PMT-14: JWT Auth #1

Merged
SZUT-Dominik merged 3 commits from story/PMT-14-api-authentizierung-per into trunk 2024-09-27 11:26:16 +00:00
3 changed files with 133 additions and 0 deletions
Showing only changes of commit ead0bccfe7 - Show all commits

View file

@ -0,0 +1,57 @@
package de.hmmh.pmt.auth;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class AuthConfig {
private final JWT jwt;
AuthConfig(JWT jwt) {
this.jwt = jwt;
}
@Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
@Bean
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(sessionRegistry());
}
@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.anyRequest()
.authenticated()
)
.oauth2ResourceServer(resourceServer -> resourceServer
.jwt(jwt -> jwt
.jwtAuthenticationConverter(this.jwt.jwtAuthenticationConverter())
)
);
return http.build();
}
}

View file

@ -0,0 +1,69 @@
package de.hmmh.pmt.auth;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
@Component
public class JWT implements LogoutHandler {
private static final String REALM_ACCESS_CLAIM = "realm_access";
private static final String ROLES_CLAIM = "roles";
private static final String ROLE_PREFIX = "ROLE_";
private static final String OIDC_LOGOUT_ROUTE = "/protocol/openid-connect/logout";
private static final String OIDC_TOKEN_HINT_QUERY_PARAMETER = "id_token_hin";
private final RestTemplate template = new RestTemplate();
@Override
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
OidcUser user = (OidcUser) authentication.getPrincipal();
String endSessionEndpoint = user.getIssuer() + OIDC_LOGOUT_ROUTE;
UriComponentsBuilder builder = UriComponentsBuilder
.fromUriString(endSessionEndpoint)
.queryParam(OIDC_TOKEN_HINT_QUERY_PARAMETER, user.getIdToken().getTokenValue());
ResponseEntity<String> logoutResponse = template.getForEntity(builder.toUriString(), String.class);
if (logoutResponse.getStatusCode().is2xxSuccessful()) {
System.out.println("Logged out successfully");
} else {
System.out.println("Failed to logout");
}
}
public JwtAuthenticationConverter jwtAuthenticationConverter() {
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwt -> {
List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
Map<String, Object> realmAccess = jwt.getClaim(REALM_ACCESS_CLAIM);
if (realmAccess == null || !realmAccess.containsKey(ROLES_CLAIM)) {
return grantedAuthorities;
}
Object rolesClaim = realmAccess.get(ROLES_CLAIM);
if (!(rolesClaim instanceof List<?>)) {
return grantedAuthorities;
}
for (Object role : (List<?>) rolesClaim) {
assert role instanceof String;
grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + role));
}
return grantedAuthorities;
});
return jwtAuthenticationConverter;
}
}

View file

@ -5,8 +5,15 @@ info:
version: 1.0.0
servers:
- url: /api/v1
security:
- JWTAuth: []
components:
securitySchemes:
JWTAuth:
type: http
scheme: bearer
bearerFormat: JWT
schemas:
HelloOut:
description: "A Test Schema"