Security is now completed... only token-based calls are now permitted.

2017-10-13 18:08:49 +03:00 · 2017-10-13 18:08:49 +03:00 · 7bebf8b84b
parent 55e4556167
commit 7bebf8b84b
15 changed files with 175 additions and 86 deletions
--- a/dmp-backend/.project
+++ b/dmp-backend/.project
@ -32,5 +32,6 @@
 		<nature>org.eclipse.m2e.core.maven2Nature</nature>
 		<nature>org.eclipse.jdt.core.javanature</nature>
 		<nature>org.eclipse.wst.common.project.facet.core.nature</nature>
 		<nature>org.eclipse.wst.jsdt.core.jsNature</nature>
 	</natures>
 </projectDescription>
--- a/dmp-backend/.settings/org.eclipse.wst.common.component
+++ b/dmp-backend/.settings/org.eclipse.wst.common.component
@ -4,7 +4,7 @@
        <wb-resource deploy-path="/" source-path="/src/main/webapp" tag="defaultRootSource"/>
        <wb-resource deploy-path="/WEB-INF/classes" source-path="/src/main/java"/>
        <wb-resource deploy-path="/WEB-INF/classes" source-path="/src/main/resources"/>
        <property name="java-output-path" value="/dmp-backend/target/classes"/>
        <property name="context-root" value="dmp-backend"/>
        <property name="java-output-path" value="/dmp-backend/target/classes"/>
    </wb-module>
 </project-modules>
--- a/dmp-backend/.settings/org.eclipse.wst.common.project.facet.core.xml
+++ b/dmp-backend/.settings/org.eclipse.wst.common.project.facet.core.xml
@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <faceted-project>
  <fixed facet="wst.jsdt.web"/>
  <installed facet="wst.jsdt.web" version="1.0"/>
  <installed facet="java" version="1.8"/>
  <installed facet="jst.web" version="3.0"/>
  <installed facet="jpt.jpa" version="2.1"/>
  <installed facet="wst.jsdt.web" version="1.0"/>
 </faceted-project>
--- a/dmp-backend/pom.xml
+++ b/dmp-backend/pom.xml
@ -98,19 +98,19 @@
 		<dependency>
 		    <groupId>org.springframework.security</groupId>
 		    <artifactId>spring-security-core</artifactId>
-		    <version>4.2.3.RELEASE</version>
+		    <version>${org.springframework.security.version}</version>
 		</dependency>
 		<dependency>
 		    <groupId>org.springframework.security</groupId>
 		    <artifactId>spring-security-web</artifactId>
-		    <version>4.2.3.RELEASE</version>
+		    <version>${org.springframework.security.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-config</artifactId>
-			<version>4.2.3.RELEASE</version>
+			<version>${org.springframework.security.version}</version>
 		</dependency>
 		<dependency>
@ -239,20 +239,20 @@
    <!-- Spring Security -->
    <dependency>
-	    <groupId>org.springframework.security</groupId>
+	   <groupId>org.springframework.security</groupId>
-	    <artifactId>spring-security-web</artifactId>
+	   <artifactId>spring-security-web</artifactId>
-	    <version>${org.springframework.security.version}</version>
+	   <version>${org.springframework.security.version}</version>
-	  </dependency>
+	</dependency>
-	  <dependency>
+	<dependency>
-	    <groupId>org.springframework.security</groupId>
+	   <groupId>org.springframework.security</groupId>
-	    <artifactId>spring-security-config</artifactId>
+	   <artifactId>spring-security-config</artifactId>
-	    <version>${org.springframework.security.version}</version>
+	   <version>${org.springframework.security.version}</version>
-	  </dependency>
+	</dependency>
-		<dependency>
+	<dependency>
-        <groupId>org.springframework</groupId>
+       <groupId>org.springframework</groupId>
-        <artifactId>spring-tx</artifactId>
+       <artifactId>spring-tx</artifactId>
-        <version>${org.springframework.version}</version>
+       <version>${org.springframework.version}</version>
    </dependency>
--- a/dmp-backend/src/main/java/rest/login/Login.java
+++ b/dmp-backend/src/main/java/rest/login/Login.java
@ -1,4 +1,4 @@
-package rest.login;
+package login;
 import java.io.Serializable;
 import java.security.MessageDigest;
@ -71,7 +71,7 @@ public class Login {
 			// create a token
 			token = tokenSessionManager.generateRandomAlphanumeric(512);
 			// add it to the cache 
-			tokenSessionManager.set(credentials.getUsername(), token);
+			tokenSessionManager.set(token, credentials.getUsername());
 		}
 		//get also the additional info of the user (if he has)
--- a/dmp-backend/src/main/java/security/CustomAuthenticationProvider.java
+++ b/dmp-backend/src/main/java/security/CustomAuthenticationProvider.java
@ -2,15 +2,22 @@ package security;
 import java.util.ArrayList;
 import javax.naming.NameAlreadyBoundException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.stereotype.Component;
 import dao.entities.security.UserInfoDao;
 import entities.security.UserInfo;
 import exceptions.NonValidTokenException;
 import security.validators.GoogleTokenValidator;
 import security.validators.NativeTokenValidator;
 import security.validators.TokenValidator;
@Component
 public class CustomAuthenticationProvider implements AuthenticationProvider {
@ -18,36 +25,49 @@ public class CustomAuthenticationProvider implements AuthenticationProvider {
 	@Autowired private UserInfoDao userInfoDao;
 	@Autowired private GoogleTokenValidator googleTokenValidator;
 	@Autowired private NativeTokenValidator nativeTokenValidator;
 	@Override
 	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
-		/*
+
 		if (authentication != null) {
-			// check whether the token is valid
+			
 			String token = (String)authentication.getCredentials();
-			GoogleTokenValidator gValidator = new GoogleTokenValidator();
+			
-			UserInfo userInfo = null;
+			TokenValidator tokenValidator = null;
 			if(TokenAuthenticationFilter.HEADER_GOOGLE_TOKEN_FIELD.equals(authentication.getPrincipal())) 
 				tokenValidator = googleTokenValidator;
 			else if(TokenAuthenticationFilter.HEADER_NATIVE_TOKEN_FIELD.equals(authentication.getPrincipal()))
 				tokenValidator = nativeTokenValidator;
 			else 
 				throw new AuthenticationServiceException("The appropriate http headers have not been set. Please check!");
 			try {
-				userInfo = gValidator.validateToken(token);
+				tokenValidator.validateToken(token);
 			} catch (NonValidTokenException e) {
 				System.out.println("Could not validate a user by his token! Reason: "+e.getMessage());
 				throw new AuthenticationServiceException("Token validation failed - Not a valid token");
 			}
 			//store to database if new
 			UserInfo existingUserInfo = userInfoDao.getByKey(userInfo.getId(), userInfo.getEmail());
 			if(existingUserInfo == null)
 				userInfoDao.create(userInfo);
-			// if reached this point, authentication is ok
+			//store to database if new
 //			UserInfo existingUserInfo = userInfoDao.getByKey(userInfo.getId(), userInfo.getEmail());
 //			if(existingUserInfo == null)
 //				userInfoDao.create(userInfo);
 			// if reached this point, authentication is ok, so return just an instance with whatever.
 			return new UsernamePasswordAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), new ArrayList<>());
 		}
 		else
 			throw new AuthenticationServiceException("Authentication failed");
-		*/
+
-		//DELETE THIS, USE THE ABOVE
+//		//DELETE THIS, USE THE ABOVE
-		return new UsernamePasswordAuthenticationToken("", "", new ArrayList<>());
+//		return new UsernamePasswordAuthenticationToken("", "", new ArrayList<>());
 	}
--- a/dmp-backend/src/main/java/security/TokenAuthenticationFilter.java
+++ b/dmp-backend/src/main/java/security/TokenAuthenticationFilter.java
@ -14,9 +14,11 @@ import org.springframework.web.filter.GenericFilterBean;
 public class TokenAuthenticationFilter extends GenericFilterBean {
-
+	
-	private static final String HEADER_NATIVE_TOKEN_FIELD = "native-token";
+	public static final String HEADER_NATIVE_TOKEN_FIELD = "native-token";
-	private static final String HEADER_GOOGLE_TOKEN_FIELD = "google-token";
+	public static final String HEADER_GOOGLE_TOKEN_FIELD = "google-token";
 	public static final char HEADERNAME_USERNAME_DELIMITER = 0x1e;  //specially crafted delimiter
 	@Override
 	public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException	{
@ -26,17 +28,17 @@ public class TokenAuthenticationFilter extends GenericFilterBean {
 		String nativeToken = httpRequest.getHeader(HEADER_NATIVE_TOKEN_FIELD);
 		String googleToken = httpRequest.getHeader(HEADER_GOOGLE_TOKEN_FIELD);
-		//just pass the token into the credentials object of the UsernamePasswordAuthenticationToken class
+		//just pass the header, the username and the token into the credentials object of the UsernamePasswordAuthenticationToken class
 		UsernamePasswordAuthenticationToken authentication = null;
-		if(nativeToken != null) 
+		if(nativeToken != null)
-			authentication = new UsernamePasswordAuthenticationToken("native-user", nativeToken);
+			authentication = new UsernamePasswordAuthenticationToken(HEADER_NATIVE_TOKEN_FIELD, nativeToken);
 		if(googleToken != null)
-			authentication = new UsernamePasswordAuthenticationToken("google-user", nativeToken);
+			authentication = new UsernamePasswordAuthenticationToken(HEADER_GOOGLE_TOKEN_FIELD, googleToken);
-		if(authentication != null) {
+		
-			SecurityContextHolder.getContext().setAuthentication(authentication);
+		SecurityContextHolder.getContext().setAuthentication(authentication);
-			chain.doFilter(request, response);
+		chain.doFilter(request, response);
-		}
+
 	}
--- a/dmp-backend/src/main/java/security/TokenSessionManager.java
+++ b/dmp-backend/src/main/java/security/TokenSessionManager.java
@ -34,16 +34,14 @@ public class TokenSessionManager {
 				.build();
 	}
-	
+	public String getUser(String token) {
-	public String get(String key) {
+		return cache.getIfPresent(token);
 		return cache.getIfPresent(key);
 	}
-	public void set(String key, String value) {
+	public void set(String token, String user) {
-		cache.put(key, value);
+		cache.put(token, user);
 	}
 	public String generateRandomAlphanumeric(int length) {
 		SecureRandom random = new SecureRandom();
 		byte bytes[] = new byte[length];
--- a/dmp-backend/src/main/java/security/validators/GoogleTokenValidator.java
+++ b/dmp-backend/src/main/java/security/validators/GoogleTokenValidator.java
@ -15,7 +15,7 @@ import com.google.api.client.json.jackson2.JacksonFactory;
 import entities.security.UserInfo;
 import exceptions.NonValidTokenException;
-public class GoogleTokenValidator {
+public class GoogleTokenValidator implements TokenValidator {
 	private static final JacksonFactory jacksonFactory = new JacksonFactory();
 	private static final HttpTransport transport = new NetHttpTransport();
@ -34,7 +34,8 @@ public class GoogleTokenValidator {
 	}
-	public UserInfo validateToken(String token) throws NonValidTokenException {
+	@Override
 	public void validateToken(String token) throws NonValidTokenException {
 		GoogleIdToken idToken = null;
 		try {
@ -49,22 +50,19 @@ public class GoogleTokenValidator {
 		catch(IllegalArgumentException ex) {
 			throw new NonValidTokenException("Could not verify token");
 		}
-		if (idToken != null) {
+		if(idToken == null) {
-		  Payload payload = idToken.getPayload();
+			throw new NonValidTokenException("Not a valid token");
-		  
+		}
 //		else {
 //		  Payload payload = idToken.getPayload();
 //		  UserInfo userInfo = new UserInfo(payload.getSubject(), payload.getEmail(), 
 //				  payload.getEmailVerified(), (String)payload.get("name"), (String)payload.get("picture"), 
 //				  (String)payload.get("locale"), (String)payload.get("family_name"), (String)payload.get("given_name"), "");
 //		  System.out.println(userInfo.toString());
 //		  return userInfo;
-		  
+//		}
-		  return null;
+		
 		} else {
 			throw new NonValidTokenException("Not a valid token");
 		}
 	}
--- a/dmp-backend/src/main/java/security/validators/NativeTokenValidator.java
+++ b/dmp-backend/src/main/java/security/validators/NativeTokenValidator.java
@ -0,0 +1,22 @@
 package security.validators;
 import org.springframework.beans.factory.annotation.Autowired;
 import exceptions.NonValidTokenException;
 import security.TokenSessionManager;
 public class NativeTokenValidator implements TokenValidator {
 	@Autowired private TokenSessionManager tokenSessionManager; 
 	@Override
 	public void validateToken(String token) throws NonValidTokenException {
 		String tokenUser = tokenSessionManager.getUser(token);
 		if(tokenUser==null || tokenUser.isEmpty())
 			throw new NonValidTokenException("Login session has expired! Need to login again!");
 	}
 }
--- a/dmp-backend/src/main/java/security/validators/TokenValidator.java
+++ b/dmp-backend/src/main/java/security/validators/TokenValidator.java
@ -0,0 +1,9 @@
 package security.validators;
 import exceptions.NonValidTokenException;
 public interface TokenValidator {
 	public void validateToken(String token) throws NonValidTokenException;
 }
--- a/dmp-backend/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/dmp-backend/src/main/webapp/WEB-INF/applicationContext.xml
@ -25,8 +25,11 @@
 	</bean>
-	<bean id="tokenSessionManager" class="security.TokenSessionManager" factory-method="getInstance">
+	<bean id="tokenSessionManager" class="security.TokenSessionManager" factory-method="getInstance" />
-	</bean>
+	
 	<bean id="googleTokenValidator" class="security.validators.GoogleTokenValidator" />
 	<bean id="nativeTokenValidator" class="security.validators.NativeTokenValidator" />
 	<bean id="proxy" class="rest.proxy.Proxy">
 		<constructor-arg type = "String" value = "${proxy.allowed.host}"/>
@ -79,7 +82,7 @@
 	      </props>
    	</property>
 	</bean>
-		
+	
 	<bean id="organisationDao" class="dao.entities.OrganisationDaoImpl" />
--- a/dmp-backend/src/main/webapp/WEB-INF/dmp-backend-login-servlet.xml
+++ b/dmp-backend/src/main/webapp/WEB-INF/dmp-backend-login-servlet.xml
@ -0,0 +1,39 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
 	xmlns:context="http://www.springframework.org/schema/context"
 	xsi:schemaLocation="http://www.springframework.org/schema/mvc
 						http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
 						http://www.springframework.org/schema/context
 						http://www.springframework.org/schema/context/spring-context-4.1.xsd
 						http://www.springframework.org/schema/beans
 						http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
 <!-- 	<context:property-placeholder location="classpath*:**/dmp.properties" /> -->
 	<mvc:resources mapping="resources/**" location="/resources/" />
 	<mvc:annotation-driven />
 	<context:component-scan base-package="login" />
 	<bean id="multipartResolver"
 		class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
 		<property name="maxUploadSize" value="100000000" />
 	</bean>
 	<bean id="jsonConverter"
 		class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
 		<property name="prefixJson" value="false" />
 		<property name="supportedMediaTypes" value="application/json" />
 	</bean>
 	<bean
 		class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
 		<property name="messageConverters">
 			<list>
 				<ref bean="jsonConverter" />
 			</list>
 		</property>
 	</bean>
 </beans>
--- a/dmp-backend/src/main/webapp/WEB-INF/spring-security.xml
+++ b/dmp-backend/src/main/webapp/WEB-INF/spring-security.xml
@ -1,5 +1,4 @@
-<!-- 
+
 <?xml version="1.0" encoding="UTF-8"?>
 <beans:beans
   xmlns="http://www.springframework.org/schema/security"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@ -32,18 +31,5 @@
 	<beans:bean id="tokenFilter" class="security.TokenAuthenticationFilter"/>
 <authentication-manager>
 <authentication-provider>
    <password-encoder ref="encoder" />
 </authentication-provider>
  </authentication-manager>
  <beans:bean id="encoder"
 class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
 <beans:constructor-arg name="strength" value="11" />
  </beans:bean>
 </beans:beans>
 -->
--- a/dmp-backend/src/main/webapp/WEB-INF/web.xml
+++ b/dmp-backend/src/main/webapp/WEB-INF/web.xml
@ -3,6 +3,20 @@
  <display-name>dmp-backend</display-name>
  <servlet>
    <servlet-name>dmp-backend-login</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>dmp-backend-login</servlet-name>
    <url-pattern>/login/*</url-pattern>
  </servlet-mapping>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>dmp-backend-rest</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
@ -37,11 +51,10 @@
    </listener-class>
  </listener>
-  
+
  <!-- ,/WEB-INF/spring-security.xml  -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
-    <param-value>/WEB-INF/applicationContext.xml  
+    <param-value>/WEB-INF/applicationContext.xml,/WEB-INF/spring-security.xml 
    </param-value>
  </context-param>
  <session-config>
@ -49,17 +62,15 @@
  </session-config>
  <!-- THIS FILTER IS FOR SPRING SECURITY -->
  <!-- 
 	<filter>
 	   <filter-name>springSecurityFilterChain</filter-name>
 	   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 	</filter>
 	<filter-mapping>
 	   <filter-name>springSecurityFilterChain</filter-name>
-	   <url-pattern>/*</url-pattern>
+	   <url-pattern>/rest/*</url-pattern>
 	</filter-mapping>
   -->