From 0292a78f91082b86c14ddf7280b444875a4e9b49 Mon Sep 17 00:00:00 2001 From: Vladimir Stankovic Date: Sat, 2 Dec 2017 14:17:28 +0100 Subject: [PATCH] Refactor --- .../auth/jwt/JwtAuthenticationProvider.java | 4 +- ...wtTokenAuthenticationProcessingFilter.java | 2 +- .../security/config/WebSecurityConfig.java | 81 ++++++++++--------- .../endpoint/RefreshTokenEndpoint.java | 2 +- src/main/resources/logback.xml | 2 +- 5 files changed, 48 insertions(+), 43 deletions(-) diff --git a/src/main/java/com/svlada/security/auth/jwt/JwtAuthenticationProvider.java b/src/main/java/com/svlada/security/auth/jwt/JwtAuthenticationProvider.java index ed85761..350faa3 100644 --- a/src/main/java/com/svlada/security/auth/jwt/JwtAuthenticationProvider.java +++ b/src/main/java/com/svlada/security/auth/jwt/JwtAuthenticationProvider.java @@ -46,8 +46,8 @@ public class JwtAuthenticationProvider implements AuthenticationProvider { String subject = jwsClaims.getBody().getSubject(); List scopes = jwsClaims.getBody().get("scopes", List.class); List authorities = scopes.stream() - .map(authority -> new SimpleGrantedAuthority(authority)) - .collect(Collectors.toList()); + .map(SimpleGrantedAuthority::new) + .collect(Collectors.toList()); UserContext context = UserContext.create(subject, authorities); diff --git a/src/main/java/com/svlada/security/auth/jwt/JwtTokenAuthenticationProcessingFilter.java b/src/main/java/com/svlada/security/auth/jwt/JwtTokenAuthenticationProcessingFilter.java index e4b9dd1..eeea4dd 100644 --- a/src/main/java/com/svlada/security/auth/jwt/JwtTokenAuthenticationProcessingFilter.java +++ b/src/main/java/com/svlada/security/auth/jwt/JwtTokenAuthenticationProcessingFilter.java 
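Review bot: The `scopes` claim read two lines above the changed `map` call has no null guard, so a validly signed token that simply omits `scopes` makes `scopes.stream()` throw a NullPointerException instead of an AuthenticationException the failure handler knows how to turn into a 401. Fail closed with an explicit check before the stream, e.g. `if (scopes == null) { throw new BadCredentialsException("JWT carries no scopes claim"); }`. The `SimpleGrantedAuthority::new` change itself is fine. The enclosing `authenticate` method starts and ends outside the hunk.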
@@ -43,7 +43,7 @@ public class JwtTokenAuthenticationProcessingFilter extends AbstractAuthenticati @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException { - String tokenPayload = request.getHeader(WebSecurityConfig.JWT_TOKEN_HEADER_PARAM); + String tokenPayload = request.getHeader(WebSecurityConfig.AUTHENTICATION_HEADER_NAME); RawAccessJwtToken token = new RawAccessJwtToken(tokenExtractor.extract(tokenPayload)); return getAuthenticationManager().authenticate(new JwtAuthenticationToken(token)); } diff --git a/src/main/java/com/svlada/security/config/WebSecurityConfig.java b/src/main/java/com/svlada/security/config/WebSecurityConfig.java index 7d71bb3..211bca7 100644 --- a/src/main/java/com/svlada/security/config/WebSecurityConfig.java +++ b/src/main/java/com/svlada/security/config/WebSecurityConfig.java 
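Review bot: Renaming the token header to the standard `Authorization` is a wire-level change that this patch does not carry through to the CORS side: `CustomCorsFilter` is registered in WebSecurityConfig but is not in the diff, and if it enumerates allowed request headers and still names `X-Authorization`, browser preflights will reject the new header and every cross-origin API call will fail before it reaches this filter — verify and update that allow-list in the same change. The `getHeader` line also deserves a one-line note that an absent header yields `null` and is passed straight to `tokenExtractor.extract`, so the extractor is what decides whether a missing credential becomes a clean 401: `// header may be absent; the extractor must reject null rather than NPE`. One upside worth recording in the commit message: shared HTTP caches do not store responses to requests carrying `Authorization` by default, a protection the custom header never had.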
@@ -36,33 +36,32 @@ import com.svlada.security.auth.jwt.extractor.TokenExtractor; @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - public static final String JWT_TOKEN_HEADER_PARAM = "X-Authorization"; - public static final String FORM_BASED_LOGIN_ENTRY_POINT = "/api/auth/login"; - public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/api/**"; - public static final String TOKEN_REFRESH_ENTRY_POINT = "/api/auth/token"; - + public static final String AUTHENTICATION_HEADER_NAME = "Authorization"; + public static final String AUTHENTICATION_URL = "/api/auth/login"; + public static final String REFRESH_TOKEN_URL = "/api/auth/token"; + public static final String API_ROOT_URL = "/api/**"; + @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint; @Autowired private AuthenticationSuccessHandler successHandler; @Autowired private AuthenticationFailureHandler failureHandler; @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider; @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider; - + @Autowired private TokenExtractor tokenExtractor; - + @Autowired private AuthenticationManager authenticationManager; - + @Autowired private ObjectMapper objectMapper; - - protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter() throws Exception { - AjaxLoginProcessingFilter filter = new AjaxLoginProcessingFilter(FORM_BASED_LOGIN_ENTRY_POINT, successHandler, failureHandler, objectMapper); + + protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint) throws Exception { + AjaxLoginProcessingFilter filter = new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper); filter.setAuthenticationManager(this.authenticationManager); return filter; } - - protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter() throws Exception { - List pathsToSkip = 
Arrays.asList(TOKEN_REFRESH_ENTRY_POINT, FORM_BASED_LOGIN_ENTRY_POINT); - SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_AUTH_ENTRY_POINT); - JwtTokenAuthenticationProcessingFilter filter + + protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(List pathsToSkip, String pattern) throws Exception { + SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern); + JwtTokenAuthenticationProcessingFilter filter = new JwtTokenAuthenticationProcessingFilter(failureHandler, tokenExtractor, matcher); filter.setAuthenticationManager(this.authenticationManager); return filter; 
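Review bot: The two builder methods are now parameterized but document nothing about the coupling their parameters encode: `pathsToSkip` must be exactly the set of paths that `configure(HttpSecurity)` declares `permitAll`, otherwise a public path that is not skipped is rejected by this filter for lacking a token, and a skipped path that is not `permitAll` falls through to the `authenticated()` rule and the entry point. A Javadoc on `buildJwtTokenAuthenticationProcessingFilter` stating that contract — and that `pattern` is the root under which every other request must present a JWT — would keep the two call sites from drifting. `throws Exception` on both builders also looks like a leftover: nothing visible in their bodies throws a checked exception, and a raw `Exception` signature on filter wiring lets real configuration failures hide behind a generic catch; drop it or narrow it to what the constructors actually throw. The class body continues outside the hunk.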
@@ -73,35 +72,41 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } - + @Override protected void configure(AuthenticationManagerBuilder auth) { auth.authenticationProvider(ajaxAuthenticationProvider); auth.authenticationProvider(jwtAuthenticationProvider); } - + @Override protected void configure(HttpSecurity http) throws Exception { - http - .csrf().disable() // We don't need CSRF for JWT based authentication - .exceptionHandling() - .authenticationEntryPoint(this.authenticationEntryPoint) - - .and() - .sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.STATELESS) + List permitAllEndpointList = Arrays.asList( + AUTHENTICATION_URL, + REFRESH_TOKEN_URL, + "/console" + ); - .and() - .authorizeRequests() - .antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll() // Login end-point - .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll() // Token refresh end-point - .antMatchers("/console").permitAll() // H2 Console Dash-board - only for testing - .and() - .authorizeRequests() - .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated() // Protected API End-points - .and() - .addFilterBefore(new CustomCorsFilter(), UsernamePasswordAuthenticationFilter.class) - .addFilterBefore(buildAjaxLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class) - .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class); + http + .csrf().disable() // We don't need CSRF for JWT based authentication + .exceptionHandling() + .authenticationEntryPoint(this.authenticationEntryPoint) + + .and() + .sessionManagement() + .sessionCreationPolicy(SessionCreationPolicy.STATELESS) + + .and() + .authorizeRequests() + .antMatchers(permitAllEndpointList.toArray(new String[permitAllEndpointList.size()])) + .permitAll() + .and() + .authorizeRequests() + .antMatchers(API_ROOT_URL).authenticated() 
// Protected API End-points + .and() + .addFilterBefore(new CustomCorsFilter(), UsernamePasswordAuthenticationFilter.class) + .addFilterBefore(buildAjaxLoginProcessingFilter(AUTHENTICATION_URL), UsernamePasswordAuthenticationFilter.class) + .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(permitAllEndpointList, + API_ROOT_URL), UsernamePasswordAuthenticationFilter.class); } } diff --git a/src/main/java/com/svlada/security/endpoint/RefreshTokenEndpoint.java b/src/main/java/com/svlada/security/endpoint/RefreshTokenEndpoint.java index e3dbe42..1170f40 100644 --- a/src/main/java/com/svlada/security/endpoint/RefreshTokenEndpoint.java +++ b/src/main/java/com/svlada/security/endpoint/RefreshTokenEndpoint.java @@ -51,7 +51,7 @@ public class RefreshTokenEndpoint { @RequestMapping(value="/api/auth/token", method=RequestMethod.GET, produces={ MediaType.APPLICATION_JSON_VALUE }) public @ResponseBody JwtToken refreshToken(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - String tokenPayload = tokenExtractor.extract(request.getHeader(WebSecurityConfig.JWT_TOKEN_HEADER_PARAM)); + String tokenPayload = tokenExtractor.extract(request.getHeader(WebSecurityConfig.AUTHENTICATION_HEADER_NAME)); RawAccessJwtToken rawToken = new RawAccessJwtToken(tokenPayload); RefreshToken refreshToken = RefreshToken.create(rawToken, jwtSettings.getTokenSigningKey()).orElseThrow(() -> new InvalidJwtToken()); diff --git a/src/main/resources/logback.xml b/src/main/resources/logback.xml index d322b22..e4308da 100644 --- a/src/main/resources/logback.xml +++ b/src/main/resources/logback.xml @@ -4,5 +4,5 @@ - + \ No newline at end of file
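Review bot: The rebuilt `authorizeRequests` chain still has no `anyRequest()` rule after `.antMatchers(API_ROOT_URL).authenticated()`, so a request matching neither `/api/**` nor the permitAll list has no security attributes and Spring Security's interceptor lets it through unauthenticated — including everything under `/console/`, because `antMatchers("/console")` matches only that exact path. Make the policy deny-by-default by appending `.anyRequest().denyAll()` (or `.authenticated()` if non-API pages are genuinely expected) directly after the `API_ROOT_URL` rule. Separately, `"/console"` moved into `permitAllEndpointList`, lost the old `// H2 Console Dash-board - only for testing` caveat, and now also bypasses the JWT filter while `csrf()` stays disabled; if it is still a development-only console, gate it behind a profile rather than shipping it open in the production config, and at minimum restore the comment. Minor: `permitAllEndpointList.toArray(new String[0])` is the idiomatic form of the array conversion.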
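Review bot: Because `/api/auth/token` is both `permitAll` and in the JWT filter's skip list, the `RefreshToken.create(rawToken, jwtSettings.getTokenSigningKey())` call on the line after the changed one is the only check standing between an anonymous caller and freshly minted credentials; it must verify the signature and that the presented token is actually a refresh token rather than an access token, or a stolen short-lived access token can be traded for long-lived ones indefinitely — `RefreshToken` is not in this patch, so please confirm that distinction is enforced there. Performing the exchange on `GET` also puts a credential-bearing request in a method that proxies and access logs treat as safe and cacheable; `POST` is the conventional choice for a token endpoint. The method body continues past the hunk.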