Spring Authorization Server 1.0 with LDAP - Spring Security 6

 

Introduction:

Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.

Spring Authorization Server requires a Java 17 or higher Runtime Environment. 

Demo

In this demo, I integrated Spring Authorization Server 1.0 with LDAP.  In LDAP servers can use LDIF (LDAP Data Interchange Format) files to exchange user data. so I used test-server.ldif provide by spring example.

Technology

• Spring Boot 3.0.1
• Java 17
• Spring Authorization Server 1.0
• Maven 
• IntelliJ IDEA

Configuration Spring Boot project 

Add Spring Authorization Server and  Spring Security as a dependencies, as in the following example:

   <dependencies>

      <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-security</artifactId>
      </dependency>

         <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-authorization-server</artifactId>
            <version>1.0.0</version>
         </dependency>

      <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-web</artifactId>
      </dependency>

      <dependency>
         <groupId>org.springframework.ldap</groupId>
         <artifactId>spring-ldap-core</artifactId>
      </dependency>
      <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-ldap</artifactId>
      </dependency>
      <dependency>
         <groupId>com.unboundid</groupId>
         <artifactId>unboundid-ldapsdk</artifactId>
      </dependency>

      <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-thymeleaf</artifactId>
      </dependency>

      <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-test</artifactId>
         <scope>test</scope>
      </dependency>

   </dependencies>

  

application.yml


The spring.ldap.embedded.ldif property inside application.yml lets Spring Boot pull in an LDIF data file. 
server:
  port: 9000

spring:
  ldap:
    embedded:
      base-dn: dc=springframework,dc=org
      ldif: classpath:test-server.ldif
      port: 8389
      url: ldap://localhost:8389/

logging:
  level:
    root: INFO
    org.springframework.web: INFO
    org.springframework.security: INFO
    org.springframework.security.oauth2: INFO
#    org.springframework.boot.autoconfigure: DEBUG

Create a Simples Webs Controllers

@RestController
public class HelloResource {

    @GetMapping("/hello")
    public String hello(Principal principal) {
        return "Hello "+principal.getName();
    }
}

@Controller
public class AuthorizationController {

    @GetMapping(value={"", "/", "landing"})
    public String consent(Principal principal, Model model){

        System.out.println("user "+principal.getName());
        model.addAttribute("principalName", principal.getName());
        return "landing";
    }
}


Set up Spring Security

The ldapAuthentication() method configures things so that the user name at the login form is plugged into {0} such that it searches uid={0},ou=people,dc=springframework,dc=org in the LDAP server. Also, the passwordCompare() method configures the encoder and the name of the password’s attribute.

@Configuration
public class DefaultSecurityConfig {

    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
            throws Exception {
        http
                .authorizeHttpRequests((authorize) -> authorize
                        .anyRequest().authenticated()
                )
                // Form login handles the redirect to the login page from the
                // authorization server filter chain
                .formLogin(Customizer.withDefaults());

        return http.build();
    }

    /* @Bean
    public UserDetailsService userDetailsService() {
        UserDetails userDetails = User.withUsername("henry")
                .password(passwordEncoder().encode("123"))
                .roles("USER")
                .build();

        return new InMemoryUserDetailsManager(userDetails);
    }*/
    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .ldapAuthentication()
                .userDnPatterns("uid={0},ou=people")
                .groupSearchBase("ou=groups")
                .contextSource()
                .url("ldap://localhost:8389/dc=springframework,dc=org")
                .and()
                .passwordCompare()
                .passwordEncoder(new BCryptPasswordEncoder())
                .passwordAttribute("userPassword");
    }
}

Set up Authorization Server

• To get started, You need the minimum required components defined as a @Bean in a Spring @Configuration
• The first bean is used to define the OAuth2 Protocol Endpoint.
• The RegisteredClientRepository is the central component where new clients can be registered and existing clients can be queried. It is used by other components when following a specific protocol flow, such as client authentication, authorization grant processing, token introspection, dynamic client registration, and others.
• com.nimbusds.jose.jwk.source.JWKSource for signing access tokens.
• java.security.KeyPair with keys generated on startup used to create the JWKSource.
• JwtDecoder for decoding signed access tokens.
• AuthorizationServerSettings contains the configuration settings for the OAuth2 authorization server. It specifies the URI for the protocol endpoints as well as the issuer identifier. The default URI for the protocol endpoints are as follows:

@Configuration
public class AuthorizationServerConfig {

    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
            throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .oidc(Customizer.withDefaults());  // Enable OpenID Connect 1.0
        http
                // Redirect to the login page when not authenticated from the
                // authorization endpoint
                .exceptionHandling((exceptions) -> exceptions
                        .authenticationEntryPoint(
                                new LoginUrlAuthenticationEntryPoint("/login"))
                )
                // Accept access tokens for User Info and/or Client Registration
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);

        return http.build();
    }

    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("messaging-client")
                .clientSecret("{noop}secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .redirectUri("http://127.0.0.1:9000/login/oauth2/code/messaging-client-oidc")
                .redirectUri("http://127.0.0.1:9000/authorized")
                .scope(OidcScopes.OPENID)
                .scope(OidcScopes.PROFILE)
                .scope("message.read")
                .scope("message.write")
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                .build();

        return new InMemoryRegisteredClientRepository(registeredClient);
    }

    @Bean
    public JWKSource<SecurityContext> jwkSource() {
        KeyPair keyPair = generateRsaKey();
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
        RSAKey rsaKey = new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyID(UUID.randomUUID().toString())
                .build();
        JWKSet jwkSet = new JWKSet(rsaKey);
        return new ImmutableJWKSet<>(jwkSet);
    }

    private static KeyPair generateRsaKey() {
        KeyPair keyPair;
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048);
            keyPair = keyPairGenerator.generateKeyPair();
        }
        catch (Exception ex) {
            throw new IllegalStateException(ex);
        }
        return keyPair;
    }

    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }

    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        return AuthorizationServerSettings.builder().build();
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

 

Run & Test

Run Spring Boot application with command: mvn spring-boot:run. by console, IntelliJ etc.

http://localhost:9000/landing

User: henry

Password: 123

Result this:

Source Code

Here on GitHub.

References.

https://spring.io/projects/spring-authorization-server

https://spring.io/guides/gs/authenticating-ldap/

https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/ldap.html

https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

https://spring.io/guides/gs/authenticating-ldap/

Angular - HTTP interceptor

Introduction:

In Angular, an interceptor is a middleware that can be used to modify or intercept HTTP requests or responses before they are handled by the application.

To implement the HttpInterceptor interface provided by the @angular/common/http module. This interface requires implementing a single method called intercept, which takes in an HttpRequest object and a HttpHandler, and returns an Observable of HttpEvent.

By official documentation

Methods

intercept()

Identifies and handles a given HTTP request.

intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>>

Parameters

req HttpRequest<any> The outgoing request object to handle.

next HttpHandler The next interceptor in the chain, or the backend if no interceptors remain in the chain.

Returns

Observable<HttpEvent<any>>: An observable of the event stream.

Usage

I used jsonplaceholder fake json. Get, Post, Put, Patch and Delete, it is common to use OAuth2 token for to access backend app from angular frontend, so it is need to add next header. 

const clonedRequest = req.clone({

      headers: req.headers.set('Authorization', `Bearer ${token}`),

    });

Before to send to backend request. 

Auth Service (fake token)

Real token we will get from Open Source Identity and Access Management, Basic Auth or something like that.

import { Injectable } from '@angular/core';

@Injectable({

  providedIn: 'root',

})

export class AuthService {

  public get token(): string {

    return '123456';

  }

}

Interceptor Service

Method called intercept that takes in two arguments: req: HttpRequest<any> and next: HttpHandler. Within the intercept method,  adding headers. After modifying the request, call the next.handle(req) method to continue with the request.

import { Injectable } from '@angular/core';

import {

  HttpInterceptor,

  HttpRequest,

  HttpHandler,

  HttpEvent,

} from '@angular/common/http';

import { Observable } from 'rxjs';

import { AuthService } from '../auth.service';

@Injectable()

export class MyInterceptor implements HttpInterceptor {

  constructor(private auth: AuthService) {}

  intercept(

    req: HttpRequest<any>,

    next: HttpHandler

  ): Observable<HttpEvent<any>> {

    const token = this.auth.token;

    // Clone the request and add the new header

    const clonedRequest = req.clone({

      headers: req.headers.set('Authorization', `Bearer ${token}`),

    });

    // Pass the cloned request instead of the original request to the next handle

    console.log(clonedRequest);

    const keys = clonedRequest.headers.keys();

    alert(

      'Before request new header is added: \n' +

        keys.map((key: any) => `${key}: ${clonedRequest.headers.get(key)}`)

    );

    return next.handle(clonedRequest);

  }

}

HTTP Request Service

import { Injectable } from '@angular/core';

import { HttpClient, HttpResponse, HttpHeaders } from '@angular/common/http';

import { Observable } from 'rxjs';

const headers = new HttpHeaders().set(

  'content-type',

  'application/json; charset=UTF-8'

);

const endpoint = 'https://jsonplaceholder.typicode.com/posts';

@Injectable()

export class MyServiceService {

  constructor(private http: HttpClient) {}

  postData(data: any): Observable<HttpResponse<any>> {

    return this.http.post<any>(`${endpoint}`, data, { headers: headers });

  }

  getData(id: number): Observable<HttpResponse<any>> {

    return this.http.get<any>(`${endpoint}/${id}`);

  }

  updateData(data: any, id: number): Observable<HttpResponse<any>> {

    return this.http.put<any>(`${endpoint}/${id}`, data, { headers: headers });

  }

  patchData(data: any, id: number): Observable<HttpResponse<any>> {

    return this.http.patch<any>(`${endpoint}/${id}`, data, {

      headers: headers,

    });

  }

  deleteData(id: number): Observable<HttpResponse<any>> {

    return this.http.delete<any>(`${endpoint}/${id}`);

  }

}

Component

import { Component, VERSION } from '@angular/core';

import { MyServiceService } from './services/myservice/my-service.service';

@Component({

  selector: 'my-app',

  templateUrl: './app.component.html',

  styleUrls: ['./app.component.css'],

})

export class AppComponent {

  name = 'HTTP interceptor';

  constructor(private _service: MyServiceService) {}

  response: boolean;

  data: string;

  onGet(value: boolean) {

    this.response = value;

    this._service.getData(1).subscribe((data: any) => {

      this.data = data;

    });

  }

  onSave(value: boolean) {

    this.response = value;

    let json = JSON.stringify({

      title: 'foo',

      body: 'bar',

      userId: 1,

    });

    this._service.postData(json).subscribe((data: any) => {

      this.data = data;

    });

  }

  onPut(value: boolean) {

    this.response = value;

    let json = JSON.stringify({

      id: 1,

      title: 'foo',

      body: 'bar',

      userId: 1,

    });

    this._service.updateData(json, 1).subscribe((data: any) => {

      this.data = data;

    });

  }

  onPatch(value: boolean) {

    this.response = value;

    let json = JSON.stringify({

      title: 'foo',

    });

    this._service.patchData(json, 1).subscribe((data: any) => {

      this.data = data;

    });

  }

  onDelete(value: boolean) {

    this.response = value;

    this._service.deleteData(1).subscribe((data: any) => {

      this.data = data;

    });

  }

}

Test

Here integration example Spring Boot, Angular, Ldap and Keycloak.

Source Code

Here on stackblitz.

References

https://angular.io/

https://jsonplaceholder.typicode.com/

Java Generics - List

• Only instances of that type can be inserted

            List<T> list = new ArrayList<T>();

• list − object of List interface.
• T − The generic type parameter passed during list declaration.

Example:

import java.util.ArrayList;
import java.util.List;

public class GenericList <T>{

    List<T> wrappedList;

    public GenericList() {
        this.wrappedList = new ArrayList<>();
    }
    public GenericList(List<T> wrappedList) {
        this.wrappedList = wrappedList;
    }

    //get method with custom one
    public T myGet(int index){
        return  wrappedList.get(index);
    }

    //add method with custom one
    public void myAdd(T o){
        wrappedList.add(o);
    }

    //remove method with custom one
    public T myRemove(int index){
        return  wrappedList.remove(index);
    }

    @Override
    public String toString() {
        return wrappedList.toString();
    }

    public static void main(String[] args) {

        GenericList<CharSequence> g = new GenericList<>();
        g.myAdd("hi");
        g.myAdd("hello");
        var o = g.myGet(0);
        System.out.println("Element 0 = "+o);

        System.out.println("Wrapped List "+g.myRemove(0));

    }

}