/**
 * Drops the credential material held by this principal once authentication has completed.
 * <p>
 * The user DTO itself is kept (it still backs the username/authorities), but its password is
 * nulled, together with the four OAuth2/OIDC-looking fields (attributes, claims, userInfo,
 * idToken) that this principal also carries.
 */
@Override
public void eraseCredentials() {
    // Password first: this is the piece that must never survive into the security context.
    userDto.setPassword(null);
    // The remaining fields are independent of each other; clear them all.
    idToken = null;
    userInfo = null;
    claims = null;
    attributes = null;
}
}
/**
 * The username of the wrapped user DTO.
 *
 * @return {@code userDto.getUsername()}
 */
@Override
public String getUsername() {
    return this.userDto.getUsername();
}
/**
 * The password of the wrapped user DTO.
 * <p>
 * Returns whatever the DTO currently holds; after {@code eraseCredentials()} this is null.
 *
 * @return {@code userDto.getPassword()}
 */
@Override
public String getPassword() {
    return this.userDto.getPassword();
}
/**
 * Builds a {@link UserDto} snapshot of this user.
 * <p>
 * Copies the id (as a String), the email as username, the password, the roles and the
 * computed tag into a new DTO, then runs the DTO's {@code initialize()} hook.
 *
 * @return a freshly populated DTO
 */
public UserDto toUserDto() {
    UserDto dto = new UserDto();
    dto.setId(getId().toString());
    dto.setUsername(email);
    // NOTE(review): the password is copied into the DTO as-is; confirm every consumer clears it
    // (e.g. via the principal's eraseCredentials()) before the DTO leaves the server.
    dto.setPassword(password);
    dto.setRoles(roles);
    dto.setTag(toTag());
    // Must run after the fields above are set.
    dto.initialize();
    return dto;
}
/**
 * Turns a compact auth token into a Spring {@link Authentication}.
 * <p>
 * The token is parsed with {@code AUTH_AUDIENCE} as the expected audience. If the claims embed
 * the user DTO it is used directly, otherwise the user is looked up via {@code fetchUserDto}.
 * The raw token string is retained as the authentication's credentials.
 *
 * @param token the compact token string
 * @return an authenticated token whose principal is a {@link LemonPrincipal}
 */
protected Authentication createAuthToken(String token) {
    JWTClaimsSet parsed = blueTokenService.parseToken(token, BlueTokenService.AUTH_AUDIENCE);
    UserDto embedded = LecUtils.getUserDto(parsed);
    UserDto user = embedded != null ? embedded : fetchUserDto(parsed);
    LemonPrincipal principal = new LemonPrincipal(user);
    return new UsernamePasswordAuthenticationToken(principal, token, principal.getAuthorities());
}
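/**
 * Decides whether {@code currentUser} holds {@code permission} on the entity with the given id.
 * <p>
 * Only the {@code "edit"} permission is recognised: it is granted to the user whose own id
 * equals {@code id} (compared as strings) and to "good" admins. Any other permission, a null
 * permission, a null id (for the self check) or a null user yields {@code false} rather than
 * an exception.
 *
 * @param id          id of the target entity, compared via {@code toString()}
 * @param currentUser the logged-in user, or null when anonymous
 * @param permission  the permission name being checked
 * @param <ID>        id type
 * @return true when the permission is granted
 */
public static <ID> boolean hasPermission(ID id, UserDto currentUser, String permission) {
    // NOTE(review): this logs the whole DTO via toString(); its content is not visible here —
    // confirm it excludes the password. Kept at debug level.
    log.debug("Computing " + permission + " permission for User " + id + "\n Logged in user: " + currentUser);
    // Constant-first comparison: a null permission is simply denied instead of throwing.
    if (!"edit".equals(permission)) {
        return false;
    }
    if (currentUser == null) {
        return false;
    }
    // A null id cannot be "self"; fall through to the admin check in that case.
    boolean isSelf = id != null && currentUser.getId().equals(id.toString());
    return isSelf || currentUser.isGoodAdmin(); // self or admin
}
}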
/**
 * Maps the user's roles to Spring authorities, each prefixed with {@code "ROLE_"}.
 * <p>
 * A "good" user additionally receives {@code ROLE_} + {@code LecUtils.GOOD_USER}; the
 * {@code GOOD_ADMIN} authority is only considered for good users and added when
 * {@code isGoodAdmin()} holds.
 *
 * @return a mutable list of {@link LemonGrantedAuthority}
 */
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    Set<String> roleNames = userDto.getRoles();
    // +2 leaves room for the GOOD_USER / GOOD_ADMIN authorities appended below.
    List<LemonGrantedAuthority> result = new ArrayList<>(roleNames.size() + 2);
    for (String role : roleNames) {
        result.add(new LemonGrantedAuthority("ROLE_" + role));
    }
    if (userDto.isGoodUser()) {
        result.add(new LemonGrantedAuthority("ROLE_" + LecUtils.GOOD_USER));
        if (userDto.isGoodAdmin()) {
            result.add(new LemonGrantedAuthority("ROLE_" + LecUtils.GOOD_ADMIN));
        }
    }
    return result;
}
/**
 * Mints a fresh auth token for {@code userDto} and adds it to the response as
 * {@code TOKEN_RESPONSE_HEADER_NAME: TOKEN_PREFIX + token}.
 *
 * @param response         the reactive response receiving the header
 * @param userDto          the user the token is created for; its username is the token subject
 * @param expirationMillis expiration value passed through to {@code createToken}
 */
protected void addAuthHeader(ServerHttpResponse response, UserDto userDto, long expirationMillis) {
    String username = userDto.getUsername();
    log.debug("Adding auth header for " + username);
    String token = blueTokenService.createToken(BlueTokenService.AUTH_AUDIENCE, username, expirationMillis);
    response.getHeaders().add(LecUtils.TOKEN_RESPONSE_HEADER_NAME, LecUtils.TOKEN_PREFIX + token);
}
/**
 * Builds the reactive authentication manager for token-based authentication.
 * <p>
 * The incoming {@link Authentication}'s credentials are taken to be the compact token. It is
 * parsed with {@code AUTH_AUDIENCE} as expected audience; the user is read from the claims when
 * embedded, otherwise fetched. The principal's credentials are erased before it is wrapped in a
 * {@link UsernamePasswordAuthenticationToken} that keeps the raw token as credentials.
 *
 * @return a manager emitting an authenticated token for a valid input token
 */
protected ReactiveAuthenticationManager tokenAuthenticationManager() {
    return authentication -> {
        log.debug("Authenticating with token ...");
        String token = (String) authentication.getCredentials();
        JWTClaimsSet claims = blueTokenService.parseToken(token, BlueTokenService.AUTH_AUDIENCE);
        UserDto embedded = LecUtils.getUserDto(claims);
        Mono<UserDto> userMono = embedded != null ? Mono.just(embedded) : fetchUserDto(claims);
        return userMono
            .map(LemonPrincipal::new)
            // Drop the password before the principal reaches the security context.
            .doOnNext(LemonPrincipal::eraseCredentials)
            .map(principal -> new UsernamePasswordAuthenticationToken(principal, token, principal.getAuthorities()));
    };
}
/**
 * Supplies the auditor id (the current user's id) for auditing.
 *
 * @return the current user's id converted through {@code idConverter}, or empty when
 *         {@code currentUser()} yields null
 */
@Override
public Optional<ID> getCurrentAuditor() {
    UserDto user = currentUser();
    return user == null
        ? Optional.empty()
        : Optional.of(idConverter.toId(user.getId()));
}
}
/**
 * Adds the Lemon authorization header to the response.
 * <p>
 * The header is {@code LecUtils.TOKEN_RESPONSE_HEADER_NAME} and its value is
 * {@code LecUtils.TOKEN_PREFIX} followed by a freshly created token for {@code username}.
 *
 * @param response         servlet response receiving the header
 * @param username         token subject
 * @param expirationMillis expiration value passed through to {@code createToken}
 */
public void addAuthHeader(HttpServletResponse response, String username, Long expirationMillis) {
    String token = blueTokenService.createToken(BlueTokenService.AUTH_AUDIENCE, username, expirationMillis);
    response.addHeader(LecUtils.TOKEN_RESPONSE_HEADER_NAME, LecUtils.TOKEN_PREFIX + token);
}
/**
 * Parses {@code token} and returns the named claim, cast to the caller's expected type.
 *
 * @param token the compact token
 * @param claim the claim name
 * @param <T>   the type the caller expects; the cast is unchecked, so a mismatch surfaces as a
 *              ClassCastException at the call site rather than here
 * @return the claim value as returned by {@code getClaim} (presumably null when absent)
 */
@Override
@SuppressWarnings("unchecked") // getClaim() returns Object; the generic cast is this method's contract
public <T> T parseClaim(String token, String claim) {
    Object value = parseToken(token).getClaim(claim);
    return (T) value;
}
/**
 * Creates a token with no extra claims.
 * <p>
 * Delegates to the claim-map overload, passing a fresh (mutable) empty map.
 *
 * @param audience         audience claim
 * @param subject          subject claim
 * @param expirationMillis expiration value passed through
 * @return the serialized token
 */
@Override
public String createToken(String audience, String subject, Long expirationMillis) {
    Map<String, Object> noExtraClaims = new HashMap<>();
    return createToken(audience, subject, expirationMillis, noExtraClaims);
}
/**
 * Extracts the current user from a Spring {@link Authentication}.
 *
 * @param auth the authentication, may be null
 * @param <ID> unused here; retained for signature compatibility
 * @return the user held by the {@link LemonPrincipal}, or null when {@code auth} is null or its
 *         principal is not a {@code LemonPrincipal}
 */
public static <ID extends Serializable> UserDto currentUser(Authentication auth) {
    if (auth == null) {
        return null;
    }
    Object principal = auth.getPrincipal();
    return principal instanceof LemonPrincipal
        ? ((LemonPrincipal) principal).currentUser()
        : null;
}
/**
 * Registers the default {@link LemonPermissionEvaluator}, unless the application already
 * defines a {@link PermissionEvaluator} bean of its own.
 *
 * @return the permission evaluator bean
 */
@Bean
@ConditionalOnMissingBean(PermissionEvaluator.class)
public PermissionEvaluator permissionEvaluator() {
    log.info("Configuring LemonPermissionEvaluator");
    PermissionEvaluator evaluator = new LemonPermissionEvaluator();
    return evaluator;
}
/**
 * Creates an encrypted (JWE) token in compact serialization.
 *
 * @param aud              audience claim
 * @param subject          subject claim
 * @param expirationMillis expiration value passed to {@code createPayload}
 * @param claimMap         additional claims to embed
 * @return the compact JWE string
 * @throws RuntimeException wrapping the {@link JOSEException} when encryption fails
 */
@Override
public String createToken(String aud, String subject, Long expirationMillis, Map<String, Object> claimMap) {
    Payload payload = createPayload(aud, subject, expirationMillis, claimMap);
    // header and encrypter are instance fields configured elsewhere in this class.
    JWEObject jwe = new JWEObject(header, payload);
    try {
        jwe.encrypt(encrypter);
    } catch (JOSEException e) {
        // Cause retained; callers see an unchecked failure.
        throw new RuntimeException(e);
    }
    // Compact JOSE form (dot-separated base64url parts).
    return jwe.serialize();
}
/**
 * Computes the post-OAuth2-login redirect: the URL stored in the redirect-URI cookie (falling
 * back to the configured success URL) with a short-lived auth token appended.
 * <p>
 * NOTE(review): the base URL is taken from a request cookie and the token is carried in the
 * resulting URL; any validation of that cookie value against allowed destinations is not
 * visible here — confirm it happens where the cookie is written. {@code LecwUtils.currentUser()}
 * is assumed to be non-null at this point.
 *
 * @param request  the current request (source of the cookie)
 * @param response the current response (unused here)
 * @return the redirect URL including the short-lived token
 */
@Override
protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
    UserDto user = LecwUtils.currentUser();
    long shortLivedMillis = properties.getJwt().getShortLivedMillis();
    String shortLivedToken = blueTokenService.createToken(
        BlueTokenService.AUTH_AUDIENCE, user.getUsername(), shortLivedMillis);
    String redirectBase = LecwUtils
        .fetchCookie(request, HttpCookieOAuth2AuthorizationRequestRepository.LEMON_REDIRECT_URI_COOKIE_PARAM_NAME)
        .map(Cookie::getValue)
        .orElse(properties.getOauth2AuthenticationSuccessUrl());
    return redirectBase + shortLivedToken;
}
}
/**
 * Returns the current user after adding a fresh authorization header (expiring per
 * {@code jwtExpirationMillis}) to the response.
 *
 * @param response the servlet response receiving the header
 * @return the current user; assumed non-null here
 */
protected UserDto userWithToken(HttpServletResponse response) {
    UserDto user = LecwUtils.currentUser();
    String username = user.getUsername();
    lemonService.addAuthHeader(response, username, jwtExpirationMillis);
    return user;
}
}
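/**
 * Parses {@code token} for {@code audience} and additionally rejects tokens issued before
 * {@code issuedAfter}.
 * <p>
 * The issue time is read from the {@code LEMON_IAT} claim and compared with
 * {@code issuedAfter}; an older token fails via {@code LecUtils.ensureCredentials} with the
 * {@code com.naturalprogrammer.spring.obsoleteToken} message.
 *
 * @param token       compact token
 * @param audience    expected audience
 * @param issuedAfter earliest acceptable issue time, in the same unit as the LEMON_IAT claim
 * @return the parsed claims
 */
@Override
public JWTClaimsSet parseToken(String token, String audience, long issuedAfter) {
    JWTClaimsSet claims = parseToken(token, audience);
    // getClaim returns Object; a numeric JSON claim may come back as Integer or Long depending
    // on the parser, so widen through Number rather than unboxing straight to long.
    long issueTime = ((Number) claims.getClaim(LEMON_IAT)).longValue();
    LecUtils.ensureCredentials(issueTime >= issuedAfter, "com.naturalprogrammer.spring.obsoleteToken");
    return claims;
}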
/**
 * Passes the user stream through unchanged, adding a fresh auth header to {@code response}
 * as a side effect when the user is emitted.
 *
 * @param userDto          the user to return
 * @param response         the reactive response receiving the header
 * @param expirationMillis expiration value passed to {@code addAuthHeader}
 * @return the same user, after the header has been added
 */
public Mono<UserDto> userWithToken(Mono<UserDto> userDto, ServerHttpResponse response, long expirationMillis) {
    return userDto.doOnNext(user -> {
        String username = user.getUsername();
        log.debug("Adding auth header for " + username);
        addAuthHeader(response, user, expirationMillis);
    });
}