December 10, 2022

Blog @ Munaf Sheikh

Latest news from tech-feeds around the world.

Authentication: Remote LDAP Server in WebFlux

Great post from our friends at Source link

In my previous article, we covered authentication and authorization with remote LDAP servers in Spring Web MVC. Since base concepts are the same, some sections are unavoidably the same in these two articles. In order to start from scratch, please refer to the previous article before reading this one.

In this article, we will explain the concept for Spring Webflux. To keep this article as simple as possible; while walking through the sections, if necessary, you will be forwarded to the previous article’s related section for detailed information.

Development Environment Information

For the sake of being on the same page, below is our development environment information. Version information for project dependencies is discussed in the next section.

  • OS: Windows 10 20H2
  • IDE: IntelliJ IDEA 2019.3.1 (Ultimate Edition)
  • Java: 1.8
  • Spring Boot: 2.5.8
  • Apache Maven: 3.5.0

Preparing the Spring Boot Project

We are initializing our Spring Boot project from Spring Initializr.

In order to integrate with LDAP server, do not forget to add the necessary dependencies explained in the “LDAP Integration” section of the previous article.

Preparing APIs

For this project; we have two roles: FINANCE and BUSINESS. We authorize these roles for paths /finance-zone and /business-zone respectively.  These APIs and how authentication is being handled via /authentication API are explained in detail in our previous article under “Preparing APIs” section. Also please refer to the “Introducing JWT Handling Mechanism” section for how JWT mechanism work for authentication purposes.

Introducing Auth/Autz Exception Handling Mechanisms

For unauthenticated requests (i.e., access attempts with expired JWT tokens) we prepare AuthenticationEntryPoint to handle this case and return the descriptive response to the client. Here is the code:

@Configuration
@Slf4j
public class AuthenticationEntryPoint implements ServerAuthenticationEntryPoint {

    @Override
    public Mono<Void> commence(ServerWebExchange serverWebExchange, AuthenticationException e) {
        if (CollectionUtils.isNotEmpty(serverWebExchange.getRequest().getHeaders().get(Constants.HEADER_AUTHORIZATION))) {
            return Mono.empty();
        } else {
            log.info("Unauthenticated access attempt to resource {} with HttpMethod of {} Token: {}",
                    serverWebExchange.getRequest().getPath(),
                    StringUtils.defaultString(serverWebExchange.getRequest().getMethod().name(), StringUtils.EMPTY),
                    serverWebExchange.getRequest().getHeaders().get(Constants.HEADER_AUTHORIZATION));
            return Mono.error(new UnauthenticatedException("Please login to access this resource!"));
        }
    }
}

For this scenario, the client will receive a “HttpStatus.400 (Bad Request)” response since the authentication info being sent is bad.

For unauthorized requests (i.e., access attempts to an API that is not allowed by that user’s role), we prepare AccessDeniedHandler to handle this case and return the descriptive response to the client. Here is the code:

@Configuration
@Slf4j
public class AccessDeniedHandler implements ServerAccessDeniedHandler {

    @Override
    public Mono<Void> handle(ServerWebExchange serverWebExchange, AccessDeniedException e) {
        log.info("Access Denied. Unauthorized access attempt to resource {} from {} with HttpMethod of {} Authorization header: {}",
                serverWebExchange.getRequest().getPath(),
                Optional.ofNullable(serverWebExchange.getRequest().getHeaders().get(Constants.HEADER_X_FORWARDED_FOR))
                        .orElse(Collections.singletonList(serverWebExchange.getRequest().getRemoteAddress().getHostName())),
                StringUtils.defaultString(serverWebExchange.getRequest().getMethod().name(), StringUtils.EMPTY),
                serverWebExchange.getRequest().getHeaders().get(Constants.HEADER_AUTHORIZATION));

        return Mono.error(new UnauthorizedException("You are trying to access to a resource that you're not allowed to."));
    }
}

We’ll use both mechanisms while configuring security in later topics.

Configuring Spring Security

This is the point where we should describe the core of this whole mechanism: WebSecurityConfiguration. In this class, we configure the security of our web application under the configure method:

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
@RequiredArgsConstructor
public class WebSecurityConfiguration {
    private final AuthenticationSuccessHandler authenticationSuccessHandler;
    private final AuthenticationEntryPoint authenticationEntryPoint;
    private final AccessDeniedHandler accessDeniedHandler;
    private final PortalUserService portalUserService;

    @Value("${autz.permitted.paths.all}")
    private String[] permittedPaths;
    @Value("${autz.permitted.paths.finance}")
    private String[] financeRolePermittedPaths;
    @Value("${autz.permitted.paths.business}")
    private String[] businessRolePermittedPaths;

    @Value("${jwt.secret}")
    private String jwtSecret;

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(new UserDetailsRepositoryReactiveAuthenticationManager(portalUserService));
        authenticationWebFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler);

        http
                .cors()
                .and()
                .csrf()
                    .disable()
                .addFilterAt(authenticationWebFilter, SecurityWebFiltersOrder.FIRST)
                .authorizeExchange()
                    .pathMatchers(permittedPaths).permitAll()
                    .pathMatchers(financeRolePermittedPaths).hasAuthority(Constants.LDAP_ROLE_FINANCE)
                    .pathMatchers(businessRolePermittedPaths).hasAuthority(Constants.LDAP_ROLE_BUSINESS)
                    .anyExchange().denyAll()
                .and()
                    .exceptionHandling()
                    .authenticationEntryPoint(this.authenticationEntryPoint)
                    .accessDeniedHandler(this.accessDeniedHandler)
                .and()
                    .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
                    .logout()
                        .disable()
                    .formLogin()
                        .disable();

        http.addFilterAt(new JwtRequestFilter(jwtSecret, portalUserService, authenticationSuccessHandler), SecurityWebFiltersOrder.FIRST);

        return http.build();
    }
}

The following list explains the above code:

  1. Cors and csrf strategies are declared. We disabled csrf since we use JWT for authorization in each and every request.
  2. Under authorizeExchange(), we declared “who has access to where.” Authorization checks are done according to these rules.
  3. Since we authorize each request with JWT, we don’t need a session. We declared the session creation policy as stateless by setting securityContextRepository to NoOpServerSecurityContextRepository. (This also works well if you don’t share sessions between application servers.)
  4. What will happen when an authentication or authorization error occurs? This question is being answered under exceptionHandling(). We covered the contents of these classes in previous sections. 
  5. At last, we disabled the built-in login mechanism of Spring Security, since we provided the  /authentication API. We also disabled the logout mechanism, because it is beyond the scope of this article.

Testing

We test our application with Postman. You can find the exported Postman collection in my GitHub repository.

First things first; we authenticate our Finance user and retrieve the token:
Screenshot showing user authentication.

Here is the response we received:Screenshot of user authentication response.

Now its time to call the /finance API with the above token:Screenshot of the Finance API.

Here is the response we received;
Response returned for Finance API.

So what if we call the /business API with our Finance user? Here is the request:
Screenshot showing /business API request.

Here is the response:

Conclusion

In this article, we developed a Spring Boot project and integrated it into a remote LDAP through Spring Security. In addition, we performed authentication and authorization operations over JWT for the APIs we opened. 

You can get the full implementation of this article from my GitHub repository.

#Authentication #Remote #LDAP #Server #WebFlux