feat(uaa-web): Authentication handler for OAuth2 Server

sergio11 · sergio11 · commit f1663b381469 · 2017-06-11T15:02:14.000+02:00
diff --git a/uaa/uaa-web/pom.xml b/uaa/uaa-web/pom.xml
@@ -49,6 +49,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-jdbc</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-test</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
diff --git a/uaa/uaa-web/src/main/java/sanchez/sergio/config/security/AuthServerOAuth2Config.java b/uaa/uaa-web/src/main/java/sanchez/sergio/config/security/AuthServerOAuth2Config.java
@@ -2,7 +2,6 @@
 
 
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 import javax.annotation.PostConstruct;
 import javax.sql.DataSource;
diff --git a/uaa/uaa-web/src/main/java/sanchez/sergio/config/security/UaaWebSecurityConfiguration.java b/uaa/uaa-web/src/main/java/sanchez/sergio/config/security/UaaWebSecurityConfiguration.java
@@ -17,6 +17,8 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import sanchez.sergio.security.filter.OAuth2ServerAuthenticationFilter;
 
 @Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@@ -26,6 +28,9 @@ public class UaaWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
     
     @Autowired
     private AuthenticationProvider authenticationProvider;
+    
+    @Autowired
+    private OAuth2ServerAuthenticationFilter authenticationFilter;
 
     @Override
     @Bean
@@ -44,6 +49,7 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
     protected void configure(HttpSecurity http) throws Exception {
         
         http
+                .addFilterBefore(authenticationFilter, BasicAuthenticationFilter.class)
                 .exceptionHandling()
                     .authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
                 .and()
diff --git a/uaa/uaa-web/src/main/java/sanchez/sergio/security/filter/DefaultOAuth2AccessTokenExtractor.java b/uaa/uaa-web/src/main/java/sanchez/sergio/security/filter/DefaultOAuth2AccessTokenExtractor.java
@@ -0,0 +1,32 @@
+package sanchez.sergio.security.filter;
+
+import com.fasterxml.jackson.core.JsonParseException;
+import com.fasterxml.jackson.databind.JsonMappingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+
+/**
+ * @author Sergio Sánchez
+ * this is the implementation for extract access_token from response of oauth/token response
+ * this will work fine for password flow
+ */
+public class DefaultOAuth2AccessTokenExtractor implements OAuth2AccessTokenExtractor {
+
+    private ObjectMapper mapper = new ObjectMapper();
+
+    @Override
+    public String getAccessTokenValue(byte[] response) {
+        try {
+            return mapper.readValue(response, OAuth2AccessToken.class)
+                    .getValue();
+        } catch (JsonParseException e) {
+            e.printStackTrace();
+        } catch (JsonMappingException e) {
+            e.printStackTrace();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        return null;
+    }
+}
diff --git a/uaa/uaa-web/src/main/java/sanchez/sergio/security/filter/OAuth2AccessTokenExtractor.java b/uaa/uaa-web/src/main/java/sanchez/sergio/security/filter/OAuth2AccessTokenExtractor.java
@@ -0,0 +1,9 @@
+package sanchez.sergio.security.filter;
+
+/**
+ * @author Sergio Sánchez
+ * To extractor access_token from response of /token
+ */
+public interface OAuth2AccessTokenExtractor {
+    String getAccessTokenValue(byte[] response);
+}
diff --git a/uaa/uaa-web/src/main/java/sanchez/sergio/security/filter/OAuth2ServerAuthenticationFilter.java b/uaa/uaa-web/src/main/java/sanchez/sergio/security/filter/OAuth2ServerAuthenticationFilter.java
@@ -0,0 +1,172 @@
+package sanchez.sergio.security.filter;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+import org.apache.commons.io.output.TeeOutputStream;
+import org.apache.log4j.Logger;
+import org.springframework.mock.web.DelegatingServletOutputStream;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.util.OAuth2Utils;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
+
+/**
+ * @author Sergio Sánchez
+ * Filter to handle authentication of server
+ *
+ */
+public abstract class OAuth2ServerAuthenticationFilter implements Filter {
+
+    private static Logger log = Logger
+            .getLogger(OAuth2ServerAuthenticationFilter.class);
+
+    private DefaultTokenServices tokenServices;
+
+    private OAuth2AccessTokenExtractor tokenExtractor;
+
+    public OAuth2ServerAuthenticationFilter(DefaultTokenServices tokenServices) {
+        this.tokenServices = tokenServices;
+        this.tokenExtractor = new DefaultOAuth2AccessTokenExtractor();
+    }
+
+    public OAuth2ServerAuthenticationFilter(DefaultTokenServices tokenServices,
+            OAuth2AccessTokenExtractor tokenExtractor) {
+        this.tokenServices = tokenServices;
+        this.tokenExtractor = tokenExtractor;
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response,
+            FilterChain chain) throws IOException, ServletException {
+
+        // create wrapper to read response body
+        ByteArrayResponseWrapper responseWraper = new ByteArrayResponseWrapper(
+                response);
+
+        // led them go
+        chain.doFilter(request, responseWraper);
+
+        // get ClientAuthentication
+        Authentication clientAuthentication = SecurityContextHolder
+                .getContext().getAuthentication();
+
+        // is authenticated or not to proceed
+        if (clientAuthentication != null
+                && clientAuthentication.isAuthenticated()) {
+
+            // callBack client authenticated successfully
+            onSuccessfulClientAuthentication(request, response,
+                    clientAuthentication);
+
+            // check response status is success of failure
+            if (responseWraper.getStatus() == 200) {
+
+                // extract accessToken from response
+                String token = tokenExtractor
+                        .getAccessTokenValue(responseWraper.getByteArray());
+
+                if (token != null && !token.isEmpty()) {
+
+                    // load authentication from token
+                    OAuth2Authentication oAuth2Authentication = this.tokenServices
+                            .loadAuthentication(token);
+                    OAuth2AccessToken actualAccessToken = this.tokenServices
+                            .getAccessToken(oAuth2Authentication);
+
+                    // callBack user authenticated successfully
+                    onSuccessfulUserAuthentication(request, response,
+                            clientAuthentication, oAuth2Authentication,
+                            actualAccessToken);
+                } else {
+                    log.error("access token is empty from extractor");
+                }
+            } else {
+                // callBack user authenticated failure
+                onFailureUserAuthentication(request, response,
+                        clientAuthentication, request.getParameter("username"));
+            }
+        } else {
+            // callBack client authenticated failure
+            onFailClientAuthentication(request, response,
+                    request.getParameter(OAuth2Utils.CLIENT_ID));
+        }
+    }
+
+    protected void onSuccessfulClientAuthentication(ServletRequest request,
+            ServletResponse response, Authentication authentication) {
+    }
+
+    protected void onFailClientAuthentication(ServletRequest request,
+            ServletResponse response, String clientId) {
+    }
+
+    protected void onSuccessfulUserAuthentication(ServletRequest request,
+            ServletResponse response, Authentication clientAuthentication,
+            OAuth2Authentication userOAuth2Authentication,
+            OAuth2AccessToken token) {
+    }
+
+    protected void onFailureUserAuthentication(ServletRequest request,
+            ServletResponse response, Authentication clientAuthentication,
+            String username) {
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+
+    public DefaultTokenServices getTokenServices() {
+        return tokenServices;
+    }
+
+    public void setTokenServices(DefaultTokenServices tokenServices) {
+        this.tokenServices = tokenServices;
+    }
+
+    public OAuth2AccessTokenExtractor getTokenExtractor() {
+        return tokenExtractor;
+    }
+
+    public void setTokenExtractor(OAuth2AccessTokenExtractor tokenExtractor) {
+        this.tokenExtractor = tokenExtractor;
+    }
+
+    // response wrapper
+    private class ByteArrayResponseWrapper extends HttpServletResponseWrapper {
+
+        public ByteArrayResponseWrapper(ServletResponse response) {
+            super((HttpServletResponse) response);
+        }
+
+        private ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+
+        @Override
+        public ServletOutputStream getOutputStream() throws IOException {
+            return new DelegatingServletOutputStream(new TeeOutputStream(
+                    super.getOutputStream(), byteArrayOutputStream));
+        }
+
+        public byte[] getByteArray() {
+            return this.byteArrayOutputStream.toByteArray();
+        }
+    }
+}
diff --git a/uaa/uaa-web/src/main/java/sanchez/sergio/security/filter/OAuth2ServerAuthenticationFilterImpl.java b/uaa/uaa-web/src/main/java/sanchez/sergio/security/filter/OAuth2ServerAuthenticationFilterImpl.java
@@ -0,0 +1,99 @@
+package sanchez.sergio.security.filter;
+
+import javax.annotation.PostConstruct;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.log4j.Logger;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
+import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.stereotype.Component;
+import org.springframework.util.Assert;
+
+/**
+ * @author Sergio Sánchez
+ * Authentication handler for server.
+ *
+ */
+@Component
+public class OAuth2ServerAuthenticationFilterImpl extends OAuth2ServerAuthenticationFilter {
+
+    private static final Logger logger = Logger.getLogger(OAuth2ServerAuthenticationFilterImpl.class);
+    
+    @Autowired
+    private TokenStore tokenStore;
+
+    public OAuth2ServerAuthenticationFilterImpl(DefaultTokenServices tokenServices) {
+        super(tokenServices);
+    }
+
+    @Override
+    protected void onSuccessfulUserAuthentication(ServletRequest request,
+            ServletResponse response, Authentication clientAuthentication,
+            OAuth2Authentication userOAuth2Authentication,
+            OAuth2AccessToken token) {
+
+        // To skip refresh_token request
+        if (userOAuth2Authentication.getOAuth2Request()
+                .getRefreshTokenRequest() == null) {
+
+            Authentication userAuthentication = (Authentication) userOAuth2Authentication.getUserAuthentication();
+            if(userAuthentication != null) {
+                
+                logger.debug("on Successful User Authentication- " + userAuthentication.getName());
+            }
+        }
+    }
+
+    @Override
+    protected void onFailureUserAuthentication(ServletRequest request,
+            ServletResponse response, Authentication clientAuthentication,
+            String username) {
+        logger.debug("on fail user authenticaion -" + username);
+    }
+
+    @Override
+    protected void onFailClientAuthentication(ServletRequest request,
+            ServletResponse response, String clientId) {
+        logger.debug("on fail Client Authentication -" + clientId);
+    }
+
+    @Override
+    protected void onSuccessfulClientAuthentication(ServletRequest request,
+            ServletResponse response, Authentication authentication) {
+        logger.debug("on Successful Client Authentication -" + authentication);
+    }
+
+    private String extractIp(ServletRequest request) {
+        String ipAddress = null;
+        if (request instanceof HttpServletRequest) {
+            HttpServletRequest req = (HttpServletRequest) request;
+            ipAddress = req.getHeader("X-FORWARDED-FOR");
+            if (ipAddress == null) {
+                ipAddress = request.getRemoteAddr();
+            }
+        }
+        return ipAddress;
+    }
+
+    private String extractUserAgent(ServletRequest request) {
+        String userAgent = null;
+        if (request instanceof HttpServletRequest) {
+            userAgent = ((HttpServletRequest) request).getHeader("User-Agent")
+                    .toLowerCase();
+        }
+        return userAgent;
+    }
+    
+    @PostConstruct
+    public void init(){
+        logger.info("Init OAuth2Server Authentication Filter ...");
+        Assert.state(tokenStore != null, "A TokenStore must be provided");
+    }
+
+}
