
In Single Sign-On (SSO), I am getting a JWT bearer token from my office network when the application loads. Basically, I have written code in the REST web service to get the bearer token from a different web service.

What I want is: I want to secure some of the REST endpoints in Spring. How can I do that?

I don't want to provide login & password forms to re-login, because I am already calling a web service to get the user info and bearer token. It means I am already logged in, and I am able to print the user info.

I have a user role table with userId; I just want to apply those roles available in the table to the logged-in user ID.

How can we do this?

I found this, but I am expecting that it should not ask to re-enter the username and password again: https://www.ekiras.com/2016/04/authenticate-user-with-custom-user-details-service-in-spring-security.html

Similar kind of problem to mine: https://stackoverflow.com/a/11314388/1684778 and https://stackoverflow.com/a/12057327/1684778

Dan
  • You are trying SSO from your front-end application, I suppose. In that case, why don't you just store the token in your cookies or application storage and use it repeatedly? – Reaz Murshed Dec 06 '19 at 05:49
  • I can store the token and send it for each REST endpoint call, but how can I implement @HasAuthority('something')? Because that token came from another service; they don't have a role table mapped with this table. – Dan Dec 06 '19 at 05:52
  • You need to assign the roles you got from the table based on user id as authorities to the currently authenticated user in the SecurityContext. And also have the roles/authorities you need already defined per endpoint. – Sunil Dabburi Dec 06 '19 at 06:08
  • @SunilChakravarthy how to implement this? Can you show an example? – Dan Dec 06 '19 at 06:14
  • I answered your question just now. It is hard to answer everything. I am assuming you can fill in the gaps. – Sunil Dabburi Dec 06 '19 at 06:46
  • @SunilChakravarthy I will implement it and will let you know if you can help further. – Dan Dec 06 '19 at 06:56

1 Answer


There are multiple things to consider here:

User authentication: when the user credentials are verified, we mark the user as authenticated and register it in the SecurityContext.

You must be using an AuthenticationProvider to authenticate the received token.

Ex:

import java.util.Collection;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public abstract class SSOAuthenticationProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication authentication) {
        // verify the authentication token; throw an AuthenticationException if it is invalid
        String userId = verifyToken(authentication);
        // make the database call, get roles for the user (authorities - discussed below)
        Collection<? extends GrantedAuthority> authorities = loadAuthorities(userId);
        // Authentication has no setAuthorities(); this constructor returns a token already marked authenticated
        Authentication result = new PreAuthenticatedAuthenticationToken(userId, authentication.getCredentials(), authorities);
        SecurityContextHolder.getContext().setAuthentication(result);
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }

    protected abstract String verifyToken(Authentication authentication);                     // your SSO token check
    protected abstract Collection<? extends GrantedAuthority> loadAuthorities(String userId);  // DB role lookup
}

Authorities: once the user is authenticated, we need to get the granted authorities for the user and set them. For that, we need a custom class to represent the granted authorities.

import org.springframework.security.core.GrantedAuthority;

// Spring ships SimpleGrantedAuthority with the same behaviour; a custom class is only needed if you want extra fields
public class CustomAuthority implements GrantedAuthority {

    private final String role;

    public CustomAuthority(String role) {
        this.role = role;
    }

    @Override
    public String getAuthority() {
        return role;
    }
}

We create these custom authority instances from the roles we receive from the database. So in the previous SSOAuthenticationProvider, we do the following:

// make the database call, get roles for the user
List<String> roles = <db call to get roles>;
Collection<? extends GrantedAuthority> authorities = Collections.unmodifiableList(
        roles.stream().map(CustomAuthority::new).collect(Collectors.toList()));
// Authentication has no setAuthorities(); build the authenticated token with these authorities instead
Authentication result = new PreAuthenticatedAuthenticationToken(userId, authentication.getCredentials(), authorities);
SecurityContextHolder.getContext().setAuthentication(result);

This results in the currently authenticated user holding all the roles they are entitled to.

The only pending step is to hardcode the authority/role for each endpoint. Now, when the user authentication process is done and an endpoint verification is performed, Spring looks at the authorities needed for the current endpoint and looks for them in the currently authenticated user. If they are present, the endpoint code gets executed. If not, an AccessDeniedException is thrown.

Sunil Dabburi
  • No, I am not using AuthenticationProvider in my project. From my office network it detects my browser, and I send a request to an SSO URL to get the token, my user name and userId. My project is using this: https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/5.24.1 – Dan Dec 06 '19 at 12:49
  • In your case, the place where you verify the token in your code is the place where you need to add the logic I pointed out in my answer. That should solve your problem. If you don't have an authentication object, you can create one. – Sunil Dabburi Dec 06 '19 at 15:16
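The following is an added example, not code from the question or the answer above, showing how the three steps of the answer (verify the token, map the user's database roles to authorities, restrict endpoints by authority) fit together in Spring Security 5 without any login form. `TokenVerifier` and `UserRoleRepository` are hypothetical interfaces standing in for the poster's SSO token check and user-role table; the endpoint paths and role names are likewise assumed for illustration.

```java
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical: validates the SSO bearer token (signature, issuer, audience, expiry). */
interface TokenVerifier {
    /** @return the userId asserted by a valid token, or null if the token must be rejected */
    String verify(String bearerToken);
}

/** Hypothetical: reads the poster's role table keyed by userId. */
interface UserRoleRepository {
    List<String> findRolesByUserId(String userId);
}

/** Validates the Bearer token on every request and fills the SecurityContext with DB roles. */
class BearerTokenRoleFilter extends OncePerRequestFilter {
    private final TokenVerifier verifier;
    private final UserRoleRepository roleRepo;

    BearerTokenRoleFilter(TokenVerifier verifier, UserRoleRepository roleRepo) {
        this.verifier = verifier;
        this.roleRepo = roleRepo;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            String userId = verifier.verify(header.substring("Bearer ".length()));
            if (userId != null) {
                // The token only proves identity; authorities come from the local role table.
                // hasRole("X") expects the ROLE_ prefix, hasAuthority("X") matches the string as-is.
                List<GrantedAuthority> authorities = roleRepo.findRolesByUserId(userId).stream()
                        .map(r -> new SimpleGrantedAuthority(r.startsWith("ROLE_") ? r : "ROLE_" + r))
                        .collect(Collectors.toList());
                // This constructor marks the token authenticated, so no login form is ever shown.
                SecurityContextHolder.getContext().setAuthentication(
                        new PreAuthenticatedAuthenticationToken(userId, "N/A", authorities));
            }
            // Invalid or expired token: leave the context empty so the request is treated as anonymous.
        }
        chain.doFilter(req, res);
    }
}

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on methods
class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    private final TokenVerifier verifier;
    private final UserRoleRepository roleRepo;

    ApiSecurityConfig(TokenVerifier verifier, UserRoleRepository roleRepo) {
        this.verifier = verifier;
        this.roleRepo = roleRepo;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()             // bearer-token API: no session cookie for CSRF to ride on
            .formLogin().disable()        // no username/password form, as the question requires
            .httpBasic().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .addFilterBefore(new BearerTokenRoleFilter(verifier, roleRepo),
                             UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/api/public/**").permitAll()
                .antMatchers("/api/admin/**").hasRole("ADMIN")   // requires ROLE_ADMIN from the table
                .anyRequest().authenticated();
    }
}

@RestController
class ReportController {
    @GetMapping("/api/reports")
    @PreAuthorize("hasAuthority('ROLE_REPORT_VIEWER')") // method-level check, the answer's last step
    public String reports() { return "report data"; }
}
```

Two points a practitioner should check before copying this: the `TokenVerifier` must actually validate the JWT (signature against the SSO issuer's keys, issuer, audience and expiry), since a filter that trusts an unverified token lets anyone choose their userId; and roles are deliberately read from the local table rather than from token claims, because the issuing service, as the question notes, knows nothing about this application's role mapping. With `STATELESS` sessions the token is re-validated and the roles re-read on every request, so revoking a role in the table takes effect on the next call.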