├── etc ├── goals ├── docs │ ├── images │ │ ├── securityfilterchain.png │ │ ├── securityfilterchain.xcf │ │ ├── securitycontextholder.png │ │ ├── basicauthenticationfilter.png │ │ └── springsecuritylogo.svg │ ├── module_003.md │ ├── module_006.md │ ├── module_002.md │ ├── module_001.md │ ├── module_005.md │ ├── module_004.md │ ├── slides.md │ ├── architecture.html │ ├── css │ │ ├── cube.css │ │ ├── 3D-rotations.css │ │ └── impress-common.css │ ├── exercises.html │ └── intro.html ├── token-for ├── docker-compose.yml ├── get-csrf └── rewrite-hosts ├── .mvn └── wrapper │ ├── maven-wrapper.jar │ ├── maven-wrapper.properties │ └── MavenWrapperDownloader.java ├── src ├── main │ ├── java │ │ └── io │ │ │ └── jzheaux │ │ │ └── springsecurity │ │ │ ├── goals │ │ │ ├── GoalAuthorizer.java │ │ │ ├── UserRepositoryUserDetailsService.java │ │ │ ├── SecurityConfig.java │ │ │ ├── CurrentUsername.java │ │ │ ├── UserRepository.java │ │ │ ├── GoalsApplication.java │ │ │ ├── GoalRepository.java │ │ │ ├── UserService.java │ │ │ ├── CsrfHeaderAdvice.java │ │ │ ├── UserAuthority.java │ │ │ ├── Goal.java │ │ │ ├── GoalInitializer.java │ │ │ ├── GoalController.java │ │ │ ├── UserRepositoryOpaqueTokenIntrospector.java │ │ │ ├── UserRepositoryJwtAuthenticationConverter.java │ │ │ └── User.java │ │ │ ├── authzserver │ │ │ ├── UserController.java │ │ │ ├── AuthzApplication.java │ │ │ └── AuthorizationServerConfig.java │ │ │ ├── spa │ │ │ └── SpaApplication.java │ │ │ └── userprofiles │ │ │ └── UserProfilesApplication.java │ └── resources │ │ ├── application.yml │ │ └── static │ │ ├── goals.css │ │ ├── basic.js │ │ ├── bearer.js │ │ ├── basic.html │ │ ├── bearer.html │ │ ├── goals.js │ │ └── bearer-pkce.js └── test │ └── java │ └── io │ └── jzheaux │ └── springsecurity │ └── goals │ ├── GoalControllerTests.java │ ├── GoalsApplicationTests.java │ ├── ReflectedUserAuthority.java │ ├── ReflectionSupport.java │ ├── ReflectedUser.java │ ├── Module3_Tests.java │ ├── AuthorizationServer.java │ ├── Module6_Tests.java │ ├── Module4_Tests.java │ └── Module5_Tests.java ├── .gitattributes ├── .gitignore ├── pom.xml ├── mvnw.cmd ├── mvnw └── LICENSE /etc/goals: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set +x 4 | 5 | http :8080/goals "Authorization:Bearer $TOKEN" 6 | 7 | set -x 8 | -------------------------------------------------------------------------------- /.mvn/wrapper/maven-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jzheaux/oreilly-spring-security-rest-apis/HEAD/.mvn/wrapper/maven-wrapper.jar -------------------------------------------------------------------------------- /.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.0/apache-maven-3.6.0-bin.zip 2 | -------------------------------------------------------------------------------- /etc/docs/images/securityfilterchain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jzheaux/oreilly-spring-security-rest-apis/HEAD/etc/docs/images/securityfilterchain.png -------------------------------------------------------------------------------- /etc/docs/images/securityfilterchain.xcf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jzheaux/oreilly-spring-security-rest-apis/HEAD/etc/docs/images/securityfilterchain.xcf -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/GoalAuthorizer.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | public class GoalAuthorizer { 4 | } 5 | -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/GoalControllerTests.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals;public class GoalControllerTests { 2 | } 3 | -------------------------------------------------------------------------------- /etc/docs/images/securitycontextholder.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jzheaux/oreilly-spring-security-rest-apis/HEAD/etc/docs/images/securitycontextholder.png -------------------------------------------------------------------------------- /etc/docs/images/basicauthenticationfilter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jzheaux/oreilly-spring-security-rest-apis/HEAD/etc/docs/images/basicauthenticationfilter.png -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/UserRepositoryUserDetailsService.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | public class UserRepositoryUserDetailsService { 4 | } 5 | -------------------------------------------------------------------------------- /src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | logging: 2 | level: 3 | org.springframework.security: TRACE 4 | 5 | spring: 6 | jpa: 7 | properties: 8 | hibernate: 9 | enable_lazy_load_no_trans: true -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/SecurityConfig.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.springframework.context.annotation.Configuration; 4 | 5 | @Configuration 6 | public class SecurityConfig { 7 | } 8 | -------------------------------------------------------------------------------- /etc/token-for: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | export TOKEN=`curl --user app:bfbd9f62-02ce-4638-a370-80d45514bd0a localhost:9999/auth/realms/$1/protocol/openid-connect/token -dgrant_type=password -dusername=$2 -dpassword=password -dscope="$3" | jq -r .access_token` 4 | -------------------------------------------------------------------------------- /etc/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | keycloak: 4 | image: jboss/keycloak:7.0.0 5 | ports: 6 | - "9999:8080" 7 | environment: 8 | KEYCLOAK_USER: admin 9 | KEYCLOAK_PASSWORD: password 10 | KEYCLOAK_IMPORT: /tmp/one-realm.json 11 | volumes: 12 | - "./realms:/tmp" 13 | -------------------------------------------------------------------------------- /etc/get-csrf: -------------------------------------------------------------------------------- 1 | shopt -s extglob # Required to trim whitespace; see below 2 | 3 | while IFS=':' read key value; do 4 | # trim whitespace in "value" 5 | value=${value##+([[:space:]])}; value=${value%%+([[:space:]])} 6 | 7 | case "$key" in 8 | X-CSRF-TOKEN) export CSRF="$value" 9 | ;; 10 | esac 11 | done < <(http --print=h --session=./session.json -a user:password :8080/goals) -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/CurrentUsername.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import java.lang.annotation.ElementType; 4 | import java.lang.annotation.Retention; 5 | import java.lang.annotation.RetentionPolicy; 6 | import java.lang.annotation.Target; 7 | 8 | @Retention(RetentionPolicy.RUNTIME) 9 | @Target(ElementType.PARAMETER) 10 | public @interface CurrentUsername { 11 | } 12 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/UserRepository.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.springframework.data.repository.CrudRepository; 4 | import org.springframework.stereotype.Repository; 5 | 6 | import java.util.Optional; 7 | import java.util.UUID; 8 | 9 | @Repository 10 | public interface UserRepository extends CrudRepository { 11 | Optional findByUsername(String username); 12 | } 13 | -------------------------------------------------------------------------------- /src/main/resources/static/goals.css: -------------------------------------------------------------------------------- 1 | nav { 2 | background: #0356DC; 3 | margin-bottom: 30px; 4 | padding-top: 20px; 5 | padding-bottom: 20px; 6 | padding-left: 20px; 7 | color: white; 8 | } 9 | 10 | #logout a { 11 | line-height: 60px; 12 | color: white; 13 | } 14 | 15 | #logout a:hover { 16 | cursor:pointer; 17 | } 18 | 19 | .completed { 20 | text-decoration: line-through; 21 | color: lightgray; 22 | } 23 | -------------------------------------------------------------------------------- /etc/rewrite-hosts: -------------------------------------------------------------------------------- 1 | find -name "*.java" -exec sed -i -E "s/http:\/\/localhost:([0-9]{4})/https:\/\/$1-\1-$2.environments.katacoda.com/g" {} \; 2 | find -name "*.js" -exec sed -i -E "s/http:\/\/localhost:([0-9]{4})/https:\/\/$1-\1-$2.environments.katacoda.com/g" {} \; 3 | find -name "*.java" -exec sed -i -E "s/http:\/\/idp:([0-9]{4})/https:\/\/$1-\1-$2.environments.katacoda.com/g" {} \; 4 | find -name "*.js" -exec sed -i -E "s/http:\/\/idp:([0-9]{4})/https:\/\/$1-\1-$2.environments.katacoda.com/g" {} \; -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # From https://help.github.com/en/articles/configuring-git-to-handle-line-endings 2 | # Set the default behavior, in case people don't have core.autocrlf set. 3 | * text=auto 4 | 5 | # Explicitly declare text files you want to always be normalized and converted 6 | # to native line endings on checkout. 7 | *.c text 8 | *.h text 9 | 10 | # Declare files that will always have CRLF line endings on checkout. 11 | *.sln text eol=crlf 12 | 13 | # Denote all files that are truly binary and should not be modified. 14 | *.png binary 15 | *.jpg binary 16 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/GoalsApplication.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration; 6 | 7 | @SpringBootApplication(exclude = SecurityAutoConfiguration.class) 8 | public class GoalsApplication { 9 | 10 | public static void main(String[] args) { 11 | SpringApplication.run(GoalsApplication.class, args); 12 | } 13 | 14 | } 15 | -------------------------------------------------------------------------------- /src/main/resources/static/basic.js: -------------------------------------------------------------------------------- 1 | $(document).ajaxSend((event, xhr) => { 2 | if (security.csrf.value) { 3 | xhr.setRequestHeader(security.csrf.header, security.csrf.value); 4 | } 5 | }); 6 | 7 | $(document).ajaxSuccess((event, xhr) => { 8 | security.success(xhr); 9 | }); 10 | 11 | $.ajaxSetup({ 12 | xhrFields: { 13 | withCredentials: true 14 | } 15 | }); 16 | 17 | const security = { 18 | csrf: { 19 | header: "x-csrf-token" 20 | }, 21 | success: (xhr) => { 22 | security.csrf.value = xhr.getResponseHeader(security.csrf.header); 23 | } 24 | } -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/authzserver/UserController.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.authzserver; 2 | 3 | import java.util.Collections; 4 | import java.util.Map; 5 | 6 | import org.springframework.security.core.Authentication; 7 | import org.springframework.web.bind.annotation.GetMapping; 8 | import org.springframework.web.bind.annotation.RestController; 9 | 10 | @RestController 11 | public class UserController { 12 | @GetMapping("/user") 13 | Map user(Authentication authentication) { 14 | return Collections.singletonMap("sub", authentication.getName()); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/GoalRepository.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.springframework.data.jpa.repository.Modifying; 4 | import org.springframework.data.jpa.repository.Query; 5 | import org.springframework.data.repository.CrudRepository; 6 | import org.springframework.stereotype.Repository; 7 | 8 | import java.util.UUID; 9 | 10 | @Repository 11 | public interface GoalRepository extends CrudRepository { 12 | @Modifying 13 | @Query("UPDATE Goal SET text = :text WHERE id = :id") 14 | void revise(UUID id, String text); 15 | 16 | @Modifying 17 | @Query("UPDATE Goal SET completed = 1 WHERE id = :id") 18 | void complete(UUID id); 19 | } 20 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/UserService.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.springframework.stereotype.Service; 4 | import org.springframework.web.reactive.function.client.WebClient; 5 | 6 | import java.util.Optional; 7 | 8 | @Service 9 | public class UserService { 10 | private final WebClient web; 11 | 12 | public UserService(WebClient.Builder web) { 13 | this.web = web.build(); 14 | } 15 | 16 | public Optional getFullName(String username) { 17 | String name = this.web.get() 18 | .uri("/user/{username}/fullName", username) 19 | .retrieve() 20 | .bodyToMono(String.class) 21 | .block(); 22 | return Optional.ofNullable(name); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/authzserver/AuthzApplication.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.authzserver; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer; 6 | import org.springframework.context.annotation.Bean; 7 | 8 | @SpringBootApplication 9 | public class AuthzApplication { 10 | 11 | @Bean 12 | public TomcatConnectorCustomizer connectorCustomizer() { 13 | return container -> container.setPort(8083); 14 | } 15 | 16 | public static void main(String[] args) { 17 | SpringApplication.run(AuthzApplication.class, args); 18 | } 19 | 20 | } 21 | -------------------------------------------------------------------------------- /src/main/resources/static/bearer.js: -------------------------------------------------------------------------------- 1 | $(document).ajaxSend((event, xhr) => { 2 | if (security.accessToken) { 3 | xhr.setRequestHeader("Authorization", "Bearer " + security.accessToken); 4 | } 5 | if (security.csrf.value) { 6 | xhr.setRequestHeader(security.csrf.header, security.csrf.value); 7 | } 8 | }); 9 | 10 | $(document).ajaxSuccess((event, xhr) => { 11 | security.success(xhr); 12 | }); 13 | 14 | $(document).ajaxComplete((event, xhr) => { 15 | if (xhr.status === 401 || xhr.status === 403) { 16 | return pkce.authorize(); 17 | } 18 | }); 19 | 20 | const security = { 21 | csrf: { 22 | header: "x-csrf-token" 23 | }, 24 | success: (xhr) => { 25 | security.csrf.value = xhr.getResponseHeader(security.csrf.header); 26 | } 27 | } -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/CsrfHeaderAdvice.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import javax.servlet.http.HttpServletRequest; 4 | import javax.servlet.http.HttpServletResponse; 5 | 6 | import org.springframework.security.web.csrf.CsrfToken; 7 | import org.springframework.web.bind.annotation.ControllerAdvice; 8 | import org.springframework.web.bind.annotation.ModelAttribute; 9 | 10 | @ControllerAdvice 11 | public class CsrfHeaderAdvice { 12 | @ModelAttribute("csrf") 13 | public CsrfToken token(HttpServletRequest request, HttpServletResponse response) { 14 | CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName()); 15 | if (token != null) { 16 | response.setHeader(token.getHeaderName(), token.getToken()); 17 | } 18 | return token; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /etc/docs/module_003.md: -------------------------------------------------------------------------------- 1 | # Using CORS and HTTP Basic 2 | 3 | In this module, you'll configure the REST API to perform a CORS handshake so that it can be used by clients from a different hostname. 4 | 5 | ## Verification Steps 6 | 7 | To start up the front-end application, run from the root of the project: 8 | 9 | ```bash 10 | ./mvnw spring-boot:run -Dstart-class=io.jzheaux.springsecurity.spa.SpaApplication 11 | ``` 12 | 13 | At that point, a very simple single-page application will be available at [http://127.0.0.1:4000/basic.html](http://127.0.0.1:4000/basic.html). 14 | You'll be asked to log in. 15 | To get the goals to show, click the `Goals` button. 16 | 17 | In the beginning, the app will fail, but worry not! In this module, you'll make the CORS handshake succeed. 18 | 19 | ## Extra Credit 20 | 21 | Note that the reason this app still works even with CSRF enabled is because this application is only performing a `GET`. 22 | 23 | Were it also doing writes (`POST`, `PUT`, or `DELETE`), you'd need to configure CSRF to write the CSRF token as a cookie and then return it with each request. -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/UserAuthority.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import javax.persistence.Column; 4 | import javax.persistence.Entity; 5 | import javax.persistence.Id; 6 | import javax.persistence.JoinColumn; 7 | import javax.persistence.ManyToOne; 8 | import java.util.UUID; 9 | 10 | @Entity(name="authorities") 11 | public class UserAuthority { 12 | @Id 13 | UUID id; 14 | 15 | @JoinColumn(name="username", referencedColumnName="username") 16 | @ManyToOne 17 | User user; 18 | 19 | @Column 20 | String authority; 21 | 22 | UserAuthority() {} 23 | 24 | public UserAuthority(User user, String authority) { 25 | this.id = UUID.randomUUID(); 26 | this.user = user; 27 | this.authority = authority; 28 | } 29 | 30 | public UUID getId() { 31 | return id; 32 | } 33 | 34 | public void setId(UUID id) { 35 | this.id = id; 36 | } 37 | 38 | public User getUser() { 39 | return user; 40 | } 41 | 42 | public void setUser(User user) { 43 | this.user = user; 44 | } 45 | 46 | public String getAuthority() { 47 | return authority; 48 | } 49 | 50 | public void setAuthority(String authority) { 51 | this.authority = authority; 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/spa/SpaApplication.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.spa; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer; 6 | import org.springframework.context.annotation.Bean; 7 | import org.springframework.context.annotation.Configuration; 8 | import org.springframework.security.config.annotation.web.builders.HttpSecurity; 9 | import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 10 | 11 | @SpringBootApplication 12 | public class SpaApplication { 13 | @Bean 14 | public TomcatConnectorCustomizer connectorCustomizer() { 15 | return container -> container.setPort(8081); 16 | } 17 | 18 | @Configuration 19 | static class SecurityConfig extends WebSecurityConfigurerAdapter { 20 | @Override 21 | protected void configure(HttpSecurity http) throws Exception { 22 | http 23 | .authorizeRequests(authz -> authz 24 | .anyRequest().permitAll()); 25 | } 26 | } 27 | 28 | public static void main(String[] args) { 29 | SpringApplication.run(SpaApplication.class, args); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /etc/docs/module_006.md: -------------------------------------------------------------------------------- 1 | # Performing Ingress and Egress with Bearer Tokens 2 | 3 | In this module, you'll create a more secure CORS setup as well as a secure handshake between `Resolutions` and another REST API. 4 | 5 | ## Verification Steps 6 | 7 | Verification is the same as it was for [the last two modules](module_005.md) with one more change. 8 | 9 | The repo ships with a simple RESTful service that gives back the user's full name. Of course, we've already added their full name into the app at this point; however, you can imagine the importance of figuring out how to centralize PII and take it out of applications that don't need it all the time. 10 | 11 | To start up this RESTful application, do: 12 | 13 | ```java 14 | ./mvnw spring-boot:run -Dstart-class=io.jzheaux.springsecurity.userprofiles.UserProfilesApplication 15 | ``` 16 | 17 | This will start up an application on [http://127.0.0.1:8081](http://127.0.0.1:8081). It'll be expecting a token from the authorization server, so you'll either need to retrieve one manually or you'll need to connect the goals API to this one (which is what this module is all about). 18 | 19 | At the end of this module, when you go to [http://127.0.0.1:4000/bearer.html], the front-end will be talking to `Resolutions`, but also `Resolutions` will be talking to another REST API. -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/Goal.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import javax.persistence.Column; 4 | import javax.persistence.Entity; 5 | import javax.persistence.Id; 6 | import java.util.UUID; 7 | 8 | import org.hibernate.annotations.Type; 9 | 10 | @Entity 11 | public class Goal { 12 | @Id 13 | @Type(type="uuid-char") 14 | private UUID id; 15 | 16 | @Column 17 | private String text; 18 | 19 | @Column 20 | private String owner; 21 | 22 | @Column(nullable=false) 23 | private Boolean completed = false; 24 | 25 | public Goal() { 26 | } 27 | 28 | public Goal(String text, String owner) { 29 | this.id = UUID.randomUUID(); 30 | this.text = text; 31 | this.owner = owner; 32 | } 33 | 34 | public UUID getId() { 35 | return id; 36 | } 37 | 38 | public void setId(UUID id) { 39 | this.id = id; 40 | } 41 | 42 | public String getText() { 43 | return text; 44 | } 45 | 46 | public void setText(String text) { 47 | this.text = text; 48 | } 49 | 50 | public String getOwner() { 51 | return owner; 52 | } 53 | 54 | public void setOwner(String owner) { 55 | this.owner = owner; 56 | } 57 | 58 | public Boolean getCompleted() { 59 | return completed; 60 | } 61 | 62 | public void setCompleted(Boolean completed) { 63 | this.completed = completed; 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /src/main/resources/static/basic.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 13 | 14 | 15 |
16 | 25 |
26 |
27 |
28 |

Goals

29 |
30 |
    31 |
32 |
33 | 34 | 35 |
36 |
37 | 38 | -------------------------------------------------------------------------------- /etc/docs/module_002.md: -------------------------------------------------------------------------------- 1 | # Authorizing Requests with HTTP Basic 2 | 3 | In this module, you'll add method-based authorization rules to your REST API. 4 | 5 | ## CSRF 6 | 7 | Note that by default, Spring Security leaves CSRF turned on. 8 | For the first 2-3 modules, this will mean that the `POST` and `PUT` endpoints in this API will return a `403`. 9 | 10 | You can lift this restriction if you'd like to play around with these endpoints; look for details in Step 9 of this module to see a simple way to do this. 11 | 12 | ## Verification Steps 13 | 14 | Once you've configured Spring Security with a username and password, you can work with the API like any other REST API. 15 | 16 | You can use your favorite HTTP client, like [Postman](https://getpostman.com), cURL, or [HTTPie](https://httpie.org). The following instructions will use HTTPie. 17 | 18 | In all the instructions, `$USER` is the username, and `$PASS` is the password. 19 | 20 | ### Get a List of Resolutions 21 | ```bash 22 | http -a $USER:$PASS :8080/goals 23 | ``` 24 | ### Lookup a Resolution by Id 25 | ```bash 26 | http -a $USER:$PASS :8080/goal/$ID 27 | ``` 28 | where `$ID` is the primary key. 29 | ### Create a Resolution 30 | ```bash 31 | echo -n "some text" | http -a $USER:$PASS :8080/goal 32 | ``` 33 | ### Revise a Resolution 34 | ```bash 35 | echo -n "some updated text" | http -a $USER:$PASS PUT :8080/goal/$ID/revise 36 | ``` 37 | ### Complete a Resolution 38 | ```bash 39 | http -a $USER:$PASS PUT :8080/goal/$ID/complete 40 | ``` -------------------------------------------------------------------------------- /etc/docs/module_001.md: -------------------------------------------------------------------------------- 1 | # Authenticating Requests with HTTP Basic 2 | 3 | In this module, you'll add HTTP Basic authentication that's connected to a local database. 4 | 5 | ## CSRF 6 | 7 | Note that by default, Spring Security leaves CSRF turned on. 8 | For the first 2-3 modules, this will mean that the `POST` and `PUT` endpoints in this API will return a `403`. 9 | 10 | You can lift this restriction if you'd like to play around with these endpoints; look for details in Step 9 of this module to see a simple way to do this. 11 | 12 | ## Verification Steps 13 | 14 | Once you've configured Spring Security with a username and password, you can work with the API like any other REST API. 15 | 16 | You can use your favorite HTTP client, like [Postman](https://getpostman.com), cURL, or [HTTPie](https://httpie.org). The following instructions will use HTTPie. 17 | 18 | In all the instructions, `$USER` is the username, and `$PASS` is the password. 19 | 20 | ### Get a List of Resolutions 21 | ```bash 22 | http -a $USER:$PASS :8080/goals 23 | ``` 24 | ### Lookup a Resolution by Id 25 | ```bash 26 | http -a $USER:$PASS :8080/goal/$ID 27 | ``` 28 | where `$ID` is the primary key. 29 | ### Create a Resolution 30 | ```bash 31 | echo -n "some text" | http -a $USER:$PASS :8080/goal 32 | ``` 33 | ### Revise a Resolution 34 | ```bash 35 | echo -n "some updated text" | http -a $USER:$PASS PUT :8080/goal/$ID/revise 36 | ``` 37 | ### Complete a Resolution 38 | ```bash 39 | http -a $USER:$PASS PUT :8080/goal/$ID/complete 40 | ``` -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/GoalsApplicationTests.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.junit.Test; 4 | import org.junit.runner.RunWith; 5 | import org.springframework.beans.factory.annotation.Autowired; 6 | import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; 7 | import org.springframework.boot.test.context.SpringBootTest; 8 | import org.springframework.test.context.junit4.SpringRunner; 9 | import org.springframework.test.web.servlet.MockMvc; 10 | 11 | import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; 12 | import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt; 13 | import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; 14 | import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; 15 | 16 | @SpringBootTest 17 | @AutoConfigureMockMvc 18 | @RunWith(SpringRunner.class) 19 | public class GoalsApplicationTests { 20 | @Autowired 21 | MockMvc mvc; 22 | 23 | @Test 24 | public void goalsWithHttpBasicShouldReturnOk() throws Exception { 25 | this.mvc.perform(get("/goals") 26 | .with(httpBasic("user", "password"))) 27 | .andExpect(status().isOk()); 28 | } 29 | 30 | @Test 31 | public void goalsWithJwtShouldReturnOk() throws Exception { 32 | this.mvc.perform(get("/goals") 33 | .with(jwt())) 34 | .andExpect(status().isOk()); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/userprofiles/UserProfilesApplication.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.userprofiles; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer; 6 | import org.springframework.context.annotation.Bean; 7 | import org.springframework.web.bind.annotation.GetMapping; 8 | import org.springframework.web.bind.annotation.PathVariable; 9 | import org.springframework.web.bind.annotation.RestController; 10 | 11 | import java.util.Optional; 12 | 13 | @SpringBootApplication 14 | public class UserProfilesApplication { 15 | @Bean 16 | public TomcatConnectorCustomizer connectorCustomizer() { 17 | return container -> container.setPort(8082); 18 | } 19 | 20 | @RestController 21 | static class UserController { 22 | @GetMapping("/user/{username}/fullName") 23 | Optional read(@PathVariable("username") String username) { 24 | switch(username) { 25 | case "user": 26 | return Optional.of("User Userson"); 27 | case "hasread": 28 | return Optional.of("Has Read"); 29 | case "haswrite": 30 | return Optional.of("Has Write"); 31 | case "admin": 32 | return Optional.of("Admin Adminson"); 33 | default: 34 | return Optional.empty(); 35 | } 36 | } 37 | } 38 | 39 | public static void main(String[] args) { 40 | SpringApplication.run(UserProfilesApplication.class, args); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /etc/docs/module_005.md: -------------------------------------------------------------------------------- 1 | # Authenticating and Authorizing with Opaque Tokens 2 | 3 | In this module, you'll change JWTs out for Opaque Tokens for additional security. 4 | 5 | ## Verification Steps 6 | 7 | Bearer tokens are different from HTTP Basic in that an application relies on a third-party service to authenticate. 8 | 9 | The repository ships with a `docker-compose` setup of [Keycloak](https://www.keycloak.org) to achieve this. 10 | 11 | To use it, first install and setup [Docker](https://docs.docker.com/get-docker/) and [`docker-compose`](https://docs.docker.com/compose/install). 12 | 13 | Then, from the `etc` directory in the repo, do: 14 | 15 | ```bash 16 | docker-compose up -d 17 | ``` 18 | 19 | This will start a Keycloak server at port 9999 that has `user`, `hasread`, and `haswrite` users, all with password `password`. 20 | 21 | You can navigate to [http://127.0.0.1:9999](http://127.0.0.1:9999) and log in with `admin`/`password` to see the admin console. 22 | 23 | Also, you can use the same SPA we used last time. Start it up like before with: 24 | 25 | ```bash 26 | ./mvnw spring-boot:run -Dstart-class=io.jzheaux.springsecurity.spa.SpaApplication 27 | ``` 28 | 29 | And then navigate to [http://127.0.0.1:4000/bearer.html](http://127.0.0.1:4000/bearer.html). 30 | The app will negotiate with Keycloak to get you logged in. 31 | You can use the `Resolutions` button like before. 32 | 33 | ## Extra Credit 34 | 35 | CSRF is automatically disabled for Bearer Token authentication since the browser doesn't automatically store and send those credentials. -------------------------------------------------------------------------------- /etc/docs/module_004.md: -------------------------------------------------------------------------------- 1 | # Authenticating and Authorizing with JWTs 2 | 3 | In this module, you'll add JWT-based Bearer Token Authentication as a more secure alternative to HTTP Basic. 4 | 5 | ## Verification Steps 6 | 7 | Bearer tokens are different from HTTP Basic in that an application relies on a third-party service to authenticate. 8 | 9 | The repository ships with a `docker-compose` setup of [Keycloak](https://www.keycloak.org) to achieve this. 10 | 11 | To use it, first install and setup [Docker](https://docs.docker.com/get-docker/) and [`docker-compose`](https://docs.docker.com/compose/install). 12 | 13 | Then, from the `etc` directory in the repo, do: 14 | 15 | ```bash 16 | docker-compose up -d 17 | ``` 18 | 19 | This will start a Keycloak server at port 9999 that has `user`, `hasread`, and `haswrite` users, all with password `password`. 20 | 21 | You can navigate to [http://127.0.0.1:9999](http://127.0.0.1:9999) and log in with `admin`/`password` to see the admin console. 22 | 23 | Also, you can use the same SPA we used last time. Start it up like before with: 24 | 25 | ```bash 26 | ./mvnw spring-boot:run -Dstart-class=io.jzheaux.springsecurity.spa.SpaApplication 27 | ``` 28 | 29 | And then navigate to [http://127.0.0.1:4000/bearer.html](http://127.0.0.1:4000/bearer.html). 30 | The app will negotiate with Keycloak to get you logged in. 31 | You can use the `Resolutions` button like before. 32 | 33 | ## Extra Credit 34 | 35 | CSRF is automatically disabled for Bearer Token authentication since the browser doesn't automatically store and send those credentials. -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/ReflectedUserAuthority.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import java.lang.reflect.Field; 4 | 5 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByColumnName; 6 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByName; 7 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByType; 8 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getProperty; 9 | 10 | public class ReflectedUserAuthority { 11 | static Field userField; 12 | static Field usernameColumnField; 13 | static Field authorityField; 14 | static Field authorityColumnField; 15 | 16 | static { 17 | userField = getDeclaredFieldByType(UserAuthority.class, User.class); 18 | if (userField != null) userField.setAccessible(true); 19 | usernameColumnField = getDeclaredFieldByColumnName(UserAuthority.class, "username"); 20 | authorityField = getDeclaredFieldByName(UserAuthority.class, "authority"); 21 | authorityColumnField = getDeclaredFieldByColumnName(UserAuthority.class, "authority"); 22 | if (authorityColumnField != null) authorityColumnField.setAccessible(true); 23 | } 24 | 25 | UserAuthority userAuthority; 26 | 27 | public ReflectedUserAuthority(UserAuthority userAuthority) { 28 | this.userAuthority = userAuthority; 29 | } 30 | 31 | User getUser() { 32 | return getProperty(this.userAuthority, userField); 33 | } 34 | 35 | String getAuthority() { 36 | return getProperty(this.userAuthority, authorityColumnField); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Logs 2 | logs 3 | *.log 4 | npm-debug.log* 5 | yarn-debug.log* 6 | yarn-error.log* 7 | 8 | # Runtime data 9 | pids 10 | *.pid 11 | *.seed 12 | *.pid.lock 13 | 14 | # Directory for instrumented libs generated by jscoverage/JSCover 15 | lib-cov 16 | 17 | # Coverage directory used by tools like istanbul 18 | coverage 19 | 20 | # nyc test coverage 21 | .nyc_output 22 | 23 | # Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files) 24 | .grunt 25 | 26 | # Bower dependency directory (https://bower.io/) 27 | bower_components 28 | 29 | # node-waf configuration 30 | .lock-wscript 31 | 32 | # Compiled binary addons (https://nodejs.org/api/addons.html) 33 | build/Release 34 | 35 | # Dependency directories 36 | node_modules/ 37 | jspm_packages/ 38 | 39 | # TypeScript v1 declaration files 40 | typings/ 41 | 42 | # Optional npm cache directory 43 | .npm 44 | 45 | # Optional eslint cache 46 | .eslintcache 47 | 48 | # Optional REPL history 49 | .node_repl_history 50 | 51 | # Output of 'npm pack' 52 | *.tgz 53 | 54 | # Yarn Integrity file 55 | .yarn-integrity 56 | 57 | # dotenv environment variables file 58 | .env 59 | 60 | # next.js build output 61 | .next 62 | 63 | HELP.md 64 | target/ 65 | !.mvn/wrapper/maven-wrapper.jar 66 | !**/src/main/** 67 | !**/src/test/** 68 | 69 | ### STS ### 70 | .apt_generated 71 | .classpath 72 | .factorypath 73 | .project 74 | .settings 75 | .springBeans 76 | .sts4-cache 77 | 78 | ### IntelliJ IDEA ### 79 | .idea 80 | *.iws 81 | *.iml 82 | *.ipr 83 | 84 | ### NetBeans ### 85 | /nbproject/private/ 86 | /nbbuild/ 87 | /dist/ 88 | /nbdist/ 89 | /.nb-gradle/ 90 | build/ 91 | 92 | ### VS Code ### 93 | .vscode/ 94 | 95 | .DS_Store 96 | -------------------------------------------------------------------------------- /src/main/resources/static/bearer.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 20 | 21 | 22 |
23 | 32 |
33 |
34 |
35 |

Goals

36 |
37 |
    38 |
39 |
40 | 41 | 42 |
43 |
44 | 45 | -------------------------------------------------------------------------------- /src/main/resources/static/goals.js: -------------------------------------------------------------------------------- 1 | const ready = () => { 2 | goalcontroller.list(); 3 | 4 | $("#logout input").val(security.csrf.value); 5 | $("#logout a").on("click", () => { $("#logout form").submit(); }); 6 | $("#new button").on("click", goalcontroller.add); 7 | $("#new input").keypress((e) => { if (e.which === 13) { goalcontroller.add() }}); 8 | }; 9 | 10 | const goalcontroller = { 11 | root: "http://127.0.0.1:8080", 12 | list : () => 13 | $.get(goalcontroller.root + "/goals", (goals) => { 14 | for (let goal of goals) { 15 | goalcontroller._upsertGoal(goal); 16 | } 17 | }), 18 | add: () => 19 | $.ajax({ 20 | type: "POST", 21 | url: goalcontroller.root + "/goal", 22 | data: $("#new input").val(), 23 | contentType: "application/json" 24 | }).done((goal) => { 25 | goalcontroller._upsertGoal(goal); 26 | $("#new input").val(""); 27 | }), 28 | complete : (id) => 29 | $.ajax({ 30 | type : "PUT", 31 | url : goalcontroller.root + "/goal/" + id + "/complete", 32 | }).done((goal) => { 33 | goalcontroller._upsertGoal(goal); 34 | }), 35 | _upsertGoal : (goal) => { 36 | let li = $("#goals li").filter(function() { return $(this).data("id") === goal.id; }); 37 | if (li.length === 0) { 38 | li = $("
  • "); 39 | li.data("id", goal.id); 40 | li.click(() => { 41 | goalcontroller.complete(li.data("id")); 42 | }); 43 | li.hover(() => { 44 | $(this).toggleClass("active"); 45 | }); 46 | $("#goals").append(li); 47 | } 48 | li.text(goal.text); 49 | if (goal.completed) { 50 | li.addClass("completed"); 51 | } else { 52 | li.removeClass("completed"); 53 | } 54 | $("#welcome").html(goal.owner + "'s Goals") 55 | } 56 | }; -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/GoalInitializer.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.springframework.beans.factory.SmartInitializingSingleton; 4 | import org.springframework.stereotype.Component; 5 | 6 | @Component 7 | public class GoalInitializer implements SmartInitializingSingleton { 8 | private final GoalRepository goals; 9 | private final UserRepository users; 10 | 11 | public GoalInitializer(GoalRepository goals, UserRepository users) { 12 | this.goals = goals; 13 | this.users = users; 14 | } 15 | 16 | @Override 17 | public void afterSingletonsInstantiated() { 18 | this.goals.save(new Goal("Read War and Peace", "user")); 19 | this.goals.save(new Goal("Free Solo the Eiffel Tower", "user")); 20 | this.goals.save(new Goal("Hang Christmas Lights", "user")); 21 | this.goals.save(new Goal("March to the Beat of My Own Drum", "hasread")); 22 | 23 | User user = new User("user", "{bcrypt}$2a$10$3njzOWhsz20aimcpMamJhOnX9Pb4Nk3toq8OO0swIy5EPZnb1YyGe"); 24 | user.setFullName("User Userson"); 25 | user.grantAuthority("goal:read"); 26 | user.grantAuthority("goal:write"); 27 | user.grantAuthority("user:read"); 28 | this.users.save(user); 29 | 30 | User hasRead = new User("hasread", "{bcrypt}$2a$10$3njzOWhsz20aimcpMamJhOnX9Pb4Nk3toq8OO0swIy5EPZnb1YyGe"); 31 | hasRead.setFullName("Has Read"); 32 | hasRead.grantAuthority("goal:read"); 33 | hasRead.grantAuthority(("user:read")); 34 | this.users.save(hasRead); 35 | 36 | User hasWrite = new User("haswrite", "{bcrypt}$2a$10$3njzOWhsz20aimcpMamJhOnX9Pb4Nk3toq8OO0swIy5EPZnb1YyGe"); 37 | hasWrite.setFullName("Has Write"); 38 | hasWrite.setSubscription("premium"); 39 | hasWrite.addFriend(hasRead); 40 | hasWrite.grantAuthority("goal:write"); 41 | this.users.save(hasWrite); 42 | 43 | User admin = new User("admin", "{bcrypt}$2a$10$3njzOWhsz20aimcpMamJhOnX9Pb4Nk3toq8OO0swIy5EPZnb1YyGe"); 44 | admin.setFullName("Admin Adminson"); 45 | admin.grantAuthority("goal:read"); 46 | admin.grantAuthority("goal:write"); 47 | admin.grantAuthority("ROLE_ADMIN"); 48 | this.users.save(admin); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /etc/docs/slides.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Spring Security REST APIs with O'Reilly 3 | author: Josh Cummings 4 | date: 2022-11-10 5 | patat: 6 | images: 7 | backend: kitty 8 | pandocExtensions: 9 | - patat_extensions 10 | - autolink_bare_uris 11 | - emoji 12 | ... 13 | 14 | # Reminder 15 | 16 | The code is at https://github.com/jzheaux/oreilly-spring-security-rest-apis. 17 | 18 | Checkout the code and load it into your favorite IDE. 19 | 20 | I will be using IntelliJ. 21 | 22 | --- 23 | 24 | # whoami 25 | 26 | Hi, I'm Josh Cummings. 27 | 28 | I've worked on Spring Security for about the last 5 years. 29 | I've worked with it for much longer (c. 2008) 30 | And I've worked adjacent to it for even longer (c. 2005) 31 | 32 | ## Points of Interest 33 | 34 | I have seven children and one wife. 35 | I like to juggle. 36 | 37 | ## Level of Java Fame Continuum 38 | 39 | |--Josh Cummings-----------------------Josh Long-------------Josh Bloch--| 40 | 41 | ## You can find me at 42 | 43 | - [Spring Security](https://github.com/spring-projects/spring-security) 44 | - [Terracotta Bank](https://github.com/terracotta-bank/terracotta-bank) 45 | - [Pluralsight](https://pluralsight.com) 46 | - [@jzheaux](https://twitter.com/jzheaux) 47 | 48 | --- 49 | 50 | # What are your goals? 51 | 52 | > - Hope over into the Group Chat to share... 53 | > - ... and while you're thinking about that, I'll share mine. 54 | 55 | --- 56 | 57 | # Definitions 58 | 59 | Spring Security REST **API** 60 | 61 | *API*: The interface by which one program commands another program 62 | 63 | --- 64 | 65 | # Definitions 66 | 67 | Spring Security **REST** API 68 | 69 | *REST*: A way to model resources over HTTP 70 | 71 | > - GET, POST, PUT, DELETE methods 72 | > - 2xx & 4xx responses 73 | 74 | --- 75 | 76 | # Definitions 77 | 78 | **Spring Security** REST API 79 | 80 | > - *Spring*: An application framework that uses *dependency injection* 81 | 82 | > - *Spring Security*: Authn, Authz, and Defense 83 | 84 | --- 85 | 86 | # Plan for today 87 | 88 | > * Add BASIC authentication to a REST API 89 | > * Add CORS and CSRF defense 90 | > * Change to Bearer Token authentication 91 | > * Add authorization 92 | > * Prepare the code for 6.0 93 | 94 | --- 95 | 96 | # The Filter Chain 97 | 98 | ![](images/securityfilterchain.png) 99 | 100 | --- 101 | 102 | # Basic Auth 103 | 104 | ![](images/basicauthenticationfilter.png) 105 | 106 | --- 107 | 108 | # The Principal 109 | 110 | ![](images/securitycontextholder.png) 111 | 112 | 113 | --- 114 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/GoalController.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.springframework.security.core.annotation.AuthenticationPrincipal; 4 | import org.springframework.web.bind.annotation.GetMapping; 5 | import org.springframework.web.bind.annotation.PathVariable; 6 | import org.springframework.web.bind.annotation.PostMapping; 7 | import org.springframework.web.bind.annotation.PutMapping; 8 | import org.springframework.web.bind.annotation.RequestBody; 9 | import org.springframework.web.bind.annotation.RestController; 10 | 11 | import javax.transaction.Transactional; 12 | import java.util.Optional; 13 | import java.util.UUID; 14 | 15 | @RestController 16 | public class GoalController { 17 | private final GoalRepository goals; 18 | private final UserRepository users; 19 | 20 | public GoalController(GoalRepository goals, UserRepository users) { 21 | this.goals = goals; 22 | this.users = users; 23 | } 24 | 25 | @GetMapping("/goals") 26 | public Iterable read() { 27 | Iterable goals = this.goals.findAll(); 28 | for (Goal goal : goals) { 29 | addName(goal); 30 | } 31 | return goals; 32 | } 33 | 34 | @GetMapping("/goal/{id}") 35 | public Optional read(@PathVariable("id") UUID id) { 36 | return this.goals.findById(id).map(this::addName); 37 | } 38 | 39 | @PostMapping("/goal") 40 | public Goal make(@RequestBody String text) { 41 | String owner = "user"; 42 | Goal goal = new Goal(text, owner); 43 | return this.goals.save(goal); 44 | } 45 | 46 | @PutMapping(path="/goal/{id}/revise") 47 | @Transactional 48 | public Optional revise(@PathVariable("id") UUID id, @RequestBody String text) { 49 | this.goals.revise(id, text); 50 | return read(id); 51 | } 52 | 53 | @PutMapping("/goal/{id}/complete") 54 | @Transactional 55 | public Optional complete(@PathVariable("id") UUID id) { 56 | this.goals.complete(id); 57 | return read(id); 58 | } 59 | 60 | @PutMapping("/goal/{id}/share") 61 | @Transactional 62 | public Optional share(@AuthenticationPrincipal User user, @PathVariable("id") UUID id) { 63 | Optional goal = read(id); 64 | goal.filter(r -> r.getOwner().equals(user.getUsername())) 65 | .map(Goal::getText).ifPresent(text -> { 66 | for (User friend : user.getFriends()) { 67 | this.goals.save(new Goal(text, friend.getUsername())); 68 | } 69 | }); 70 | return goal; 71 | } 72 | 73 | private Goal addName(Goal goal) { 74 | String name = this.users.findByUsername(goal.getOwner()) 75 | .map(User::getFullName).orElse("none"); 76 | goal.setText(goal.getText() + ", by " + name); 77 | return goal; 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/ReflectionSupport.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import javax.persistence.Column; 4 | import javax.persistence.Id; 5 | import javax.persistence.JoinColumn; 6 | import java.lang.annotation.Annotation; 7 | import java.lang.reflect.Constructor; 8 | import java.lang.reflect.Field; 9 | import java.lang.reflect.Method; 10 | import java.util.stream.Stream; 11 | 12 | public class ReflectionSupport { 13 | private ReflectionSupport() {} 14 | 15 | static Field getDeclaredFieldByType(Class type, Class fieldType) { 16 | return Stream.of(type.getDeclaredFields()) 17 | .filter(f -> f.getType() == fieldType) 18 | .findFirst().orElse(null); 19 | } 20 | 21 | static Field getDeclaredFieldByName(Class type, String name) { 22 | return Stream.of(type.getDeclaredFields()) 23 | .filter(f -> f.getName().equals(name)) 24 | .findFirst().orElse(null); 25 | } 26 | 27 | static Field getDeclaredFieldByColumnName(Class type, String columnName) { 28 | return Stream.of(type.getDeclaredFields()) 29 | .filter(f -> { 30 | String name = null; 31 | Column column = f.getAnnotation(Column.class); 32 | Id id = f.getAnnotation(Id.class); 33 | JoinColumn joinColumn = f.getAnnotation(JoinColumn.class); 34 | 35 | if (column != null) { 36 | name = column.name(); 37 | } else if (joinColumn != null) { 38 | name = joinColumn.name(); 39 | } else if (id != null) { 40 | name = ""; 41 | } 42 | 43 | if ("".equals(name)) { 44 | name = f.getName(); 45 | } 46 | 47 | return columnName.equals(name); 48 | }) 49 | .findFirst().orElse(null); 50 | } 51 | 52 | static Field getDeclaredFieldHavingAnnotation(Class type, Class annotation) { 53 | return Stream.of(type.getDeclaredFields()) 54 | .filter(f -> f.getAnnotation(annotation) != null) 55 | .findFirst().orElse(null); 56 | } 57 | 58 | static Constructor getConstructor(Class type, Class... parameterTypes) { 59 | try { 60 | return type.getDeclaredConstructor(parameterTypes); 61 | } catch (Exception ignored) { 62 | return null; 63 | } 64 | } 65 | 66 | static T getProperty(Object o, Field field) { 67 | try { 68 | field.setAccessible(true); 69 | return (T) field.get(o); 70 | } catch (Exception e) { 71 | throw new RuntimeException("Tried to get " + field + " from " + o, e); 72 | } 73 | } 74 | 75 | static T annotation(Class annotation, String method, Class... params) { 76 | try { 77 | Method m = GoalController.class.getDeclaredMethod(method, params); 78 | return m.getAnnotation(annotation); 79 | } catch (Exception e) { 80 | return null; 81 | } 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/UserRepositoryOpaqueTokenIntrospector.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.springframework.security.core.GrantedAuthority; 4 | import org.springframework.security.core.authority.SimpleGrantedAuthority; 5 | import org.springframework.security.core.userdetails.UsernameNotFoundException; 6 | import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; 7 | import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; 8 | 9 | import java.util.Collection; 10 | import java.util.Map; 11 | import java.util.stream.Collectors; 12 | 13 | public class UserRepositoryOpaqueTokenIntrospector 14 | implements OpaqueTokenIntrospector { 15 | 16 | private final UserRepository users; 17 | private final OpaqueTokenIntrospector introspector; 18 | 19 | public UserRepositoryOpaqueTokenIntrospector( 20 | UserRepository users, OpaqueTokenIntrospector introspector) { 21 | 22 | this.users = users; 23 | this.introspector = introspector; 24 | } 25 | 26 | @Override 27 | public OAuth2AuthenticatedPrincipal introspect(String token) { 28 | OAuth2AuthenticatedPrincipal principal = this.introspector.introspect(token); 29 | User user = this.users.findByUsername(principal.getName()) 30 | .orElseThrow(() -> new UsernameNotFoundException("user not found")); 31 | Collection authorities = user.getUserAuthorities().stream() 32 | .map(userAuthority -> new SimpleGrantedAuthority(userAuthority.authority)) 33 | .collect(Collectors.toList()); 34 | Collection scope = principal.getAttribute("scope"); 35 | Collection scopes = scope.stream() 36 | .map(SimpleGrantedAuthority::new) 37 | .collect(Collectors.toList()); 38 | authorities.retainAll(scopes); 39 | 40 | // add the virtual authority goal:share that's based on whether this 41 | // authentication can goal:write authority as well as the user has a premium membership 42 | 43 | return new UserOAuth2AuthenticatedPrincipal(user, principal.getAttributes(), authorities); 44 | } 45 | 46 | private static class UserOAuth2AuthenticatedPrincipal extends User 47 | implements OAuth2AuthenticatedPrincipal { 48 | 49 | private final Map attributes; 50 | private final Collection authorities; 51 | 52 | public UserOAuth2AuthenticatedPrincipal( 53 | User user, Map attributes, Collection authorities) { 54 | super(user); 55 | this.attributes = attributes; 56 | this.authorities = authorities; 57 | } 58 | 59 | @Override 60 | public Map getAttributes() { 61 | return this.attributes; 62 | } 63 | 64 | @Override 65 | public Collection getAuthorities() { 66 | return this.authorities; 67 | } 68 | 69 | @Override 70 | public String getName() { 71 | return this.username; 72 | } 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/UserRepositoryJwtAuthenticationConverter.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.springframework.core.convert.converter.Converter; 4 | import org.springframework.security.authentication.AbstractAuthenticationToken; 5 | import org.springframework.security.core.GrantedAuthority; 6 | import org.springframework.security.core.userdetails.UsernameNotFoundException; 7 | import org.springframework.security.oauth2.core.OAuth2AccessToken; 8 | import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; 9 | import org.springframework.security.oauth2.jwt.Jwt; 10 | import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication; 11 | import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter; 12 | 13 | import java.util.ArrayList; 14 | import java.util.Collection; 15 | import java.util.Map; 16 | 17 | import static org.springframework.security.oauth2.core.OAuth2AccessToken.TokenType.BEARER; 18 | 19 | public class UserRepositoryJwtAuthenticationConverter 20 | implements Converter { 21 | 22 | private final UserRepository users; 23 | private final JwtGrantedAuthoritiesConverter authoritiesConverter; 24 | 25 | public UserRepositoryJwtAuthenticationConverter( 26 | UserRepository users, JwtGrantedAuthoritiesConverter authoritiesConverter) { 27 | this.users = users; 28 | this.authoritiesConverter = authoritiesConverter; 29 | } 30 | 31 | @Override 32 | public AbstractAuthenticationToken convert(Jwt jwt) { 33 | User user = this.users.findByUsername(jwt.getSubject()) 34 | .orElseThrow(() -> new UsernameNotFoundException("user not found")); 35 | Collection authorities = new ArrayList<>(); 36 | 37 | // convert authorities from user.getUserAuthorities into instances of SimpleGrantedAuthority 38 | 39 | // merge these authorities from what the authorities that this.authoritiesConverter.convert returns 40 | 41 | return new BearerTokenAuthentication( 42 | new UserOAuth2AuthenticatedPrincipal(user, jwt, authorities), 43 | new OAuth2AccessToken(BEARER, jwt.getTokenValue(), null, null), 44 | authorities); 45 | } 46 | 47 | private static class UserOAuth2AuthenticatedPrincipal extends User 48 | implements OAuth2AuthenticatedPrincipal { 49 | 50 | private final Jwt jwt; 51 | private final Collection authorities; 52 | 53 | public UserOAuth2AuthenticatedPrincipal(User user, Jwt jwt, Collection authorities) { 54 | super(user); 55 | this.jwt = jwt; 56 | this.authorities = authorities; 57 | } 58 | 59 | @Override 60 | public Map getAttributes() { 61 | return this.jwt.getClaims(); 62 | } 63 | 64 | @Override 65 | public Collection getAuthorities() { 66 | return this.authorities; 67 | } 68 | 69 | @Override 70 | public String getName() { 71 | return this.username; 72 | } 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/goals/User.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import javax.persistence.CascadeType; 4 | import javax.persistence.Column; 5 | import javax.persistence.Entity; 6 | import javax.persistence.FetchType; 7 | import javax.persistence.Id; 8 | import javax.persistence.OneToMany; 9 | import java.io.Serializable; 10 | import java.util.ArrayList; 11 | import java.util.Collection; 12 | import java.util.UUID; 13 | 14 | @Entity(name="users") 15 | public class User implements Serializable { 16 | @Id 17 | String id; 18 | 19 | @Column 20 | String username; 21 | 22 | @Column 23 | String password; 24 | 25 | @Column 26 | boolean enabled = true; 27 | 28 | @Column(name="full_name") 29 | String fullName; 30 | 31 | @Column 32 | String subscription; 33 | 34 | @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.LAZY) 35 | Collection friends = new ArrayList<>(); 36 | 37 | @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) 38 | Collection userAuthorities = new ArrayList<>(); 39 | 40 | User() {} 41 | 42 | User(String username, String password) { 43 | this.id = UUID.randomUUID().toString(); 44 | this.username = username; 45 | this.password = password; 46 | } 47 | 48 | User(User user) { 49 | this.id = user.id; 50 | this.username = user.username; 51 | this.password = user.password; 52 | this.enabled = user.enabled; 53 | this.fullName = user.fullName; 54 | this.subscription = user.subscription; 55 | this.friends = user.friends; 56 | this.userAuthorities = user.userAuthorities; 57 | } 58 | 59 | public String getId() { 60 | return id; 61 | } 62 | 63 | public void setId(String id) { 64 | this.id = id; 65 | } 66 | 67 | public String getUsername() { 68 | return username; 69 | } 70 | 71 | public void setUsername(String username) { 72 | this.username = username; 73 | } 74 | 75 | public String getPassword() { 76 | return password; 77 | } 78 | 79 | public void setPassword(String password) { 80 | this.password = password; 81 | } 82 | 83 | public boolean isEnabled() { 84 | return enabled; 85 | } 86 | 87 | public void setEnabled(boolean enabled) { 88 | this.enabled = enabled; 89 | } 90 | 91 | public String getFullName() { 92 | return fullName; 93 | } 94 | 95 | public void setFullName(String fullName) { 96 | this.fullName = fullName; 97 | } 98 | 99 | public String getSubscription() { 100 | return subscription; 101 | } 102 | 103 | public void setSubscription(String subscription) { 104 | this.subscription = subscription; 105 | } 106 | 107 | public Collection getFriends() { 108 | return friends; 109 | } 110 | 111 | public void addFriend(User friend) { 112 | this.friends.add(friend); 113 | } 114 | 115 | public Collection getUserAuthorities() { 116 | return userAuthorities; 117 | } 118 | 119 | public void grantAuthority(String authority) { 120 | this.userAuthorities.add(new UserAuthority(this, authority)); 121 | } 122 | } 123 | -------------------------------------------------------------------------------- /etc/docs/architecture.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 18 | 19 | 20 | 21 | 22 | Spring Security: The Big Picture | by Josh Cummings @jzheaux 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
    32 |

    Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.

    33 |

    For the best experience please use the latest Chrome, Safari or Firefox browser.

    34 |
    35 | 36 |
    37 | 38 | 39 |
    40 |

    Spring Security: The Big Picture

    41 |

    by Josh Cummings

    42 |
    43 | 44 |
    45 |

    The Filter Chain

    46 |

    47 |
    48 | 49 |
    50 |

    Basic Auth

    51 |

    52 |
    53 | 54 |
    56 |

    The Principal

    57 |

    58 |
    59 |
    60 | 61 |
    62 |
    63 | 64 | 65 | 66 | 67 | 68 | 69 | -------------------------------------------------------------------------------- /etc/docs/css/cube.css: -------------------------------------------------------------------------------- 1 | @import url(fonts.css); 2 | 3 | 4 | 5 | /* Fallback message */ 6 | 7 | .fallback-message { 8 | font-family: sans-serif; 9 | line-height: 1.3; 10 | 11 | width: 780px; 12 | padding: 10px 10px 0; 13 | margin: 20px auto; 14 | 15 | border: 1px solid #E4C652; 16 | border-radius: 10px; 17 | background: #EEDC94; 18 | } 19 | 20 | .fallback-message p { 21 | margin-bottom: 10px; 22 | } 23 | 24 | .impress-supported .fallback-message { 25 | display: none; 26 | } 27 | 28 | 29 | /* Body & steps */ 30 | body { 31 | font-family: 'PT Sans', sans-serif; 32 | min-height: 740px; 33 | 34 | background: #00000f; 35 | color: rgb(102, 102, 102); 36 | } 37 | 38 | .step { 39 | position: relative; 40 | width: 700px; 41 | height: 700px; 42 | padding: 40px 60px; 43 | margin: 20px auto; 44 | 45 | box-sizing: border-box; 46 | 47 | line-height: 1.5; 48 | 49 | background-color: white; 50 | border-radius: 10px; 51 | box-shadow: 0 2px 6px rgba(0, 0, 0, .1); 52 | 53 | text-shadow: 0 2px 2px rgba(0, 0, 0, .1); 54 | font-family: 'Open Sans', Arial, sans-serif; 55 | font-size: 30px; 56 | letter-spacing: -1px; 57 | 58 | } 59 | 60 | #overview { 61 | background-color: transparent; 62 | border: none; 63 | box-shadow: none; 64 | } 65 | /* 66 | Make inactive steps a little bit transparent. 67 | */ 68 | .impress-enabled .step { 69 | margin: 0; 70 | opacity: 0.7; 71 | transition: opacity 1s; 72 | } 73 | 74 | .impress-enabled .step.active { opacity: 1 } 75 | 76 | h1, 77 | h2, 78 | h3 { 79 | margin-bottom: 0.5em; 80 | margin-top: 0.5em; 81 | text-align: center; 82 | } 83 | 84 | p { 85 | margin: 0.7em; 86 | } 87 | 88 | li { 89 | margin: 0.2em; 90 | } 91 | 92 | /* Highlight.js used for coloring pre > code blocks. */ 93 | pre > code { 94 | font-size: 14px; 95 | text-shadow: 0 0 0 rgba(0, 0, 0, 0); 96 | } 97 | 98 | /* Inline code, no Highlight.js */ 99 | code { 100 | font-family: "Cutive mono","Courier New", monospace; 101 | } 102 | 103 | 104 | a { 105 | color: inherit; 106 | text-decoration: none; 107 | padding: 0 0.1em; 108 | background: rgba(200,200,200,0.2); 109 | text-shadow: -1px 1px 2px rgba(100,100,100,0.9); 110 | border-radius: 0.2em; 111 | border-bottom: 1px solid rgba(100,100,100,0.2); 112 | border-left: 1px solid rgba(100,100,100,0.2); 113 | 114 | transition: 0.5s; 115 | } 116 | a:hover, 117 | a:focus { 118 | background: rgba(200,200,200,1); 119 | text-shadow: -1px 1px 2px rgba(100,100,100,0.5); 120 | } 121 | 122 | blockquote { 123 | font-family: 'PT Serif'; 124 | font-style: italic; 125 | font-weight: 400; 126 | } 127 | 128 | em { 129 | text-shadow: 0 2px 2px rgba(0, 0, 0, .3); 130 | } 131 | 132 | strong { 133 | text-shadow: -1px 1px 2px rgba(100,100,100,0.5); 134 | } 135 | 136 | q { 137 | font-family: 'PT Serif'; 138 | font-style: italic; 139 | font-weight: 400; 140 | text-shadow: 0 2px 2px rgba(0, 0, 0, .3); 141 | } 142 | 143 | strike { 144 | opacity: 0.7; 145 | } 146 | 147 | small { 148 | font-size: 0.4em; 149 | } -------------------------------------------------------------------------------- /etc/docs/exercises.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 18 | 19 | 20 | 21 | 22 | Spring Security: The Big Picture | by Josh Cummings @jzheaux 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
    32 |

    Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.

    33 |

    For the best experience please use the latest Chrome, Safari or Firefox browser.

    34 |
    35 | 36 |
    37 | 38 | 39 |
    40 |

    Spring Security for REST APIs Exercises

    41 |
    42 | 43 |
    44 |

    45 | Go to https://bit.ly/kata-local-authn for the first scenario 46 |

    47 |
    48 | 49 |
    50 |

    51 | Go to https://bit.ly/browser-based-access for the second scenario 52 |

    53 |
    54 | 55 |
    56 |

    57 | Go to https://bit.ly/distributed-authorization for the third scenario 58 |

    59 |
    60 | 61 |
    63 |

    64 | Go to https://bit.ly/kata-local-authz for the fourth scenario 65 |

    66 |
    67 |
    68 | 69 |
    70 |
    71 | 72 | 73 | 74 | 75 | 76 | 77 | -------------------------------------------------------------------------------- /src/main/resources/static/bearer-pkce.js: -------------------------------------------------------------------------------- 1 | const pkce = { 2 | _random: function () { 3 | const array = new Uint32Array(28); 4 | window.crypto.getRandomValues(array); 5 | return Array.from(array, dec => ('0' + dec.toString(16)).substr(-2)).join(''); 6 | }, 7 | _sha256: function (plain) { 8 | const encoder = new TextEncoder(); 9 | const data = encoder.encode(plain); 10 | return window.crypto.subtle.digest('SHA-256', data); 11 | }, 12 | _base64urlencode: function (str) { 13 | return btoa(String.fromCharCode.apply(null, new Uint8Array(str))) 14 | .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''); 15 | }, 16 | state: { 17 | create: function () { 18 | const state = pkce._random(); 19 | localStorage.setItem("pkce_state", state); 20 | return state; 21 | }, 22 | get: function () { 23 | return localStorage.getItem("pkce_state"); 24 | }, 25 | remove: function () { 26 | localStorage.removeItem("pkce_state"); 27 | } 28 | }, 29 | codeVerifier: { 30 | create: function () { 31 | const codeVerifier = pkce._random(); 32 | localStorage.setItem("pkce_code_verifier", codeVerifier); 33 | return codeVerifier; 34 | }, 35 | get: function () { 36 | return localStorage.getItem("pkce_code_verifier"); 37 | }, 38 | remove: function () { 39 | localStorage.removeItem("pkce_code_verifier"); 40 | } 41 | }, 42 | codeChallenge: async function (codeVerifier) { 43 | const hashed = await pkce._sha256(codeVerifier); 44 | return pkce._base64urlencode(hashed); 45 | }, 46 | authorize: async function () { 47 | const state = pkce.state.create(); 48 | const codeVerifier = pkce.codeVerifier.create(); 49 | const codeChallenge = await pkce.codeChallenge(codeVerifier); 50 | const url = "http://idp:8083/oauth2/authorize" + 51 | "?response_type=code" + 52 | "&client_id=goals-client" + 53 | "&redirect_uri=http://127.0.0.1:8081/bearer.html" + 54 | "&scope=goal:read+goal:write+user:read" + 55 | "&state=" + state + 56 | "&code_challenge=" + codeChallenge + 57 | "&code_challenge_method=S256"; 58 | location.href = url; 59 | }, 60 | token: function (params) { 61 | if (!params.get("code")) { 62 | return Promise.resolve(); 63 | } 64 | const code = params.get("code"); 65 | const verifier = pkce.codeVerifier.get(); 66 | const state = pkce.state.get(); 67 | if (params.get("state") !== state) { 68 | return Promise.resolve(); 69 | } 70 | const data = "grant_type=authorization_code" 71 | + "&client_id=goals-client" 72 | + "&code=" + encodeURIComponent(code) 73 | + "&code_verifier=" + encodeURIComponent(verifier) 74 | + "&redirect_uri=http://127.0.0.1:8081/bearer.html"; 75 | return new Promise((resolve, reject) => 76 | $.ajax("http://idp:8083/oauth2/token", 77 | { 78 | method: 'POST', 79 | data: data, 80 | success: (data) => { 81 | pkce.state.remove(); 82 | pkce.codeVerifier.remove(); 83 | resolve(data.access_token); 84 | }, 85 | error: (error) => { 86 | reject(error); 87 | } 88 | })); 89 | } 90 | }; -------------------------------------------------------------------------------- /etc/docs/css/3D-rotations.css: -------------------------------------------------------------------------------- 1 | @import url(fonts.css); 2 | 3 | 4 | 5 | /* Fallback message */ 6 | 7 | .fallback-message { 8 | font-family: sans-serif; 9 | line-height: 1.3; 10 | 11 | width: 780px; 12 | padding: 10px 10px 0; 13 | margin: 20px auto; 14 | 15 | border: 1px solid #E4C652; 16 | border-radius: 10px; 17 | background: #EEDC94; 18 | } 19 | 20 | .fallback-message p { 21 | margin-bottom: 10px; 22 | } 23 | 24 | .impress-supported .fallback-message { 25 | display: none; 26 | } 27 | 28 | 29 | /* Body & steps */ 30 | body { 31 | font-family: 'PT Sans', sans-serif; 32 | min-height: 740px; 33 | 34 | background: #001f00; 35 | color: rgb(200, 200, 200); 36 | } 37 | 38 | .step { 39 | position: relative; 40 | width: 700px; 41 | height: 700px; 42 | padding: 40px 60px; 43 | margin: 20px auto; 44 | 45 | box-sizing: border-box; 46 | 47 | line-height: 1.5; 48 | 49 | background-color: white; 50 | border-radius: 10px; 51 | box-shadow: 0 2px 6px rgba(0, 0, 0, .1); 52 | 53 | text-shadow: 0 2px 2px rgba(0, 0, 0, .1); 54 | 55 | font-family: 'Open Sans', Arial, sans-serif; 56 | font-size: 32pt; 57 | letter-spacing: -1px; 58 | 59 | } 60 | 61 | /* Overview step has no background or border */ 62 | 63 | .overview { 64 | background-color: transparent; 65 | border: none; 66 | box-shadow: none; 67 | pointer-events: none; 68 | display: none; 69 | } 70 | .overview.active { 71 | display: block; 72 | pointer-events: auto; 73 | } 74 | 75 | /* 76 | Make inactive steps a little bit transparent. 77 | */ 78 | .impress-enabled .step { 79 | margin: 0; 80 | opacity: 0.1; 81 | transition: opacity 1s; 82 | } 83 | 84 | .impress-enabled .step.active { opacity: 1 } 85 | 86 | 87 | /* Content */ 88 | 89 | h1, 90 | h2, 91 | h3 { 92 | margin-bottom: 0.5em; 93 | margin-top: 0.5em; 94 | text-align: center; 95 | } 96 | 97 | p { 98 | margin: 0.7em; 99 | } 100 | 101 | li { 102 | margin: 0.2em; 103 | } 104 | 105 | /* Highlight.js used for coloring pre > code blocks. */ 106 | pre > code { 107 | font-size: 14px; 108 | text-shadow: 0 0 0 rgba(0, 0, 0, 0); 109 | } 110 | 111 | /* Inline code, no Highlight.js */ 112 | code { 113 | font-family: "Cutive mono","Courier New", monospace; 114 | } 115 | 116 | 117 | a { 118 | color: inherit; 119 | text-decoration: none; 120 | padding: 0 0.1em; 121 | background: rgba(200,200,200,0.2); 122 | text-shadow: -1px 1px 2px rgba(100,100,100,0.9); 123 | border-radius: 0.2em; 124 | border-bottom: 1px solid rgba(100,100,100,0.2); 125 | border-left: 1px solid rgba(100,100,100,0.2); 126 | 127 | transition: 0.5s; 128 | } 129 | a:hover, 130 | a:focus { 131 | background: rgba(200,200,200,1); 132 | text-shadow: -1px 1px 2px rgba(100,100,100,0.5); 133 | } 134 | 135 | blockquote { 136 | font-family: 'PT Serif'; 137 | font-style: italic; 138 | font-weight: 400; 139 | } 140 | 141 | em { 142 | text-shadow: 0 2px 2px rgba(0, 0, 0, .3); 143 | } 144 | 145 | strong { 146 | text-shadow: -1px 1px 2px rgba(100,100,100,0.5); 147 | } 148 | 149 | q { 150 | font-family: 'PT Serif'; 151 | font-style: italic; 152 | font-weight: 400; 153 | text-shadow: 0 2px 2px rgba(0, 0, 0, .3); 154 | } 155 | 156 | strike { 157 | opacity: 0.7; 158 | } 159 | 160 | small { 161 | font-size: 0.4em; 162 | } 163 | 164 | /* Styles specific to each step */ 165 | 166 | #overview2 { 167 | font-size: 20pt; 168 | padding-left: 200px; 169 | text-align: right; 170 | } 171 | 172 | /*** Josh-added stuff ***/ 173 | 174 | li { 175 | list-style-type: none; 176 | } 177 | 178 | a { 179 | background: transparent; 180 | text-decoration: underline; 181 | font-weight: bold; 182 | } 183 | 184 | dt { 185 | font-weight: bold; 186 | } -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/ReflectedUser.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import javax.persistence.Id; 4 | import java.lang.reflect.Constructor; 5 | import java.lang.reflect.Field; 6 | import java.lang.reflect.Method; 7 | import java.util.Collection; 8 | import java.util.UUID; 9 | 10 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getConstructor; 11 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByColumnName; 12 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByName; 13 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldHavingAnnotation; 14 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getProperty; 15 | 16 | public class ReflectedUser { 17 | static Constructor defaultConstructor; 18 | static Constructor copyConstructor; 19 | static Field idColumnField; 20 | static Field usernameColumnField; 21 | static Field passwordColumnField; 22 | static Field enabledColumnField; 23 | static Field nameColumnField; 24 | static Field subscriptionColumnField; 25 | static Field userAuthorityCollectionField; 26 | static Field userFriendCollectionField; 27 | static Method grantAuthorityMethod; 28 | 29 | static { 30 | defaultConstructor = getConstructor(User.class); 31 | if (defaultConstructor != null) defaultConstructor.setAccessible(true); 32 | copyConstructor = getConstructor(User.class, User.class); 33 | idColumnField = getDeclaredFieldHavingAnnotation(User.class, Id.class); 34 | usernameColumnField = getDeclaredFieldByColumnName(User.class, "username"); 35 | if (usernameColumnField != null) usernameColumnField.setAccessible(true); 36 | passwordColumnField = getDeclaredFieldByColumnName(User.class, "password"); 37 | if (passwordColumnField != null) passwordColumnField.setAccessible(true); 38 | enabledColumnField = getDeclaredFieldByColumnName(User.class, "enabled"); 39 | if (enabledColumnField != null) enabledColumnField.setAccessible(true); 40 | nameColumnField = getDeclaredFieldByColumnName(User.class, "full_name"); 41 | if (nameColumnField != null) nameColumnField.setAccessible(true); 42 | subscriptionColumnField = getDeclaredFieldByColumnName(User.class, "subscription"); 43 | if (subscriptionColumnField != null) subscriptionColumnField.setAccessible(true); 44 | userAuthorityCollectionField = getDeclaredFieldByName(User.class, "userAuthorities"); 45 | if (userAuthorityCollectionField != null) userAuthorityCollectionField.setAccessible(true); 46 | userFriendCollectionField = getDeclaredFieldByName(User.class, "friends"); 47 | try { 48 | grantAuthorityMethod = User.class.getDeclaredMethod("grantAuthority", String.class); 49 | } catch (Exception ignored) { 50 | // user hasn't added this method yet 51 | } 52 | } 53 | 54 | User user; 55 | 56 | public static ReflectedUser newInstance() { 57 | try { 58 | return new ReflectedUser((User) defaultConstructor.newInstance()); 59 | } catch (Exception e) { 60 | throw new RuntimeException(e); 61 | } 62 | } 63 | 64 | public static ReflectedUser copiedInstance(ReflectedUser user) { 65 | try { 66 | return new ReflectedUser((User) copyConstructor.newInstance(user.user)); 67 | } catch (Exception e) { 68 | throw new RuntimeException(e); 69 | } 70 | } 71 | 72 | public ReflectedUser(User user) { 73 | this.user = user; 74 | } 75 | 76 | UUID getId() { 77 | return getProperty(this.user, idColumnField); 78 | } 79 | 80 | String getUsername() { 81 | return getProperty(this.user, usernameColumnField); 82 | } 83 | 84 | String getPassword() { 85 | return getProperty(this.user, passwordColumnField); 86 | } 87 | 88 | String getFullName() { return getProperty(this.user, nameColumnField); } 89 | 90 | String getSubscription() { return getProperty(this.user, subscriptionColumnField); } 91 | 92 | Collection getUserAuthorities() { 93 | return getProperty(this.user, userAuthorityCollectionField); 94 | } 95 | 96 | Collection getFriends() { return getProperty(this.user, userFriendCollectionField); } 97 | 98 | void grantAuthority(String authority) { 99 | try { 100 | grantAuthorityMethod.invoke(this.user, authority); 101 | } catch (Exception e) { 102 | throw new RuntimeException("Failed to call `grantAuthority` on " + this.user, e); 103 | } 104 | } 105 | } 106 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.7.14 9 | 10 | 11 | io.jzheaux.springsecurity 12 | goals 13 | 0.0.1-SNAPSHOT 14 | goals 15 | Goal-Keeper REST API 16 | 17 | 18 | 1.8 19 | io.jzheaux.springsecurity.goals.GoalsApplication 20 | 21 | 22 | 23 | 24 | org.springframework.boot 25 | spring-boot-starter-data-jpa 26 | 27 | 28 | org.springframework.security 29 | spring-security-oauth2-jose 30 | 31 | 32 | org.springframework.security 33 | spring-security-oauth2-resource-server 34 | 35 | 36 | org.springframework.boot 37 | spring-boot-starter-security 38 | 39 | 40 | org.springframework.boot 41 | spring-boot-starter-web 42 | 43 | 44 | org.springframework.security 45 | spring-security-data 46 | 47 | 48 | 49 | org.springframework.boot 50 | spring-boot-devtools 51 | true 52 | 53 | 54 | 55 | org.webjars 56 | jquery 57 | 3.6.3 58 | 59 | 60 | org.webjars 61 | bootstrap 62 | 4.5.3 63 | 64 | 65 | org.webjars 66 | webjars-locator-core 67 | 68 | 69 | 70 | org.springframework.security 71 | spring-security-oauth2-authorization-server 72 | 0.4.3 73 | 74 | 75 | 76 | org.springframework 77 | spring-webflux 78 | 79 | 80 | 81 | com.h2database 82 | h2 83 | runtime 84 | 85 | 86 | io.projectreactor.netty 87 | reactor-netty 88 | 89 | 90 | 91 | org.springframework.boot 92 | spring-boot-starter-test 93 | test 94 | 95 | 96 | 97 | org.junit.vintage 98 | junit-vintage-engine 99 | test 100 | 101 | 102 | org.hamcrest 103 | hamcrest-core 104 | 105 | 106 | 107 | 108 | 109 | org.springframework.security 110 | spring-security-test 111 | test 112 | 113 | 114 | 115 | com.squareup.okhttp3 116 | mockwebserver 117 | 118 | 119 | org.apache.maven 120 | maven-model 121 | 3.6.3 122 | test 123 | 124 | 125 | 126 | 127 | 128 | 129 | org.springframework.boot 130 | spring-boot-maven-plugin 131 | 132 | 133 | 134 | 135 | 136 | 137 | central 138 | https://repo1.maven.org/maven2 139 | 140 | 141 | 142 | -------------------------------------------------------------------------------- /etc/docs/css/impress-common.css: -------------------------------------------------------------------------------- 1 | /* impress.js doesn't require any particular CSS file. 2 | Each author should create their own, to achieve the visual style they want. 3 | Yet in practice many plugins will not do anything useful without CSS. (See for example mouse-timeout plugin.) 4 | This file contains sample CSS that you may want to use in your presentation. 5 | It is focused on plugin functionality, not the visual style of your presentation. */ 6 | 7 | /* Using the substep plugin, hide bullet points at first, then show them one by one. */ 8 | #impress .step .substep { 9 | opacity: 0; 10 | } 11 | 12 | #impress .step .substep.substep-visible { 13 | opacity: 1; 14 | transition: opacity 1s; 15 | } 16 | /* 17 | Speaker notes allow you to write comments within the steps, that will not 18 | be displayed as part of the presentation. However, they will be picked up 19 | and displayed by impressConsole.js when you press P. 20 | */ 21 | .notes { 22 | display: none; 23 | } 24 | 25 | /* Toolbar plugin */ 26 | .impress-enabled div#impress-toolbar { 27 | position: fixed; 28 | right: 1px; 29 | bottom: 1px; 30 | opacity: 0.6; 31 | z-index: 10; 32 | } 33 | .impress-enabled div#impress-toolbar > span { 34 | margin-right: 10px; 35 | } 36 | .impress-enabled div#impress-toolbar.impress-toolbar-show { 37 | display: block; 38 | } 39 | .impress-enabled div#impress-toolbar.impress-toolbar-hide { 40 | display: none; 41 | } 42 | 43 | /* Progress bar */ 44 | .impress-progress { 45 | position: absolute; 46 | left: 59px; 47 | bottom: 1px; 48 | text-align: left; 49 | font-size: 10pt; 50 | opacity: 0.6; 51 | } 52 | .impress-enabled .impress-progressbar { 53 | position: absolute; 54 | right: 318px; 55 | bottom: 1px; 56 | left: 118px; 57 | border-radius: 7px; 58 | border: 2px solid rgba(100, 100, 100, 0.2); 59 | } 60 | .impress-progressbar { 61 | right: 118px; 62 | } 63 | .impress-progressbar DIV { 64 | width: 0; 65 | height: 2px; 66 | border-radius: 5px; 67 | background: rgba(75, 75, 75, 0.4); 68 | transition: width 1s linear; 69 | } 70 | .impress-enabled .impress-progress { 71 | position: absolute; 72 | left: 59px; 73 | bottom: 1px; 74 | text-align: left; 75 | opacity: 0.6; 76 | } 77 | .impress-enabled #impress-help { 78 | background: none repeat scroll 0 0 rgba(0, 0, 0, 0.5); 79 | color: #EEEEEE; 80 | font-size: 80%; 81 | position: fixed; 82 | left: 2em; 83 | bottom: 2em; 84 | width: 24em; 85 | border-radius: 1em; 86 | padding: 1em; 87 | text-align: center; 88 | z-index: 100; 89 | font-family: Verdana, Arial, Sans; 90 | } 91 | .impress-enabled #impress-help td { 92 | padding-left: 1em; 93 | padding-right: 1em; 94 | } 95 | 96 | /* 97 | With help from the mouse-timeout plugin, we can hide the toolbar and 98 | have it show only when you move/click/touch the mouse. 99 | */ 100 | body.impress-mouse-timeout div#impress-toolbar { 101 | display: none; 102 | } 103 | 104 | /* 105 | In fact, we can hide the mouse cursor itself too, when mouse isn't used. 106 | */ 107 | body.impress-mouse-timeout { 108 | cursor: none; 109 | } 110 | 111 | 112 | /* 113 | And as the last thing there is a workaround for quite strange bug. 114 | It happens a lot in Chrome. I don't remember if I've seen it in Firefox. 115 | 116 | Sometimes the element positioned in 3D (especially when it's moved back 117 | along Z axis) is not clickable, because it falls 'behind' the 118 | element. 119 | 120 | To prevent this, I decided to make non clickable by setting 121 | pointer-events property to `none` value. 122 | Value if this property is inherited, so to make everything else clickable 123 | I bring it back on the #impress element. 124 | 125 | If you want to know more about `pointer-events` here are some docs: 126 | https://developer.mozilla.org/en/CSS/pointer-events 127 | 128 | There is one very important thing to notice about this workaround - it makes 129 | everything 'unclickable' except what's in #impress element. 130 | 131 | So use it wisely ... or don't use at all. 132 | */ 133 | 134 | .impress-enabled { pointer-events: none } 135 | .impress-enabled #impress { pointer-events: auto } 136 | 137 | /*If you disable pointer-events, you need to re-enable them for the toolbar. 138 | And the speaker console while at it.*/ 139 | 140 | .impress-enabled #impress-toolbar { pointer-events: auto } 141 | .impress-enabled #impress-console-button { pointer-events: auto } 142 | 143 | 144 | /* 145 | There is one funny thing I just realized. 146 | 147 | Thanks to this workaround above everything except #impress element is invisible 148 | for click events. That means that the hint element is also not clickable. 149 | So basically all of this transforms and delayed transitions trickery was probably 150 | not needed at all... 151 | 152 | But it was fun to learn about it, wasn't it? 153 | */ 154 | 155 | 156 | -------------------------------------------------------------------------------- /.mvn/wrapper/MavenWrapperDownloader.java: -------------------------------------------------------------------------------- 1 | /* 2 | Licensed to the Apache Software Foundation (ASF) under one 3 | or more contributor license agreements. See the NOTICE file 4 | distributed with this work for additional information 5 | regarding copyright ownership. The ASF licenses this file 6 | to you under the Apache License, Version 2.0 (the 7 | "License"); you may not use this file except in compliance 8 | with the License. You may obtain a copy of the License at 9 | 10 | https://www.apache.org/licenses/LICENSE-2.0 11 | 12 | Unless required by applicable law or agreed to in writing, 13 | software distributed under the License is distributed on an 14 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | KIND, either express or implied. See the License for the 16 | specific language governing permissions and limitations 17 | under the License. 18 | */ 19 | 20 | import java.io.File; 21 | import java.io.FileInputStream; 22 | import java.io.FileOutputStream; 23 | import java.io.IOException; 24 | import java.net.URL; 25 | import java.nio.channels.Channels; 26 | import java.nio.channels.ReadableByteChannel; 27 | import java.util.Properties; 28 | 29 | public class MavenWrapperDownloader { 30 | 31 | /** 32 | * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided. 33 | */ 34 | private static final String DEFAULT_DOWNLOAD_URL = 35 | "https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"; 36 | 37 | /** 38 | * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to 39 | * use instead of the default one. 40 | */ 41 | private static final String MAVEN_WRAPPER_PROPERTIES_PATH = 42 | ".mvn/wrapper/maven-wrapper.properties"; 43 | 44 | /** 45 | * Path where the maven-wrapper.jar will be saved to. 46 | */ 47 | private static final String MAVEN_WRAPPER_JAR_PATH = 48 | ".mvn/wrapper/maven-wrapper.jar"; 49 | 50 | /** 51 | * Name of the property which should be used to override the default download url for the wrapper. 52 | */ 53 | private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl"; 54 | 55 | public static void main(String args[]) { 56 | System.out.println("- Downloader started"); 57 | File baseDirectory = new File(args[0]); 58 | System.out.println("- Using base directory: " + baseDirectory.getAbsolutePath()); 59 | 60 | // If the maven-wrapper.properties exists, read it and check if it contains a custom 61 | // wrapperUrl parameter. 62 | File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH); 63 | String url = DEFAULT_DOWNLOAD_URL; 64 | if(mavenWrapperPropertyFile.exists()) { 65 | FileInputStream mavenWrapperPropertyFileInputStream = null; 66 | try { 67 | mavenWrapperPropertyFileInputStream = new FileInputStream(mavenWrapperPropertyFile); 68 | Properties mavenWrapperProperties = new Properties(); 69 | mavenWrapperProperties.load(mavenWrapperPropertyFileInputStream); 70 | url = mavenWrapperProperties.getProperty(PROPERTY_NAME_WRAPPER_URL, url); 71 | } catch (IOException e) { 72 | System.out.println("- ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'"); 73 | } finally { 74 | try { 75 | if(mavenWrapperPropertyFileInputStream != null) { 76 | mavenWrapperPropertyFileInputStream.close(); 77 | } 78 | } catch (IOException e) { 79 | // Ignore ... 80 | } 81 | } 82 | } 83 | System.out.println("- Downloading from: : " + url); 84 | 85 | File outputFile = new File(baseDirectory.getAbsolutePath(), MAVEN_WRAPPER_JAR_PATH); 86 | if(!outputFile.getParentFile().exists()) { 87 | if(!outputFile.getParentFile().mkdirs()) { 88 | System.out.println( 89 | "- ERROR creating output direcrory '" + outputFile.getParentFile().getAbsolutePath() + "'"); 90 | } 91 | } 92 | System.out.println("- Downloading to: " + outputFile.getAbsolutePath()); 93 | try { 94 | downloadFileFromURL(url, outputFile); 95 | System.out.println("Done"); 96 | System.exit(0); 97 | } catch (Throwable e) { 98 | System.out.println("- Error downloading"); 99 | e.printStackTrace(); 100 | System.exit(1); 101 | } 102 | } 103 | 104 | private static void downloadFileFromURL(String urlString, File destination) throws Exception { 105 | URL website = new URL(urlString); 106 | ReadableByteChannel rbc; 107 | rbc = Channels.newChannel(website.openStream()); 108 | FileOutputStream fos = new FileOutputStream(destination); 109 | fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE); 110 | fos.close(); 111 | rbc.close(); 112 | } 113 | 114 | } 115 | -------------------------------------------------------------------------------- /etc/docs/intro.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 18 | 19 | 20 | 21 | 22 | Spring Security REST APIs 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
    32 |

    Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.

    33 |

    For the best experience please use the latest Chrome, Safari or Firefox browser.

    34 |
    35 | 36 |
    37 | 38 | 39 |
    40 |

    Spring Security for REST APIs

    41 |

    by Josh Cummings

    42 |
    43 |
    44 |

    Hi! I'm Josh Cummings

    45 |
    46 |

    ...not that Josh!

    47 |
    48 |

    I help maintain Spring Security

    49 |

    You can find me at: 50 |

    56 |

    57 |
    58 | 59 |
    60 |

    What Are Your Goals?

    61 |

    Hope over into the discussion to share...

    62 |

    ...and while your thinking about that, I'll share mine.

    63 |
    64 | 65 |
    66 |

    Spring Security REST API

    67 |
    68 |
    API
    69 |
    The interface by which one program commands another program
    70 |
    71 |
    72 | 73 |
    74 |

    Spring Security REST API

    75 |
    76 |
    REST
    77 |
    A way to model resources over HTTP
    78 |
    79 |
      80 |
    • GET, POST, PUT, DELETE methods
      • 81 |
    • 2xx & 4xx responses
      • 82 |
    83 |
    84 | 85 |
    86 |

    Spring Security REST API

    87 |
    88 |
    Spring
    89 |
    An application framework that uses dependency injection
    90 |
    91 |
    92 |
    Spring Security
    93 |
    Authn, Authz, and Defense
    94 |
    95 |
    96 | 97 |
    99 |

    100 | Go to https://bit.ly/kata-local-authn for the first scenario 101 |

    102 |
    103 |
    104 | 105 |
    106 |
    107 | 108 | 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /mvnw.cmd: -------------------------------------------------------------------------------- 1 | @REM ---------------------------------------------------------------------------- 2 | @REM Licensed to the Apache Software Foundation (ASF) under one 3 | @REM or more contributor license agreements. See the NOTICE file 4 | @REM distributed with this work for additional information 5 | @REM regarding copyright ownership. The ASF licenses this file 6 | @REM to you under the Apache License, Version 2.0 (the 7 | @REM "License"); you may not use this file except in compliance 8 | @REM with the License. You may obtain a copy of the License at 9 | @REM 10 | @REM https://www.apache.org/licenses/LICENSE-2.0 11 | @REM 12 | @REM Unless required by applicable law or agreed to in writing, 13 | @REM software distributed under the License is distributed on an 14 | @REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | @REM KIND, either express or implied. See the License for the 16 | @REM specific language governing permissions and limitations 17 | @REM under the License. 18 | @REM ---------------------------------------------------------------------------- 19 | 20 | @REM ---------------------------------------------------------------------------- 21 | @REM Maven2 Start Up Batch script 22 | @REM 23 | @REM Required ENV vars: 24 | @REM JAVA_HOME - location of a JDK home dir 25 | @REM 26 | @REM Optional ENV vars 27 | @REM M2_HOME - location of maven2's installed home dir 28 | @REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands 29 | @REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending 30 | @REM MAVEN_OPTS - parameters passed to the Java VM when running Maven 31 | @REM e.g. to debug Maven itself, use 32 | @REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 33 | @REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files 34 | @REM ---------------------------------------------------------------------------- 35 | 36 | @REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on' 37 | @echo off 38 | @REM set title of command window 39 | title %0 40 | @REM enable echoing by setting MAVEN_BATCH_ECHO to 'on' 41 | @if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO% 42 | 43 | @REM set %HOME% to equivalent of $HOME 44 | if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%") 45 | 46 | @REM Execute a user defined script before this one 47 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre 48 | @REM check for pre script, once with legacy .bat ending and once with .cmd ending 49 | if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat" 50 | if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd" 51 | :skipRcPre 52 | 53 | @setlocal 54 | 55 | set ERROR_CODE=0 56 | 57 | @REM To isolate internal variables from possible post scripts, we use another setlocal 58 | @setlocal 59 | 60 | @REM ==== START VALIDATION ==== 61 | if not "%JAVA_HOME%" == "" goto OkJHome 62 | 63 | echo. 64 | echo Error: JAVA_HOME not found in your environment. >&2 65 | echo Please set the JAVA_HOME variable in your environment to match the >&2 66 | echo location of your Java installation. >&2 67 | echo. 68 | goto error 69 | 70 | :OkJHome 71 | if exist "%JAVA_HOME%\bin\java.exe" goto init 72 | 73 | echo. 74 | echo Error: JAVA_HOME is set to an invalid directory. >&2 75 | echo JAVA_HOME = "%JAVA_HOME%" >&2 76 | echo Please set the JAVA_HOME variable in your environment to match the >&2 77 | echo location of your Java installation. >&2 78 | echo. 79 | goto error 80 | 81 | @REM ==== END VALIDATION ==== 82 | 83 | :init 84 | 85 | @REM Find the project base dir, i.e. the directory that contains the folder ".mvn". 86 | @REM Fallback to current working directory if not found. 87 | 88 | set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR% 89 | IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir 90 | 91 | set EXEC_DIR=%CD% 92 | set WDIR=%EXEC_DIR% 93 | :findBaseDir 94 | IF EXIST "%WDIR%"\.mvn goto baseDirFound 95 | cd .. 96 | IF "%WDIR%"=="%CD%" goto baseDirNotFound 97 | set WDIR=%CD% 98 | goto findBaseDir 99 | 100 | :baseDirFound 101 | set MAVEN_PROJECTBASEDIR=%WDIR% 102 | cd "%EXEC_DIR%" 103 | goto endDetectBaseDir 104 | 105 | :baseDirNotFound 106 | set MAVEN_PROJECTBASEDIR=%EXEC_DIR% 107 | cd "%EXEC_DIR%" 108 | 109 | :endDetectBaseDir 110 | 111 | IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig 112 | 113 | @setlocal EnableExtensions EnableDelayedExpansion 114 | for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a 115 | @endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS% 116 | 117 | :endReadAdditionalConfig 118 | 119 | SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe" 120 | set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar" 121 | set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain 122 | 123 | set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar" 124 | 125 | FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO ( 126 | IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B 127 | ) 128 | 129 | @REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central 130 | @REM This allows using the maven wrapper in projects that prohibit checking in binary data. 131 | if exist %WRAPPER_JAR% ( 132 | if "%MVNW_VERBOSE%" == "true" ( 133 | echo Found %WRAPPER_JAR% 134 | ) 135 | ) else ( 136 | if not "%MVNW_REPOURL%" == "" ( 137 | SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar" 138 | ) 139 | if "%MVNW_VERBOSE%" == "true" ( 140 | echo Couldn't find %WRAPPER_JAR%, downloading it ... 141 | echo Downloading from: %DOWNLOAD_URL% 142 | ) 143 | 144 | powershell -Command "&{"^ 145 | "$webclient = new-object System.Net.WebClient;"^ 146 | "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^ 147 | "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^ 148 | "}"^ 149 | "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^ 150 | "}" 151 | if "%MVNW_VERBOSE%" == "true" ( 152 | echo Finished downloading %WRAPPER_JAR% 153 | ) 154 | ) 155 | @REM End of extension 156 | 157 | @REM Provide a "standardized" way to retrieve the CLI args that will 158 | @REM work with both Windows and non-Windows executions. 159 | set MAVEN_CMD_LINE_ARGS=%* 160 | 161 | %MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* 162 | if ERRORLEVEL 1 goto error 163 | goto end 164 | 165 | :error 166 | set ERROR_CODE=1 167 | 168 | :end 169 | @endlocal & set ERROR_CODE=%ERROR_CODE% 170 | 171 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost 172 | @REM check for post script, once with legacy .bat ending and once with .cmd ending 173 | if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat" 174 | if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd" 175 | :skipRcPost 176 | 177 | @REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' 178 | if "%MAVEN_BATCH_PAUSE%" == "on" pause 179 | 180 | if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE% 181 | 182 | exit /B %ERROR_CODE% 183 | -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/Module3_Tests.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import org.junit.Before; 4 | import org.junit.Test; 5 | import org.junit.runner.RunWith; 6 | import org.springframework.beans.factory.annotation.Autowired; 7 | import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; 8 | import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; 9 | import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties; 10 | import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; 11 | import org.springframework.boot.test.autoconfigure.web.servlet.MockMvcPrint; 12 | import org.springframework.boot.test.context.SpringBootTest; 13 | import org.springframework.boot.test.context.TestConfiguration; 14 | import org.springframework.context.annotation.Bean; 15 | import org.springframework.mock.web.MockHttpServletRequest; 16 | import org.springframework.security.oauth2.jwt.BadJwtException; 17 | import org.springframework.security.oauth2.jwt.Jwt; 18 | import org.springframework.security.oauth2.jwt.JwtDecoder; 19 | import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; 20 | import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector; 21 | import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; 22 | import org.springframework.security.web.FilterChainProxy; 23 | import org.springframework.test.context.junit4.SpringRunner; 24 | import org.springframework.test.web.servlet.MockMvc; 25 | import org.springframework.test.web.servlet.MvcResult; 26 | import org.springframework.web.bind.annotation.CrossOrigin; 27 | import org.springframework.web.cors.CorsConfiguration; 28 | import org.springframework.web.cors.CorsConfigurationSource; 29 | import org.springframework.web.filter.CorsFilter; 30 | 31 | import javax.servlet.Filter; 32 | import java.util.List; 33 | import java.util.UUID; 34 | 35 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.annotation; 36 | import static org.junit.Assert.assertEquals; 37 | import static org.junit.Assert.assertNotEquals; 38 | import static org.junit.Assert.assertNotNull; 39 | import static org.junit.Assert.assertTrue; 40 | import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options; 41 | 42 | @RunWith(SpringRunner.class) 43 | @AutoConfigureMockMvc(print= MockMvcPrint.NONE) 44 | @SpringBootTest 45 | public class Module3_Tests { 46 | @Autowired 47 | MockMvc mvc; 48 | 49 | @Autowired(required = false) 50 | FilterChainProxy springSecurityFilterChain; 51 | 52 | @Autowired(required = false) 53 | CorsConfigurationSource cors; 54 | 55 | @Autowired(required = false) 56 | Jwt jwt; 57 | 58 | @Autowired(required = false) 59 | OpaqueTokenIntrospector introspector; 60 | 61 | @Before 62 | public void setup() { 63 | assertNotNull( 64 | "Module 1: Could not find the Spring Security Filter Chain in the application context;" + 65 | "make sure that you complete the earlier modules before starting this one", 66 | this.springSecurityFilterChain); 67 | } 68 | 69 | @TestConfiguration 70 | static class TestConfig { 71 | 72 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.jwt.issuer-uri") 73 | @Bean 74 | JwtDecoder jwtDecoder() { 75 | return NimbusJwtDecoder 76 | .withJwkSetUri("https://idp.example.org/jwks") 77 | .build(); 78 | } 79 | 80 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.opaquetoken.introspection-uri") 81 | @Bean 82 | JwtDecoder interrim() { 83 | return token -> { 84 | throw new BadJwtException("bad jwt"); 85 | }; 86 | } 87 | 88 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.opaquetoken.introspection-uri") 89 | @ConditionalOnMissingBean 90 | @Bean 91 | OpaqueTokenIntrospector introspector(OAuth2ResourceServerProperties properties) { 92 | return new NimbusOpaqueTokenIntrospector( 93 | properties.getOpaquetoken().getIntrospectionUri(), 94 | properties.getOpaquetoken().getClientId(), 95 | properties.getOpaquetoken().getClientSecret()); 96 | } 97 | 98 | } 99 | 100 | @Test 101 | public void task_1() throws Exception { 102 | // cors() 103 | 104 | CorsFilter filter = getFilter(CorsFilter.class); 105 | assertNotNull( 106 | "Task 2: It doesn't appear that `cors()` is being called on the `HttpSecurity` object. If it is, make " + 107 | "sure that `GoalsApplication` is extending `WebSecurityConfigurerAdapter` and is overriding `configure(HttpSecurity http)`", 108 | filter); 109 | 110 | CorsConfiguration configuration = this.cors.getCorsConfiguration 111 | (new MockHttpServletRequest("GET", "/" + UUID.randomUUID())); 112 | if (this.jwt == null && this.introspector == null) { // Compatibility with Module 6, which shuts this field off 113 | MockHttpServletRequest request = new MockHttpServletRequest("GET", "/goals"); 114 | assertTrue("Task 1: So that HTTP Basic works in the browser for this request, set the `allowCredentials` property to `\"true\"`", 115 | configuration.getAllowCredentials()); 116 | } 117 | 118 | 119 | assertNotNull( 120 | "Task 1: Make sure that you've added a mapping for all endpoints by calling `addMapping(\"/**\")`'", 121 | configuration); 122 | assertEquals( 123 | "Task 1: Make sure that globally you are only allowing the `http://127.0.0.1:8081` origin", 124 | 1, configuration.getAllowedOrigins().size()); 125 | assertEquals( 126 | "Task 1: Make sure that globally you are only allowing the `http://127.0.0.1:8081` origin", 127 | "http://127.0.0.1:8081", configuration.getAllowedOrigins().get(0)); 128 | 129 | MvcResult result = this.mvc.perform(options("/goals") 130 | .header("Access-Control-Request-Method", "GET") 131 | .header("Access-Control-Allow-Credentials", "true") 132 | .header("Origin", "http://127.0.0.1:8081")) 133 | .andReturn(); 134 | 135 | if (this.jwt == null && this.introspector == null) { // Compatibility with Module 6, which shuts this field off 136 | assertEquals( 137 | "Task 1: Tried to do an `OPTIONS` pre-flight request from `http://127.0.0.1:8081` for `GET /goals` failed.", 138 | "true", result.getResponse().getHeader("Access-Control-Allow-Credentials")); 139 | } 140 | } 141 | 142 | @Test 143 | public void task_2() throws Exception { 144 | task_1(); 145 | // csrf 146 | 147 | CorsConfiguration configuration = this.cors.getCorsConfiguration 148 | (new MockHttpServletRequest("GET", "/" + UUID.randomUUID())); 149 | assertTrue( 150 | "Task 2: Make sure that you are both allowing and exposing the X-CSRF-TOKEN header", 151 | configuration.getAllowedHeaders().contains("X-CSRF-TOKEN")); 152 | assertTrue( 153 | "Task 2: Make sure that you are both allowing and exposing the X-CSRF-TOKEN header", 154 | configuration.getExposedHeaders().contains("X-CSRF-TOKEN")); 155 | } 156 | 157 | private T getFilter(Class filterClass) { 158 | List filters = this.springSecurityFilterChain.getFilters("/goals"); 159 | for (Filter filter : filters) { 160 | if (filter.getClass() == filterClass) { 161 | return (T) filter; 162 | } 163 | } 164 | 165 | return null; 166 | } 167 | } 168 | -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/AuthorizationServer.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import com.fasterxml.jackson.databind.ObjectMapper; 4 | import com.nimbusds.jose.JWSAlgorithm; 5 | import com.nimbusds.jose.JWSHeader; 6 | import com.nimbusds.jose.crypto.RSASSASigner; 7 | import com.nimbusds.jose.jwk.JWKSet; 8 | import com.nimbusds.jose.jwk.RSAKey; 9 | import com.nimbusds.jose.jwk.gen.RSAKeyGenerator; 10 | import com.nimbusds.jwt.JWT; 11 | import com.nimbusds.jwt.JWTClaimsSet; 12 | import com.nimbusds.jwt.SignedJWT; 13 | import net.minidev.json.JSONObject; 14 | import okhttp3.mockwebserver.Dispatcher; 15 | import okhttp3.mockwebserver.MockResponse; 16 | import okhttp3.mockwebserver.MockWebServer; 17 | import okhttp3.mockwebserver.RecordedRequest; 18 | import okio.Buffer; 19 | import org.springframework.http.HttpHeaders; 20 | import org.springframework.http.MediaType; 21 | 22 | import java.io.IOException; 23 | import java.util.Base64; 24 | import java.util.Collections; 25 | import java.util.Date; 26 | import java.util.HashMap; 27 | import java.util.LinkedHashMap; 28 | import java.util.Map; 29 | import java.util.Optional; 30 | import java.util.function.Function; 31 | import java.util.stream.Collectors; 32 | import java.util.stream.Stream; 33 | 34 | class AuthorizationServer extends Dispatcher implements AutoCloseable { 35 | private static final String ISSUER_PATH = "/oauth2"; 36 | private static final String CONFIGURATION_PATH = "/.well-known/openid-configuration"; 37 | private static final String JWKS_PATH = "/jwks"; 38 | private static final String INTROSPECTION_PATH = "/introspect"; 39 | 40 | private static final MockResponse NOT_FOUND_RESPONSE = response( 41 | "{ \"message\" : \"This mock authorization server responds only to [" + 42 | ISSUER_PATH + CONFIGURATION_PATH + "," + ISSUER_PATH + JWKS_PATH + "," + ISSUER_PATH + INTROSPECTION_PATH + "]\" }", 43 | 404 44 | ); 45 | 46 | private final RSAKey key; 47 | private Map tokens = new HashMap<>(); 48 | private Map> responses = new HashMap<>(); 49 | private MockWebServer web = new MockWebServer(); 50 | private ObjectMapper mapper = new ObjectMapper(); 51 | 52 | AuthorizationServer() { 53 | try { 54 | this.key = new RSAKeyGenerator(2048).keyID("one").generate(); 55 | } catch (Exception e) { 56 | throw new RuntimeException(e); 57 | } 58 | 59 | String configuration = ISSUER_PATH + CONFIGURATION_PATH; 60 | String jwks = ISSUER_PATH + JWKS_PATH; 61 | String introspection = ISSUER_PATH + INTROSPECTION_PATH; 62 | this.responses.put(configuration, request -> { 63 | String issuer = issuer(); 64 | Map metadata = new LinkedHashMap<>(); 65 | metadata.put("issuer", issuer); 66 | metadata.put("jwks_uri", issuer + JWKS_PATH); 67 | return response(new JSONObject(metadata).toString(), 200); 68 | }); 69 | this.responses.put(jwks, request -> response(new JWKSet(this.key).toString(), 200)); 70 | this.responses.put(introspection, request -> 71 | Optional.ofNullable(request.getHeader(HttpHeaders.AUTHORIZATION)) 72 | .filter(authorization -> isAuthorized(authorization, "app", "bfbd9f62-02ce-4638-a370-80d45514bd0a")) 73 | .map(authorization -> parseBody(request.getBody())) 74 | .map(parameters -> parameters.get("token")) 75 | .map(this.tokens::get) 76 | .filter(this::isActive) 77 | .map(this::withActive) 78 | .map(jsonObject -> response(jsonObject, 200)) 79 | .orElse(response(new JSONObject(Collections.singletonMap("active", false)).toString(), 200)) 80 | ); 81 | } 82 | 83 | public MockResponse dispatch(RecordedRequest recordedRequest) { 84 | String path = recordedRequest.getPath(); 85 | return Optional.ofNullable(this.responses.get(path)) 86 | .map(function -> function.apply(recordedRequest)) 87 | .orElse(NOT_FOUND_RESPONSE); 88 | } 89 | 90 | void start() throws IOException { 91 | this.web.setDispatcher(this); 92 | this.web.start(); 93 | } 94 | 95 | void stop() throws IOException { 96 | this.web.shutdown(); 97 | } 98 | 99 | @Override 100 | public void close() throws Exception { 101 | stop(); 102 | } 103 | 104 | JWT tokenFor(String username) { 105 | try { 106 | for (JWT jwt : this.tokens.values()) { 107 | JWTClaimsSet claims = jwt.getJWTClaimsSet(); 108 | if (username.equals(claims.getSubject())) { 109 | return jwt; 110 | } 111 | } 112 | } catch (Exception e) { 113 | throw new RuntimeException(e); 114 | } 115 | return null; 116 | } 117 | 118 | String token(String username, String... scope) { 119 | JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256) 120 | .keyID("one").build(); 121 | JWTClaimsSet claims = new JWTClaimsSet.Builder() 122 | .subject(username) 123 | .issuer(issuer()) 124 | .claim("scope", Stream.of(scope).collect(Collectors.joining(" "))) 125 | .build(); 126 | SignedJWT jws = new SignedJWT(header, claims); 127 | try { 128 | jws.sign(new RSASSASigner(this.key)); 129 | } catch (Exception e) { 130 | throw new RuntimeException(e); 131 | } 132 | this.tokens.put(jws.serialize(), jws); 133 | return jws.serialize(); 134 | } 135 | 136 | void revoke(String token) { 137 | this.tokens.remove(token); 138 | } 139 | 140 | String issuer() { 141 | return this.web.url(ISSUER_PATH).toString(); 142 | } 143 | 144 | String jwkSetUri() { 145 | return this.web.url(ISSUER_PATH + JWKS_PATH).toString(); 146 | } 147 | 148 | String introspectionUri() { 149 | return this.web.url(ISSUER_PATH + INTROSPECTION_PATH).toString(); 150 | } 151 | 152 | private boolean isAuthorized(String authorization, String username, String password) { 153 | String[] values = new String(Base64.getDecoder().decode(authorization.substring(6))).split(":"); 154 | return username.equals(values[0]) && password.equals(values[1]); 155 | } 156 | 157 | private Map parseBody(Buffer body) { 158 | return Stream.of(body.readUtf8().split("&")) 159 | .map(parameter -> parameter.split("=")) 160 | .collect(Collectors.toMap(parts -> parts[0], parts -> parts[1])); 161 | } 162 | 163 | private boolean isActive(JWT jwt) { 164 | try { 165 | JWTClaimsSet claims = jwt.getJWTClaimsSet(); 166 | Date now = new Date(); 167 | return (claims.getIssueTime() == null || claims.getIssueTime().before(now)) && 168 | (claims.getExpirationTime() == null || claims.getExpirationTime().after(now)) && 169 | (claims.getNotBeforeTime() == null || claims.getNotBeforeTime().before(now)); 170 | } catch (Exception e) { 171 | throw new RuntimeException(e); 172 | } 173 | } 174 | 175 | private String withActive(JWT jwt) { 176 | try { 177 | Map claims = jwt.getJWTClaimsSet().toJSONObject(); 178 | claims.put("active", true); 179 | return this.mapper.writeValueAsString(claims); 180 | } catch (Exception e) { 181 | throw new RuntimeException(e); 182 | } 183 | } 184 | 185 | private static MockResponse response(String body, int status) { 186 | return new MockResponse() 187 | .setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE) 188 | .setResponseCode(status) 189 | .setBody(body); 190 | } 191 | } 192 | -------------------------------------------------------------------------------- /src/main/java/io/jzheaux/springsecurity/authzserver/AuthorizationServerConfig.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.authzserver; 2 | 3 | import java.security.KeyPair; 4 | import java.security.KeyPairGenerator; 5 | import java.security.interfaces.RSAPrivateKey; 6 | import java.security.interfaces.RSAPublicKey; 7 | import java.util.UUID; 8 | 9 | import com.nimbusds.jose.jwk.JWKSet; 10 | import com.nimbusds.jose.jwk.RSAKey; 11 | import com.nimbusds.jose.jwk.source.ImmutableJWKSet; 12 | import com.nimbusds.jose.jwk.source.JWKSource; 13 | import com.nimbusds.jose.proc.SecurityContext; 14 | 15 | import org.springframework.context.annotation.Bean; 16 | import org.springframework.context.annotation.Configuration; 17 | import org.springframework.context.annotation.Role; 18 | import org.springframework.core.Ordered; 19 | import org.springframework.core.annotation.Order; 20 | import org.springframework.jdbc.core.JdbcTemplate; 21 | import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase; 22 | import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder; 23 | import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType; 24 | import org.springframework.security.config.Customizer; 25 | import org.springframework.security.config.annotation.web.builders.HttpSecurity; 26 | 27 | import org.springframework.security.core.userdetails.User; 28 | import org.springframework.security.core.userdetails.UserDetails; 29 | import org.springframework.security.core.userdetails.UserDetailsService; 30 | import org.springframework.security.oauth2.core.AuthorizationGrantType; 31 | import org.springframework.security.oauth2.core.ClientAuthenticationMethod; 32 | import org.springframework.security.oauth2.core.oidc.OidcScopes; 33 | import org.springframework.security.oauth2.jwt.JwtDecoder; 34 | import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; 35 | import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService; 36 | import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService; 37 | import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService; 38 | import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; 39 | import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository; 40 | import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository; 41 | import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; 42 | import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; 43 | import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration; 44 | import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer; 45 | import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; 46 | import org.springframework.security.oauth2.server.authorization.settings.ClientSettings; 47 | import org.springframework.security.provisioning.InMemoryUserDetailsManager; 48 | import org.springframework.security.web.SecurityFilterChain; 49 | import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; 50 | import org.springframework.security.web.authentication.logout.LogoutFilter; 51 | import org.springframework.web.filter.ForwardedHeaderFilter; 52 | import org.springframework.web.servlet.config.annotation.CorsRegistry; 53 | import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; 54 | 55 | import static org.springframework.beans.factory.config.BeanDefinition.ROLE_INFRASTRUCTURE; 56 | 57 | @Configuration 58 | public class AuthorizationServerConfig { 59 | 60 | @Bean 61 | @Order(1) 62 | public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { 63 | OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); 64 | http.getConfigurer(OAuth2AuthorizationServerConfigurer.class) 65 | .oidc(Customizer.withDefaults()); 66 | return http.cors(Customizer.withDefaults()) 67 | .oauth2ResourceServer((oauth2) -> oauth2.jwt()) 68 | .exceptionHandling((exceptions) -> exceptions 69 | .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")) 70 | ) 71 | .build(); 72 | } 73 | 74 | @Bean 75 | @Order(2) 76 | SecurityFilterChain appEndpoints(HttpSecurity http) throws Exception { 77 | // @formatter:off 78 | http 79 | .authorizeHttpRequests((authz) -> authz 80 | .mvcMatchers("/error").permitAll() 81 | .anyRequest().authenticated() 82 | ) 83 | .formLogin(Customizer.withDefaults()); 84 | return http.build(); 85 | // @formatter:on 86 | } 87 | 88 | @Bean 89 | WebMvcConfigurer webMvc() { 90 | return new WebMvcConfigurer() { 91 | @Override 92 | public void addCorsMappings(CorsRegistry registry) { 93 | registry.addMapping("/oauth2/token") 94 | .allowedOrigins("http://127.0.0.1:8081") 95 | .maxAge(0); 96 | } 97 | }; 98 | } 99 | 100 | // @formatter:off 101 | @Bean 102 | public RegisteredClientRepository registeredClientRepository() { 103 | RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString()) 104 | .clientId("goals-client") 105 | .clientSecret("{nooop}secret") 106 | .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) 107 | .clientAuthenticationMethod(ClientAuthenticationMethod.NONE) 108 | .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) 109 | .redirectUri("http://127.0.0.1:8081/bearer.html") 110 | .scope("goal:read") 111 | .scope("goal:write") 112 | .scope("user:read") 113 | .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build()) 114 | .build(); 115 | return new InMemoryRegisteredClientRepository(registeredClient); 116 | } 117 | // @formatter:on 118 | 119 | @Bean 120 | public JWKSource jwkSource(KeyPair keyPair) { 121 | RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); 122 | RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); 123 | // @formatter:off 124 | RSAKey rsaKey = new RSAKey.Builder(publicKey) 125 | .privateKey(privateKey) 126 | .keyID(UUID.randomUUID().toString()) 127 | .build(); 128 | JWKSet jwkSet = new JWKSet(rsaKey); 129 | return new ImmutableJWKSet<>(jwkSet); 130 | } 131 | 132 | @Bean 133 | public JwtDecoder jwtDecoder(KeyPair keyPair) { 134 | return NimbusJwtDecoder.withPublicKey((RSAPublicKey) keyPair.getPublic()).build(); 135 | } 136 | 137 | // @formatter:off 138 | @Bean 139 | public UserDetailsService users() { 140 | UserDetails user = User.withDefaultPasswordEncoder() 141 | .username("user") 142 | .password("password") 143 | .authorities("app") 144 | .build(); 145 | UserDetails hasread = User.withDefaultPasswordEncoder() 146 | .username("hasread") 147 | .password("password") 148 | .authorities("app") 149 | .build(); 150 | UserDetails haswrite = User.withDefaultPasswordEncoder() 151 | .username("haswrite") 152 | .password("password") 153 | .authorities("app") 154 | .build(); 155 | UserDetails admin = User.withDefaultPasswordEncoder() 156 | .username("admin") 157 | .password("password") 158 | .authorities("app") 159 | .build(); 160 | return new InMemoryUserDetailsManager(user, hasread, haswrite, admin); 161 | } 162 | // @formatter:on 163 | 164 | @Bean 165 | public AuthorizationServerSettings authorizationServerSettings() { 166 | return AuthorizationServerSettings.builder().issuer("http://idp:8083").build(); 167 | } 168 | 169 | @Bean 170 | @Role(ROLE_INFRASTRUCTURE) 171 | KeyPair generateRsaKey() { 172 | KeyPair keyPair; 173 | try { 174 | KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); 175 | keyPairGenerator.initialize(2048); 176 | keyPair = keyPairGenerator.generateKeyPair(); 177 | } 178 | catch (Exception ex) { 179 | throw new IllegalStateException(ex); 180 | } 181 | return keyPair; 182 | } 183 | } -------------------------------------------------------------------------------- /etc/docs/images/springsecuritylogo.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 23 | 25 | 26 | 28 | image/svg+xml 29 | 31 | 32 | 33 | 34 | 35 | 37 | 57 | 65 | 67 | 72 | 78 | 79 | 84 | 85 | -------------------------------------------------------------------------------- /mvnw: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # ---------------------------------------------------------------------------- 3 | # Licensed to the Apache Software Foundation (ASF) under one 4 | # or more contributor license agreements. See the NOTICE file 5 | # distributed with this work for additional information 6 | # regarding copyright ownership. The ASF licenses this file 7 | # to you under the Apache License, Version 2.0 (the 8 | # "License"); you may not use this file except in compliance 9 | # with the License. You may obtain a copy of the License at 10 | # 11 | # https://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, 14 | # software distributed under the License is distributed on an 15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 | # KIND, either express or implied. See the License for the 17 | # specific language governing permissions and limitations 18 | # under the License. 19 | # ---------------------------------------------------------------------------- 20 | 21 | # ---------------------------------------------------------------------------- 22 | # Maven2 Start Up Batch script 23 | # 24 | # Required ENV vars: 25 | # ------------------ 26 | # JAVA_HOME - location of a JDK home dir 27 | # 28 | # Optional ENV vars 29 | # ----------------- 30 | # M2_HOME - location of maven2's installed home dir 31 | # MAVEN_OPTS - parameters passed to the Java VM when running Maven 32 | # e.g. to debug Maven itself, use 33 | # set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 34 | # MAVEN_SKIP_RC - flag to disable loading of mavenrc files 35 | # ---------------------------------------------------------------------------- 36 | 37 | if [ -z "$MAVEN_SKIP_RC" ] ; then 38 | 39 | if [ -f /etc/mavenrc ] ; then 40 | . /etc/mavenrc 41 | fi 42 | 43 | if [ -f "$HOME/.mavenrc" ] ; then 44 | . "$HOME/.mavenrc" 45 | fi 46 | 47 | fi 48 | 49 | # OS specific support. $var _must_ be set to either true or false. 50 | cygwin=false; 51 | darwin=false; 52 | mingw=false 53 | case "`uname`" in 54 | CYGWIN*) cygwin=true ;; 55 | MINGW*) mingw=true;; 56 | Darwin*) darwin=true 57 | # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home 58 | # See https://developer.apple.com/library/mac/qa/qa1170/_index.html 59 | if [ -z "$JAVA_HOME" ]; then 60 | if [ -x "/usr/libexec/java_home" ]; then 61 | export JAVA_HOME="`/usr/libexec/java_home`" 62 | else 63 | export JAVA_HOME="/Library/Java/Home" 64 | fi 65 | fi 66 | ;; 67 | esac 68 | 69 | if [ -z "$JAVA_HOME" ] ; then 70 | if [ -r /etc/gentoo-release ] ; then 71 | JAVA_HOME=`java-config --jre-home` 72 | fi 73 | fi 74 | 75 | if [ -z "$M2_HOME" ] ; then 76 | ## resolve links - $0 may be a link to maven's home 77 | PRG="$0" 78 | 79 | # need this for relative symlinks 80 | while [ -h "$PRG" ] ; do 81 | ls=`ls -ld "$PRG"` 82 | link=`expr "$ls" : '.*-> \(.*\)$'` 83 | if expr "$link" : '/.*' > /dev/null; then 84 | PRG="$link" 85 | else 86 | PRG="`dirname "$PRG"`/$link" 87 | fi 88 | done 89 | 90 | saveddir=`pwd` 91 | 92 | M2_HOME=`dirname "$PRG"`/.. 93 | 94 | # make it fully qualified 95 | M2_HOME=`cd "$M2_HOME" && pwd` 96 | 97 | cd "$saveddir" 98 | # echo Using m2 at $M2_HOME 99 | fi 100 | 101 | # For Cygwin, ensure paths are in UNIX format before anything is touched 102 | if $cygwin ; then 103 | [ -n "$M2_HOME" ] && 104 | M2_HOME=`cygpath --unix "$M2_HOME"` 105 | [ -n "$JAVA_HOME" ] && 106 | JAVA_HOME=`cygpath --unix "$JAVA_HOME"` 107 | [ -n "$CLASSPATH" ] && 108 | CLASSPATH=`cygpath --path --unix "$CLASSPATH"` 109 | fi 110 | 111 | # For Mingw, ensure paths are in UNIX format before anything is touched 112 | if $mingw ; then 113 | [ -n "$M2_HOME" ] && 114 | M2_HOME="`(cd "$M2_HOME"; pwd)`" 115 | [ -n "$JAVA_HOME" ] && 116 | JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`" 117 | fi 118 | 119 | if [ -z "$JAVA_HOME" ]; then 120 | javaExecutable="`which javac`" 121 | if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then 122 | # readlink(1) is not available as standard on Solaris 10. 123 | readLink=`which readlink` 124 | if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then 125 | if $darwin ; then 126 | javaHome="`dirname \"$javaExecutable\"`" 127 | javaExecutable="`cd \"$javaHome\" && pwd -P`/javac" 128 | else 129 | javaExecutable="`readlink -f \"$javaExecutable\"`" 130 | fi 131 | javaHome="`dirname \"$javaExecutable\"`" 132 | javaHome=`expr "$javaHome" : '\(.*\)/bin'` 133 | JAVA_HOME="$javaHome" 134 | export JAVA_HOME 135 | fi 136 | fi 137 | fi 138 | 139 | if [ -z "$JAVACMD" ] ; then 140 | if [ -n "$JAVA_HOME" ] ; then 141 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 142 | # IBM's JDK on AIX uses strange locations for the executables 143 | JAVACMD="$JAVA_HOME/jre/sh/java" 144 | else 145 | JAVACMD="$JAVA_HOME/bin/java" 146 | fi 147 | else 148 | JAVACMD="`which java`" 149 | fi 150 | fi 151 | 152 | if [ ! -x "$JAVACMD" ] ; then 153 | echo "Error: JAVA_HOME is not defined correctly." >&2 154 | echo " We cannot execute $JAVACMD" >&2 155 | exit 1 156 | fi 157 | 158 | if [ -z "$JAVA_HOME" ] ; then 159 | echo "Warning: JAVA_HOME environment variable is not set." 160 | fi 161 | 162 | CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher 163 | 164 | # traverses directory structure from process work directory to filesystem root 165 | # first directory with .mvn subdirectory is considered project base directory 166 | find_maven_basedir() { 167 | 168 | if [ -z "$1" ] 169 | then 170 | echo "Path not specified to find_maven_basedir" 171 | return 1 172 | fi 173 | 174 | basedir="$1" 175 | wdir="$1" 176 | while [ "$wdir" != '/' ] ; do 177 | if [ -d "$wdir"/.mvn ] ; then 178 | basedir=$wdir 179 | break 180 | fi 181 | # workaround for JBEAP-8937 (on Solaris 10/Sparc) 182 | if [ -d "${wdir}" ]; then 183 | wdir=`cd "$wdir/.."; pwd` 184 | fi 185 | # end of workaround 186 | done 187 | echo "${basedir}" 188 | } 189 | 190 | # concatenates all lines of a file 191 | concat_lines() { 192 | if [ -f "$1" ]; then 193 | echo "$(tr -s '\n' ' ' < "$1")" 194 | fi 195 | } 196 | 197 | BASE_DIR=`find_maven_basedir "$(pwd)"` 198 | if [ -z "$BASE_DIR" ]; then 199 | exit 1; 200 | fi 201 | 202 | ########################################################################################## 203 | # Extension to allow automatically downloading the maven-wrapper.jar from Maven-central 204 | # This allows using the maven wrapper in projects that prohibit checking in binary data. 205 | ########################################################################################## 206 | if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then 207 | if [ "$MVNW_VERBOSE" = true ]; then 208 | echo "Found .mvn/wrapper/maven-wrapper.jar" 209 | fi 210 | else 211 | if [ "$MVNW_VERBOSE" = true ]; then 212 | echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..." 213 | fi 214 | if [ -n "$MVNW_REPOURL" ]; then 215 | jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar" 216 | else 217 | jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar" 218 | fi 219 | while IFS="=" read key value; do 220 | case "$key" in (wrapperUrl) jarUrl="$value"; break ;; 221 | esac 222 | done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties" 223 | if [ "$MVNW_VERBOSE" = true ]; then 224 | echo "Downloading from: $jarUrl" 225 | fi 226 | wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" 227 | if $cygwin; then 228 | wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"` 229 | fi 230 | 231 | if command -v wget > /dev/null; then 232 | if [ "$MVNW_VERBOSE" = true ]; then 233 | echo "Found wget ... using wget" 234 | fi 235 | if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then 236 | wget "$jarUrl" -O "$wrapperJarPath" 237 | else 238 | wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath" 239 | fi 240 | elif command -v curl > /dev/null; then 241 | if [ "$MVNW_VERBOSE" = true ]; then 242 | echo "Found curl ... using curl" 243 | fi 244 | if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then 245 | curl -o "$wrapperJarPath" "$jarUrl" -f 246 | else 247 | curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f 248 | fi 249 | 250 | else 251 | if [ "$MVNW_VERBOSE" = true ]; then 252 | echo "Falling back to using Java to download" 253 | fi 254 | javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java" 255 | # For Cygwin, switch paths to Windows format before running javac 256 | if $cygwin; then 257 | javaClass=`cygpath --path --windows "$javaClass"` 258 | fi 259 | if [ -e "$javaClass" ]; then 260 | if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then 261 | if [ "$MVNW_VERBOSE" = true ]; then 262 | echo " - Compiling MavenWrapperDownloader.java ..." 263 | fi 264 | # Compiling the Java class 265 | ("$JAVA_HOME/bin/javac" "$javaClass") 266 | fi 267 | if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then 268 | # Running the downloader 269 | if [ "$MVNW_VERBOSE" = true ]; then 270 | echo " - Running MavenWrapperDownloader.java ..." 271 | fi 272 | ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR") 273 | fi 274 | fi 275 | fi 276 | fi 277 | ########################################################################################## 278 | # End of extension 279 | ########################################################################################## 280 | 281 | export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"} 282 | if [ "$MVNW_VERBOSE" = true ]; then 283 | echo $MAVEN_PROJECTBASEDIR 284 | fi 285 | MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS" 286 | 287 | # For Cygwin, switch paths to Windows format before running java 288 | if $cygwin; then 289 | [ -n "$M2_HOME" ] && 290 | M2_HOME=`cygpath --path --windows "$M2_HOME"` 291 | [ -n "$JAVA_HOME" ] && 292 | JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"` 293 | [ -n "$CLASSPATH" ] && 294 | CLASSPATH=`cygpath --path --windows "$CLASSPATH"` 295 | [ -n "$MAVEN_PROJECTBASEDIR" ] && 296 | MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"` 297 | fi 298 | 299 | # Provide a "standardized" way to retrieve the CLI args that will 300 | # work with both Windows and non-Windows executions. 301 | MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@" 302 | export MAVEN_CMD_LINE_ARGS 303 | 304 | WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain 305 | 306 | exec "$JAVACMD" \ 307 | $MAVEN_OPTS \ 308 | -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ 309 | "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ 310 | ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@" 311 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/Module6_Tests.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import okhttp3.mockwebserver.Dispatcher; 4 | import okhttp3.mockwebserver.MockResponse; 5 | import okhttp3.mockwebserver.MockWebServer; 6 | import okhttp3.mockwebserver.RecordedRequest; 7 | import org.junit.Before; 8 | import org.junit.Test; 9 | import org.junit.runner.RunWith; 10 | import org.springframework.beans.factory.DisposableBean; 11 | import org.springframework.beans.factory.InitializingBean; 12 | import org.springframework.beans.factory.annotation.Autowired; 13 | import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; 14 | import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; 15 | import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties; 16 | import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; 17 | import org.springframework.boot.test.autoconfigure.web.servlet.MockMvcPrint; 18 | import org.springframework.boot.test.context.SpringBootTest; 19 | import org.springframework.boot.test.context.TestConfiguration; 20 | import org.springframework.context.annotation.Bean; 21 | import org.springframework.core.convert.converter.Converter; 22 | import org.springframework.http.HttpHeaders; 23 | import org.springframework.http.HttpMethod; 24 | import org.springframework.http.MediaType; 25 | import org.springframework.http.RequestEntity; 26 | import org.springframework.security.core.Authentication; 27 | import org.springframework.security.core.context.SecurityContextHolder; 28 | import org.springframework.security.core.userdetails.UserDetailsService; 29 | import org.springframework.security.oauth2.core.OAuth2AccessToken; 30 | import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; 31 | import org.springframework.security.oauth2.jwt.BadJwtException; 32 | import org.springframework.security.oauth2.jwt.JwtDecoder; 33 | import org.springframework.security.oauth2.jwt.JwtDecoders; 34 | import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication; 35 | import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector; 36 | import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; 37 | import org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServletBearerExchangeFilterFunction; 38 | import org.springframework.test.context.junit4.SpringRunner; 39 | import org.springframework.test.web.servlet.MockMvc; 40 | import org.springframework.test.web.servlet.MvcResult; 41 | import org.springframework.util.LinkedMultiValueMap; 42 | import org.springframework.util.MultiValueMap; 43 | import org.springframework.web.bind.annotation.CrossOrigin; 44 | import org.springframework.web.reactive.function.client.ExchangeFilterFunction; 45 | import org.springframework.web.reactive.function.client.WebClient; 46 | 47 | import java.lang.reflect.Field; 48 | import java.net.URI; 49 | import java.util.Collections; 50 | import java.util.List; 51 | import java.util.UUID; 52 | 53 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.annotation; 54 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByType; 55 | import static org.junit.Assert.assertEquals; 56 | import static org.junit.Assert.assertFalse; 57 | import static org.junit.Assert.assertNotEquals; 58 | import static org.junit.Assert.assertNotNull; 59 | import static org.junit.Assert.assertNull; 60 | import static org.junit.Assert.assertTrue; 61 | import static org.junit.jupiter.api.Assertions.fail; 62 | import static org.springframework.security.oauth2.core.OAuth2AccessToken.TokenType.BEARER; 63 | import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options; 64 | 65 | @RunWith(SpringRunner.class) 66 | @AutoConfigureMockMvc(print= MockMvcPrint.NONE) 67 | @SpringBootTest 68 | public class Module6_Tests { 69 | @Autowired 70 | MockMvc mvc; 71 | 72 | @Autowired(required = false) 73 | WebClient.Builder web; 74 | 75 | @Autowired(required = false) 76 | UserDetailsService userDetailsService; 77 | 78 | @Autowired(required = false) 79 | UserService userService; 80 | 81 | @Autowired(required = false) 82 | OpaqueTokenIntrospector introspector; 83 | 84 | @Autowired 85 | GoalController goalController; 86 | 87 | @Autowired 88 | GoalRepository goals; 89 | 90 | @Autowired 91 | MockWebServer userEndpoint; 92 | 93 | @Autowired 94 | AuthorizationServer authz; 95 | 96 | @TestConfiguration 97 | static class TestConfig implements DisposableBean, InitializingBean { 98 | AuthorizationServer server = new AuthorizationServer(); 99 | 100 | @Override 101 | public void afterPropertiesSet() throws Exception { 102 | this.server.start(); 103 | } 104 | 105 | @Override 106 | public void destroy() throws Exception { 107 | this.server.stop(); 108 | } 109 | 110 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.jwt.issuer-uri") 111 | @Bean 112 | JwtDecoder jwtDecoder(OAuth2ResourceServerProperties properties) { 113 | return JwtDecoders.fromOidcIssuerLocation(this.server.issuer()); 114 | } 115 | 116 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.opaquetoken.introspection-uri") 117 | @Bean 118 | JwtDecoder interrim() { 119 | return token -> { 120 | throw new BadJwtException("bad jwt"); 121 | }; 122 | } 123 | 124 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.opaquetoken.introspection-uri") 125 | @ConditionalOnMissingBean 126 | @Bean 127 | OpaqueTokenIntrospector introspector(OAuth2ResourceServerProperties properties) { 128 | return new NimbusOpaqueTokenIntrospector( 129 | this.server.introspectionUri(), 130 | properties.getOpaquetoken().getClientId(), 131 | properties.getOpaquetoken().getClientSecret()); 132 | } 133 | 134 | @Bean 135 | AuthorizationServer authz() { 136 | return this.server; 137 | } 138 | } 139 | 140 | @TestConfiguration 141 | static class OpaqueTokenPostProcessor { 142 | @Autowired 143 | AuthorizationServer authz; 144 | 145 | @Autowired(required=false) 146 | void introspector(OpaqueTokenIntrospector introspector) throws Exception { 147 | NimbusOpaqueTokenIntrospector nimbus = null; 148 | if (introspector instanceof NimbusOpaqueTokenIntrospector) { 149 | nimbus = (NimbusOpaqueTokenIntrospector) introspector; 150 | } else if (introspector instanceof UserRepositoryOpaqueTokenIntrospector) { 151 | Field delegate = 152 | getDeclaredFieldByType(UserRepositoryOpaqueTokenIntrospector.class, OpaqueTokenIntrospector.class); 153 | if (delegate == null) { 154 | delegate = getDeclaredFieldByType(UserRepositoryOpaqueTokenIntrospector.class, NimbusOpaqueTokenIntrospector.class); 155 | } 156 | if (delegate != null) { 157 | delegate.setAccessible(true); 158 | nimbus = (NimbusOpaqueTokenIntrospector) delegate.get(introspector); 159 | } 160 | } 161 | 162 | if (nimbus != null) { 163 | nimbus.setRequestEntityConverter( 164 | defaultRequestEntityConverter(URI.create(this.authz.introspectionUri()))); 165 | } 166 | } 167 | 168 | private Converter> defaultRequestEntityConverter(URI introspectionUri) { 169 | return token -> { 170 | HttpHeaders headers = requestHeaders(); 171 | MultiValueMap body = requestBody(token); 172 | return new RequestEntity<>(body, headers, HttpMethod.POST, introspectionUri); 173 | }; 174 | } 175 | 176 | private HttpHeaders requestHeaders() { 177 | HttpHeaders headers = new HttpHeaders(); 178 | headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON)); 179 | return headers; 180 | } 181 | 182 | private MultiValueMap requestBody(String token) { 183 | MultiValueMap body = new LinkedMultiValueMap<>(); 184 | body.add("token", token); 185 | return body; 186 | } 187 | } 188 | 189 | @TestConfiguration 190 | static class WebClientPostProcessor implements DisposableBean { 191 | static String userBaseUrl; 192 | 193 | MockWebServer userEndpoint = new MockWebServer(); 194 | 195 | @Override 196 | public void destroy() throws Exception { 197 | this.userEndpoint.shutdown(); 198 | } 199 | 200 | @Autowired(required = false) 201 | void postProcess(WebClient.Builder web) throws Exception { 202 | Field field = web.getClass().getDeclaredField("baseUrl"); 203 | field.setAccessible(true); 204 | userBaseUrl = (String) field.get(web); 205 | web.baseUrl(this.userEndpoint.url("").toString()); 206 | } 207 | 208 | @Bean 209 | MockWebServer userEndpoint() { 210 | this.userEndpoint.setDispatcher(new Dispatcher() { 211 | @Override 212 | public MockResponse dispatch(RecordedRequest recordedRequest) { 213 | MockResponse response = new MockResponse().setResponseCode(200); 214 | String path = recordedRequest.getPath(); 215 | switch(path) { 216 | case "/user/user/fullName": 217 | return response.setBody("User Userson"); 218 | case "/user/hasread/fullName": 219 | return response.setBody("Has Read"); 220 | case "/user/haswrite/fullName": 221 | return response.setBody("Has Write"); 222 | case "/user/admin/fullName": 223 | return response.setBody("Admin Adminson"); 224 | default: 225 | return response.setResponseCode(404); 226 | } 227 | } 228 | }); 229 | return this.userEndpoint; 230 | } 231 | } 232 | 233 | @Before 234 | public void setup() throws Exception { 235 | assertNotNull( 236 | "Module 1: Could not find an instance of `UserDetailsService` in the application " + 237 | "context. Make sure that you've already completed earlier modules before starting " + 238 | "this one.", 239 | this.userDetailsService); 240 | } 241 | 242 | @Test 243 | public void task_1() throws Exception { 244 | // @Cross Origin without credentials 245 | CrossOrigin crossOrigin = annotation(CrossOrigin.class, "read"); 246 | assertNotNull( 247 | "Task 1: Make sure that there is a `@CrossOrigin` annotation on `GoalController#read`", 248 | crossOrigin); 249 | assertNotEquals( 250 | "Task 1: Since you are using Bearer Token authentication now, `allowCredentials` should be removed", 251 | "true", crossOrigin.allowCredentials()); 252 | 253 | MvcResult result = this.mvc.perform(options("/goals") 254 | .header("Access-Control-Request-Method", "GET") 255 | .header("Access-Control-Allow-Credentials", "true") 256 | .header("Origin", "http://127.0.0.1:8081")) 257 | .andReturn(); 258 | 259 | assertNull( 260 | "Task 1: Did an `OPTIONS` pre-flight request from `http://127.0.0.1:8081` for `GET /goals`, and it is allowing credentials;" + 261 | "this should be shut off now that you are using Bearer Token authentication", 262 | result.getResponse().getHeader("Access-Control-Allow-Credentials")); 263 | /* 264 | result = this.mvc.perform(options("/" + UUID.randomUUID()) 265 | .header("Access-Control-Request-Method", "HEAD") 266 | .header("Access-Control-Allow-Credentials", "true") 267 | .header("Origin", "http://127.0.0.1:8081")) 268 | .andReturn(); 269 | 270 | assertNull( 271 | "Task 1: Did an `OPTIONS` pre-flight request from `http://127.0.0.1:8081` for a random endpoint, and it is allowing credentials;" + 272 | "this should be shut off now that you are using Bearer Token authentication", 273 | result.getResponse().getHeader("Access-Control-Allow-Credentials"));*/ 274 | } 275 | 276 | @Test 277 | public void task_2() throws Exception { 278 | _task_2(); 279 | 280 | // publish web client 281 | assertNotNull( 282 | "Task 3: Make sure you are adding an instance of `ServletBearerExchangeFilterFunction` to your " + 283 | "`WebClient.Builder` definition", 284 | getFilter(ServletBearerExchangeFilterFunction.class)); 285 | } 286 | 287 | private void _task_2() throws Exception { 288 | _task_4(); 289 | // add UserService 290 | 291 | assertNotNull( 292 | "Task 2: Make sure to publish a `@Bean` of type `WebClient.Builder`", 293 | this.web); 294 | 295 | assertNotNull( 296 | "Task 2: Make sure to publish your `UserService`", 297 | this.userService); 298 | 299 | assertEquals( 300 | "Task 2: The `WebClient` should be set to have a `baseUrl` of `http://127.0.0.1:8080`", 301 | "http://127.0.0.1:8080", WebClientPostProcessor.userBaseUrl); 302 | 303 | String name = this.userService.getFullName("user") 304 | .orElseGet(() -> fail("Task 2: `UserService#getFullName` returned no results for username `user`. " + 305 | "Make sure that you are calling the `/user/{username}/fullName` endpoint in the implementation")); 306 | assertEquals( 307 | "Task 2: `UserService#getFullName` returned an unexpected result for username `user`. " + 308 | "Make sure that you are calling the `/user/{username}/fullName` endpoint in the implementation", 309 | "User Userson", name); 310 | 311 | assertTrue( 312 | "Task 2: It doesn't appear that the `WebClient` is getting called. Make sure that you are " + 313 | "invoking the `WebClient` to address the `/user/{username}/fullName` endpoint.", 314 | this.userEndpoint.getRequestCount() > 0); 315 | } 316 | 317 | private void _task_4() throws Exception { 318 | task_1(); 319 | // update goal controller 320 | 321 | int count = this.userEndpoint.getRequestCount(); 322 | this.goals.save(new Goal("my last goal", "user")); 323 | String token = this.authz.token("user", "goal:read user:read"); 324 | Authentication authentication = getAuthentication(token); 325 | SecurityContextHolder.getContext().setAuthentication(authentication); 326 | try { 327 | Iterable goals = this.goalController.read(); 328 | assertTrue( 329 | "Task 4: It appears that `GoalController` is not calling `UserService`. " + 330 | "Make sure to switch `UserRepository` with `UserService`", 331 | this.userEndpoint.getRequestCount() > count); 332 | for (Goal goal : goals) { 333 | assertTrue( 334 | "Task 4: The `/goals` endpoint didn't append the user's personal name in the resolution text.", 335 | goal.getText().endsWith("User Userson")); 336 | } 337 | } finally { 338 | SecurityContextHolder.clearContext(); 339 | this.authz.revoke(token); 340 | } 341 | } 342 | 343 | private T getFilter(Class clazz) throws Exception { 344 | Field filtersField = this.web.getClass().getDeclaredField("filters"); 345 | filtersField.setAccessible(true); 346 | List filters = (List) 347 | filtersField.get(this.web); 348 | if (filters == null) { 349 | return null; 350 | } 351 | for (ExchangeFilterFunction filter : filters) { 352 | if (filter instanceof ServletBearerExchangeFilterFunction) { 353 | return (T) filter; 354 | } 355 | } 356 | return null; 357 | } 358 | 359 | private Authentication getAuthentication(String token) { 360 | OAuth2AuthenticatedPrincipal principal = this.introspector.introspect(token); 361 | OAuth2AccessToken credentials = new OAuth2AccessToken(BEARER, token, null, null); 362 | return new BearerTokenAuthentication(principal, credentials, principal.getAuthorities()); 363 | } 364 | } 365 | -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/Module4_Tests.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import okhttp3.mockwebserver.Dispatcher; 4 | import okhttp3.mockwebserver.MockResponse; 5 | import okhttp3.mockwebserver.MockWebServer; 6 | import okhttp3.mockwebserver.RecordedRequest; 7 | import org.junit.Before; 8 | import org.junit.Test; 9 | import org.junit.runner.RunWith; 10 | import org.springframework.beans.factory.DisposableBean; 11 | import org.springframework.beans.factory.InitializingBean; 12 | import org.springframework.beans.factory.annotation.Autowired; 13 | import org.springframework.beans.factory.annotation.Value; 14 | import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; 15 | import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; 16 | import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties; 17 | import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; 18 | import org.springframework.boot.test.autoconfigure.web.servlet.MockMvcPrint; 19 | import org.springframework.boot.test.context.SpringBootTest; 20 | import org.springframework.boot.test.context.TestConfiguration; 21 | import org.springframework.context.annotation.Bean; 22 | import org.springframework.core.convert.converter.Converter; 23 | import org.springframework.data.repository.CrudRepository; 24 | import org.springframework.http.HttpHeaders; 25 | import org.springframework.http.HttpMethod; 26 | import org.springframework.http.MediaType; 27 | import org.springframework.http.RequestEntity; 28 | import org.springframework.security.authentication.AbstractAuthenticationToken; 29 | import org.springframework.security.core.Authentication; 30 | import org.springframework.security.core.context.SecurityContextHolder; 31 | import org.springframework.security.core.userdetails.UserDetailsService; 32 | import org.springframework.security.core.userdetails.UsernameNotFoundException; 33 | import org.springframework.security.oauth2.core.OAuth2AccessToken; 34 | import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; 35 | import org.springframework.security.oauth2.jwt.Jwt; 36 | import org.springframework.security.oauth2.jwt.JwtDecoder; 37 | import org.springframework.security.oauth2.jwt.JwtDecoders; 38 | import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; 39 | import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication; 40 | import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider; 41 | import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector; 42 | import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; 43 | import org.springframework.test.context.junit4.SpringRunner; 44 | import org.springframework.test.web.servlet.MockMvc; 45 | import org.springframework.test.web.servlet.MvcResult; 46 | import org.springframework.util.LinkedMultiValueMap; 47 | import org.springframework.util.MultiValueMap; 48 | import org.springframework.util.StringUtils; 49 | import org.springframework.web.reactive.function.client.WebClient; 50 | 51 | import java.lang.reflect.Field; 52 | import java.net.URI; 53 | import java.util.Collections; 54 | import java.util.UUID; 55 | 56 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByColumnName; 57 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByType; 58 | import static org.junit.Assert.assertEquals; 59 | import static org.junit.Assert.assertFalse; 60 | import static org.junit.Assert.assertNotEquals; 61 | import static org.junit.Assert.assertNotNull; 62 | import static org.junit.Assert.assertTrue; 63 | import static org.junit.Assert.fail; 64 | import static org.springframework.security.oauth2.core.OAuth2AccessToken.TokenType.BEARER; 65 | import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; 66 | import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; 67 | 68 | @RunWith(SpringRunner.class) 69 | @AutoConfigureMockMvc(print=MockMvcPrint.NONE) 70 | @SpringBootTest 71 | public class Module4_Tests { 72 | @Autowired 73 | MockMvc mvc; 74 | 75 | @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri:#{null}}") 76 | String jwkSetUri; 77 | 78 | @Value("${spring.security.oauth2.resourceserver.opaquetoken.introspection-uri:#{null}}") 79 | String introspectionUrl; 80 | 81 | @Autowired(required = false) 82 | JwtDecoder jwt; 83 | 84 | @Autowired(required = false) 85 | JwtAuthenticationProvider jwtAuthenticationProvider; 86 | 87 | @Autowired(required = false) 88 | OpaqueTokenIntrospector introspector; 89 | 90 | @Autowired(required = false) 91 | UserDetailsService userDetailsService; 92 | 93 | @Autowired(required = false) 94 | Converter jwtAuthenticationConverter; 95 | 96 | @Autowired 97 | AuthorizationServer authz; 98 | 99 | @Autowired 100 | GoalController goalController; 101 | 102 | @Autowired 103 | GoalRepository goalRepository; 104 | 105 | @Autowired(required = false) 106 | CrudRepository users; 107 | 108 | @Before 109 | public void setup() { 110 | assertNotNull( 111 | "Module 1: Could not find `UserDetailsService` in the application context; make sure to complete the earlier modules " + 112 | "before starting this one", this.userDetailsService); 113 | assertNotNull( 114 | "Module 1: Could not find `UserRepository` in the application context; make sure to complete the earlier modules " + 115 | "before starting this one", this.users); 116 | } 117 | 118 | @TestConfiguration 119 | static class WebClientPostProcessor implements DisposableBean { 120 | MockWebServer userEndpoint = new MockWebServer(); 121 | 122 | @Override 123 | public void destroy() throws Exception { 124 | this.userEndpoint.shutdown(); 125 | } 126 | 127 | @Autowired(required = false) 128 | void postProcess(WebClient.Builder web) throws Exception { 129 | web.baseUrl(this.userEndpoint.url("").toString()); 130 | } 131 | 132 | @Bean 133 | MockWebServer userEndpoint() { 134 | this.userEndpoint.setDispatcher(new Dispatcher() { 135 | @Override 136 | public MockResponse dispatch(RecordedRequest recordedRequest) { 137 | MockResponse response = new MockResponse().setResponseCode(200); 138 | String path = recordedRequest.getPath(); 139 | switch(path) { 140 | case "/user/user/fullName": 141 | return response.setBody("User Userson"); 142 | case "/user/hasread/fullName": 143 | return response.setBody("Has Read"); 144 | case "/user/haswrite/fullName": 145 | return response.setBody("Has Write"); 146 | case "/user/admin/fullName": 147 | return response.setBody("Admin Adminson"); 148 | default: 149 | return response.setResponseCode(404); 150 | } 151 | } 152 | }); 153 | return this.userEndpoint; 154 | } 155 | } 156 | 157 | @TestConfiguration 158 | static class TestConfig implements DisposableBean, InitializingBean { 159 | AuthorizationServer server = new AuthorizationServer(); 160 | 161 | @Override 162 | public void afterPropertiesSet() throws Exception { 163 | this.server.start(); 164 | } 165 | 166 | @Override 167 | public void destroy() throws Exception { 168 | this.server.stop(); 169 | } 170 | 171 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.jwt.jwk-set-uri") 172 | @Bean 173 | JwtDecoder jwtDecoder(OAuth2ResourceServerProperties properties) { 174 | return NimbusJwtDecoder.withJwkSetUri(this.server.jwkSetUri()).build(); 175 | } 176 | 177 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.opaquetoken.introspection-uri") 178 | @Bean 179 | JwtDecoder interrim() { 180 | return NimbusJwtDecoder.withJwkSetUri(this.server.jwkSetUri()).build(); 181 | } 182 | 183 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.opaquetoken.introspection-uri") 184 | @ConditionalOnMissingBean 185 | @Bean 186 | OpaqueTokenIntrospector introspector(OAuth2ResourceServerProperties properties) { 187 | return new NimbusOpaqueTokenIntrospector( 188 | this.server.introspectionUri(), 189 | properties.getOpaquetoken().getClientId(), 190 | properties.getOpaquetoken().getClientSecret()); 191 | } 192 | 193 | @Bean 194 | AuthorizationServer authz() { 195 | return this.server; 196 | } 197 | } 198 | 199 | 200 | @TestConfiguration 201 | static class OpaqueTokenPostProcessor { 202 | @Autowired 203 | AuthorizationServer authz; 204 | 205 | @Autowired(required=false) 206 | void introspector(OpaqueTokenIntrospector introspector) throws Exception { 207 | NimbusOpaqueTokenIntrospector nimbus = null; 208 | if (introspector instanceof NimbusOpaqueTokenIntrospector) { 209 | nimbus = (NimbusOpaqueTokenIntrospector) introspector; 210 | } else if (introspector instanceof UserRepositoryOpaqueTokenIntrospector) { 211 | Field delegate = 212 | getDeclaredFieldByType(UserRepositoryOpaqueTokenIntrospector.class, OpaqueTokenIntrospector.class); 213 | if (delegate == null) { 214 | delegate = getDeclaredFieldByType(UserRepositoryOpaqueTokenIntrospector.class, NimbusOpaqueTokenIntrospector.class); 215 | } 216 | if (delegate != null) { 217 | delegate.setAccessible(true); 218 | nimbus = (NimbusOpaqueTokenIntrospector) delegate.get(introspector); 219 | } 220 | } 221 | 222 | if (nimbus != null) { 223 | nimbus.setRequestEntityConverter( 224 | defaultRequestEntityConverter(URI.create(this.authz.introspectionUri()))); 225 | } 226 | } 227 | 228 | private Converter> defaultRequestEntityConverter(URI introspectionUri) { 229 | return token -> { 230 | HttpHeaders headers = requestHeaders(); 231 | MultiValueMap body = requestBody(token); 232 | return new RequestEntity<>(body, headers, HttpMethod.POST, introspectionUri); 233 | }; 234 | } 235 | 236 | private HttpHeaders requestHeaders() { 237 | HttpHeaders headers = new HttpHeaders(); 238 | headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8)); 239 | return headers; 240 | } 241 | 242 | private MultiValueMap requestBody(String token) { 243 | MultiValueMap body = new LinkedMultiValueMap<>(); 244 | body.add("token", token); 245 | return body; 246 | } 247 | } 248 | 249 | @Test 250 | public void task_1() throws Exception { 251 | _task_1(); 252 | // add oauth2ResourceServer DSL call 253 | 254 | String token = this.authz.token("user", "goal:read"); 255 | MvcResult result = this.mvc.perform(get("/goals") 256 | .header("Authorization", "Bearer " + token)) 257 | .andReturn(); 258 | assertNotEquals( 259 | "Task 1: Make sure that you've configured the application to use Bearer token authentication by adding the appropriate " + 260 | "oauth2ResourceServer call to the Spring Security DSL in `GoalsApplication`", 261 | 401, result.getResponse().getStatus()); 262 | // until we add scopes, this will be a 403; after we add scopes, it'll be a 200. But it will never been a 401. 263 | 264 | this.authz.revoke(token); 265 | } 266 | 267 | @Test 268 | public void task_2() throws Exception { 269 | task_1(); 270 | // Add JwtAuthenticationConverter 271 | 272 | assertNotNull( 273 | "Task 2: Make sure to publish an instance of `Converter` into the application context", 274 | this.jwtAuthenticationConverter); 275 | 276 | String token = this.authz.token("user", "goal:read"); 277 | Authentication authentication = getAuthentication(token); 278 | assertFalse( 279 | "Task 2: For a token with a scope of `goal:read`, `JwtAuthenticationConverter` returned no scopes back", 280 | authentication.getAuthorities().isEmpty()); 281 | assertEquals( 282 | "Task 2: For a token with a scope of `goal:read`, a `GrantedAuthority` of `goal:read` was not returned. " + 283 | "Make sure that you are setting the authority prefix in `JwtGrantedAuthoritiesConverter`", 284 | "goal:read", authentication.getAuthorities().iterator().next().getAuthority()); 285 | } 286 | 287 | @Test 288 | public void task_3() throws Exception { 289 | _task_3(); 290 | 291 | // reconcile with UserRepository using JwtAuthenticationConverter 292 | 293 | assertNotNull( 294 | "Task 3: Please make sure that you've supplied an instance of `UserRepositoryJwtAuthenticationConverter` to the Spring Security DSL", 295 | this.jwtAuthenticationConverter instanceof UserRepositoryJwtAuthenticationConverter); 296 | 297 | String token = this.authz.token(UUID.randomUUID().toString(), "goal:write"); 298 | try { 299 | getAuthentication(token); 300 | fail( 301 | "Task 3: Create a custom `Converter` that reconciles the `sub` field in the `Jwt` " + 302 | "with what's in the `UserRepository`. If the user isn't there, throw a `UsernameNotFoundException`. " + 303 | "Also, make sure that you've removed the `JwtAuthenticationConverter` `@Bean` definition since this custom one you are writing replaces that."); 304 | } catch (UsernameNotFoundException expected) { 305 | // ignore 306 | } 307 | } 308 | 309 | @Test 310 | public void task_4() throws Exception { 311 | _task_4(); 312 | // conditionally send user's name in result, based on permission 313 | 314 | ReflectedUser user = new ReflectedUser((User) this.userDetailsService.loadUserByUsername("hasread")); 315 | String token = this.authz.token("hasread", "goal:read"); 316 | Authentication authentication = getAuthentication(token); 317 | SecurityContextHolder.getContext().setAuthentication(authentication); 318 | try { 319 | Iterable goals = this.goalController.read(); 320 | for (Goal goal : goals) { 321 | assertFalse( 322 | "Task 4: The `/goal` endpoint appended the user's personal name, even though that permission " + 323 | "was not granted to the client.", 324 | goal.getText().endsWith(user.getFullName())); 325 | } 326 | } finally { 327 | SecurityContextHolder.clearContext(); 328 | this.authz.revoke(token); 329 | } 330 | } 331 | 332 | private void _task_1() { 333 | // add application.yml configuration 334 | assertTrue("Task 1: Could not find a bean in the application context that will verify the bearer token. " + 335 | "Make sure that you are specifying the correct property in `application.yml`", this.jwt != null || this.introspector != null); 336 | 337 | if (this.introspector != null) { 338 | String introspectionUrl = "http://idp:8083/oauth2/introspect"; 339 | assertEquals( 340 | "Task 1: Make sure that the `introspection-uri` property is set to `" + introspectionUrl + "`", 341 | introspectionUrl, this.introspectionUrl); 342 | } else { 343 | String jwkSetUri = "http://idp:8083/oauth2/jwks"; 344 | assertEquals( 345 | "Task 1: Make sure that the `jwk-set-uri` property is set to `" + jwkSetUri + "`", 346 | jwkSetUri, this.jwkSetUri); 347 | } 348 | } 349 | 350 | private void _task_3() throws Exception { 351 | task_2(); 352 | // custom authentication token 353 | 354 | String token = this.authz.token("hasread", "goal:read"); 355 | Authentication authentication = getAuthentication(token); 356 | assertTrue( 357 | "Task 3: Make sure that you've correctly mapped a `User` to an `OAuth2AuthenticatedPrincipal`.", 358 | authentication instanceof BearerTokenAuthentication); 359 | this.authz.revoke(token); 360 | 361 | // merge scopes and roles 362 | 363 | String mismatch = this.authz.token("hasread", "goal:write"); // client grants, but user doesn't have 364 | MvcResult result = this.mvc.perform(post("/goal") 365 | .content("my goal") 366 | .header("Authorization", "Bearer " + mismatch)) 367 | .andReturn(); 368 | assertEquals( 369 | "Task 3: Client successfully wrote a goal for `hasread`, even though `hasread` doesn't have that authority. " + 370 | "Make sure that the scopes in the `Jwt` are only granted if the user actually has that authority", 371 | 403, result.getResponse().getStatus()); 372 | this.authz.revoke(mismatch); 373 | String missing = this.authz.token("hasread"); // client doesn't grant 374 | result = this.mvc.perform(get("/goals") 375 | .header("Authorization", "Bearer " + missing)) 376 | .andReturn(); 377 | assertEquals( 378 | "Task 3: Client successfully read a goal for `hasread`, even though `hasread` didn't grant it that permission. " + 379 | "Make sure that the scopes in the `Jwt` are only granted if the user grants that authority to the client.", 380 | 403, result.getResponse().getStatus()); 381 | this.authz.revoke(missing); 382 | } 383 | 384 | private void _task_4() throws Exception { 385 | task_3(); 386 | 387 | Field nameField = getDeclaredFieldByColumnName(User.class, "full_name"); 388 | assertNotNull( 389 | "Please add a full name property to the `User` class with a column called `full_name`", 390 | nameField); 391 | 392 | ReflectedUser user = new ReflectedUser((User) this.userDetailsService.loadUserByUsername("hasread")); 393 | ReflectedUser copy = ReflectedUser.copiedInstance(user); 394 | assertEquals( 395 | "Task 4: Update your copy constructor so that the full name is also copied", 396 | user.getFullName(), copy.getFullName()); 397 | 398 | assertTrue( 399 | "Task 4: Please give each user a name by calling `setFullName` in `GoalInitializer`.", 400 | StringUtils.hasText(user.getFullName())); 401 | 402 | this.goalRepository.save(new Goal("new read goal", "hasread")); 403 | 404 | String token = this.authz.token("hasread", "goal:read", "user:read"); 405 | Authentication authentication = getAuthentication(token); 406 | SecurityContextHolder.getContext().setAuthentication(authentication); 407 | try { 408 | Iterable goals = this.goalController.read(); 409 | for (Goal goal : goals) { 410 | assertTrue( 411 | "Task 4: Please update the `/goals` endpoint to query the `UserRepository` for the user's personal name. " + 412 | "Then, append that to the end of the `text` value in each `Goal` returned", 413 | goal.getText().endsWith(user.getFullName())); 414 | } 415 | } finally { 416 | SecurityContextHolder.clearContext(); 417 | this.authz.revoke(token); 418 | } 419 | } 420 | 421 | private Authentication getAuthentication(String token) { 422 | if (this.jwt != null) { 423 | Jwt jwt = this.jwt.decode(token); 424 | return this.jwtAuthenticationConverter.convert(jwt); 425 | } 426 | 427 | OAuth2AuthenticatedPrincipal principal = this.introspector.introspect(token); 428 | OAuth2AccessToken credentials = new OAuth2AccessToken(BEARER, token, null, null); 429 | return new BearerTokenAuthentication(principal, credentials, principal.getAuthorities()); 430 | } 431 | } 432 | -------------------------------------------------------------------------------- /src/test/java/io/jzheaux/springsecurity/goals/Module5_Tests.java: -------------------------------------------------------------------------------- 1 | package io.jzheaux.springsecurity.goals; 2 | 3 | import okhttp3.mockwebserver.Dispatcher; 4 | import okhttp3.mockwebserver.MockResponse; 5 | import okhttp3.mockwebserver.MockWebServer; 6 | import okhttp3.mockwebserver.RecordedRequest; 7 | import org.junit.Before; 8 | import org.junit.Test; 9 | import org.junit.runner.RunWith; 10 | import org.springframework.beans.factory.DisposableBean; 11 | import org.springframework.beans.factory.InitializingBean; 12 | import org.springframework.beans.factory.annotation.Autowired; 13 | import org.springframework.beans.factory.annotation.Value; 14 | import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; 15 | import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; 16 | import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties; 17 | import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; 18 | import org.springframework.boot.test.autoconfigure.web.servlet.MockMvcPrint; 19 | import org.springframework.boot.test.context.SpringBootTest; 20 | import org.springframework.boot.test.context.TestConfiguration; 21 | import org.springframework.context.annotation.Bean; 22 | import org.springframework.core.convert.converter.Converter; 23 | import org.springframework.http.HttpHeaders; 24 | import org.springframework.http.HttpMethod; 25 | import org.springframework.http.MediaType; 26 | import org.springframework.http.RequestEntity; 27 | import org.springframework.security.authentication.TestingAuthenticationToken; 28 | import org.springframework.security.core.authority.AuthorityUtils; 29 | import org.springframework.security.core.authority.SimpleGrantedAuthority; 30 | import org.springframework.security.core.context.SecurityContextHolder; 31 | import org.springframework.security.core.userdetails.UserDetailsService; 32 | import org.springframework.security.core.userdetails.UsernameNotFoundException; 33 | import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; 34 | import org.springframework.security.oauth2.jwt.BadJwtException; 35 | import org.springframework.security.oauth2.jwt.JwtDecoder; 36 | import org.springframework.security.oauth2.jwt.JwtDecoders; 37 | import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector; 38 | import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; 39 | import org.springframework.test.context.junit4.SpringRunner; 40 | import org.springframework.test.web.servlet.MockMvc; 41 | import org.springframework.test.web.servlet.MvcResult; 42 | import org.springframework.util.LinkedMultiValueMap; 43 | import org.springframework.util.MultiValueMap; 44 | import org.springframework.web.reactive.function.client.WebClient; 45 | 46 | import java.lang.reflect.Field; 47 | import java.net.URI; 48 | import java.util.Collection; 49 | import java.util.Collections; 50 | import java.util.UUID; 51 | import java.util.stream.Collectors; 52 | import java.util.stream.StreamSupport; 53 | 54 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByColumnName; 55 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByName; 56 | import static io.jzheaux.springsecurity.goals.ReflectionSupport.getDeclaredFieldByType; 57 | import static org.junit.Assert.assertEquals; 58 | import static org.junit.Assert.assertFalse; 59 | import static org.junit.Assert.assertNotEquals; 60 | import static org.junit.Assert.assertNotNull; 61 | import static org.junit.Assert.assertTrue; 62 | import static org.junit.Assert.fail; 63 | import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication; 64 | import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; 65 | import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; 66 | import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put; 67 | 68 | @RunWith(SpringRunner.class) 69 | @AutoConfigureMockMvc(print= MockMvcPrint.NONE) 70 | @SpringBootTest 71 | public class Module5_Tests { 72 | 73 | @Autowired 74 | MockMvc mvc; 75 | 76 | 77 | @Value("${spring.security.oauth2.resourceserver.opaquetoken.introspection-uri:#{null}}") 78 | String introspectionUrl; 79 | 80 | @Autowired(required = false) 81 | OpaqueTokenIntrospector introspector; 82 | 83 | 84 | @Autowired(required = false) 85 | UserDetailsService userDetailsService; 86 | 87 | @Autowired 88 | GoalController goalController; 89 | 90 | @Autowired 91 | GoalRepository goalRepository; 92 | 93 | @Autowired 94 | AuthorizationServer authz; 95 | 96 | @Before 97 | public void setup() { 98 | assertNotNull( 99 | "Module 1: Could not find `UserDetailsService` in the application context; make sure to complete the earlier modules " + 100 | "before starting this one", this.userDetailsService); 101 | } 102 | 103 | @TestConfiguration 104 | static class WebClientPostProcessor implements DisposableBean { 105 | static String userBaseUrl; 106 | 107 | MockWebServer userEndpoint = new MockWebServer(); 108 | 109 | @Override 110 | public void destroy() throws Exception { 111 | this.userEndpoint.shutdown(); 112 | } 113 | 114 | @Autowired(required = false) 115 | void postProcess(WebClient.Builder web) throws Exception { 116 | Field field = web.getClass().getDeclaredField("baseUrl"); 117 | field.setAccessible(true); 118 | userBaseUrl = (String) field.get(web); 119 | web.baseUrl(this.userEndpoint.url("").toString()); 120 | } 121 | 122 | @Bean 123 | MockWebServer userEndpoint() { 124 | this.userEndpoint.setDispatcher(new Dispatcher() { 125 | @Override 126 | public MockResponse dispatch(RecordedRequest recordedRequest) { 127 | MockResponse response = new MockResponse().setResponseCode(200); 128 | String path = recordedRequest.getPath(); 129 | switch(path) { 130 | case "/user/user/fullName": 131 | return response.setBody("User Userson"); 132 | case "/user/hasread/fullName": 133 | return response.setBody("Has Read"); 134 | case "/user/haswrite/fullName": 135 | return response.setBody("Has Write"); 136 | case "/user/admin/fullName": 137 | return response.setBody("Admin Adminson"); 138 | default: 139 | return response.setResponseCode(404); 140 | } 141 | } 142 | }); 143 | return this.userEndpoint; 144 | } 145 | } 146 | 147 | @TestConfiguration 148 | static class TestConfig implements DisposableBean, InitializingBean { 149 | AuthorizationServer server = new AuthorizationServer(); 150 | 151 | @Override 152 | public void afterPropertiesSet() throws Exception { 153 | this.server.start(); 154 | } 155 | 156 | @Override 157 | public void destroy() throws Exception { 158 | this.server.stop(); 159 | } 160 | 161 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.jwt.issuer-uri") 162 | @Bean 163 | JwtDecoder jwtDecoder(OAuth2ResourceServerProperties properties) { 164 | return JwtDecoders.fromOidcIssuerLocation(this.server.issuer()); 165 | } 166 | 167 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.opaquetoken.introspection-uri") 168 | @Bean 169 | JwtDecoder interrim() { 170 | return token -> { 171 | throw new BadJwtException("bad jwt"); 172 | }; 173 | } 174 | 175 | @ConditionalOnProperty("spring.security.oauth2.resourceserver.opaquetoken.introspection-uri") 176 | @ConditionalOnMissingBean 177 | @Bean 178 | OpaqueTokenIntrospector introspector(OAuth2ResourceServerProperties properties) { 179 | return new NimbusOpaqueTokenIntrospector( 180 | this.server.introspectionUri(), 181 | properties.getOpaquetoken().getClientId(), 182 | properties.getOpaquetoken().getClientSecret()); 183 | } 184 | 185 | @Bean 186 | AuthorizationServer authz() { 187 | return this.server; 188 | } 189 | } 190 | 191 | @TestConfiguration 192 | static class OpaqueTokenPostProcessor { 193 | @Autowired 194 | AuthorizationServer authz; 195 | 196 | @Autowired(required=false) 197 | void introspector(OpaqueTokenIntrospector introspector) throws Exception { 198 | NimbusOpaqueTokenIntrospector nimbus = null; 199 | if (introspector instanceof NimbusOpaqueTokenIntrospector) { 200 | nimbus = (NimbusOpaqueTokenIntrospector) introspector; 201 | } else if (introspector instanceof UserRepositoryOpaqueTokenIntrospector) { 202 | Field delegate = 203 | getDeclaredFieldByType(UserRepositoryOpaqueTokenIntrospector.class, OpaqueTokenIntrospector.class); 204 | if (delegate == null) { 205 | delegate = getDeclaredFieldByType(UserRepositoryOpaqueTokenIntrospector.class, NimbusOpaqueTokenIntrospector.class); 206 | } 207 | if (delegate != null) { 208 | delegate.setAccessible(true); 209 | nimbus = (NimbusOpaqueTokenIntrospector) delegate.get(introspector); 210 | } 211 | } 212 | 213 | if (nimbus != null) { 214 | nimbus.setRequestEntityConverter( 215 | defaultRequestEntityConverter(URI.create(this.authz.introspectionUri()))); 216 | } 217 | } 218 | 219 | private Converter> defaultRequestEntityConverter(URI introspectionUri) { 220 | return token -> { 221 | HttpHeaders headers = requestHeaders(); 222 | MultiValueMap body = requestBody(token); 223 | return new RequestEntity<>(body, headers, HttpMethod.POST, introspectionUri); 224 | }; 225 | } 226 | 227 | private HttpHeaders requestHeaders() { 228 | HttpHeaders headers = new HttpHeaders(); 229 | headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8)); 230 | return headers; 231 | } 232 | 233 | private MultiValueMap requestBody(String token) { 234 | MultiValueMap body = new LinkedMultiValueMap<>(); 235 | body.add("token", token); 236 | return body; 237 | } 238 | } 239 | 240 | @Test 241 | public void task_1() throws Exception { 242 | _task_1(); 243 | // add application.yml configuration 244 | assertNotNull( 245 | "Task 1: Could not find an `OpaqueTokenIntrospector` bean in the application context." + 246 | "Make sure that you are specifying the correct property in `application.yml`", 247 | this.introspector); 248 | 249 | String introspectionUrl = "http://idp:8083/oauth2/introspect"; 250 | assertEquals( 251 | "Task 1: Make sure that the `introspection-uri` property is set to `" + introspectionUrl + "`", 252 | introspectionUrl, this.introspectionUrl); 253 | } 254 | 255 | @Test 256 | public void task_2() throws Exception { 257 | task_1(); 258 | // customize OpaqueTokenIntrospector 259 | 260 | assertNotNull( 261 | "Task 2: Please make sure that you've supplied an instance of `UserRepositoryOpaqueTokenIntrospector` to the application context", 262 | this.introspector instanceof UserRepositoryOpaqueTokenIntrospector); 263 | 264 | String token = this.authz.token("user", "goal:read"); 265 | OAuth2AuthenticatedPrincipal principal = this.introspector.introspect(token); 266 | assertFalse( 267 | "Task 2: For a token with a scope of `goal:read`, your custom `OpaqueTokenIntrospector` returned no scopes back", 268 | principal.getAuthorities().isEmpty()); 269 | assertEquals( 270 | "Task 2: For a token with a scope of `goal:read`, a `GrantedAuthority` of `goal:read` was not returned. " + 271 | "Make sure that you are stripping off the `SCOPE_` prefix in your custom `OpaqueTokenIntrospector`", 272 | "goal:read", principal.getAuthorities().iterator().next().getAuthority()); 273 | } 274 | 275 | @Test 276 | public void task_3() throws Exception { 277 | _task_3(); 278 | // reconcile with UserRepository using JwtAuthenticationConverter 279 | 280 | String token = this.authz.token(UUID.randomUUID().toString(), "goal:write"); 281 | try { 282 | this.introspector.introspect(token); 283 | fail( 284 | "Task 6: Create a custom `OpaqueTokenIntrospector` that reconciles the `sub` field in the token response " + 285 | "with what's in the `UserRepository`. If the user isn't there, throw a `UsernameNotFoundException`."); 286 | } catch (UsernameNotFoundException expected) { 287 | // ignore 288 | } finally { 289 | this.authz.revoke(token); 290 | } 291 | } 292 | 293 | @Test 294 | public void task_4() throws Exception { 295 | _task_8(); 296 | // derive share permission 297 | String token = this.authz.token("haswrite", "goal:write"); 298 | try { 299 | OAuth2AuthenticatedPrincipal principal = this.introspector.introspect(token); 300 | assertTrue( 301 | "Task 7: Make so that when a token is granted `goal:write` and the user has a `premium` subscription that the " + 302 | "final principal as the `goal:share` authority", 303 | principal.getAuthorities().contains(new SimpleGrantedAuthority("goal:share"))); 304 | } finally { 305 | this.authz.revoke(token); 306 | } 307 | } 308 | 309 | private void _task_1() throws Exception { 310 | 311 | String token = this.authz.token("user", "goal:read"); 312 | try { 313 | MvcResult result = this.mvc.perform(get("/goals") 314 | .header("Authorization", "Bearer " + token)) 315 | .andReturn(); 316 | assertNotEquals( 317 | "Task 1: Make sure that you've configured the application to use Bearer token authentication by adding the appropriate " + 318 | "oauth2ResourceServer call to the Spring Security DSL in `GoalsApplication`", 319 | 401, result.getResponse().getStatus()); 320 | // until we add scopes, this will be a 403; after we add scopes, it'll be a 200. But it will never been a 401. 321 | } finally { 322 | this.authz.revoke(token); 323 | } 324 | } 325 | 326 | private void _task_3() throws Exception { 327 | _task_5(); 328 | 329 | // add subscription property 330 | Field nameField = getDeclaredFieldByColumnName(User.class, "subscription"); 331 | assertNotNull( 332 | "Please add a subscription property to the `User` class with a column called `subscription`", 333 | nameField); 334 | 335 | ReflectedUser user = new ReflectedUser((User) this.userDetailsService.loadUserByUsername("haswrite")); 336 | ReflectedUser copy = ReflectedUser.copiedInstance(user); 337 | assertEquals( 338 | "Task 3: Update your copy constructor so that the subscription is also copied", 339 | user.getSubscription(), copy.getSubscription()); 340 | 341 | assertEquals( 342 | "Task 3: Please give `haswrite` a `premium` subscription.", 343 | "premium", user.getSubscription()); 344 | 345 | // add friends property 346 | Field friendsField = getDeclaredFieldByName(User.class, "friends"); 347 | assertNotNull( 348 | "Task 3: Please add a friends property to the `User` class that maps to a `Collection` of other `User`s", 349 | friendsField); 350 | 351 | user = new ReflectedUser((User) this.userDetailsService.loadUserByUsername("haswrite")); 352 | copy = ReflectedUser.copiedInstance(user); 353 | Collection userFriends = user.getFriends().stream() 354 | .map(u -> new ReflectedUser(u).getUsername()) 355 | .collect(Collectors.toList()); 356 | Collection copyFriends = copy.getFriends().stream() 357 | .map(u -> new ReflectedUser(u).getUsername()) 358 | .collect(Collectors.toList()); 359 | assertEquals( 360 | "Task 3: The friends of the original and its copy are different.", 361 | userFriends, 362 | copyFriends); 363 | 364 | assertFalse( 365 | "Task 3: Please add `hasread` to `haswrite`'s list of friends", 366 | userFriends.isEmpty()); 367 | assertTrue( 368 | "Task 3: Please add `hasread` to `haswrite`'s list of friends", 369 | userFriends.contains("hasread")); 370 | } 371 | 372 | private void _task_5() throws Exception { 373 | task_2(); 374 | // add share endpoint 375 | 376 | Goal goal = this.goalRepository.save(new Goal("haswrite's latest goal", "haswrite")); 377 | User haswrite = (User) this.userDetailsService.loadUserByUsername("haswrite"); 378 | TestingAuthenticationToken token = new TestingAuthenticationToken 379 | (haswrite, haswrite, AuthorityUtils.createAuthorityList("goal:write", "goal:share")); 380 | MvcResult result = this.mvc.perform(put("/goal/" + goal.getId() + "/share") 381 | .with(authentication(token)) 382 | .with(csrf())) 383 | .andReturn(); 384 | 385 | assertEquals( 386 | "Task 5: The `PUT /goal/{id}/share` endpoint failed to authorize a user that is granted the `goal:share` permission.", 387 | 200, result.getResponse().getStatus()); 388 | User hasread = (User) this.userDetailsService.loadUserByUsername("hasread"); 389 | token = new TestingAuthenticationToken 390 | (hasread, hasread, AuthorityUtils.createAuthorityList("goal:read")); 391 | SecurityContextHolder.getContext().setAuthentication(token); 392 | try { 393 | Collection texts = StreamSupport.stream(this.goalController.read().spliterator(), false) 394 | .map(Goal::getText).collect(Collectors.toList()); 395 | assertTrue( 396 | "Task 5: Even though `haswrite` shared a `Goal` with `hasread`, `hasread` doesn't have it or its getting filtered out. " + 397 | "Make sure that you are sending the correct username to `GoalController#make", 398 | texts.contains("haswrite's latest goal")); 399 | } finally { 400 | SecurityContextHolder.clearContext(); 401 | } 402 | 403 | goal = this.goalRepository.save(new Goal("user's latest goal", "user")); 404 | token = new TestingAuthenticationToken 405 | (haswrite, haswrite, AuthorityUtils.createAuthorityList("goal:write", "goal:share")); 406 | result = this.mvc.perform(put("/goal/" + goal.getId() + "/share") 407 | .with(authentication(token)) 408 | .with(csrf())) 409 | .andReturn(); 410 | 411 | assertEquals( 412 | "Task 5: A user with the `goal:share` authority was able to share a goal that wasn't theirs.", 413 | 403, result.getResponse().getStatus()); 414 | 415 | token = new TestingAuthenticationToken 416 | (hasread, hasread, AuthorityUtils.createAuthorityList("goal:read", "user:read")); 417 | SecurityContextHolder.getContext().setAuthentication(token); 418 | try { 419 | Iterable goals = this.goalController.read(); 420 | for (Goal hasReadGoals : goals) { 421 | assertNotEquals( 422 | "Task 5: A user with the `goal:share` authority was able to share a goal that wasn't theirs.", 423 | "user's latest goal", hasReadGoals.getText()); 424 | } 425 | } finally { 426 | SecurityContextHolder.clearContext(); 427 | } 428 | } 429 | 430 | private void _task_8() throws Exception { 431 | task_3(); 432 | // create custom principal 433 | Goal goal = this.goalRepository.save(new Goal("haswrite's new goal", "haswrite")); 434 | String token = this.authz.token("haswrite", "goal:write"); 435 | try { 436 | MvcResult result = this.mvc.perform(put("/goal/" + goal.getId() + "/share") 437 | .header("Authorization", "Bearer " + token)) 438 | .andReturn(); 439 | 440 | assertEquals( 441 | "Task 5: The `/goal/{id}/share` endpoint failed to authorize a user that is granted the `goal:share` permission.", 442 | 200, result.getResponse().getStatus()); 443 | } finally { 444 | this.authz.revoke(token); 445 | } 446 | } 447 | 448 | } 449 | --------------------------------------------------------------------------------