Reputation: 595
Spring Security filters for JWT-based authentication, verification and authorization scheme, by example
Java + Spring (and Spring Security) here, interested in implementing a JWT-based auth mechanism for my web service using bearer tokens. My understanding of the proper way of using Spring Security for authentication and authorization is through the use of provided (or custom) filters as follows:
- you specify which URLs in your app are authenticated (and thus require authenticated requests to access)
- this is typically done in an
@EnableWebSecurity-annotated web security class that extendsWebSecurityConfigurerAdapter
- this is typically done in an
- for any unauthenticated URLs, no filters should block access to the resources being requested
- an authentication filter effectively provides a "sign in" endpoint
- request clients should hit this signin endpoint (authn filter) initially to obtain an auth token that can be used for making subsequent API calls
- this filter should receive a type of "sign in request" object that contains a principal (e.g. username) and credential (e.g. password)
- this authn filter should use the principal/credential contained in the sign in request to determine if they represents a valid user in the system
- if so, an auth token (JWT, etc.) is generated and sent back to the requesters in the response somehow
- else, if the principal/credential don't match a valid user in the system, an error response is returned and authentication fails
- for authenticated URLs, a verification filter verifies that the request contains an auth token and that the auth token is valid (was signed correctly, contains user information such as JWT claims, is not expired, etc.)
- if the auth token is valid, the request continues on to the authorization filter (see below)
- else if the auth token is not valid, verification fails and the filter sends an error response back to the client
- finally, an authorization filter verifies that the user associated with the valid auth token has the ability/permission to make such a request
- if they do, then the request is allowed to continue on to whatever resources/controller was written to handle it, and that resource/controller provides the response back to the requester
- if they don't, an error response is returned to the client
- ideally the logic (code) inside this authz filter would have access to the permission annotations added to the resource method, so that I can add endpoints and specify permissions on them without having to modify the code of the authz filter
So to begin with, if anything I have stated above is a Spring Security (or web security in general) anti-pattern or is misled, please begin by providing course correction and steering me in the right direction!
Assuming I'm more or less understanding the "auth flow" above correctly...
Are there any specific Spring Security filters that take care of all of this for me already, or that can be extended and have a few methods overridden to behave this way? Or anything that comes really close? Looking at the list of authentication-specific Spring Security filters I see:
UsernamePasswordAuthenticationFilter-> looks like a decent candidate for the authn filter but expects ausernameandpasswordparameter on the query string which is strange to me, and most importantly, does not generate a JWTCasAuthenticationFilter-> looks like its used for CAS-based SSO and is not appropriate for use in non-SSO contextsBasicAuthenticationFilter-> for HTTP basic authentication-based auth, not appropriate for more sophisticated setups
As for token verification and authorization, I (much to my surprise) don't see anything in the Spring Security landscape that could qualify.
Unless anyone knows of JWT-specific filters that I can use or subclass easily, I think I need to implement my own custom filters, in which case I'm wondering how to conigure Spring Security to use them and not use any of these other authentication filters (such as UsernamePasswordAuthenticationFilter) as part of the filter chain.
Upvotes: 5
Views: 8297
Answers (1)
Reputation: 7707
As I understand it, you want to:
- Authenticate users via a username and password and respond with a JWT
- On subsequent requests, authenticate users using that JWT
username/password -> JWT isn't an established authentication mechanism on its own, which is why Spring Security doesn't yet have direct support.
You can get it on your own pretty easily, though.
First, create a /token endpoint that produces a JWT:
@RestController
public class TokenController {
@Value("${jwt.private.key}")
RSAPrivateKey key;
@PostMapping("/token")
public String token(Authentication authentication) {
Instant now = Instant.now();
long expiry = 36000L;
// @formatter:off
String scope = authentication.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.joining(" "));
JWTClaimsSet claims = new JWTClaimsSet.Builder()
.issuer("self")
.issueTime(new Date(now.toEpochMilli()))
.expirationTime(new Date(now.plusSeconds(expiry).toEpochMilli()))
.subject(authentication.getName())
.claim("scope", scope)
.build();
// @formatter:on
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).build();
SignedJWT jwt = new SignedJWT(header, claims);
return sign(jwt).serialize();
}
SignedJWT sign(SignedJWT jwt) {
try {
jwt.sign(new RSASSASigner(this.key));
return jwt;
}
catch (Exception ex) {
throw new IllegalArgumentException(ex);
}
}
}
Second, configure Spring Security to allow HTTP Basic (for the /token endpoint) and JWT (for the rest):
@Configuration
public class RestConfig extends WebSecurityConfigurerAdapter {
@Value("${jwt.public.key}")
RSAPublicKey key;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.authorizeRequests((authz) -> authz.anyRequest().authenticated())
.csrf((csrf) -> csrf.ignoringAntMatchers("/token"))
.httpBasic(Customizer.withDefaults())
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
.sessionManagement((session) -> session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.exceptionHandling((exceptions) -> exceptions
.authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint())
.accessDeniedHandler(new BearerTokenAccessDeniedHandler())
);
// @formatter:on
}
@Bean
UserDetailsService users() {
// @formatter:off
return new InMemoryUserDetailsManager(
User.withUsername("user")
.password("{noop}password")
.authorities("app")
.build());
// @formatter:on
}
@Bean
JwtDecoder jwtDecoder() {
return NimbusJwtDecoder.withPublicKey(this.key).build();
}
}
I think there's appetite to add support for something like this in spring-authorization-server to reduce the /token boilerplate, if you're interested in contributing your efforts!
Upvotes: 1
Related Questions
- How to design a good JWT authentication filter
- How to implement JWT based authentication and authorization in Spring Security
- Generic Authentication Filter in Spring Security used for Authentication
- How Spring Security Filter Chain works
- Spring security JWT
- JWT filter and spring security control flow in a Spring boot web application
- Spring JWT Filter Configuration
- How to use filters in spring security and develop Authentication in filters
- Servlet jsp, authentication filters
- Tomcat SecurityFilter and Authorization