Propagate Roles from Repository

Marcel Schwarz 2020-05-09 18:37:26 +02:00
parent 46262af668
commit e4f427e9ff
5 changed files with 44 additions and 13 deletions


@ -18,6 +18,7 @@ dependencies {
implementation 'org.springframework.boot:spring-boot-starter-actuator' implementation 'org.springframework.boot:spring-boot-starter-actuator'
implementation 'org.springframework.boot:spring-boot-starter-data-jpa' implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
implementation 'org.springframework.boot:spring-boot-starter-data-rest'
compileOnly 'org.projectlombok:lombok' compileOnly 'org.projectlombok:lombok'
annotationProcessor 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok'
implementation 'org.mariadb.jdbc:mariadb-java-client' implementation 'org.mariadb.jdbc:mariadb-java-client'
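Review bot: Adding `spring-boot-starter-data-rest` has a side effect the commit does not address: with its default detection strategy Spring Data REST exports every public Spring Data repository as an HTTP resource, which would include `TimetrackUserRepository` and therefore `TimetrackUser` rows carrying `role` and the bcrypt `password` hash. `WebSecurity`'s `.anyRequest().authenticated()` keeps those generated endpoints from anonymous callers, but any logged-in user could presumably list or modify other accounts through them unless the repository is excluded, which is not visible in this diff. Consider `spring.data.rest.detection-strategy=annotated` in the application properties, or `@RepositoryRestResource(exported = false)` on `TimetrackUserRepository`, before the starter is merged.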


@ -2,8 +2,11 @@ package de.hft.geotime.security;
import com.auth0.jwt.JWT; import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm; import com.auth0.jwt.algorithms.Algorithm;
import de.hft.geotime.user.TimetrackUser;
import de.hft.geotime.user.TimetrackUserRepository;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@ -12,14 +15,18 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.Collections;
import java.util.List;
import static de.hft.geotime.security.SecurityConstants.*; import static de.hft.geotime.security.SecurityConstants.*;
public class JWTAuthorizationFilter extends BasicAuthenticationFilter { public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
public JWTAuthorizationFilter(AuthenticationManager authManager) { private final TimetrackUserRepository userRepository;
public JWTAuthorizationFilter(AuthenticationManager authManager, TimetrackUserRepository userRepository) {
super(authManager); super(authManager);
this.userRepository = userRepository;
} }
@Override @Override
@ -41,13 +48,17 @@ public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
String token = request.getHeader(HEADER_STRING); String token = request.getHeader(HEADER_STRING);
if (token != null) { if (token != null) {
// parse the token. // parse the token.
String user = JWT.require(Algorithm.HMAC512(SECRET.getBytes())) String username = JWT.require(Algorithm.HMAC512(SECRET.getBytes()))
.build() .build()
.verify(token.replace(TOKEN_PREFIX, "")) .verify(token.replace(TOKEN_PREFIX, ""))
.getSubject(); .getSubject();
if (user != null) { TimetrackUser user = userRepository.findFirstByUsername(username);
return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>()); SimpleGrantedAuthority role = new SimpleGrantedAuthority(user.getRole().getName());
if (username != null) {
List<SimpleGrantedAuthority> authorityList = Collections.singletonList(role);
return new UsernamePasswordAuthenticationToken(username, null, authorityList);
} }
return null; return null;
} }
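Review bot: `user.getRole().getName()` on the line after `findFirstByUsername` runs before the `username != null` guard and with no null check on `user`, so a correctly signed token whose subject no longer matches a repository row (deleted or renamed account) throws a NullPointerException inside the filter instead of leaving the request unauthenticated. Moving the lookup inside the guard and returning `null` when no user or role is found lets `.anyRequest().authenticated()` reject the request cleanly and avoids a repository query for tokens that carry no subject. The enclosing method's signature lies above this hunk, so the surrounding `if (token != null)` block is kept as is.
```java
            if (username == null) {
                return null;
            }
            TimetrackUser user = userRepository.findFirstByUsername(username);
            if (user == null || user.getRole() == null) {
                // Signed token for an account that no longer exists or has no role: treat as unauthenticated.
                return null;
            }
            List<SimpleGrantedAuthority> authorityList =
                    Collections.singletonList(new SimpleGrantedAuthority(user.getRole().getName()));
            return new UsernamePasswordAuthenticationToken(username, null, authorityList);
```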


@ -1,5 +1,6 @@
package de.hft.geotime.security; package de.hft.geotime.security;
import de.hft.geotime.user.TimetrackUserRepository;
import de.hft.geotime.user.UserDetailsServiceImpl; import de.hft.geotime.user.UserDetailsServiceImpl;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
@ -19,10 +20,12 @@ import static de.hft.geotime.security.SecurityConstants.SIGN_UP_URL;
public class WebSecurity extends WebSecurityConfigurerAdapter { public class WebSecurity extends WebSecurityConfigurerAdapter {
private final UserDetailsServiceImpl userDetailsService; private final UserDetailsServiceImpl userDetailsService;
private final BCryptPasswordEncoder bCryptPasswordEncoder; private final BCryptPasswordEncoder bCryptPasswordEncoder;
private final TimetrackUserRepository userRepository;
public WebSecurity(UserDetailsServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) { public WebSecurity(UserDetailsServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder, TimetrackUserRepository userRepository) {
this.userDetailsService = userDetailsService; this.userDetailsService = userDetailsService;
this.bCryptPasswordEncoder = bCryptPasswordEncoder; this.bCryptPasswordEncoder = bCryptPasswordEncoder;
this.userRepository = userRepository;
} }
@Override @Override
@ -32,7 +35,7 @@ public class WebSecurity extends WebSecurityConfigurerAdapter {
.anyRequest().authenticated() .anyRequest().authenticated()
.and() .and()
.addFilter(new JWTAuthenticationFilter(authenticationManager())) .addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager())) .addFilter(new JWTAuthorizationFilter(authenticationManager(), userRepository))
// this disables session creation on Spring Security // this disables session creation on Spring Security
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
} }


@ -10,8 +10,8 @@ import java.util.HashMap;
@RequestMapping("/user") @RequestMapping("/user")
public class UserController { public class UserController {
private TimetrackUserRepository userRepository; private final TimetrackUserRepository userRepository;
private BCryptPasswordEncoder bCryptPasswordEncoder; private final BCryptPasswordEncoder bCryptPasswordEncoder;
public UserController(TimetrackUserRepository userRepository, BCryptPasswordEncoder bCryptPasswordEncoder) { public UserController(TimetrackUserRepository userRepository, BCryptPasswordEncoder bCryptPasswordEncoder) {
this.userRepository = userRepository; this.userRepository = userRepository;
@ -21,7 +21,12 @@ public class UserController {
@GetMapping @GetMapping
public String getUsername(Authentication authentication) { public String getUsername(Authentication authentication) {
TimetrackUser timetrackUser = userRepository.findFirstByUsername(authentication.getName()); TimetrackUser timetrackUser = userRepository.findFirstByUsername(authentication.getName());
return "Welcome back " + timetrackUser.getFirstname() + " " + timetrackUser.getLastname(); return "Welcome back "
+ timetrackUser.getFirstname()
+ " "
+ timetrackUser.getLastname()
+ " roles from Auth: "
+ authentication.getAuthorities();
} }
// TODO: implement register, maybe move to another class // TODO: implement register, maybe move to another class
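Review bot: The appended `" roles from Auth: " + authentication.getAuthorities()` in `getUsername` reads like debugging output left in a user-facing response: it relies on the `toString()` of a `Collection<GrantedAuthority>`, which is not a stable format for clients to parse. If the caller's roles are meant to be part of the API, return them as a structured field (a small response record or map alongside the name) rather than concatenated into the greeting string; otherwise drop the suffix. Unrelated to this change but worth noting while here: `timetrackUser` is dereferenced without a null check on the `findFirstByUsername` result, which presumably cannot be null for an authenticated principal but is not guarded.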


@ -1,12 +1,13 @@
package de.hft.geotime.user; package de.hft.geotime.user;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import java.util.Collections; import java.util.Arrays;
@Service @Service
public class UserDetailsServiceImpl implements UserDetailsService { public class UserDetailsServiceImpl implements UserDetailsService {
@ -23,7 +24,17 @@ public class UserDetailsServiceImpl implements UserDetailsService {
if (timetrackUser == null) { if (timetrackUser == null) {
throw new UsernameNotFoundException(username); throw new UsernameNotFoundException(username);
} }
System.out.println("Loaded user " + timetrackUser.getFirstname() + " " + timetrackUser.getLastname()); System.out.println("Loaded user "
return new User(timetrackUser.getUsername(), timetrackUser.getPassword(), Collections.emptyList()); + timetrackUser.getFirstname()
+ " "
+ timetrackUser.getLastname()
+ " with role: "
+ timetrackUser.getRole().getName()
);
return new User(
timetrackUser.getUsername(),
timetrackUser.getPassword(),
Arrays.asList(new SimpleGrantedAuthority(timetrackUser.getRole().getName()))
);
} }
} }
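Review bot: The authority in the new `User(...)` call is built from `timetrackUser.getRole().getName()` verbatim; Spring's `hasRole("X")` matches the authority `ROLE_X`, so unless the stored role names already carry the `ROLE_` prefix (not visible here) any URL or method rule must use `hasAuthority(...)` instead, and a user whose `getRole()` is null would throw a NullPointerException before the `User` is constructed — `if (timetrackUser.getRole() == null) throw new UsernameNotFoundException(username);` would fail closed. `JWTAuthorizationFilter` in the same commit wraps the identical authority with `Collections.singletonList`, so using that here instead of `Arrays.asList(...)` keeps the two paths consistent and avoids swapping the `Collections` import for `Arrays`. The extended `System.out.println` of the loaded user's name and role on every authentication belongs in an SLF4J logger at debug level rather than stdout.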