Spring - RESTful authentication using cookies
I am trying to implement authentication (for an Android client app) using cookies, based on this article: http://automateddeveloper.blogspot.co.uk/2014/03/securing-your-mobile-api-spring-security.html
SecurityConfig:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// MyTokenBasedRememberMeService, MyAuthSuccessHandler, MyAuthFailureHandler and
// MyLogoutSuccessHandler are the application's own classes (assumed to be in this package).
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Key shared by the remember-me services and the remember-me provider
    private final static String TOKEN_STRING = "my_token";
    // Name of the cookie that carries the remember-me token
    private final static String COOKIE_STRING = "my_cookie";

    @Autowired
    private UserDetailsService userSvc;
    @Autowired
    private MyTokenBasedRememberMeService tokenSvc;
    @Autowired
    private RememberMeAuthenticationProvider rememberMeProvider;
    @Autowired
    private MyAuthSuccessHandler authSuccess;
    @Autowired
    private MyAuthFailureHandler authFailure;
    @Autowired
    private MyLogoutSuccessHandler logoutSuccess;

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(userSvc)
            .passwordEncoder(passwordEncoder());
        auth.authenticationProvider(rememberMeProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/register").permitAll()
                .anyRequest().authenticated().and()
            .formLogin()
                .loginPage("/")
                .loginProcessingUrl("/loginendpoint")
                .successHandler(authSuccess)
                .failureHandler(authFailure).and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler(logoutSuccess)
                .deleteCookies(COOKIE_STRING).and()
            .rememberMe()
                .rememberMeServices(tokenSvc).and()
            .csrf()
                .disable()
            // Run the remember-me filter early so the token header is checked on every request
            .addFilterBefore(rememberMeAuthenticationFilter(), BasicAuthenticationFilter.class)
            .sessionManagement()
                // No HTTP session: every request must carry its own credentials/token
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public RememberMeAuthenticationFilter rememberMeAuthenticationFilter() throws Exception {
        return new RememberMeAuthenticationFilter(authenticationManager(), tokenBasedRememberMeService());
    }

    @Bean
    public RememberMeAuthenticationProvider rememberMeAuthenticationProvider() {
        return new RememberMeAuthenticationProvider(TOKEN_STRING);
    }

    @Bean
    public MyTokenBasedRememberMeService tokenBasedRememberMeService() {
        MyTokenBasedRememberMeService service =
            new MyTokenBasedRememberMeService(TOKEN_STRING, userSvc);
        service.setAlwaysRemember(true);
        service.setCookieName(COOKIE_STRING);
        return service;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }
}
```
MyTokenBasedRememberMeService:
```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

public class MyTokenBasedRememberMeService extends TokenBasedRememberMeServices {

    // Name of the request header the client uses to send the remember-me token
    private final static String TOKEN_STRING = "my_token";

    public MyTokenBasedRememberMeService(String key, UserDetailsService userDetailsService) {
        super(key, userDetailsService);
    }

    // Read the token from a request header instead of from the cookie
    @Override
    protected String extractRememberMeCookie(HttpServletRequest request) {
        String token = request.getHeader(TOKEN_STRING);
        if ((token == null) || (token.length() == 0)) {
            return "";
        }
        return token;
    }
}
```
Unfortunately, after a successful login the cookie is empty on the client side:
```
set-cookie: my_cookie=""; expires=thu, 01-jan-1970 00:00:10 gmt; path=/
```
What's wrong?
-------EDIT 1-------
If you login directly in the browser, is there no cookie (in dev tools, for example)?
I tested using Postman and received a JSESSIONID cookie (no my_cookie).
Also, are you using a custom login controller method? (e.g. a UserController explicitly authenticating users?)
Yes, I'm using a custom login controller method. I'm new to Spring Security, so if it can be done without a custom controller I would be grateful for explanations. The controller is responsible for authentication of the user.
If you are not using spring-security to handle authentication, I suspect you may have to explicitly set cookies etc. yourself.
No, I'm using Spring Security only. At least I think so... :)
What is the UserController login method doing?
I updated the code.
-------EDIT 2-------
According to @rhinds' advice and the Spring documentation I corrected a few things (the code above is updated). I can login via loginendpoint, and after login I get my_cookie. I have some related questions:
- After a successful login I receive the cookie in the response. For further requests, do I have to manually add the token (client side), or is it automatically added on the server side?
- What about logout? How does "Spring" know that the user has logged out?
- What about the token expiration date? The default is 2 weeks, but what if I want to change it? Can I set the token to never expire?
For people with similar problems I recommend this great article: https://dzone.com/articles/secure-rest-services-using :)
OK, the best place to start is to move away from the custom Spring controller for logging in and delegate to Spring Security. The docs give a pretty good overview of how to get started; see here to get started.
From the linked article, if you look at the config code:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
            .disable()
        .authorizeRequests()
            .antMatchers("/resources/**").permitAll()
            .antMatchers("/sign-up").permitAll()
            .antMatchers("/sign-in").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/")
            .loginProcessingUrl("/loginprocess")
            .failureUrl("/mobile/app/sign-in?loginFailure=true")
            .permitAll().and()
        .rememberMe().rememberMeServices(tokenBasedRememberMeService);
}
```
The section under the .formLogin() call is telling spring-security which endpoint to listen on for login attempts. E.g. if you have that config and POST to the endpoint /loginprocess, spring-security will intercept it and use the authentication manager to process the submitted form (expecting username and password fields etc.).
The next important bit is the wiring of the UserDetailsService and the authentication manager:
```java
@Override
protected void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .userDetailsService(userDetailsServiceImpl)
        .passwordEncoder(bCryptPasswordEncoder());
    auth.authenticationProvider(rememberMeAuthenticationProvider);
}
```
This gives spring-security the means to attempt to load the user object for a given login attempt. As long as your class implements UserDetailsService, Spring Security should have what it needs.
Assuming that is correct, you should be able to remove the custom login controller method, define the loginProcessingUrl, POST to it, and spring-security should kick in and (attempt to) handle it.
It might be worth spending some time getting the spring-security config working and handling the simple login case. Once that has been delegated to the spring-security machinery, it should be easier to update the config to wire in the rememberMe side of things.
Response to edit 2
I am assuming you are following the implementation details in the linked article, which is based on the general approach here: http://automateddeveloper.blogspot.co.uk/2014/03/securing-your-api-for-mobile-access.html (the explanation of the implementation details is the one you have linked in the OP).
- After a successful login I receive the cookie in the response. For further requests, do I have to manually add the token (client side), or is it automatically added on the server side?
So, assuming you are logging in and making API requests from a mobile app: as per the article, you need a webview in the app to allow users to login. Once they have done so, the webview will receive the response to the login, which will include the cookie. At that point, all you care about is extracting the token from the cookie; after that, the cookie isn't needed. In the app you can persist the token however you like, and add it to make sure you provide it in every API request you make from the app. The rememberMe implementation in the article extracts the token from the API request headers and authenticates the user.
- What about logout? How does "Spring" know that the user has logged out?
It won't. Your config has set Spring to be stateless, e.g. it doesn't track logged in users, only the presence of a valid cookie (or, in the case of API requests, the presence of the extracted token). E.g. in stateless mode, every single request made by the app is checked to see if it is authenticated.
- What about the token expiration date? The default is 2 weeks, but what if I want to change it? Can I set the token to never expire?
Again, assuming you are following the pattern described in the link above, it does not matter: you use the cookie on the first login only, after which the app has the remember-me token that is used for authentication, and the cookie is discarded at that point.
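The answer above says the server keeps no login state and re-checks the token on every request, with the expiry carried inside the token. As an added example (not code from the question, the answer or Spring itself), here is a Python reimplementation of the default cookie format produced by Spring's TokenBasedRememberMeServices, base64 of `username:expiryMillis:md5Hex(username:expiryMillis:password:key)`, together with the check the server performs; the user store, key and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values (not from the post). SERVER_KEY plays the role of the
# TOKEN_STRING key given to TokenBasedRememberMeServices in the question.
SERVER_KEY = "my_token"
TWO_WEEKS = 14 * 24 * 3600            # Spring's default tokenValiditySeconds
# Constructed stand-in for UserDetailsService: username -> stored password value
USERS = {"alice": "$2a$10$constructed.bcrypt.hash.placeholder"}


def signature(username: str, expiry_ms: int, password: str, key: str) -> str:
    # Spring default: md5Hex(username + ":" + expiry + ":" + password + ":" + key)
    data = f"{username}:{expiry_ms}:{password}:{key}".encode()
    return hashlib.md5(data).hexdigest()


def make_token(username: str, password: str, validity_s: int = TWO_WEEKS,
               now_ms: Optional[int] = None) -> str:
    """Value the server writes into the remember-me cookie on login success."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    expiry_ms = now_ms + validity_s * 1000
    raw = f"{username}:{expiry_ms}:{signature(username, expiry_ms, password, SERVER_KEY)}"
    return base64.b64encode(raw.encode()).decode().rstrip("=")  # Spring strips '=' padding


def validate_token(token: str, now_ms: Optional[int] = None) -> Optional[str]:
    """Stateless per-request check: returns the username, or None if rejected."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    padded = token + "=" * (-len(token) % 4)            # restore stripped padding
    try:
        parts = base64.b64decode(padded, validate=True).decode().split(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expiry_ms, sig = parts[0], int(parts[1]), parts[2]
    if expiry_ms < now_ms:                               # expiry lives in the token itself
        return None
    password = USERS.get(username)                       # UserDetailsService lookup
    if password is None:
        return None
    expected = signature(username, expiry_ms, password, SERVER_KEY)
    if not hmac.compare_digest(expected, sig):           # constant-time comparison
        return None
    return username
```

Because the password value is part of the signed material, changing a user's password invalidates every outstanding token for that user, which is the only "logout" a stateless server of this kind has.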