oauth token with jwt more security less brain

Author: mertakdut

BankApplicationBackend/pom.xml

@@ -35,10 +35,20 @@
 		<!-- <groupId>org.springframework.boot</groupId> -->
 		<!-- <artifactId>spring-boot-starter-thymeleaf</artifactId> -->
 		<!-- </dependency> -->
-		<!-- <dependency> -->
-		<!-- <groupId>org.springframework.boot</groupId> -->
-		<!-- <artifactId>spring-boot-starter-security</artifactId> -->
-		<!-- </dependency> -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-jwt</artifactId>
+			<version>1.0.7.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>com.auth0</groupId>
+			<artifactId>java-jwt</artifactId>
+			<version>3.4.0</version>
+		</dependency>
 
 		<dependency>
 			<groupId>mysql</groupId>

BankApplicationBackend/src/main/java/com/demo/bankapp/BankApplication.java

@@ -2,6 +2,9 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 @SpringBootApplication
 public class BankApplication {

BankApplicationBackend/src/main/java/com/demo/bankapp/assembler/UserResourceAssembler.java

@@ -17,7 +17,6 @@ public class UserResourceAssembler implements ResourceAssembler<User, Resource<U
 	public Resource<User> toResource(User user) {
 		return new Resource<>(user,
 				linkTo(methodOn(UserController.class).createNewUser(null)).withSelfRel(),
-				linkTo(methodOn(UserController.class).findAll()).withRel("users"),
-				linkTo(methodOn(UserController.class).login(null)).withRel("login"));
+				linkTo(methodOn(UserController.class).findAll()).withRel("users"));
 	}
 }

BankApplicationBackend/src/main/java/com/demo/bankapp/configuration/SecurityConfig.java

@@ -0,0 +1,66 @@
+package com.demo.bankapp.configuration.security;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+import static com.auth0.jwt.algorithms.Algorithm.HMAC512;
+import static com.demo.bankapp.configuration.security.SecurityConstants.EXPIRATION_TIME;
+import static com.demo.bankapp.configuration.security.SecurityConstants.HEADER_STRING;
+import static com.demo.bankapp.configuration.security.SecurityConstants.SECRET;
+import static com.demo.bankapp.configuration.security.SecurityConstants.TOKEN_PREFIX;
+
+import com.auth0.jwt.JWT;
+import com.demo.bankapp.model.User;
+
+public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
+	
+    private AuthenticationManager authenticationManager;
+
+    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
+        this.authenticationManager = authenticationManager;
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest req,
+                                                HttpServletResponse res) {
+    	
+    	try {
+    		User creds = new ObjectMapper().readValue(req.getInputStream(), User.class);
+
+            return authenticationManager.authenticate(
+                    new UsernamePasswordAuthenticationToken(
+                            creds.getUsername(),
+                            creds.getPassword(),
+                            new ArrayList<>())
+            );
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest req,
+                                            HttpServletResponse res,
+                                            FilterChain chain,
+                                            Authentication auth) throws IOException, ServletException {
+
+        String token = JWT.create()
+                .withSubject(((org.springframework.security.core.userdetails.User) auth.getPrincipal()).getUsername())
+                .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
+                .sign(HMAC512(SECRET.getBytes()));
+        res.addHeader(HEADER_STRING, TOKEN_PREFIX + token);
+    }
+}

BankApplicationBackend/src/main/java/com/demo/bankapp/configuration/security/JWTAuthenticationFilter.java

@@ -0,0 +1,56 @@
+package com.demo.bankapp.configuration.security;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static com.demo.bankapp.configuration.security.SecurityConstants.HEADER_STRING;
+import static com.demo.bankapp.configuration.security.SecurityConstants.SECRET;
+import static com.demo.bankapp.configuration.security.SecurityConstants.TOKEN_PREFIX;
+
+import java.io.IOException;
+import java.util.ArrayList;
+
+public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
+
+	public JWTAuthorizationFilter(AuthenticationManager authManager) {
+		super(authManager);
+	}
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws IOException, ServletException {
+		String header = req.getHeader(HEADER_STRING);
+
+		if (header == null || !header.startsWith(TOKEN_PREFIX)) {
+			chain.doFilter(req, res);
+			return;
+		}
+
+		UsernamePasswordAuthenticationToken authentication = getAuthentication(req);
+
+		SecurityContextHolder.getContext().setAuthentication(authentication);
+		chain.doFilter(req, res);
+	}
+
+	private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
+		String token = request.getHeader(HEADER_STRING);
+		if (token != null) {
+			// parse the token.
+			String user = JWT.require(Algorithm.HMAC512(SECRET.getBytes())).build().verify(token.replace(TOKEN_PREFIX, "")).getSubject();
+
+			if (user != null) {
+				return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
+			}
+			return null;
+		}
+		return null;
+	}
+}

BankApplicationBackend/src/main/java/com/demo/bankapp/configuration/security/JWTAuthorizationFilter.java

@@ -0,0 +1,60 @@
+package com.demo.bankapp.configuration.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import com.demo.bankapp.service.concretions.UserService;
+
+@EnableWebSecurity
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+	
+	@Autowired
+    private UserService userService;
+    
+    @Autowired
+    private PasswordEncoder passwordEncoder;
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+    	http.cors().and().csrf().disable().anonymous().and().authorizeRequests()
+        .antMatchers("/wealth/**").authenticated()
+        .antMatchers("/transfer/**").authenticated()
+        .antMatchers("/transaction/**").authenticated()
+        .antMatchers("/user/find/all").authenticated()
+        .antMatchers("/user/login").authenticated()
+        .antMatchers(HttpMethod.POST, "/user/create").permitAll()
+        .and()
+        .addFilter(new JWTAuthenticationFilter(authenticationManager()))
+        .addFilter(new JWTAuthorizationFilter(authenticationManager()))
+        // this disables session creation on Spring Security
+        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+    }
+
+    @Override
+    public void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
+    }
+
+	@Bean
+	CorsConfigurationSource corsConfigurationSource() {
+		final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+		source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
+		return source;
+	}
+	
+	@Bean
+	public PasswordEncoder passwordEncoder() {
+	    return new BCryptPasswordEncoder();
+	}
+}

BankApplicationBackend/src/main/java/com/demo/bankapp/configuration/security/SecurityConfig.java

@@ -0,0 +1,8 @@
+package com.demo.bankapp.configuration.security;
+
+public class SecurityConstants {
+	public static final String SECRET = "SecretKeyToGenJWTs";
+	public static final long EXPIRATION_TIME = 864_000_000; // 10 days
+	public static final String TOKEN_PREFIX = "Bearer ";
+	public static final String HEADER_STRING = "Authorization";
+}

BankApplicationBackend/src/main/java/com/demo/bankapp/configuration/security/SecurityConstants.java

@@ -62,21 +62,6 @@ public Resource<User> createNewUser(@RequestBody CreateNewUserRequest request) {
 		return assembler.toResource(user);
 	}
 
-	@PostMapping("/login")
-	public Resource<User> login(@RequestBody LoginRequest request) {
-
-		if (request == null) {
-			throw new BadRequestException();
-		}
-
-		if (request.getUsername() == null || request.getUsername().equals("") || request.getPassword() == null || request.getPassword().equals("")) {
-			throw new BadRequestException("Invalid credentials.");
-		}
-
-		User user = userService.login(request.getUsername(), request.getPassword());
-		return assembler.toResource(user);
-	}
-
 	private boolean isNumeric(String str) {
 		return Pattern.matches("[0-9]+", str);
 	}

BankApplicationBackend/src/main/java/com/demo/bankapp/controller/UserController.java

@@ -3,7 +3,6 @@
 import java.util.List;
 
 import com.demo.bankapp.model.User;
-import com.demo.bankapp.request.LoginRequest;
 
 public interface IUserService {
 
@@ -15,6 +14,4 @@ public interface IUserService {
 
 	User createNewUser(User user);
 
-	User login(String username, String password);
-
 }

BankApplicationBackend/src/main/java/com/demo/bankapp/service/abstractions/IUserService.java

@@ -1,19 +1,23 @@
 package com.demo.bankapp.service.concretions;
 
+import static java.util.Collections.emptyList;
+
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 
-import com.demo.bankapp.exception.BadCredentialsException;
 import com.demo.bankapp.exception.UserNotFoundException;
 import com.demo.bankapp.model.User;
 import com.demo.bankapp.repository.UserRepository;
 import com.demo.bankapp.service.abstractions.IUserService;
 
 @Service
-public class UserService implements IUserService {
+public class UserService implements IUserService, UserDetailsService {
 
 	@Autowired
 	private UserRepository repository;
@@ -32,19 +36,6 @@ public User createNewUser(User user) {
 		return repository.save(user);
 	}
 
-	@Override
-	public User login(String username, String password) {
-
-		User user = findByUserName(username);
-		String encodedPassword = passwordEncoder.encode(password);
-
-		if (!encodedPassword.equals(user.getPassword())) {
-			throw new BadCredentialsException();
-		}
-
-		return user;
-	}
-
 	@Override
 	public User findByUserName(String username) {
 		User user = repository.findByUsername(username);
@@ -64,6 +55,17 @@ public User findByTcno(String tcno) {
 		else
 			return user;
 	}
+	
+	@Override
+	public UserDetails loadUserByUsername(String username) {
+		User user = repository.findByUsername(username);
+
+		if (user == null) {
+			throw new UsernameNotFoundException(username);
+		}
+
+		return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), emptyList());
+	}
 
 	// Avoid timing attacks?
 	// private boolean isEqual(byte[] a, byte[] b) {