From 0861a8a5db37834e3ebd6200b2a4abcf00cc1d86 Mon Sep 17 00:00:00 2001
From: Julian Horner <julianhorner@web.de>
Date: Wed, 18 Dec 2019 17:44:48 +0100
Subject: [PATCH] Improve authentication

---
 pom.xml | 21 ++++++----------
 .../ms/apig/JwtTokenAuthenticationFilter.java | 25 ++++++++-----------
 .../rtuni/ms/apig/SecurityConfiguration.java | 4 +--
 src/main/resources/application.yml | 5 ++--
 4 files changed, 22 insertions(+), 33 deletions(-)

diff --git a/pom.xml b/pom.xml
index 6a90a39..ee7f92e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,19 +23,6 @@
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-web</artifactId>
 </dependency>
- <dependency>
- <groupId>org.springframework.cloud</groupId>
- <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
- </dependency>
- <dependency>
- <groupId>org.springframework.cloud</groupId>
- <artifactId>spring-cloud-starter-netflix-zuul</artifactId>
- </dependency>
- <dependency>
- <groupId>org.springframework.boot</groupId>
- <artifactId>spring-boot-starter-tomcat</artifactId>
- <scope>provided</scope>
- </dependency>
 <dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-devtools</artifactId>
@@ -50,6 +37,14 @@
 <artifactId>jjwt</artifactId>
 <version>0.9.0</version>
 </dependency>
+ <dependency>
+ <groupId>org.springframework.cloud</groupId>
+ <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.cloud</groupId>
+ <artifactId>spring-cloud-starter-netflix-zuul</artifactId>
+ </dependency>
 </dependencies>

 <dependencyManagement>
diff --git a/src/main/java/de/rtuni/ms/apig/JwtTokenAuthenticationFilter.java b/src/main/java/de/rtuni/ms/apig/JwtTokenAuthenticationFilter.java
index 1e1f0c9..e561fad 100644
--- a/src/main/java/de/rtuni/ms/apig/JwtTokenAuthenticationFilter.java
+++ b/src/main/java/de/rtuni/ms/apig/JwtTokenAuthenticationFilter.java
@@ -23,7 +23,7 @@ import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; /** - * Class for + * Filter class for authentication of the provided JSON web token. * * @author Julian */ @@ -36,7 +36,7 @@ public class JwtTokenAuthenticationFilter extends OncePerRequestFilter { //---------------------------------------------------------------------------------------------- /** - * Set the given configuration for json web token. + * Set the given configuration for the token. * * @param config The stated configuration */ 
@@ -51,28 +51,26 @@ public class JwtTokenAuthenticationFilter extends OncePerRequestFilter { protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { - // 1. get the authentication header. Tokens are supposed to be passed in the - // authentication header + // 1. get the authentication header. + // Tokens are supposed to be passed in the authentication header. String header = request.getHeader(jwtConfig.getHeader()); // 2. validate the header and check the prefix if (header == null || !header.startsWith(jwtConfig.getPrefix())) { chain.doFilter(request, response); // If not valid, go to the next filter. + return; } - + /* - * If there is no token provided and hence the user won't be authenticated. - * It's Ok. Maybe the user accessing a public path or asking for a token. - * All secured paths that needs a token are already defined and secured in config class. - * And if user tried to access without access token, then he won't be authenticated and - * an exception will be thrown. + * If no token is provided, the user is not authenticated. That is okay. Maybe the user + * accessing a public path or asking for a token. All secured paths that needs a token are + * already defined and secured in SecurityConfiguration class. If the user tried to access + * without access token, then he won't be authenticated and an exception will be thrown. */ // 3. Get the token String token = header.replace(jwtConfig.getPrefix(), ""); - try { - // exceptions might be thrown in creating the claims if for example the token is expired - + try { // Exceptions can be triggered when creating claims, e.g if the token has expired // 4. Validate the token Claims claims = Jwts.parser().setSigningKey(jwtConfig.getSecret().getBytes()) .parseClaimsJws(token).getBody(); 
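Review bot: The rewritten comment block still states that a request without a token on a secured path ends in an exception raised through SecurityConfiguration, but the SecurityConfiguration hunk in this same commit removes `.anyRequest().authenticated()`, so after this change only `/securedPage/**` carries that guarantee and the comment overstates what the filter can rely on; `Paths that require a token are enforced by the matchers in SecurityConfiguration; on a missing header this filter only continues the chain and leaves the security context empty.` describes the contract the hunk actually implements. The added `return;` after `chain.doFilter` is the right fix for the chain previously being invoked twice on a missing header. Two context lines just below deserve a look while here: `header.replace(jwtConfig.getPrefix(), "")` strips every occurrence of the prefix rather than only the leading one, where `header.substring(jwtConfig.getPrefix().length())` is exact, and `jwtConfig.getSecret().getBytes()` uses the platform default charset, so `getBytes(StandardCharsets.UTF_8)` keeps the signing key identical across JVMs if the secret ever contains non-ASCII characters. The new `try { // Exceptions ...` line also reads `e.g if` where `e.g. if` is meant. doFilterInternal continues past the end of the hunk.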
@@ -95,7 +93,6 @@ public class JwtTokenAuthenticationFilter extends OncePerRequestFilter { map(SimpleGrantedAuthority::new).collect(Collectors.toList())); // 6. Authenticate the user - // Now, user is authenticated SecurityContextHolder.getContext().setAuthentication(auth); } } catch (Exception e) { diff --git a/src/main/java/de/rtuni/ms/apig/SecurityConfiguration.java b/src/main/java/de/rtuni/ms/apig/SecurityConfiguration.java index c75541a..e778876 100644 --- a/src/main/java/de/rtuni/ms/apig/SecurityConfiguration.java +++ b/src/main/java/de/rtuni/ms/apig/SecurityConfiguration.java @@ -50,9 +50,7 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter { // allow all who are accessing "auth" service .antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll() // must be an admin if trying to access secured page (authentication is also required) - .antMatchers("/securedPage/**").hasRole("ADMIN") - // Any other request must be authenticated - .anyRequest().authenticated(); + .antMatchers("/securedPage/**").hasRole("ADMIN"); } //---------------------------------------------------------------------------------------------- diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 0661d09..f6e0aa4 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml @@ -2,8 +2,6 @@ spring: application: name: api-gateway # Identify this application - main: - allow-bean-definition-overriding: true # HTTP Server server: @@ -25,5 +23,6 @@ zuul: service-id: dummy-service auth-service: path: /auth/** - service-id: auth-service # can we write this lowercase? + service-id: auth-service + strip-prefix: false sensitive-headers: Cookie,Set-Cookie -- GitLab
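Review bot: Dropping `.anyRequest().authenticated()` as the final rule in the SecurityConfiguration hunk turns the authorization policy from default-deny into default-allow: any path not matched by the two remaining `antMatchers` — which, given the Zuul routes in application.yml, presumably includes everything proxied under the `dummy-service` route — now needs no token at all, and the companion filter hunk only continues the chain when the header is absent, so nothing else rejects those requests. If the intent is to expose specific paths, list them with `.antMatchers(...).permitAll()` and keep the catch-all last, i.e. `.antMatchers("/securedPage/**").hasRole("ADMIN")` followed by `.anyRequest().authenticated();`. If default-allow is genuinely intended, a comment on the `hasRole("ADMIN")` line stating that every other path is public would stop the next reader from assuming the previous posture still holds. The enclosing configuration method starts outside the hunk.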