Spring - RESTful authentication using cookies -

-

i try implement authentication (for android client app) using cookies, based on article -http://automateddeveloper.blogspot.co.uk/2014/03/securing-your-mobile-api-spring-security.html

securityconfig:

@configuration @enablewebsecurity public class securityconfig extends websecurityconfigureradapter {      private final static string token_string = "my_token";     private final static string cookie_string = "my_cookie";      @autowired     private userdetailsservice usersvc;     @autowired     private mytokenbasedremembermeservice tokensvc;     @autowired     private remembermeauthenticationprovider remembermeprovider;     @autowired      private myauthsuccesshandler authsuccess;     @autowired     private myauthfailurehandler authfailure;     @autowired     private mylogoutsuccesshandler logoutsuccess;       @autowired     protected void configureglobal(authenticationmanagerbuilder auth) throws exception {         auth             .userdetailsservice(usersvc)             .passwordencoder(passwordencoder());          auth.authenticationprovider(remembermeprovider);     }      @override     protected void configure(httpsecurity http) throws exception {           http             .authorizerequests()                 .antmatchers("/register").permitall()                 .anyrequest().authenticated().and()             .formlogin()                .loginpage("/")                .loginprocessingurl("/loginendpoint")                .successhandler(authsuccess)                .failurehandler(authfailure).and()             .logout()                                            .logouturl("/logout")                 .logoutsuccess(logoutsuccess)                 .deletecookies(cookie_string).and()             .rememberme()                 .remembermeservices(tokensvc).and()             .csrf()                 .disable()             .addfilterbefore(remembermeauthenticationfilter(), basicauthenticationfilter.class)             .sessionmanagement()                 .sessioncreationpolicy(sessioncreationpolicy.stateless);     }      @bean     @override     public authenticationmanager authenticationmanagerbean() throws exception {         return super.authenticationmanagerbean();     }      @bean     public remembermeauthenticationfilter remembermeauthenticationfilter() throws exception {         return new remembermeauthenticationfilter(authenticationmanager(), tokenbasedremembermeservice());     }      @bean     public remembermeauthenticationprovider remembermeauthenticationprovider() {         return new remembermeauthenticationprovider(token_string);     }      @bean     public mytokenbasedremembermeservice tokenbasedremembermeservice() {         mytokenbasedremembermeservice service = new mytokenbasedremembermeservice(token_string,                 usersvc);         service.setalwaysremember(true);         service.setcookiename(cookie_string);         return service;     }      @bean     public passwordencoder passwordencoder() {         passwordencoder encoder = new bcryptpasswordencoder();         return encoder;     }  }

mytokenbasedremembermeservice:

public class mytokenbasedremembermeservice extends tokenbasedremembermeservices {      private final static string token_string = "my_token";      public mytokenbasedremembermeservice(string key, userdetailsservice userdetailsservice) {         super(key, userdetailsservice);     }      @override     protected string extractremembermecookie(httpservletrequest request) {         string token = request.getheader(token_string);         if ((token == null) || (token.length() == 0)) {             return "";         }         return token;     } }

unfortunately after successful login cookie empty on client side:

set-cookie: my_cookie=""; expires=thu, 01-jan-1970 00:00:10 gmt; path=/

what's wrong?

-------edit 1-------

if login directly in browser no cookie (in dev tools example)?

i tested using postman , received jsessionid cookie (no my_cookie).

also, using custom login controller method? (e.g. usercontroller explicitly authenticating users?)

yes, i'm using custom login controller method, i'm new in spring security , if can done without custom controller grateful explanations. controller responsible authentication of user.

if not using spring-security handle authentication suspect may have explicitly set cookies etc yourself

no, i'm using spring security only. @ least think ... :)

what usercontroller login method doing?

i updated code.

-------edit 2-------

according @rhinds advices , spring documentation corrected few things (above code updated). can login loginendpoint , after login my_cookie. have related questions:

  1. after successful login receive cookie in response. further requests have manually add token (client side) if it's automatically added on server side?
  2. what logout? how "spring" know user has logged out?
  3. what token expiration date? default 2 weeks, what? can set token never expires?

for people similar recommend @ great article - https://dzone.com/articles/secure-rest-services-using :)

ok, best place start move away custom spring controller logging in , delegate spring security - docs give pretty overview of how started - see here started

from linked article, if @ config code:

@override protected void configure(httpsecurity http) throws exception {     http         .csrf()             .disable()         .authorizerequests()             .antmatchers("/resources/**").permitall()             .antmatchers("/sign-up").permitall()             .antmatchers("/sign-in").permitall()             .anyrequest().authenticated()             .and()         .formlogin()             .loginpage("/")             .loginprocessingurl("/loginprocess")             .failureurl("/mobile/app/sign-in?loginfailure=true")             .permitall().and()         .rememberme().remembermeservices(tokenbasedremembermeservice); }

the section under .formlogin() call telling spring-security endpoint listen on login attempts - e.g. if have config , post endpoint /loginprocess spring-security intercept , use authentication manager process submitted form (expecting username , password fields etc).

the next important bit wiring of userdetailsservice , authentication manger:

 @override protected void registerauthentication(authenticationmanagerbuilder auth) throws exception {      auth         .userdetailsservice(userdetailsserviceimpl)         .passwordencoder(bcryptpasswordencoder());      auth.authenticationprovider(remembermeauthenticationprovider);  }

this gives spring-security means attempt load user object given provided login attempt - long class implements userdetailsservice spring security should have needs.

assuming correct, should able remove custom login controller method, define loginprocessingurl , post , spring-security should kick in , (attempt) handle it.

it might worth spending time getting spring-security config working , handling simple login case, once been delegated spring-security machinery should easier update config wire in rememberme side of things.

response edit 2

i assuming following implementation details in linked article based on general approach here: http://automateddeveloper.blogspot.co.uk/2014/03/securing-your-api-for-mobile-access.html (the explanation of implementation details have linked in op)

  1. after successful login receive cookie in response. further requests have manually add token (client side) if it's automatically added on server side?

so assuming logging in , making api requests mobile app - per article, need webview in app allow users login, once have done webview recieve response login include cookie. @ point, care extracting token cookie -after that, cookie isn't needed. in app can persist token like, , add make sure provide in every api request make app - rememberme implementation in article extracts token api request headers , authenticates user.

  1. what logout? how "spring" know user has logged out?

it won't - config has set spring stateless, e.g. doesn't track logged in users, logged presence of valid cookie (or in case of api requests, presence of token extracted) - e.g. in stateless mode, every single request made app checked see if authenticated

  1. what token expiration date? default 2 weeks, what? can set token never expires?

again, assuming following pattern described in link above, not matter, use cookie on first login, after app has remember me token used authentication cookie discarded point.


Comments

Post a Comment

Popular posts from this blog

html - Firefox flex bug applied to buttons? -

-
i'm trying apply flex button on firefox i'm having problem on chrome doesn't happens. this css: .button { display: inline-flex; align-items: center; } as can see in fiddle, "caret" word moved new line, happens if element <button> tag, <div> works expected. http://codepen.io/anon/pen/xblmgx is firefox bug or there css i'm missing? nevermind, looks "mr firefox" doesn't idea... <button> not implementable (by browsers) in pure css, bit of black box, perspective of css. means don't react in same way e.g. <div> would. this isn't specific flexbox -- e.g. don't render scrollbars if put "overflow:scroll" on button, , don't render table if put "display:table" on it. stepping further, isn't specific <button> . consider <fieldset> , <table> have special rendering behavior: data:text/html,<fieldset style="d
Read more

html - Missing border-right in select on Firefox -

-
Image
when put select div width , padding-left, options have no border on right. more, happend if select have width 118px , parent have 15px of padding left! have idea, going on? my code: <!doctype html> <html> <head lang="en"> </head> <body> <div style="width: 1000px; padding-left: 15px;"> <select style="width: 118px;"> <option>a</option> <option>b</option> <option>c</option> </select> </div> </body> </html> and result: here plunker: click it happend on firefox on windows. tested on 40.0.2 version -webkit-box-sizing: border-box; -moz-box-sizing: border-box; -ms-box-sizing: border-box; box-sizing: border-box; source: https://stackoverflow.com/a/11390432/4431269 source of problem: https://bugzilla.mozilla.org/show_bug.cgi?id=924068 and use of google ! edit: (source of problem, explained) after rea
Read more

c# - two queries in same method -

-
i trying execute 2 queries in same method gives me exception. can red of exception declaring new command there way use same command? string id="hi"; connection.open(); oledbcommand command1 = new oledbcommand(); command1.connection = connection; string query1 = "select * products category='" + combobox1.text + "' , subcategory = '" + combobox2.text + "' , sizes='" + combobox3.text + "'"; command1.commandtext = query1; oledbdatareader reader = command1.executereader(); while (reader.read()) { id = reader[0].tostring(); } textbox1.text = id; string query = "insert category_in (category_id,amount,amount_in) values ('"+ id+"' ,500,300)"; command1.commandtext = query; command1.executenonquery(); messagebox.show("saved"); connection.close();
Read more