process as would be triggered if the
request is for a resource that is protected by a security constraint.
To avoid triggering an authentication challenge, I pass in a dummy response object to the authenticate() call.
I have a Java project with various #RequestMapping annotations.I want to make a new project which can use this #RequestMapping,is that possible
Of course you can.
If I understand your question correctly, do you want to use the data provided by a Spring application in another application?
It's not that hard, you just have to keep a few things in mind.
The applications have to run on different ports, of course both applications have to be started.
For example, App1 has a #RequestMapping #GetMapping for personal data.
The path is e.g. http://localhost:8080/persondata
In the second application, you only need to address the API endpoint if you need this data.
This can be done with RestTemplate, for example.
#RestController
#RequestMapping("/persondata")
class PersonDataRestController {
private final Service personService;
public PersonDataRestController(Service personService) {
this.personService = personService;
}
#GetMapping
public ResponseEntity<Collection<?>> getAllPersonData() {
return ResponseEntity.ok(personService.allPersonData());
}
}
You just have to replace the Service with your PersonService or whatelse.
in the second application you can call the REST endpoint with RestTemplate for example
RestTemplate template = new RestTemplate();
try{
ResponseEntity<ArrayList<?>> response = template.exchange("http://localhost:8080/persondata", HttpMethod.GET, null, new ParameterizedTypeReference<ArrayList<?>>() {});
In terms of the specific application, you may need a DTO object.
For this topic i can suggest you this website
I hope I could answer your question
I'm implementing an application that has a variety of ways to login, most importantly via a request header for pre-auth purposes and normal username/password. Currently everything works, but I've been requested to redirect the user to an error page if they attempted to use the pre-auth filter and it "failed".
From what I can tell, if pre-auth returns null it just assumes non-authed and continues the flow. I'm looking for a way to redirect or raise an exception, but I can't seem to hit my AuthenticationFailureHandler from the pre-auth filter. Is there a better way to do this? Do I need to hack something together that optionally treats the principal as an Exception. Should I be using a different authentication mechanism?
I'm by no means am Spring Security expert, so any help is welcome.
I cannot share the code due to contractual agreements, but here's an example:
#Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
Object principal = null;
// Try login stuff if token exists...
String token = request.getHeader("the-token-key");
if (token != null && !token.empty()) {
...
// If successful, correctly set principal
principal = ...;
// Else login failed, redirect or throw exception??
}
return principal;
}
I know this is usually an issue that happens the other way around, so I am caught a little of guard here :D
I have built a user-management backend that provides a UI with data. When this architecture is deployed on our dev-server, everything works beautifully. However, as soon as I try to run the integration tests (which we do using a maven cargo tomcat) or if I use the war file in a local tomcat, the exception handlers aren't used at all. Spring simply displays a standard 500 response with the exception transformed into the body.
Perusing SO for similar issues has only resulted in the advice that I should use #EnableWebMVC, but that is neither applicable to what my backend is trying to accomplish, nor does it change anything.
How should I go about looking for the solution to this issue? Specifically, can I somehow observe if my controlleradvice is even scanned, and is there a reason why it might not be?
EDIT: These are the relevant files:
SpringConfiguration:
#Configuration
#ComponentScan(basePackageClasses = {UserManagementSpringConfiguration.class})
#EnableWebSecurity
public class UserManagementSpringConfiguration {
#Configuration
public static class ResourceMappingConfig implements WebMvcConfigurer {
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/ui/*/usermanagement").setViewName("forward:/usermanagement-ui/index.html");
// registry.addViewController("/ui/*/*/generator/").setViewName("forward:/generator-ui/index.html");
registry.addViewController("/ui/*/usermanagement/*").setViewName("forward:/usermanagement-ui/index.html");
}
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
// cache setting, otherwise fonts are not loaded in IE over https
CacheControl cacheControl = CacheControl.noCache().mustRevalidate();
registry.addResourceHandler("/ui/**/*").addResourceLocations("/usermanagement-ui/")
.setCacheControl(cacheControl);
}
}
}
ControllerAdvice:
#ControllerAdvice
public class CustomResponseEntityExceptionHandler {
public static final Logger LOG = EISLoggerFactory.getLogger(CustomResponseEntityExceptionHandler.class);
#PostConstruct
public void postConstruct() {
LOG.debug("CustomExceptionHandler loaded and ready for use");
}
#ExceptionHandler(PasswordMismatchException.class)
public final ResponseEntity<ErrorDetails> handlePasswordChangeMismatch(
PasswordMismatchException ex,
WebRequest request) {
ErrorDetails errorDetails = new ErrorDetails(
new Date(),
ex.getMessage(),
request.getDescription(false),
MessageKeys.mismatchedPassword);
return new ResponseEntity<>(errorDetails, HttpStatus.BAD_REQUEST);
}
}
It turns out that one of the modules that we wrote and that my project contains defines an ExceptionHandler for Throwable.class. On my machine, this ControllerAdvice is registered before my own ControllerAdvice, which causes Spring to look there first. Since Throwable fits the bill, Spring asks no further questions and just uses that handler.
The solution to my immediate problem was to add #Order(Ordered.HIGHEST_PRECEDENCE) to my ControllerAdvice. Since the exceptions I define within are quite specific, this will not cause any issues.
I have yet to find an explanation for why the order in which the two ControllerAdvice classes are registered is so consistently different between my machine and our dev server. Will update if I find anything. For now, I consider this issue to be answered.
This SO question was essential to solving this particular problem. Perhaps it helps someone in the future to link it here: Setting Precedence of Multiple #ControllerAdvice #ExceptionHandlers
Thanks to ValentinCarnu for pointing me to it!