I'm using Spring Boot OAuth Authorization Server (old stack) and implementing my own versions of ClientDetailsService and UserDetailsService, using Oauth2 password flow.
Our JpaClientDetailsService implements loadClientByClientId and returns a ClientDetails, with the details of the client that is being authenticated.
#Service
public class JpaClientDetailsService implements ClientDetailsService {
#Override
public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
BaseClientDetails baseClientDetails = new BaseClientDetails(...);
//do processing....
return baseClientDetails;
}
}
After that, the method loadUserByUsername of our implementation of JpaUserDetailsService is called, receiving the username of user that is trying to authenticate:
#Service
public class JpaUserDetailsService implements UserDetailsService {
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return null;
}
}
My question is:
How could I access the current ClientDetails, returned by JpaClientDetailsService.loadClientByClientId inside JpaUserDetailsService.loadUserByUsername?
Thanks!
I realized that SecurityContextHolder.getContext().getAuthentication() contains information about the client that is being authenticated. So, I was able to get the client's name and load it's data as follow:
#Service
public class JpaUserDetailsService implements UserDetailsService {
#Autowired
private OAuthClientsRepository oAuthClientsRepository;
#Override
public org.springframework.security.core.userdetails.UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//Gets the Authentication from SecurityContextHolder
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
//ClientId is 'Principal's' Username
var clientId = ((User) authentication.getPrincipal()).getUsername();
//Gets clientDetails from JPA Repository. This would execute another Roundtrip to Database, but since we have 2nd level cache configured, this
//problema is minimized.
ClientDetails authClient = oAuthClientsRepository
.findByClientId(clientId)
.orElseThrow(() -> new NoSuchClientException(String.format("ClientId '%s' not found", clientId)));
//....
}
}
That's it.
Related
Given is a Spring Boot application with a custom ProviderManager:
#Component
public class CustomProviderManager extends ProviderManager {
public CustomProviderManager(
AuthenticationProvider internalAuthenticationProvider,
AuthenticationProvider devUserAuthenticationProvider) {
super(internalAuthenticationProvider, devUserAuthenticationProvider);
}
}
The SecurityFilterChain is setup with a custom UsernamePasswordAuthenticationFilter:
#Bean
public SecurityFilterChain mvcFilterChain(HttpSecurity http) throws Exception {
return http
//....
.addFilterAt(internalUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
//....
}
And here the custom UsernamePasswordAuthenticationFilter:
#Component
public class InternalUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
private final SecurityContextRepository securityContextRepository;
private final AuthenticationFailureHandler authenticationFailureHandler;
private final AuthenticationSuccessHandler authenticationSuccessHandler;
#PostConstruct
private void setup() {
super.setUsernameParameter("identifier");
super.setPasswordParameter("password");
super.setFilterProcessesUrl("/authenticate");
super.setSecurityContextRepository(securityContextRepository);
super.setAuthenticationFailureHandler(authenticationFailureHandler);
super.setAuthenticationSuccessHandler(authenticationSuccessHandler);
super.afterPropertiesSet();
}
public InternalUsernamePasswordAuthenticationFilter(
AuthenticationManager customProviderManager,
SecurityContextRepository delegatingSecurityContextRepository,
AuthenticationFailureHandler authenticationFailureHandler,
AuthenticationSuccessHandler authenticationSuccessHandler) {
this.securityContextRepository = delegatingSecurityContextRepository;
this.authenticationFailureHandler = authenticationFailureHandler;
this.authenticationSuccessHandler = authenticationSuccessHandler;
super.setAuthenticationManager(customProviderManager);
}
#Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
//....
}
}
What I want to do now is testing the authentication logic. But instead of using the authentication providers of the application, I want to use a special UserDetailsManager for testing only. The current TestConfiguration class containing a TestUserDetailsManager looks like that:
#TestConfiguration
public class TestUserDetailsManagerConfig {
#Bean
#Primary
public UserDetailsManager testUserDetailsManager() {
User.UserBuilder users = User.builder();
UserDetails testUser = users
.username("test-user#example.com")
.password("test-user")
.roles("USER")
.build();
UserDetails testAdmin = users
.username("test-admin#example.com")
.password("test-admin")
.roles("ADMIN")
.build();
return new InMemoryUserDetailsManager(testUser, testAdmin);
}
}
And finally, a test method that should authenticate against the TestUserDetailsManager:
#SpringBootTest
#Import(TestUserDetailsManagerConfig.class)
public class InternalAuthenticationTest {
#Autowired WebApplicationContext context;
MockMvc mvc;
#BeforeEach
void setup() {
mvc = MockMvcBuilders
.webAppContextSetup(context)
.apply(SecurityMockMvcConfigurers.springSecurity())
.build();
}
#Test
void form_login_redirects_role_admin_to_page_admin_after_authentication() throws Exception {
MvcResult result = mvc
.perform(SecurityMockMvcRequestBuilders
.formLogin()
.loginProcessingUrl("/authenticate")
.user("identifier", "test-admin#example.com")
.password("password", "test-admin"))
.andExpect(MockMvcResultMatchers.redirectedUrl(AUTH_LOGIN_SUCCESS_ADMIN_REDIRECT_URL))
.andExpect(SecurityMockMvcResultMatchers.authenticated()
.withUsername("test-admin#example.com").withRoles("ADMIN")
.withAuthentication(auth -> assertThat(auth).isInstanceOf(UsernamePasswordAuthenticationToken.class)))
.andReturn();
}
}
My naive approach unfortunately does not work, and as the log shows, the authentication checks are done against the application provider, but not against the TestUserDetailsManager:
Invoking InternalUsernamePasswordAuthenticationFilter (7/12)
Authenticating request with InternalAuthenticationProvider (1/2)
Failed to find user credential for email 'test-admin#example.com'
Authenticating request with $Proxy157 (2/2)
Failed to find user 'test-admin#example.com'
Failed to process authentication request
-> Bad credentials
My question now:
How can I inject the TestUserDetailsManager into the CustomProviderManager so that the authentication (not authorization) tests work with special test users?
edit:
The question somewhat more generally:
How can I test the authentication of a Spring Boot application using a special UserDetailsManager for test cases only?
Many thanks in advance
I'm trying to add OAuth2 login to an existing form login application. So far I've added the required configuration to get Google auth working and the goal is to enable existing username/password users (or new users) to login both ways.
All my controllers rely on my UserDetails implementation:
public class User implements UserDetails {
private Long id;
private String email;
private String password;
private String googleAccessToken;
// ...
And I can get the logged user in controllers like this:
#GetMapping
public String index(#AuthenticationPrincipal User user, Model model) {
So what I've done is to implement my custom OAuth2UserService to fetch the existing user from the database but I can't find the way to set the User as the principal.
In previous versions of the OAuth2 integration it seemed to exist a simpler solution based on PrincipalExtractor but it is no longer available.
#Service
#RequiredArgsConstructor
public class OAuth2UserDetailsService implements OAuth2UserService<OidcUserRequest, OidcUser> {
private final UsersRepository usersRepository;
#Override
public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
final OidcUserService delegate = new OidcUserService();
User user;
// Delegate to the default implementation for loading a user
OidcUser oidcUser = delegate.loadUser(userRequest);
switch (userRequest.getClientRegistration().getClientName()) {
case "google":
user = usersRepository.findOneByGoogleAccessToken(userRequest.getAccessToken());
break;
default:
throw new OAuth2AuthenticationException(new OAuth2Error("invalid_token"));
}
// here I should return my user principal
return new DefaultOidcUser(null, null);
}
Any ideas?
Finally solved this returning an instance of OidcUser:
public class UserPrincipal implements UserDetails, OidcUser {
// ...
}
And in the OAuth2UserService:
#Override
public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
final OidcUserService delegate = new OidcUserService();
User user;
// Delegate to the default implementation for loading a user
OidcUser oidcUser = delegate.loadUser(userRequest);
// ...
return new UserPrincipal(user, oidcUser);
}
Iam trying to get introduce on OAuth2 by using this working tutorial https://www.devglan.com/spring-security/spring-boot-security-oauth2-example
This tutorial is very good explained, but we have to define on two places User/Password, but why?
This is what I do not understand...
First place in AuthorizationServerConfig :
configurer
.inMemory()
.withClient(CLIEN_ID)
.secret(CLIENT_SECRET)
.authorizedGrantTypes(GRANT_TYPE_PASSWORD, AUTHORIZATION_CODE, REFRESH_TOKEN, IMPLICIT )
.scopes(SCOPE_READ, SCOPE_WRITE, TRUST)
.accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS).
refreshTokenValiditySeconds(FREFRESH_TOKEN_VALIDITY_SECONDS);
especially for
.withClient(CLIEN_ID)
.secret(CLIENT_SECRET)
Second place in the DB:
#Service(value = "userService")
public class UserServiceImpl implements UserDetailsService, UserService {
#Autowired
private UserDao userDao;
public UserDetails loadUserByUsername(String userId) throws UsernameNotFoundException {
User user = userDao.findByUsername(userId);
if(user == null){
throw new UsernameNotFoundException("Invalid username or password.");
}
return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), getAuthority());
}
first, i've read/re-read (repeat 10 times), at least 6 books on spring and spring security and have googled my brains out trying to figure it all out.
after working w/ spring for 10 years, i still find that there is so much annotation-defined, injected, component, config annotation magic going on that i have 0 confidence that i understand my applications as i should.
examples online are either xml-config, not complete, done n diff. ways, overly simplistic, using older spring, conflicting and just simply not built to handle a basic realistic use-case.
as an example, the following code is trying to handle a simple logon, authenticated to db table using an encoder for passwords.
form post includes a "client" to which one authenticates to, a persisted IP address and some url path info for deep linking post logon.
(all really basic stuff for today's single-page web apps)
i originally had this working using xml config, but javaConfig has me stuck.
i have no idea how the userDetailsService, AuthenticationManagerBuilder and PasswordEncoder interact in SecurityConfiguration. I get logon data to the service, but am not sure where or when a spring authenticationProvider is applied or if i even need one.
my User implements UserDetails and holds the required fields.
i populate those and granted authorities in my CustomUserDetailsService.
how/when/why do i need an auth.authenticationProvider(authenticationProvider()), if i check db using logon/password in my service?
my UserDetailsService seems to be executing twice now.
how does spring take the submitted password, encode it and compare to that stored in the db?
how does it know to use the same salt as that used when the p/w was created/persisted when the user was created?
why does configureGlobal() define both auth.userDetailsService and auth.authenticationProvider when authenticationProvider() also sets the userDetailsService?
why is my brain so small that i cannot make sense of this ? :)
#Service
public class CustomUserDetailsService implements UserDetailsService {
#Autowired
private ClientDAO clientDAO;
#Autowired
private UserDAO userDAO;
public UserDetails loadUserByUsername(String multipartLogon) throws UsernameNotFoundException, DataAccessException {
Boolean canAccess = false;
Long clientId = null;
String userLogon = null;
String password = null;
String id = null;
String entryUrl = null;
String ipAddress = null;
String urlParam = null;
String[] strParts = multipartLogon.split(":");
try {
userLogon = strParts[0];
password = strParts[1];
id = strParts[2];
entryUrl = strParts[3];
ipAddress = strParts[4];
urlParam = strParts[5];
} catch(IndexOutOfBoundsException ioob) { }
Client client = new Client();
if (!"".equals(id)) {
clientId = IdUtil.toLong(id);
client = clientDAO.getClient(clientId);
}
//BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
//String encodedPassword = passwordEncoder.encode(password);
//String encodedPassword = "$2a$22$6UiVlDEOv6IQWjKkLm.04uN1yZEtkepVqYQ00JxaqPCtjzwIkXDjy";
User user = userDAO.getUserByUserLogonPassword(userLogon, password); //encodedPassword?
user.isCredentialsNonExpired = false;
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
for (UserRole userRole : userDAO.getUserRolesForUser(user)) {
if (userRole.getRole().getActiveStatus()) {
authorities.add(new SimpleGrantedAuthority(userRole.getRole().getRoleName()));
user.isCredentialsNonExpired = true;
}
}
user.setAuthorities(authorities);
user.setPassword(password); //encodedPassword?
user.setUsername(user.getUserLogon());
user.isAccountNonExpired = false;
user.isAccountNonLocked = false;
List<ClientUser> clientUsers = clientDAO.getClientUsersForUser(user);
for (ClientUser clientUser : clientUsers) {
if (clientUser.getClient().getClientId().equals(client.getClientId())) {
canAccess = true;
break;
}
}
user.isEnabled = false;
if (user.getActiveStatus() && canAccess) {
user.isAccountNonExpired = true;
user.isAccountNonLocked = true;
user.isEnabled = true;
Session session = userDAO.getSessionForUser(user);
if (session == null) { session = new Session(); }
session.setUser(user);
session.setDateLogon(Calendar.getInstance().getTime());
session.setClient(client);
session.setEntryUrl(entryUrl);
session.setUrlParam(urlParam);
session.setIPAddress(ipAddress);
session.setActive(true);
userDAO.persistOrMergeSession(session);
}
return user;
}
}
#Configuration
#EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Autowired
CustomUserDetailsService customUserDetailsService;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService);
auth.authenticationProvider(authenticationProvider());
}
#Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
#Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(customUserDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/conv/a/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_COURT_ADMIN')")
.antMatchers("/conv/u/**").access("hasRole('ROLE_USER') or hasRole('ROLE_ADMIN') or hasRole('ROLE_COURT_ADMIN')")
.antMatchers("/**").permitAll()
.and()
.formLogin()
.loginPage("/conv/common/logon")
.usernameParameter("multipartLogon")
.loginProcessingUrl("/conv/common/logon")
.defaultSuccessUrl("/conv/")
.failureUrl("/conv/common/logon?error=1")
.and()
.logout()
.logoutUrl("/conv/common/logout")
.logoutSuccessUrl("/conv/")
.permitAll()
.and()
.rememberMe()
.key("conv_key")
.rememberMeServices(rememberMeServices())
.useSecureCookie(true);
}
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/common/**")
.antMatchers("/favicon.ico");
}
#Bean
public RememberMeServices rememberMeServices() {
TokenBasedRememberMeServices rememberMeServices = new TokenBasedRememberMeServices("conv_key", customUserDetailsService);
rememberMeServices.setCookieName("remember_me_cookie");
rememberMeServices.setParameter("remember_me_checkbox");
rememberMeServices.setTokenValiditySeconds(2678400); //1month
return rememberMeServices;
}
}
my User implements UserDetails and holds the required fields. i
populate those and granted authorities in my CustomUserDetailsService.
how/when/why do i need an
auth.authenticationProvider(authenticationProvider()), if i check db
using logon/password in my service?
I think what you want is:
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService).passwordEncoder(passwordEncoder());
}
The userDetailsService method is a shortcut for creating DaoAuthenticationProvider bean! You should not need both, its just two different ways to configure the same thing. The authenticationProvider method is used for more custom setups.
how does spring take the submitted password, encode it and compare to
that stored in the db? how does it know to use the same salt as that
used when the p/w was created/persisted when the user was created?
If you are using BCrypt, the salt is stored in the encoded password value. The salt is the first 22 characters after the third $ (dollar) sign. The matches method is responsible for checking the password.
why does configureGlobal() define both auth.userDetailsService and
auth.authenticationProvider when authenticationProvider() also sets
the userDetailsService?
See above. This is likely why user details are loaded twice.
Update: It is weird that you get password and other details into your UserDetailsService. This should only load user based on username, something like:
User user = userDAO.getUserByUserLogonPassword(userLogon);
The returned User object should contain the encoded (stored) password, not the entered password. Spring Security does the password checking for you. You should not modify the User object in you UserDetailsService.
Wow, ok that's a lot of questions. I'll speak to this one:
"I have no idea how the userDetailsService, AuthenticationManagerBuilder and PasswordEncoder "
The UserDetailsService sets up the User which you can access from Spring. If you want more user information stored in the context on the user, you need to implement your own user and set that up with your custom user details service. e.g.
public class CustomUser extends User implements UserDetails, CredentialsContainer {
private Long id;
private String firstName;
private String lastName;
private String emailAddress;
....
And then, in your custom UserDetailsService, you set the properties:
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
DatabaseEntity databaseUser = this.userRepository.findByUsernameIgnoreCase(username);
customUser customUser = databaseUser.getUserDetails();
customUser.setId(databaseUser.getId());
customUser.setFirstName(databaseUser.getFirstname());
.....
The password encoder, is the mechanism Spring uses to compare the plain-text password to the encrypted hash in your database. You can use the BCryptPasswordEncoder:
#Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
Aside from passing that to your auth provider, you do need to do any more.
Finally, configureGlobal is where you wire things up. You define your user details service Spring is to use and the authentication provider.
In my case, I use a custom authentication provider to limit failed login attempts:
#Component("authenticationProvider")
public class LimitLoginAuthenticationProvider extends DaoAuthenticationProvider {
And then I wire everything up:
#Autowired
#Qualifier("authenticationProvider")
AuthenticationProvider authenticationProvider;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
LimitLoginAuthenticationProvider provider = (LimitLoginAuthenticationProvider)authenticationProvider;
provider.setPasswordEncoder(passwordEncoder);
auth.userDetailsService(customUserDetailsService()).passwordEncoder(passwordEncoder);
auth.authenticationProvider(authenticationProvider);
}
So, how can I get the user's id from a current logged user from any social providers?
Well I know I can build a custom SocialUser, the same I do for User, but in the case there is no getter on SocialUserDetails and the method I got just accepts userDetails, instead of a normal "Person" entity.
public class SocialUsersDetailServiceImpl implements SocialUserDetailsService {
private UserDetailsService service;
public SocialUsersDetailServiceImpl(UserDetailsService service) {
this.service = service;
}
#Override
public CSocialUserDetails loadUserByUserId(String username) throws UsernameNotFoundException, DataAccessException {
UserDetails userDetails = (UserDetails) service.loadUserByUsername(username);
return new CustomSocialUser(userDetails.getUsername(), userDetails.getPassword(), userDetails.getAuthorities(), userDetails.getUserIdentifier()??);
}
}
But there is no ".getUserIdentifier()" method on UserDetails, there is some workaround for this?
The way I do for User:
#Service
public class UserDetailsServiceImpl implements CUserDetailsService {
#Resource
private PersonRepository respository;
#Override
public CUserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Person p = repository.findByUsername(username);
return new CUser(p.getUsername(), p.getPassword(), p.grantedAuthorities(), p.getIdPerson());
}
}
and the CUser:
public class CUser extends User{
private Number identifier;
public CUser(String username, String password, Collection<? extends GrantedAuthority> authorities, Number identifier) {
super(username, password, authorities);
this.identifier = identifier;
}
public Number getUserIdentifier() {
return identifier;
}
}