Commit b7e3424a authored by Matija Obreza's avatar Matija Obreza

OAuth2 fixes for JWT

- Resource server accessTokenConverter now uses a DefaultUserAuthenticationConverter backed by the UserDetailsService instance, so the JWT resolves to the proper Principal
- OAuth2ServerConfig uses the actual ClientDetailsService
parent 5bd083ef
......@@ -15,6 +15,8 @@
*/
package org.genesys.catalog.server.config;
import java.util.Arrays;
import org.genesys.blocks.oauth.service.OAuthServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
......@@ -38,19 +40,29 @@ import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import java.util.Arrays;
@Configuration
public class OAuth2ServerConfig {
private static final String APPLICATION_RESOURCE_ID = "genesyscatalog";
@Value("${default.oauth.accessToken.validity}")
private int accessTokenValiditySeconds;
@Value("${default.oauth.refreshToken.validity}")
private int refreshTokenValiditySeconds;
@Autowired
@Qualifier("userService")
private UserDetailsService userDetailsService;
@Bean
public OAuthServiceImpl oauthService() {
return new OAuthServiceImpl();
......@@ -72,6 +84,17 @@ public class OAuth2ServerConfig {
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey(APPLICATION_RESOURCE_ID);
// This blob is required to convert from JWT token to proper Principal
DefaultUserAuthenticationConverter userTokenConverter = new DefaultUserAuthenticationConverter();
userTokenConverter.setUserDetailsService(userDetailsService);
DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
accessTokenConverter.setUserTokenConverter(userTokenConverter);
converter.setAccessTokenConverter(accessTokenConverter);
// Done blob
return converter;
}
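Review bot: The resource server's JWT converter on the `converter.setSigningKey(APPLICATION_RESOURCE_ID)` line derives the signing key from the public resource id `"genesyscatalog"` — the same constant passed to `resourceId(...)` in the resource-server configurer below, so it is not a secret — and, unlike the authorization-server copy of this method, the hunk adds no FIXME here. With a string key JwtAccessTokenConverter uses a symmetric MAC, so anyone who knows that string can mint tokens this resource server accepts. Load the key from configuration, e.g. `@Value("${oauth.jwt.signingKey}") private String jwtSigningKey;` and `converter.setSigningKey(jwtSigningKey);`, or better sign with a key pair and give the resource server only the public key via `setVerifierKey`. Both nested configurations now expose a `@Bean` named `accessTokenConverter`; whether one silently overrides the other depends on the container's bean-overriding setting, so a single shared bean would remove the ambiguity.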
......@@ -90,22 +113,23 @@ public class OAuth2ServerConfig {
@Override
public void configure(final HttpSecurity http) throws Exception {
http
// Since we want the protected resources to be accessible in the UI as well we need
// session creation to be allowed (it's disabled by default in 2.0.6)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
// cors
.and().cors()
// Since we want the protected resources to be accessible in the UI as well we
// need
// session creation to be allowed (it's disabled by default in 2.0.6)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
// cors
.and().cors()
.and().requestMatchers().antMatchers("/api/**", "/google/verify-token", "/token")
.and().requestMatchers().antMatchers("/api/**", "/google/verify-token", "/token")
.and().authorizeRequests().antMatchers("/api/**", "/google/verify-token", "/token").authenticated()
.and().authorizeRequests().antMatchers("/api/**", "/google/verify-token", "/token").authenticated()
.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
@Override
public void configure(ResourceServerSecurityConfigurer config) {
config.tokenServices(tokenServices()).resourceId(APPLICATION_RESOURCE_ID).stateless(false);
config.tokenServices(tokenServices()).resourceId(APPLICATION_RESOURCE_ID).stateless(true);
}
}
......@@ -113,13 +137,6 @@ public class OAuth2ServerConfig {
@EnableAuthorizationServer
protected class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Value("${access_token.validity_period}")
int accessTokenValiditySeconds = 3600;
@Autowired
@Qualifier("userService")
private UserDetailsService userDetailsService;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
......@@ -136,6 +153,7 @@ public class OAuth2ServerConfig {
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
// FIXME This must be a secret!
converter.setSigningKey(APPLICATION_RESOURCE_ID);
return converter;
}
......@@ -146,18 +164,17 @@ public class OAuth2ServerConfig {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
defaultTokenServices.setAuthenticationManager(authenticationManager);
defaultTokenServices.setClientDetailsService(clientDetailsService);
defaultTokenServices.setAccessTokenValiditySeconds(accessTokenValiditySeconds);
defaultTokenServices.setRefreshTokenValiditySeconds(refreshTokenValiditySeconds);
defaultTokenServices.setTokenEnhancer(tokenEnhancer());
return defaultTokenServices;
}
@Override
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("my-trusted-client")
.authorizedGrantTypes("password", "client_credentials")
.scopes("read", "write", "trust")
.resourceIds(APPLICATION_RESOURCE_ID)
.secret("my-secret-client")
.accessTokenValiditySeconds(accessTokenValiditySeconds);
clients.withClientDetails(clientDetailsService);
}
@Override
......@@ -25,7 +25,6 @@ import org.springframework.security.config.annotation.method.configuration.Enabl
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
......@@ -37,17 +37,17 @@ public class SpringAclConfig {
@Override
public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) {
for (GrantedAuthority authority : authentication.getAuthorities()) {
if (UserRole.ADMINISTRATOR == authority) {
if (authority.getAuthority().equals(UserRole.ADMINISTRATOR.getAuthority())) {
return true;
}
}
return super.hasPermission(authentication, domainObject, permission);
}
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
for (GrantedAuthority authority : authentication.getAuthorities()) {
if (UserRole.ADMINISTRATOR == authority) {
if (authority.getAuthority().equals(UserRole.ADMINISTRATOR.getAuthority())) {
return true;
}
}
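Review bot: The new comparison `authority.getAuthority().equals(UserRole.ADMINISTRATOR.getAuthority())` dereferences `getAuthority()`, which the GrantedAuthority contract allows to return null for authorities without a string form, so a non-string authority in the collection would throw instead of being skipped. Reversing the operands, `UserRole.ADMINISTRATOR.getAuthority().equals(authority.getAuthority())`, is null-safe, and since both overrides now repeat the same loop the check belongs in one private helper. The second hasPermission override's body continues past the end of this hunk.
```java
/** True when the authentication carries the ADMINISTRATOR authority; tolerates authorities with a null string form. */
private boolean isAdministrator(final Authentication authentication) {
    final String adminAuthority = UserRole.ADMINISTRATOR.getAuthority();
    for (final GrantedAuthority authority : authentication.getAuthorities()) {
        if (adminAuthority.equals(authority.getAuthority())) {
            return true;
        }
    }
    return false;
}

@Override
public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) {
    if (isAdministrator(authentication)) {
        return true;
    }
    return super.hasPermission(authentication, domainObject, permission);
}
// … unchanged: the targetId/targetType override makes the same isAdministrator(authentication) check …
```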
......@@ -15,7 +15,7 @@ db.driverClassName=com.mysql.jdbc.Driver
db.username=root
db.password=
db.hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialect
db.showSql=true
db.showSql=false
# Connection pool
db.pool.initialSize=5
db.pool.maxActive=10
......@@ -30,6 +30,9 @@ default.admin.password=Admin123!
default.oauthclient.clientId=my-trusted-client
default.oauthclient.clientSecret=my-secret-client
default.oauth.accessToken.validity=21600
default.oauth.refreshToken.validity=604800
#google properties
google.consumerKey=
google.consumerSecret=
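Review bot: The new `default.oauth.refreshToken.validity=604800` gives no unit or rationale, and together with the access-token line above it fixes the shipped lifetimes at six hours for access tokens and seven days for refresh tokens. Operators overriding these defaults should see that trade-off, e.g. `# OAuth2 token lifetimes in seconds: access 6h, refresh 7d` placed above the two lines. If the JwtTokenStore imported in OAuth2ServerConfig is the configured store, these self-contained tokens presumably cannot be revoked before expiry, which makes the seven-day refresh window the effective session length; confirm and note it in the same comment.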
......@@ -56,8 +59,6 @@ s3.prefix=
CLAMD_HOSTNAME=
CLAMD_PORT=
access_token.validity_period=3600
#Hazelcast
hazelcast.instanceName=hz-genesyscatalog-instance1
# Hazelcast cluster configuration
......@@ -28,6 +28,8 @@ default.admin.password=Admin123!
default.oauthclient.clientId=my-trusted-client
default.oauthclient.clientSecret=my-secret-client
default.oauth.accessToken.validity=21600
default.oauth.refreshToken.validity=604800
#file repository
......@@ -44,8 +46,6 @@ s3.prefix=
CLAMD_HOSTNAME=
CLAMD_PORT=
access_token.validity_period=3600
#Hazelcast
Hazelcast instance name
hazelcast.instanceName=hz-genesyscatalog-instance1