InSource Software We use customer driven development, which allows us to deliver tailored solutions to real world problems through shared vision built on trust, teamwork and collaboration. Innovation and craftsmanship come standard. https://insource.io/ ZeroMQ with Spring Boot, Part 2 https://insource.io/blog/articles/zeromq-on-spring-boot-part-2.html Sat, 09 Jan 2021 00:00:00 +0000 <h2 id="introduction">Introduction</h2> <p>In the <a href="/blog/articles/zeromq-on-spring-boot.html">previous article</a>, we discussed using a heavy-weight broker for communication in a microservices architecture versus a more zen/zero/minimal approach. In this article, we’ll explore some examples and practical applications and look at how well it might actually work.</p> <h2 id="use-case---distributed-logging">Use Case - Distributed Logging</h2> <p>Let’s say we want to build a distributed logging solution for our distributed architecture. Further, let’s make it more difficult and say that our organization has placed limitations on us that we can either use our cloud platform’s fire-hose as input and get this for free, or build a solution that requires no additional infrastructure to stand up.</p> <p>Now, the only readily available option our ops team has given us is to use the fire-hose. Effectively, this means using the STDOUT stream from each of our JVMs, Node.js servers, what have you, to go directly to the logging server, for example a Splunk cluster. However, this solution is ignorant to the nature of our logs. On the JVM, errors in the form of a stack trace are structured as multiple lines written to STDOUT. There would be no clean way to view all lines of the stack trace as a single record in Splunk. True story.</p> <p>Let’s build a solution</p> <h3 id="logging-adapter">Logging Adapter</h3> <p>Let’s say you’re using slf4j to log to a logback appender, which logs to STDOUT. This is the default in Spring Boot. Most teams won’t ever go beyond this unless forced to. Here’s an intentionally over-simplified logback appender to log to STDOUT:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">ConsoleAppender</span> <span class="kd">implements</span> <span class="nc">Appender</span><span class="o">&lt;</span><span class="nc">ILoggingEvent</span><span class="o">&gt;</span> <span class="o">{</span> <span class="o">...</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">doAppend</span><span class="o">(</span><span class="nc">ILoggingEvent</span> <span class="n">event</span><span class="o">)</span> <span class="o">{</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">event</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Let’s replace this with Spring ZeroMQ. To do that, we will need a <code class="language-plaintext highlighter-rouge">ZmqTemplate</code>. For simplicity, let’s assume we can take it as a constructor parameter.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">ZmqAppender</span> <span class="kd">implements</span> <span class="nc">Appender</span><span class="o">&lt;</span><span class="nc">ILoggingEvent</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">ZmqTemplate</span> <span class="n">zmqTemplate</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">ZmqAppender</span><span class="o">(</span><span class="nc">ZmqTemplate</span> <span class="n">zmqTemplate</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">zmqTemplate</span> <span class="o">=</span> <span class="n">zmqTemplate</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">doAppend</span><span class="o">(</span><span class="nc">ILoggingEvent</span> <span class="n">event</span><span class="o">)</span> <span class="o">{</span> <span class="n">zmqTemplate</span><span class="o">.</span><span class="na">send</span><span class="o">(</span><span class="n">event</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Now at this point, we aren’t doing much of anything impressive. We’re probably dropping the stack trace (if any) on the floor, and we throw away most of the useful data of the event as well, in favor of capturing only the log message. We’ll address this in a future post if there’s interest.</p> <p>From here, we must ask ourselves: “How do we get this data into Splunk?” Remember that <code class="language-plaintext highlighter-rouge">ZmqTemplate</code>? Configure it this way:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableZmqPublisher</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">PublisherConfiguration</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">ZmqTemplate</span> <span class="nf">zmqTemplate</span><span class="o">()</span> <span class="o">{</span> <span class="nc">ZmqTemplate</span> <span class="n">zmqTemplate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ZmqTemplate</span><span class="o">();</span> <span class="n">zmqTemplate</span><span class="o">.</span><span class="na">setTopic</span><span class="o">(</span><span class="s">"logs"</span><span class="o">);</span> <span class="n">zmqTemplate</span><span class="o">.</span><span class="na">setRoutingKey</span><span class="o">(</span><span class="s">"LoggingEvent"</span><span class="o">);</span> <span class="n">zmqTemplate</span><span class="o">.</span><span class="na">setMessageConverter</span><span class="o">(</span><span class="k">new</span> <span class="nc">LoggingEventMessageConverter</span><span class="o">());</span> <span class="k">return</span> <span class="n">zmqTemplate</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>And configure the publisher thread in your <code class="language-plaintext highlighter-rouge">application.yml</code>:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">zmq</span><span class="pi">:</span> <span class="na">publisher</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">log-service.apps.mydomain.com</span> <span class="na">port</span><span class="pi">:</span> <span class="m">5678</span> <span class="na">topics</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">logs</span> </code></pre></div></div> <p>So we probably need some kind of highly-available broker to slurp in those logs, right? We could do that, but our ops team has said that’s a non-starter. Curse them! Ok, what else can we do?</p> <p>I’m guessing you already have a microservice somewhere in your architecture that isn’t doing anything most of the time. In a recent project, we had a remote deposit capture service sitting there that occasionally processed deposits from a mobile phone. The rest of the time, it was bored. Let’s just package up a library that turns that service into a logging service.</p> <h3 id="logging-service">Logging Service</h3> <p>In the config above, notice we referenced a hypothetical service called <code class="language-plaintext highlighter-rouge">log-service</code>. Using your cloud platform of choice, go ahead and bind that URL to your bored microservice. In our case, <code class="language-plaintext highlighter-rouge">log-service.apps.mydomain.com</code> —&gt; <code class="language-plaintext highlighter-rouge">remote-deposit-service.apps.mydomain.com</code>.</p> <p>Now, we create a project that utilizes Spring Boot dependencies (the build file looks pretty much just like a spring boot app minus the spring boot plugin), but isn’t itself a microservice. Call it a micro library.</p> <p>Add a <code class="language-plaintext highlighter-rouge">src/main/resources/META-INF/spring.factories</code> with the following:</p> <div class="language-properties highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="py">org.springboot.boot.autoconfigure.EnableAutoConfiguration</span><span class="p">=</span><span class="se">\ </span><span class="s">com.mydomain.logging.autoconfigure.LoggingAutoConfiguration</span> </code></pre></div></div> <p>Here’s the <code class="language-plaintext highlighter-rouge">LoggingAutoConfiguration</code> class:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableZmqSubscriber</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">LoggingAutoConfiguration</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">LoggingSubscriber</span> <span class="nf">loggingSubscriber</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">LoggingSubscriber</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">MessageConverter</span> <span class="nf">messageConverter</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">LoggingEventMessageConverter</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <div class="alert alert-info" role="alert"> Note: The <code>@EnableZmqSubscriber</code> above doesn't actually work right now. You'll need to add <code>zmq.subscriber.enabled: true</code> in your <code>application.yml</code> for now. This will be fixed in a future release. </div> <p>Implementing the <code class="language-plaintext highlighter-rouge">LoggingEventMessageConverter</code> is slightly beyond the scope of this article. However, refer to <a href="https://github.com/sjohnr/gsl-java-codecs">this project</a> for a way to generate code that works with Spring ZeroMQ.</p> <p>We just need a <code class="language-plaintext highlighter-rouge">LoggingSubscriber</code> to finish it out:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@ZmqSubscriber</span><span class="o">({</span> <span class="nd">@QueueBinding</span><span class="o">(</span><span class="n">topic</span> <span class="o">=</span> <span class="s">"logs"</span><span class="o">,</span> <span class="n">key</span> <span class="o">=</span> <span class="s">"LoggingEvent"</span><span class="o">,</span> <span class="n">queue</span> <span class="o">=</span> <span class="s">"splunk-logs"</span><span class="o">)</span> <span class="o">})</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">LoggingSubscriber</span> <span class="o">{</span> <span class="nd">@ZmqHandler</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">onLoggingEvent</span><span class="o">(</span><span class="nc">LoggingEvent</span> <span class="n">event</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Send log data to Splunk...</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Sadly, I will not be covering how to actually put the log data into Splunk. It is just a convenient use-case and example. You will have to do that work yourself.</p> <p>Now, just drop this jar into the microservice that needs a second job (think sand-bucket holder). If you find that you can’t afford to tax this service with the job any longer, it takes less than 5 minutes to move it to another. If you can’t find anything available that has spare compute to do the job, then just stand up a brand new microservice to do it. Takes another 5 minutes. In this way, you are embracing the ZeroMQ philosophy (and just a darn good philosophy in general) that if you start simple, and do the next right thing, you will always find a simple path forward to the next one, and so on.</p> <p>But will it be worth it?</p> <h2 id="does-it-work">Does it work?</h2> <p>To answer whether or not this solution will work well in practice, first consider the alternative. In order to do this in a “traditional way,” we would either need a solution handed to us by our ops team (please don’t count on this, though thank them if they provide one to you), or we would need to convince our organization to buy one for us. Buying a logging solution (they’ve already paid for Splunk in this example), is likely not an option. Why do they hire engineers to solve problems for them, if the engineers say “It’s not something I can solve. Just buy something.” That’s ridiculous. Yet all too common.</p> <p>Another alternative would be to demand a message broker. That’s a fine option. But how much would it save you? Answer: Nothing. It actually costs you something extra. And it’s the same amount of work. Yet you don’t get near the same flexibility. You aren’t in complete control of your architecture. You’re now reliant on the ops team (remember the one who refused to provide a solution in the first place?) to maintain the broker. It’s OK… but not a great place to be if you don’t need to be there. I prefer to be in complete control over the entire architecture, and let the ops team handle non-solution-oriented infrastructure only. Trust me, they prefer it that way too.</p> <h2 id="conclusion">Conclusion</h2> <p>In this article, we’ve learned how to solve a common and annoying problem with distributed logging by using spare compute, a bit of creativity, and Spring Boot without the use of a message broker. We were able to leverage <a href="https://github.com/InSourceSoftware/in-spring-zeromq">in-spring-zeromq</a> to do a job that seemed daunting, and spend less than hours on the solution. Next time, we’ll examine another interesting use case involving user activity, to find out what our users are up to.</p> https://insource.io/blog/articles/zeromq-on-spring-boot-part-2.html ZeroMQ with Spring Boot https://insource.io/blog/articles/zeromq-on-spring-boot.html Fri, 08 Jan 2021 00:00:00 +0000 <h2 id="introduction">Introduction</h2> <p>In the <a href="/blog/articles/stateless-sessions-with-spring-boot.html">previous article</a>, we discussed how to use Zuul’s reverse-proxy functionality to propagate session information in a stateless way. In this article, we’ll discuss something entirely different, namely a library for getting more mileage for your messaging buck.</p> <h2 id="new-solutions-to-old-problems">New Solutions to Old Problems</h2> <p>In the last year, I’ve worked heavily on some side projects that required thinking outside the box a bit in terms of minimizing dependencies and setup. When wanting to deploy an efficient and elegant solution to a messy problem, the last thing I wanted to tell a client or potential customer was that they had to spend more or learn additional tools just to use my solution. One thing that comes up a lot when connecting distributed architectures together is a communication layer.</p> <p>There are a lot of options for this (though the obsession with messaging tools has died down a bit as microservices have become more mainstream, and AI and ML and other data-centric tech took center stage in the last few years). What I’ve seen working for a large private bank here in the midwestern U.S. is a fairly 1-size-fits-all approach. Just pick a single, decently good messaging platform, and bake it into your operational service offerings for all the developers in your organization to pull into their projects and use in any way they see fit. Normally, I’d be fine with this, as an enterprise knows what they want, and if it’s a good tool, then widespread adoption just makes it cheaper, easier to reuse, and lowers the onboarding and maintenance burden considerably.</p> <p>(It’s worth mentioning at this point that not all is sunshine and roses in the messaging garden. More on this later.)</p> <p>What if you want to develop a more generalized tool that doesn’t cost a fortune, yet lowers development costs, saves cycle time, hardware resources, and all the other niceties you want in a fancy sales pitch? When it comes to messaging tools, most in the (JVM) microservices circuit will probably go with Kafka or RabbitMQ, with RabbitMQ being possibly the more common choice (depending on the use case and the organization). After all, it’s free and open source of course. It seems well accepted and well understood. Better yet, it has awesome support in most modern frameworks and cloud ecosystems. So why not use it?</p> <p>I’m not going to sell you on that point. Let’s just look at an alternative, and you be the judge.</p> <h2 id="zeromq-for-connectivity">ZeroMQ for connectivity</h2> <p>I won’t say much here for why or why not choose ZeroMQ as a technology for your connectivity needs. If you’re curious, you can check out the <a href="http://zguide.zeromq.org/">ZeroMQ Guide</a> for an in-depth look at this technology. Just know, it’s not necessarily going to be the new hotness or fastest growing open source library in 2021. But it’s been around a long time, and is steadily growing in maturity, and solidly proves itself time and time again as an approachable tool for connecting distributed architectures.</p> <p>0MQ also has an amazing and vibrant community which is incredibly accepting, open and approachable. I love it because I don’t have time to compete with a lot of hot-shot committers who are all over things because they don’t have anything else to do. Good for them, but I need a community that wants whatever I have time to put out there. It’s so cool!</p> <h2 id="introducing-spring-zeromq">Introducing Spring ZeroMQ</h2> <p>With that being said, I’d like to introduce a project that I released yesterday evening on Maven Central, <a href="https://github.com/InSourceSoftware/in-spring-zeromq">in-spring-zeromq</a>. Check out the <a href="https://github.com/InSourceSoftware/in-spring-zeromq/blob/master/README.md">README</a> for some getting started info on the library.</p> <p>A quick background is in order. I mentioned <a href="https://www.rabbitmq.com/">RabbitMQ</a>. I like RabbitMQ actually. It’s nice. It has worked well in the simple use cases we’ve used it for in a microservices architecture. What I really like about RabbitMQ is the support bolstering it has gotten in the Spring community with <a href="https://spring.io/projects/spring-amqp">Spring AMQP</a>.</p> <div class="alert alert-info" role="alert"> Fun fact, did you know that iMatix, the company founded by Pieter Hintjens, was the initial firm contracted by JPMorgan Chase to build <a href="https://en.wikipedia.org/wiki/Advanced_Message_Queuing_Protocol#History">AMQP</a>? </div> <p>What I don’t necessarily like is the need for a broker when I’m doing simple communication patterns. Not that ZeroMQ is only well-suited for simple communication patterns. But it feels kind of ironic that RabbitMQ’s slogan is “Messaging that just works” when you have to set up (or pay for a sidecar service to use) a broker. By definition, that does not “just work.” It requires extra work… to work. Or extra money.</p> <p>Anyway, I wanted to create a ZeroMQ programming model in Spring that matched the ease-of-use of Spring AMQP. While I wouldn’t say this library approaches the level of sophistication of spring-amqp, I wanted to lay a foundation built against the same idea. Namely, when I’m building enterprise software, I don’t want to stop to have to think about how to write event loops, socket communication, and complex protocols just to send messages between two pieces. Not every part of my architecture deserves re-inventing the wheel every time I run into a connectivity problem needing to be solved. And yet, I don’t want to have to be tied to a message broker either. I want an architecture that can evolve in micro-units, like the ZeroMQ programs Pieter outlines in the ZeroMQ Guide (you really should read it).</p> <h2 id="what-can-i-do-with-this">What can I do with this?</h2> <p>Come back next time, for an in-depth look at in-spring-zeromq, a little library for hiding ZeroMQ behind a protective enterprise development blanket (on the JVM).</p> <div class="alert alert-success" role="alert"> Check out the library now! <a href="https://github.com/InSourceSoftware/in-spring-zeromq">Spring ZeroMQ</a> </div> <h2 id="conclusion">Conclusion</h2> <p>In this article, we’ve learned… well, nothing really. Hopefully we’ll get to learn a bunch next time. Thanks for watching!</p> https://insource.io/blog/articles/zeromq-on-spring-boot.html Stateless Sessions with Spring Boot https://insource.io/blog/articles/stateless-sessions-with-spring-boot.html Tue, 22 Oct 2019 00:00:00 +0000 <h2 id="introduction">Introduction</h2> <p>In the <a href="/blog/articles/custom-authentication-with-spring-boot.html">previous article</a>, we discussed how to build a custom permissions system. In this article, we’ll discuss how to use Zuul’s reverse-proxy functionality to propagate session information in a stateless way.</p> <h2 id="spring-session">Spring Session</h2> <p>Spring is a great framework. It has lots of built-in features and optional libraries that can be added to enable new functionality. Security and session management are two great examples of this. If you are using Spring Boot, it’s as easy as adding one of them (e.g. <code class="language-plaintext highlighter-rouge">spring-session-core</code>) to your classpath, and a default configuration kicks in. Further, if you add one of the extensions (like <code class="language-plaintext highlighter-rouge">spring-session-data-redis</code>) and an annotation (such as <code class="language-plaintext highlighter-rouge">@EnableRedisHttpSession</code>), you can pretty much transparently persist session state to the datastore of your choice without any other changes to your application.</p> <p>Another great feature is propagating sessions. In a microservices architecture, you’ve got a lot of tiny services all doing their thing. What if you want them all to know about the currently logged-in user? I remember discussing this with a co-worker a year or so ago, when working on a new authentication system for a microservices architecture redesign of our system. It sounded theoretically possible, and solutions utilizing Spring Session or OAuth and JWTs seemed promising.</p> <p>But what if there was a better way to share sessions within a microservices architecture?</p> <p>Let’s build such a solution.</p> <h2 id="set-up">Set Up</h2> <p>Let’s define a build for our project. In this example, we’ll actually need two projects, which we’ll get to in a minute. For our first project, here’s a pom.xml skeleton to get us started:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">&lt;?xml version="1.0" encoding="utf-8" ?&gt;</span> <span class="nt">&lt;project</span> <span class="na">xmlns=</span><span class="s">"http://maven.apache.org/POM/4.0.0"</span> <span class="na">xmlns:xsi=</span><span class="s">"http://www.w3.org/2001/XMLSchema-instance"</span> <span class="na">xsi:schemaLocation=</span><span class="s">"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"</span><span class="nt">&gt;</span> <span class="nt">&lt;modelVersion&gt;</span>4.0.0<span class="nt">&lt;/modelVersion&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.insource<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>custom-permissions-example<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.1.0-SNAPSHOT<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;packaging&gt;</span>jar<span class="nt">&lt;/packaging&gt;</span> <span class="nt">&lt;name&gt;</span>custom-permissions-example<span class="nt">&lt;/name&gt;</span> <span class="nt">&lt;description&gt;</span>Example project for stateless session propagation.<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;parent&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-parent<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.1.5.RELEASE<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;relativePath</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/parent&gt;</span> <span class="nt">&lt;repositories&gt;</span> <span class="nt">&lt;repository&gt;</span> <span class="nt">&lt;id&gt;</span>spring-plugins-releases<span class="nt">&lt;/id&gt;</span> <span class="nt">&lt;url&gt;</span>http://repo.spring.io/plugins-release<span class="nt">&lt;/url&gt;</span> <span class="nt">&lt;/repository&gt;</span> <span class="nt">&lt;/repositories&gt;</span> <span class="nt">&lt;properties&gt;</span> <span class="nt">&lt;java.version&gt;</span>1.8<span class="nt">&lt;/java.version&gt;</span> <span class="nt">&lt;/properties&gt;</span> <span class="nt">&lt;dependencies&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;/dependencies&gt;</span> <span class="nt">&lt;build&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.maven.plugins<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-maven-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;/plugins&gt;</span> <span class="nt">&lt;pluginManagement&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.maven.plugins<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;source&gt;</span>${java.version}<span class="nt">&lt;/source&gt;</span> <span class="nt">&lt;target&gt;</span>${java.version}<span class="nt">&lt;/target&gt;</span> <span class="nt">&lt;/configuration&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;/plugins&gt;</span> <span class="nt">&lt;/pluginManagement&gt;</span> <span class="nt">&lt;/build&gt;</span> <span class="nt">&lt;/project&gt;</span> </code></pre></div></div> <p>Let’s also define an entry point for our application:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.boot.SpringApplication</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.autoconfigure.SpringBootApplication</span><span class="o">;</span> <span class="nd">@SpringBootApplication</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Application</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">SpringApplication</span><span class="o">.</span><span class="na">run</span><span class="o">(</span><span class="nc">Application</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="n">args</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h2 id="security-configuration">Security Configuration</h2> <p>Let’s also add some security configuration to our project for example purposes. First, let’s use pre-authentication similar to what we explored in the article <a href="/blog/articles/stateless-api-security-with-spring-boot-part-2.html">Stateless API Security with Spring Boot, Part 2</a>.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">io.insource.spring.ws.examples.gateway.service.SimpleUserDetailsService</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">io.insource.spring.ws.examples.gateway.support.Http401AuthenticationEntryPoint</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.core.annotation.Order</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.http.HttpStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.AuthenticationManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.AuthenticationProvider</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.ProviderManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UserDetailsService</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.AuthenticationEntryPoint</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Collections</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="nd">@Order</span><span class="o">(-</span><span class="mi">1</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">antMatcher</span><span class="o">(</span><span class="s">"/**"</span><span class="o">)</span> <span class="o">.</span><span class="na">addFilterAfter</span><span class="o">(</span><span class="n">preAuthenticationFilter</span><span class="o">(),</span> <span class="nc">RequestHeaderAuthenticationFilter</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/api/v1/anonymous"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">exceptionHandling</span><span class="o">().</span><span class="na">authenticationEntryPoint</span><span class="o">(</span><span class="n">authenticationEntryPoint</span><span class="o">())</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">logout</span><span class="o">().</span><span class="na">logoutUrl</span><span class="o">(</span><span class="s">"/api/v1/logout"</span><span class="o">).</span><span class="na">logoutSuccessHandler</span><span class="o">(</span><span class="n">logoutSuccessHandler</span><span class="o">())</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">();</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">RequestHeaderAuthenticationFilter</span> <span class="nf">preAuthenticationFilter</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RequestHeaderAuthenticationFilter</span> <span class="n">preAuthenticationFilter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RequestHeaderAuthenticationFilter</span><span class="o">();</span> <span class="n">preAuthenticationFilter</span><span class="o">.</span><span class="na">setPrincipalRequestHeader</span><span class="o">(</span><span class="s">"X-USERNAME"</span><span class="o">);</span> <span class="n">preAuthenticationFilter</span><span class="o">.</span><span class="na">setAuthenticationManager</span><span class="o">(</span><span class="n">authenticationManager</span><span class="o">());</span> <span class="n">preAuthenticationFilter</span><span class="o">.</span><span class="na">setExceptionIfHeaderMissing</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span> <span class="k">return</span> <span class="n">preAuthenticationFilter</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="nc">AuthenticationManager</span> <span class="nf">authenticationManager</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">ProviderManager</span><span class="o">(</span><span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="n">authenticationProvider</span><span class="o">()));</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">AuthenticationProvider</span> <span class="nf">authenticationProvider</span><span class="o">()</span> <span class="o">{</span> <span class="nc">PreAuthenticatedAuthenticationProvider</span> <span class="n">authenticationProvider</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PreAuthenticatedAuthenticationProvider</span><span class="o">();</span> <span class="n">authenticationProvider</span><span class="o">.</span><span class="na">setPreAuthenticatedUserDetailsService</span><span class="o">(</span><span class="n">userDetailsServiceWrapper</span><span class="o">());</span> <span class="n">authenticationProvider</span><span class="o">.</span><span class="na">setThrowExceptionWhenTokenRejected</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span> <span class="k">return</span> <span class="n">authenticationProvider</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">UserDetailsByNameServiceWrapper</span><span class="o">&lt;</span><span class="nc">PreAuthenticatedAuthenticationToken</span><span class="o">&gt;</span> <span class="nf">userDetailsServiceWrapper</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">UserDetailsByNameServiceWrapper</span><span class="o">&lt;&gt;(</span><span class="n">userDetailsService</span><span class="o">());</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">userDetailsService</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">SimpleUserDetailsService</span><span class="o">();</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">AuthenticationEntryPoint</span> <span class="nf">authenticationEntryPoint</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">Http401AuthenticationEntryPoint</span><span class="o">(</span><span class="s">"MyRealm"</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">HttpStatusReturningLogoutSuccessHandler</span> <span class="nf">logoutSuccessHandler</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">HttpStatusReturningLogoutSuccessHandler</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">NO_CONTENT</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Remember that this security configuration is just an example. Whatever authentication scheme you are using should work fine here.</p> <p>Next, let’s add some authentication routes for our documentation tool to latch onto. These don’t actually perform any authentication-related tasks, as that is all handled by the Spring Security filter chain.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.slf4j.Logger</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.slf4j.LoggerFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.http.HttpStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.PostMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestHeader</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.ResponseStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api/v1"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">LoginController</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Logger</span> <span class="n">log</span> <span class="o">=</span> <span class="nc">LoggerFactory</span><span class="o">.</span><span class="na">getLogger</span><span class="o">(</span><span class="nc">LoginController</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="nd">@PostMapping</span><span class="o">(</span><span class="s">"/login"</span><span class="o">)</span> <span class="nd">@ResponseStatus</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">NO_CONTENT</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">login</span><span class="o">(</span><span class="nd">@RequestHeader</span><span class="o">(</span><span class="s">"X-USERNAME"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">username</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"User {} successfully logged in."</span><span class="o">,</span> <span class="n">username</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@PostMapping</span><span class="o">(</span><span class="s">"/logout"</span><span class="o">)</span> <span class="nd">@ResponseStatus</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">NO_CONTENT</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">logout</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Just for our chosen documentation tool, not actually invoked.</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h2 id="microservice-all-the-things">Microservice All the Things!</h2> <p>With the above set-up in place, let’s create a microservice to represent one of many stateless services we’ll deploy within our architecture. Each microservice will be fully session-aware and yet require no setup or overhead.</p> <p>The second project is just a normal web project, so head over to <a href="https://start.spring.io">Spring Initializr</a> and select Web as a dependency to generate the project structure. Once you’ve got the second project up and running, we’ll add a controller that will eventually be able to utilize session state.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api/v1"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/hello"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">sayHello</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"Hello, World"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Very uninteresting, I know. But let’s make it interesting by first discussing what we plan to do with this API endpoint. The first thing to notice is that it takes no parameters. Why is this important, you ask? To answer that question, let’s examine a fundamental challenge in building APIs that are both re-usable and easy to consume.</p> <h2 id="the-proverbial-hypothetical">The Proverbial Hypothetical</h2> <div class="alert alert-info" role="alert"> TL;DR; The optimal solution is not your first thought; read on to learn more. </div> <p>Imagine you are building an API that manages all sorts of different things for the currently logged in user. You may need to return a list of students for a teacher and a list of tests that need to be graded, as well as submit attendance reports and manage parent-teacher topics and feedback, etc. If you plan to eventually sell this platform or host it in the cloud, but your immediate need is to deploy it on-premise at a particular school or for a particular school district, your approach might be different.</p> <p>For example, in the cloud you may have a completely different authentication scheme than in the on-premise solution, or your frontend may have very different needs in each case. You may also want to eventually integrate this platform into other larger systems, or sell it as a <abbr title="Business to Business">B2B</abbr> service. The list of possible problems that cause churn in your choice of how to architect session management is nearly endless. But even if you have none of the types of problems described above or any others related to it, the challenge of managing session state across a stateless architecture is definitely a daunting one.</p> <p>Your first thought may be to simply find a way to propagate the session among all the disparate microservices you’ll be building. This is certainly possible, and while there are some possible ways it can be accomplished, none of them are simple, and even the artistic ones aren’t really elegant.</p> <p>For example, perhaps you’ll implement an <abbr title="Single Sign-on">SSO</abbr> using OAuth with <abbr title="JSON Web Token">JWT</abbr>s. You’ll need an authorization server to create the tokens. Then, if you can somehow manage to have the JWTs sent to each microservice along with the request, you still have to manage shared secret keys to decode the payload, not to mention the possible size of the payload in JSON format.</p> <p>Or perhaps you’ll implement clustered sessions, and propagate a JSESSIONID cookie or header instead. Each microservice will just act as if it owns the session, or at least a read-only copy of it, and load it into memory on each request, perhaps from a database or a key-value data store. This could work, though I’d love to know if anyone has a link to a good tutorial on this exact topic. Perhaps I’ll work on one, just to fully analyze the benefits and drawbacks of this approach.</p> <p>At any rate, my opinion is that all of these options kind of suck. Let’s build a better solution.</p> <h2 id="the-journey">The Journey</h2> <p>Let’s list the goals of our solution:</p> <ol> <li>Make session management completely transparent to the API consumer. Keep the API documentation tool (such as Swagger) in mind - if it’s easy to use a “Try it out” button, it’ll be easy for the real API consumer.</li> <li>Make the on-boarding process for new microservices in the architecture stupid simple. We want as little setup as possible. Ideally, none, at least on the microservice deployment side. We may need a bit of setup on the architectural side.</li> <li>All session state we consider essential for any microservice to do its job should be available anywhere in our architecture.</li> </ol> <p>With these goals in mind, the first decision point is hopefully one you’ve already made in your journey toward microservices. The question is: How do we tie all these separate deployment units together, without adding complexity on the client-side? Of course, the answer is the API Gateway pattern.</p> <p>You may be tempted to say “Let’s just delegate that job to some third-party system, vendor, or platform solution, such as the <abbr title="Pivotal Cloud Foundry">PCF</abbr> go-router.” While those may have a necessary place in your infrastructure, they are not going to help us here. We need our own gateway.</p> <h2 id="add-the-bits">Add the Bits</h2> <p>Going back to our first project, let’s add Zuul from the Spring Cloud Netflix suite to our stack. We’ll need this to do reverse-proxy functions. If you have another routing solution in your architecture, use it. But make sure it has the additional capabilities we’ll cover shortly.</p> <p>First, add the following to your <code class="language-plaintext highlighter-rouge">pom.xml</code> to import the Spring Cloud Maven <abbr title="Bill of Materials">BOM</abbr> to manage Spring Cloud dependencies:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="nt">&lt;dependencyManagement&gt;</span> <span class="nt">&lt;dependencies&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.cloud<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-cloud-dependencies<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>Greenwich.SR1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;type&gt;</span>pom<span class="nt">&lt;/type&gt;</span> <span class="nt">&lt;scope&gt;</span>import<span class="nt">&lt;/scope&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;/dependencies&gt;</span> <span class="nt">&lt;/dependencyManagement&gt;</span> </code></pre></div></div> <p>Note: Choose the latest version of Spring Cloud, as this article may be out of date.</p> <p>Then add the following dependency:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.cloud<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-cloud-starter-netflix-zuul<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre></div></div> <p>Add a quick configuration, or add an annotation to your entrypoint application.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.cloud.netflix.zuul.EnableZuulProxy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableZuulProxy</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ZuulConfiguration</span> <span class="o">{</span> <span class="o">}</span> </code></pre></div></div> <p>Lastly, add some configuration to enable routing within Zuul:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">app</span><span class="pi">:</span> <span class="na">base-url</span><span class="pi">:</span> <span class="s">http://localhost:8081</span> <span class="na">zuul</span><span class="pi">:</span> <span class="na">ignored-patterns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/api/v1/login</span> <span class="pi">-</span> <span class="s">/api/v1/logout</span> <span class="na">routes</span><span class="pi">:</span> <span class="na">my-service</span><span class="pi">:</span> <span class="na">strip-prefix</span><span class="pi">:</span> <span class="no">false</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/api/v1/**</span> <span class="na">url</span><span class="pi">:</span> <span class="s">${app.base-url}</span> </code></pre></div></div> <p>Note: The <code class="language-plaintext highlighter-rouge">app.base-url</code> property is just a stand-in for whatever downstream routing you need to do, which is outside the scope of this article. The options are numerous, but will be very tailored to your particular use case.</p> <p>In our example, we’re assuming the microservice we built with an <code class="language-plaintext highlighter-rouge">/api/v1/hello</code> endpoint is hosted on port 8081. Here’s the relevant part of the configuration for the second project:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">server</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8081</span> </code></pre></div></div> <h2 id="test-it-out">Test It Out</h2> <p>Now, when we log in, we can route traffic to a downstream microservice through our gateway. Using Postman (<a href="https://github.io/InSourceSoftware/spring-ws-examples/Spring WebService Examples.postman_collection.json">here</a>), hit the Log In route with a <code class="language-plaintext highlighter-rouge">POST</code> at http://localhost:8080/api/v1/login, then issue a <code class="language-plaintext highlighter-rouge">GET</code> to http://localhost:8080/api/v1/hello. We’re using cookies with a <code class="language-plaintext highlighter-rouge">JSESSIONID</code> so make sure both requests take them into account. All the session state is managed by the gateway (currently in memory, but we can easily use Spring Session to do better).</p> <h2 id="but-you-said">But You Said…?</h2> <p>So, how do we propagate sessions? Basically all we’ve done so far is implement some authentication scheme, and a simple API gateway. Bear with me…</p> <p>If we want to easily share state with these downstream microservices in a transparent way, without impacting our API contract, and without requiring any setup on the part of the downstream system, we’re left with only one choice. Let’s just use the protocol we’ve already committed to. HTTP.</p> <p>Let’s use HTTP headers!</p> <p>To do that, let’s add a Zuul filter to our gateway that is session-aware.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">com.netflix.zuul.ZuulFilter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.netflix.zuul.context.RequestContext</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.Authentication</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.context.SecurityContextHolder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.User</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.stereotype.Component</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">static</span> <span class="n">org</span><span class="o">.</span><span class="na">springframework</span><span class="o">.</span><span class="na">cloud</span><span class="o">.</span><span class="na">netflix</span><span class="o">.</span><span class="na">zuul</span><span class="o">.</span><span class="na">filters</span><span class="o">.</span><span class="na">support</span><span class="o">.</span><span class="na">FilterConstants</span><span class="o">.</span><span class="na">PRE_DECORATION_FILTER_ORDER</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">static</span> <span class="n">org</span><span class="o">.</span><span class="na">springframework</span><span class="o">.</span><span class="na">cloud</span><span class="o">.</span><span class="na">netflix</span><span class="o">.</span><span class="na">zuul</span><span class="o">.</span><span class="na">filters</span><span class="o">.</span><span class="na">support</span><span class="o">.</span><span class="na">FilterConstants</span><span class="o">.</span><span class="na">PRE_TYPE</span><span class="o">;</span> <span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ZuulSessionFilter</span> <span class="kd">extends</span> <span class="nc">ZuulFilter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">filterType</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="no">PRE_TYPE</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">int</span> <span class="nf">filterOrder</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="no">PRE_DECORATION_FILTER_ORDER</span> <span class="o">+</span> <span class="mi">1</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">shouldFilter</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Object</span> <span class="nf">run</span><span class="o">()</span> <span class="o">{</span> <span class="n">doFilter</span><span class="o">();</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">doFilter</span><span class="o">()</span> <span class="o">{</span> <span class="nc">Authentication</span> <span class="n">authentication</span> <span class="o">=</span> <span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">getContext</span><span class="o">().</span><span class="na">getAuthentication</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">authentication</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Should never happen, but could be null (see javadoc for SecurityContext#getAuthentication)</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="nc">Object</span> <span class="n">principal</span> <span class="o">=</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">();</span> <span class="c1">// Add header if user is not anonymous</span> <span class="k">if</span> <span class="o">(</span><span class="n">principal</span> <span class="k">instanceof</span> <span class="nc">User</span><span class="o">)</span> <span class="o">{</span> <span class="nc">User</span> <span class="n">user</span> <span class="o">=</span> <span class="o">(</span><span class="nc">User</span><span class="o">)</span> <span class="n">principal</span><span class="o">;</span> <span class="nc">RequestContext</span> <span class="n">requestContext</span> <span class="o">=</span> <span class="nc">RequestContext</span><span class="o">.</span><span class="na">getCurrentContext</span><span class="o">();</span> <span class="n">requestContext</span><span class="o">.</span><span class="na">addZuulRequestHeader</span><span class="o">(</span><span class="s">"X-USERNAME"</span><span class="o">,</span> <span class="n">user</span><span class="o">.</span><span class="na">getUsername</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Again, if you’re using another gateway or reverse-proxy technology, it needs to have the capability to plug code into it that is aware of our session. Using Zuul, this is incredibly easy. We contain all the “complexity” (all 50 lines of it) in once place.</p> <p>In this example, we’re not being very creative. We’ll simply be propagating the username. We could (if we’re ambitious) propagate the <code class="language-plaintext highlighter-rouge">JSESSIONID</code> itself. Or we could add other session attributes that we’ve previously stored with our session. The choice is up to you.</p> <p>The key consideration here is to keep it light. Only information that is considered “context” or “identity” should be passed in this way. That allows each downstream microservice to have enough information to do its job, but no more. If it needs to look up the user, and that has a cost, it should be solved with additional architecture (try caching!). But passing 27KB of JSON data is not a good way to go here, nor is storing that in your session in the first place.</p> <p>Ok, Ok, I know. Let’s add the final touch and look at consuming that state down stream.</p> <h2 id="the-really-tricky-bits">The Really Tricky Bits…</h2> <p>Here it is. What we’ve all been waiting for.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.servlet.http.HttpServletRequest</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api/v1"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/hello"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">sayHello</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getHeader</span><span class="o">(</span><span class="s">"X-USERNAME"</span><span class="o">);</span> <span class="k">return</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Hello, %s!"</span><span class="o">,</span> <span class="n">username</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/anonymous"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">sayNothing</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"I have nothing to say to you. Who are you?"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Let’s ask ourselves, have we accomplished our goals?</p> <ol> <li> <p>Make session management completely transparent to the API consumer?</p> <p>Yep. We didn’t impact our API contract at all. As long as the API consumer is being routed through our gateway, they have no idea that username is a required parameter for <code class="language-plaintext highlighter-rouge">/hello</code>.</p> </li> <li> <p>Make the on-boarding process for new microservices in the architecture stupid simple?</p> <p>Yep. There is literally nothing special about our microservice. It’s just a regular Spring Boot app. No setup. No configuration. Nothing. Note: We did add a bit of routing to the gateway, but that’s required regardless, isn’t it?</p> </li> <li> <p>All session state we consider essential for any microservice to do its job should be available anywhere in our architecture?</p> <p>Yep. We can add any as many headers from our session as needed. We just need to keep the request size in mind. We add a tiny bit of extra information to each proxied request, and gain a huge architectural advantage.</p> </li> </ol> <h2 id="conclusion">Conclusion</h2> <p>In this article, we’ve learned how to build a stateful API gateway with routing using Zuul and secure it with any authentication scheme we want. We also learned how to add a Zuul request filter that adds session state to our proxied requests as HTTP headers. Finally, we learned how to set up microservices that are session-aware—in fact, we already knew how, because there’s no special setup required!</p> https://insource.io/blog/articles/stateless-sessions-with-spring-boot.html Custom Authorization with Spring Boot https://insource.io/blog/articles/custom-authorization-with-spring-boot.html Tue, 28 Aug 2018 00:00:00 +0000 <h2 id="introduction">Introduction</h2> <p>In the <a href="/blog/articles/custom-authentication-with-spring-boot.html">previous article</a>, we discussed how to enable Restful username/password authentication. In this article, we’ll discuss how to build a custom permissions system.</p> <h2 id="spring-security-authorization">Spring Security Authorization</h2> <p>Authorization in Spring Security is a large topic. The most common form of authorization available, one which has the most coverage in tutorials on the web, is role-based access control (RBAC). This is where you log in as a user with a particular role, say User or Admin, and are authorized to perform certain actions based on that role.</p> <p>In Spring Security, the central interface for this concept is <code class="language-plaintext highlighter-rouge">GrantedAuthority</code>, which represents an “authority”, usually a role, such as <code class="language-plaintext highlighter-rouge">ROLE_USER</code> or <code class="language-plaintext highlighter-rouge">ROLE_ADMIN</code>. In fact, <code class="language-plaintext highlighter-rouge">ROLE_</code> is so special that there are numerous aspects of Spring Security that look for it, and perform logic only when that prefix is present in the authority name. Here’s an example of a route that is protected in this way:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/hello"</span><span class="o">)</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasRole('ROLE_USER')"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">sayHello</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"Hello, World"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>But what if you want to perform authorization that is more specific than something the user is granted when they log in? You might refer to this as domain object instance security. While there are numerous ways you can go deeper than role-based, you will ultimately be led to Spring Security <abbr title="Access Control List">ACL</abbr>.</p> <p>This extension of Spring Security forces you to adopt a specific data model for persisting your authorization data so Spring Security can perform lookups and caching of that data to enable seamless integration of ACLs into your service layer.</p> <p>But what if your permissions are not traditional? I’m not sure very many existing enterprises would have their authorization concepts cleanly isolated to a few database tables that Spring Security can talk to out of the box. In those cases, you need a custom solution that’s simple to start with, and easy to extend.</p> <p>Let’s build such a solution.</p> <h2 id="set-up">Set Up</h2> <p>Let’s define a build for our project. Here’s a pom.xml skeleton to get us started:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">&lt;?xml version="1.0" encoding="utf-8" ?&gt;</span> <span class="nt">&lt;project</span> <span class="na">xmlns=</span><span class="s">"http://maven.apache.org/POM/4.0.0"</span> <span class="na">xmlns:xsi=</span><span class="s">"http://www.w3.org/2001/XMLSchema-instance"</span> <span class="na">xsi:schemaLocation=</span><span class="s">"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"</span><span class="nt">&gt;</span> <span class="nt">&lt;modelVersion&gt;</span>4.0.0<span class="nt">&lt;/modelVersion&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.insource<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>custom-permissions-example<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.1.0-SNAPSHOT<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;packaging&gt;</span>jar<span class="nt">&lt;/packaging&gt;</span> <span class="nt">&lt;name&gt;</span>custom-permissions-example<span class="nt">&lt;/name&gt;</span> <span class="nt">&lt;description&gt;</span>Example project for method security with a custom permission evaluator.<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;parent&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-parent<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.5.13.RELEASE<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;relativePath</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/parent&gt;</span> <span class="nt">&lt;repositories&gt;</span> <span class="nt">&lt;repository&gt;</span> <span class="nt">&lt;id&gt;</span>spring-plugins-releases<span class="nt">&lt;/id&gt;</span> <span class="nt">&lt;url&gt;</span>http://repo.spring.io/plugins-release<span class="nt">&lt;/url&gt;</span> <span class="nt">&lt;/repository&gt;</span> <span class="nt">&lt;/repositories&gt;</span> <span class="nt">&lt;properties&gt;</span> <span class="nt">&lt;java.version&gt;</span>1.8<span class="nt">&lt;/java.version&gt;</span> <span class="nt">&lt;spring-boot.version&gt;</span>1.5.13.RELEASE<span class="nt">&lt;/spring-boot.version&gt;</span> <span class="nt">&lt;/properties&gt;</span> <span class="nt">&lt;dependencies&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;/dependencies&gt;</span> <span class="nt">&lt;build&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.maven.plugins<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-maven-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;/plugins&gt;</span> <span class="nt">&lt;pluginManagement&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.maven.plugins<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;source&gt;</span>${java.version}<span class="nt">&lt;/source&gt;</span> <span class="nt">&lt;target&gt;</span>${java.version}<span class="nt">&lt;/target&gt;</span> <span class="nt">&lt;/configuration&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;/plugins&gt;</span> <span class="nt">&lt;/pluginManagement&gt;</span> <span class="nt">&lt;/build&gt;</span> <span class="nt">&lt;/project&gt;</span> </code></pre></div></div> <p>Let’s also define an entry point for our application:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.boot.SpringApplication</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.autoconfigure.SpringBootApplication</span><span class="o">;</span> <span class="nd">@SpringBootApplication</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Application</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">SpringApplication</span><span class="o">.</span><span class="na">run</span><span class="o">(</span><span class="nc">Application</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="n">args</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h2 id="custom-authorization">Custom Authorization</h2> <h3 id="data-model">Data Model</h3> <p>Let’s start with a contrived data model. This is a terrible example, but since I am not great at contriving non-incriminating examples, this will have to do. Say you have Supervisor and Employee data. Here are the models in this example:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Entity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Supervisor</span> <span class="o">{</span> <span class="nd">@Id</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">name</span><span class="o">;</span> <span class="nd">@ManyToOne</span><span class="o">(</span><span class="n">mappedBy</span> <span class="o">=</span> <span class="s">"supervisor"</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Employee</span><span class="o">&gt;</span> <span class="n">employees</span><span class="o">;</span> <span class="c1">// Constructors</span> <span class="c1">// Getters and Setters</span> <span class="o">}</span> <span class="nd">@Entity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Employee</span> <span class="o">{</span> <span class="nd">@Id</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">name</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">permissions</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;();</span> <span class="nd">@OneToMany</span> <span class="kd">private</span> <span class="nc">Supervisor</span> <span class="n">supervisor</span><span class="o">;</span> <span class="c1">// Constructors</span> <span class="c1">// Getters and Setters</span> <span class="o">}</span> </code></pre></div></div> <p>In this example, our permissions (the identifiers we want to use to secure our API in certain situations) are on the objects we want to secure.</p> <p class="alert alert-info"> <strong>Note:</strong> This may not seem like a normal example, if you're coming from the ACL model perspective, but in the real world, this is often what you get. Data coming from a system you have little/no control over (with the exception of data mapping) which has its own concept of permissions. In fact, you may normally have a situation which is even less desirable than this, where your permissions need to be derived from other data in the model, such as a status or other boolean flags. Did I mention data mapping? Hopefully, you can at least map the data coming into your application through a materialized view or a mapping layer so it looks similar to this. </p> <p>Next, let’s define some way to retrieve our models. We’ll use fake Spring Data <code class="language-plaintext highlighter-rouge">@Repository</code> stubs for example purposes.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Repository</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SupervisorRepository</span> <span class="kd">extends</span> <span class="nc">JpaRepository</span><span class="o">&lt;</span><span class="nc">Supervisor</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="o">{</span> <span class="o">}</span> <span class="nd">@Repository</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">EmployeeRepository</span> <span class="kd">extends</span> <span class="nc">JpaRepository</span><span class="o">&lt;</span><span class="nc">Employee</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="o">{</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Employee</span><span class="o">&gt;</span> <span class="nf">findBySupervisorName</span><span class="o">(</span><span class="nc">String</span> <span class="n">name</span><span class="o">);</span> <span class="o">}</span> </code></pre></div></div> <h3 id="permissionevaluator">PermissionEvaluator</h3> <p>The heart of Method Security (role and permissions-based authorization at the method level) in Spring Security is the <code class="language-plaintext highlighter-rouge">PermissionEvaluator</code> interface. For reference, it looks like this:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">java.io.Serializable</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.Authentication</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">PermissionEvaluator</span> <span class="o">{</span> <span class="kt">boolean</span> <span class="nf">hasPermission</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">targetDomainObject</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">permission</span><span class="o">);</span> <span class="kt">boolean</span> <span class="nf">hasPermission</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">,</span> <span class="nc">Serializable</span> <span class="n">targetId</span><span class="o">,</span> <span class="nc">String</span> <span class="n">targetType</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">permission</span><span class="o">);</span> <span class="o">}</span> </code></pre></div></div> <p>Out of the box, there isn’t really an implementation of this interface, other than the <code class="language-plaintext highlighter-rouge">DenyAllPermissionEvaluator</code> which isn’t that helpful but happens to be the default. This is why you’ll usually be steered in the direction of ACLs, which has a holistic implementation of this and other decision points within the authorization portion of the framework.</p> <p>However, this interface is very easy to implement, though it is a bit archaic. In our case, we need a multi-faceted implementation to allow us to extend it very easily in the future. One way would be to take the Spring approach, and add a “manager” class, which delegates to other implementations. Let’s do that.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.security.access.PermissionEvaluator</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.access.expression.DenyAllPermissionEvaluator</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.Authentication</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.Serializable</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Map</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">PermissionEvaluatorManager</span> <span class="kd">implements</span> <span class="nc">PermissionEvaluator</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">PermissionEvaluator</span> <span class="n">denyAll</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DenyAllPermissionEvaluator</span><span class="o">();</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">PermissionEvaluator</span><span class="o">&gt;</span> <span class="n">permissionEvaluators</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">PermissionEvaluatorManager</span><span class="o">(</span><span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">PermissionEvaluator</span><span class="o">&gt;</span> <span class="n">permissionEvaluators</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">permissionEvaluators</span> <span class="o">=</span> <span class="n">permissionEvaluators</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">hasPermission</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">targetDomainObject</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">permission</span><span class="o">)</span> <span class="o">{</span> <span class="nc">PermissionEvaluator</span> <span class="n">permissionEvaluator</span> <span class="o">=</span> <span class="n">permissionEvaluators</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">targetDomainObject</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getSimpleName</span><span class="o">());</span> <span class="k">if</span> <span class="o">(</span><span class="n">permissionEvaluator</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">permissionEvaluator</span> <span class="o">=</span> <span class="n">denyAll</span><span class="o">;</span> <span class="o">}</span> <span class="k">return</span> <span class="n">permissionEvaluator</span><span class="o">.</span><span class="na">hasPermission</span><span class="o">(</span><span class="n">authentication</span><span class="o">,</span> <span class="n">targetDomainObject</span><span class="o">,</span> <span class="n">permission</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">hasPermission</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">,</span> <span class="nc">Serializable</span> <span class="n">targetId</span><span class="o">,</span> <span class="nc">String</span> <span class="n">targetType</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">permission</span><span class="o">)</span> <span class="o">{</span> <span class="nc">PermissionEvaluator</span> <span class="n">permissionEvaluator</span> <span class="o">=</span> <span class="n">permissionEvaluators</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">targetType</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">permissionEvaluator</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">permissionEvaluator</span> <span class="o">=</span> <span class="n">denyAll</span><span class="o">;</span> <span class="o">}</span> <span class="k">return</span> <span class="n">permissionEvaluator</span><span class="o">.</span><span class="na">hasPermission</span><span class="o">(</span><span class="n">authentication</span><span class="o">,</span> <span class="n">targetId</span><span class="o">,</span> <span class="n">targetType</span><span class="o">,</span> <span class="n">permission</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>This manager class implements the <code class="language-plaintext highlighter-rouge">PermissionEvaluator</code> interface, and composes itself using two things:</p> <ol> <li>A list of delegates, each matching a specific target type. This allows us to write one <code class="language-plaintext highlighter-rouge">PermissionEvaluator</code> for each domain object we want to support.</li> <li>A default delegate. The default behavior will be to deny access if we’re asked, as that’s the framework’s fallback. This will be the <code class="language-plaintext highlighter-rouge">DenyAllPermissionEvaluator</code>.</li> </ol> <p>If the list of delegates can’t find a match (by type name), we simply fall back <code class="language-plaintext highlighter-rouge">denyAll</code>.</p> <h3 id="targeted-permissionevaluator">Targeted PermissionEvaluator</h3> <p>Next, we need a way to target a specific type. We’ll use simple logic and only match on the type name, as mentioned above. A simple extension will suffice for this:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.security.access.PermissionEvaluator</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">TargetedPermissionEvaluator</span> <span class="kd">extends</span> <span class="nc">PermissionEvaluator</span> <span class="o">{</span> <span class="nc">String</span> <span class="nf">getTargetType</span><span class="o">();</span> <span class="o">}</span> </code></pre></div></div> <p>Using this interface, we can determine what type we support for each evaluator. Here’s an <code class="language-plaintext highlighter-rouge">EmployeePermissionEvaluator</code>:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">EmployeePermissionEvaluator</span> <span class="kd">implements</span> <span class="nc">TargetedPermissionEvaluator</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getTargetType</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Employee</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">getSimpleName</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">hasPermission</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">targetDomainObject</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">permission</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">targetDomainObject</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="nc">Employee</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">isAssignableFrom</span><span class="o">(</span><span class="n">targetDomainObject</span><span class="o">.</span><span class="na">getClass</span><span class="o">()))</span> <span class="o">{</span> <span class="nc">Employee</span> <span class="n">domainObject</span> <span class="o">=</span> <span class="o">(</span><span class="nc">Employee</span><span class="o">)</span> <span class="n">targetDomainObject</span><span class="o">;</span> <span class="k">return</span> <span class="n">domainObject</span><span class="o">.</span><span class="na">getPermissions</span><span class="o">().</span><span class="na">contains</span><span class="o">(</span><span class="n">permission</span><span class="o">.</span><span class="na">toString</span><span class="o">());</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">hasPermission</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">,</span> <span class="nc">Serializable</span> <span class="n">targetId</span><span class="o">,</span> <span class="nc">String</span> <span class="n">targetType</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">permission</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">UnsupportedOperationException</span><span class="o">(</span><span class="s">"Not supported by this PermissionEvaluator: "</span> <span class="o">+</span> <span class="nc">EmployeePermissionEvaluator</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h3 id="configure-method-security">Configure Method Security</h3> <p>With all that in place, we just need to configure the framework, and we can start securing APIs with Method Security and using other features of the authorization framework.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.beans.factory.annotation.Autowired</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Bean</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.access.PermissionEvaluator</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.access.expression.method.MethodSecurityExpressionHandler</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.HashMap</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.List</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Map</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableGlobalMethodSecurity</span><span class="o">(</span><span class="n">prePostEnabled</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MethodSecurityConfiguration</span> <span class="kd">extends</span> <span class="nc">GlobalMethodSecurityConfiguration</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">TargetedPermissionEvaluator</span><span class="o">&gt;</span> <span class="n">permissionEvaluators</span><span class="o">;</span> <span class="nd">@Autowired</span> <span class="kd">public</span> <span class="nf">MethodSecurityConfiguration</span><span class="o">(</span><span class="nc">List</span><span class="o">&lt;</span><span class="nc">TargetedPermissionEvaluator</span><span class="o">&gt;</span> <span class="n">permissionEvaluators</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">permissionEvaluators</span> <span class="o">=</span> <span class="n">permissionEvaluators</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="nc">MethodSecurityExpressionHandler</span> <span class="nf">createExpressionHandler</span><span class="o">()</span> <span class="o">{</span> <span class="nc">DefaultMethodSecurityExpressionHandler</span> <span class="n">methodSecurityExpressionHandler</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultMethodSecurityExpressionHandler</span><span class="o">();</span> <span class="n">methodSecurityExpressionHandler</span><span class="o">.</span><span class="na">setPermissionEvaluator</span><span class="o">(</span><span class="n">permissionEvaluator</span><span class="o">());</span> <span class="k">return</span> <span class="n">methodSecurityExpressionHandler</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">PermissionEvaluator</span> <span class="nf">permissionEvaluator</span><span class="o">()</span> <span class="o">{</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">PermissionEvaluator</span><span class="o">&gt;</span> <span class="n">map</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="c1">// Build lookup table of PermissionEvaluator by supported target type</span> <span class="k">for</span> <span class="o">(</span><span class="nc">TargetedPermissionEvaluator</span> <span class="n">permissionEvaluator</span> <span class="o">:</span> <span class="n">permissionEvaluators</span><span class="o">)</span> <span class="o">{</span> <span class="n">map</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="n">permissionEvaluator</span><span class="o">.</span><span class="na">getTargetType</span><span class="o">(),</span> <span class="n">permissionEvaluator</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">PermissionEvaluatorManager</span><span class="o">(</span><span class="n">map</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Let’s break this down.</p> <ol> <li>Enable Method Security. We also extend <code class="language-plaintext highlighter-rouge">GlobalMethodSecurityConfiguration</code> to override what we need to.</li> <li>Autowire the list of <code class="language-plaintext highlighter-rouge">TargetedPermissionEvaluator</code>s found in the <code class="language-plaintext highlighter-rouge">ApplicationContext</code>.</li> <li>Set up the <code class="language-plaintext highlighter-rouge">PermissionEvaluatorManager</code> by building a lookup table of <code class="language-plaintext highlighter-rouge">PermissionEvaluator</code> delegates.</li> <li>Wire that up to the <code class="language-plaintext highlighter-rouge">DefaultMethodSecurityExpressionHandler</code> to be used by our <code class="language-plaintext highlighter-rouge">@Pre</code> and <code class="language-plaintext highlighter-rouge">@Post</code> method security.</li> </ol> <p class="alert alert-info"> <strong>Note:</strong> We can't simply component-scan the <code>PermissionEvaluatorManager</code> because we have numerous of <code>PermissionEvaluator</code>s on the classpath. The technique above ensures only the one we want is used. There are a few hacky ways to do this, but the above is the cleanest way to ensure our intended manager class is used. </p> <h3 id="secure-your-api">Secure your API</h3> <p>With the security layer configured, we can now use <code class="language-plaintext highlighter-rouge">@Pre</code> and <code class="language-plaintext highlighter-rouge">@Post</code> annotations to secure our API. Instead of the traditional placement of these annotations on the service layer, let’s place them on our API directly. It’s your choice, but putting them in controllers makes the authorization easier to document and understand, and makes your service layer more reusable (by choosing when to lock it down, and when not to).</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.http.HttpStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.access.prepost.PostFilter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.access.prepost.PreAuthorize</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.PathVariable</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.PostMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestBody</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.ResponseStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.inject.Inject</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.List</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Map</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">EmployeeController</span> <span class="o">{</span> <span class="nd">@Inject</span> <span class="kd">private</span> <span class="nc">EmployeeRepository</span> <span class="n">employeeRepository</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/supervisors/{name}/employees"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Employee</span><span class="o">&gt;</span> <span class="nf">getEmployees</span><span class="o">(</span><span class="nd">@PathVariable</span><span class="o">(</span><span class="s">"name"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">supervisorName</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">employeeRepository</span><span class="o">.</span><span class="na">findBySupervisorName</span><span class="o">(</span><span class="n">supervisorName</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@PostFilter</span><span class="o">(</span><span class="s">"hasPermission(filterObject, #permission + '.' + #ext)"</span><span class="o">)</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/supervisors/{name}/employees/{permission}.{ext}"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Employee</span><span class="o">&gt;</span> <span class="nf">getEmployeesWithPermission</span><span class="o">(</span><span class="nd">@PathVariable</span><span class="o">(</span><span class="s">"name"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">name</span><span class="o">,</span> <span class="nd">@PathVariable</span><span class="o">(</span><span class="s">"permission"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">permission</span><span class="o">,</span> <span class="nd">@PathVariable</span><span class="o">(</span><span class="s">"ext"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">ext</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">employeeRepository</span><span class="o">.</span><span class="na">findBySupervisorName</span><span class="o">(</span><span class="n">name</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasPermission(#report['name'], 'Employee', 'expenseReport.allowed')"</span><span class="o">)</span> <span class="nd">@PostMapping</span><span class="o">(</span><span class="s">"/employees/expense-report"</span><span class="o">)</span> <span class="nd">@ResponseStatus</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">ACCEPTED</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">submitExpenseReport</span><span class="o">(</span><span class="nd">@RequestBody</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="n">report</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Do something with expense report data...</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>In this example, we are using Method Security for two of our three routes.</p> <ol> <li><code class="language-plaintext highlighter-rouge">getEmployees()</code>: No authorization. Just list employees by supervisor.</li> <li><code class="language-plaintext highlighter-rouge">getEmployeesWithPermission()</code>: Uses a post-filter. This demonstrates reusing an existing query, but filtering the list based on permissions in our data model. Not applicable in all cases (for performance reasons), but useful for keeping LoC low and reusing queries with authorization logic for filtering.</li> <li><code class="language-plaintext highlighter-rouge">submitExpenseReport()</code>: Uses a pre-authorize check. Ensures the employee has expense-report permission and the current user (not necessarily <em>that</em> employee) should be allowed to submit an expense report for that employee.</li> </ol> <p>Again, these are contrived examples. But the important thing to note is how we’ve hooked into Spring Security to perform pre/post authorize or filtering logic with a very custom permissions scheme. You should note that with access to the <code class="language-plaintext highlighter-rouge">Authentication</code> in the <code class="language-plaintext highlighter-rouge">PermissionEvaluator</code>, you can make these checks specific to the currently logged in user, or not. It all depends on your requirements. I’ll leave these custom implementations up to you. Happy coding!</p> <h2 id="conclusion">Conclusion</h2> <p>In this article, we’ve learned how to create an extensible permissions evaluation scheme with custom permission data in our model. We also learned how we can use that scheme to perform pre/post authorization logic, including filtering.</p> https://insource.io/blog/articles/custom-authorization-with-spring-boot.html Innocuous Code Lurks Around Every Corner https://insource.io/blog/posts/innocuous-code-lurks-around-every-corner.html Mon, 27 Aug 2018 00:00:00 +0000 <p>After about three hours of debugging Spring Framework code to make a simple OAuth2 authenticated call to Reddit, I finally have some semblance of understanding around why my life sucks right now. I am not insane.</p> <p><strong>TLDR;</strong></p> <p>Perhaps in another post, we’ll discuss how to actually connect to Reddit’s API via Java (or Kotlin) code and do something useful. But I can at least explain why it doesn’t work. Let’s dig in.</p> <h2 id="the-setup">The Setup</h2> <p>In order to connect to any OAuth-based server from a Spring project, you need a bit of configuration. Plenty of examples on the web, so not treading new ground here. But for completeness, here’s what we’re dealing with. The following is the important snippet of my build:</p> <p><em>build.gradle</em></p> <div class="language-groovy highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">dependencies</span> <span class="o">{</span> <span class="n">compile</span><span class="o">(</span><span class="s1">'org.springframework:spring-web'</span><span class="o">)</span> <span class="n">compile</span><span class="o">(</span><span class="s1">'org.springframework.security.oauth:spring-security-oauth2'</span><span class="o">)</span> <span class="o">}</span> </code></pre></div></div> <p>I’m using the <code class="language-plaintext highlighter-rouge">client_credentials</code> grant type for simplicity, but will eventually switch to <code class="language-plaintext highlighter-rouge">authorization_code</code>.</p> <div class="alert alert-info" role="alert"> There's a pretty decent tutorial on this topic over at <a href="https://www.baeldung.com/spring-security-oauth2-authentication-with-reddit">Baeldung</a>. </div> <p>Here’s a simple configuration using <code class="language-plaintext highlighter-rouge">@Value</code> properties from a <code class="language-plaintext highlighter-rouge">@PropertySource</code> pointing to <code class="language-plaintext highlighter-rouge">reddit.properties</code> in <code class="language-plaintext highlighter-rouge">src/main/resources</code>.</p> <p><em>RedditOAuthConfiguration.kt</em></p> <div class="language-kotlin highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">package</span> <span class="nn">com.reddit</span> <span class="k">import</span> <span class="nn">org.springframework.beans.factory.annotation.Value</span> <span class="k">import</span> <span class="nn">org.springframework.context.annotation.Bean</span> <span class="k">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span> <span class="k">import</span> <span class="nn">org.springframework.context.annotation.PropertySource</span> <span class="k">import</span> <span class="nn">org.springframework.security.oauth2.client.OAuth2ClientContext</span> <span class="k">import</span> <span class="nn">org.springframework.security.oauth2.client.OAuth2RestTemplate</span> <span class="k">import</span> <span class="nn">org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsAccessTokenProvider</span> <span class="k">import</span> <span class="nn">org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails</span> <span class="k">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client</span> <span class="nd">@Configuration</span> <span class="nd">@EnableOAuth2Client</span> <span class="nd">@PropertySource</span><span class="p">(</span><span class="s">"classpath:reddit.properties"</span><span class="p">)</span> <span class="kd">class</span> <span class="nc">RedditOAuthConfiguration</span><span class="p">(</span> <span class="nd">@Value</span><span class="p">(</span><span class="s">"\${clientId}"</span><span class="p">)</span> <span class="k">private</span> <span class="kd">val</span> <span class="py">clientId</span><span class="p">:</span> <span class="nc">String</span><span class="p">,</span> <span class="nd">@Value</span><span class="p">(</span><span class="s">"\${clientSecret}"</span><span class="p">)</span> <span class="k">private</span> <span class="kd">val</span> <span class="py">clientSecret</span><span class="p">:</span> <span class="nc">String</span><span class="p">,</span> <span class="nd">@Value</span><span class="p">(</span><span class="s">"\${accessTokenUri}"</span><span class="p">)</span> <span class="k">private</span> <span class="kd">val</span> <span class="py">accessTokenUri</span><span class="p">:</span> <span class="nc">String</span> <span class="p">)</span> <span class="p">{</span> <span class="nd">@Bean</span> <span class="k">fun</span> <span class="nf">reddit</span><span class="p">()</span> <span class="p">=</span> <span class="nc">ClientCredentialsResourceDetails</span><span class="p">().</span><span class="nf">also</span> <span class="p">{</span> <span class="n">it</span><span class="p">.</span><span class="n">id</span> <span class="p">=</span> <span class="s">"reddit"</span> <span class="n">it</span><span class="p">.</span><span class="n">clientId</span> <span class="p">=</span> <span class="n">clientId</span> <span class="n">it</span><span class="p">.</span><span class="n">clientSecret</span> <span class="p">=</span> <span class="n">clientSecret</span> <span class="n">it</span><span class="p">.</span><span class="n">scope</span> <span class="p">=</span> <span class="nf">arrayListOf</span><span class="p">(</span><span class="s">"identity"</span><span class="p">)</span> <span class="n">it</span><span class="p">.</span><span class="n">accessTokenUri</span> <span class="p">=</span> <span class="n">accessTokenUri</span> <span class="p">}</span> <span class="nd">@Bean</span> <span class="k">fun</span> <span class="nf">redditRestTemplate</span><span class="p">(</span><span class="n">clientContext</span><span class="p">:</span> <span class="nc">OAuth2ClientContext</span><span class="p">)</span> <span class="p">=</span> <span class="nc">OAuth2RestTemplate</span><span class="p">(</span><span class="nf">reddit</span><span class="p">(),</span> <span class="n">clientContext</span><span class="p">).</span><span class="nf">also</span> <span class="p">{</span> <span class="n">it</span><span class="p">.</span><span class="nf">setAccessTokenProvider</span><span class="p">(</span><span class="nc">ClientCredentialsAccessTokenProvider</span><span class="p">())</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>With that configuration defining a <code class="language-plaintext highlighter-rouge">RestTemplate</code> and enabling a <code class="language-plaintext highlighter-rouge">Oauth2ClientContextFilter</code> (via <code class="language-plaintext highlighter-rouge">@EnableOAuth2Client</code>), we can use it. In my case, I’m stuffing it into a Swagger-generated API client.</p> <p><em>RedditApiConfiguration.kt</em></p> <div class="language-kotlin highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">package</span> <span class="nn">com.reddit</span> <span class="k">import</span> <span class="nn">com.reddit.api.RedditApi</span> <span class="k">import</span> <span class="nn">org.springframework.beans.factory.annotation.Value</span> <span class="k">import</span> <span class="nn">org.springframework.context.annotation.Bean</span> <span class="k">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span> <span class="k">import</span> <span class="nn">org.springframework.context.annotation.PropertySource</span> <span class="k">import</span> <span class="nn">org.springframework.security.oauth2.client.OAuth2RestTemplate</span> <span class="nd">@Configuration</span> <span class="nd">@PropertySource</span><span class="p">(</span><span class="s">"classpath:reddit.properties"</span><span class="p">)</span> <span class="kd">class</span> <span class="nc">RedditApiConfiguration</span><span class="p">(</span> <span class="nd">@Value</span><span class="p">(</span><span class="s">"\${basePath}"</span><span class="p">)</span> <span class="k">private</span> <span class="kd">val</span> <span class="py">basePath</span><span class="p">:</span> <span class="nc">String</span> <span class="p">)</span> <span class="p">{</span> <span class="nd">@Bean</span> <span class="k">fun</span> <span class="nf">redditApi</span><span class="p">(</span><span class="n">oAuth2RestTemplate</span><span class="p">:</span> <span class="nc">OAuth2RestTemplate</span><span class="p">)</span> <span class="p">=</span> <span class="nc">RedditApi</span><span class="p">(</span><span class="nc">ApiClient</span><span class="p">(</span><span class="n">oAuth2RestTemplate</span><span class="p">).</span><span class="nf">also</span> <span class="p">{</span> <span class="n">it</span><span class="p">.</span><span class="n">basePath</span> <span class="p">=</span> <span class="n">basePath</span> <span class="p">})</span> <span class="p">}</span> </code></pre></div></div> <p>Here’s an example of <code class="language-plaintext highlighter-rouge">reddit.properties</code>. The <code class="language-plaintext highlighter-rouge">userAuthorizationUri</code> is there if you want to switch grant types.</p> <p><em>reddit.properties</em></p> <div class="language-properties highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="py">clientId</span><span class="p">=</span><span class="s">...</span> <span class="py">clientSecret</span><span class="p">=</span><span class="s">...</span> <span class="c">#userAuthorizationUri=https://www.reddit.com/api/v1/authorize </span><span class="py">accessTokenUri</span><span class="p">=</span><span class="s">https://www.reddit.com/api/v1/access_token</span> <span class="py">basePath</span><span class="p">=</span><span class="s">https://oauth.reddit.com</span> </code></pre></div></div> <h2 id="the-problem">The Problem</h2> <p>So with this in place, any attempt to use the API client (and by association, the <code class="language-plaintext highlighter-rouge">RestTemplate</code>) to talk to Reddit’s API results in this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>org.springframework.security.oauth2.common.exceptions.OAuth2Exception: 429 at org.springframework.security.oauth2.common.exceptions.OAuth2ExceptionJackson2Deserializer.deserialize(OAuth2ExceptionJackson2Deserializer.java:120) ~[spring-security-oauth2-2.0.6.RELEASE.jar:na] at org.springframework.security.oauth2.common.exceptions.OAuth2ExceptionJackson2Deserializer.deserialize(OAuth2ExceptionJackson2Deserializer.java:1) ~[spring-security-oauth2-2.0.6.RELEASE.jar:na] at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4013) ~[jackson-databind-2.9.6.jar:2.9.6] at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3084) ~[jackson-databind-2.9.6.jar:2.9.6] at org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter.readJavaType(AbstractJackson2HttpMessageConverter.java:237) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE] at org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter.readInternal(AbstractJackson2HttpMessageConverter.java:217) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE] at org.springframework.http.converter.AbstractHttpMessageConverter.read(AbstractHttpMessageConverter.java:198) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE] at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport$AccessTokenErrorHandler.handleError(OAuth2AccessTokenSupport.java:235) ~[spring-security-oauth2-2.0.6.RELEASE.jar:na] at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE] at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:766) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE] at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:724) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE] at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:690) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE] at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:137) ~[spring-security-oauth2-2.0.6.RELEASE.jar:na] at org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsAccessTokenProvider.obtainAccessToken(ClientCredentialsAccessTokenProvider.java:44) ~[spring-security-oauth2-2.0.6.RELEASE.jar:na] at org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:221) ~[spring-security-oauth2-2.0.6.RELEASE.jar:na] at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:173) ~[spring-security-oauth2-2.0.6.RELEASE.jar:na] at org.springframework.security.oauth2.client.OAuth2RestTemplate.createRequest(OAuth2RestTemplate.java:105) ~[spring-security-oauth2-2.0.6.RELEASE.jar:na] at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:719) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE] at org.springframework.security.oauth2.client.OAuth2RestTemplate.doExecute(OAuth2RestTemplate.java:128) ~[spring-security-oauth2-2.0.6.RELEASE.jar:na] at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:668) ~[spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE] at com.reddit.ApiClient.invokeAPI(ApiClient.java:530) ~[classes/:na] at com.reddit.api.RedditApi.meUsingGET(RedditApi.java:78) ~[classes/:na] ... </code></pre></div></div> <p>Not very helpful. Spending lots of time tracing code yields a request reproduced via Postman that looks like this (using cURL):</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl -X POST \ https://www.reddit.com/api/v1/access_token \ -H 'Accept: application/json, application/x-www-form-urlencoded' \ -H 'Authorization: Basic XDlvLWJJS0VTd1RzTEE6cm9mWG5Db1V4OHJTaj2W8UtGcx9QSUVmW2Lr' \ -H 'Cache-Control: no-cache' \ -H 'Content-Length: 44' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'grant_type=client_credentials&amp;scope=identity' </code></pre></div></div> <p>Amazingly, this works perfectly and produces the following:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-6808zn3KtBjkWJ7b7Z-lpmyKp_4"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expires_in"</span><span class="p">:</span><span class="w"> </span><span class="mi">3600</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"identity"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>So if I can hit this with Postman just fine, but not Java, what gives? So I traced the code some more, until I could fine every applicable line of code that results in making the actual API call to get the token. Here’s the reproduced scenario in a unit test:</p> <p><em>HttpTest.kt</em></p> <div class="language-kotlin highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">package</span> <span class="nn">io.insource.api.demo</span> <span class="k">import</span> <span class="nn">org.hamcrest.Matchers.`is`</span> <span class="k">import</span> <span class="nn">org.junit.Assert.assertThat</span> <span class="k">import</span> <span class="nn">org.junit.Test</span> <span class="k">import</span> <span class="nn">org.springframework.http.HttpStatus</span> <span class="k">import</span> <span class="nn">org.springframework.http.MediaType</span> <span class="k">import</span> <span class="nn">org.springframework.util.FileCopyUtils</span> <span class="k">import</span> <span class="nn">java.net.HttpURLConnection</span> <span class="k">import</span> <span class="nn">java.net.URL</span> <span class="k">import</span> <span class="nn">java.nio.charset.StandardCharsets</span> <span class="kd">class</span> <span class="nc">HttpTest</span> <span class="p">{</span> <span class="nd">@Test</span> <span class="k">fun</span> <span class="nf">testHttpURLConnection</span><span class="p">()</span> <span class="p">{</span> <span class="kd">val</span> <span class="py">charset</span> <span class="p">=</span> <span class="nc">MediaType</span><span class="p">(</span><span class="nc">MediaType</span><span class="p">.</span><span class="nc">APPLICATION_FORM_URLENCODED</span><span class="p">,</span> <span class="nc">StandardCharsets</span><span class="p">.</span><span class="nc">UTF_8</span><span class="p">).</span><span class="n">charset</span><span class="o">!!</span> <span class="kd">val</span> <span class="py">bytes</span> <span class="p">=</span> <span class="s">"grant_type=client_credentials&amp;scope=identity"</span><span class="p">.</span><span class="nf">toByteArray</span><span class="p">(</span><span class="n">charset</span><span class="p">)</span> <span class="kd">val</span> <span class="py">url</span> <span class="p">=</span> <span class="nc">URL</span><span class="p">(</span><span class="s">"https://www.reddit.com/api/v1/access_token"</span><span class="p">)</span> <span class="kd">val</span> <span class="py">connection</span> <span class="p">=</span> <span class="n">url</span><span class="p">.</span><span class="nf">openConnection</span><span class="p">()</span> <span class="k">as</span> <span class="nc">HttpURLConnection</span> <span class="n">connection</span><span class="p">.</span><span class="n">connectTimeout</span> <span class="p">=</span> <span class="mi">30000</span> <span class="n">connection</span><span class="p">.</span><span class="n">readTimeout</span> <span class="p">=</span> <span class="mi">30000</span> <span class="n">connection</span><span class="p">.</span><span class="n">doInput</span> <span class="p">=</span> <span class="k">true</span> <span class="n">connection</span><span class="p">.</span><span class="n">doOutput</span> <span class="p">=</span> <span class="k">true</span> <span class="n">connection</span><span class="p">.</span><span class="n">instanceFollowRedirects</span> <span class="p">=</span> <span class="k">false</span> <span class="n">connection</span><span class="p">.</span><span class="n">requestMethod</span> <span class="p">=</span> <span class="s">"POST"</span> <span class="n">connection</span><span class="p">.</span><span class="nf">addRequestProperty</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">,</span> <span class="s">"Basic XDlvLWJJS0VTd1RzTEE6cm9mWG5Db1V4OHJTaj2W8UtGcx9QSUVmW2Lr"</span><span class="p">)</span> <span class="n">connection</span><span class="p">.</span><span class="nf">addRequestProperty</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/x-www-form-urlencoded;charset=UTF-8"</span><span class="p">)</span> <span class="n">connection</span><span class="p">.</span><span class="nf">addRequestProperty</span><span class="p">(</span><span class="s">"Accept"</span><span class="p">,</span> <span class="s">"application/json, application/x-www-form-urlencoded"</span><span class="p">)</span> <span class="n">connection</span><span class="p">.</span><span class="nf">addRequestProperty</span><span class="p">(</span><span class="s">"Content-Length"</span><span class="p">,</span> <span class="n">bytes</span><span class="p">.</span><span class="n">size</span><span class="p">.</span><span class="nf">toString</span><span class="p">())</span> <span class="n">connection</span><span class="p">.</span><span class="nf">connect</span><span class="p">()</span> <span class="nc">FileCopyUtils</span><span class="p">.</span><span class="nf">copy</span><span class="p">(</span><span class="n">bytes</span><span class="p">,</span> <span class="n">connection</span><span class="p">.</span><span class="n">outputStream</span><span class="p">)</span> <span class="kd">val</span> <span class="py">httpStatus</span> <span class="p">=</span> <span class="nc">HttpStatus</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="n">connection</span><span class="p">.</span><span class="n">responseCode</span><span class="p">)</span> <span class="nf">assertThat</span><span class="p">(</span><span class="n">httpStatus</span><span class="p">,</span> <span class="nf">`is`</span><span class="p">(</span><span class="nc">HttpStatus</span><span class="p">.</span><span class="nc">OK</span><span class="p">))</span> <span class="kd">val</span> <span class="py">responseBody</span> <span class="p">=</span> <span class="nc">FileCopyUtils</span><span class="p">.</span><span class="nf">copyToByteArray</span><span class="p">(</span><span class="n">connection</span><span class="p">.</span><span class="n">inputStream</span><span class="p">).</span><span class="nf">toString</span><span class="p">()</span> <span class="nf">println</span><span class="p">(</span><span class="n">responseBody</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>So now we ask ourselves, “What do we know?”</p> <p>“Well, we know that we keep getting errors. We also know that it works fine in a sane HTTP client, like Postman or cURL. So we know Java is being weird. But why…”</p> <p>Then I looked closer. Let’s ask ourselves again, “What do we know?”</p> <p>“Well, we know we get a 429 error. Wait… 429? That’s some !@#$ ain’t it? Why is it giving us 429 Too Many Requests? Reddit’s API is dropping us, isn’t it? Hmm….”</p> <p>Yep, it’s confirmed. There’s rate limiting going on. But if we’re not DDoS’ing Reddit’s API, who is? Well, as it turns out, everyone is. The rate limit is high enough for most API consumers to get by fine, but if you combine it with all the people making the same uneducated requests to Reddit’s API that I am, you get quite a lot of noise. The answer, as it turns out, is here:</p> <p><a href="https://github.com/reddit-archive/reddit/wiki/API">Reddit Wiki - API</a></p> <blockquote> <p>Change your client’s User-Agent string to something unique and descriptive, including the target platform, a unique application identifier, a version string, and your username as contact information, in the following format:</p> <ul> <li>&lt;platform&gt;:&lt;app ID&gt;:&lt;version string&gt; (by /u/<reddit username="">)</reddit></li> <li>Example: User-Agent: android:com.example.myredditapp:v1.2.3 (by /u/kemitche)</li> <li>Many default User-Agents (like “Python/urllib” or “Java”) are drastically limited to encourage unique and descriptive user-agent strings.</li> </ul> </blockquote> <p>If we add a User-Agent header (anything unique-ish basically), the minimal test case passes and prints our response.</p> <div class="language-kotlin highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">package</span> <span class="nn">io.insource.api.demo</span> <span class="k">import</span> <span class="nn">org.hamcrest.Matchers.`is`</span> <span class="k">import</span> <span class="nn">org.junit.Assert.assertThat</span> <span class="k">import</span> <span class="nn">org.junit.Test</span> <span class="k">import</span> <span class="nn">org.springframework.http.HttpStatus</span> <span class="k">import</span> <span class="nn">org.springframework.http.MediaType</span> <span class="k">import</span> <span class="nn">org.springframework.util.FileCopyUtils</span> <span class="k">import</span> <span class="nn">java.net.HttpURLConnection</span> <span class="k">import</span> <span class="nn">java.net.URL</span> <span class="k">import</span> <span class="nn">java.nio.charset.StandardCharsets</span> <span class="kd">class</span> <span class="nc">HttpTest</span> <span class="p">{</span> <span class="nd">@Test</span> <span class="k">fun</span> <span class="nf">testHttpURLConnection</span><span class="p">()</span> <span class="p">{</span> <span class="kd">val</span> <span class="py">charset</span> <span class="p">=</span> <span class="nc">MediaType</span><span class="p">(</span><span class="nc">MediaType</span><span class="p">.</span><span class="nc">APPLICATION_FORM_URLENCODED</span><span class="p">,</span> <span class="nc">StandardCharsets</span><span class="p">.</span><span class="nc">UTF_8</span><span class="p">).</span><span class="n">charset</span><span class="o">!!</span> <span class="kd">val</span> <span class="py">bytes</span> <span class="p">=</span> <span class="s">"grant_type=client_credentials&amp;scope=identity"</span><span class="p">.</span><span class="nf">toByteArray</span><span class="p">(</span><span class="n">charset</span><span class="p">)</span> <span class="kd">val</span> <span class="py">url</span> <span class="p">=</span> <span class="nc">URL</span><span class="p">(</span><span class="s">"https://www.reddit.com/api/v1/access_token"</span><span class="p">)</span> <span class="kd">val</span> <span class="py">connection</span> <span class="p">=</span> <span class="n">url</span><span class="p">.</span><span class="nf">openConnection</span><span class="p">()</span> <span class="k">as</span> <span class="nc">HttpURLConnection</span> <span class="n">connection</span><span class="p">.</span><span class="n">connectTimeout</span> <span class="p">=</span> <span class="mi">30000</span> <span class="n">connection</span><span class="p">.</span><span class="n">readTimeout</span> <span class="p">=</span> <span class="mi">30000</span> <span class="n">connection</span><span class="p">.</span><span class="n">doInput</span> <span class="p">=</span> <span class="k">true</span> <span class="n">connection</span><span class="p">.</span><span class="n">doOutput</span> <span class="p">=</span> <span class="k">true</span> <span class="n">connection</span><span class="p">.</span><span class="n">instanceFollowRedirects</span> <span class="p">=</span> <span class="k">false</span> <span class="n">connection</span><span class="p">.</span><span class="n">requestMethod</span> <span class="p">=</span> <span class="s">"POST"</span> <span class="n">connection</span><span class="p">.</span><span class="nf">addRequestProperty</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">,</span> <span class="s">"Basic XDlvLWJJS0VTd1RzTEE6cm9mWG5Db1V4OHJTaj2W8UtGcx9QSUVmW2Lr"</span><span class="p">)</span> <span class="n">connection</span><span class="p">.</span><span class="nf">addRequestProperty</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/x-www-form-urlencoded;charset=UTF-8"</span><span class="p">)</span> <span class="n">connection</span><span class="p">.</span><span class="nf">addRequestProperty</span><span class="p">(</span><span class="s">"Accept"</span><span class="p">,</span> <span class="s">"application/json, application/x-www-form-urlencoded"</span><span class="p">)</span> <span class="n">it</span><span class="p">.</span><span class="nf">addRequestProperty</span><span class="p">(</span><span class="s">"User-Agent"</span><span class="p">,</span> <span class="s">"This is a test"</span><span class="p">)</span> <span class="n">connection</span><span class="p">.</span><span class="nf">addRequestProperty</span><span class="p">(</span><span class="s">"Content-Length"</span><span class="p">,</span> <span class="n">bytes</span><span class="p">.</span><span class="n">size</span><span class="p">.</span><span class="nf">toString</span><span class="p">())</span> <span class="n">connection</span><span class="p">.</span><span class="nf">connect</span><span class="p">()</span> <span class="nc">FileCopyUtils</span><span class="p">.</span><span class="nf">copy</span><span class="p">(</span><span class="n">bytes</span><span class="p">,</span> <span class="n">connection</span><span class="p">.</span><span class="n">outputStream</span><span class="p">)</span> <span class="kd">val</span> <span class="py">httpStatus</span> <span class="p">=</span> <span class="nc">HttpStatus</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="n">connection</span><span class="p">.</span><span class="n">responseCode</span><span class="p">)</span> <span class="nf">assertThat</span><span class="p">(</span><span class="n">httpStatus</span><span class="p">,</span> <span class="nf">`is`</span><span class="p">(</span><span class="nc">HttpStatus</span><span class="p">.</span><span class="nc">OK</span><span class="p">))</span> <span class="kd">val</span> <span class="py">responseBody</span> <span class="p">=</span> <span class="nc">FileCopyUtils</span><span class="p">.</span><span class="nf">copyToByteArray</span><span class="p">(</span><span class="n">connection</span><span class="p">.</span><span class="n">inputStream</span><span class="p">).</span><span class="nf">toString</span><span class="p">()</span> <span class="nf">println</span><span class="p">(</span><span class="n">responseBody</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>So why did cURL and Postman work? As it turns out, cURL works only sometimes. And postman must be silently adding a <code class="language-plaintext highlighter-rouge">User-Agent</code> header and not telling us. Either that, or it’s not nearly as limited as the Java User-Agent (which is either <code class="language-plaintext highlighter-rouge">null</code> or another silent thing being added to requests that don’t have a <code class="language-plaintext highlighter-rouge">User-Agent</code>, I’m unsure which).</p> <p>So after all that, the answer is don’t skimp reading the documentation. Especially if it’s poorly organized and not cohesive or in one place like it should be.</p> https://insource.io/blog/posts/innocuous-code-lurks-around-every-corner.html Custom Authentication with Spring Boot https://insource.io/blog/articles/custom-authentication-with-spring-boot.html Wed, 06 Jun 2018 00:00:00 +0000 <h2 id="introduction">Introduction</h2> <p>In the <a href="/blog/articles/stateless-api-security-with-spring-boot-part-2.html">previous article</a>, we discussed adding an <code class="language-plaintext highlighter-rouge">Authorization</code> header and a custom security scheme to a Spring Boot application for stateless API security. In this article, we’ll discuss how to enable Restful username/password authentication.</p> <h2 id="rest-authentication">Rest Authentication</h2> <p>In Spring Security, it’s been fairly effortless to enable username/password authentication through Form Login, which is a vestige of a bygone era of simple login screens and stateful servers before single page applications were prevalent (or even existed). Admittedly, once an HTTP POST with URL encoded form data is no longer viable, it’s likely that username/password authentication is not viable either. Most likely, we’ll want a multi-factor authentication flow. We’ll discuss this in a future post.</p> <p>For now, let’s look at how to bypass the traditional form login, but use the same concepts with a JSON-based API.</p> <h3 id="set-up">Set Up</h3> <p>Let’s define a build for our project. Here’s a pom.xml skeleton to get us started:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">&lt;?xml version="1.0" encoding="utf-8" ?&gt;</span> <span class="nt">&lt;project</span> <span class="na">xmlns=</span><span class="s">"http://maven.apache.org/POM/4.0.0"</span> <span class="na">xmlns:xsi=</span><span class="s">"http://www.w3.org/2001/XMLSchema-instance"</span> <span class="na">xsi:schemaLocation=</span><span class="s">"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"</span><span class="nt">&gt;</span> <span class="nt">&lt;modelVersion&gt;</span>4.0.0<span class="nt">&lt;/modelVersion&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.insource<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>customauth-security-example<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.1.0-SNAPSHOT<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;packaging&gt;</span>jar<span class="nt">&lt;/packaging&gt;</span> <span class="nt">&lt;name&gt;</span>customauth-security-example<span class="nt">&lt;/name&gt;</span> <span class="nt">&lt;description&gt;</span>Example project for securing REST endpoints with custom authentication.<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;parent&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-parent<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.5.13.RELEASE<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;relativePath</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/parent&gt;</span> <span class="nt">&lt;repositories&gt;</span> <span class="nt">&lt;repository&gt;</span> <span class="nt">&lt;id&gt;</span>spring-plugins-releases<span class="nt">&lt;/id&gt;</span> <span class="nt">&lt;url&gt;</span>http://repo.spring.io/plugins-release<span class="nt">&lt;/url&gt;</span> <span class="nt">&lt;/repository&gt;</span> <span class="nt">&lt;/repositories&gt;</span> <span class="nt">&lt;properties&gt;</span> <span class="nt">&lt;java.version&gt;</span>1.8<span class="nt">&lt;/java.version&gt;</span> <span class="nt">&lt;spring-boot.version&gt;</span>1.5.13.RELEASE<span class="nt">&lt;/spring-boot.version&gt;</span> <span class="nt">&lt;/properties&gt;</span> <span class="nt">&lt;dependencies&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;/dependencies&gt;</span> <span class="nt">&lt;build&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.maven.plugins<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-maven-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;/plugins&gt;</span> <span class="nt">&lt;pluginManagement&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.maven.plugins<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;source&gt;</span>${java.version}<span class="nt">&lt;/source&gt;</span> <span class="nt">&lt;target&gt;</span>${java.version}<span class="nt">&lt;/target&gt;</span> <span class="nt">&lt;/configuration&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;/plugins&gt;</span> <span class="nt">&lt;/pluginManagement&gt;</span> <span class="nt">&lt;/build&gt;</span> <span class="nt">&lt;/project&gt;</span> </code></pre></div></div> <p>Let’s also define an entry point for our application:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.boot.SpringApplication</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.autoconfigure.SpringBootApplication</span><span class="o">;</span> <span class="nd">@SpringBootApplication</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Application</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">SpringApplication</span><span class="o">.</span><span class="na">run</span><span class="o">(</span><span class="nc">Application</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="n">args</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Lastly, let’s define an endpoint we want to be able to secure:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api/v1"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/hello"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">sayHello</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"Hello, World"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h3 id="custom-auth-filter">Custom Auth Filter</h3> <p>Instead of using the traditional <code class="language-plaintext highlighter-rouge">formLogin()</code> configurer, let’s author our own simple filter. In fact, we can extend the existing form login filter, called <code class="language-plaintext highlighter-rouge">UsernamePasswordAuthenticationFilter</code>, and provide a tiny bit of code to get access to a request body.</p> <p>Create the following class:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">com.fasterxml.jackson.databind.ObjectMapper</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.servlet.FilterChain</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.servlet.ServletException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.servlet.ServletRequest</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.servlet.ServletResponse</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.servlet.http.HttpServletRequest</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.servlet.http.HttpServletResponse</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.IOException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.HashMap</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">CustomAuthenticationFilter</span> <span class="kd">extends</span> <span class="nc">UsernamePasswordAuthenticationFilter</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">BODY_ATTRIBUTE</span> <span class="o">=</span> <span class="nc">CustomAuthenticationFilter</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">getSimpleName</span><span class="o">()</span> <span class="o">+</span> <span class="s">".body"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">ObjectMapper</span> <span class="n">objectMapper</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">CustomAuthenticationFilter</span><span class="o">(</span><span class="nc">ObjectMapper</span> <span class="n">objectMapper</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">objectMapper</span> <span class="o">=</span> <span class="n">objectMapper</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">doFilter</span><span class="o">(</span><span class="nc">ServletRequest</span> <span class="n">req</span><span class="o">,</span> <span class="nc">ServletResponse</span> <span class="n">res</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">chain</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">ServletException</span> <span class="o">{</span> <span class="nc">HttpServletRequest</span> <span class="n">request</span> <span class="o">=</span> <span class="o">(</span><span class="nc">HttpServletRequest</span><span class="o">)</span> <span class="n">req</span><span class="o">;</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span> <span class="o">=</span> <span class="o">(</span><span class="nc">HttpServletResponse</span><span class="o">)</span> <span class="n">res</span><span class="o">;</span> <span class="c1">// Parse the request body as a HashMap and populate a request attribute</span> <span class="k">if</span> <span class="o">(</span><span class="n">requiresAuthentication</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">))</span> <span class="o">{</span> <span class="nc">UsernamePasswordRequest</span> <span class="n">usernamePasswordRequest</span> <span class="o">=</span> <span class="n">objectMapper</span><span class="o">.</span><span class="na">readValue</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getInputStream</span><span class="o">(),</span> <span class="nc">UsernamePasswordRequest</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="no">BODY_ATTRIBUTE</span><span class="o">,</span> <span class="n">usernamePasswordRequest</span><span class="o">);</span> <span class="o">}</span> <span class="kd">super</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">req</span><span class="o">,</span> <span class="n">res</span><span class="o">,</span> <span class="n">chain</span><span class="o">);</span> <span class="o">}</span> <span class="kd">protected</span> <span class="nc">String</span> <span class="nf">obtainUsername</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="nc">UsernamePasswordRequest</span> <span class="n">usernamePasswordRequest</span> <span class="o">=</span> <span class="o">(</span><span class="nc">UsernamePasswordRequest</span><span class="o">)</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="no">BODY_ATTRIBUTE</span><span class="o">);</span> <span class="k">return</span> <span class="n">usernamePasswordRequest</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">getUsernameParameter</span><span class="o">());</span> <span class="o">}</span> <span class="kd">protected</span> <span class="nc">String</span> <span class="nf">obtainPassword</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="nc">UsernamePasswordRequest</span> <span class="n">usernamePasswordRequest</span> <span class="o">=</span> <span class="o">(</span><span class="nc">UsernamePasswordRequest</span><span class="o">)</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="no">BODY_ATTRIBUTE</span><span class="o">);</span> <span class="k">return</span> <span class="n">usernamePasswordRequest</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">getPasswordParameter</span><span class="o">());</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">UsernamePasswordRequest</span> <span class="kd">extends</span> <span class="nc">HashMap</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="o">{</span> <span class="c1">// Nothing, just a type marker</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>This class makes use of everything provided by <code class="language-plaintext highlighter-rouge">UsernamePasswordAuthenticationFilter</code> which in turn extends <code class="language-plaintext highlighter-rouge">AbstractAuthenticationProcessingFilter</code>. It will terminate processing of the request if it finds a request that matches, so no <code class="language-plaintext highlighter-rouge">@RestController</code> will be invoked (just as with Form Login).</p> <p>In addition to the <code class="language-plaintext highlighter-rouge">UsernamePasswordAuthenticationToken</code> and other window dressing that is created by the parent class, we take over processing the request body. Using a simple <code class="language-plaintext highlighter-rouge">ObjectMapper</code>, we can convert an arbitrary key/value JSON structure into a <code class="language-plaintext highlighter-rouge">HashMap</code>.</p> <p>Once the body is parsed, we can easily obtain an arbitrarily named username and password, just as with Form Login. We use a bit of request attribute trickery just to satisfy the method calls made by the parent class.</p> <h3 id="customize-authentication">Customize Authentication</h3> <p>Once we have a basic custom filter in place to do authentication (note we didn’t have to code that part), let’s turn our attention to configuring Spring Security.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">com.fasterxml.jackson.databind.ObjectMapper</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Bean</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.AuthenticationManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.AuthenticationEntryPoint</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.AuthenticationSuccessHandler</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.session.SessionAuthenticationStrategy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.csrf.CsrfAuthenticationStrategy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.csrf.CsrfTokenRepository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.csrf.LazyCsrfTokenRepository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.util.matcher.AntPathRequestMatcher</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Arrays</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">antMatcher</span><span class="o">(</span><span class="s">"/**"</span><span class="o">)</span> <span class="o">.</span><span class="na">addFilterAfter</span><span class="o">(</span><span class="n">customAuthFilter</span><span class="o">(),</span> <span class="nc">RequestHeaderAuthenticationFilter</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/login"</span><span class="o">,</span> <span class="s">"/csrf"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">csrfTokenRepository</span><span class="o">(</span><span class="n">csrfTokenRepository</span><span class="o">())</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">exceptionHandling</span><span class="o">().</span><span class="na">authenticationEntryPoint</span><span class="o">(</span><span class="n">authenticationEntryPoint</span><span class="o">())</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">().</span><span class="na">disable</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">UsernamePasswordAuthenticationFilter</span> <span class="nf">customAuthFilter</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">UsernamePasswordAuthenticationFilter</span> <span class="n">authenticationFilter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CustomAuthenticationFilter</span><span class="o">(</span><span class="n">objectMapper</span><span class="o">());</span> <span class="n">authenticationFilter</span><span class="o">.</span><span class="na">setRequiresAuthenticationRequestMatcher</span><span class="o">(</span><span class="k">new</span> <span class="nc">AntPathRequestMatcher</span><span class="o">(</span><span class="s">"/login"</span><span class="o">,</span> <span class="s">"POST"</span><span class="o">));</span> <span class="n">authenticationFilter</span><span class="o">.</span><span class="na">setUsernameParameter</span><span class="o">(</span><span class="s">"username"</span><span class="o">);</span> <span class="n">authenticationFilter</span><span class="o">.</span><span class="na">setPasswordParameter</span><span class="o">(</span><span class="s">"password"</span><span class="o">);</span> <span class="n">authenticationFilter</span><span class="o">.</span><span class="na">setAuthenticationManager</span><span class="o">(</span><span class="n">authenticationManagerBean</span><span class="o">());</span> <span class="n">authenticationFilter</span><span class="o">.</span><span class="na">setAuthenticationSuccessHandler</span><span class="o">(</span><span class="n">authenticationSuccessHandler</span><span class="o">());</span> <span class="n">authenticationFilter</span><span class="o">.</span><span class="na">setSessionAuthenticationStrategy</span><span class="o">(</span><span class="n">sessionAuthenticationStrategy</span><span class="o">());</span> <span class="k">return</span> <span class="n">authenticationFilter</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthenticationManagerBuilder</span> <span class="n">auth</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">auth</span><span class="o">.</span><span class="na">inMemoryAuthentication</span><span class="o">()</span> <span class="o">.</span><span class="na">withUser</span><span class="o">(</span><span class="s">"user"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">).</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">withUser</span><span class="o">(</span><span class="s">"admin"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"admin"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">AuthenticationManager</span> <span class="nf">authenticationManagerBean</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="kd">super</span><span class="o">.</span><span class="na">authenticationManagerBean</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AuthenticationSuccessHandler</span> <span class="nf">authenticationSuccessHandler</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">SimpleUrlAuthenticationSuccessHandler</span><span class="o">(</span><span class="s">"/"</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SessionAuthenticationStrategy</span> <span class="nf">sessionAuthenticationStrategy</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">CompositeSessionAuthenticationStrategy</span><span class="o">(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span> <span class="k">new</span> <span class="nf">ChangeSessionIdAuthenticationStrategy</span><span class="o">(),</span> <span class="k">new</span> <span class="nf">CsrfAuthenticationStrategy</span><span class="o">(</span><span class="n">csrfTokenRepository</span><span class="o">())</span> <span class="o">));</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">CsrfTokenRepository</span> <span class="nf">csrfTokenRepository</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">LazyCsrfTokenRepository</span><span class="o">(</span><span class="k">new</span> <span class="nc">HttpSessionCsrfTokenRepository</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AuthenticationEntryPoint</span> <span class="nf">authenticationEntryPoint</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">Http401AuthenticationEntryPoint</span><span class="o">(</span><span class="s">"MyRealm"</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">ObjectMapper</span> <span class="nf">objectMapper</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">ObjectMapper</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>There’s a few things going on here, so let’s break it down.</p> <h4 id="configuration">Configuration</h4> <p>First, we wire in our custom extension of <code class="language-plaintext highlighter-rouge">UsernamePasswordAuthenticationFilter</code>. It’s best to define an order for the filter to fit into the filter chain. In this case, it doesn’t clash with anything in the defaults, so we could skip this step, but in case we add pre-auth (see previous tutorials), the <code class="language-plaintext highlighter-rouge">addFilterAfter()</code> ensures it will be <em>after</em> that filter if present. In this case, it fires pretty early in the chain.</p> <p>Next, we manually open up the <code class="language-plaintext highlighter-rouge">/login</code> and <code class="language-plaintext highlighter-rouge">/csrf</code> routes and lock down everything else.</p> <p>We also need to make sure our CSRF protection is consistent between the default filter chain and our custom filter, so we need to define the glue piece manually, which is the <code class="language-plaintext highlighter-rouge">HttpSessionCsrfTokenRepository</code>. We use this later as well.</p> <p>Then we disable the default form login, which would put another <code class="language-plaintext highlighter-rouge">UsernamePasswordAuthenticationFilter</code> into the filter chain and we definitely don’t want that.</p> <h4 id="usernamepasswordauthenticationfilter">UsernamePasswordAuthenticationFilter</h4> <p>In order to configure our filter, we need several additional things.</p> <p>First, we define an <code class="language-plaintext highlighter-rouge">ObjectMapper</code> to use with our custom JSON parsing inside the filter.</p> <p>Then, we define the request matcher. We don’t have helper methods for this custom filter but it’s not hard to do it manually with an <code class="language-plaintext highlighter-rouge">AntPathRequestMatcher</code>. This makes it identical to the default form login configuration, but with JSON instead of form fields.</p> <p>Also similar to the defaults, we set up the username and password fields that will hold our principal and credentials. I’ve explicitly set them to call out where to configure them for your needs.</p> <p>We then define a <code class="language-plaintext highlighter-rouge">SessionAuthenticationStrategy</code>, since we don’t get any defaults for free. I haven’t ensured this is perfectly consistent with the defaults, so comments are welcome, but in this example, we’re also adding session-fixation and CSRF protection to the filter chain with a <code class="language-plaintext highlighter-rouge">CompositeSessionAuthenticationStrategy</code>. The <code class="language-plaintext highlighter-rouge">CsrfAuthenticationStrategy</code> uses the same <code class="language-plaintext highlighter-rouge">CsrfTokenRepository</code> we defined above, which also gets used by our own custom controller (shown below) to expose the CSRF token.</p> <p>We also define an <code class="language-plaintext highlighter-rouge">AuthenticationEntryPoint</code> to throw a <code class="language-plaintext highlighter-rouge">401 Unauthorized</code> with a <code class="language-plaintext highlighter-rouge">WWW-Authenticate</code> response header containing our custom realm name when unauthenticated API calls are made.</p> <p class="alert alert-info"> <strong>Update:</strong> If you are using Spring Boot 2.x, please note that the <code>Http401AuthenticationEntryPoint</code> class has been removed. For reference, <a href="https://github.com/spring-projects/spring-boot/blob/v1.5.20.RELEASE/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/Http401AuthenticationEntryPoint.java">view this file on GitHub</a> if you need to copy it and define it within your project. </p> <p>Lastly, we define a simple <code class="language-plaintext highlighter-rouge">AuthenticationManager</code> and <code class="language-plaintext highlighter-rouge">AuthenticationSuccessHandler</code>. The important thing about the <code class="language-plaintext highlighter-rouge">AuthenticationManager</code> is we need to expose it as a bean so we can add it to our custom filter.</p> <p class="alert alert-info"> <strong>Note:</strong> This is also useful if we need to access it from somewhere within our application, as the default security configurer does not expose any of these objects as beans. You may need that, for example, if you want to build a password management screen where you need to re-test the user's credentials prior to changing them. </p> <h2 id="expose-the-csrf">Expose the CSRF</h2> <p>We need to add one piece that’s missing from the form generated by the <code class="language-plaintext highlighter-rouge">DefaultLoginPageGeneratingFilter</code>. I’ve not seen any tutorials for how to do this, but the docs cover this deep into the weeds of Spring Security. We can use the <code class="language-plaintext highlighter-rouge">CsrfTokenArgumentResolver</code> to get a handle on the <code class="language-plaintext highlighter-rouge">CsrfToken</code> automatically.</p> <p>Let’s add a <code class="language-plaintext highlighter-rouge">@RestController</code> to our application:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.http.HttpStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.csrf.CsrfToken</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.ResponseStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/"</span><span class="o">)</span> <span class="nd">@ResponseStatus</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">NO_CONTENT</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">getIndex</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/login"</span><span class="o">)</span> <span class="nd">@ResponseStatus</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">NO_CONTENT</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">getLogin</span><span class="o">()</span> <span class="o">{</span> <span class="o">}</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/csrf"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">CsrfToken</span> <span class="nf">getCsrf</span><span class="o">(</span><span class="nc">CsrfToken</span> <span class="n">csrfToken</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">csrfToken</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">GET /</code> and <code class="language-plaintext highlighter-rouge">GET /login</code> routes are optional, but creates a simple landing page that tells you that you’ve logged in and out successfully.</p> <p>The <code class="language-plaintext highlighter-rouge">GET /csrf</code> route replaces the <code class="language-plaintext highlighter-rouge">_csrf</code> hidden attribute from the Form Login page by utilizing the aforementioned <code class="language-plaintext highlighter-rouge">CsrfTokenRepository</code> through the <code class="language-plaintext highlighter-rouge">CsrfTokenArgumentResolver</code>. API consumers will need to obtain the CSRF prior to invoking the <code class="language-plaintext highlighter-rouge">/login</code> route, as the entire application has CSRF protection enabled. Invoking it produces the following output:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2f1f8b7f-660f-4285-8a08-b29c789c8f60"</span><span class="p">,</span><span class="w"> </span><span class="nl">"headerName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-CSRF-TOKEN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"parameterName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"_csrf"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>Here is a sample CURL request for using the CSRF token:</p> <pre><code class="language-jshelllanguage">curl -X POST \ http://localhost:8080/login \ -H 'Cache-Control: no-cache' \ -H 'Content-Type: application/json' \ -H 'X-CSRF-TOKEN: 2f1f8b7f-660f-4285-8a08-b29c789c8f60' \ -d '{ "username": "user", "password": "password" }' </code></pre> <p><code class="language-plaintext highlighter-rouge">X-CSRF-TOKEN</code> is the default name of the header required by the <code class="language-plaintext highlighter-rouge">CsrfFilter</code> that was enabled with <code class="language-plaintext highlighter-rouge">csrf()</code> in our <code class="language-plaintext highlighter-rouge">WebSecurityConfigurerAdapter</code>.</p> <h2 id="conclusion">Conclusion</h2> <p>In this article, we’ve learned how to create a custom username/password authentication filter, and manually configure Spring Security to use it. We also learned how to expose the CSRF token through our REST API with consistent CSRF protection throughout the application.</p> https://insource.io/blog/articles/custom-authentication-with-spring-boot.html Stateless API Security with Spring Boot, Part 2 https://insource.io/blog/articles/stateless-api-security-with-spring-boot-part-2.html Thu, 31 May 2018 00:00:00 +0000 <h2 id="introduction">Introduction</h2> <p>In the <a href="/blog/articles/stateless-api-security-with-spring-boot-part-1.html">previous article</a>, we discussed adding Basic authentication to our project and turned off session management for a pure stateless API. In this article, we’ll discuss how to extend that using an <code class="language-plaintext highlighter-rouge">Authorization</code> header and a custom security scheme.</p> <h2 id="custom-authentication-scheme">Custom Authentication Scheme</h2> <p>Let’s now turn our attention to how to evolve beyond the Basic authentication scheme, which has limited uses for us in practice (though it can be a very suitable model for simple app-to-app security). Let’s imagine that we want to provision API keys for clients to consume our API. With the previous concepts in place, we have the ability to do username/password authentication. But we need to move to a new scheme that only uses tokens as credentials.</p> <h3 id="add-pre-authentication">Add Pre-Authentication</h3> <p>Instead of basic auth, let’s define a customized filter to enable pre-authentication. You may have seen tutorials on the web using the <code class="language-plaintext highlighter-rouge">SM_USER</code> header to do this. This is Siteminder security, which assumes an API Gateway is forcing users to authenticate prior to hitting our application, and providing a header with the pre-authenticated username.</p> <p>Let’s use this concept with the <code class="language-plaintext highlighter-rouge">Authorization</code> header. Replace the Java config we defined for Basic auth with the following:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.cache.CacheManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.cache.annotation.EnableCaching</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.cache.concurrent.ConcurrentMapCache</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.cache.support.SimpleCacheManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Bean</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.core.annotation.Order</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.AuthenticationManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.AuthenticationProvider</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.ProviderManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.http.SessionCreationPolicy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.AuthenticationUserDetailsService</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.AuthenticationEntryPoint</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Collections</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.regex.Pattern</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">REALM_NAME</span> <span class="o">=</span> <span class="s">"MyRealm"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">API_KEY_PARAM</span> <span class="o">=</span> <span class="s">"apikey"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Pattern</span> <span class="no">AUTHORIZATION_HEADER_PATTERN</span> <span class="o">=</span> <span class="nc">Pattern</span><span class="o">.</span><span class="na">compile</span><span class="o">(</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"%s %s=\"(\\S+)\""</span><span class="o">,</span> <span class="no">REALM_NAME</span><span class="o">,</span> <span class="no">API_KEY_PARAM</span><span class="o">)</span> <span class="o">);</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">antMatcher</span><span class="o">(</span><span class="s">"/**"</span><span class="o">)</span> <span class="o">.</span><span class="na">addFilterAfter</span><span class="o">(</span><span class="n">preAuthenticationFilter</span><span class="o">(),</span> <span class="nc">RequestHeaderAuthenticationFilter</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">sessionManagement</span><span class="o">().</span><span class="na">sessionCreationPolicy</span><span class="o">(</span><span class="nc">SessionCreationPolicy</span><span class="o">.</span><span class="na">STATELESS</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">exceptionHandling</span><span class="o">().</span><span class="na">authenticationEntryPoint</span><span class="o">(</span><span class="n">authenticationEntryPoint</span><span class="o">())</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">RequestHeaderAuthenticationFilter</span> <span class="nf">preAuthenticationFilter</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RequestHeaderAuthenticationFilter</span> <span class="n">preAuthenticationFilter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RequestHeaderAuthenticationFilter</span><span class="o">();</span> <span class="n">preAuthenticationFilter</span><span class="o">.</span><span class="na">setPrincipalRequestHeader</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">);</span> <span class="n">preAuthenticationFilter</span><span class="o">.</span><span class="na">setCredentialsRequestHeader</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">);</span> <span class="n">preAuthenticationFilter</span><span class="o">.</span><span class="na">setAuthenticationManager</span><span class="o">(</span><span class="n">authenticationManager</span><span class="o">());</span> <span class="n">preAuthenticationFilter</span><span class="o">.</span><span class="na">setExceptionIfHeaderMissing</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span> <span class="k">return</span> <span class="n">preAuthenticationFilter</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="nc">AuthenticationManager</span> <span class="nf">authenticationManager</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">ProviderManager</span><span class="o">(</span><span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="n">authenticationProvider</span><span class="o">()));</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AuthenticationProvider</span> <span class="nf">authenticationProvider</span><span class="o">()</span> <span class="o">{</span> <span class="nc">PreAuthenticatedAuthenticationProvider</span> <span class="n">authenticationProvider</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PreAuthenticatedAuthenticationProvider</span><span class="o">();</span> <span class="n">authenticationProvider</span><span class="o">.</span><span class="na">setPreAuthenticatedUserDetailsService</span><span class="o">(</span><span class="n">userDetailsServiceWrapper</span><span class="o">());</span> <span class="n">authenticationProvider</span><span class="o">.</span><span class="na">setThrowExceptionWhenTokenRejected</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span> <span class="k">return</span> <span class="n">authenticationProvider</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AuthenticationUserDetailsService</span><span class="o">&lt;</span><span class="nc">PreAuthenticatedAuthenticationToken</span><span class="o">&gt;</span> <span class="nf">userDetailsServiceWrapper</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">AuthorizationUserDetailsService</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AuthenticationEntryPoint</span> <span class="nf">authenticationEntryPoint</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">Http401AuthenticationEntryPoint</span><span class="o">(</span><span class="no">REALM_NAME</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>This is a larger configuration. Let’s break it down.</p> <h4 id="constants">Constants</h4> <p>We’ve defined some constants at the top of the file. We could use a similar <code class="language-plaintext highlighter-rouge">@ConfigurationProperties</code> technique as before. But by the time we’re defining our own security model, it’s probably overkill to make it configurable. Using the RFC 2617 format, we’ve defined a custom scheme. It looks like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Authorization: MyRealm apikey="..." </code></pre></div></div> <h4 id="preauthenticationfilter">PreAuthenticationFilter</h4> <p>We’ve defined a filter using a stock Spring class, <code class="language-plaintext highlighter-rouge">RequestHeaderAuthenticationFilter</code>. As with the Siteminder example, we can take any header we like and use it to perform “pre” authentication.</p> <p>What this does is assume that the authentication was performed elsewhere, and our job is to validate or simply use the header to create an authenticated session. In this example, we’ve turned off session management (we’ll see why that’s important in a minute), so we’re actually just creating a <code class="language-plaintext highlighter-rouge">SecurityContext</code> on each API call. That sounds expensive. We’ll fix it later.</p> <p>With this filter, we have to define a bunch of pieces to make it work.</p> <p>1. We’ve provided an instance of <code class="language-plaintext highlighter-rouge">RequestHeaderAuthenticationFilter</code>.</p> <p>We’ve configured it with a principal (required) and credentials (optional) and told it not to puke on missing header (so our authentication entrypoint is used instead).</p> <p>2. We’ve provided an <code class="language-plaintext highlighter-rouge">AuthenticationManager</code> with a single <code class="language-plaintext highlighter-rouge">AuthenticationProvider</code>.</p> <p>Our provider of type <code class="language-plaintext highlighter-rouge">PreAuthenticatedAuthenticationProvider</code> expects an <code class="language-plaintext highlighter-rouge">AuthenticationUserDetailsService</code> parameterized with <code class="language-plaintext highlighter-rouge">PreAuthenticatedAuthenticationToken</code>.</p> <p>3. We’ve provided a <code class="language-plaintext highlighter-rouge">AuthenticationUserDetailsService</code> to do the creation of a <code class="language-plaintext highlighter-rouge">UserDetails</code>.</p> <p>This is where our custom authorization logic will go, based on the <code class="language-plaintext highlighter-rouge">PreAuthenticatedAuthenticationToken</code> given by our provider.</p> <h4 id="authenticationentrypoint">AuthenticationEntryPoint</h4> <p>Our entry point simply throws a <code class="language-plaintext highlighter-rouge">401 Unauthorized</code> with a <code class="language-plaintext highlighter-rouge">WWW-Authenticate</code> response header containing our custom auth scheme when things go wrong or are missing.</p> <h4 id="userdetailsservice">UserDetailsService</h4> <p>There’s some magic in the <code class="language-plaintext highlighter-rouge">AuthenticationUserDetailsService</code>, so let’s explore that. Here’s the definition:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.slf4j.Logger</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.slf4j.LoggerFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.authority.SimpleGrantedAuthority</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.User</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UserDetails</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UserDetailsService</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UsernameNotFoundException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Collections</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.regex.Matcher</span><span class="o">;</span> <span class="cm">/* Not marked @Component to simplify WebSecurityConfiguration. */</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationUserDetailsService</span> <span class="kd">implements</span> <span class="nc">AuthenticationUserDetailsService</span><span class="o">&lt;</span><span class="nc">PreAuthenticatedAuthenticationToken</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Logger</span> <span class="n">logger</span> <span class="o">=</span> <span class="nc">LoggerFactory</span><span class="o">.</span><span class="na">getLogger</span><span class="o">(</span><span class="nc">AuthorizationUserDetailsService</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">UserDetails</span> <span class="nf">loadUserDetails</span><span class="o">(</span><span class="nc">PreAuthenticatedAuthenticationToken</span> <span class="n">token</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">UsernameNotFoundException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">authorizationHeader</span> <span class="o">=</span> <span class="n">token</span><span class="o">.</span><span class="na">getCredentials</span><span class="o">().</span><span class="na">toString</span><span class="o">();</span> <span class="n">logger</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Loading user for Authorization header: "</span> <span class="o">+</span> <span class="n">authorizationHeader</span><span class="o">);</span> <span class="c1">// Check authentication scheme</span> <span class="k">if</span> <span class="o">(!</span><span class="n">authorizationHeader</span><span class="o">.</span><span class="na">startsWith</span><span class="o">(</span><span class="nc">WebSecurityConfiguration</span><span class="o">.</span><span class="na">REALM_NAME</span><span class="o">))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">AuthorizationHeaderException</span><span class="o">(</span><span class="s">"Invalid authentication scheme found in Authorization header"</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// Check for apikey parameter</span> <span class="k">if</span> <span class="o">(!</span><span class="n">authorizationHeader</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="nc">WebSecurityConfiguration</span><span class="o">.</span><span class="na">API_KEY_PARAM</span><span class="o">))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">AuthorizationHeaderException</span><span class="o">(</span><span class="s">"Unable to locate apikey parameter in Authorization header"</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// Check that the Authorization header matches the pattern</span> <span class="nc">Matcher</span> <span class="n">matcher</span> <span class="o">=</span> <span class="nc">WebSecurityConfiguration</span><span class="o">.</span><span class="na">AUTHORIZATION_HEADER_PATTERN</span><span class="o">.</span><span class="na">matcher</span><span class="o">(</span><span class="n">authorizationHeader</span><span class="o">);</span> <span class="k">if</span> <span class="o">(!</span><span class="n">matcher</span><span class="o">.</span><span class="na">matches</span><span class="o">())</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">AuthorizationHeaderException</span><span class="o">(</span><span class="s">"Unable to parse apikey from Authorization header"</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="nf">loadUserDetails</span><span class="o">(</span><span class="n">matcher</span><span class="o">.</span><span class="na">group</span><span class="o">());</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">UserDetails</span> <span class="nf">loadUserDetails</span><span class="o">(</span><span class="nc">String</span> <span class="n">apiKey</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// TODO: Implement with your own logic to resolve API key (from Authentication header value)</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">User</span><span class="o">(</span><span class="s">"user"</span><span class="o">,</span> <span class="n">apiKey</span><span class="o">,</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="k">new</span> <span class="nc">SimpleGrantedAuthority</span><span class="o">(</span><span class="s">"ROLE_USER"</span><span class="o">)));</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>This is the easiest place I can think of to place our custom auth scheme logic. The <code class="language-plaintext highlighter-rouge">AuthenticationUserDetailsService</code> is usually used to convert a principal/credentials pair into a <code class="language-plaintext highlighter-rouge">UserDetails</code>. But we can easily use it to do some validation first. The <code class="language-plaintext highlighter-rouge">Authorization</code> header value is passed in the <code class="language-plaintext highlighter-rouge">PreAuthenticatedAuthenticationToken</code>, so we can use that to convert to a user however we wish to.</p> <p>First, we validate that the header value is in the right format. Marginally expensive, but negligible in the scheme of things.</p> <p>Then we parse the <code class="language-plaintext highlighter-rouge">apiKey</code> from the header. Once we have this, we’re in the driver’s seat as to how we implement the lookup/conversion. You can look up the user in an API key provisioning database or load them from a JWT. You can also place roles or other information in this <code class="language-plaintext highlighter-rouge">User</code> object, or define your own custom <code class="language-plaintext highlighter-rouge">UserDetails</code> implementation.</p> <p>What’s missing from this example is what happens if the <code class="language-plaintext highlighter-rouge">apiKey</code> is invalid. Just throw an exception similar to the above validation logic. By the way, here’s that exception:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.http.HttpStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.AuthenticationException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.ResponseStatus</span><span class="o">;</span> <span class="nd">@ResponseStatus</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">UNAUTHORIZED</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationHeaderException</span> <span class="kd">extends</span> <span class="nc">AuthenticationException</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">AuthorizationHeaderException</span><span class="o">(</span><span class="nc">String</span> <span class="n">msg</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">msg</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="nf">AuthorizationHeaderException</span><span class="o">(</span><span class="nc">String</span> <span class="n">msg</span><span class="o">,</span> <span class="nc">Throwable</span> <span class="n">t</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">msg</span><span class="o">,</span> <span class="n">t</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>You can also use the <code class="language-plaintext highlighter-rouge">UsernameNotFoundException</code> from the method signature if you prefer.</p> <h3 id="stateless">Stateless???</h3> <p>The last problem with this scheme is that we’re attempting to be stateless. Without sessions, we’re kind of hosed from a performance perspective. Now, if you wish to enable sessions for your use case, you’re welcome to. And there are many good reasons to do it. But in this case, we’re developing a pure API that is consumed by another process or API consumer, not a web browser.</p> <p>All “stateless” means in this context is that there shouldn’t be any state stored in our JVM. Of course, for example purposes we’re going to do that, but in production, you’ll want to bind in sidecar services to handle it, such as Redis or MongoDB. Those would also be good choices if you want to re-enable sessions.</p> <p>But in this case, we’re going to practice treating stateless (part of any good 12 factor app) the right way, and make it totally transparent. Simply add this bean definition to the Java config above:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">io.insource.spring.ws.examples.security.service.AuthorizationUserDetailsService</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.cache.CacheManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.cache.annotation.EnableCaching</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.cache.concurrent.ConcurrentMapCache</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.cache.support.SimpleCacheManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Bean</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Collections</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="nd">@EnableCaching</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="o">...</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">CacheManager</span> <span class="nf">cacheManager</span><span class="o">()</span> <span class="o">{</span> <span class="nc">SimpleCacheManager</span> <span class="n">cacheManager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SimpleCacheManager</span><span class="o">();</span> <span class="n">cacheManager</span><span class="o">.</span><span class="na">setCaches</span><span class="o">(</span><span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="k">new</span> <span class="nc">ConcurrentMapCache</span><span class="o">(</span><span class="s">"users"</span><span class="o">)));</span> <span class="k">return</span> <span class="n">cacheManager</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>With that in place (replace with your chosen production sidecar for caching, outside the scope of this article), we can start caching stuff. Very similar to adding session management, but handled down in our own <code class="language-plaintext highlighter-rouge">UserDetailsService</code>:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.cache.annotation.Cacheable</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.AuthenticationUserDetailsService</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UsernameNotFoundException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationUserDetailsService</span> <span class="kd">implements</span> <span class="nc">AuthenticationUserDetailsService</span><span class="o">&lt;</span><span class="nc">PreAuthenticatedAuthenticationToken</span><span class="o">&gt;</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="nd">@Cacheable</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"users"</span><span class="o">,</span> <span class="n">key</span> <span class="o">=</span> <span class="s">"#token"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">UserDetails</span> <span class="nf">loadUserDetails</span><span class="o">(</span><span class="nc">PreAuthenticatedAuthenticationToken</span> <span class="n">token</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">UsernameNotFoundException</span> <span class="o">{</span> <span class="o">...</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>What we have here is a stateless application that uses no session management (no Cookies for you) and yet can cache user details (actually API consumers) as close to the application as we like. Using the caching layer, you can define when and how often your user details expire or are purged, etc.</p> <p>With caching in place, our API calls to load the <code class="language-plaintext highlighter-rouge">Authentication</code> into the <code class="language-plaintext highlighter-rouge">SecurityContext</code> do not exhibit such a terrible performance penalty.</p> <h2 id="conclusion">Conclusion</h2> <p>In this article, we’ve learned how to implement a pure stateless API with tokens provided in an <code class="language-plaintext highlighter-rouge">Authorization</code> header, and defined our own custom scheme for accepting those tokens. We’ve also discussed how this example is very relevant even if you want to enable sessions and consume this API from a mobile app or web browser.</p> https://insource.io/blog/articles/stateless-api-security-with-spring-boot-part-2.html Stateless API Security with Spring Boot, Part 1 https://insource.io/blog/articles/stateless-api-security-with-spring-boot-part-1.html Mon, 28 May 2018 00:00:00 +0000 <h2 id="introduction">Introduction</h2> <p>In this series of articles, we’ll discuss how to implement pure (stateless) API security for your REST application in Spring Boot using an Authorization header and a custom security scheme.</p> <h2 id="basic-authentication">Basic Authentication</h2> <p>First, let’s discuss the original precursor in the web security space, Basic authentication. Basic uses an <code class="language-plaintext highlighter-rouge">Authorization</code> header (defined in <a href="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617</a>) of the form:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>credentials = "Basic" basic-credentials basic-credentials = base64-user-pass base64-user-pass = &lt;base64 encoding of user-pass&gt; user-pass = userid ":" password userid = *&lt;TEXT excluding ":"&gt; password = *TEXT </code></pre></div></div> <p>However, the current acceptable format for this header is defined in the same RFC as:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>credentials = auth-scheme #auth-param auth-scheme = token auth-param = token "=" ( token | quoted-string ) </code></pre></div></div> <p>Notice that these schemes are not compatible. The Basic form is supported for legacy purposes to enable the continued use of the Basic authentication scheme.</p> <p>Let’s build an application that supports basic authentication first, and then evolve it to meet our end goals for a custom authentication scheme that is compatible with industry standards.</p> <h3 id="set-up">Set Up</h3> <p>Let’s define a build for our project. Here’s a pom.xml skeleton to get us started:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">&lt;?xml version="1.0" encoding="utf-8" ?&gt;</span> <span class="nt">&lt;project</span> <span class="na">xmlns=</span><span class="s">"http://maven.apache.org/POM/4.0.0"</span> <span class="na">xmlns:xsi=</span><span class="s">"http://www.w3.org/2001/XMLSchema-instance"</span> <span class="na">xsi:schemaLocation=</span><span class="s">"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"</span><span class="nt">&gt;</span> <span class="nt">&lt;modelVersion&gt;</span>4.0.0<span class="nt">&lt;/modelVersion&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.insource<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>basicauth-security-example<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.1.0-SNAPSHOT<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;packaging&gt;</span>jar<span class="nt">&lt;/packaging&gt;</span> <span class="nt">&lt;name&gt;</span>basicauth-security-example<span class="nt">&lt;/name&gt;</span> <span class="nt">&lt;description&gt;</span>Example project for securing REST endpoints with basic auth security.<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;parent&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-parent<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.5.13.RELEASE<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;relativePath</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/parent&gt;</span> <span class="nt">&lt;repositories&gt;</span> <span class="nt">&lt;repository&gt;</span> <span class="nt">&lt;id&gt;</span>spring-plugins-releases<span class="nt">&lt;/id&gt;</span> <span class="nt">&lt;url&gt;</span>http://repo.spring.io/plugins-release<span class="nt">&lt;/url&gt;</span> <span class="nt">&lt;/repository&gt;</span> <span class="nt">&lt;/repositories&gt;</span> <span class="nt">&lt;properties&gt;</span> <span class="nt">&lt;java.version&gt;</span>1.8<span class="nt">&lt;/java.version&gt;</span> <span class="nt">&lt;spring-boot.version&gt;</span>1.5.13.RELEASE<span class="nt">&lt;/spring-boot.version&gt;</span> <span class="nt">&lt;/properties&gt;</span> <span class="nt">&lt;dependencies&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-web<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;/dependencies&gt;</span> <span class="nt">&lt;build&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.maven.plugins<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-maven-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;/plugins&gt;</span> <span class="nt">&lt;pluginManagement&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.maven.plugins<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;source&gt;</span>${java.version}<span class="nt">&lt;/source&gt;</span> <span class="nt">&lt;target&gt;</span>${java.version}<span class="nt">&lt;/target&gt;</span> <span class="nt">&lt;/configuration&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;/plugins&gt;</span> <span class="nt">&lt;/pluginManagement&gt;</span> <span class="nt">&lt;/build&gt;</span> <span class="nt">&lt;/project&gt;</span> </code></pre></div></div> <p>Let’s also define an entry point for our application:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.boot.SpringApplication</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.autoconfigure.SpringBootApplication</span><span class="o">;</span> <span class="nd">@SpringBootApplication</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Application</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">SpringApplication</span><span class="o">.</span><span class="na">run</span><span class="o">(</span><span class="nc">Application</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="n">args</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Lastly, let’s define an endpoint we want to be able to secure:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api/v1"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/hello"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">sayHello</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"Hello, World"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h3 id="add-basic-authentication">Add Basic Authentication</h3> <p>Spring Boot makes it easy to create secure-by-default applications. Though they may not be useful beyond the prototyping stage. Let’s add a dependency to our pom:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre></div></div> <p>With that change in place, we can run this application and it will be secure out of the box. We must use Basic authentication to access the <code class="language-plaintext highlighter-rouge">/api/v1/hello</code> endpoint. The username is “user” by default, with a generated password printed out to the console.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> . ____ _ __ _ _ /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \ ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \ \\/ ___)| |_)| | | | | || (_| | ) ) ) ) ' |____| .__|_| |_|_| |_\__, | / / / / =========|_|==============|___/=/_/_/_/ :: Spring Boot :: (v1.5.13.RELEASE) ... 2018-05-28 10:36:37.977 INFO 62012 --- [ main] b.a.s.AuthenticationManagerConfiguration : Using default security password: dc458486-180c-4653-a5d7-d4ca5e0eab3b ... </code></pre></div></div> <h3 id="customize-basic-authentication">Customize Basic Authentication</h3> <p>If we want to customize the username/password, we can do so by creating an <code class="language-plaintext highlighter-rouge">application.yml</code>, as follows:</p> <div class="language-yml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">security</span><span class="pi">:</span> <span class="na">basic</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">user</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">user</span> <span class="na">password</span><span class="pi">:</span> <span class="s">password</span> </code></pre></div></div> <p>Note that it’s also possible to encrypt the password in this file (and other techniques), which is outside the scope of this article.</p> <p>We can also customize other aspects of the security model, and this is where we get into the delicate inner workings of Spring Security. Let’s also add a Java configuration:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="kn">import</span> <span class="nn">org.springframework.boot.autoconfigure.security.SecurityProperties</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Bean</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.http.SessionCreationPolicy</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="nd">@EnableConfigurationProperties</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">BasicAuthProperties</span> <span class="n">properties</span> <span class="o">=</span> <span class="n">basicAuthProperties</span><span class="o">();</span> <span class="n">http</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">().</span><span class="na">antMatchers</span><span class="o">(</span><span class="n">properties</span><span class="o">.</span><span class="na">getPath</span><span class="o">())</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">sessionManagement</span><span class="o">().</span><span class="na">sessionCreationPolicy</span><span class="o">(</span><span class="nc">SessionCreationPolicy</span><span class="o">.</span><span class="na">STATELESS</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">().</span><span class="na">realmName</span><span class="o">(</span><span class="n">properties</span><span class="o">.</span><span class="na">getRealm</span><span class="o">())</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthenticationManagerBuilder</span> <span class="n">auth</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">BasicAuthProperties</span> <span class="n">properties</span> <span class="o">=</span> <span class="n">basicAuthProperties</span><span class="o">();</span> <span class="nc">InMemoryUserDetailsManagerConfigurer</span><span class="o">&lt;</span><span class="nc">AuthenticationManagerBuilder</span><span class="o">&gt;</span> <span class="n">builder</span> <span class="o">=</span> <span class="n">auth</span><span class="o">.</span><span class="na">inMemoryAuthentication</span><span class="o">();</span> <span class="k">for</span> <span class="o">(</span><span class="nc">SecurityProperties</span><span class="o">.</span><span class="na">User</span> <span class="n">user</span> <span class="o">:</span> <span class="n">properties</span><span class="o">.</span><span class="na">getUsers</span><span class="o">())</span> <span class="o">{</span> <span class="n">builder</span><span class="o">.</span><span class="na">withUser</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getName</span><span class="o">())</span> <span class="o">.</span><span class="na">password</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getPassword</span><span class="o">())</span> <span class="o">.</span><span class="na">roles</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getRole</span><span class="o">().</span><span class="na">toArray</span><span class="o">(</span><span class="k">new</span> <span class="nc">String</span><span class="o">[</span><span class="mi">0</span><span class="o">]));</span> <span class="o">}</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">BasicAuthProperties</span> <span class="nf">basicAuthProperties</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">BasicAuthProperties</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Here, we’ve defined some very elementary configuration to override the defaults. There are two notable aspects of this config.</p> <p>First, we’ve set the <code class="language-plaintext highlighter-rouge">SessionCreationPolicy</code> to <code class="language-plaintext highlighter-rouge">STATELESS</code>. This effectively turns off session management and forces the client to authenticate on every API call. We’ve also disabled CSRF to make it clear that we won’t need them. This step is optional as without sessions, we can’t have CSRF tokens, but it just helps to be clear what our intention is with this security model.</p> <p>Second, we’ve defined a new <code class="language-plaintext highlighter-rouge">@ConfigurationProperties</code> of <code class="language-plaintext highlighter-rouge">BasicAuthProperties</code> and enabled it with <code class="language-plaintext highlighter-rouge">@EnableConfigurationProperties</code>. We’ve also loaded a list of users in memory from external properties. Here’s what that class looks like:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.boot.autoconfigure.security.SecurityProperties</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.context.properties.ConfigurationProperties</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.ArrayList</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Collections</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.List</span><span class="o">;</span> <span class="nd">@ConfigurationProperties</span><span class="o">(</span><span class="s">"app.security.basic"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">BasicAuthProperties</span> <span class="o">{</span> <span class="cm">/** * HTTP basic realm name. */</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">realm</span> <span class="o">=</span> <span class="s">"Spring"</span><span class="o">;</span> <span class="cm">/** * Comma-separated list of paths to secure. */</span> <span class="kd">private</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">path</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">String</span><span class="o">[]</span> <span class="o">{</span> <span class="s">"/**"</span> <span class="o">};</span> <span class="cm">/** * Basic authentication users. */</span> <span class="kd">private</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">SecurityProperties</span><span class="o">.</span><span class="na">User</span><span class="o">&gt;</span> <span class="n">users</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;(</span><span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span> <span class="k">new</span> <span class="nc">SecurityProperties</span><span class="o">.</span><span class="na">User</span><span class="o">()</span> <span class="o">));</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getRealm</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">realm</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setRealm</span><span class="o">(</span><span class="nc">String</span> <span class="n">realm</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">realm</span> <span class="o">=</span> <span class="n">realm</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span><span class="o">[]</span> <span class="nf">getPath</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">path</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setPath</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">path</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">path</span> <span class="o">=</span> <span class="n">path</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">SecurityProperties</span><span class="o">.</span><span class="na">User</span><span class="o">&gt;</span> <span class="nf">getUsers</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">users</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setUsers</span><span class="o">(</span><span class="nc">List</span><span class="o">&lt;</span><span class="nc">SecurityProperties</span><span class="o">.</span><span class="na">User</span><span class="o">&gt;</span> <span class="n">users</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">users</span> <span class="o">=</span> <span class="n">users</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>You may also want to add this dependency to generate metadata from your <code class="language-plaintext highlighter-rouge">@ConfigurationProperties</code>:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-configuration-processor<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;optional&gt;</span>true<span class="nt">&lt;/optional&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre></div></div> <p>This allows us to inject our own configuration into the <code class="language-plaintext highlighter-rouge">application.yml</code> file to control our custom Java config. We’ve borrowed just enough from the default config (including <code class="language-plaintext highlighter-rouge">SecurityProperties.User</code>) to be consistent. We can add this to <code class="language-plaintext highlighter-rouge">application.yml</code>:</p> <div class="language-yml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">app</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">basic</span><span class="pi">:</span> <span class="na">realm</span><span class="pi">:</span> <span class="s">MyRealm</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/**</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">user</span> <span class="na">password</span><span class="pi">:</span> <span class="s">password</span> <span class="na">roles</span><span class="pi">:</span> <span class="s">USER</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">password</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">roles</span><span class="pi">:</span> <span class="s">ADMIN</span> </code></pre></div></div> <p>In practice, you’d probably want to get away from hard-coded credentials (though it can work in some instances using profiles and CI/CD pipelines). This is beyond the scope of this article, though I may provide an example of how to do this later.</p> <h2 id="conclusion">Conclusion</h2> <p>In this article, we’ve learned how to add Basic authentication to any Spring Boot application. In the next article, we’ll learn how to evolve that into our own custom authentication scheme, in which we provision tokens for API consumers.</p> https://insource.io/blog/articles/stateless-api-security-with-spring-boot-part-1.html Google Cloud Platform, Part 2 https://insource.io/blog/posts/google-cloud-platform-part-2.html Tue, 15 May 2018 00:00:00 +0000 <p>Answer: Don’t. Use Pivotal Cloud Foundry instead.</p> <p>Look for our next post, where we’ll discuss the transition from Google Cloud to PCF, and the challenges (or complete lack thereof) encountered in that transition.</p> https://insource.io/blog/posts/google-cloud-platform-part-2.html Google Cloud Platform, Part 1 https://insource.io/blog/articles/google-cloud-platform-part-1.html Tue, 20 Mar 2018 00:00:00 +0000 <h2 id="-start-debug-with-args--xenvdev">~&gt; ./start –debug –with-args -Xenv:dev</h2> <p><strong>The Hook:</strong> I want to deploy a secure Spring Boot app with a Google Cloud SQL connection to the App Engine Standard environment.</p> <p><strong>The Line:</strong> Know what the @%$&amp;!# you are doing.</p> <p><strong>The Sinker:</strong> Just use <a href="https://github.com/spring-cloud/spring-cloud-gcp/tree/master/spring-cloud-gcp-starters/spring-cloud-gcp-starter-sql-mysql">spring-cloud-gcp-starter-sql-mysql</a>.</p> <h2 id="-cat-outputdump--grep-info--less">~&gt; cat output.dump | grep INFO | less</h2> <p>This was difficult for several reasons. Here’s the short list:</p> <ol> <li>Local development does not (quite) work like a GCP deployed app</li> <li>App Engine Standard and App Engine Flexible do not work the same way</li> <li>App Engine Standard is poorly documented (for certain use cases, like mine)</li> <li>App Engine Standard requires a WAR file deploy and runs on Jetty, not Tomcat</li> </ol> <p>I assumed App Engine Flexible environment was the way to go, as it’s newer, the docs are better, the examples are more relevant, and the setup seemed easier. It also uses Docker, so I figured this seems like the easy way to get to that utopia state of the same app deployed everywhere.</p> <p>What I failed to realize is that Flexible environment is ridiculously expensive, has crazy slow deployments, and is not designed for the same use cases. In fact, most of the time, you don’t want to use Flexible environment. That being said, it is vastly superior in almost every way. Apps work the Spring Boot way inside the Docker containers that Google builds. Configuration and setup are vastly simplified, and use yaml files instead of XML deployment descriptors (remember that archaic concept???). Most of Google’s services just work out of the box. Etc.</p> <p>But Flexible environment is a sledgehammer for the problem of driving a tiny stud into the sparse wasteland of a roof that is my budget-conscious project. I really need a @$%#!&amp; nail gun. That’s what App Engine Standard is. It just isn’t my favorite brand. On account of it sucks.</p> <h2 id="-cat-outputdump--grep-error--more">~&gt; cat output.dump | grep ERROR | more</h2> <p>Let’s cut to the chase. The failure cases I encountered are almost too numerous to list. What I started with was a functional app capable of being deployed to App Engine Flexible, built using the <a href="https://cloud.google.com/community/tutorials/run-spring-petclinic-on-app-engine-cloudsql">very helpful tutorial on GCP’s documentation site</a> and <a href="https://github.com/GoogleCloudPlatform/getting-started-java/tree/master/helloworld-springboot">Hello World GitHub project</a>, among others.</p> <p>While there were some very specific caveats to even getting this working (which took an embarassingly long time to get working, at least 2-3 evenings), it generally worked well and was only slightly ridiculous. Here’s the setup for this piece to work:</p> <p><code class="language-plaintext highlighter-rouge">src/main/resources/application.yml</code></p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">application</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello-world</span> <span class="na">jackson</span><span class="pi">:</span> <span class="na">serialization</span><span class="pi">:</span> <span class="na">write_dates_as_timestamps</span><span class="pi">:</span> <span class="no">false</span> <span class="na">jpa</span><span class="pi">:</span> <span class="na">open-in-view</span><span class="pi">:</span> <span class="no">true</span> <span class="na">show-sql</span><span class="pi">:</span> <span class="no">true</span> <span class="na">hibernate</span><span class="pi">:</span> <span class="na">ddl-auto</span><span class="pi">:</span> <span class="s">none</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">sso</span><span class="pi">:</span> <span class="na">loginPath</span><span class="pi">:</span> <span class="s">/login</span> <span class="na">client</span><span class="pi">:</span> <span class="na">clientId</span><span class="pi">:</span> <span class="s">my-client-id</span> <span class="na">clientSecret</span><span class="pi">:</span> <span class="s">my-client-secret</span> <span class="na">accessTokenUri</span><span class="pi">:</span> <span class="s">https://www.googleapis.com/oauth2/v3/token</span> <span class="na">userAuthorizationUri</span><span class="pi">:</span> <span class="s">https://accounts.google.com/o/oauth2/auth</span> <span class="na">tokenName</span><span class="pi">:</span> <span class="s">oauth_token</span> <span class="na">authenticationScheme</span><span class="pi">:</span> <span class="s">query</span> <span class="na">clientAuthenticationScheme</span><span class="pi">:</span> <span class="s">form</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">profile</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">userInfoUri</span><span class="pi">:</span> <span class="s">https://www.googleapis.com/userinfo/v2/me</span> <span class="na">preferTokenInfo</span><span class="pi">:</span> <span class="no">false</span> <span class="c1"># Spoiler Alert: The following sits innocuously fooling </span> <span class="c1"># you into believing things that aren't true...</span> <span class="na">management</span><span class="pi">:</span> <span class="na">contextPath</span><span class="pi">:</span> <span class="s">/_ah</span> <span class="na">security</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> </code></pre></div></div> <p>Here, we’ve set up some basic security configuration using Google as an OAuth2 provider (there are good tutorials for how to do this on the web). The <code class="language-plaintext highlighter-rouge">management</code> section <em>seems</em> to disable security for the <code class="language-plaintext highlighter-rouge">/_ah</code> requests Google makes, and in App Engine Flexible, things are fine.</p> <p>Next, we have two profiles with separate configs, setting up a database for local development, and a Google Cloud SQL database for production.</p> <p><code class="language-plaintext highlighter-rouge">src/main/resources/application-dev.yml</code></p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">datasource</span><span class="pi">:</span> <span class="na">driverClassName</span><span class="pi">:</span> <span class="s">com.mysql.jdbc.Driver</span> <span class="na">url</span><span class="pi">:</span> <span class="s">jdbc:mysql://localhost:3306/hello-world?useUnicode=true&amp;characterEncoding=utf8&amp;useSSL=false</span> <span class="na">username</span><span class="pi">:</span> <span class="s">myuser</span> <span class="na">password</span><span class="pi">:</span> <span class="s">mypassword</span> <span class="na">jpa</span><span class="pi">:</span> <span class="na">database</span><span class="pi">:</span> <span class="s">mysql</span> </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">src/main/resources/application-prod.yml</code></p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">datasource</span><span class="pi">:</span> <span class="na">driverClassName</span><span class="pi">:</span> <span class="s">com.mysql.jdbc.Driver</span> <span class="na">url</span><span class="pi">:</span> <span class="s">jdbc:mysql://google/hello-world?useSSL=false&amp;cloudSqlInstance=my-project:us-central1:hello-world&amp;socketFactory=com.google.cloud.sql.mysql.SocketFactory</span> <span class="na">username</span><span class="pi">:</span> <span class="s">myuser</span> <span class="na">password</span><span class="pi">:</span> <span class="s">mypassword</span> <span class="na">jpa</span><span class="pi">:</span> <span class="na">database</span><span class="pi">:</span> <span class="s">mysql</span> </code></pre></div></div> <p>In order to make this work for App Engine, I used the following configuration for Flexible environment.</p> <p><code class="language-plaintext highlighter-rouge">src/main/appengine/app.yaml</code></p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">runtime</span><span class="pi">:</span> <span class="s">java</span> <span class="na">env</span><span class="pi">:</span> <span class="s">flex</span> <span class="na">service</span><span class="pi">:</span> <span class="s">processor</span> <span class="na">manual_scaling</span><span class="pi">:</span> <span class="na">instances</span><span class="pi">:</span> <span class="m">1</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">memory_gb</span><span class="pi">:</span> <span class="m">0.768</span> <span class="na">handlers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">url</span><span class="pi">:</span> <span class="s">/.*</span> <span class="na">script</span><span class="pi">:</span> <span class="s">this field is required, but ignored</span> <span class="na">env_variables</span><span class="pi">:</span> <span class="na">ENVIRONMENT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">prod"</span> </code></pre></div></div> <p>Notice the environment variable. This was necessary to allow a local development setup that was different from the production deployment. A bit of trickery in the Spring Boot init uses this environment variable:</p> <p><code class="language-plaintext highlighter-rouge">src/main/java/com/example/java/gettingstarted/HelloworldApplication.java</code></p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@SpringBootApplication</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloworldApplication</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">SpringApplication</span> <span class="n">springApplication</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SpringApplication</span><span class="o">(</span><span class="nc">HelloworldApplication</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="nc">String</span> <span class="n">env</span> <span class="o">=</span> <span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"ENVIRONMENT"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">env</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">env</span> <span class="o">=</span> <span class="s">"dev"</span><span class="o">;</span> <span class="o">}</span> <span class="n">springApplication</span><span class="o">.</span><span class="na">setAdditionalProfiles</span><span class="o">(</span><span class="n">env</span><span class="o">);</span> <span class="n">springApplication</span><span class="o">.</span><span class="na">run</span><span class="o">(</span><span class="n">args</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>Assuming the appengine plugin is applied to your build, you just need an extra dependency to add the socket factory for Google Cloud SQL to the classpath at runtime. I added the following to my Gradle build:</p> <div class="language-groovy highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">dependencies</span> <span class="o">{</span> <span class="o">...</span> <span class="n">runtime</span> <span class="s1">'com.google.cloud.sql:mysql-socket-factory'</span> <span class="o">}</span> </code></pre></div></div> <p>While I won’t delve into the details of why this special piece is needed for Cloud SQL, suffice it to say this handles connecting correctly in a Google Cloud environment.</p> <p>With this basic app in place (and whatever code you want to do databas-ey things, which I trust you can figure out on your own), you’re good to go in App Engine Flexible. The app is secure and can connect to a cloud database, and <code class="language-plaintext highlighter-rouge">/_ah</code> requests made by Google to monitor health work fine. So it would seem.</p> <h2 id="-cat-outputdump--grep-severe--devnull">~&gt; cat output.dump | grep SEVERE &gt; /dev/null</h2> <p>However, when you deploy this totally functional app to App Engine Standard (with a few changes, see below), it fails spectacularly. Here’s the changes I thought I needed.</p> <p><code class="language-plaintext highlighter-rouge">src/main/webapp/WEB-INF/appengine-web.xml</code></p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">&lt;?xml version="1.0" encoding="utf-8"?&gt;</span> <span class="nt">&lt;appengine-web-app</span> <span class="na">xmlns=</span><span class="s">"http://appengine.google.com/ns/1.0"</span><span class="nt">&gt;</span> <span class="nt">&lt;service&gt;</span>hello-world<span class="nt">&lt;/service&gt;</span> <span class="nt">&lt;threadsafe&gt;</span>true<span class="nt">&lt;/threadsafe&gt;</span> <span class="nt">&lt;runtime&gt;</span>java8<span class="nt">&lt;/runtime&gt;</span> <span class="nt">&lt;sessions-enabled&gt;</span>true<span class="nt">&lt;/sessions-enabled&gt;</span> <span class="nt">&lt;public-root&gt;</span>/static<span class="nt">&lt;/public-root&gt;</span> <span class="nt">&lt;env-variables&gt;</span> <span class="nt">&lt;env-var</span> <span class="na">name=</span><span class="s">"ENVIRONMENT"</span> <span class="na">value=</span><span class="s">"prod"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/env-variables&gt;</span> <span class="nt">&lt;system-properties&gt;</span> <span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"java.util.logging.config.file"</span> <span class="na">value=</span><span class="s">"WEB-INF/classes/logging.properties"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/system-properties&gt;</span> <span class="nt">&lt;/appengine-web-app&gt;</span> </code></pre></div></div> <p>The above replaces the <code class="language-plaintext highlighter-rouge">app.yaml</code> that Flexible required. You can add additional scaling parameters if you like, see <a href="https://cloud.google.com/appengine/docs/standard/java/config/appref">appengine-web.xml Reference</a>.</p> <p>Then, depending on your build tool (I use Gradle), you may need to make changes to deploy a WAR file as well. See <a href="https://github.com/GoogleCloudPlatform/getting-started-java/tree/master/appengine-standard-java8/springboot-appengine-standard">this totally unhelpful example</a>. I shouldn’t say totally unhelpful. It definitely works. But it does not do anything Spring Boot-ish whatsoever, other than stare at you and wave… Creepy.</p> <p>The problem is that deploying to Standard using the config that worked on Flexible, I can’t connect to a Cloud SQL datasource. My app fails to deploy and start up successfully. Something is missing. And attempting to figure it out via Google was not working.</p> <p>Somehow, at the end of it all (after nearly a month of procrastinating because this problem was so frustrating to work out), I found the <a href="https://github.com/spring-cloud/spring-cloud-gcp">spring-cloud-gcp project</a>. After looking at the source code, I think I’ve worked out the missing piece, but it’s still a theory. However, the simple fix was to add a starter from this project to my classpath, which effectively adds <code class="language-plaintext highlighter-rouge">spring-cloud-gcp-autoconfigure.jar</code> containing an implementation or two of <code class="language-plaintext highlighter-rouge">CloudSqlJdbcInfoProvider</code>, whatever that is.</p> <p>I added the following to my Gradle build:</p> <div class="language-groovy highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">repositories</span> <span class="o">{</span> <span class="o">...</span> <span class="n">maven</span> <span class="o">{</span> <span class="n">url</span> <span class="s2">"https://repo.spring.io/milestone"</span> <span class="o">}</span> <span class="o">}</span> <span class="n">dependencyManagement</span> <span class="o">{</span> <span class="n">imports</span> <span class="o">{</span> <span class="n">mavenBom</span> <span class="s1">'org.springframework.cloud:spring-cloud-gcp-dependencies:1.0.0.M2'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">dependencies</span> <span class="o">{</span> <span class="o">...</span> <span class="n">providedRuntime</span> <span class="s1">'org.springframework.boot:spring-boot-starter-tomcat'</span> <span class="n">compileOnly</span> <span class="s1">'org.slf4j:jul-to-slf4j'</span> <span class="n">compileOnly</span> <span class="s1">'javax.servlet:javax.servlet-api'</span> <span class="n">runtime</span> <span class="s1">'org.springframework.cloud:spring-cloud-gcp-starter-sql-mysql'</span> <span class="o">}</span> </code></pre></div></div> <p>The first three dependencies are just changes going from Flexible to Standard, which runs in a Jetty container instead of embedded Tomcat. More on this next time. The last piece adds the aforementioned starter for mysql to the classpath at runtime. We do need a few config changes. Here’s the prod config:</p> <p><code class="language-plaintext highlighter-rouge">src/main/resources/application-prod.yml</code></p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">datasource</span><span class="pi">:</span> <span class="c1"># driverClassName: com.mysql.jdbc.Driver</span> <span class="c1"># url: jdbc:mysql://google/hello-world?useSSL=false&amp;cloudSqlInstance=my-project:us-central1:hello-world&amp;socketFactory=com.google.cloud.sql.mysql.SocketFactory</span> <span class="na">username</span><span class="pi">:</span> <span class="s">myuser</span> <span class="na">password</span><span class="pi">:</span> <span class="s">mypassword</span> <span class="na">jpa</span><span class="pi">:</span> <span class="na">database</span><span class="pi">:</span> <span class="s">mysql</span> <span class="na">cloud</span><span class="pi">:</span> <span class="na">gcp</span><span class="pi">:</span> <span class="na">project-id</span><span class="pi">:</span> <span class="s">my-project</span> <span class="na">sql</span><span class="pi">:</span> <span class="na">database-type</span><span class="pi">:</span> <span class="s">mysql</span> <span class="na">database-name</span><span class="pi">:</span> <span class="s">hello-world</span> <span class="na">instance-connection-name</span><span class="pi">:</span> <span class="s">my-project:us-central1:hello-world</span> </code></pre></div></div> <p>The theory is that the <code class="language-plaintext highlighter-rouge">CloudSqlJdbcInfoProvider</code> actually configures the two commented out settings. What looks to happen is that the <code class="language-plaintext highlighter-rouge">driverClassName</code> actually gets set to <code class="language-plaintext highlighter-rouge">com.mysql.jdbc.GoogleDriver</code>, which I don’t even know where that comes from. It isn’t on the classpath. It’s just a mystery. I suspect this is actually the magic, which could make this starter dependency optional at best, though it could have other uses, so your mileage may vary.</p> <p>Now, there’s one last issue with App Engine Standard. Remember the config for Spring Boot from earlier, with the comment about innocuous settings fooling you into believing things that aren’t true? Yeah… About that. So the <code class="language-plaintext highlighter-rouge">management</code> section does not seem to apply in the Standard environment. Possibly because of the war file deployment, additional Spring Boot features aren’t available, feedback welcome on what causes it. But suffice it to say, the <code class="language-plaintext highlighter-rouge">/_ah</code> requests made by Google fail. Why? Because security.</p> <p>So you’ll need to add a couple of unsecured endpoints that can respond to the App Engine Standard health requests. These are <code class="language-plaintext highlighter-rouge">/_ah/start</code> and <code class="language-plaintext highlighter-rouge">/_ah/stop</code>.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HealthController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/_ah/start"</span><span class="o">)</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasRole('ANONYMOUS')"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">start</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"OK"</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/_ah/stop"</span><span class="o">)</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasRole('ANONYMOUS')"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">stop</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"OK"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>You will want to add these to your unsecured routes as well.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/_ah/*"</span><span class="o">)</span> <span class="o">.</span><span class="na">permitAll</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>This works in App Engine Standard. FINALLY!!!</p> <p>Now, there are a few nasty problems left to deal with. I’ll save those for next time.</p> <p>Hint: Try running this pile of mess from your IDE <em>after</em> converting to App Engine Standard. Double Hint: You can’t!!!</p> https://insource.io/blog/articles/google-cloud-platform-part-1.html