
Minor improvements

parent 66dbcc9d
......@@ -13,13 +13,17 @@ import org.springframework.beans.factory.annotation.Value;
* @author Julian
*
*/
public class JwtConfiguration {
//----------------------------------------------------------------------------------------------
public class JWTConfiguration {
//---------------------------------------------------------------------------------------------
/** Get the URI where the credentials needs to be send. */
@Value("${security.jwt.uri:/auth/**}")
private String Uri;
/** Get the header authorization type. */
@Value("${security.jwt.header:Authorization}")
private String header;
/** Get the prefix of the token message. */
@Value("${security.jwt.prefix:Bearer}")
private String prefix;
......@@ -32,7 +36,7 @@ public class JwtConfiguration {
@Value("${security.jwt.secret:JwtSecretKey}")
private String secret;
//----------------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------------
/**
* Get the URI where the credentials needs to be send.
......@@ -41,26 +45,33 @@ public class JwtConfiguration {
*/
public String getUri() { return Uri; }
/**
* Get the header authorization type.
*
* @return The stated header
*/
public String getHeader() { return header; }
/**
* Get the prefix of the token message.
*
* @return The prefix
* @return The stated prefix
*/
public String getPrefix() { return prefix; }
/**
* Get the expiration of the token in seconds.
*
* @return The expiration
* @return The stated expiration
*/
public int getExpiration() { return expiration; }
/**
* Get the the key for encryption and decryption.
*
* @return The secret
* @return The stated secret
*/
public String getSecret() { return secret; }
//----------------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------------
}
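Review bot: The HMAC secret in the middle hunk still has a hard-coded fallback, `@Value("${security.jwt.secret:JwtSecretKey}")`, so a deployment that forgets to set `security.jwt.secret` verifies every token against a string that is public in this repository and anyone can mint a token carrying the ADMIN authority. Drop the default so the context fails to start when the property is missing: `@Value("${security.jwt.secret}")`, and consider rejecting secrets shorter than 32 bytes, since the filter uses this value as an HS256 signing key via `parseClaimsJws`. The Javadoc on `getSecret()` ("key for encryption and decryption") describes something the code does not do; the token is signed and verified, not encrypted, so `Get the shared secret used to sign and verify tokens (HMAC).` would be accurate. Separately, the field `private String Uri;` should be `uri` to match the other fields and the `getUri()` accessor.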
......@@ -26,7 +26,7 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
/** The <code>JwtConfiguration</code>. */
@Autowired
private JwtConfiguration jwtConfiguration;
private JWTConfiguration jwtConfiguration;
//---------------------------------------------------------------------------------------------
......@@ -36,35 +36,31 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
* @return The stated JWT configuration
*/
@Bean
public JwtConfiguration jwtConfig() {
return new JwtConfiguration();
}
public JWTConfiguration jwtConfig() { return new JWTConfiguration(); }
//---------------------------------------------------------------------------------------------
/**
* Configure custom security configurations.
* <p>
* {@inheritDoc}
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
// Use stateless sessions.
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
// Add filter to validate tokens with every request.
.addFilterAfter(new JWTAuthenticationFilter(jwtConfiguration),
UsernamePasswordAuthenticationFilter.class)
.authorizeRequests()
// Permit only users with ADMIN role.
.antMatchers("/securedPage/**").hasRole("ADMIN")
// Permit auth and login path for sending credentials.
.antMatchers("/auth/**").permitAll()
.antMatchers("/login").permitAll().and()
// Configures where to forward if authentication is required.
.formLogin().loginPage("/login");
// Use stateless sessions.
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
// Add filter to validate tokens with every request.
.addFilterAfter(new JWTAuthenticationFilter(jwtConfiguration),
UsernamePasswordAuthenticationFilter.class)
.authorizeRequests()
// Permit only users with ADMIN role.
.antMatchers("/securedPage/**").hasRole("ADMIN")
// Permit auth and login path for sending credentials.
.antMatchers("/auth/**").permitAll()
.antMatchers("/login").permitAll().and()
// Configures where to forward if authentication is required.
.formLogin().loginPage("/login");
}
//---------------------------------------------------------------------------------------------
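Review bot: The `authorizeRequests()` chain in `configure` has no terminal `anyRequest()` rule, so every URL other than `/securedPage/**`, `/auth/**` and `/login` matches no access rule and, with Spring Security's default of not rejecting unmatched invocations, is served to unauthenticated callers; the JWT filter then only matters for the single ADMIN path. Close the policy explicitly after the login matcher: `.antMatchers("/login").permitAll()` followed by `.anyRequest().authenticated().and()`. Note also that `formLogin().loginPage("/login")` is configured alongside `SessionCreationPolicy.STATELESS`; form login normally depends on a session to hold the authentication, so it is worth confirming this combination behaves as intended rather than silently falling back to the token-less path.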
......@@ -19,12 +19,12 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import de.rtuni.ms.apig.config.JwtConfiguration;
import de.rtuni.ms.apig.config.JWTConfiguration;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
/**
* Filter class for authentication of the JWT.
* Filter class for authentication of the user via the JWT.
*
* @author Julian
*/
......@@ -32,7 +32,7 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
//---------------------------------------------------------------------------------------------
/** The <code>JwtConfiguration</code>. */
private JwtConfiguration jwtConfig;
private JWTConfiguration jwtConfiguration;
//---------------------------------------------------------------------------------------------
......@@ -41,7 +41,7 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
*
* @param config The stated configuration
*/
public JWTAuthenticationFilter(final JwtConfiguration config) { jwtConfig = config; }
public JWTAuthenticationFilter(final JWTConfiguration config) { jwtConfiguration = config; }
//---------------------------------------------------------------------------------------------
......@@ -50,8 +50,6 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
* currently authenticated user. That includes the authorities which were granted to the
* user by the auth service. If there is no supplied token the next filter will be
* executed.
* <p>
* {@inheritDoc}
*/
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
......@@ -59,19 +57,19 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
// Gets the access_token parameter.
String bearerToken = request.getParameter("access_token");
// Validate the header and check the prefix.
if (bearerToken == null || !bearerToken.startsWith(jwtConfig.getPrefix())) {
if (bearerToken == null || !bearerToken.startsWith(jwtConfiguration.getPrefix())) {
// If there's no token the user isn't authenticated and we execute the next filter.
chain.doFilter(request, response); // If not valid, go to the next filter.
return;
}
// Removes the bearer substring from the authentication header.
String token = bearerToken.replace(jwtConfig.getPrefix(), "");
String token = bearerToken.replace(jwtConfiguration.getPrefix(), "");
// Exceptions can be triggered when creating claims, e.g if the token has expired.
try {
// Sets secret and decrypts the token.
Claims claims = Jwts.parser().setSigningKey(jwtConfig.getSecret().getBytes())
Claims claims = Jwts.parser().setSigningKey(jwtConfiguration.getSecret().getBytes())
.parseClaimsJws(token).getBody();
String username = claims.getSubject();
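Review bot: `doFilterInternal` reads the token with `request.getParameter("access_token")` while the configured header name (`jwtConfiguration.getHeader()`, default `Authorization`) is never consulted, so the comment "Validate the header" is wrong and tokens are carried in the query string or form body, where they end up in access logs, proxy logs, browser history and Referer headers. Read the configured header instead, `String bearerToken = request.getHeader(jwtConfiguration.getHeader());` (if a client currently relies on the parameter form, accept the header first and fall back to the parameter only during migration). The prefix strip `bearerToken.replace(jwtConfiguration.getPrefix(), "")` removes every occurrence of the prefix anywhere in the string rather than the leading one, and leaves the separating space behind because the default prefix is `Bearer` without a trailing blank; `String token = bearerToken.substring(jwtConfiguration.getPrefix().length()).trim();` is the intended operation. `getSecret().getBytes()` should name the charset, `getBytes(StandardCharsets.UTF_8)`, so the key bytes do not depend on the platform default. The method continues past this hunk (the catch block is not visible here).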
......@@ -56,7 +56,7 @@
document.loginForm.submit();
} else if (httpRequest.status === 401) {
alert("You are not authorized to see the page.");
alert("Authorization failed, either user or password was incorrect.");
} else {
alert("Something went wrong try again.");
}
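Review bot: The new 401 text says "Authorization failed", but a 401 from the login request means the credentials were not accepted, i.e. authentication failed; the old wording had the same conflation and the new one keeps it. Suggest `alert("Authentication failed: user name or password was incorrect.");`. The enclosing response handler starts and ends outside this hunk, so the branch that submits `document.loginForm` on success is not reviewable here.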