The task that one asks to me seems to me really impossible.
We use Spring, and Swagger UI to test the Back-End Spring.
We have a Rest controller with a method for the login presenting 2 parameters annotated #RequestParameter (one for the login, and the second one for the password).
#PostMapping("/login")
public JSONObject login(#RequestParam(name = "username")String username, #RequestParam(name = "password")String password ){
return null;
// controller for Swagger-UI
// managed by Spring security
}
Necessarily, we send to the server an HTTP request with the password as plaintext :
https://myserveraddress:8443/MyApplication/login?password=mySecretPassword&username=myLogin
One asks me to "hide" in the URL the password, to hide the value of the parameter called password sent to the Backend server, without changing the signature of this method.
I need an advice.
It seems to me impossible.
I have no idea.
Even by replacing #RequestParameter by #RequestHeader, the value of the password will be sent to the server (hopefully) and see.
I am within inches of saying it's not possible.
Thanks a lot for your help to confirm or infirm by giving me a miraculous solution.
Related
I am using spring boot, specifically spring-boot-starter-oauth2-client dependency for google login. Everything is working fine except that I need to send some details in the request and then retrieve them back from the response so that I can use those details. I did some research and found that I can do that by using state parameter while sending the Oauth Request. I can successfully set the "state" value in my custom OAuth2AuthorizationRequestResolver as below:
private OAuth2AuthorizationRequest customizeAuthorizationRequest(OAuth2AuthorizationRequest req,
HttpServletRequest request) {
String state = Base64.getEncoder().encodeToString("test".getBytes());
return OAuth2AuthorizationRequest.from(req).state(state).build();
}
This is all working fine! However, I'm not sure how to retrieve this value from the response. I can see there is OidcAuthorizationCodeAuthenticationProvider.java which is doing all the magic of creating the user after the authentication. I thought I could somehow override it and get the state value but I can't seem to figure out how to do it. I'm also thinking there maybe an easier way. What do you think?
I need to access a jwt sent in authorization header. I also have to disable the proactive auth check. How can I get the token?
I have this class which used to work when proactive auth was enabled:
#RequestScoped
public class AccessRights {
#Inject
JsonWebToken accessToken;
public boolean validateAccess() {
if(accessToken.getRawToken() == null)
throw new AccessDeniedException("Invalid Access Token");
JsonObject claim = accessToken.getClaim("claim");
// ... do some validation ...
}
}
When I set quarkus.http.auth.proactive=false it stops working. The accessToken is always null. Now that is expected since its documented here https://quarkus.io/guides/security-jwt#proactive-authentication and here https://quarkus.io/guides/security-built-in-authentication#proactive-authentication. I tried to use the alternative way suggested in the docs, but I cannot get it to run.
Problem: I don't know how to get a JsonWebToken from the suggested workaround
Problem: Even when I try to use securityIdentity instead, it is always null. Plus I don't know yet how to actually use it for validation.
#RequestScoped
public class AccessRights {
#Inject
CurrentIdentityAssociation currentIdentityAssociation;
public boolean validateAccess() {
SecurityIdentity identity = identities.getDeferredIdentity().await().indefinitely();
// identity is always null
}
}
EDIT:
To add more context: I have a graphQL API and the initial problem was, that if I receive an expired token, the framework will respond with a 401 unauthorized error. However as is best practice in graphQL, I need to respond with a 200 with json body that describes the error. The proactive auth check prevents the graphql error handler to kick in. That is why I disabled it, effectively making things worse.
Here is how the whole auth process in my application works:
The API receives a request that should contain a bearer token (JWT) in the authorization header. The token is acquired somewhere else. My application needs to validate the issuer and expiration time. This part used to be handled by the pro-active auth check. After that my custom validateAccess() method will extract some roles from the token. If those roles are not present, I will call an external api, providing the raw token, to get back some more detailed access rights.
I believe you missed something important here.
Docs says that :
By default, Quarkus does what we call proactive authentication. This means that if an incoming request has a credential then that request will always be authenticated (even if the target page does not require authentication).
Which implicitly means : if you disable proactive auth, you need to require auth to be done before accessing resource.
That may be part of your problem, as you disabled proactive auth, you'll have to explicitly restrict access to resources to authenticated clients. Otherwise, no auth is performed and thus SecurityIdentity is null.
If you already tried that, please add more code and context. I'll gladly edit my response.
EDIT 1 :
I see 2 distinct problems in informations you added :
You got to validate token (if proactive auth is disabled)
You got to get response code 200 with error details instead of 401
But as you clearly stated, token validation works out of the box with proactive enabled.
So, I would suggest you to let proactive auth do its job. Then, I would add an ExceptionMapper.
This way, you can write custom code for Exception unfolding, and you can respond what you want for every situation.
See ExceptionMappers documentation for more
In my Spring MVC application I am using spring security. It works fine so far, but I have to admit, I do not understand all the details.
In the same application the user can call some controller functions by rest api. When the user (lets say Tom) does this, his authentication is lost. Instead the controller is called by user anonymous.
I tracked down that "user switch" to the code below. Variable restCall contains an url to my application. That call would work for user Tom, if he would place it in the browser directly. Using the restcall, the user changes to anyonymous.
1) Can I prevent that, when the calling User (Tom) was already logged in?
2) As those services should be called by a user that is not already browsing the web interface of the application, I would have to find a way to login by the rest call itself.
private void callWebservice(HttpServletRequest req, String restCall) {
RestTemplate restTemplate = new RestTemplate();
ResponseEntity<String> response
= restTemplate.getForEntity(restCall, String.class);
logger.debug(response.toString());
//assertThat(response.getStatusCode(), equalTo(HttpStatus.OK));
}
You need, for example, a JSON Web Token (JWT) Authentication.
Steps are the following:
1) Client does an authentication, a post request with username and password
2) If authentication is successful, server returns a token in which is coded the user
3) In your next call, GET or POST, you add JWT to your header, this way the server will know who you are, because server can decode the token, and can grant also the right authorities and functionalities
A HTML5 UI is connected to the backend (REST Jersey to business logic to Hibernate and DB). I need to create and maintain a session for each user login until the user logs out.
I am clueless on how to approach this problem.
I followed this approach
Initially when the User is successfully logs in , i am setting attribute under session as shown below
HttpSession session = request.getSession(true);
session.setAttribute("islogged", "islogged");
String value = (String)session.getAttribute("islogged");
System.out.println("****************** The User Logge in Value"+value);
Later in a different page i am checking if the user is logged in or not this way
public String checkIfUserLoggedIn() throws JSONException,ClassNotFoundException, SQLException
{
HttpSession session = request.getSession();
String value = (String)session.getAttribute("islogged");
if(value==null)
{
// always its coming here only
}
}
I agree with francesco foresti, please do not rely on HTTP session without Auth. this is unsafe, and quite dangerous for your app.
Have you been implementing a specific session mecanism ?
If not, jersey as it is will not store session data as it. Every call that you will make will give you a session id that is different from yours.
You have to make authentication & use the auth token in order to identify you session.
use JAX-RS
Please do use an auth mecanism as defined : https://jersey.java.net/documentation/latest/security.html
#Path("authentication")
#Singleton
public static class MyResource {
// Jersey will inject proxy of Security Context
#Context
SecurityContext securityContext;
#GET
public String getUserPrincipal() {
return securityContext.getUserPrincipal().getName();
}
}
or use another framework : Spring, Shiro.... etc.
I really prefer that solution, since another framework will implement a lot of stuff for you. You gain a lot of time doing so.
Please take a look to official jersey doc: https://jersey.java.net/documentation/latest/index.html
I wouldn't rely on the http session. My approach would be to put an "Authorization" field in the header of the response that the server returns when the user logs in, and ask the user to put the very same header in each suqsequent call. In this header you put the informations that help the server find the identity of the user
(take a look at what twitter does as an example : https://dev.twitter.com/oauth/overview/authorizing-requests). The server could save the informations about the logged in user in the database, or You could create a Map in a Singleton that would serve as the "authorization gatekeeper" for your services.
I have been working on this for several days, and hope someone can help me.
There are three requirements for the authentication processing.
Authentication using OpenID, login page is login.jsp. After login is successfully, display the username and email address at login-succ.jsp
There is a input field in the login.jsp, I also need to display the value of mymessage in the login-succ.jsp if login is successfully
After login successfully, user is in the login-succ.jsp, with his username email address and mymessage value. If user refresh the login-succ.jsp page, these three values should be display again.
I have tried to achieve these three requirements using CustomOpenIDAuthenticationFilter at my another post, but if I save the message into session and there are two instances of login.jsp, the two instances will overwrite the message values to each other after refresh action. I do not know if I am doing everything wrong. So can anyone please give me some suggestions about how to meet these three requirements using Spring security and Spring MVC.
Thanks.
To me, this feels like a design that is begging for some type of injection attack (taking a URL parameter that is displayed blindly on the page to the user is a really bad idea).
Instead, I would stick the message in the HttpSession prior to the user being redirected to OpenID login, and retrieve the message after they are successfully redirected. Obviously, you would need code to clear the message from the session upon failure, logout, etc.