JWT

ead65f1b · Bruno Teixeira · f6050a78 · ead65f1b · ead65f1b · ead65f1b
Commit ead65f1b authored 5 years ago by Bruno Teixeira
--- a/Backend/build.gradle
+++ b/Backend/build.gradle
@@ -21,6 +21,9 @@ repositories {
 dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-data-mongodb'
    implementation 'org.springframework.boot:spring-boot-starter-web'
+    compile group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.3.0.RELEASE'
+    compile group: 'com.auth0', name: 'java-jwt', version: '3.10.3'
+
    compileOnly 'org.projectlombok:lombok'
    annotationProcessor 'org.projectlombok:lombok'
    testImplementation('org.springframework.boot:spring-boot-starter-test') {

--- a/Backend/src/main/java/com/mobilecomputing/pecunia/PecuniaApplication.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/PecuniaApplication.java
@@ -2,10 +2,17 @@ package com.mobilecomputing.pecunia;

 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

 @SpringBootApplication
 public class PecuniaApplication {

+    @Bean
+    public BCryptPasswordEncoder bCryptPasswordEncoder(){
+        return new BCryptPasswordEncoder();
+    }
+
    public static void main(String[] args) {
        SpringApplication.run(PecuniaApplication.class, args);
    }

--- a/Backend/src/main/java/com/mobilecomputing/pecunia/controller/UserController.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/controller/UserController.java
 package com.mobilecomputing.pecunia.controller;

-import com.mobilecomputing.pecunia.model.User;
+import com.mobilecomputing.pecunia.model.ApplicationUser;
 import com.mobilecomputing.pecunia.repository.UserRepository;
 import org.bson.types.ObjectId;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.ResponseEntity;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.web.bind.annotation.*;

 @RestController
@@ -13,6 +13,8 @@ public class UserController {
    @Autowired
    UserRepository userRepository;

+    BCryptPasswordEncoder bCryptPasswordEncoder;
+
    @GetMapping("/getById")
    public String getUserById(@RequestParam String id){
        return String.valueOf(userRepository.findById(new ObjectId(id)));
@@ -27,17 +29,11 @@ public class UserController {
        return String.valueOf(userRepository.findAll());
    }

-    @PostMapping("/registrateUser")
-    public String registrateUser(@RequestParam String eMail, @RequestParam String name, @RequestParam String surname,
-                                 @RequestParam String password){
-        User user = new User();
-        user.seteMail(eMail); // überprüfen ob email schon vergeben ist
-        user.setName(name);
-        user.setSurname(surname);
-        user.setPassword(password);
+    @PostMapping("/sign-up")
+    public void signUp(@RequestBody ApplicationUser user){
+        user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));

        userRepository.save(user);
-        return "ok?";
    }

    @DeleteMapping("/deleteUser")

--- a/Backend/src/main/java/com/mobilecomputing/pecunia/model/User.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/model/User.java
@@ -2,7 +2,7 @@ package com.mobilecomputing.pecunia.model;

 import org.springframework.data.annotation.Id;

-public class User {
+public class ApplicationUser {

    @Id
    private String eMail;
@@ -10,7 +10,7 @@ public class User {
    private String surname;
    private String password;

-    public String geteMail() {
+    public String getEMail() {
        return eMail;
    }


--- a/Backend/src/main/java/com/mobilecomputing/pecunia/model/Transaction.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/model/Transaction.java
+package com.mobilecomputing.pecunia.model;
+
+import org.springframework.data.annotation.Id;
+
+public class Transaction {
+
+    @Id
+    private String transactionId;
+
+}
--- a/Backend/src/main/java/com/mobilecomputing/pecunia/model/Trip.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/model/Trip.java
@@ -11,9 +11,9 @@ public class Trip {
    private String tripName;
    private Date startOfTrip;
    private Date endOfTrip;
-    private List<User> tripParticipants;
+    private List<ApplicationUser> tripParticipants;

-    public Trip(String tripId, String tripName, Date startOfTrip, Date endOfTrip, List<User> tripParticipants) {
+    public Trip(String tripId, String tripName, Date startOfTrip, Date endOfTrip, List<ApplicationUser> tripParticipants) {
        this.tripId = tripId;
        this.tripName = tripName;
        this.startOfTrip = startOfTrip;
@@ -53,11 +53,11 @@ public class Trip {
        this.endOfTrip = endOfTrip;
    }

-    public List<User> getTripParticipants() {
+    public List<ApplicationUser> getTripParticipants() {
        return tripParticipants;
    }

-    public void setTripParticipants(List<User> tripParticipants) {
+    public void setTripParticipants(List<ApplicationUser> tripParticipants) {
        this.tripParticipants = tripParticipants;
    }
 }
--- a/Backend/src/main/java/com/mobilecomputing/pecunia/repository/UserRepository.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/repository/UserRepository.java
 package com.mobilecomputing.pecunia.repository;

-import com.mobilecomputing.pecunia.model.Trip;
-import com.mobilecomputing.pecunia.model.User;
+import com.mobilecomputing.pecunia.model.ApplicationUser;
 import org.bson.types.ObjectId;
 import org.springframework.data.repository.CrudRepository;

-public interface UserRepository extends CrudRepository<User, ObjectId> {
+public interface UserRepository extends CrudRepository<ApplicationUser, ObjectId> {
 }
--- a/Backend/src/main/java/com/mobilecomputing/pecunia/security/JWTAuthenticationFilter.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/security/JWTAuthenticationFilter.java
+package com.mobilecomputing.pecunia.security;
+
+import com.auth0.jwt.JWT;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.mobilecomputing.pecunia.model.ApplicationUser;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+
+import static com.auth0.jwt.algorithms.Algorithm.HMAC512;
+import static com.mobilecomputing.pecunia.security.SecurityConstraints.*;
+
+/**
+ * https://auth0.com/blog/implementing-jwt-authentication-on-spring-boot/#User-Authentication-and-Authorization-on-Spring-Boot
+ */
+public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
+    private AuthenticationManager authenticationManager;
+
+    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
+        this.authenticationManager = authenticationManager;
+        System.out.println("JWT AUTHENTICATION created");
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request,
+                                                HttpServletResponse response) throws AuthenticationException {
+        try {
+            System.out.println("attemptAuthentication");
+            ApplicationUser creds = new ObjectMapper().readValue(request.getInputStream(), ApplicationUser.class);
+            return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(
+                    creds.getEMail(),
+                    creds.getPassword(),
+                    new ArrayList<>()));
+
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request,
+                                            HttpServletResponse response,
+                                            FilterChain chain,
+                                            Authentication authResult) throws IOException, ServletException {
+        System.out.println("successfulAuthentication");
+        String token = JWT.create()
+                .withSubject(((ApplicationUser)authResult.getPrincipal()).getEMail())
+                .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
+                .sign(HMAC512(SECRET.getBytes()));
+        System.out.println(token);
+        response.addHeader(HEADER_STRING,TOKEN_PREFIX+token);
+    }
+}
--- a/Backend/src/main/java/com/mobilecomputing/pecunia/security/JWTAuthorizationFilter.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/security/JWTAuthorizationFilter.java
+package com.mobilecomputing.pecunia.security;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.ArrayList;
+
+import static com.mobilecomputing.pecunia.security.SecurityConstraints.*;
+
+public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
+
+    public JWTAuthorizationFilter(AuthenticationManager authenticationManager) {
+        super(authenticationManager);
+    }
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request,
+                                    HttpServletResponse response,
+                                    FilterChain chain) throws IOException, ServletException {
+        String header = request.getHeader(HEADER_STRING);
+
+        System.out.println("doFilterInternal");
+
+        if(header == null || !header.startsWith(TOKEN_PREFIX)){
+            chain.doFilter(request,response);
+            return;
+        }
+
+        UsernamePasswordAuthenticationToken authentication = getAuthentication(request);
+
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+        chain.doFilter(request, response);
+    }
+
+    private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request){
+        String token = request.getHeader(HEADER_STRING);
+        System.out.println("JWT AUTHORIZATION username passwordauthToken drinn");
+        if(token!=null){
+            String user = JWT.require(Algorithm.HMAC512(SECRET.getBytes()))
+                    .build()
+                    .verify(token.replace(TOKEN_PREFIX, ""))
+                    .getSubject();
+
+            if(user!=null){
+                return new UsernamePasswordAuthenticationToken(user,null, new ArrayList<>());
+            }
+            return null;
+        }
+        return null;
+    }
+}
--- a/Backend/src/main/java/com/mobilecomputing/pecunia/security/SecurityConstraints.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/security/SecurityConstraints.java
+package com.mobilecomputing.pecunia.security;
+
+public class SecurityConstraints {
+    public static final String SECRET = "SecretKeyToGenJWTs";
+    public static final long EXPIRATION_TIME = 864_000_000; // 10 days
+    public static final String TOKEN_PREFIX = "Bearer ";
+    public static final String HEADER_STRING = "Authorization";
+    public static final String SIGN_UP_URL = "/users/sign-up";
+}
--- a/Backend/src/main/java/com/mobilecomputing/pecunia/security/UserDetailsServiceImpl.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/security/UserDetailsServiceImpl.java
+package com.mobilecomputing.pecunia.security;
+
+import com.mobilecomputing.pecunia.model.ApplicationUser;
+import com.mobilecomputing.pecunia.repository.UserRepository;
+import org.bson.types.ObjectId;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+import java.util.Collections;
+import java.util.Optional;
+
+public class UserDetailsServiceImpl implements UserDetailsService {
+
+    @Autowired
+    private UserRepository userRepository;
+
+    public UserDetailsServiceImpl(UserRepository userRepository){
+        System.out.println("userDetails Service created");
+        this.userRepository=userRepository;
+    }
+
+    @Override
+    public UserDetails loadUserByUsername(String userEmail) throws UsernameNotFoundException {
+        System.out.println("loadbyUsername");
+        Optional<ApplicationUser> user = userRepository.findById(new ObjectId(userEmail));
+        if(user ==null){
+            throw new UsernameNotFoundException(user.toString());
+        }
+        ApplicationUser applicationUser = user.get();
+        return new User(applicationUser.getEMail(),applicationUser.getPassword(), Collections.emptyList());
+    }
+}
--- a/Backend/src/main/java/com/mobilecomputing/pecunia/security/WebSecurity.java
+++ b/Backend/src/main/java/com/mobilecomputing/pecunia/security/WebSecurity.java
+package com.mobilecomputing.pecunia.security;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import static com.mobilecomputing.pecunia.security.SecurityConstraints.SIGN_UP_URL;
+
+
+public class WebSecurity extends WebSecurityConfigurerAdapter {
+    private UserDetailsServiceImpl userDetailsService;
+    private BCryptPasswordEncoder bCryptPasswordEncoder;
+
+    public WebSecurity(UserDetailsServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
+        this.userDetailsService = userDetailsService;
+        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        System.out.println("web sec configure");
+        http.cors().and().csrf().disable().authorizeRequests()
+                .antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .addFilter(new JWTAuthenticationFilter(authenticationManager()))
+                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+    }
+
+    @Override
+    public void configure(AuthenticationManagerBuilder auth) throws Exception {
+        System.out.println("web sec configure 2");
+        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
+    }
+
+    @Bean
+    CorsConfigurationSource corsConfigurationSource() {
+        System.out.println("web sec config cors");
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
+        return source;
+    }
+}