In our last feign client security configuration we have this Bean:
#Bean
public RequestInterceptor oauth2FeignRequestInterceptor(
ClientCredentialsResourceDetails oauth2RemoteResource) {
return new OAuth2FeignRequestInterceptor(
new DefaultOAuth2ClientContext(),
oauth2RemoteResource
);
}
In 2.3 spring version OAuth2FeignRequestInterceptor is deprecated! But we cannot found the new one.
Anyone knows something about that?
You can create your own RequestInterceptor to add the Authorization header.
There's an example here:
https://developer.okta.com/blog/2018/02/13/secure-spring-microservices-with-oauth
I had the same problem, I needed a request interceptor to call through a Feign client to a another microservice.
The idea is very easy, The only thing that I needed to implement was a custom RequestInterceptor annonted with #Component that inject the current JWT from the security context to the Authorization Header.
You can view this component as follows:
#Component
#Slf4j
public class FeignClientInterceptor implements RequestInterceptor {
private static final String AUTHORIZATION_HEADER = "Authorization";
private static final String TOKEN_TYPE = "Bearer";
#Override
public void apply(RequestTemplate requestTemplate) {
log.debug("FeignClientInterceptor -> apply CALLED");
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null && authentication instanceof JwtAuthenticationToken) {
final JwtAuthenticationToken jwtAuthToken = (JwtAuthenticationToken) authentication;
requestTemplate.header(AUTHORIZATION_HEADER, String.format("%s %s", TOKEN_TYPE, jwtAuthToken.getToken().getTokenValue()));
}
}
}
Next, I can use the feign client successfully
final APIResponse<ProcessedFileDTO> response = filesMetadataClient.getProcessedFileByName(uploadFile.getOriginalFilename());
if (response.getStatus() == ResponseStatusEnum.ERROR
&& response.getHttpStatusCode() == HttpStatus.NOT_FOUND) {
sendFileToSftp(uploadFile);
} else {
throw new FileAlreadyProcessedException();
}
Related
I have two microservices, lets name them A and B, behind a Spring Cloud Gateway. There is also an OAuthServer. When a users send a request to service A they have first to get a JWT token from the oAuthServer using the password flow.
The caveat is that service A needs to communicate with service B but for that it needs an access token. The idea is to use the JWT provided by the user when accessing service A by relaying it to service B thus making the request.
In previous versions of Spring Boot I would use OAuth2RestTemplate but now I need to use Webclient.
What I have done is to create a filter to extract the Bearer token from the incoming request in service A and then store it in a singleton class and add it manually to the outbound call.
#Component
public class JWTAuthorizationFilter extends OncePerRequestFilter {
private static final Logger log = LoggerFactory.getLogger(JWTAuthorizationFilter.class);
private final String HEADER = "Authorization";
private final String PREFIX = "Bearer ";
private TokenStore tokenStore;
#Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
if (checkJWTToken(request, response)) {
String token = extractToken(request);
if (token != null) {
log.info("*****RECEIVED REQUEST WITH TOKEN {}. ", token);
log.info("***** Will store it for future requests.");
tokenStore = TokenStore.getInstance();
tokenStore.setToken(token);
// setUpSpringAuthentication(token);
} else {
SecurityContextHolder.clearContext();
}
}
chain.doFilter(request, response);
}
private String extractToken(HttpServletRequest request) {
String jwtToken = request.getHeader(HEADER).replace(PREFIX, "");
return jwtToken;
}
private boolean checkJWTToken(HttpServletRequest request, HttpServletResponse res) {
String authenticationHeader = request.getHeader(HEADER);
if (authenticationHeader == null || !authenticationHeader.startsWith(PREFIX))
return false;
return true;
}
The TokenStore
public class TokenStore {
private static TokenStore instance;
private String token;
private TokenStore() {
}
public static synchronized TokenStore getInstance() {
if (instance == null) {
instance = new TokenStore();
}
return instance;
}
public String getToken() {
return token;
}
public synchronized void setToken(String token) {
this.token = token;
}
}
And finally the web client:
#Bean
#LoadBalanced
#Profile("!default")
public WebClient.Builder loadBalancedWebClientBuilder() {
final WebClient.Builder builder = WebClient.builder();
return builder;
}
Using it:
Mono<Map<Long, DrawDTO>> mono = getWebClient().get().uri(url)
.header("Authorization", "Bearer " + tokenStore.getToken()).retrieve().bodyToFlux(DTO.class)
.map(d -> Tuples.of(Long.parseLong(d.getUniqueId()), d))
.collectMap(tuple -> tuple.getT1(), tuple -> tuple.getT2()).log()
.onErrorMap(WebClientResponseException.class, ex -> handleException(ex)).timeout(Duration.ofSeconds(5));
However, I am pretty sure that the above is a mistake. TokenStore being a singleton if two requests come from users X and Y at the same time the second filter invocation will override the token of the first. So essentially service A will use user's Y token to complete the request of user X. So in case user's X access level is lower than Y this is a security issue.
Am I wrong about the above? If yes what can I do to fix it?
One solution I found was to use client credentials for intra-service communications but I am not 100% sure how to do it with Spring Boot 2.2.6 and Spring Security 5.
Is there a correct way to do what I initially intended?
In Springboot webflux, I can get the current principle using this code
Object principal = ReactiveSecurityContextHolder.getContext().getAuthentication().getPrincipal();
If the user is authenticated. But I have a case in which the JWT token will be sent as a query paramenter not as the authorization header, I know how to convert the token into Authentication object
How i can inject that Authentication object into the current ReactiveSecurityContextHolder
You can set your own Authentication and take the token from query params as follows:
#Component
public class CustomAuthentication implements ServerSecurityContextRepository {
private static final String TOKEN_PREFIX = "Bearer ";
#Autowired
private ReactiveAuthenticationManager authenticationManager;
#Override
public Mono<Void> save(ServerWebExchange serverWebExchange, SecurityContext securityContext) {
throw new UnsupportedOperationException("No support");
}
#Override
public Mono<SecurityContext> load(ServerWebExchange serverWebExchange) {
ServerHttpRequest request = serverWebExchange.getRequest();
String authJwt = request.getQueryParams().getFirst("Authentication");
if (authJwt != null && authJwt.startsWith(TOKEN_PREFIX)) {
authJwt = authJwt.replace(TOKEN_PREFIX, "");
Authentication authentication =
new UsernamePasswordAuthenticationToken(getPrincipalFromJwt(authJwt), authJwt);
return this.authenticationManager.authenticate(authentication).map((authentication1 -> new SecurityContextImpl(authentication)));
}
return Mono.empty();
}
private String getPrincipalFromJwt(String authJwt) {
return authJwt;
}
}
This is a simple code block demonstrating how can you achieve your goal. You can improve getPrincipalFromJwt() method to return a different object that you would like to set as principal. Or you can use a different implementation of Authentication (as opposed to UsernamePasswordAuthenticationToken in this example) altogether.
I have an oauth2 client that get a token from an authorization server successfully. (not always has been the case but now it is... :))
The client, the zuul gateway and the resource server are all registered in Eureka.
My client use a Proxy to access to a remote ressource service named microservice-files.
#RestController
#FeignClient(name = "zuul-server")
#RibbonClient(name = "microservice-files")
public interface ProxyMicroserviceFiles {
#GetMapping(value = "microservice-files/root")
FileBean getUserRoot();
}
So I'd like to relay the token to Zull and then to the resource server.
I can relay the token this way to contact Zuul and apparently the load balancing is managed too (I've just test I didn't know and it's great) also zuul can relay the token, but it's not very convenient I'd prefer the previous approach.
#EnableConfigurationProperties
#SpringBootApplication
#EnableFeignClients("com.clientui")
public class ClientUiApplication {
#Bean
public OAuth2RestOperations restOperations(
OAuth2ProtectedResourceDetails resource,
OAuth2ClientContext context) {
return new OAuth2RestTemplate(resource, context);
}
public static void main(String[] args) {
SpringApplication.run(ClientUiApplication.class, args);
}
}
here is the test controler
#Controller
public class ClientController {
#Autowired
private RestOperations restOperations;
#RequestMapping("/root")
public ResponseEntity userRootTest() {
String rootUrl = "http://localhost:9004/microservice-files/root";
return restOperations.getForEntity(rootUrl,FileBean.class);
}
}
If I correctly understand your problem then you can use a RequestInterceptor to add a token in each request by the feign. In order to do it you can use the next configuration:
#Bean
public RequestInterceptor oauth2FeignRequestInterceptor(OAuth2ClientContext oauth2ClientContext,
OAuth2ProtectedResourceDetails resource) {
return new OAuth2FeignRequestInterceptor(oauth2ClientContext, resource);
}
#Bean
protected OAuth2ProtectedResourceDetails resource() {
AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
resource.setAccessTokenUri("http://127.0.0.1:9000/auth/login");
resource.setUserAuthorizationUri("http://127.0.0.1:9000/auth/authorize");
resource.setClientId("my-client");
resource.setClientSecret("my-secret");
return resource;
}
This is what I did to make it work.
#Bean(name = "oauth2RestTemplate")
#LoadBalanced
public OAuth2RestTemplate restTemplate(SpringClientFactory clientFactory) {
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resourceDetails());
RibbonLoadBalancerClient ribbonLoadBalancerClient = new RibbonLoadBalancerClient(clientFactory);
LoadBalancerInterceptor loadBalancerInterceptor = new LoadBalancerInterceptor(ribbonLoadBalancerClient);
ClientCredentialsAccessTokenProvider accessTokenProvider = new ClientCredentialsAccessTokenProvider();
accessTokenProvider.setInterceptors(Arrays.asList(loadBalancerInterceptor));
restTemplate.setAccessTokenProvider(accessTokenProvider);
return restTemplate;
}
public ClientCredentialsResourceDetails resourceDetails() {
ClientCredentialsResourceDetails clientCredentialsResourceDetails = new ClientCredentialsResourceDetails();
clientCredentialsResourceDetails.setId("1");
clientCredentialsResourceDetails.setClientId("my-ms");
clientCredentialsResourceDetails.setClientSecret("123");
clientCredentialsResourceDetails.setAccessTokenUri("http://oauth-server/oauth/token");
clientCredentialsResourceDetails.setScope(Arrays.asList("read"));
clientCredentialsResourceDetails.setGrantType("client_credentials");
return clientCredentialsResourceDetails;
}
I have a Spring OAuth 2 server based on Spring Boot 1.5 (Spring Security v4) which generates customized tokens and a few resource servers who communicate with this authorization server, making use of /oauth/check_token endpoint by configuration of RemoteTokenServices.
All the logic related to storing/retrieving tokens on Authorization server side is done with JdbcTokenStore.
I am building a new Spring Boot 2 application which is build with Spring webflux module and trying to implement client_credentials flow with existing Authorization Server using Spring Security 5.1.1.
I found that support for resource servers was added in 5.1.0.RC1 (https://spring.io/blog/2018/08/21/spring-security-5-1-0-rc1-released#oauth2-resource-servers) and updated in 5.1.0.RC2 (https://spring.io/blog/2018/09/10/spring-security-5-1-0-rc2-released#oauth2-resource-server) but looks like it's only possible to configure it with JWT support.
I might be messing up with concepts here but looking for more info and a way to configure all these components together.
I'm in same situation as you.I solve that problem in next way, maybe it can help you:
spring-boot-starter-parent.version: 2.1.1
spring-cloud-dependencies.version: Greenwich.R1
Security configuration:
#EnableWebFluxSecurity
public class SecurityConfig {
#Autowired
private ReactiveAuthenticationManager manager; //custom implementation
#Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http
.authorizeExchange()
.pathMatchers("/role").hasRole("ADMIN")
.pathMatchers("/test").access(new HasScope("server")) //custom implementation
.anyExchange().authenticated()
.and()
.httpBasic().disable()
.oauth2ResourceServer()
.jwt()
.authenticationManager(manager)
.and().and()
.build();
}
}
ReactiveAuthorizationManager (HasScope) implementation:
Helper which allow search for scopes in authentication object
public class HasScope implements ReactiveAuthorizationManager<AuthorizationContext> {
public HasScope(String...scopes) {
this.scopes = Arrays.asList(scopes);
}
private final Collection<String> scopes;
#Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext object) {
return authentication
.flatMap(it -> {
OAuth2Authentication auth = (OAuth2Authentication) it;
Set<String> requestScopes = auth.getOAuth2Request().getScope();
boolean allow = requestScopes.containsAll(scopes);
return Mono.just(new AuthorizationDecision(allow));
});
}
}
ReactiveAuthenticationManager implementation:
That is the main component in configuration which create OAuth2Authentication. There is a problem with response for wrong access_token, it returns only status code without body response.
#Component
public class ReactiveAuthenticationManagerImpl implements ReactiveAuthenticationManager {
private final ResourceServerProperties sso;
private final WebClient.Builder webClient;
private final ObjectMapper objectMapper;
private AuthoritiesExtractor authoritiesExtractor = new FixedAuthoritiesExtractor();
public ReactiveAuthenticationManagerImpl(ResourceServerProperties sso,
#Qualifier("loadBalancedWebClient") WebClient.Builder webClient, ObjectMapper objectMapper) {
this.sso = sso;
this.webClient = webClient;
this.objectMapper = objectMapper;
}
#Override
public Mono<Authentication> authenticate(Authentication authentication) {
return Mono.just(authentication)
.cast(BearerTokenAuthenticationToken.class)
.flatMap(it -> getMap(it.getToken()))
.flatMap(result -> Mono.just(extractAuthentication(result)));
}
private OAuth2Authentication extractAuthentication(Map<String, Object> map) {
Object principal = getPrincipal(map);
OAuth2Request request = getRequest(map);
List<GrantedAuthority> authorities = authoritiesExtractor.extractAuthorities(map);
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(principal, "N/A", authorities);
token.setDetails(map);
return new OAuth2Authentication(request, token);
}
private Object getPrincipal(Map<String, Object> map) {
if (map.containsKey("principal")) {
try {
//that is the case for user authentication
return objectMapper.convertValue(map.get("principal"), UserPrincipal.class);
} catch (IllegalArgumentException ex) {
//that is the case for client authentication
return objectMapper.convertValue(map.get("principal"), String.class);
}
}
return null;
}
#SuppressWarnings({"unchecked"})
private OAuth2Request getRequest(Map<String, Object> map) {
Map<String, Object> request = (Map<String, Object>) map.get("oauth2Request");
String clientId = (String) request.get("clientId");
Set<String> scope = new LinkedHashSet<>(request.containsKey("scope") ?
(Collection<String>) request.get("scope") : Collections.emptySet());
return new OAuth2Request(null, clientId, null, true, new HashSet<>(scope),
null, null, null, null);
}
private Mono<Map<String, Object>> getMap(String accessToken) {
String uri = sso.getUserInfoUri();
return webClient.build().get()
.uri(uri)
.accept(MediaType.APPLICATION_JSON)
.header("Authorization", "Bearer " + accessToken)
.exchange()
.flatMap(it -> it.bodyToMono(new ParameterizedTypeReference<Map<String, Object>>() {}))
.onErrorMap(InvalidTokenException.class, mapper -> new InvalidTokenException("Invalid token: " + accessToken));
}
I'd like to create a FactoryBean<RestTemplate> in order to avoid to create a RestTemplate each time a component, bean, service... requires it.
I mean, I need to inject a ResTemplate which it's already configured with Authorization header.
Up to now, I've been able to to create it, but I don't quite figure out what I need to write inside afterPropertiesSet:
#Component
public class RestTemplateFactory
implements FactoryBean<RestTemplate>, InitializingBean {
private RestTemplate restTemplate;
public RestTemplate getObject() {
return restTemplate;
}
public Class<RestTemplate> getObjectType() {
return RestTemplate.class;
}
public boolean isSingleton() {
return true;
}
public void afterPropertiesSet() {
//???
}
}
Also, I've implemented a service engaged to update current jwt token. Basiclly:
#Service
public class JWTService {
private String jwt;
public String getJwt() {
return jwt;
}
//JWT handling related code
}
Any ideas?