https://github.com/amadr-95/spring-security
Spring security course. Basic auth, permission and form based auth, JWT
https://github.com/amadr-95/spring-security
auth java jwt spring-security
Last synced: over 1 year ago
JSON representation
Spring security course. Basic auth, permission and form based auth, JWT
- Host: GitHub
- URL: https://github.com/amadr-95/spring-security
- Owner: amadr-95
- Created: 2024-05-16T06:57:33.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2024-05-16T07:25:26.000Z (about 2 years ago)
- Last Synced: 2025-01-27T06:44:05.036Z (over 1 year ago)
- Topics: auth, java, jwt, spring-security
- Language: Java
- Homepage:
- Size: 430 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Spring Security
Spring Security allows to secure the access to API endpoints and
grant priviliges only to trusted users or permissions.
In this example we start from a API already built.
## ApplicationSecurityConfig class
Under the package `com.spring.security` is the class where all configurations about security are done
```java
package com.spring.spring.security;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@Configuration
@EnableWebSecurity
public class ApplicationSecurityConfig {
}
```
### User Roles and Permissions (Authorities)
We can create **roles** and **permissions** as follows:
#### Permissions
```java
public enum ApplicationUserPermission {
STUDENT_READ("student:read"),
STUDENT_WRITE("student:write"),
STUDENT_DELETE("student:delete"),
STUDENT_UPDATE("student:update");
private final String permission;
ApplicationUserPermission(String permission) {
this.permission = permission;
}
public String getPermission() {
return permission;
}
}
```
#### Roles
Once permissions are stablished, they can be assigned to roles. So in
this manner a specific role can have a set of permissions.
```java
public enum ApplicationUserRole {
STUDENT(Set.of(STUDENT_READ, STUDENT_UPDATE)),
ADMIN(Set.of(STUDENT_READ, STUDENT_WRITE, STUDENT_DELETE, STUDENT_UPDATE));
private final Set permissions;
ApplicationUserRole(Set permissions) {
this.permissions = permissions;
}
public Set getPermissions() {
return permissions;
}
}
```
## Types of Auth
### Basic Auth
In this method the client send the user and password in
every request, which are encrypted by Basic64.
There is no posibility to logout
(mostly used with external API's)
#### Role based Authentication
Granting access to API endpoints filtering by **user role**.
> [!WARNING]
> **Cross Site Request Forgery**
> The action of forging a copy or imitation of a document, signature,
> banknote, or work of art.
> Spring Security try to protect teh API by default.
> On POST, PUT, DELETE methods the request is rejected
> because no token was sent to the client when logged in. That is
> what csrf does by default when it is enabled.
>
> 
>
> [CSRF protection is recommended](https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html) to use for any request that could be
> processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you
> will
> likely want to disable CSRF protection. So in this case we can disable it.
```java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.authorizeHttpRequests(authz -> authz
.csrf(AbstractHttpConfigurer::disable)
.requestMatchers("/", "index.html", "/css/*", "/js/*")
.permitAll()
.requestMatchers("/api/**").hasRole(ADMIN.toString())
.anyRequest()
.authenticated()
)
.httpBasic(Customizer.withDefaults())
.build();
}
```
Creating the user using `InMemoryUserDetailsManager` with its role (ADMIN).
```java
@Bean
public InMemoryUserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) {
UserDetails admin = User.builder()
.username("admin")
.password(passwordEncoder.encode("password"))
.roles("ADMIN")
.build();
return new InMemoryUserDetailsManager(admin);
}
```
> [!NOTE]
> The password must be encoded
#### Permission based Authentication
Granting access to API endpoints filtering by **user's permissions** instead of the role itself.
Now we have to change `.role(ROLE)` for `.authorities(authorities)`:
```java
@Bean
public InMemoryUserDetailsManager userDetailsManager(PasswordEncoder passwordEncoder) {
UserDetails studentUser = User.builder()
.username("student")
.password(passwordEncoder.encode("student"))
//.roles(STUDENT.toString()) //ROL_STUDENT
.authorities(STUDENT.getGrantedAuthorities())
.build();
UserDetails adminUser = User.builder()
.username("admin")
.password(passwordEncoder.encode("admin"))
//.roles(ADMIN.toString()) //ROL_ADMIN
.authorities(ADMIN.getGrantedAuthorities())
.build();
return new InMemoryUserDetailsManager(studentUser, adminUser);
}
```
To be able to obtain permissions from an user, we have to convert permissions from plain text to
a type that implements `GrantedAuthority` interface, such as `SimpleGrantedAuthority`:
```java
public Set getGrantedAuthorities() {
Set grantedAuthorities = new HashSet<>();
//convert every ApplicationUserPermission to a SimpleGrantedAuthority
for (ApplicationUserPermission permission : permissions) {
grantedAuthorities.add(
new SimpleGrantedAuthority(permission.getPermission())
);
}
//Add role
grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + this));
return grantedAuthorities;
}
```
By doing this, we have attached the correct authorities to users.
#### Permission based Authentication on a method level
We can also set authentication by annotating methods with `@PreAuthorized()`.
Within the annotation we can both filter by roles or permissions passing it these strings:
- hasRole('ROLE_')
- hasAnyRole('ROLE_')
- hasAuthority('permission')
- hasAnyAuthority('permission')
To use that we also have to annotate `ApplicationSecurityConfig` with `@EnableMethodSecurity`
```java
@GetMapping
@PreAuthorize("hasRole('ADMIN')")
public List findAllStudents() {
return studentService.findAllStudents();
}
@GetMapping("{id}")
@PreAuthorize("hasAnyRole('ADMIN', 'STUDENT')")
public Student findStudentById(@PathVariable("id") Integer studentId) throws StudentNotFoundException {
return studentService.findStudentById(studentId);
}
@PostMapping
@PreAuthorize("hasAuthority('student:write')")
public void addNewStudent(@RequestBody StudentRequest student) throws StudentException {
studentService.addNewStudent(student);
}
```
### Form based Authentication
Form based is the default type of auth that comes with Spring security.
It auto-generates a form to login with user credentials. Once logged,
a cookie `SESSIONID` (generated when the user login for first time) is sending
to the server on every request.
Enabling form auth instead of basic auth is just a matter of changing one line:
```java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.authorizeHttpRequests(authz -> authz
...
)
.formLogin(Customizer.withDefaults())
.build();
}
```
#### Options
* Custom login page
```java
.formLogin(httpSecurityFormLoginConfigurer -> httpSecurityFormLoginConfigurer
.passwordParameter("password") //same name as form name in html
.usernameParameter("username")
.loginPage("/login")
.permitAll()
.defaultSuccessUrl("url", true)
)
```
* Custom remember me expiration time
By default SESSIONID cookie expires after 30' of inactivity.
These can be changed as follows:
```java
//.rememberMe(Customizer.withDefaults()) //valid 30'
.rememberMe(httpSecurityRememberMeConfigurer -> httpSecurityRememberMeConfigurer
.rememberMeParameter("remember-me")
.tokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(21))
.key("securekey") //key to encrypt the username and expiration time instead of default one
)
```
* Custom logout
```java
.logout(httpSecurityLogoutConfigurer -> httpSecurityLogoutConfigurer
.logoutUrl("/logout")
.clearAuthentication(true)
.deleteCookies("JSESSIONID", "remember-me")
.logoutSuccessUrl("/index.html")
)
```
## JWT (JSON Web Token)
### Java JWT Library
Managing authentication requests based on username and password using JSON Web Tokens (JWT).
To use these library we have to add the dependecies to `pom.xml`:
```xml
io.jsonwebtoken
jjwt
0.9.1
javax.xml.bind
jaxb-api
2.3.1
```
`UsernamePasswordAuthenticationFilter` is the dafault class Spring uses.
By extending from it we can override some methods and give them specific implementation.
### First step: validates credentials
- Modelate authentication request with `UsernameAndPasswordAuthenticationRequest.class`
- Override `attempAuthentication` method.
- If username and password are correct, this method return the Authentication
### Second step: generates token and send it to the client
- `successfulAuthentication` method will be executed only if `attempAuthentication` does not fail.
- Create the token
- Send it to the client
Once implemented, we can access to `http://localhost:8080/api/v1/auth/authenticate` and try to log in with any user:
If credentials are correct, a token will be generated. This token must be used as authorization method in every request to the API as follows:
