I have problem with listening to AuthenticationSuccessEvent and AuthenticationFailureBadCredentialsEvent, none of this event is triggered. Here's my code:
#Component
#RequiredArgsConstructor
public class AuthenticationFailureListener {
private final LoginAttemptService loginAttemptService;
#EventListener
public void onAuthenticationFailure(AuthenticationFailureBadCredentialsEvent event) {
Object principal = event.getAuthentication().getPrincipal();
if (principal instanceof String) {
String username = (String) principal;
loginAttemptService.addUserLoginAttemptCache(username);
}
System.out.println("onAuthenticationFailure");
}
}
Second class
#Component
#RequiredArgsConstructor
public class AuthenticationSuccessListener {
private final LoginAttemptService loginAttemptService;
#EventListener
public void onAuthenticationSuccess(AuthenticationSuccessEvent event) {
Object principal = event.getAuthentication().getPrincipal();
if (principal instanceof UserPrincipal) {
UserPrincipal user = (UserPrincipal) principal;
loginAttemptService.evictUserFromLoginAttemptCache(user.getUsername());
}
System.out.println("onAuthenticationSuccess");
}
}
and I added this to Security Configuration
#Bean
public AuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
return new DefaultAuthenticationEventPublisher(applicationEventPublisher);
}
But my fail and successful login don't trigger any listener :disappointed: I'm using spring security 5.7.6. I've checked and all these beans are created. What's maybe a reason for that behavior ?
Related
I have set the following property
server.servlet.session.timeout=30s
in my application properties but the session time out is not triggerd.
but after setting
server.servlet.session.cookie.max-age=30s
the session time out got trigger but following code for updating logout time is not getting triggerd.
#Component
public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {
#Override
public void onApplicationEvent(SessionDestroyedEvent event)
{
List<SecurityContext> lstSecurityContext = event.getSecurityContexts();
UserDetails ud;
for (SecurityContext securityContext : lstSecurityContext)
{
ud = (UserDetails) securityContext.getAuthentication().getPrincipal();
us.findAllUsersByEmail(ud.getUsername()).get(0).setLastLogout(LocalDateTime.now());
System.out.println("lastloginspec : " + ud.getUsername() + " : 00 : " + LocalDateTime.now());
}
}
}
#Bean
public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
}
Could any one Help me out ?
I have implemented the session listener by following way.
Create a custom http session listener.
#Component
public class CustomHttpSessionListener implements HttpSessionListener{
private static final Logger LOG= LoggerFactory.getLogger(Test.class);
#Override
public void sessionCreated(HttpSessionEvent se) {
LOG.info("New session is created.");
UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
#Override
public void sessionDestroyed(HttpSessionEvent se) {
LOG.info("Session destroyed.");
UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}}
Invoke new ServletListenerRegistrationBean and add CustomHttpListener to it and annotate it as #Bean.
#Autowired private CustomHttpSessionListener customHttpSessionListener;
#Bean
public ServletListenerRegistrationBean<CustomSessionListner>sessionListenerWithMetrics() { ServletListenerRegistrationBean<CustomSessionListner>
listenerRegBean = new ServletListenerRegistrationBean<>();
listenerRegBean.setListener(customHttpSessionListener);
return listenerRegBean;
}
Adding a property to application.properties
server.servlet.session.timeout = 15m
This is not a full answer, but a step to isolate and troubleshoot. Replace your LogoutListener with and see when you start the application if it is printing any events. If it is not printing your issue is not specific SessionDestroyedEvent instead generic to your listener.
#Component
public class LogoutListener
implements ApplicationListener<ApplicationEvent> {
#Override
public void onApplicationEvent(ApplicationEvent event)
{
System.out.println("event caught at LogoutListener: " + event);
}
}
And also add this to application.properties to see if event is fired as it should log Publishing event:
logging.level.org.springframework.security.web.session.HttpSessionEventPublisher=DEBUG
in my controller I have a custom annotation like:
#GetMapping("/apikey")
#Secured(apiKeys = { ApiKey.APP_1}) // <- Custom annotation
public ResponseEntity startApiKey() {
return ResponseEntity.status(HttpStatus.OK).body("ApiKey approved");
}
In my Spring Security Config I have added a Filter for checking the apikey and authentication:
public class ApiKeyAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
#Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
return request.getHeader(ApiKeyHeadername.DEFAULTHEADERNAME.getHeadername());
}
#Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
return "N/A";
}
#Override
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
super.setAuthenticationManager(authentication -> {
String principal = (String) authentication.getPrincipal();
if (!ApiKey.APP_1.getApiKey().equals(principal))
{
throw new BadCredentialsException("The API key was not found or not the expected value.");
}
authentication.setAuthenticated(true);
return authentication;
});
}
}
Before the custom annotation was proccessed within a AspectJ class:
#Component
#Aspect
#Scope(value = "request", proxyMode = ScopedProxyMode.TARGET_CLASS)
public class SecurityAspect {
#Autowired
private IPrincipal principal;
#Autowired
private AuthorizationManager authorizationManager;
#Pointcut("#annotation(my.demo.application.security.aspect.Secured)")
public void methodAnnotatedWithSecured() {
}
#Around("methodAnnotatedWithSecured()")
public Object userAdvice(ProceedingJoinPoint joinPoint) throws Throwable {
MethodSignature signature = (MethodSignature) joinPoint.getSignature();
Method method = signature.getMethod();
Secured securedAnnotation = method.getAnnotation(Secured.class);
Authorized securityInformation = new Authorized(securedAnnotation.apiKeys(), securedAnnotation.roles(),
securedAnnotation.usernames());
if (authorizationManager.authorizeUserPrincipal(principal,
securityInformation) == AuthorizationState.UNAUTHORIZED) {
throw DefaultNotAuthorizedExceptionFactory.createNotAuthorizedException();
}
return joinPoint.proceed();
}
}
How can I process the annotation informations in the AbstractPreAuthenticatedProcessingFilter, or how can i get the annotation by Reflection in this Filter. Or can I inject something to get it?
Thank you in advice
For learning purposes, I have made a custom authentication system where I pass a token from the client to the server through the Authorization header.
In the server side, I'd like to know if it's possible to create in the interceptor, before the request reaches a method in the controller, an User object with the email from the token as a property, and then pass this user object to every request where I require it.
This what I'd like to get, as an example:
#RestController
public class HelloController {
#RequestMapping("/")
public String index(final User user) {
return user.getEmail();
}
}
public class User {
private String email;
}
Where user is an object that I created in the pre-interceptor using the request Authorization header and then I can pass, or not, to any method in the RestController.
Is this possible?
#Recommended solution
I would create a #Bean with #Scope request which would hold the user and then put the appropriate entity into that holder and then take from that holder inside the method.
#Component
#Scope(value = "request", proxyMode = ScopedProxyMode.TARGET_CLASS)
public class CurrentUser {
private User currentUser;
public User getCurrentUser() {
return currentUser;
}
public void setCurrentUser(User currentUser) {
this.currentUser = currentUser;
}
}
and then
#Component
public class MyInterceptor implements HandlerInterceptor {
private CurrentUser currentUser;
#Autowired
MyInterceptor(CurrentUser currentUser) {
this.currentUser = currentUser;
}
#Override
public boolean preHandle(
HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
this.currentUser.setCurrentUser(new User("whatever"));
return true;
}
}
and in the Controller
#RestController
public class HelloController {
private CurrentUser currentUser;
#Autowired
HelloController(CurrentUser currentUser) {
this.currentUser = currentUser;
}
#RequestMapping("/")
public String index() {
return currentUser.getCurrentUser().getEmail();
}
}
#Alternative solution
In case your object that you would like to have, only contains one field, you can just cheat on that and add that field to the HttpServletRequest parameters and just see the magic happen.
#Component
public class MyInterceptor implements HandlerInterceptor {
#Override
public boolean preHandle(
HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
//TRY ONE AT THE TIME: email OR user
//BOTH SHOULD WORK BUT SEPARATELY OF COURSE
request.setAttribute("email", "login#domain.com");
request.setAttribute("user", new User("login#domain.com"));
return true;
}
}
You can use a local thread context object as follows - which will be handling one parameter per request thread (thread safe):
public abstract class LoggedUserContext {
private static ThreadLocal<User> currentLoggedUser = new ThreadLocal<>();
public static void setCurrentLoggedUser(User loggedUser) {
if (currentLoggedUser == null) {
currentLoggedUser = new ThreadLocal<>();
}
currentLoggedUser.set(loggedUser);
}
public static User getCurrentLoggedUser() {
return currentLoggedUser != null ? currentLoggedUser.get() : null;
}
public static void clear() {
if (currentLoggedUser != null) {
currentLoggedUser.remove();
}
}
}
Then in the interceptor prehandle function:
LoggedUserContext.setCurrentLoggedUser(loggedUser);
And in the interceptor postHandler function:
LoggedUserContext.clear();
From any other place:
User loggedUser = LoggedUserContext.getCurrentLoggedUser();
I'm trying to implement logging system in a Spring boot application. There are requests coming into the system which have one or more responses.
Requests and responses must be logged into the database in a separate thread, not in the worker thread.
This is my idea.
tables in mysql - "request" with required columns, and "response" with request_id as foreign key
relation between resquest and response - one to many.
A separate thread in LogService is started in #PostContruct to save the data in the DB.
I'm sure there are better solutions to this problem. Please guide with some suggestions.
#Service
public class LogServiceImpl implements LogService {
private final BlockingQueue<Object> logQueue = new LinkedBlockingQueue<>();
private volatile boolean done;
// repositories
#Autowired
private RequestRepository requestRepository;
#Autowired
private ResponseRepository responseRepository;
#Async
#Override
public void log(Object obj) {
try {
logQueue.put(obj);
} catch (InterruptedException e) {
throw new RuntimeException(e);
}
}
#PostContruct
private saveToDb(){
new Thread(() -> {
while(!done){
String object = logQueue.poll(5, TimeUnit.SECONDS)
if(object != null){
if(object instanceof Request){
requestRepository.save((Request)object);
}
if(object instanceof Response){
responseRepository.save((Response)object);
}
}
}
}).start();
}
public void stop() {
done = true;
}
}
class Request{
.....
}
class Response{
......
}
#Service
public class SomeService1 {
#Autowired
private LogService logService;
public void someMeth1(Request request) {
....
logService.log(request);
}
}
#Service
public class SomeService2 {
#Autowired
private LogService logService;
public void someMeth2(Response response) {
....
logService.log(response);
}
}
Have been struggling with a test case where a service is dependent on having a session scoped bean being in the session fails;
The class producing #SessionScoped User:
public class LoginService {
private User user;
public void login(String name) {
if ("userA".equals(name)) {
user = new User(name, "permissionA");
} else if ("userB".equals(name)) {
user = new User(name, "permissionB");
} else {
user = new User("anonymous", "");
}
}
#Produces
#LoggedIn
#SessionScoped
public User getLoggedIn() {
return this.user;
}
}
The service using the #LoggedIn User:
public class MediaService {
#Inject
#LoggedIn
private User user;
public void updateImage(){
if("permissionA".equals(user.getPermission())) {
System.out.println("user can update image");
} else {
System.out.println("user can not update image");
}
}
}
And the test:
#RunWith(Arquillian.class)
public class ServiceTest {
#Deployment
public static WebArchive deployment() {
return ShrinkWrap
.create(WebArchive.class, "test.war")
.addClass(LoggedIn.class)
.addClass(LoginService.class)
.addClass(MediaService.class)
.addClass(User.class)
.addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
}
#Inject
private LoginService lservice;
#Inject
private MediaService mservice;
#Test
public void testLogin() {
lservice.login("userA");
}
#Test
public void testUpdateImage(){
mservice.updateImage();
}
}
Testing with the arquillian remote container, first test (testLogin) passes and the testUpdateImage fails with null User in session.
WELD-000052 Cannot return null from a non-dependent producer method: [method] #Produces #LoggedIn #SessionScoped public org.arg.service.LoginService.getLoggedIn()
Thanks