Compare commits
No commits in common. "975ebae553465398091b00377cf8790c80ea7547" and "e48fb283c3475bb5ee6c7ea3f5a941c345b74371" have entirely different histories.
975ebae553
...
e48fb283c3
|
@ -60,7 +60,6 @@ dependencies {
|
|||
runtimeOnly("com.microsoft.sqlserver:mssql-jdbc:9.2.1.jre11")
|
||||
|
||||
runtimeOnly("io.jsonwebtoken:jjwt-impl:0.11.2")
|
||||
runtimeOnly("io.jsonwebtoken:jjwt-jackson:0.11.2")
|
||||
}
|
||||
|
||||
springBoot {
|
||||
|
|
|
@ -72,7 +72,7 @@ case "`uname`" in
|
|||
Darwin* )
|
||||
darwin=true
|
||||
;;
|
||||
MSYS* | MINGW* )
|
||||
MINGW* )
|
||||
msys=true
|
||||
;;
|
||||
NONSTOP* )
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
package dev.fyloz.colorrecipesexplorer
|
||||
|
||||
typealias SpringUser = org.springframework.security.core.userdetails.User
|
||||
typealias SpringUserDetails = org.springframework.security.core.userdetails.UserDetails
|
||||
typealias SpringUserDetailsService = org.springframework.security.core.userdetails.UserDetailsService
|
||||
public typealias SpringUser = org.springframework.security.core.userdetails.User
|
||||
|
|
|
@ -1,19 +1,21 @@
|
|||
package dev.fyloz.colorrecipesexplorer.config.security
|
||||
|
||||
import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
|
||||
import dev.fyloz.colorrecipesexplorer.SpringUser
|
||||
import dev.fyloz.colorrecipesexplorer.config.properties.CreSecurityProperties
|
||||
import dev.fyloz.colorrecipesexplorer.exception.NotFoundException
|
||||
import dev.fyloz.colorrecipesexplorer.model.account.UserDetails
|
||||
import dev.fyloz.colorrecipesexplorer.model.account.UserLoginRequest
|
||||
import dev.fyloz.colorrecipesexplorer.utils.buildJwt
|
||||
import dev.fyloz.colorrecipesexplorer.utils.parseJwt
|
||||
import io.jsonwebtoken.ExpiredJwtException
|
||||
import io.jsonwebtoken.Jwts
|
||||
import org.springframework.security.authentication.AuthenticationManager
|
||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
|
||||
import org.springframework.security.core.Authentication
|
||||
import org.springframework.security.core.context.SecurityContextHolder
|
||||
import org.springframework.security.core.userdetails.UserDetails
|
||||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
|
||||
import org.springframework.util.Assert
|
||||
import org.springframework.web.util.WebUtils
|
||||
import javax.servlet.FilterChain
|
||||
import javax.servlet.http.HttpServletRequest
|
||||
|
@ -44,11 +46,10 @@ class JwtAuthenticationFilter(
|
|||
request: HttpServletRequest,
|
||||
response: HttpServletResponse,
|
||||
chain: FilterChain,
|
||||
auth: Authentication
|
||||
authResult: Authentication
|
||||
) {
|
||||
val userDetails = (auth.principal as UserDetails)
|
||||
val token =
|
||||
userDetails.user.buildJwt(securityProperties.jwtSecret, duration = securityProperties.jwtDuration).token
|
||||
val user = (authResult.principal as SpringUser)
|
||||
val token = user.buildJwt(securityProperties)
|
||||
|
||||
var bearerCookie =
|
||||
"$authorizationCookieName=Bearer$token; Max-Age=${securityProperties.jwtDuration / 1000}; HttpOnly; SameSite=strict"
|
||||
|
@ -58,13 +59,11 @@ class JwtAuthenticationFilter(
|
|||
bearerCookie
|
||||
)
|
||||
response.addHeader(authorizationCookieName, "Bearer $token")
|
||||
|
||||
updateUserLoginTime(userDetails.user.id)
|
||||
}
|
||||
}
|
||||
|
||||
class JwtAuthorizationFilter(
|
||||
private val securityProperties: CreSecurityProperties,
|
||||
private val securityConfigurationProperties: CreSecurityProperties,
|
||||
authenticationManager: AuthenticationManager,
|
||||
private val loadUserById: (Long) -> UserDetails
|
||||
) : BasicAuthenticationFilter(authenticationManager) {
|
||||
|
@ -100,10 +99,16 @@ class JwtAuthorizationFilter(
|
|||
}
|
||||
|
||||
private fun getAuthentication(token: String): UsernamePasswordAuthenticationToken? {
|
||||
val jwtSecret = securityConfigurationProperties.jwtSecret
|
||||
Assert.notNull(jwtSecret, "No JWT secret has been defined.")
|
||||
return try {
|
||||
with(parseJwt(token.replace("Bearer", ""), securityProperties.jwtSecret)) {
|
||||
getAuthenticationToken(this.subject)
|
||||
}
|
||||
|
||||
val userId = Jwts.parser()
|
||||
.setSigningKey(jwtSecret.toByteArray())
|
||||
.parseClaimsJws(token.replace("Bearer", ""))
|
||||
.body
|
||||
.subject
|
||||
if (userId != null) getAuthenticationToken(userId) else null
|
||||
} catch (_: ExpiredJwtException) {
|
||||
null
|
||||
}
|
||||
|
|
|
@ -4,8 +4,6 @@ import dev.fyloz.colorrecipesexplorer.config.properties.CreSecurityProperties
|
|||
import dev.fyloz.colorrecipesexplorer.emergencyMode
|
||||
import dev.fyloz.colorrecipesexplorer.model.account.Permission
|
||||
import dev.fyloz.colorrecipesexplorer.model.account.User
|
||||
import dev.fyloz.colorrecipesexplorer.model.account.UserDetails
|
||||
import dev.fyloz.colorrecipesexplorer.model.account.user
|
||||
import dev.fyloz.colorrecipesexplorer.service.CreUserDetailsService
|
||||
import dev.fyloz.colorrecipesexplorer.service.UserService
|
||||
import org.slf4j.Logger
|
||||
|
@ -24,6 +22,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
|
|||
import org.springframework.security.config.http.SessionCreationPolicy
|
||||
import org.springframework.security.core.AuthenticationException
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority
|
||||
import org.springframework.security.core.userdetails.UserDetails
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException
|
||||
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
|
||||
import org.springframework.security.crypto.password.PasswordEncoder
|
||||
|
@ -35,6 +34,7 @@ import org.springframework.web.cors.UrlBasedCorsConfigurationSource
|
|||
import javax.annotation.PostConstruct
|
||||
import javax.servlet.http.HttpServletRequest
|
||||
import javax.servlet.http.HttpServletResponse
|
||||
import org.springframework.security.core.userdetails.User as SpringUser
|
||||
|
||||
@Configuration
|
||||
@Profile("!emergency")
|
||||
|
@ -122,6 +122,8 @@ class EmergencySecurityConfig(
|
|||
private val securityProperties: CreSecurityProperties,
|
||||
private val environment: Environment
|
||||
) : WebSecurityConfigurerAdapter() {
|
||||
private val rootUserRole = Permission.ADMIN.name
|
||||
|
||||
init {
|
||||
emergencyMode = true
|
||||
}
|
||||
|
@ -140,7 +142,7 @@ class EmergencySecurityConfig(
|
|||
auth.inMemoryAuthentication()
|
||||
.withUser(securityProperties.root!!.id.toString())
|
||||
.password(passwordEncoder().encode(securityProperties.root!!.password))
|
||||
.authorities(SimpleGrantedAuthority(Permission.ADMIN.name))
|
||||
.authorities(SimpleGrantedAuthority(rootUserRole))
|
||||
}
|
||||
|
||||
override fun configure(http: HttpSecurity) {
|
||||
|
@ -170,11 +172,11 @@ class EmergencySecurityConfig(
|
|||
private fun loadUserById(id: Long): UserDetails {
|
||||
assertRootUserNotNull(securityProperties)
|
||||
if (id == securityProperties.root!!.id) {
|
||||
return UserDetails(user(
|
||||
id = id,
|
||||
password = securityProperties.root!!.password,
|
||||
permissions = mutableSetOf(Permission.ADMIN)
|
||||
))
|
||||
return SpringUser(
|
||||
id.toString(),
|
||||
securityProperties.root!!.password,
|
||||
listOf(SimpleGrantedAuthority(rootUserRole))
|
||||
)
|
||||
}
|
||||
throw UsernameNotFoundException(id.toString())
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
package dev.fyloz.colorrecipesexplorer.model.account
|
||||
|
||||
import dev.fyloz.colorrecipesexplorer.SpringUserDetails
|
||||
import dev.fyloz.colorrecipesexplorer.exception.AlreadyExistsException
|
||||
import dev.fyloz.colorrecipesexplorer.exception.NotFoundException
|
||||
import dev.fyloz.colorrecipesexplorer.model.EntityDto
|
||||
|
@ -60,6 +59,9 @@ data class User(
|
|||
.apply {
|
||||
if (group != null) this.addAll(group!!.flatPermissions)
|
||||
}
|
||||
|
||||
val authorities: Set<GrantedAuthority>
|
||||
get() = flatPermissions.map { it.toAuthority() }.toMutableSet()
|
||||
}
|
||||
|
||||
open class UserSaveDto(
|
||||
|
@ -108,19 +110,6 @@ data class UserOutputDto(
|
|||
|
||||
data class UserLoginRequest(val id: Long, val password: String)
|
||||
|
||||
data class UserDetails(val user: User) : SpringUserDetails {
|
||||
override fun getPassword() = user.password
|
||||
override fun getUsername() = user.id.toString()
|
||||
|
||||
override fun getAuthorities() =
|
||||
user.flatPermissions.map { it.toAuthority() }.toMutableSet()
|
||||
|
||||
override fun isAccountNonExpired() = true
|
||||
override fun isAccountNonLocked() = true
|
||||
override fun isCredentialsNonExpired() = true
|
||||
override fun isEnabled() = true
|
||||
}
|
||||
|
||||
// ==== DSL ====
|
||||
fun user(
|
||||
passwordEncoder: PasswordEncoder = BCryptPasswordEncoder(),
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
package dev.fyloz.colorrecipesexplorer.service
|
||||
|
||||
import dev.fyloz.colorrecipesexplorer.SpringUserDetailsService
|
||||
import dev.fyloz.colorrecipesexplorer.config.security.blacklistedJwtTokens
|
||||
import dev.fyloz.colorrecipesexplorer.config.security.defaultGroupCookieName
|
||||
import dev.fyloz.colorrecipesexplorer.exception.NotFoundException
|
||||
|
@ -10,6 +9,8 @@ import dev.fyloz.colorrecipesexplorer.repository.GroupRepository
|
|||
import dev.fyloz.colorrecipesexplorer.repository.UserRepository
|
||||
import org.springframework.context.annotation.Lazy
|
||||
import org.springframework.context.annotation.Profile
|
||||
import org.springframework.security.core.userdetails.UserDetails
|
||||
import org.springframework.security.core.userdetails.UserDetailsService
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException
|
||||
import org.springframework.security.crypto.password.PasswordEncoder
|
||||
import org.springframework.stereotype.Service
|
||||
|
@ -18,6 +19,7 @@ import java.time.LocalDateTime
|
|||
import javax.servlet.http.HttpServletRequest
|
||||
import javax.servlet.http.HttpServletResponse
|
||||
import javax.transaction.Transactional
|
||||
import org.springframework.security.core.userdetails.User as SpringUser
|
||||
|
||||
interface UserService :
|
||||
ExternalModelService<User, UserSaveDto, UserUpdateDto, UserOutputDto, UserRepository> {
|
||||
|
@ -67,7 +69,7 @@ interface GroupService :
|
|||
fun setResponseDefaultGroup(groupId: Long, response: HttpServletResponse)
|
||||
}
|
||||
|
||||
interface CreUserDetailsService : SpringUserDetailsService {
|
||||
interface CreUserDetailsService : UserDetailsService {
|
||||
/** Loads an [User] for the given [id]. */
|
||||
fun loadUserById(id: Long, ignoreDefaultGroupUsers: Boolean = false): UserDetails
|
||||
}
|
||||
|
@ -302,7 +304,8 @@ class GroupServiceImpl(
|
|||
@Profile("!emergency")
|
||||
class CreUserDetailsServiceImpl(
|
||||
private val userService: UserService
|
||||
) : CreUserDetailsService {
|
||||
) :
|
||||
CreUserDetailsService {
|
||||
override fun loadUserByUsername(username: String): UserDetails {
|
||||
try {
|
||||
return loadUserById(username.toLong(), true)
|
||||
|
@ -319,6 +322,6 @@ class CreUserDetailsServiceImpl(
|
|||
ignoreDefaultGroupUsers = ignoreDefaultGroupUsers,
|
||||
ignoreSystemUsers = false
|
||||
)
|
||||
return UserDetails(user)
|
||||
return SpringUser(user.id.toString(), user.password, user.authorities)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,62 +1,33 @@
|
|||
package dev.fyloz.colorrecipesexplorer.utils
|
||||
|
||||
import dev.fyloz.colorrecipesexplorer.model.account.User
|
||||
import dev.fyloz.colorrecipesexplorer.SpringUser
|
||||
import dev.fyloz.colorrecipesexplorer.config.properties.CreSecurityProperties
|
||||
import io.jsonwebtoken.Jwts
|
||||
import io.jsonwebtoken.SignatureAlgorithm
|
||||
import io.jsonwebtoken.io.Encoders
|
||||
import io.jsonwebtoken.security.Keys
|
||||
import java.util.*
|
||||
import javax.crypto.SecretKey
|
||||
|
||||
data class Jwt(
|
||||
val subject: String,
|
||||
val secret: String,
|
||||
val duration: Long? = null,
|
||||
val signatureAlgorithm: SignatureAlgorithm = SignatureAlgorithm.HS512,
|
||||
val claims: Map<String, Any?> = mapOf()
|
||||
) {
|
||||
val token: String by lazy {
|
||||
val builder = Jwts.builder()
|
||||
.signWith(keyFromSecret(secret))
|
||||
.setSubject(subject)
|
||||
.addClaims(claims.filterValues { it != null })
|
||||
val duration: Long,
|
||||
val signatureAlgorithm: SignatureAlgorithm = SignatureAlgorithm.HS512
|
||||
)
|
||||
|
||||
duration?.let {
|
||||
val expirationMs = System.currentTimeMillis() + it
|
||||
val expirationDate = Date(expirationMs)
|
||||
fun SpringUser.buildJwt(properties: CreSecurityProperties) =
|
||||
Jwt(this.username, properties.jwtSecret, properties.jwtDuration).build()
|
||||
|
||||
builder.setExpiration(expirationDate)
|
||||
}
|
||||
fun Jwt.build(): String {
|
||||
val expirationMs = System.currentTimeMillis() + this.duration
|
||||
val expirationDate = Date(expirationMs)
|
||||
|
||||
builder.compact()
|
||||
}
|
||||
val base64Secret = Encoders.BASE64.encode(this.secret.toByteArray())
|
||||
val key = Keys.hmacShaKeyFor(base64Secret.toByteArray())
|
||||
|
||||
return Jwts.builder()
|
||||
.setSubject(this.subject)
|
||||
.setExpiration(expirationDate)
|
||||
.signWith(key)
|
||||
.compact()
|
||||
}
|
||||
|
||||
/** Build a [Jwt] for the given [User]. */
|
||||
fun User.buildJwt(secret: String, duration: Long?) =
|
||||
Jwt(
|
||||
subject = this.id.toString(),
|
||||
secret,
|
||||
duration,
|
||||
claims = mapOf(
|
||||
"groupId" to this.group?.id,
|
||||
"groupName" to this.group?.name
|
||||
)
|
||||
)
|
||||
|
||||
/** Parses the given [jwt] string. */
|
||||
fun parseJwt(jwt: String, secret: String) =
|
||||
with(
|
||||
Jwts.parserBuilder()
|
||||
.setSigningKey(keyFromSecret(secret))
|
||||
.build()
|
||||
.parseClaimsJws(jwt)
|
||||
) {
|
||||
Jwt(this.body.subject, secret)
|
||||
}
|
||||
|
||||
/** Creates a base64 encoded [SecretKey] from the given [secret]. */
|
||||
private fun keyFromSecret(secret: String) =
|
||||
with(Encoders.BASE64.encode(secret.toByteArray())) {
|
||||
Keys.hmacShaKeyFor(this.toByteArray())
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@ server.port=9090
|
|||
# CRE
|
||||
cre.server.data-directory=data
|
||||
cre.server.config-directory=config
|
||||
cre.security.jwt-secret=CtnvGQjgZ44A1fh295gE78WWOgl8InrbwBgQsMy0
|
||||
cre.security.jwt-secret=CtnvGQjgZ44A1fh295gE
|
||||
cre.security.jwt-duration=18000000
|
||||
cre.security.aes-secret=blabla
|
||||
# Root user
|
||||
|
|
Loading…
Reference in New Issue