Landing on Spring security is really an stucky path.
I need to implement an authentication mechanism in order to pick jwt token and extract authentication.
It's really complicated to be sure whether I'm using best approach in order to implement it.
I need to implement and JWTAuthenticationFilter
Questions:
Why do I need to extend from BasicAuthenticationFilter? All exemples over there extends from it to implement a JWTAuthenticationFilter! What does it have to do with BASIC mechanism?
Also I saw over there JWTAuthorizationFilter. Why ...AuthorizationFilter instead of ...AuthenticationFilter?
Which is the best approach about to get my goal?
You don't need to provide a custom filter for that, you can use spring-security-oauth2-resource-server dependency and configure Spring Boot, like so:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://idp.example.com/issuer
By doing this, Spring Security will go to the identity provider and retrieve the JWT keys to validate the token provided in the request. If you need to customize the behavior you can override Spring Boot auto-configuration, see the documentation.
Related
I use Spring boot security for my server.
I added new filter that extends from OncePerRequestFilter and (according to many tutorials from the web) after validating the jwt save Authentication object into SecurityContext.
What I don't understand is why do I need to save the Authentication in SecurityContext? after all I validate the jwt from the client in each request and don't need spring's to call isAuthenticated() on Authentication object.
Do I miss something?
Spring Security Authentication basically works by storing it in the SecurityContext. There is a SecurityContextHolder class which stores the SecurityContext and is used to many places where Authentication/Authorization decisions needs to be made by retrieving the Authentication. Even though you have validated the JWT to check the Authentication is success, Spring Security still needs Authentication object to make other decisions for example to evaluate hasRole(), hasAnyRole(), etc.
Spring Boot Security,
My Application is already running using Spring Security. Now I want to authenticate the users through OAuth. Is there any way to build a custom servlet to achieve this?
You can add a new Filter to intercept and authenticate OAuth requests in which it should call the authenticationManager.authenticate method and save the result of the authentication token in the SecurityContextHolder. This way the user is fully authenticated.
Note, that this way you don't "override" or "bypass" the Spring Security. You just use it to perform a different authentication.
I have a web application in which Authorization is handled by Apache Shiro. Now we need to convert it to restful service and need to add an authentication mechanism . I am looking for a possibility to keep Shiro itself for authorization, so that code changes are minimal, and JWT for authentication. Please suggest me how can I achieve it. Is there any framework available for it?
I made a library to achieve this.
https://github.com/panchitoboy/shiro-jwt
You only have to implement UserDefault and UserRepository with your bussines logic.
It's based on apache-shiro, i have created a filter based on the shiro AuthenticatingFilter.
Regards,
We need to expose a REST endpoint to the outside world to be called by an external service which we don't control. The people responsible for this external service seem to be security experts (not), and so instead of using at the very least HTTP Basic Auth or any other real authentication mechanism, they authenticate themselves using a fixed secret. It goes like this:
GET /endpoint?secret=WE_ARE_THE_TRUE_GUYS
As we're already using spring-security-oauth2, we'd like to integrate this authentication flow with our existing flow so that we can specify rules for this endpoint the same way we do for every other enpoint on our ResourceServer, get the same error handling behaviour and etc. How shall we go about implementing a custom authentication filter - or whatever it may be - that will grab the secret parameter from the query string, transform it into some kind of "client credentials" for a pre-configured client on the AuthorizationServer and integrate seamlessly with the rest of the OAuth2 flow?
If you can transform "WE_ARE_THE_TRUE_GUYS" into a valid OAuth2Authentication then all you need is an authentication filter that does that (and sticks it in the SecurityContext). Then the downstream filters and handlers will behave just as if it was a real OAuth2 authentication. If I were you I would put some very tight conditions in that filter to match the request to one that is on the allowed resources from this highly unusual and not very secure authentication channel.
I'd like to setup a central authentication / authorization server using Spring Security from where I could fetch JWT token which I could then use for accessing restricted resources on another Spring Security backed up REST server.
Here's my flow:
1) HTML JS / Mobile etc client authenticates on auth server to get the JWT token
2) Client sends this token in HTTP header to REST server to gain access to secured resources
I thought JWT would suite best for this scenario because it can contain all the relevant data and REST server could be fully stateless and simply decode the token to get all necessary data (role, clientid, email...) on REST server.
Is Oauth2 right choice for this and if so could someone kindly point me to right direction? If JWT isn't the right bet, I'm open to other solutions :) I should mention that in my case it's also possible to load client information from database also on REST server, but it should not be responsible for authenticating the user (meaning no username/password check, just the token decoding/validating...)
The Cloudfoundry UAA is an open source OAuth2 Identity Managemennt Solution (Apache 2) which issues JWT tokens. You could look at the way it is implemented, or just use it yourself, either as a server or just the JARs. It implements a bunch of existing strategies in Spring OAuth. It also optionally has its own user database, or you can implement your own. There are lots of options and extension points and many people using it in various ways (not all with Cloudfoundry) because it was designed to be generic.
Spring OAuth 2.0 also has support for JWT tokens as well, but it isn't released yet (the bulk of the implementation is drawn from the UAA).
However, since you say you don't mind opaque tokens (and a database loookup) you might prefer just to use the JDBC support in Spring OAuth 1.0. It was in use in Cloudfoundry for quite some time before we moved to JWT, so I can vouch for it in production.
As to whether OAuth2 is a good choice for your use case: you are in the best position to decide that. Nothing you said so far makes me think it would be a bad idea. Here's a presentation I did if it helps (you can probably find it on YouTube in the SpringSource channel if you like that sort of thing).
Alvaro Sánchez have developed a plugin with jwt compatibility. http://alvarosanchez.github.io/grails-spring-security-rest/1.5.0.RC4/docs/guide/tokenStorage.html#jwt
Install the current version in BuildConfig.groovy:
compile ":spring-security-rest:1.5.0.RC4", {
excludes: 'spring-security-core'
}
You only must to change the secret option in Config.groovy
grails.plugin.springsecurity.rest.token.storage.jwt.secret = 'YourSecretKey'
And set a chainMap to separate security managed with traditional mode from new rest stateless security.
grails.plugin.springsecurity.filterChain.chainMap = [
'/yourApi/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter', // Stateless chain
'/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter' // Traditional chain
]
You can to manage authorization and authentication within your application with the spring-security-core plugin.