Wednesday, January 25, 2023

Spring Authorization Server 1.0 with LDAP - Spring Security 6

 

Introduction:


Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.

Spring Authorization Server requires a Java 17 or higher Runtime Environment. 


Demo


In this demo, I integrated Spring Authorization Server 1.0 with LDAP.  In LDAP servers can use LDIF (LDAP Data Interchange Format) files to exchange user data. so I used test-server.ldif provide by spring example.



Technology


  • Spring Boot 3.0.1
  • Java 17
  • Spring Authorization Server 1.0
  • Maven 
  • IntelliJ IDEA


Configuration Spring Boot project 


Add Spring Authorization Server and  Spring Security as a dependencies, as in the following example:

   <dependencies>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-authorization-server</artifactId>
<version>1.0.0</version>
</dependency>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>com.unboundid</groupId>
<artifactId>unboundid-ldapsdk</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>

</dependencies>



application.yml



The spring.ldap.embedded.ldif property inside application.yml lets Spring Boot pull in an LDIF data file. 
server:
port: 9000

spring:
ldap:
embedded:
base-dn: dc=springframework,dc=org
ldif: classpath:test-server.ldif
port: 8389
url: ldap://localhost:8389/

logging:
level:
root: INFO
org.springframework.web: INFO
org.springframework.security: INFO
org.springframework.security.oauth2: INFO
# org.springframework.boot.autoconfigure: DEBUG

Create a Simples Webs Controllers

@RestController
public class HelloResource {

@GetMapping("/hello")
public String hello(Principal principal) {
return "Hello "+principal.getName();
}
}

@Controller
public class AuthorizationController {

@GetMapping(value={"", "/", "landing"})
public String consent(Principal principal, Model model){

System.out.println("user "+principal.getName());
model.addAttribute("principalName", principal.getName());
return "landing";
}
}


Set up Spring Security


The ldapAuthentication() method configures things so that the user name at the login form is plugged into {0} such that it searches uid={0},ou=people,dc=springframework,dc=org in the LDAP server. Also, the passwordCompare() method configures the encoder and the name of the password’s attribute.

@Configuration
public class DefaultSecurityConfig {

@Bean
@Order(2)
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
// Form login handles the redirect to the login page from the
// authorization server filter chain
.formLogin(Customizer.withDefaults());

return http.build();
}

/* @Bean
public UserDetailsService userDetailsService() {
UserDetails userDetails = User.withUsername("henry")
.password(passwordEncoder().encode("123"))
.roles("USER")
.build();

return new InMemoryUserDetailsManager(userDetails);
}*/
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.ldapAuthentication()
.userDnPatterns("uid={0},ou=people")
.groupSearchBase("ou=groups")
.contextSource()
.url("ldap://localhost:8389/dc=springframework,dc=org")
.and()
.passwordCompare()
.passwordEncoder(new BCryptPasswordEncoder())
.passwordAttribute("userPassword");
}
}

Set up Authorization Server


  • To get started, You need the minimum required components defined as a @Bean in a Spring @Configuration
  • The first bean is used to define the OAuth2 Protocol Endpoint.
  • The RegisteredClientRepository is the central component where new clients can be registered and existing clients can be queried. It is used by other components when following a specific protocol flow, such as client authentication, authorization grant processing, token introspection, dynamic client registration, and others.
  • com.nimbusds.jose.jwk.source.JWKSource for signing access tokens.
  • java.security.KeyPair with keys generated on startup used to create the JWKSource.
  • JwtDecoder for decoding signed access tokens.
  • AuthorizationServerSettings contains the configuration settings for the OAuth2 authorization server. It specifies the URI for the protocol endpoints as well as the issuer identifier. The default URI for the protocol endpoints are as follows:

@Configuration
public class AuthorizationServerConfig {

@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
throws Exception {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
.oidc(Customizer.withDefaults()); // Enable OpenID Connect 1.0
http
// Redirect to the login page when not authenticated from the
// authorization endpoint
.exceptionHandling((exceptions) -> exceptions
.authenticationEntryPoint(
new LoginUrlAuthenticationEntryPoint("/login"))
)
// Accept access tokens for User Info and/or Client Registration
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);

return http.build();
}

@Bean
public RegisteredClientRepository registeredClientRepository() {
RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("messaging-client")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.redirectUri("http://127.0.0.1:9000/login/oauth2/code/messaging-client-oidc")
.redirectUri("http://127.0.0.1:9000/authorized")
.scope(OidcScopes.OPENID)
.scope(OidcScopes.PROFILE)
.scope("message.read")
.scope("message.write")
.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
.build();

return new InMemoryRegisteredClientRepository(registeredClient);
}

@Bean
public JWKSource<SecurityContext> jwkSource() {
KeyPair keyPair = generateRsaKey();
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
RSAKey rsaKey = new RSAKey.Builder(publicKey)
.privateKey(privateKey)
.keyID(UUID.randomUUID().toString())
.build();
JWKSet jwkSet = new JWKSet(rsaKey);
return new ImmutableJWKSet<>(jwkSet);
}

private static KeyPair generateRsaKey() {
KeyPair keyPair;
try {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
keyPair = keyPairGenerator.generateKeyPair();
}
catch (Exception ex) {
throw new IllegalStateException(ex);
}
return keyPair;
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}

@Bean
public AuthorizationServerSettings authorizationServerSettings() {
return AuthorizationServerSettings.builder().build();
}

@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}

 

Run & Test


Run Spring Boot application with command: mvn spring-boot:run. by console, IntelliJ etc.

http://localhost:9000/landing





User: henry
Password: 123

Result this:


















Source Code


Here on GitHub.




References.

https://spring.io/projects/spring-authorization-server
https://spring.io/guides/gs/authenticating-ldap/
https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/ldap.html
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
https://spring.io/guides/gs/authenticating-ldap/

















Thursday, January 12, 2023

Angular - HTTP interceptor

Introduction:

In Angular, an interceptor is a middleware that can be used to modify or intercept HTTP requests or responses before they are handled by the application.

To implement the HttpInterceptor interface provided by the @angular/common/http module. This interface requires implementing a single method called intercept, which takes in an HttpRequest object and a HttpHandler, and returns an Observable of HttpEvent.

By official documentation

Methods


intercept()


Identifies and handles a given HTTP request.

intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>>

Parameters


req HttpRequest<any> The outgoing request object to handle.

next HttpHandler The next interceptor in the chain, or the backend if no interceptors remain in the chain.

Returns


Observable<HttpEvent<any>>: An observable of the event stream.


Usage





I used jsonplaceholder fake json. Get, Post, Put, Patch and Delete, it is common to use OAuth2 token for to access backend app from angular frontend, so it is need to add next header. 

const clonedRequest = req.clone({
      headers: req.headers.set('Authorization'`Bearer ${token}`),
    });

Before to send to backend request. 


Auth Service (fake token)


Real token we will get from Open Source Identity and Access Management, Basic Auth or something like that.

import { Injectable } from '@angular/core';

@Injectable({
  providedIn: 'root',
})
export class AuthService {
  public get token(): string {
    return '123456';
  }
}


Interceptor Service


Method called intercept that takes in two arguments: req: HttpRequest<any> and next: HttpHandler. Within the intercept method,  adding headers. After modifying the request, call the next.handle(req) method to continue with the request.

import { Injectable } from '@angular/core';
import {
  HttpInterceptor,
  HttpRequest,
  HttpHandler,
  HttpEvent,
from '@angular/common/http';
import { Observable } from 'rxjs';
import { AuthService } from '../auth.service';

@Injectable()
export class MyInterceptor implements HttpInterceptor {
  constructor(private authAuthService) {}

  intercept(
    reqHttpRequest<any>,
    nextHttpHandler
  ): Observable<HttpEvent<any>> {
    const token = this.auth.token;
    // Clone the request and add the new header
    const clonedRequest = req.clone({
      headers: req.headers.set('Authorization'`Bearer ${token}`),
    });

    // Pass the cloned request instead of the original request to the next handle
    console.log(clonedRequest);
    const keys = clonedRequest.headers.keys();
    alert(
      'Before request new header is added: \n' +
        keys.map((keyany=> `${key}${clonedRequest.headers.get(key)}`)
    );

    return next.handle(clonedRequest);
  }
}




HTTP Request Service


import { Injectable } from '@angular/core';
import { HttpClientHttpResponseHttpHeaders } from '@angular/common/http';
import { Observable } from 'rxjs';

const headers = new HttpHeaders().set(
  'content-type',
  'application/json; charset=UTF-8'
);
const endpoint = 'https://jsonplaceholder.typicode.com/posts';

@Injectable()
export class MyServiceService {
  constructor(private httpHttpClient) {}

  postData(dataany): Observable<HttpResponse<any>> {
    return this.http.post<any>(`${endpoint}`data, { headers: headers });
  }

  getData(idnumber): Observable<HttpResponse<any>> {
    return this.http.get<any>(`${endpoint}/${id}`);
  }

  updateData(dataanyidnumber): Observable<HttpResponse<any>> {
    return this.http.put<any>(`${endpoint}/${id}`data, { headers: headers });
  }

  patchData(dataanyidnumber): Observable<HttpResponse<any>> {
    return this.http.patch<any>(`${endpoint}/${id}`data, {
      headers: headers,
    });
  }

  deleteData(idnumber): Observable<HttpResponse<any>> {
    return this.http.delete<any>(`${endpoint}/${id}`);
  }
}



Component


import { ComponentVERSION } from '@angular/core';
import { MyServiceService } from './services/myservice/my-service.service';

@Component({
  selector: 'my-app',
  templateUrl: './app.component.html',
  styleUrls: ['./app.component.css'],
})
export class AppComponent {
  name = 'HTTP interceptor';
  constructor(private _serviceMyServiceService) {}

  responseboolean;
  datastring;

  onGet(valueboolean) {
    this.response = value;
    this._service.getData(1).subscribe((dataany=> {
      this.data = data;
    });
  }

  onSave(valueboolean) {
    this.response = value;
    let json = JSON.stringify({
      title: 'foo',
      body: 'bar',
      userId: 1,
    });

    this._service.postData(json).subscribe((dataany=> {
      this.data = data;
    });
  }

  onPut(valueboolean) {
    this.response = value;

    let json = JSON.stringify({
      id: 1,
      title: 'foo',
      body: 'bar',
      userId: 1,
    });

    this._service.updateData(json1).subscribe((dataany=> {
      this.data = data;
    });
  }

  onPatch(valueboolean) {
    this.response = value;
    let json = JSON.stringify({
      title: 'foo',
    });

    this._service.patchData(json1).subscribe((dataany=> {
      this.data = data;
    });
  }

  onDelete(valueboolean) {
    this.response = value;
    this._service.deleteData(1).subscribe((dataany=> {
      this.data = data;
    });
  }
}




Test






















Here integration example Spring Boot, Angular, Ldap and Keycloak.

Source Code

Here on stackblitz.


References

https://angular.io/
https://jsonplaceholder.typicode.com/






Monday, January 2, 2023

Java Generics - List

  • Only instances of that type can be inserted
            List<T> list = new ArrayList<T>();
  • list − object of List interface.
  • T − The generic type parameter passed during list declaration.

Example:

import java.util.ArrayList;
import java.util.List;

public class GenericList <T>{

List<T> wrappedList;

public GenericList() {
this.wrappedList = new ArrayList<>();
}
public GenericList(List<T> wrappedList) {
this.wrappedList = wrappedList;
}

//get method with custom one
public T myGet(int index){
return wrappedList.get(index);
}

//add method with custom one
public void myAdd(T o){
wrappedList.add(o);
}

//remove method with custom one
public T myRemove(int index){
return wrappedList.remove(index);
}

@Override
public String toString() {
return wrappedList.toString();
}

public static void main(String[] args) {

GenericList<CharSequence> g = new GenericList<>();
g.myAdd("hi");
g.myAdd("hello");
var o = g.myGet(0);
System.out.println("Element 0 = "+o);

System.out.println("Wrapped List "+g.myRemove(0));

}

}

Multiple Data Sources in Spring Boot 3 with Java 21

  In this blog post, we'll explore the configuration and setup for a Spring Boot 3 application with Java 21 that uses multiple data sour...