Patel Romil :
I am trying to implement JWT Token Based Authentication and Authorization. I am using Spring Boot for backend and Angular 7 as frontend and my job is to complete backend work. Bearer Token is successfully generated in Authentication. And I have added it into Header but when I try to fetch the Header using request.getHeader(HEADER_STRING) it isnull.
So how to use this generated Token for further identifying logged in user OR it is frontend job to identify user after token generation?
I have used custom login page in Spring Security and when I make a request to http://localhost:8080/login it contains two login forms instead of one.
Console
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
attemptAuthentication email: [email protected] abcd@A123
2019-03-04 11:33:34.320 INFO 11652 --- [nio-8080-exec-5] o.h.h.i.QueryTranslatorFactoryInitiator : HHH000397: Using ASTQueryTranslatorFactory
Hibernate: select user0_.id as id1_1_, user0_.branch as branch2_1_, user0_.contact as contact3_1_, user0_.createtime as createti4_1_, user0_.designation as designat5_1_, user0_.email as email6_1_, user0_.expreiance as expreian7_1_, user0_.name as name8_1_, user0_.password as password9_1_, user0_.role as role10_1_, user0_.skypeid as skypeid11_1_, user0_.statusenable as statuse12_1_ from user user0_ where user0_.email=?
loadUserByUsername User [user.toString] Role: ROLE_ADMIN
successfulAuthentication username [email protected]
successfulAuthentication bearer Token Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJycEBjeWduZXRpbmZvdGVjaC5jb20iLCJleHAiOjE1NTE3NjU4MTR9.9mLS64W6JBS1RqlEKl1Zmjb8YS03E9k92ITkaFmw35JH4ELIua8Tbkzj0r9crDgdQnxm3YvFKAD9lY3cgoQsNw
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
JWTAuthenticationFilter.java
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
private AuthenticationManager authenticationManager;
public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Autowired
CustomUserDetailService customUserDetailService;
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
try {
System.out.println("attemptAuthentication "+" email: "+request.getParameter("email") + " "+request.getParameter("password"));
//User user = new ObjectMapper().readValue(request.getInputStream(), User.class);
return this.authenticationManager
.authenticate(new UsernamePasswordAuthenticationToken(request.getParameter("email"), request.getParameter("password")));
} catch (Exception e) {
throw new RuntimeException(e);
}
}
@Override
protected void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain,
Authentication authResult) throws IOException, ServletException {
String username = ((org.springframework.security.core.userdetails.User) authResult.getPrincipal()).getUsername();
System.out.println("successfulAuthentication "+" username "+username);
String token = Jwts
.builder()
.setSubject(username)
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
.signWith(SignatureAlgorithm.HS512, SECRET)
.compact();
String bearerToken = TOKEN_PREFIX + token;
System.out.println("successfulAuthentication bearer Token "+bearerToken);
response.getWriter().write(bearerToken);
response.addHeader(HEADER_STRING, bearerToken);
response.sendRedirect(SIGN_UP_SUCCESS);
}
}
JWTAuthorizationFilter.java
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
private final CustomUserDetailService customUserDetailService;
public JWTAuthorizationFilter(AuthenticationManager authenticationManager, CustomUserDetailService customUserDetailService) {
super(authenticationManager);
this.customUserDetailService = customUserDetailService;
}
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain) throws IOException, ServletException {
String header = request.getHeader(HEADER_STRING);
System.out.println("doFilterInternal header "+header+ " response.getHeader(HEADER_STRING) "+response.getHeader(HEADER_STRING));
if (header == null || !header.startsWith(TOKEN_PREFIX)) {
chain.doFilter(request, response);
}
UsernamePasswordAuthenticationToken authenticationToken = getAuthenticationToken(request);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
response.addHeader(header, SIGN_UP_URL);
System.out.println("doFilterInternal authenticationToken : "+authenticationToken+ " "+response.getHeader(SIGN_UP_URL));
chain.doFilter(request, response);
}
private UsernamePasswordAuthenticationToken getAuthenticationToken(HttpServletRequest request) {
String token = request.getHeader(HEADER_STRING);
System.out.println("getAuthenticationToken token: "+token);
if (token == null) return null;
String username = Jwts.parser().setSigningKey(SECRET)
.parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
.getBody()
.getSubject();
UserDetails userDetails = customUserDetailService.loadUserByUsername(username);
System.out.println("getAuthenticationToken userDetails "+userDetails.toString()+ " userDetails.getAuthorities() "+userDetails.getAuthorities());
return username != null ?
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()) : null;
}
}
CustomUserDetailService.java
@Component
public class CustomUserDetailService implements UserDetailsService {
private final UserRepository userRepository;
@Autowired
public CustomUserDetailService(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByEmail(username);
if(user==null)
{
new UsernameNotFoundException("User not found");
return null;
}
else
{
System.out.println("loadUserByUsername "+user.toString()+" Role: "+user.getRole());
List<GrantedAuthority> authorityListAdmin = AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN");
List<GrantedAuthority> authorityListUser = AuthorityUtils.createAuthorityList("ROLE_USER");
return new org.springframework.security.core.userdetails.User
(user.getEmail(), user.getPassword(), user.getRole()=="ADMIN" ? authorityListAdmin : authorityListUser);
}
}
}
SecuriyConfig.java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer{
@Autowired
private CustomUserDetailService customUserDetailService;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/home").setViewName("home");
registry.addViewController("/").setViewName("login");
registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
registry.addViewController("/login").setViewName("login");
registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
registry.addViewController("/failure").setViewName("failure");
registry.addViewController("/403").setViewName("403");
}
@Override
protected void configure(HttpSecurity http) throws Exception{
http
.csrf().disable()
.authorizeRequests().antMatchers("/login","/home","/failure").permitAll()
.antMatchers(HttpMethod.POST,"/admin/**").permitAll()//hasRole("ADMIN")
.antMatchers(HttpMethod.PUT,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/user/**").hasAnyRole("ADMIN","USER")
.antMatchers(HttpMethod.POST,"/user/**").hasAnyRole("ADMIN","USER")
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager(), customUserDetailService))
.exceptionHandling().accessDeniedPage("/403")
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.usernameParameter("email")
.passwordParameter("password")
.defaultSuccessUrl("/home",true)
.failureUrl("/failure")
.and()
.logout().logoutUrl("/logout").permitAll();
}
public SecurityConfig(UserDetailsService userDetailsService) {
super();
this.customUserDetailService = customUserDetailService;
}
}
SecurityConstants.java
public class SecurityConstants {
static final String SECRET = "Romil";
static final String TOKEN_PREFIX = "Bearer ";
static final String HEADER_STRING = "Authorization";
static final String SIGN_UP_URL = "/login";
static final String SIGN_UP_SUCCESS = "/home";
static final long EXPIRATION_TIME = 86400000L;
}
Patel Romil :
How to Pass Token?
- Generate the Token in Spring Boot On Successful Login send token as Response to front-end
- Create AuthInterceptor in Angular that which will set the Token on every further request.
Notes:
We also have to set WebConfig file according to our requirements.
- allowedMethods
- allowedHeaders
- exposedHeaders
- maxAge etc..
For the request in which we don't need to Authenticate and Authorize the user we can add that APIs in
ignoring().antMatchers("").
@Override public void configure(WebSecurity web) throws Exception { web .ignoring() .antMatchers("/userlogin/") .antMatchers("/forgetPassword"); }
Why Access-Control-Expose-Headers?
Access-Control-Expose-Headers (optional) - The XMLHttpRequest object has a getResponseHeader() method that returns the value of a particular response header. During a CORS request, the getResponseHeader() method can only access simple response headers. Simple response headers are defined as follows:
- Cache-Control
- Content-Language
- Content-Type
- Expires
- Last-Modified
- Pragma
If you want clients to be able to access other headers, you have to use the Access-Control-Expose-Headers header. The value of this header is a comma-delimited list of response headers you want to expose to the client.
response.setHeader("Access-Control-Expose-Headers", "Authorization");
AuthInterceptor
import { Injectable } from '@angular/core';
import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Observable } from 'rxjs';
@Injectable()
export class AuthInterceptor implements HttpInterceptor {
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
const token = window.localStorage.getItem('tokenKey'); // you probably want to store it in localStorage or something
if (!token) {
return next.handle(req);
}
const req1 = req.clone({
headers: req.headers.set('Authorization', `${token}`),
});
return next.handle(req1);
}
}