I am building a microservice using Spring Cloud Gateway and OAuth2 Resource Server. The app aims at redirecting to other microservices after doing the security part. I am trying to setup a filter before AnonymousAuthenticationFilter and handle my custom exception from there but however the custom exception filter is never being invoked. Following the security config I have in the app:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().cors().disable()
.httpBasic().disable()
.formLogin().disable()
.addFilterBefore(customExceptionHandler, AnonymousAuthenticationFilter.class)
.authorizeRequests( auth -> auth.antMatchers(AUTH_WHITELIST).permitAll()
.antMatchers("/**").authenticated())
.oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer.jwt())
.sessionManagement(sessionManagement -> sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
}
In my customExceptionHandler, I have the following code:
public class CustomExceptionHandler extends OncePerRequestFilter {
#Autowired
#Qualifier("handlerExceptionResolver")
private HandlerExceptionResolver resolver;
#Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
try {
filterChain.doFilter(request, response);
} catch (Exception e) {
log.error("Spring Security Filter Chain Exception:", e);
resolver.resolveException(request, response, null, e);
}
}
}
Also following is my build.gradle:
// Spring Boot
implementation 'org.springframework.boot:spring-boot-starter'
implementation 'org.springframework.boot:spring-boot-starter-actuator'
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
// Spring Cloud
implementation 'org.springframework.cloud:spring-cloud-starter-gateway'
I also have an #ExceptionAdvice class that handles all the exceptions. However, if I pass in an expired JWT or any other error scenario to the service, I always get handled by the following error message in my WWW-Authenticate header:
Bearer error="invalid_token", error_description="Jwt expired at 2022-06-16T19:58:09Z", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
How do I throw a custom POJO instead of this message?
This error is coming from BearerTokenAuthenticationEntryPoint, so to override the behavior you can just easily provide a custom entryPoint
.oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer.jwt().and().authenticationEntryPoint(myCustomEntryPoint))
Related
I've read in Spring Security Reference that AuthorizationFilter supersedes FilterSecurityInterceptor. So I'm trying to migrate my application to this newer method.
I have something like
http.authorizeRequests()
.mvcMatchers("/")
.hasIpAddress("127.0.0.1")
According to the linked page I should be able to write something like
http.authorizeHttpRequests()
.mvcMatchers("/")
.access("hasIpAddress('127.0.0.1')")
but there's no access(String) method. I even tried to paste verbatim code from the documentation:
#Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
http
// ...
.authorizeHttpRequests(authorize -> authorize
.mvcMatchers("/resources/**", "/signup", "/about").permitAll()
.mvcMatchers("/admin/**").hasRole("ADMIN")
.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
.anyRequest().denyAll()
);
return http.build();
}
which does not compile for the same reason.
Here's compilation error:
Application.java:103:55
java: incompatible types: java.lang.String cannot be converted to org.springframework.security.authorization.AuthorizationManager<org.springframework.security.web.access.intercept.RequestAuthorizationContext>
How do I use authorizeHttpRequests with IP addresses or string expression? Is it issue with documentation?
I'm using Spring Boot 2.7.0 and Spring Security 5.7.1
This does appear to be an issue with the docs. There is not currently a built-in implementation providing the hasIpAddress(String) access check, but you can use the IpAddressMatcher class to implement an AuthorizationManager capable of performing it.
Here's an example configuration:
#EnableWebSecurity
public class SecurityConfiguration {
#Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorizeRequests) -> authorizeRequests
.mvcMatchers("/").access(hasIpAddress("127.0.0.1"))
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.httpBasic(Customizer.withDefaults());
return http.build();
}
private static AuthorizationManager<RequestAuthorizationContext> hasIpAddress(String ipAddress) {
IpAddressMatcher ipAddressMatcher = new IpAddressMatcher(ipAddress);
return (authentication, context) -> {
HttpServletRequest request = context.getRequest();
return new AuthorizationDecision(ipAddressMatcher.matches(request));
};
}
}
I am trying to authorize all preflight request in (/secure/**) without an authorization header(oauth token in my case). The JwkFilter is used to validate the oauth token passed in the authorization header. Any suggestion, where I am going wrong here.
#Override
protected void configure(HttpSecurity http) throws Exception {
JwtAuthFilter jwtAuthTokenFilter = new JwtAuthFilter(oauthConfig);
jwtAuthTokenFilter.setAuthenticationManager(getAuthManager());
http.cors().and().authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/secure/**")
.permitAll();
http.requiresChannel().anyRequest().requiresSecure().and()
.addFilterBefore(requireProtocolFilter, ChannelProcessingFilter.class).sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().anonymous().disable().csrf().disable()
.antMatcher("/**").authorizeRequests().anyRequest().permitAll().and()
.antMatcher(/secure/**")
.addFilterBefore(jwtAuthTokenFilter, BasicAuthenticationFilter.class).exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint()).and().authorizeRequests().anyRequest()
.authenticated();
}
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurerAdapter() {
#Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedMethods("*")
.allowedOrigins("*");
}
};
}
For preflight request with CORS, according to spring, they will execute before your jwtAuthTokenFilter (registered before BasicAuthenticationFilter filter) -> correct
The order was specified here (in spring code):
FilterComparator() {
Step order = new Step(INITIAL_ORDER, ORDER_STEP);
...
put(CorsFilter.class, order.next());
...
put(BasicAuthenticationFilter.class, order.next());
...
}
In CORS, for complex request (like using custom header Authorization header in your case), browser will send preflight request first to know whether the server allow client to access their resource or not before sending actual request.
The CORSFilter will execute like this (in spring code):
public class CorsFilter extends OncePerRequestFilter {
#Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
CorsConfiguration corsConfiguration = this.configSource.getCorsConfiguration(request);
boolean isValid = this.processor.processRequest(corsConfiguration, request, response);
if (!isValid || CorsUtils.isPreFlightRequest(request)) {
return;
}
filterChain.doFilter(request, response);
}
}
They will check whether for every preflight request (extends OncePerRequestFilter) comes to server, if processRequest is valid or is preflight request to terminate the chain.
Here is the default processor to check preflight request (in spring code):
public class DefaultCorsProcessor implements CorsProcessor {
#Override
public boolean processRequest(#Nullable CorsConfiguration config, HttpServletRequest request,
HttpServletResponse response) throws IOException {
...
boolean preFlightRequest = CorsUtils.isPreFlightRequest(request);
if (config == null) {
if (preFlightRequest) {
rejectRequest(new ServletServerHttpResponse(response));
return false;
}
else {
return true;
}
}
return handleInternal(new ServletServerHttpRequest(request), new ServletServerHttpResponse(response), config, preFlightRequest);
}
In your case, I think you are missing configuring for enabling CORS.
So the server reject the client request (by sending HttpStatus.FORBIDDEN code), so that the browser don't send actual request to the server.
And your JwtAuthTokenFilter has no chance to execute.
You can refer to this post for configuring cors. Hope it helps
Adding the below snippet in to the jwkAuthFilter did the trick.
if (CorsUtils.isPreFlightRequest(request)) {
response.setStatus(HttpServletResponse.SC_OK);
return;
}
I am attempting to replace CAS with Azure Active Directory SAML authentication (SSO) in a Spring Boot API. My version of Spring Security is 5.3.2. Spring boot is 2.3.0.
Documentation has been hard to find. I think this is explained by 8685. I found 8010 and attempted the workaround mentioned there, but my breakpoints there are not getting hit.
Given the current state of the transition from SAML Extension to Spring Security, should I be using the old SAML Extension? I can reach my "success" endpoint with a JSESSIONID and SAMLReponse, but it's encrypted. Is this something I need to do myself? (If so, how?) The SecurityContext / user details are not getting set. I see AccessDenied stack traces in my logs, but I think that's a symptom of the Anonymous user context.
Relevant code is below. I have application.yml and application.properties files, but all config is annotations-based. If you see anything way off base, please let me know! Any guidance would be appreciated.
Here is my SecurityConfig:
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
RelyingPartyRegistration getSaml2AuthenticationConfiguration() throws Exception {
// remote IDP entity ID
String idpEntityId = "https://sts.windows.net/xxxxxxxxxxxx/";
// remote WebSSO Endpoint - Where to Send AuthNRequests to
String webSsoEndpoint = "https://login.microsoftonline.com/xxxxxxxxxxxx/saml2";
// local registration ID
String registrationId = "xxxxxxxxxxxx";
// local entity ID - autogenerated based on URL
String localEntityIdTemplate = "xxxxxxxxxxxx.local";
// local signing (and decryption key)
Saml2X509Credential signingCredential = getSigningCredential(); //private method not included
// IDP certificate for verification of incoming messages
Saml2X509Credential idpVerificationCertificate = getVerificationCertificate(); //private method not included
String acsUrlTemplate = "https://xxxxxxxxxxxx.local/success"; //REST endpoint, see below
return RelyingPartyRegistration.withRegistrationId(registrationId)
.providerDetails(config -> config.entityId(idpEntityId))
.providerDetails(config -> config.webSsoUrl(webSsoEndpoint)).credentials(c -> c.add(signingCredential))
.credentials(c -> c.add(idpVerificationCertificate)).localEntityIdTemplate(localEntityIdTemplate)
.assertionConsumerServiceUrlTemplate(acsUrlTemplate).build();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
// Just a test
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
http
.headers()
.frameOptions()
.sameOrigin()
.httpStrictTransportSecurity()
.disable()
.and()
.authorizeRequests()
//... more antMatchers and permitAlls
.antMatchers("/success").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/logout").permitAll()
.antMatchers("/error").permitAll().anyRequest().authenticated().and()
.csrf().disable()
.saml2Login(
saml2 -> {
try {
saml2
.authenticationManager(a -> {
// This code is never reached
Authentication result = provider.authenticate(a);
Saml2Authentication saml2Authentication = (Saml2Authentication) result;
return result;
}).relyingPartyRegistrationRepository(
new InMemoryRelyingPartyRegistrationRepository(getSaml2AuthenticationConfiguration())
)
.loginProcessingUrl("/login/{registrationId}");
} catch (Exception e) {
// It made me put this try/catch here... this isn't getting reached either
e.printStackTrace();
}
});
}
}
And my REST endpoint:
#RestController
public class HelloController {
#RequestMapping(value = "/success", method=RequestMethod.POST)
public String saml2Post(HttpServletRequest request) throws IOException {
String jSessionId = request.getHeader("cookie");
System.out.println(jSessionId);
String samlResponse = request.getReader().lines().collect(Collectors.joining(System.lineSeparator()));
System.out.println(samlResponse);
return "login success";
}
}
And my gradle dependencies (Gradle 6.5):
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-security'
compile 'org.springframework.security:spring-security-config'
compile 'org.springframework.security:spring-security-saml2-service-provider'
compile 'org.springframework.boot:spring-boot-starter-thymeleaf'
compile 'org.springframework.boot:spring-boot-starter-web'
compile 'org.thymeleaf.extras:thymeleaf-extras-springsecurity5'
implementation 'org.springframework.boot:spring-boot-starter-freemarker'
implementation 'org.springframework.boot:spring-boot-starter-integration'
implementation 'org.springframework.boot:spring-boot-starter-jdbc'
implementation 'org.springframework.boot:spring-boot-starter-mail'
compile 'org.springframework.security:spring-security-oauth2-client'
compile 'org.springframework.security:spring-security-oauth2-jose'
implementation 'joda-time:joda-time:2.10.6'
implementation 'com.google.guava:guava:29.0-jre'
implementation 'com.opencsv:opencsv:5.2'
implementation 'org.apache.commons:commons-lang3:3.10'
implementation 'net.minidev:json-smart:2.3'
developmentOnly 'org.springframework.boot:spring-boot-devtools'
runtimeOnly 'com.microsoft.sqlserver:mssql-jdbc'
runtimeOnly 'org.hsqldb:hsqldb'
providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat'
testImplementation('org.springframework.boot:spring-boot-starter-test') {
exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
}
testImplementation 'org.springframework.integration:spring-integration-test'
testImplementation 'org.springframework.security:spring-security-test'
}
I'm writing a filter that would intercept an Restful API call , extract a Bearer token and make a call to an Authorization Server for validation.
I couldn't find one in Spring Boot that does it out of the box, but I'm sure there is a cleaner way to do this.
here is what I have (pseudo code):
public class SOOTokenValidationFilter extends OncePerRequestFilter {
#Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
String xAuth = request.getHeader("Authorization");
// validate the value in xAuth
if(isValid(xAuth) == false){
throw new SecurityException();
}
// Create our Authentication and set it in Spring
Authentication auth = new Authentication ();
SecurityContextHolder.getContext().setAuthentication(auth);
filterChain.doFilter(request, response);
}
private boolean isValid (String token){
// make a call to SSO passing the access token and
// return true if validated
return true;
}
}
Lessons learned, Spring Security Oauth2 documentation is woefully inadequate, forget about trying to use the framework without fully combing through the source code. On the flip side the code is well written and easy to follow kudos to Dave Syer.
Here is my config:
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/")
.permitAll()
.and()
.addFilterBefore(getOAuth2AuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
.exceptionHandling();
}
Here is my getOAuth2AuthenticationProcessingFilter method:
private OAuth2AuthenticationProcessingFilter getOAuth2AuthenticationProcessingFilter() {
// configure token Extractor
BearerTokenExtractor tokenExtractor = new BearerTokenExtractor();
// configure Auth manager
OAuth2AuthenticationManager manager = new OAuth2AuthenticationManager();
// configure RemoteTokenServices with your client Id and auth server endpoint
manager.setTokenServices(remoteTokenServices);
OAuth2AuthenticationProcessingFilter filter = new OAuth2AuthenticationProcessingFilter();
filter.setTokenExtractor(tokenExtractor);
filter.setAuthenticationManager(manager);
return filter;
}
I am having the following issue since the release of Spring boot 1.4
I have a custom Authentication Provider that manages the parsing of JWT tokens for Spring Security. Basically, I would throw a BadCredentialsException when the token was invalid or expired. I also have a AutenticationEntryPoint that reformats the message with a Unauthorized HttpServlet Response in JSON
#Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException
{
httpServletResponse.setContentType("application/json");
httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
httpServletResponse.getOutputStream().println("{ \"error\": \"" + e.getMessage() + "\" }");
}
Here is the filter that manages the exception of the Authentication Provider
#Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException
{
String authToken = httpServletRequest.getHeader("Authorization");
JwtToken token = new JwtToken(authToken);
try
{
Authentication auth = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(auth);
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
catch(AuthenticationException ae)
{
SecurityContextHolder.clearContext();
unauthorizedHandler.commence(httpServletRequest, httpServletResponse, ae);
}
This was working fine in Spring Boot 1.3.6
Now I am getting the following error
java.lang.IllegalArgumentException: Principal must not be null
Stack trace:
java.lang.IllegalArgumentException: Principal must not be null
at org.springframework.util.Assert.notNull(Assert.java:115) ~[spring-core-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.boot.actuate.audit.AuditEvent.<init>(AuditEvent.java:83) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.audit.AuditEvent.<init>(AuditEvent.java:59) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.security.AuthenticationAuditListener.onAuthenticationFailureEvent(AuthenticationAuditListener.java:67) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.security.AuthenticationAuditListener.onApplicationEvent(AuthenticationAuditListener.java:50) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.security.AuthenticationAuditListener.onApplicationEvent(AuthenticationAuditListener.java:34) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:382) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:336) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.security.authentication.DefaultAuthenticationEventPublisher.publishAuthenticationFailure(DefaultAuthenticationEventPublisher.java:124) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.prepareException(ProviderManager.java:240) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:233) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:454) ~[spring-security-config-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at com.icentia.tracking.security.JwtFilter.doFilterInternal(JwtFilter.java:49) ~[classes/:na]
This is coming from Spring Boot Actuator. If I remove it, it is working as before?!?
There seem to be a bug listed here, although not the same:
https://github.com/spring-projects/spring-boot/issues/6447
I want to have Actuator in production, any workaround I could use for this?
Thank you
Make sure the getName() method from the Principal interface returns a non null value in your JwtToken class.