Atividade Spring Security

exemplos/02-seguranca/pom.xml

@@ -1,70 +1,90 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.1.9.RELEASE</version>
-        <relativePath/> <!-- lookup parent from repository -->
-    </parent>
-    <groupId>br.com.ifpb.pweb2</groupId>
-    <artifactId>security-demo</artifactId>
-    <version>0.0.1-SNAPSHOT</version>
-    <name>security-demo</name>
-    <description>Demo project for Spring Security</description>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>2.1.9.RELEASE</version>
+		<relativePath /> <!-- lookup parent from repository -->
+	</parent>
+	<groupId>br.com.ifpb.pweb2</groupId>
+	<artifactId>security-demo</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<name>security-demo</name>
+	<description>Demo project for Spring Security</description>
 
-    <properties>
-        <java.version>1.8</java.version>
-    </properties>
+	<properties>
+		<java.version>1.8</java.version>
+	</properties>
 
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-jpa</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-        </dependency>
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-data-jpa</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
 
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-security</artifactId>
-        </dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
 
-        <dependency>
-            <groupId>org.projectlombok</groupId>
-            <artifactId>lombok</artifactId>
-            <version>1.18.10</version>
-        </dependency>
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<version>1.18.10</version>
+		</dependency>
 
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.postgresql</groupId>
+			<artifactId>postgresql</artifactId>
+			<scope>runtime</scope>
+		</dependency>
+
+		 <!-- JJWT Lib (https://github.com/jwtk/jjwt)-->
         <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.10.5</version>
         </dependency>
         <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.10.5</version>
+            <scope>runtime</scope>
         </dependency>
-
         <dependency>
-            <groupId>org.postgresql</groupId>
-            <artifactId>postgresql</artifactId>
-            <version>42.2.8</version>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <version>0.10.5</version>
+            <scope>runtime</scope>
         </dependency>
 
-    </dependencies>
+	</dependencies>
 
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-            </plugin>
-        </plugins>
-    </build>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
 
 </project>

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/config/ApplicationConfig.java

@@ -1,11 +1,10 @@
 package br.com.ifpb.pweb2.securitydemo.config;
 
-import lombok.Data;
-import lombok.Getter;
-import lombok.Setter;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
 
+import lombok.Data;
+
 @Configuration
 @ConfigurationProperties(prefix = "app")
 @Data

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/config/SecurityConfig.java

@@ -0,0 +1,17 @@
+package br.com.ifpb.pweb2.securitydemo.config;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConfigurationProperties(prefix="security")
+@Data
+public class SecurityConfig {
+    private String authLoginUrl;
+    private String tokenType;
+    private String secret;
+    private String issuer;
+    private String audience;
+    private Long expiration;
+}

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/config/SecurityConstants.java

@@ -0,0 +1,21 @@
+package br.com.ifpb.pweb2.securitydemo.config;
+
+public class SecurityConstants {
+	public static final String AUTH_LOGIN_URL = "/api/authenticate";
+
+    // Signing key for HS512 algorithm
+    // Use http://www.allkeysgenerator.com/ para gerar uma chave
+    public static final String JWT_SECRET = "884B504E-224E-48DE-9664-7A3057BAEC23";
+
+    // JWT token defaults
+    public static final String TOKEN_HEADER = "Authorization";
+    public static final String TOKEN_PREFIX = "Bearer ";
+    public static final String TOKEN_TYPE = "JWT";
+    public static final String TOKEN_ISSUER = "secure-api";
+    public static final String TOKEN_AUDIENCE = "secure-app";
+
+    private SecurityConstants() {
+    }
+
+
+}

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/config/WebSecurityConfig.java

@@ -1,33 +1,65 @@
 package br.com.ifpb.pweb2.securitydemo.config;
 
-import org.springframework.core.annotation.Order;
+import br.com.ifpb.pweb2.securitydemo.config.jwt.JwtAuthenticationFilter;
+import br.com.ifpb.pweb2.securitydemo.config.jwt.JwtAuthorizationFilter;
+import br.com.ifpb.pweb2.securitydemo.service.UsuarioService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(jsr250Enabled = true, securedEnabled = true, prePostEnabled = true)
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter  {
 
-    public WebSecurityConfig() {
+    private final SecurityConfig securityConfig;
+
+    private final UserDetailsService userDetailsService;
+
+    private final PasswordEncoder passwordEncoder;
+
+
+    public WebSecurityConfig(SecurityConfig securityConfig, UserDetailsService userDetailsService, PasswordEncoder passwordEncoder) {
+        this.securityConfig = securityConfig;
+        this.userDetailsService = userDetailsService;
+        this.passwordEncoder = passwordEncoder;
     }
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-        http
+        http.cors().and()
                 .authorizeRequests()
-                .antMatchers("/api/**").authenticated()
                 .antMatchers("/publico").permitAll()
-                .antMatchers("/usuarios").hasRole("ADMIN")
+                .anyRequest().authenticated()
             .and()
+                .addFilter(new JwtAuthenticationFilter(authenticationManager(), securityConfig))
+                .addFilter(new JwtAuthorizationFilter(authenticationManager(), securityConfig))
             .sessionManagement()
                 .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-            .and()
-                .httpBasic()
             .and()
                 .csrf().disable();
     }
 
+
+    @Override
+    public void configure(AuthenticationManagerBuilder auth) throws Exception {
+            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
+    }
+
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
+        return source;
+    }
+
 }

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/config/jwt/JwtAuthenticationFilter.java

@@ -0,0 +1,69 @@
+package br.com.ifpb.pweb2.securitydemo.config.jwt;
+
+import br.com.ifpb.pweb2.securitydemo.config.SecurityConfig;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.security.Keys;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Date;
+import java.util.List;
+import java.util.stream.Collectors;
+
+public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
+
+    private final AuthenticationManager authenticationManager;
+
+    private final SecurityConfig securityConfig;
+
+    public JwtAuthenticationFilter(AuthenticationManager authenticationManager, SecurityConfig securityConfig) {
+        this.authenticationManager=authenticationManager;
+        this.securityConfig = securityConfig;
+        setFilterProcessesUrl(this.securityConfig.getAuthLoginUrl());
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
+        String username = request.getParameter("usuario");
+        String password = request.getParameter("senha");
+        UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, password);
+
+        return authenticationManager.authenticate(authenticationToken);
+    }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
+                                            FilterChain filterChain, Authentication authentication) {
+        UserDetails user = ((UserDetails) authentication.getPrincipal());
+
+        List<String> roles = user.getAuthorities()
+                .stream()
+                .map(GrantedAuthority::getAuthority)
+                .collect(Collectors.toList());
+
+        String signingKey = securityConfig.getSecret();
+
+        String token = Jwts.builder()
+                .signWith(Keys.hmacShaKeyFor(signingKey.getBytes()), SignatureAlgorithm.HS512)
+                .setHeaderParam("type", securityConfig.getTokenType())
+                .setIssuer(securityConfig.getIssuer()) //emissor
+                .setAudience(securityConfig.getAudience()) //destinatario
+                .setSubject(user.getUsername())
+                .setExpiration(new Date(System.currentTimeMillis() + securityConfig.getExpiration()))
+                .claim("roles", roles)
+                .compact();
+
+        response.addHeader("Authorization", "Bearer " + token);
+    }
+
+}