Read Time: 12 min
Christopher Woodward
"The film vault" by Sean_Marshall is licensed under CC BY-NC 2.0
Introduction
In the previous article ( Authentication Service Part II), we began implementing the Authentication Service. In this article, we finish our discussion by covering selected methods within the AuthenticationService class, AuthorizationFilter, and AuthenticationController REST endpoint.Requirements
Before you get started, you will need the following:- Java
- Maven
- Docker
- Docker-Compose
Building the Authentication Service
Authentication Service
The AuthenticationService class contains the business logic of the service. Due to the size of the class we will not reproduce it here in its entirety. Instead, we will cover the main highlights of the class.@Autowired fields
While the AuthenticationClass provides the business logic, it depends on the framework to create and @Autowired the following fields: /**
* The discovery client provides access to the <b>ServiceDiscovery</b>
* service.
*/
@Autowired
private DiscoveryClient discoveryClient;
/**
* Provides access to <b>User</b> entities.
*/
@Autowired
private UserRepository userRepository;
/**
* Provides access to <b>Role</b> entities.
*/
@Autowired
private RoleRepository roleRepository;
/**
* Responsible for the generation of JSON Web tokens <b>JWT</b>
*/
@Autowired
private JWTProvider jwtProvider;
/**
* Provides encryption support for passwords
*/
@Autowired
private PasswordEncoder bcryptEncoder;
/**
* Provides an email client that sends email messages through the
* <b>NotificationService</b>.
*/
@Autowired
private EmailClient emailClientService;
/**
* Provides a message channel for sending <b>Account Events</b> to the
* applications message broker.
*/
@Autowired
private AccountEventSource accountEventSource;
/**
* Provides various string validation methods
*/
@Autowired
private Validator validator;
@Autowired
private MeterRegistry meterRegistry;
@Value("${admin.user.email:administrator@thinkmicroservices.com}")
private String adminEmail;
@Value("${admin.user.password:Password_1}")
private String adminPassword;
@Value("${recovery.code.interval.minutes:5}")
long recoveryCodeExpirationIntervalMinutes = 5;
@Value("${token.expiration.interval.minutes:2}")
long tokenExpirationIntervalMinutes = 2;
@Value("${refresh.token.expiration.interval.minutes:15}")
long refreshTokenExpirationIntervalMinutes = 5;
@Value("${active.services.required.check:false}")
private boolean checkRequiredActiveServices = false;
@Value("#{'${active.services.required.for.authentication}'.split(',')}")
private List<String> activeServicesRequiredForAuthentication;
AuthenticationService.java @Autowired excerpt live from GitHub. View Raw
Registration
The registration method is responsible for creating new application accounts. * @param firstName
* @param middleName
* @param lastName
* @param password
* @param confirmPassword
* @return
* @throws RegistrationException
*/
public User registerUser(String email, String firstName, String middleName, String lastName, String password, String confirmPassword) throws RegistrationException {
log.info("register user: {},{},{}", email, password, confirmPassword);
if ((firstName == null) || (firstName.length() == 0)) {
throw new RegistrationException("error.registration.first.name.required");
}
if ((lastName == null) || (lastName.length() == 0)) {
throw new RegistrationException("error.registration.first.name.required");
}
if (!this.isUsernameAvailable(email)) {
throw new RegistrationException("error.registration.email.already.registered");
}
if (!this.validator.isEmailValid(email)) {
throw new RegistrationException("error.registration.email.invalid");
}
if ((password == null) || (password.length() == 0)) {
throw new RegistrationException("error.registration.password.cannot.be.empty");
}
if (!this.validator.isPasswordValid(password)) {
throw new RegistrationException("error.registration.password.complexity.failure");
}
if (!password.equals(confirmPassword)) {
throw new RegistrationException("error.registration.password.confirmation.does.not.match");
}
User user = save(email, password);
AccountRegisteredEvent accountRegisteredEvent = new AccountRegisteredEvent(user.getAccountId(), email, firstName, middleName, lastName);
log.debug(accountRegisteredEvent.toString());
// send account event "Created User"
this.accountEventSource.accountEvents()
.send(MessageBuilder.withPayload(accountRegisteredEvent)
.setHeader("type", "ACCOUNT_REGISTERED_EVENT").build());
this.registrationCounter.increment();
this.emailClientService.sendRegistrationEmail(email);
return user;
}
AuthenticationService.java registration excerpt live from GitHub. View Raw
The method starts by checking the registration rules, throwing RegistrationExceptions with the appropriate I18N message key when necessary. When all the registration conditionals have passed, we create a user entity, publish an AccountRegisteredEvent, and send a registration email to the user.
Authentication
The authentication method is responsible for verifying a valid credential set (email/password) has been registered with the application and generates a JSON Web Token ( JWT) that corresponds to these credentials. *
* @param username
* @param password
* @return
* @throws AuthenticationException
*/
public AuthenticationToken authenticate(String username, String password) throws
AuthenticationException {
log.debug("authenticate:" + username);
if ((checkRequiredActiveServices) && (activeServicesRequiredForAuthentication.size() > 0)) {
log.info("requiredServices:{}", this.activeServicesRequiredForAuthentication.toString());
List<String> activeServices = discoveryClient.getServices().stream().map(String::toUpperCase).collect(Collectors.toList());;
log.info("Discovery services:{}", activeServices);
this.authenticationFailedCounter.increment();
if (!activeServices.containsAll(this.activeServicesRequiredForAuthentication)) {
log.info("all required services are not available,");
List<String> required = new ArrayList<>(this.activeServicesRequiredForAuthentication);
required.removeAll(activeServices);
log.info("missing services:{}", required);
throw new AuthenticationException("error.authentication.required.services.unavailable", required.toString());
}
}
User user = this.loadUserByUsername(username);
// throw exception if no user found
if (user == null) {
this.accountEventSource
.accountEvents()
.send(MessageBuilder
.withPayload(new CredentialsAuthenticationRequestedEvent(null, username, false))
.setHeader("type", "CREDENTIALS_AUTHENTICATION_REQUEST_EVENT").build());
this.authenticationFailedCounter.increment();
throw new AuthenticationException("error.authentication.credentials.invalid");
}
// throw exception if the user account is disabled
boolean isEnabled = this.isAccountEnabled(username);
log.debug("{} activeStatus is {}", username, isEnabled);
if (isEnabled == false) {
this.accountEventSource
.accountEvents()
.send(MessageBuilder
.withPayload(new CredentialsAuthenticationRequestedEvent(null, username, false))
.setHeader("type", "CREDENTIALS_AUTHENTICATION_REQUEST_EVENT").build());
this.authenticationFailedCounter.increment();
throw new AuthenticationException("error.authentication.account.disabled");
}
// check if password matches
User testUser = this.userRepository.findByUsername(username);
if (this.bcryptEncoder.matches(password, testUser.getPassword())) {
Set<Role> roles = user.getRoles();
ArrayList<GrantedAuthority> authorities = this.getGrantedAuthorities(roles);
java.sql.Timestamp lastLogonTimestamp = new java.sql.Timestamp((new java.util.Date().getTime()));
String refreshToken = UUID.randomUUID().toString();
LocalDateTime refreshTokenExpirationTimestamp = LocalDateTime.now();
refreshTokenExpirationTimestamp = refreshTokenExpirationTimestamp.plusMinutes(this.refreshTokenExpirationIntervalMinutes);
LocalDateTime tokenExpiresAtTimestamp = LocalDateTime.now();
tokenExpiresAtTimestamp = tokenExpiresAtTimestamp.plusMinutes(this.tokenExpirationIntervalMinutes);
user.setRefreshTokenExpirationAt(Timestamp.valueOf(refreshTokenExpirationTimestamp));
user.setRefreshToken(refreshToken);
user.setLastLogon(lastLogonTimestamp);
user.setTokenIssuedAt(lastLogonTimestamp);
user.setTokenExpirationAt(Timestamp.valueOf(tokenExpiresAtTimestamp));
this.userRepository.save(user);
final String tokenString = jwtProvider.generateToken(user,
authorities,
lastLogonTimestamp.getTime(), // issued at
Timestamp.valueOf(tokenExpiresAtTimestamp).getTime(),
refreshToken,
Timestamp.valueOf(refreshTokenExpirationTimestamp).getTime());
this.accountEventSource.accountEvents()
.send(MessageBuilder.withPayload(new CredentialsAuthenticationRequestedEvent(user.getAccountId(), username, true))
.setHeader("type", "CREDENTIALS_AUTHENTICATION_REQUEST_EVENT").build());
authenticationSuccessfulCounter.increment();
return new AuthenticationToken(tokenString);
} else {
log.debug("alternate authentication Failed");
this.authenticationFailedCounter.increment();
throw new AuthenticationException("error.authentication.credentials.invalid");
}
}
/**
AuthenticationService.java authentication excerpt live from GitHub. View Raw
The method starts with an option test for required services. This test ensures that all the declared services are available before authenticating. Due to the application's distributed nature, we may want to all users to authenticate only when set of services are available.
We then attempt to load the user by the supplied username (in this case, email address). If the user is not found, we publish a failing CredentialAuthenticationRequestEvent to log the attempt, and throw an AuthenticationException.
If the user is found, its activeStatus is checked. The activeStatus that controls whether an existing user is allowed to authenticate. If the activeStatus is false, we publish a failing CredentialAuthenticationRequestEvent to log the attempt, and throw an AuthenticationException indicating that the account has been disabled.
If the activeStatus is true, we compare the user's stored password with the authentication password. If the password doesn't match, we throw a new AuthenticationException with the invalid credentials message. If the password matches we generate the JWT, publish a passing CredentialAuthenticationRequestEvent to log the success.
Change Password
The changePassword method provides a mechanism for authenticated users to change their existing password. /**
*
* @param changePasswordRequest
* @return
* @throws ChangePasswordException
*/
public void changePassword(String accountId, String currentPassword, String newPassword, String confirmPassword) throws ChangePasswordException {
User userModel = null;
log.debug("change password accountID:{}", accountId);
// lookup the user by email address
if (accountId != null) {
// check if the user exists
log.debug("change password for account id:{}", accountId);
userModel = this.userRepository.findByAccountId(accountId);
if (userModel == null) {
throw new ChangePasswordException("error.authentication.token.isnull");
}
// check if the current password has been supplied
if ((currentPassword == null) || (currentPassword.length() == 0)) {
throw new ChangePasswordException("error.authentication.current.password.required");
}
// check if the current password supplied matches the persisted password
if (!this.bcryptEncoder.matches(currentPassword, userModel.getPassword())) {
throw new ChangePasswordException("error.authentication.current.password.does.not.match");
}
// check if they supplied a new password
if ((newPassword == null) || (newPassword.length() == 0)) {
throw new ChangePasswordException("error.changepassword.cannot.be.empty");
}
// check if the user supplied a matching confirmation password
if (!newPassword.equals(confirmPassword)) {
throw new ChangePasswordException("error.changepassword.confirmation.does.not.match");
}
// check that the new password meets the complexity requirements
if (!validator.isPasswordValid(newPassword)) {
throw new ChangePasswordException("error.changepassword.complexity.failure");
}
// save the new password
userModel.setPassword(bcryptEncoder.encode(newPassword));
userRepository.save(userModel);
// send account event "ChangePassword"
this.accountEventSource
.accountEvents()
.send(MessageBuilder.withPayload(new PasswordChangedEvent(userModel.getAccountId(), userModel.getEmail()))
.setHeader("type", "PASSWORD_CHANGED_EVENT").build());
this.passwordChangedCounter.increment();
} else {
throw new ChangePasswordException("error.authentication.token.invalid");
}
}
/**
AuthenticationService.java change password excerpt live from GitHub. View Raw
It starts by looking up the User using the accountId. This value is present in the JWT. The method requires the user supply the current password along with the a new password and a confirmation password. We require the current password be supplied to prevent a third-party from changing the password if they gain control of an authenticated client. The method then checks that the new password meets the appropriate criteria raising a ChangePasswordException with the corresponding I18N message key if it doesn't. If all criteria are met, the new password is encrypted and stored in the user repository and a PasswordChangedEvent is published.
Password Recovery Request
The recoverPassword method provides a mechanism for users to change forgotten passwords. This is accomplished by generating a recovery password and emailing it to the users. /**
*
* @param user
* @return
* @throws RecoverPasswordException
*/
public String recoverPassword(String email) throws RecoverPasswordException {
log.debug("recover password for:" + email);
User userModel = userRepository.findByUsername(email);
if (userModel == null) {
throw new RecoverPasswordException("error.passwordrecovery.invalid.user", email);
}
String recoveryCodeString = UUID.randomUUID().toString();
userModel.setRecoveryCode(recoveryCodeString);
LocalDateTime expirationTimestamp = LocalDateTime.now();
log.debug("recoveryCodeExpireationIntervalMinutes:{}", recoveryCodeExpirationIntervalMinutes);
log.debug("currentTime :{}" + Timestamp.valueOf(expirationTimestamp));
// add the interval before we store it
expirationTimestamp = expirationTimestamp.plusMinutes(recoveryCodeExpirationIntervalMinutes);
log.debug("currentTime+interval:{}" + Timestamp.valueOf(expirationTimestamp));
log.debug("{} -recovery code={}, expires={} ", email, recoveryCodeString, Timestamp.valueOf(expirationTimestamp));
userModel.setRecoveryExpiresAt(Timestamp.valueOf(expirationTimestamp));
userRepository.save(userModel);
this.emailClientService.sendRecoveryEmail(email, recoveryCodeString);
// send account event "RecoverPassword Requested"
this.accountEventSource.accountEvents().send(MessageBuilder.withPayload(new PasswordRecoveryRequestedEvent(userModel.getAccountId(), userModel.getEmail()))
.setHeader("type", "PASSWORD_RECOVERY_REQUESTED_EVENT").build());
this.passwordRecoveredCounter.increment();
return recoveryCodeString;
}
/**
AuthenticationService.java recover password excerpt live from GitHub. View Raw
The method starts by looking up the user by their email address. If no user is found, the method throws a RecoverPasswordException. If a corresponding user is found, the method will generate a Recovery Code (we use a random UUID) and an expiration time that are store in the User entity. The method then sends an email message containing the Recovery Code to the user's email address. We finish by publishing a PasswordRecoveryRequestedEvent.
Password Recovery Reset
The resetPassword method operates in a similar fashion to the changePassword method with two exceptions. /**
*
* @param email
* @param recoveryCode
* @param newPassword
* @param passwordConfirm
* @throws ResetPasswordException
*/
public void resetPassword(String email, String recoveryCode, String newPassword,
String passwordConfirm) throws ResetPasswordException {
log.debug("reset password");
// check if the email is a registered user
User userModel = userRepository.findByUsername(email);
if (userModel == null) {
throw new ResetPasswordException("error.passwordreset.invalid.user", email);
}
long currentTime = System.currentTimeMillis();
if (userModel.getRecoveryExpiresAt() != null) {
log.debug("difference -{}", userModel.getRecoveryExpiresAt().getTime() - currentTime);
}
// check if the recovery code exists for the user
String persistedRecoveryCode = userModel.getRecoveryCode();
if ((persistedRecoveryCode == null) || (!persistedRecoveryCode.equals(recoveryCode))) {
throw new ResetPasswordException("error.passwordreset.invalid.code");
}
// check if the recovery code expiration is set
if (userModel.getRecoveryExpiresAt() == null) {
log.debug("no recovery expiration date");
throw new ResetPasswordException("error.passwordreset.invalid.code");
}
// check the recovery code hasn't expired
if (currentTime > userModel.getRecoveryExpiresAt().getTime()) {
log.debug("recovery code expired");
throw new ResetPasswordException("error.passwordreset.recovery.code.expired");
}
// check if the new password meets the complexity requirements
if ((newPassword == null) || (!this.validator.isPasswordValid(newPassword))) {
throw new ResetPasswordException("error.passwordreset.password.complexity.failure");
}
// check if the confirmation password matches
if (!newPassword.equals(passwordConfirm)) {
throw new ResetPasswordException("error.passwordreset.password.does.not.match");
}
// ok- change the password
userModel.setPassword(bcryptEncoder.encode(newPassword));
userRepository.save(userModel);
// send account event "ResetPassword"
this.accountEventSource
.accountEvents()
.send(MessageBuilder.withPayload(new PasswordRecoveryCompletedEvent(userModel.getAccountId(), userModel.getEmail()))
.setHeader("type", "PASSWORD_RECOVERY_COMPLETED_EVENT").build());
}
/**
AuthenticationService.java reset password excerpt live from GitHub. View Raw
First, we confirm that the recoveryCode matches the value store in the user entity. If not, the method throws a ResetPasswordException with the invalid code message key.
Secondly, we confirm that the current time is prior to the recovery code expiration time. If not, the method throws a ResetPasswordException with the recovery code expired message.
If all the method conditions are met, the new password will be encrypted and stored, an a PasswordRecoveryCompletedEvent will be published.
Token Refresh
The refreshToken method performs a function similar to the authenticate method. However, instead of requiring a credential set, the method requires a refreshToken. /**
*
* @param refreshToken
* @return
* @throws RefreshTokenException
*/
public AuthenticationToken refreshToken(String refreshToken) throws
RefreshTokenException {
log.debug("refresh token:" + refreshToken);
// check with the service discovery service client that the required
// services are active before allowing a user to authenticate
if (activeServicesRequiredForAuthentication.size() > 0) {
log.info("requiredServices:{}", this.activeServicesRequiredForAuthentication.toString());
List<String> activeServices = discoveryClient.getServices().stream().map(String::toUpperCase).collect(Collectors.toList());;
log.info("Discovery services:{}", activeServices);
if (!activeServices.containsAll(this.activeServicesRequiredForAuthentication)) {
log.info("all required services are not available,");
List<String> required = new ArrayList<>(this.activeServicesRequiredForAuthentication);
required.removeAll(activeServices);
log.info("missing services:{}", required);
throw new RefreshTokenException("error.authentication.required.services.unavailable", required.toString());
}
}
// get the user
User user = this.loadUserByRefreshToken(refreshToken);
// if user is disabled dont return a token
if (!user.isActiveStatus()) {
return new AuthenticationToken("");
}
// everything is cool - generate the new token
Set<Role> roles = user.getRoles();
ArrayList<GrantedAuthority> authorities = this.getGrantedAuthorities(roles);
java.sql.Timestamp lastLogonTimestamp = new java.sql.Timestamp((new java.util.Date().getTime()));
String newRefreshToken = UUID.randomUUID().toString();
LocalDateTime refreshTokenExpirationTimestamp = LocalDateTime.now();
refreshTokenExpirationTimestamp = refreshTokenExpirationTimestamp.plusMinutes(this.refreshTokenExpirationIntervalMinutes);
LocalDateTime tokenExpiresAtTimestamp = LocalDateTime.now();
tokenExpiresAtTimestamp = tokenExpiresAtTimestamp.plusMinutes(this.tokenExpirationIntervalMinutes);
user.setRefreshTokenExpirationAt(Timestamp.valueOf(refreshTokenExpirationTimestamp));
user.setRefreshToken(newRefreshToken);
user.setLastLogon(lastLogonTimestamp);
user.setTokenIssuedAt(lastLogonTimestamp);
user.setTokenExpirationAt(Timestamp.valueOf(tokenExpiresAtTimestamp));
this.userRepository.save(user);
final String tokenString = jwtProvider.generateToken(user,
authorities,
lastLogonTimestamp.getTime(), // issued at
Timestamp.valueOf(tokenExpiresAtTimestamp).getTime(),
newRefreshToken,
Timestamp.valueOf(refreshTokenExpirationTimestamp).getTime());
// TODO generate refresh token event
/*this.accountEventSource.accountEvents()
.send(MessageBuilder.withPayload(new CredentialsAuthenticationRequestedEvent(user.getAccountId(), username, true))
.setHeader("type", "CREDENTIALS_AUTHENTICATION_REQUEST_EVENT").build());
*/
return new AuthenticationToken(tokenString);
}
/**
AuthenticationService.java refresh token excerpt live from GitHub. View Raw
Like the authenticate method, the refreshToken also contains a test for a required set of active services that can be optionally enabled. However, this method performs it's lookup by a refreshToken value. The method checks that the User's status is active before generating a new token. This step is important to prevent previously authenticated users from continuously refreshing their token and using the application in the event that their account has been disabled. Finally, once we have run the gauntlet of conditionals we can generate a new token.
Metric Collection
We will collect five service-specific metrics:- registration.created-a counter collecting the number of new registrations.
- authentication.successul-a counter collecting the number of successful authentication attempts.
- authentication.failed-a counter collecting the number of failed authentication attempts.
- password.changed-a counter collecting the number of password change requests.
- password.recovered-a counter collecting the number of password change requests.
AuthorizationFilter
Several of the features we have discuss require that the caller be authenticated and authorized. As we mentioned in the previous article, this is handled by passing the JWT in the HTTP Authorization Header. Rather than require each service method to test for the presence and validity of the JWT, we centralize this function in the JWTAuthorizationFilter. The filter is called prior to invoking the service's controller which allows the service to inspect the service's request path and authorization header. With the path and authorization header we can query the JWTRoleTable for required roles and verify if the request's JWT contains the requisite roles.package com.thinkmicroservices.ri.spring.auth.jwt;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import lombok.extern.slf4j.Slf4j;
/**
* The JWTRoleTable provides a mechanism for looking up the required roles for a
* given application uri path. The uri paths and corresponding roles are stored
* in a two dimensional array.
*
* @author cwoodward
*/
@Slf4j
public class JWTRoleTable {
// declare the role names
private static final String USER_ROLE = "user";
private static final String ADMIN_ROLE = "admin";
// name the two dimensional array indexes
private static int URI_PREFIX_INDEX = 0;
private static int URI_REQUIRED_ROLES_INDEX = 1;
private static final Object[][] uriRoleTable = {
{"/changePassword", new String[]{USER_ROLE}},
{"/findUsersByActiveStatus", new String[]{ADMIN_ROLE}},
{"/setUserActiveStatus", new String[]{ADMIN_ROLE}},
{"/getAccountStatusByAccountIds", new String[]{ADMIN_ROLE}}
};
/**
*
* @param uriPath URI path string
* @return Collection of Strings representing the roles required for the URI
* path. Returns <b>null</b> if no match found
*
*/
public static List<String> getRequiredRolesByUriPath(String uriPath) {
for (int idx = 0; idx < uriRoleTable.length; idx++) {
log.debug("uri path {}->{}", uriPath, uriRoleTable[idx][URI_PREFIX_INDEX]);
// compare the incoming uri path agains the table. Return the List
// of role strings for the first match
if (uriPath.startsWith(uriRoleTable[idx][URI_PREFIX_INDEX].toString())) {
return convertToStringList(uriRoleTable[idx][URI_REQUIRED_ROLES_INDEX]);
}
}
return new ArrayList<String>();
}
/**
*
* @param objects
* @return a list of all non-null object strings
*/
private static List<String> convertToStringList(Object objx) {
List<String> results = new ArrayList<>();
// guard to ensure method parameter is a non-null, array
if ((objx == null) && (objx.getClass().isArray())) {
return results;
}
// convert the object to an array of objects
Object[] objects = (Object[]) objx;
for (Object obj : objects) {
if (obj != null) {
results.add(obj.toString());
}
}
return results;
}
}
JWTRoleTable live from GitHub. View Raw
The paths and required roles are stored in the class's uriRoleTable. This provides the mapping between a path and an array of required roles.
package com.thinkmicroservices.ri.spring.auth.jwt;
import java.io.IOException;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
/**
*
* @author cwoodward
*/
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
@Slf4j
public class JWTAuthorizationFilter implements Filter {
/**
* message returned when the supplied token has expired.
*/
protected static final String TOKEN_EXPIRED_MESSAGE = "Token Expired";
/**
* message returned when the no token is present
*/
protected static final String TOKEN_MISSING_MESSAGE = "Token Missing";
protected static final String TOKEN_ROLES_INSUFFICIENT_MESSAGE = "Token Insufficient Privileges";
@Autowired
private JWTService jwtService;
/**
* filters incoming requests and ensures a token is provided and has not
* expired. The token is added to the request prior to dispatch to the next
* filter.
*
* @param request
* @param response
* @param chain
* @throws IOException
* @throws ServletException
*/
@Override
public void doFilter(
ServletRequest request,
ServletResponse response,
FilterChain chain) throws IOException, ServletException {
log.debug("invoking JWTAuthorizationFilter...>");
checkJWTServiceAvailable(request);
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
String requestURI = httpRequest.getRequestURI();
log.debug("requestURI={}", requestURI);
List<String> rolesRequired = JWTRoleTable.getRequiredRolesByUriPath(requestURI);
log.debug("required roles for {}={}", requestURI, rolesRequired);
if (rolesRequired.size() > 0) {
// get the token
JWT jwt = extractJwtFromRequest(httpRequest);
// if no token present send an error
if (jwt == null) {
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, TOKEN_MISSING_MESSAGE);
return;
}
// if the token has expired send an error
if (jwt.isTokenExpired()) {
log.debug("uri:{},token expired", httpRequest.getRequestURI());
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, TOKEN_EXPIRED_MESSAGE);
return;
}
// if token is missing required roles send an error
if (!jwt.hasAllRoles(rolesRequired)) {
log.debug("uri:{},insufficient roles", httpRequest.getRequestURI());
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, TOKEN_ROLES_INSUFFICIENT_MESSAGE);
return;
}
// everything looks good. set the JWT into the request for future use
request.setAttribute("JWT", jwt);
log.debug("uri:{},set JWT Attribute", httpRequest.getRequestURI());
// return;
}
//} else {
chain.doFilter(request, response);
//}
}
private JWT extractJwtFromRequest(HttpServletRequest httpRequest) {
String authHeader = httpRequest.getHeader("Authorization");
if ((authHeader != null) && (authHeader.length() > 7)) {
String token = authHeader.substring(7);
log.debug("uri:{},token=>{}", httpRequest.getRequestURI(), token);
return jwtService.decodeJWT(token);
}
return null;
}
public void checkJWTServiceAvailable(ServletRequest request) {
log.debug("checking JWTService");
// this is hack to get the jwtService in the Filter
if (jwtService == null) {
ServletContext servletContext = request.getServletContext();
WebApplicationContext webApplicationContext = WebApplicationContextUtils.getWebApplicationContext(servletContext);
jwtService = webApplicationContext.getBean(JWTService.class);
}
log.debug("JWTService=>{}", jwtService);
}
}
JWTAuthorizationFilter live from GitHub. View Raw
The bulk of the filter resided in the doFilter method which extends the standard javax.servlet.Filter. We start by getting the list of role required to process the request URI. If the list is empty, we dont need to check the JWT roles and we continue to the controller. If the list is not empty, we extract attempts to extract the JWT from the HTTP request. We then perform the following tests:
- If no JWT is present, the filter sends an HTTP response containing the 401 UNUATHORIZED status code and the Token Missing message.
- If no JWT has expired, the filter sends an HTTP response containing the 401 UNUATHORIZED status code and the Token Expired message.
- If no JWT does not contain all the required roles, the filter sends an HTTP response containing the 401 UNUATHORIZED status code and the Token Insufficient Privileges message.
Now that we have an authorization filter, we need to configure our service to use the filter. To do this we create the FilterConfig class.
package com.thinkmicroservices.ri.spring.auth;
import com.thinkmicroservices.ri.spring.auth.jwt.JWTAuthorizationFilter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
/**
*
* @author cwoodward
*/
@Configuration
@Slf4j
public class FilterConfig {
protected static final String URL_PATTERN = "/*";
/**
*
* @return
*/
@Bean
public FilterRegistrationBean<JWTAuthorizationFilter> jwtFilterRegistration() {
FilterRegistrationBean<JWTAuthorizationFilter> filterRegistrationBean
= new FilterRegistrationBean<>(new JWTAuthorizationFilter());
filterRegistrationBean.addUrlPatterns(URL_PATTERN);
log.debug("JWTFilter patterns {}", filterRegistrationBean.getUrlPatterns());
return filterRegistrationBean;
}
}
FilterConfig live from GitHub. View Raw
In this class we add the @Configuration annotation to notify the framework that this is a configuration class. We then create a FilterRegistrationBean that maps all request paths to the JWTAuthorizationFilter (the URL_PATTERN="/*" accomplishes this).
Authentication Controller
The AuthenticationController provides our service's REST endpoint adapter.package com.thinkmicroservices.ri.spring.auth.controller;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.http.HttpStatus;
import com.thinkmicroservices.ri.spring.auth.model.AuthenticationRequest;
import com.thinkmicroservices.ri.spring.auth.service.AuthenticationService;
import com.thinkmicroservices.ri.spring.auth.service.AuthenticationResponse;
import com.thinkmicroservices.ri.spring.auth.model.ChangePasswordRequest;
import com.thinkmicroservices.ri.spring.auth.model.ChangePasswordResponse;
import com.thinkmicroservices.ri.spring.auth.model.RecoverPasswordRequest;
import com.thinkmicroservices.ri.spring.auth.model.RecoveryCodeDTO;
import com.thinkmicroservices.ri.spring.auth.model.RegistrationRequest;
import com.thinkmicroservices.ri.spring.auth.model.RegistrationResponse;
import com.thinkmicroservices.ri.spring.auth.model.ResetPasswordRequest;
import com.thinkmicroservices.ri.spring.auth.model.ResetPasswordResponse;
import com.thinkmicroservices.ri.spring.auth.service.AuthenticationToken;
import com.thinkmicroservices.ri.spring.auth.validator.Validator;
import com.thinkmicroservices.ri.spring.auth.service.exception.ChangePasswordException;
import com.thinkmicroservices.ri.spring.auth.jwt.JWT;
import com.thinkmicroservices.ri.spring.auth.jwt.JWTService;
import com.thinkmicroservices.ri.spring.auth.service.exception.AuthenticationException;
import com.thinkmicroservices.ri.spring.auth.service.exception.RecoverPasswordException;
import com.thinkmicroservices.ri.spring.auth.service.exception.RefreshTokenException;
import com.thinkmicroservices.ri.spring.auth.service.exception.RegistrationException;
import com.thinkmicroservices.ri.spring.auth.service.exception.ResetPasswordException;
import io.swagger.annotations.ApiImplicitParam;
import io.swagger.annotations.ApiImplicitParams;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestParam;
/**
*
* @author cwoodward
*/
@RestController
@Slf4j
public class AuthenticationController {
@Value("${useEmailAsUsername:true}")
private boolean useEmailAsUsername;
@Autowired
private Validator validator;
@Autowired
private AuthenticationService authenticationService;
@Autowired
private JWTService jwtService;
/**
*
* NO ROLES REQUIRED
*
* @param authenticationRequest
* @return
* @throws Exception
*/
@RequestMapping(value = "/authenticate", method = RequestMethod.POST)
public ResponseEntity<?> authentication(
@RequestBody AuthenticationRequest authenticationRequest) throws Exception {
log.debug("authentication request=>" + authenticationRequest);
try {
AuthenticationToken token = authenticationService.authenticate(authenticationRequest.getEmail(), authenticationRequest.getPassword());
return ResponseEntity.ok(AuthenticationResponse.builder()
.success(true)
.token(token.getToken())
.build()
);
} catch (AuthenticationException ex) {
return new ResponseEntity<>(AuthenticationResponse.builder()
.success(false)
.errorMessage(ex.getI18NMessage())
.build(),
HttpStatus.UNAUTHORIZED);
}
}
/**
* NO ROLES REQUIRED
*
* @param refreshToken
* @return
*/
@RequestMapping(value = "/refreshToken/{refreshToken}", method = RequestMethod.GET)
public ResponseEntity<?> refreshToken(@PathVariable String refreshToken) {
log.debug("refresh token=>" + refreshToken);
try {
AuthenticationToken token = authenticationService.refreshToken(refreshToken);
return ResponseEntity.ok(AuthenticationResponse.builder()
.success(true)
.token(token.getToken())
.build()
);
//return ResponseEntity.ok(refreshToken);
} catch (RefreshTokenException ex) {
return new ResponseEntity<>(AuthenticationResponse.builder()
.success(false)
.errorMessage(ex.getI18NMessage())
.build(),
HttpStatus.UNAUTHORIZED);
}
}
/**
* NO ROLES REQUIRED
*
* @param registrationRequest
* @return
* @throws Exception
*/
@RequestMapping(value = "/register", method = RequestMethod.POST)
public ResponseEntity<?> registerUser(@RequestBody RegistrationRequest registrationRequest) throws Exception {
log.debug("creating user:" + registrationRequest);
try {
this.authenticationService.registerUser(registrationRequest.getEmail(),
registrationRequest.getFirstName(),
registrationRequest.getMiddleName(),
registrationRequest.getLastName(),
registrationRequest.getPassword(),
registrationRequest.getConfirmPassword());
return new ResponseEntity<>(RegistrationResponse.builder().success(true).build(), HttpStatus.OK);
} catch (RegistrationException rex) {
log.error(rex.getMessage());
return new ResponseEntity<>(RegistrationResponse.builder().success(false)
.errorMessage(rex.getI18NMessage()).build(), HttpStatus.UNPROCESSABLE_ENTITY);
}
}
/**
* USER ROLE REQUIRED
*
* @param changePassword
* @return
*/
@RequestMapping(value = "/changePassword", method = RequestMethod.POST)
@ApiImplicitParams({
@ApiImplicitParam(name = "Authorization", value = "Authorization token",
required = true, dataType = "string", paramType = "header")})
public ResponseEntity<ChangePasswordResponse> changePassword(@RequestBody ChangePasswordRequest changePassword, HttpServletRequest httpRequest
) {
JWT jwt = (JWT) httpRequest.getAttribute("JWT");
if (jwt != null) {
String accountId = jwt.getAccountId();
try {
authenticationService.changePassword(accountId, changePassword.getCurrentPassword(), changePassword.getNewPassword(), changePassword.getConfirmPassword());
return new ResponseEntity<>(ChangePasswordResponse.builder().success(true).build(), HttpStatus.OK);
} catch (ChangePasswordException cpex) {
log.warn(cpex.getMessage());
return new ResponseEntity<>(ChangePasswordResponse.builder().success(false)
.errorMessage(cpex.getI18NMessage()).build(), HttpStatus.UNPROCESSABLE_ENTITY);
}
}
return new ResponseEntity<>(ChangePasswordResponse.builder().success(false)
.errorMessage("no bearer token in header").build(), HttpStatus.UNAUTHORIZED);
}
/**
* NO ROLES REQUIRED
*
* @param recoverPassword
* @return
*/
@RequestMapping(value = "/recoverPassword", method = RequestMethod.POST)
public ResponseEntity<?> recoverPassword(@RequestBody RecoverPasswordRequest recoverPassword) {
log.debug("recover Password:" + recoverPassword);
RecoveryCodeDTO recoveryCodeDTO = new RecoveryCodeDTO();
recoveryCodeDTO.setEmail(recoverPassword.getEmail());
try {
String recoveryCodeString = authenticationService.recoverPassword(recoverPassword.getEmail());
} catch (RecoverPasswordException rpex) {
return ResponseEntity.status(HttpStatus.PRECONDITION_FAILED)
.body(rpex.getI18NMessage());
}
return ResponseEntity.ok(recoveryCodeDTO);
}
/**
* USER ROLE REQUIRED
*
* @param resetPasswordRequest
* @return
*/
@RequestMapping(value = "/resetPassword", method = RequestMethod.POST)
public ResponseEntity<?> resetPassword(@RequestBody ResetPasswordRequest resetPasswordRequest) {
log.debug("recoverPassword=> {}", resetPasswordRequest);
try {
authenticationService.resetPassword(resetPasswordRequest.getEmail(),
resetPasswordRequest.getRecoveryCode(),
resetPasswordRequest.getNewPassword(),
resetPasswordRequest.getPasswordConfirm());
return new ResponseEntity<>(ResetPasswordResponse.builder()
.success(true)
.build(), HttpStatus.OK);
} catch (ResetPasswordException rpex) {
return new ResponseEntity(ResetPasswordResponse.builder()
.success(false)
.errorMessage(rpex.getI18NMessage()).build(), HttpStatus.FAILED_DEPENDENCY);
}
}
/**
* ADMIN ROLE REQUIRED
*
* @param pageNo
* @param pageSize
* @param sortBy
* @param active
* @param httpServletRequest
* @return
*/
@ApiImplicitParams({
@ApiImplicitParam(name = "Authorization", value = "Authorization token",
required = true, dataType = "string", paramType = "header")})
@RequestMapping(value = "/findUsersByActiveStatus", method = RequestMethod.POST)
public ResponseEntity<?> findUsersByPage(@RequestParam Integer pageNo, @RequestParam Integer pageSize, @RequestParam String sortBy, @RequestParam boolean active, HttpServletRequest httpServletRequest) {
return ResponseEntity.ok(this.authenticationService.findActiveUsersByPage(pageNo, pageSize, sortBy, active));
}
/**
* ADMIN ROLE REQUIRED
*
* @param accountId
* @param activeStatus
* @return
*/
@ApiImplicitParams({
@ApiImplicitParam(name = "Authorization", value = "Authorization token",
required = true, dataType = "string", paramType = "header")})
@RequestMapping(value = "/setUserActiveStatus/{accountId}", method = RequestMethod.POST)
public ResponseEntity<?> setUserActiveStatus(@PathVariable String accountId,
@RequestParam boolean activeStatus) {
return ResponseEntity.ok(this.authenticationService.setUserActiveStatus(accountId, activeStatus));
}
/**
* ADMIN ROLE REQUIRED
*
* @param accountIds
* @return
*/
@ApiImplicitParams({
@ApiImplicitParam(name = "Authorization", value = "Authorization token",
required = true, dataType = "string", paramType = "header")})
@RequestMapping(value = "/getAccountStatusByAccountIds", method = RequestMethod.POST)
public ResponseEntity<?> getAccountStatusByAccountIds(@RequestBody List<String> accountIds
) {
return ResponseEntity.ok(this.authenticationService.findUsersByAccountIds(accountIds));
}
}
AuthenticationController live from GitHub. View Raw
The AuthenticationController exposes nine REST endpoint methods. Each of these methods handle the translation of HTTP requests to the corresponding AuthenticationService class methods and process the results back into HTTP responses handling exceptions, and I18N translations.
From a security perspective, we can divide them into three groups::
Unsecured
These methods dont require authentication/authorization.- registerUser
- authentication
- recoverPassword
User-Role secured
These methods require that the JWT contain the User role.- refreshToken
- changePassword
- recoverPassword
- resetPassword
Admin-Role secured
These methods require that the JWT contain the Admin role. These methods are provides to allow basic user adminstration functions.- findUsersByPage
- setUserActiveStatus
- getAccountStatus
Resources
- AuthenticationService Github repository
- AuthenticationService Docker hub image.
- ThinkMicroservice AuthenticationService Dashboard.
Twitter
Facebook
Reddit
LinkedIn
Email