Work on blog.

This commit is contained in:
svlada 2016-08-29 17:47:54 +02:00
parent 65fde485e8
commit f3d308cd49


@ -49,7 +49,7 @@ Overall project structure is shown below:
In the first part of this tutorial we'll implement Ajax authentication by following standard patterns found in Spring Security framework. In the first part of this tutorial we'll implement Ajax authentication by following standard patterns found in Spring Security framework.
When we talk about Ajax authentication we usually refer to process where user is supplying credentials through JSON payload sent as a part of XMLHttpRequest. When we talk about Ajax authentication we usually refer to process where user is supplying credentials through JSON payload that is sent as a part of XMLHttpRequest.
Following is the list of components that we'll implement: Following is the list of components that we'll implement:
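Review bot: the reworded second sentence still reads awkwardly ("refer to process where user is supplying credentials through JSON payload that is sent as a part of XMLHttpRequest"); missing articles rather than the added "that is" are the problem. Suggest "refer to the process in which the user supplies credentials in a JSON payload sent as part of an XMLHttpRequest", and "In the first part of this tutorial we'll implement Ajax authentication by following the standard patterns found in the Spring Security framework" on the line above it.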
@ -302,7 +302,7 @@ AuthenticationSuccessHandler interface provides contract for handling successful
AjaxAwareAuthenticationSuccessHandler class is providing custom implementation of AuthenticationSuccessHandler interface by creating AjaxAwareAuthenticationSuccessHandler class is providing custom implementation of AuthenticationSuccessHandler interface by creating
JSON payload with JWT Access and Refresh tokens. JSON payload with JWT Access and Refresh tokens.
``` ```language-java
@Component @Component
public class AjaxAwareAuthenticationSuccessHandler implements AuthenticationSuccessHandler { public class AjaxAwareAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private final ObjectMapper mapper; private final ObjectMapper mapper;
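Review bot: the fence tag changes from a bare ``` to ```language-java here and in every code block below; "language-java" is the CSS class name that highlight.js and Prism look for on the rendered element, whereas most markdown renderers take the bare language name (```java) as the info string and add the class prefix themselves. Worth confirming that the blog engine accepts this form before applying it to every block, since a renderer that does not will either emit the tag literally or fall back to no highlighting.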
@ -369,7 +369,7 @@ We have created factory class(```JwtTokenFactory```) to decouple token creation
```JwtTokenFactory#createRefreshToken``` method creates signed JWT Refresh token. ```JwtTokenFactory#createRefreshToken``` method creates signed JWT Refresh token.
``` ```language-java
@Component @Component
public class JwtTokenFactory { public class JwtTokenFactory {
private final JwtSettings settings; private final JwtSettings settings;
@ -439,7 +439,7 @@ Please note that if you are instantiating Claims object outside of ```Jwts.build
AjaxAwareAuthenticationFailureHandler is invoked by ```AjaxLoginProcessingFilter``` in case of authentication failures. You can design specific error messages based on exception type that have occurred during the authentication process. AjaxAwareAuthenticationFailureHandler is invoked by ```AjaxLoginProcessingFilter``` in case of authentication failures. You can design specific error messages based on exception type that have occurred during the authentication process.
``` ```language-java
@Component @Component
public class AjaxAwareAuthenticationFailureHandler implements AuthenticationFailureHandler { public class AjaxAwareAuthenticationFailureHandler implements AuthenticationFailureHandler {
private final ObjectMapper mapper; private final ObjectMapper mapper;
@ -538,7 +538,7 @@ This filter has the following responsibilities:
Please ensure that ```chain.doFilter(request, response)``` is invoked upon successful authentication. You want processing of the request to advance to the next filter, because very last one filter ```FilterSecurityInterceptor#doFilter``` is responsible to actually invoke method in your controller that is handling requested API resource. Please ensure that ```chain.doFilter(request, response)``` is invoked upon successful authentication. You want processing of the request to advance to the next filter, because very last one filter ```FilterSecurityInterceptor#doFilter``` is responsible to actually invoke method in your controller that is handling requested API resource.
``` ```language-java
public class JwtTokenAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter { public class JwtTokenAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter {
private final AuthenticationFailureHandler failureHandler; private final AuthenticationFailureHandler failureHandler;
private final TokenExtractor tokenExtractor; private final TokenExtractor tokenExtractor;
@ -577,15 +577,39 @@ public class JwtTokenAuthenticationProcessingFilter extends AbstractAuthenticati
} }
``` ```
#### JwtHeaderTokenExtractor
Simple class used to extract Authorization token from header.
```language-java
@Component
public class JwtHeaderTokenExtractor implements TokenExtractor {
public static String HEADER_PREFIX = "Bearer ";
@Override
public String extract(String header) {
if (StringUtils.isBlank(header)) {
throw new AuthenticationServiceException("Authorization header cannot be blank!");
}
if (header.length() < HEADER_PREFIX.length()) {
throw new AuthenticationServiceException("Invalid authorization header size.");
}
return header.substring(HEADER_PREFIX.length(), header.length());
}
}
```
#### JwtAuthenticationProvider #### JwtAuthenticationProvider
JwtAuthenticationProvider has following responsibilities: JwtAuthenticationProvider has following responsibilities:
1. Perform signature validation of incoming Access token. 1. Signature validation of the Access token
2. Extract authorization claims from Access token and instantiate User Context to be used by application 2. Extract authorization claims and user identifier from Access token and use them to create UserContext
3. Authentication exception is thrown if Access token is malformed, expired or simply if token is not signed with appropriate signing key 3. If Access token is malformed, expired or simply if token is not signed with the appropriate signing key Authentication exception will be thrown
``` ```language-java
@Component @Component
public class JwtAuthenticationProvider implements AuthenticationProvider { public class JwtAuthenticationProvider implements AuthenticationProvider {
private final JwtSettings jwtSettings; private final JwtSettings jwtSettings;
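Review bot: JwtHeaderTokenExtractor#extract never checks that the header actually begins with HEADER_PREFIX; any non-blank value of at least HEADER_PREFIX.length() characters passes both guards (a "Basic ..." header, for instance), and substring then hands an arbitrary slice of it to the token parser as though it were a bearer token. Suggest replacing the length check with `if (!header.startsWith(HEADER_PREFIX)) { throw new AuthenticationServiceException("Invalid authorization header."); }`, which subsumes the size check, and simplifying the return to `return header.substring(HEADER_PREFIX.length());`. HEADER_PREFIX should also be `public static final String`; as a mutable public static it can be reassigned from anywhere in the application. Minor, in the same hunk: item 3 of the rewritten JwtAuthenticationProvider list is a run-on; "If the Access token is malformed, expired or not signed with the appropriate key, an AuthenticationException is thrown" reads more cleanly.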
@ -621,8 +645,6 @@ public class JwtAuthenticationProvider implements AuthenticationProvider {
#### SkipPathRequestMatcher #### SkipPathRequestMatcher
#### JwtHeaderTokenExtractor
#### BloomFilterTokenVerifier #### BloomFilterTokenVerifier
#### WebSecurityConfig #### WebSecurityConfig
@ -633,7 +655,7 @@ WebSecurityConfig class is where all security related configuration reside.
1. AjaxLoginProcessingFilter 1. AjaxLoginProcessingFilter
2. JwtTokenAuthenticationProcessingFilter 2. JwtTokenAuthenticationProcessingFilter
``` ```language-java
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { public class WebSecurityConfig extends WebSecurityConfigurerAdapter {