The DB user's status is BLOCKED, but this user can log in to the app. My UserDetails implementation is below:
class CustomUserDetails(val userDto: UserAuthResponse) : UserDetails, Serializable {
override fun isAccountNonLocked() = userDto.status != UserStatus.BLOCKED
override fun getAuthorities() = listOf(SimpleGrantedAuthority(userDto.role.name))
override fun isEnabled() = userDto.status != UserStatus.BLOCKED
override fun getUsername() = userDto.phoneNumber
override fun isCredentialsNonExpired() = userDto.status != UserStatus.BLOCKED
override fun getPassword() = userDto.password
override fun isAccountNonExpired() = userDto.status != UserStatus.BLOCKED
}
Related
I am trying to implement this: https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/el-access.html#el-access-web-path-variables but the teacher is explicitly telling us to use spring-security 4.0.4 (because of conflicting transitive dependencies with spring framework 4.2.5) and I've searched extensively on how to create an AccessDecisionVoter that can grab a path variable but so far this is the only thing that i came into what is the actual type of object parameter in vote method of spring security access decision voter which i don't know if it's indeed the best way to do it since this answer was intended for Spring Security 3.1.
Solved it by coding my own AccessDecisionVoter:
public class CourseVoter implements AccessDecisionVoter<FilterInvocation> {
#Autowired
private CourseService courseService;
#Autowired
private AuthFacade authFacade;
#Autowired
private FileService fileService;
static final Pattern GET_FILE_PATTERN = Pattern.compile("/files/(\\d+)");
static final Pattern UPLOAD_FILE_PATTERN = Pattern.compile("/course/(\\d+)/files");
static final Pattern UPLOAD_ANNOUNCEMENT_PATTERN = Pattern.compile("/course/(\\d+)/announcements");
static final Pattern GET_COURSE_PATTERN = Pattern.compile("/course/(\\d+)");
#Override
public boolean supports(ConfigAttribute attribute) {
return false;
}
#Override
public boolean supports(Class<?> clazz) {
return clazz.isAssignableFrom(FilterInvocation.class);
}
#Override
public int vote(Authentication authentication, FilterInvocation fi, Collection<ConfigAttribute> attributes) {
final String url = fi.getRequestUrl();
final String method = fi.getHttpRequest().getMethod();
Matcher getCourseMatcher = GET_COURSE_PATTERN.matcher(url);
Matcher getFileMatcher = GET_FILE_PATTERN.matcher(url);
Matcher uploadFileMatcher = UPLOAD_FILE_PATTERN.matcher(url);
Matcher uploadAnnouncementMatcher = UPLOAD_ANNOUNCEMENT_PATTERN.matcher(url);
if(getFileMatcher.find()) return voteFileAccess(authentication, getMappingValue(getFileMatcher));
if(method.equals("POST") && uploadAnnouncementMatcher.find()) return voteCoursePrivileges(authentication, getMappingValue(uploadAnnouncementMatcher));
if(method.equals("POST") && uploadFileMatcher.find()) return voteCoursePrivileges(authentication, getMappingValue(uploadFileMatcher));
if(getCourseMatcher.find()) return voteCourseAccess(authentication, getMappingValue(getCourseMatcher));
return ACCESS_ABSTAIN;
}
private Long getMappingValue(Matcher m) {
return Long.valueOf(m.group(1));
}
private boolean isAdminOrAnonymous(Authentication authentication) {
if(authentication instanceof AnonymousAuthenticationToken) return true;
User user = authFacade.getCurrentUser();
return user.isAdmin();
}
private int voteFileAccess(Authentication authentication, Long fileId) {
if(isAdminOrAnonymous(authentication)) return ACCESS_DENIED;
return fileService.hasAccess(fileId, authFacade.getCurrentUserId()) ? ACCESS_GRANTED : ACCESS_DENIED;
}
private int voteCourseAccess(Authentication authentication, Long courseId) {
if(isAdminOrAnonymous(authentication)) return ACCESS_DENIED;
return courseService.belongs(authFacade.getCurrentUserId(), courseId) ? ACCESS_GRANTED : ACCESS_DENIED;
}
private int voteCoursePrivileges(Authentication authentication, Long courseId) {
if(isAdminOrAnonymous(authentication)) return ACCESS_DENIED;
return courseService.isPrivileged(authFacade.getCurrentUserId(), courseId) ? ACCESS_GRANTED : ACCESS_DENIED;
}
}
Actually I´m working in a forum project built with Spring boot, Mongodb and Vue.js.
When I´m trying to post a new comment and get the user datails with the SecurityContextHolder and cast it to my UsersDetailImpl who implements from the UserDetails class provided by Spring boot, it throw the following error: org.springframework.security.web.authentication.webauthenticationdetails cannot be cast to .... UserDetailsImpl
I don´t really know the reason of this error becasuse if I test it from Postman does not report an error.
UserDetailsImpl.java
public class UserDetailsImpl implements UserDetails {
private static final long serialVersionUID = 1L;
private String id;
private String username;
private String email;
#JsonIgnore
private String password;
private Collection<? extends GrantedAuthority> authorities;
public UserDetailsImpl(String id, String username, String email, String password,
Collection<? extends GrantedAuthority> authorities) {
this.id = id;
this.username = username;
this.email = email;
this.password = password;
this.authorities = authorities;
}
public static UserDetailsImpl build(User user) {
List<GrantedAuthority> authorities = user.getRoles().stream()
.map(role -> new SimpleGrantedAuthority(role.getName().name()))
.collect(Collectors.toList());
return new UserDetailsImpl(
user.getId(),
user.getUsername(),
user.getEmail(),
user.getPassword(),
authorities);
}
#Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return authorities;
}
public String getId() {
return id;
}
public String getEmail() {
return email;
}
#Override
public String getPassword() {
return password;
}
#Override
public String getUsername() {
return username;
}
#Override
public boolean isAccountNonExpired() {
return true;
}
#Override
public boolean isAccountNonLocked() {
return true;
}
#Override
public boolean isCredentialsNonExpired() {
return true;
}
#Override
public boolean isEnabled() {
return true;
}
#Override
public boolean equals(Object o) {
if (this == o)
return true;
if (o == null || getClass() != o.getClass())
return false;
UserDetailsImpl user = (UserDetailsImpl) o;
return Objects.equals(id, user.id);
}
}
CommentController.java
#CrossOrigin(origins = "*", maxAge = 3600)
#RestController
#RequestMapping("/comments")
public class CommentController {
#Autowired
CommentRepository commentRepository;
#Autowired
RoleRepository roleRepository;
#PostMapping("/ask")
public ResponseEntity<?> ask (#Valid #RequestBody AskRequest askRequest) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
UserDetailsImpl userDetails = (UserDetailsImpl) authentication.getPrincipal();
HashSet<String> strRoles = userDetails.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.toCollection(HashSet::new));
Set<Role> roles = new HashSet<>();
strRoles.forEach(role -> {
int cutPoint = role.indexOf("_");
role = role.substring(cutPoint + 1).toLowerCase();
findRole(roles, role, roleRepository);
});
User user = new User(userDetails.getUsername(), userDetails.getEmail(), roles);
ObjectId discussion_id = ObjectId.get();
String slug = new Slugify().slugify(askRequest.getTitle());
Comment comment = new Comment(discussion_id, askRequest.getTitle(),
askRequest.getText(),slug, "full_slug_test", Instant.now(),user);
String info = comment.getDiscussion_id().toString() + comment.getPosted() + comment.getTitle()
+ comment.getText() + comment.getAuthor().getUsername() + comment.getAuthor().getEmail()
+ comment.getAuthor().getId() + comment.getAuthor().getRoles();
commentRepository.save(comment);
return ResponseEntity.ok(new MessageResponse(info));
}
}
I´m new in all this technologies there may be serious errors. All the advices will be a great help to me because the project is academic.
If someone need more information just ask for it.
Thank you all :)
Change authentication.getDetails() to getAuthentication().getPrincipal()
You will have:
UserDetailsImpl userDetails = (UserDetailsImpl) authentication.getPrincipal();
Finally I found the error and it was in the front-end side. I was sending de headers with the JWT in this way.
import axios from 'axios';
import authHeader from './auth-header';
const API_URL = 'http://localhost:8080/comments/';
class CommentsService {
ask(post){
return axios.post(API_URL + 'ask', {
title: post.title,
text: post.text,
headers: authHeader()
});
}
}
export default new CommentsService();
and it is totally wrong so I found the manner to do it.
import axios from 'axios';
import authHeader from './auth-header';
const API_URL = 'http://localhost:8080/comments/';
class CommentsService {
ask(post){
return axios.post(API_URL + 'ask', {
title: post.title,
text: post.text
},{headers: authHeader()});
}
}
export default new CommentsService();
I also add the code to mount the headers.
export default function authHeader() {
let user = JSON.parse(localStorage.getItem('user'));
if (user && user.accessToken) {
return { Authorization: 'Bearer ' + user.accessToken };
} else {
return {};
}
}
I made this class UserPrincipal to get the user id of my custom Hibernate User class.
public class UserPrincipal extends org.springframework.security.core.userdetails.User {
public User getUser() {
return user;
}
public UserPrincipal(String username, String password, boolean enabled, boolean accountNonExpired,
boolean credentialsNonExpired, boolean accountNonLocked,
Collection<? extends GrantedAuthority> authorities, User user) {
super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
this.user = user;
}
private final User user;
}
However, when I use it like this:
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
User user = ((UserPrincipal) principal).getUser();
I get the following error:
java.lang.ClassCastException: org.springframework.security.core.userdetails.User cannot be cast to UserPrincipal
I think there's an error in the way I implemented the constructor, but I am not sure.
Or does it have to do with a mismatch with the way I log the user in? I am using Spring Security.
instead of extending user class from spring-security you better to implement UserDetails interface given from spring security. please read the below code. Provide custom userDetailsService implementation to your project. i hope this will help you- http://docs.spring.io/spring-security/site/docs/3.0.x/reference/technical-overview.html#d0e1613
public class LoggedUser implements UserDetails{
private User user;
// setter and getter of user
public LoggedUser (User user){
this.user=user;
}
public Collection<? extends GrantedAuthority> getAuthorities() {
List<SimpleGrantedAuthority> authorities=new ArrayList<SimpleGrantedAuthority>();
for (String role : user.getRoles()) {
authorities.add(new SimpleGrantedAuthority(role));
}
return authorities;
}
public String getPassword() {
return user.getPassword();
}
public String getUsername() {
// TODO Auto-generated method stub
return user.getUsername();
}
public boolean isAccountNonExpired() {
// TODO Auto-generated method stub
return true;
}
public boolean isAccountNonLocked() {
// TODO Auto-generated method stub
return true;
}
public boolean isCredentialsNonExpired() {
// TODO Auto-generated method stub
return true;
}
public boolean isEnabled() {
// TODO Auto-generated method stub
return true;
}
now User the below code to get User object:
LoggedUser principal = (LoggedUser)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
User user = pricipal.getUser();
This is classic case of downcasting. To achieve this, do the following:
Let consider A is the super class and B is sub class:
1. Define this method in the subclass(B):
public static B method(A a) {
B b = null;
if (a instanceof A) {
b = (B) a;// downcasting
}
return b;
}
2. Now in your working class(e.g., Service, Controller etc), do the following
A b = new B(); // Initialize super class object with subclass
BeanUtils.copyProperties(a,b);//where a being the instance of A(user in your case), with values
B c = B.method(b);
just check the user ur logged in with ur security user DB.
given a scenario , there is a HTML contents OR some method in a controller, which only allow to be access by "a" role.
from above, we achieve by using #hasRole("a")
However, in my case, the role is dynamic:
Example, admin add a new role "b", and able to be access these content.
So how to do it?
I tried ACL, but that's only protect the domain object with an id.
there is an annotation called hasAuthority, but i cant search
anythings from internet.
there is an ObjectIdentityImpl, not really
how to implement.
EDIT: my solution
After study, ACL is more on secure list of object.
Example: u want to secure staff table, some staff record(like CEO,manager) are only accessible by higher management. the rest of staff record are view-able by all. This is what ACL to do.
However, when we need to protect some method,controller,url,static content.... the ACL is not suitable for this. we need to use hasAuthority or hasPermission or hasRole or ......
In some web systems, there are only few roles, admin and user. For this case, hasAuthority or hasRole is quite enough for this. u just annotate #hasRole('admin') for the resources u want to protect.
However,in some systems, there are dynamic role, for example: admin create a new role "temporary_user", but the contoller or method is annotate by #hasRole('user'), which not accessible by "temporary_user".
in this case, based on my understanding, there are few ways to do.
create many roles based on how many resources u want to protect. for example: assign 'role_getRecord' to getRecords(),assign 'role_writeRecord' to writeRecord(). this is a way to do without changing spring security mechanism, but will have a lot of roles on your database table, and more complex system, will have more.
#hasPermission - this is what i use right now. i create a CustomGrantedAuthority, in order to have more flexible implementation. and i do have a CustomUserDetailsService and CustomSpringSecurityUser, when user login will create CustomSpringSecurityUser with collection of CustomGrantedAuthority then return CustomSpringSecurityUser to CustomUserDetailsService. and also i do have a CustomPermission to verify the permission.
Please vote UP, if your think is useful, and please comment if i wrong or does havea better way to do it.
here is my code
CustomSpringSecurityUser
public class CustomSpringSecurityUser implements UserDetails, CredentialsContainer {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
private String password;
private final String username;
private final Set<GrantedAuthority> authorities;
private final boolean accountNonExpired;
private final boolean accountNonLocked;
private final boolean credentialsNonExpired;
private final boolean enabled;
public CustomSpringSecurityUser(String username, String password, Collection<? extends GrantedAuthority> authorities) {
this(username, password, true, true, true, true, authorities);
}
public CustomSpringSecurityUser(String username, String password, boolean enabled, boolean accountNonExpired,
boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities) {
if (((username == null) || "".equals(username)) || (password == null)) {
throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
}
this.username = username;
this.password = password;
this.enabled = enabled;
this.accountNonExpired = accountNonExpired;
this.credentialsNonExpired = credentialsNonExpired;
this.accountNonLocked = accountNonLocked;
// this.authorities = Collections.unmodifiableSet(sortAuthorities(authorities));
this.authorities = new HashSet<GrantedAuthority>(authorities);
}
public Collection<GrantedAuthority> getAuthorities() {
return authorities;
}
public String getPassword() {
return password;
}
public String getUsername() {
return username;
}
public boolean isEnabled() {
return enabled;
}
public boolean isAccountNonExpired() {
return accountNonExpired;
}
public boolean isAccountNonLocked() {
return accountNonLocked;
}
public boolean isCredentialsNonExpired() {
return credentialsNonExpired;
}
public void eraseCredentials() {
password = null;
}
private static SortedSet<GrantedAuthority> sortAuthorities(Collection<? extends GrantedAuthority> authorities) {
Assert.notNull(authorities, "Cannot pass a null GrantedAuthority collection");
SortedSet<GrantedAuthority> sortedAuthorities =
new TreeSet<GrantedAuthority>(new AuthorityComparator());
for (GrantedAuthority grantedAuthority : authorities) {
Assert.notNull(grantedAuthority, "GrantedAuthority list cannot contain any null elements");
sortedAuthorities.add(grantedAuthority);
}
return sortedAuthorities;
}
private static class AuthorityComparator implements Comparator<GrantedAuthority>, Serializable {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
public int compare(GrantedAuthority g1, GrantedAuthority g2) {
if (g2.getAuthority() == null) {
return -1;
}
if (g1.getAuthority() == null) {
return 1;
}
return g1.getAuthority().compareTo(g2.getAuthority());
}
}
#Override
public boolean equals(Object rhs) {
if (rhs instanceof CustomSpringSecurityUser) {
return username.equals(((CustomSpringSecurityUser) rhs).username);
}
return false;
}
#Override
public int hashCode() {
return username.hashCode();
}
#Override
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append(super.toString()).append(": ");
sb.append("Username: ").append(this.username).append("; ");
sb.append("Password: [PROTECTED]; ");
sb.append("Enabled: ").append(this.enabled).append("; ");
sb.append("AccountNonExpired: ").append(this.accountNonExpired).append("; ");
sb.append("credentialsNonExpired: ").append(this.credentialsNonExpired).append("; ");
sb.append("AccountNonLocked: ").append(this.accountNonLocked).append("; ");
if (!authorities.isEmpty()) {
sb.append("Granted Authorities: ");
boolean first = true;
for (GrantedAuthority auth : authorities) {
if (!first) {
sb.append(",");
}
first = false;
sb.append(auth);
}
} else {
sb.append("Not granted any authorities");
}
return sb.toString();
}
}
CustomGrantedAuthority
public class CustomGrantedAuthority implements GrantedAuthority{
private String role;
private String permission,action;
public String getPermission() {
return permission;
}
public void setPermission(String permission) {
this.permission = permission;
}
public String getAction() {
return action;
}
public void setAction(String action) {
this.action = action;
}
public String getRole() {
return role;
}
public void setRole(String role) {
this.role = role;
}
#Override
public String getAuthority() {
return role;
}
}
CustomeUserDetailsService
#Service
#Transactional(readOnly = true)
public class CustomUserDetailsService implements UserDetailsService {
#Autowired
private OcUserService userService;
private static final Logger logger = LoggerFactory.getLogger(CustomUserDetailsService.class);
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
try {
sg.com.xx.xx.table.OcUser u = userService.findByLoginname(username);
String pass = sg.com.xx.xx.table.OcUser.byteToHex(u.getPassword());
Collection<? extends GrantedAuthority> permissionList = userService.getPermissionByUserId(u.getId());
boolean enabled = true;
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
boolean accountNonLocked = true;
CustomSpringSecurityUser user = new CustomSpringSecurityUser(u.getLoginname(),
pass,
enabled,
accountNonExpired,
credentialsNonExpired,
accountNonLocked,
permissionList);
return user;
} catch (Exception e) {
logger.error("==============================================");
logger.error(e.toString());
return null;
}
}
}
CustomPermission
public class CustomPermission implements PermissionEvaluator {
#Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
Collection<? extends GrantedAuthority> x = authentication.getAuthorities();
for(Object o : x)
{
CustomGrantedAuthority y = (CustomGrantedAuthority) o ;
if(y.getPermission().equals(targetDomainObject) )
if( y.getAction().equals(permission) )
return true;
}
return false;
}
#Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
int a = 5;
return true;
}
}
I don't know what you mean under resources, but I found that the best way to work with it in spring, is to grant users permissions (authorities) instead of roles, you still have roles, but they are there just to bundle up the permissions. After this is set up, you assign actual permissions for your views and methods. I found a data model here:
http://springinpractice.com/2010/10/27/quick-tip-spring-security-role-based-authorization-and-permissions/
What if you use Java Reflection to get every controller method, then you asign any of these methods to role relation to build a "dynamic role"? This way you could add or remove any action to any role at any moment. Maybe Spring Security is not required this way.
I cannot generate an appropriate GUI via roo for a one-to-many relationship. In particular, I would need a multiple choice element to select among the authorities (spring security) to associate to the user.
I created my RegisteredUser class:
#RooJavaBean
#RooToString
#RooJpaActiveRecord
public class RegisteredUser extends MyUser implements UserDetails,
CredentialsContainer {
private String password;
private String username;
private Boolean enabled = true;
private Boolean accountNonExpired = true;
private Boolean credentialsNonExpired = true;
private Boolean accountNonLocked = true;
#OneToMany(cascade = CascadeType.ALL, fetch = FetchType.LAZY)
private Set<MyBaseAuthority> authorities = new HashSet<MyBaseAuthority>();
#Override
public void eraseCredentials() {
password = null;
}
#Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return authorities;
}
#Override
public String getPassword() {
return password;
}
#Override
public String getUsername() {
return username;
}
#Override
public boolean isAccountNonExpired() {
return accountNonExpired;
}
#Override
public boolean isAccountNonLocked() {
return accountNonLocked;
}
#Override
public boolean isCredentialsNonExpired() {
return credentialsNonExpired;
}
#Override
public boolean isEnabled() {
return enabled;
}
}
Then MyBaseAuthority class:
#RooJavaBean
#RooToString
#RooJpaActiveRecord
public class MyBaseAuthority extends ObjectWithId implements
GrantedAuthority {
private String authority;
#Override
public String getAuthority() {
return authority;
}
}
Then I had to manually create the controller for MyBaseAuthority, but not for RegisteredUser (generated by webmvc command):
#RequestMapping("/registeredusers")
#Controller
#RooWebScaffold(path = "registeredusers", formBackingObject = RegisteredUser.class)
public class RegisteredUserController {
}
#RequestMapping("/authorities")
#Controller
#RooWebScaffold(path = "authorities", formBackingObject = MyBaseAuthority.class)
public class MyBaseAuthorityController {
}
On the GUI, I can create and list all authorities and registered users. However, when creating a registered user, I can only set string fields and boolean fields, but not the one-to-many relationship. How can I fix that?
If I were trying to acomplish this task I would print out all of my checkboxes with the available options as array keys with a name like so:
<input type="checkbox" name="role[]" value="ROLE_ONE">
<input type="checkbox" name="role[]" value="ROLE_TWO">
Then, I would map these parameters to a String[] array like in this post
#RequestParam(value="myParam[]" String roles)
I would then loop over the strings and add create the MyBaseAuthority objects, attach your user and persist() them.