Merge pull request rohitghatol#1 from rohitghatol/master

Match with changes in rohitghatol's repo

Author: rohitghatol

.gitignore

@@ -15,3 +15,5 @@ build
 bin
 .settings
 .gradle
+.DS_Store
+.classpath

README.md

@@ -2,6 +2,8 @@
 This repository is an example of how to get Microservices going using Spring Boot, Spring Cloud, Spring OAuth 2 and Netflix OSS frameworks.
 
 # Table of Content
+* [Contributors](#contributors)
+* [Using the application](#using-application)
 * [Microservices Overview](#microservices-overview)
 * [Netflix OSS](#netflix-oss)
 * [Spring Boot Overview](#spring-boot-overview)
@@ -11,6 +13,29 @@ This repository is an example of how to get Microservices going using Spring Boo
 * [OAuth 2.0 Overview](#oauth-2.0-overview)
 * [Spring OAuth 2.0 Overview](#spring-oauth-2.0-overview)
 
+## <a name="contributors"></a>Contributors
+
+* [Rohit Ghatol](https://www.linkedin.com/in/rohitghatol)
+* [Anil Allewar](https://www.linkedin.com/pub/anil-allewar/18/378/393)
+
+## <a name="using-application"></a>Using the application
+
+The application consists of 7 different services 
+
+* [config server](config-server/README.md) - setup external configuration
+* [webservice-registry](webservice-registry/README.md) - Eureka server
+* [auth-server](auth-server/README.md) - Oauth2 authorization server
+* [user-webservice](user-webservice/README.md) - User micro-service
+* [task-webservice](task-webservice/README.md) - Task micro-service
+* [comments-webservice](comments-webservice/README.md) - Comments for task micro-service
+* [api-gateway](api-gateway/README.md) - API gateway that proxies all the micro-services
+* [web-portal](web-portal/README.md) - Single Page Application that provides the UI
+
+Please refer to the individual readme files on instructions of how to run the services. For demo, you can run the applications in the same order listed above.
+
+Note:
+* If the gradle wrapper doesn't work, then install gradle and run `gradle wrapper` before using `gradlew`.
+* If you need to setup the classpath correctly, then run `./gradlew clean build eclipse` which would setup the `.classpath` accordingly.
 
 ## <a name="microservices-overview"></a>Microservices Overview
 
@@ -129,13 +154,44 @@ You can read in detail about Spring Boot here - https://spring.io/guides/gs/spri
 
 ## <a name="spring-cloud-overview"></a>Spring Cloud Overview
 
+Spring Cloud provides tools for developers to quickly build some of the common patterns in distributed systems (e.g. configuration management, service discovery, circuit breakers, intelligent routing, micro-proxy, control bus, one-time tokens, global locks, leadership election, distributed sessions, cluster state)
 
+You can read in detail about Spring Cloud here - http://projects.spring.io/spring-cloud/
 
 ## <a name="spring-cloud-config-overview"></a>Spring Cloud Config Overview
 
+Spring Cloud config provides support for externalizing configuration in distributed systems. With the Config Server you have a central place to manage external properties for applications across all environments.
+
+You can read in detail about Spring Cloud config here - http://cloud.spring.io/spring-cloud-config/
+
 ## <a name="spring-cloud-netflix-overview"></a>Spring Cloud Netflix Overview
 
+Spring Cloud Netflix provides Netflix OSS integrations for Spring Boot apps through autoconfiguration and binding to the Spring Environment and other Spring programming model idioms.
+
+You can read in detail about Spring Cloud Netflix here - http://cloud.spring.io/spring-cloud-netflix/
+
 ## <a name="oauth-2.0-overview"></a>OAuth 2.0 Overview
 
+OAuth2 is an authorization framework that specifies different ways a third-party application can obtain limited access to determined set of resources. 
+
+![OAuth2 abstract protocol](/images/OAuth2 abstract protocol flow.png)
+
+OAuth defines four roles:
+
+   **resource owner:**
+      An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
+
+   **resource server:**
+      The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
+
+   **client:**
+      An application making protected resource requests on behalf of the resource owner and with its authorization.  The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
+
+   **authorizationserver:**
+      The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
+      
+To get more details of how differnt authorizations work in OAuth2, please refer to the readme at **[auth-server](auth-server/README.md)**
+
 ## <a name="spring-oauth-2.0-overview"></a>Spring OAuth2 Overview
 
+Spring provides nice integration between Spring security and OAuth2 providers including the ability to setup your own authorization server. Please see [Spring security with OAuth2](http://projects.spring.io/spring-security-oauth/docs/oauth2.html) for more details. 

api-gateway/README.md

@@ -0,0 +1,20 @@
+#Overview
+
+The api-gateway application acts the router and authentication and authorization endpoint. 
+
+The Zuul api gateway solves a very common use case where a UI application wants to proxy calls to one or more back end services. This feature is useful for a user interface to proxy to the backend services it requires, avoiding the need to manage CORS and authentication concerns independently for all the backends.For example in our application `/api/user/**` endpoint is mapped to the `user-webservice`. 
+
+It also knows how to invoke the authorization server in case the user is not authenticated. Once the authentication is complete, it relays the OAuth2 token to the respective services so that they can find the authenticated user and provide services.
+
+##Pre-requisites
+
+### Projects that need to be started before
+* [config server](/../../blob/master/config-server/README.md) - For pulling the configuration information
+* [webserver-registry](/../../blob/master/webservice-registry/README.md) - For starting the Eureka server since the authorization server also is a micro-service that needs to be registered with Eureka server.    
+
+### Running the application
+* Build the application by running the `./gradlew clean build` gradle command at the "task-webservice" project root folder	on the terminal.
+* If you want to run the application as jar file, then run `java -jar build/libs/sample-api-gateway-0.0.1.jar` command at the terminal.
+
+## External Configuration
+Please refer to [user webservice](/../../blob/master/user-webservice/README.md) for details on how the external configuration works. Note that there is separate configuration file for each Spring application; the application should refer to it's own .yml file for configuration.

api-gateway/application.yml

@@ -0,0 +1,5 @@
+logging:
+  level:
+     org:
+       springframework:
+         security: DEBUG

api-gateway/bootstrap.yml

@@ -1,6 +1,6 @@
 spring:
   application:
     name: api-gateway
-    cloud:
-      config:
-       uri: http://localhost:8888
+  cloud:
+    config:
+      uri: http://localhost:8888

api-gateway/build.gradle

@@ -39,6 +39,7 @@ dependencies {
 	compile("org.springframework.cloud:spring-cloud-config-client:${project.cloudVersion}")
 	compile("org.springframework.cloud:spring-cloud-starter-eureka:${project.cloudVersion}")
 	compile("org.springframework.cloud:spring-cloud-starter-zuul:${project.cloudVersion}")
+	compile("org.springframework.cloud:spring-cloud-starter-security:${project.cloudVersion}")
 
 	compile("org.springframework.boot:spring-boot-starter-security:${project.bootVersion}")
 	compile("org.springframework.security.oauth:spring-security-oauth2:${project.seurityVersion}")

api-gateway/src/main/java/com/rohitghatol/microservice/gateway/Application.java

@@ -5,23 +5,52 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
-import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
+import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
+import org.springframework.cloud.security.oauth2.resource.EnableOAuth2Resource;
+import org.springframework.cloud.security.oauth2.sso.EnableOAuth2Sso;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 
 
 /**
- * The Main Spring Boot Application class.
- *
+ * The Main Spring Boot Application class which does the following
+ * <ol>
+ * <li>Act as a Eureka client; this behavior is provided by the
+ * {@link EnableEurekaClient} annotation. The Eureka server URL is provided by
+ * the external configuration provided by the config server.</li>
+ * <li>Act as Zuul reverse proxy; this behavior is provided by the
+ * {@link EnableZuulProxy} annotation. Annotating the application with
+ * {@link EnableZuulProxy} forwards local calls to the appropriate service. By
+ * convention, a service with the Eureka ID "users", will receive requests from
+ * the proxy located at /users (with the prefix stripped).</li>
+ * <li>Enable OAuth2 single sign on (SSO) using the {@link EnableOAuth2Sso}
+ * annotation.
+ * <ol>
+ * <li>If your app has a Spring Cloud Zuul embedded reverse proxy (using
+ * {@link EnableZuulProxy}) then you can ask it to forward OAuth2 access tokens
+ * downstream to the services it is proxying.</li>
+ * <li>If you also add the {@link EnableOAuth2Sso} annotation; then it will (in
+ * addition to loggin the user in and grabbing a token) pass the authentication
+ * token downstream to the /proxy/* services.</li>
+ * <li>If those services are implemented with {@link EnableOAuth2Resource} then
+ * they will get a valid token in the correct header.</li>
+ * </ol>
+ * </li>
+ * <li>Note that all these annotations work in conjunction with properties
+ * defined in the external configuration files specified by the config server.
+ * </li>
+ * </ol>
+ * 
  * @author rohitghatol
  */
 
 @Configuration
 @ComponentScan
 @EnableAutoConfiguration
 @EnableZuulProxy
-@EnableDiscoveryClient
+@EnableEurekaClient
+@EnableOAuth2Sso
 public class Application {
 
 	/**

api-gateway/src/main/java/com/rohitghatol/microservice/gateway/config/OAuthConfiguration.java

@@ -1,51 +1,129 @@
 package com.rohitghatol.microservice.gateway.config;
 
-import javax.sql.DataSource;
+import java.io.IOException;
 
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Bean;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.cloud.security.oauth2.sso.OAuth2SsoConfigurerAdapter;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
-import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
-import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
-import org.springframework.security.oauth2.provider.token.TokenStore;
-import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.WebUtils;
 
 
 /**
- * The Class OAuthConfiguration.
+ * The Class OAuthConfiguration that sets up the OAuth2 single sign on
+ * configuration and the web security associated with it.
  */
 @Configuration
-@EnableResourceServer
-public class OAuthConfiguration extends ResourceServerConfigurerAdapter {
+@Component
+public class OAuthConfiguration extends OAuth2SsoConfigurerAdapter {
+	
+	private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";
+	private static final String CSRF_ANGULAR_HEADER_NAME = "X-XSRF-TOKEN";
 
-	@Autowired
-	private DataSource dataSource;
-
-	@Bean
-	public TokenStore tokenStore() {
-		return new JdbcTokenStore(dataSource);
-	}
-
-	/* (non-Javadoc)
-	 * @see org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter#configure(org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer)
-	 */
 	@Override
-	public void configure(ResourceServerSecurityConfigurer resources)
-			throws Exception {
-		resources.resourceId("apis").tokenStore(tokenStore());
+	public void match(RequestMatchers matchers) {
+		matchers.anyRequest();
 	}
+	
+	/**
+	 * Define the security that applies to the proxy
+	 */
 	@Override
     public void configure(HttpSecurity http) throws Exception {
         http
-            .authorizeRequests()
-            .antMatchers(HttpMethod.GET, "/api/user/**","/api/task/**").access("#oauth2.hasScope('read')")
+        	.authorizeRequests()
+        	//Allow access to all static resources without authentication
+        	.antMatchers("/","/**/*.html").permitAll()
+        	.anyRequest().authenticated()
+        	.antMatchers(HttpMethod.GET, "/api/user/**","/api/task/**").access("#oauth2.hasScope('read')")
             .antMatchers(HttpMethod.OPTIONS, "/api/user/**","/api/task/**").access("#oauth2.hasScope('read')")
             .antMatchers(HttpMethod.POST, "/api/user/**","/api/task/**").access("#oauth2.hasScope('write')")
             .antMatchers(HttpMethod.PUT, "/api/user/**","/api/task/**").access("#oauth2.hasScope('write')")
             .antMatchers(HttpMethod.PATCH, "/api/user/**","/api/task/**").access("#oauth2.hasScope('write')")
-            .antMatchers(HttpMethod.DELETE, "/api/user/**","/api/task/**").access("#oauth2.hasScope('write')");
+            .antMatchers(HttpMethod.DELETE, "/api/user/**","/api/task/**").access("#oauth2.hasScope('write')")
+            .and().csrf().csrfTokenRepository(this.getCSRFTokenRepository())
+            .and().addFilterAfter(this.createCSRFHeaderFilter(), CsrfFilter.class);
     }
+	
+	/**
+	 * Spring security offers in-built protection for cross site request forgery
+	 * (CSRF) by needing a custom token in the header for any requests that are
+	 * NOT safe i.e. modify the resources from the server e.g. POST, PUT & PATCH
+	 * etc.<br>
+	 * <br>
+	 * 
+	 * This protection is achieved using cookies that send a custom value (would
+	 * remain same for the session) in the first request and then the front-end
+	 * would send back the value as a custom header.<br>
+	 * <br>
+	 * 
+	 * In this method we create a filter that is applied to the web security as
+	 * follows:
+	 * <ol>
+	 * <li>Spring security provides the CSRF token value as a request attribute;
+	 * so we extract it from there.</li>
+	 * <li>If we have the token, Angular wants the cookie name to be
+	 * "XSRF-TOKEN". So we add the cookie if it's not there and set the path for
+	 * the cookie to be "/" which is root. In more complicated cases, this might
+	 * have to be the context root of the api gateway.</li>
+	 * <li>We forward the request to the next filter in the chain</li>
+	 * </ol>
+	 * 
+	 * The request-to-cookie filter that we add needs to be after the
+	 * <code>csrf()</code> filter so that the request attribute for CsrfToken
+	 * has been already added before we start to process it.
+	 * 
+	 * @return
+	 */
+	private Filter createCSRFHeaderFilter() {
+		return new OncePerRequestFilter() {
+			@Override
+			protected void doFilterInternal(HttpServletRequest request,
+					HttpServletResponse response, FilterChain filterChain)
+					throws ServletException, IOException {
+				CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
+						.getName());
+				if (csrf != null) {
+					Cookie cookie = WebUtils.getCookie(request, CSRF_COOKIE_NAME);
+					String token = csrf.getToken();
+					if (cookie == null || token != null
+							&& !token.equals(cookie.getValue())) {
+						cookie = new Cookie(CSRF_COOKIE_NAME, token);
+						cookie.setPath("/");
+						response.addCookie(cookie);
+					}
+				}
+				filterChain.doFilter(request, response);
+			}
+		};
+	}
+
+	/**
+	 * Angular sends the CSRF token in a custom header named "X-XSRF-TOKEN"
+	 * rather than the default "X-CSRF-TOKEN" that Spring security expects.
+	 * Hence we are now telling Spring security to expect the token in the
+	 * "X-XSRF-TOKEN" header.<br><br>
+	 * 
+	 * This customization is added to the <code>csrf()</code> filter.
+	 * 
+	 * @return
+	 */
+	private CsrfTokenRepository getCSRFTokenRepository() {
+		HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
+		repository.setHeaderName(CSRF_ANGULAR_HEADER_NAME);
+		return repository;
+	}
 }