Propagate Roles from Repository

backend/build.gradle

@@ -18,6 +18,7 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-actuator'
 
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+	implementation 'org.springframework.boot:spring-boot-starter-data-rest'
 	compileOnly 'org.projectlombok:lombok'
 	annotationProcessor 'org.projectlombok:lombok'
 	implementation 'org.mariadb.jdbc:mariadb-java-client'

backend/src/main/java/de/hft/geotime/security/JWTAuthorizationFilter.java

@@ -2,8 +2,11 @@ package de.hft.geotime.security;
 
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.algorithms.Algorithm;
+import de.hft.geotime.user.TimetrackUser;
+import de.hft.geotime.user.TimetrackUserRepository;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 
@@ -12,14 +15,18 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
 
 import static de.hft.geotime.security.SecurityConstants.*;
 
 public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
 
-    public JWTAuthorizationFilter(AuthenticationManager authManager) {
+    private final TimetrackUserRepository userRepository;
+
+    public JWTAuthorizationFilter(AuthenticationManager authManager, TimetrackUserRepository userRepository) {
         super(authManager);
+        this.userRepository = userRepository;
     }
 
     @Override
@@ -41,13 +48,17 @@ public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
         String token = request.getHeader(HEADER_STRING);
         if (token != null) {
             // parse the token.
-            String user = JWT.require(Algorithm.HMAC512(SECRET.getBytes()))
+            String username = JWT.require(Algorithm.HMAC512(SECRET.getBytes()))
                     .build()
                     .verify(token.replace(TOKEN_PREFIX, ""))
                     .getSubject();
 
-            if (user != null) {
+            TimetrackUser user = userRepository.findFirstByUsername(username);
-                return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
+            SimpleGrantedAuthority role = new SimpleGrantedAuthority(user.getRole().getName());
+
+            if (username != null) {
+                List<SimpleGrantedAuthority> authorityList = Collections.singletonList(role);
+                return new UsernamePasswordAuthenticationToken(username, null, authorityList);
             }
             return null;
         }

backend/src/main/java/de/hft/geotime/security/WebSecurity.java

@@ -1,5 +1,6 @@
 package de.hft.geotime.security;
 
+import de.hft.geotime.user.TimetrackUserRepository;
 import de.hft.geotime.user.UserDetailsServiceImpl;
 import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpMethod;
@@ -19,10 +20,12 @@ import static de.hft.geotime.security.SecurityConstants.SIGN_UP_URL;
 public class WebSecurity extends WebSecurityConfigurerAdapter {
     private final UserDetailsServiceImpl userDetailsService;
     private final BCryptPasswordEncoder bCryptPasswordEncoder;
+    private final TimetrackUserRepository userRepository;
 
-    public WebSecurity(UserDetailsServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
+    public WebSecurity(UserDetailsServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder, TimetrackUserRepository userRepository) {
         this.userDetailsService = userDetailsService;
         this.bCryptPasswordEncoder = bCryptPasswordEncoder;
+        this.userRepository = userRepository;
     }
 
     @Override
@@ -32,7 +35,7 @@ public class WebSecurity extends WebSecurityConfigurerAdapter {
                 .anyRequest().authenticated()
                 .and()
                 .addFilter(new JWTAuthenticationFilter(authenticationManager()))
-                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
+                .addFilter(new JWTAuthorizationFilter(authenticationManager(), userRepository))
                 // this disables session creation on Spring Security
                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
     }

backend/src/main/java/de/hft/geotime/user/UserController.java

@@ -10,8 +10,8 @@ import java.util.HashMap;
 @RequestMapping("/user")
 public class UserController {
 
-    private TimetrackUserRepository userRepository;
+    private final TimetrackUserRepository userRepository;
-    private BCryptPasswordEncoder bCryptPasswordEncoder;
+    private final BCryptPasswordEncoder bCryptPasswordEncoder;
 
     public UserController(TimetrackUserRepository userRepository, BCryptPasswordEncoder bCryptPasswordEncoder) {
         this.userRepository = userRepository;
@@ -21,7 +21,12 @@ public class UserController {
     @GetMapping
     public String getUsername(Authentication authentication) {
         TimetrackUser timetrackUser = userRepository.findFirstByUsername(authentication.getName());
-        return "Welcome back " + timetrackUser.getFirstname() + " " + timetrackUser.getLastname();
+        return "Welcome back "
+                + timetrackUser.getFirstname()
+                + " "
+                + timetrackUser.getLastname()
+                + " roles from Auth: "
+                + authentication.getAuthorities();
     }
 
     // TODO: implement register, maybe move to another class

backend/src/main/java/de/hft/geotime/user/UserDetailsServiceImpl.java

@@ -1,12 +1,13 @@
 package de.hft.geotime.user;
 
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
 
-import java.util.Collections;
+import java.util.Arrays;
 
 @Service
 public class UserDetailsServiceImpl implements UserDetailsService {
@@ -23,7 +24,17 @@ public class UserDetailsServiceImpl implements UserDetailsService {
         if (timetrackUser == null) {
             throw new UsernameNotFoundException(username);
         }
-        System.out.println("Loaded user " + timetrackUser.getFirstname() + " " + timetrackUser.getLastname());
+        System.out.println("Loaded user "
-        return new User(timetrackUser.getUsername(), timetrackUser.getPassword(), Collections.emptyList());
+                + timetrackUser.getFirstname()
+                + " "
+                + timetrackUser.getLastname()
+                + " with role: "
+                + timetrackUser.getRole().getName()
+        );
+        return new User(
+                timetrackUser.getUsername(),
+                timetrackUser.getPassword(),
+                Arrays.asList(new SimpleGrantedAuthority(timetrackUser.getRole().getName()))
+        );
     }
 }