From e4f427e9ff8b97637b524fb979984900a62e430c Mon Sep 17 00:00:00 2001
From: Marcel Schwarz
Date: Sat, 9 May 2020 18:37:26 +0200
Subject: [PATCH] Propagate Roles from Repository
---
 backend/build.gradle | 1 +
 .../security/JWTAuthorizationFilter.java | 21 ++++++++++++++-----
 .../de/hft/geotime/security/WebSecurity.java | 7 +++++--
 .../de/hft/geotime/user/UserController.java | 11 +++++++---
 .../geotime/user/UserDetailsServiceImpl.java | 17 ++++++++++++---
 5 files changed, 44 insertions(+), 13 deletions(-)
diff --git a/backend/build.gradle b/backend/build.gradle
index 499d544..2d135e8 100644
--- a/backend/build.gradle
+++ b/backend/build.gradle
@@ -18,6 +18,7 @@ dependencies {
 implementation 'org.springframework.boot:spring-boot-starter-actuator'
 implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+ implementation 'org.springframework.boot:spring-boot-starter-data-rest'
 compileOnly 'org.projectlombok:lombok'
 annotationProcessor 'org.projectlombok:lombok'
 implementation 'org.mariadb.jdbc:mariadb-java-client'
diff --git a/backend/src/main/java/de/hft/geotime/security/JWTAuthorizationFilter.java b/backend/src/main/java/de/hft/geotime/security/JWTAuthorizationFilter.java
index 7a9525f..1fc719d 100644
--- a/backend/src/main/java/de/hft/geotime/security/JWTAuthorizationFilter.java
+++ b/backend/src/main/java/de/hft/geotime/security/JWTAuthorizationFilter.java
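Review bot: `spring-boot-starter-data-rest` is added to the dependency block but nothing else in the commit uses it, and once it is on the classpath Spring Data REST exports every Spring Data repository as HTTP resources by default — presumably including `TimetrackUserRepository`, whose entity the other hunks show carries the user's password and role. `.anyRequest().authenticated()` in WebSecurity would put those endpoints behind a valid token, but any authenticated user could then read and modify user entities through them. If the starter is really needed, set `spring.data.rest.detection-strategy=annotated` and export only the intended repositories (`@RepositoryRestResource(exported = false)` on the user repository); otherwise drop the dependency.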
@@ -2,8 +2,11 @@ package de.hft.geotime.security;
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.algorithms.Algorithm;
+import de.hft.geotime.user.TimetrackUser;
+import de.hft.geotime.user.TimetrackUserRepository;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -12,14 +15,18 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
 import static de.hft.geotime.security.SecurityConstants.*;
 public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
- public JWTAuthorizationFilter(AuthenticationManager authManager) {
+ private final TimetrackUserRepository userRepository;
+
+ public JWTAuthorizationFilter(AuthenticationManager authManager, TimetrackUserRepository userRepository) {
 super(authManager);
+ this.userRepository = userRepository;
 }
 @Override
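Review bot: The new constructor stores `userRepository` without a null check, and because WebSecurity builds this filter with `new` rather than through container injection, a missing repository would only surface as a NullPointerException on the first request that carries a token. Fail at construction instead, `this.userRepository = Objects.requireNonNull(userRepository, "userRepository");` (with `java.util.Objects` imported), and give the constructor a Javadoc line such as `@param userRepository looks up the user whose role becomes the token's single granted authority`.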
@@ -41,13 +48,17 @@ public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
 String token = request.getHeader(HEADER_STRING);
 if (token != null) {
 // parse the token.
- String user = JWT.require(Algorithm.HMAC512(SECRET.getBytes()))
+ String username = JWT.require(Algorithm.HMAC512(SECRET.getBytes()))
 .build()
 .verify(token.replace(TOKEN_PREFIX, ""))
 .getSubject();
- if (user != null) {
- return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
+ TimetrackUser user = userRepository.findFirstByUsername(username);
+ SimpleGrantedAuthority role = new SimpleGrantedAuthority(user.getRole().getName());
+
+ if (username != null) {
+ List authorityList = Collections.singletonList(role);
+ return new UsernamePasswordAuthenticationToken(username, null, authorityList);
 }
 return null;
 }
diff --git a/backend/src/main/java/de/hft/geotime/security/WebSecurity.java b/backend/src/main/java/de/hft/geotime/security/WebSecurity.java
index 63c3213..7556627 100644
--- a/backend/src/main/java/de/hft/geotime/security/WebSecurity.java
+++ b/backend/src/main/java/de/hft/geotime/security/WebSecurity.java
@@ -1,5 +1,6 @@
 package de.hft.geotime.security;
+import de.hft.geotime.user.TimetrackUserRepository;
 import de.hft.geotime.user.UserDetailsServiceImpl;
 import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpMethod;
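Review bot: `userRepository.findFirstByUsername(username)` and `user.getRole().getName()` now run before the `username != null` guard and without a null check on `user`, so a correctly signed token whose subject no longer matches an account (deleted or renamed user, or a subject-less token) throws a NullPointerException inside the filter instead of leaving the request unauthenticated; UserDetailsServiceImpl in this same commit treats a null result from `findFirstByUsername` as "not found", so that path is reachable. Move the lookup inside the guard, return null when no user is found, and replace the raw `List` with `List<SimpleGrantedAuthority>`. The enclosing method begins outside the hunk.
```java
// … unchanged: token verification and getSubject() …
if (username != null) {
    TimetrackUser user = userRepository.findFirstByUsername(username);
    if (user == null) {
        // signed token for an account that no longer exists: treat as unauthenticated
        return null;
    }
    List<SimpleGrantedAuthority> authorityList =
            Collections.singletonList(new SimpleGrantedAuthority(user.getRole().getName()));
    return new UsernamePasswordAuthenticationToken(username, null, authorityList);
}
return null;
```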
@@ -19,10 +20,12 @@ import static de.hft.geotime.security.SecurityConstants.SIGN_UP_URL;
 public class WebSecurity extends WebSecurityConfigurerAdapter {
 private final UserDetailsServiceImpl userDetailsService;
 private final BCryptPasswordEncoder bCryptPasswordEncoder;
+ private final TimetrackUserRepository userRepository;
- public WebSecurity(UserDetailsServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
+ public WebSecurity(UserDetailsServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder, TimetrackUserRepository userRepository) {
 this.userDetailsService = userDetailsService;
 this.bCryptPasswordEncoder = bCryptPasswordEncoder;
+ this.userRepository = userRepository;
 }
 @Override
@@ -32,7 +35,7 @@ public class WebSecurity extends WebSecurityConfigurerAdapter {
 .anyRequest().authenticated()
 .and()
 .addFilter(new JWTAuthenticationFilter(authenticationManager()))
- .addFilter(new JWTAuthorizationFilter(authenticationManager()))
+ .addFilter(new JWTAuthorizationFilter(authenticationManager(), userRepository))
 // this disables session creation on Spring Security
 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
 }
diff --git a/backend/src/main/java/de/hft/geotime/user/UserController.java b/backend/src/main/java/de/hft/geotime/user/UserController.java
index 5d73f85..8dad747 100644
--- a/backend/src/main/java/de/hft/geotime/user/UserController.java
+++ b/backend/src/main/java/de/hft/geotime/user/UserController.java
@@ -10,8 +10,8 @@ import java.util.HashMap;
 @RequestMapping("/user")
 public class UserController {
- private TimetrackUserRepository userRepository;
- private BCryptPasswordEncoder bCryptPasswordEncoder;
+ private final TimetrackUserRepository userRepository;
+ private final BCryptPasswordEncoder bCryptPasswordEncoder;
 public UserController(TimetrackUserRepository userRepository, BCryptPasswordEncoder bCryptPasswordEncoder) {
 this.userRepository = userRepository;
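Review bot: WebSecurity now takes a `TimetrackUserRepository` solely to hand it to `JWTAuthorizationFilter`, while it already holds `userDetailsService`, whose `loadUserByUsername` (changed in this same commit) does the same lookup and the same role-to-`SimpleGrantedAuthority` mapping; the mapping is now duplicated in two classes and the two copies will drift. Consider passing `userDetailsService` to the filter instead and taking the authorities from the returned `UserDetails`, which also reuses its not-found handling; the extra constructor parameter and field added here would then be unnecessary. If the repository is kept, `Objects.requireNonNull(userRepository, "userRepository")` in the constructor matches the `final` fields' intent.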
@@ -21,7 +21,12 @@ public class UserController {
 @GetMapping
 public String getUsername(Authentication authentication) {
 TimetrackUser timetrackUser = userRepository.findFirstByUsername(authentication.getName());
- return "Welcome back " + timetrackUser.getFirstname() + " " + timetrackUser.getLastname();
+ return "Welcome back " +
+ timetrackUser.getFirstname() +
+ " " +
+ timetrackUser.getLastname() +
+ " roles from Auth: " +
+ authentication.getAuthorities();
 }
 // TODO: implement register, maybe move to another class
diff --git a/backend/src/main/java/de/hft/geotime/user/UserDetailsServiceImpl.java b/backend/src/main/java/de/hft/geotime/user/UserDetailsServiceImpl.java
index 365b6f8..8fbdcca 100644
--- a/backend/src/main/java/de/hft/geotime/user/UserDetailsServiceImpl.java
+++ b/backend/src/main/java/de/hft/geotime/user/UserDetailsServiceImpl.java
@@ -1,12 +1,13 @@
 package de.hft.geotime.user;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
-import java.util.Collections;
+import java.util.Arrays;
 @Service
 public class UserDetailsServiceImpl implements UserDetailsService {
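Review bot: The rewritten return in `getUsername` appends `" roles from Auth: " + authentication.getAuthorities()` to a user-facing greeting, which reads like a debugging aid left in the response; the `toString()` of a `Collection<GrantedAuthority>` has no stable format, so if a client needs the caller's roles they belong in a field of a structured response, not in the text. If the plain-text form is intentional, `return String.format("Welcome back %s %s roles from Auth: %s", timetrackUser.getFirstname(), timetrackUser.getLastname(), authentication.getAuthorities());` states the format in one place instead of six concatenated lines. `timetrackUser` is still dereferenced without a null check, as before the change.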
@@ -23,7 +24,17 @@ public class UserDetailsServiceImpl implements UserDetailsService {
 if (timetrackUser == null) {
 throw new UsernameNotFoundException(username);
 }
- System.out.println("Loaded user " + timetrackUser.getFirstname() + " " + timetrackUser.getLastname());
- return new User(timetrackUser.getUsername(), timetrackUser.getPassword(), Collections.emptyList());
+ System.out.println("Loaded user " +
+ timetrackUser.getFirstname() +
+ " " +
+ timetrackUser.getLastname() +
+ " with role: " +
+ timetrackUser.getRole().getName()
+ );
+ return new User(
+ timetrackUser.getUsername(),
+ timetrackUser.getPassword(),
+ Arrays.asList(new SimpleGrantedAuthority(timetrackUser.getRole().getName()))
+ );
 }
 }
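Review bot: The expanded `System.out.println` writes the user's first name, last name and role to stdout on every login, bypassing the application's logging configuration and levels; replace it with a logger call such as `log.debug("Loaded user {} {} with role {}", timetrackUser.getFirstname(), timetrackUser.getLastname(), timetrackUser.getRole().getName());` or drop it. `Arrays.asList(...)` of a single element also swapped the `Collections` import for a fixed-size list; `Collections.singletonList(new SimpleGrantedAuthority(timetrackUser.getRole().getName()))` keeps the original import and yields an immutable list. `timetrackUser.getRole()` is dereferenced twice without a null check; whether a user can exist without a role cannot be seen from the hunk, but if it can, login fails with a NullPointerException rather than an authentication error. The method's signature lies outside the hunk.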