Merge pull request #4 from manirDev/jwt-token

JWT token provider is implemented.

Author: manirDev

pom.xml

@@ -52,6 +52,13 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-security</artifactId>
 		</dependency>
+		<!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt</artifactId>
+			<version>0.9.1</version>
+		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>

src/main/java/com/manir/springbootecommercerestapi/config/SecurityConfig.java

@@ -1,6 +1,8 @@
 package com.manir.springbootecommercerestapi.config;
 
 import com.manir.springbootecommercerestapi.security.CustomUserDetailsService;
+import com.manir.springbootecommercerestapi.security.JwtAuthenticationEntryPoint;
+import com.manir.springbootecommercerestapi.security.JwtAuthenticationFilter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -11,8 +13,10 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
 @EnableWebSecurity
@@ -25,21 +29,43 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Autowired
     private CustomUserDetailsService customUserDetailsService;
+    @Autowired
+    private JwtAuthenticationEntryPoint authenticationEntryPoint;
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http
                 .csrf().disable()
+                /*-------------------------JWT Starts------------------------------*/
+                .exceptionHandling()
+                .authenticationEntryPoint(authenticationEntryPoint)
+                .and()
+                .sessionManagement()
+                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                /*-------------------------JWT ends------------------------------*/
+                .and()
                 .authorizeRequests()
                 //to permit all get request and secure post put and delete methods
                 .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                 //authorize singIn and signUp
                 .antMatchers("/api/v1/auth/**").permitAll()
                 .anyRequest()
-                .authenticated()
-                .and()
+                .authenticated();
+
+                /**
+                  Basic auth used before JWT implementation
+                 .and()
                 .httpBasic();
+                 **/
+        http
+                .addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
+
+    }
 
+    //Jwt auth filter method
+    @Bean
+    public JwtAuthenticationFilter jwtAuthenticationFilter(){
+        return new JwtAuthenticationFilter();
     }
 
     //In memory Auth

src/main/java/com/manir/springbootecommercerestapi/controller/AuthController.java

@@ -3,6 +3,8 @@
 import com.manir.springbootecommercerestapi.dto.LoginDto;
 import com.manir.springbootecommercerestapi.dto.SignUpDto;
 import com.manir.springbootecommercerestapi.repository.UserRepository;
+import com.manir.springbootecommercerestapi.response.JWTAuthResponse;
+import com.manir.springbootecommercerestapi.security.JwtTokenProvider;
 import com.manir.springbootecommercerestapi.service.UserRegisterService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
@@ -28,10 +30,12 @@ public class AuthController {
     private UserRepository userRepository;
     @Autowired
     private UserRegisterService userRegisterService;
+    @Autowired
+    private JwtTokenProvider tokenProvider;
 
     //login api
     @PostMapping("/login")
-    public ResponseEntity<String> authenticateUser(@RequestBody LoginDto loginDto){
+    public ResponseEntity<JWTAuthResponse> authenticateUser(@RequestBody LoginDto loginDto){
 
         Authentication authentication = authenticationManager.authenticate(
                                     new UsernamePasswordAuthenticationToken(
@@ -40,7 +44,11 @@ public ResponseEntity<String> authenticateUser(@RequestBody LoginDto loginDto){
                                     )
                                 );
         SecurityContextHolder.getContext().setAuthentication(authentication);
-        return new ResponseEntity<>("User sign-In successfully", HttpStatus.OK);
+
+        //get token from token provider
+        String token = tokenProvider.generateToken(authentication);
+
+        return new ResponseEntity<>(new JWTAuthResponse(token), HttpStatus.OK);
     }
 
     //register api

src/main/java/com/manir/springbootecommercerestapi/response/JWTAuthResponse.java

@@ -0,0 +1,15 @@
+package com.manir.springbootecommercerestapi.response;
+
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+public class JWTAuthResponse {
+    private String accessToken;
+    private String tokenType = "Bearer";
+
+    public JWTAuthResponse(String accessToken) {
+        this.accessToken = accessToken;
+    }
+}

src/main/java/com/manir/springbootecommercerestapi/security/JwtAuthenticationEntryPoint.java

@@ -0,0 +1,21 @@
+package com.manir.springbootecommercerestapi.security;
+
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Component
+public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
+    @Override
+    public void commence(HttpServletRequest request,
+                         HttpServletResponse response,
+                         AuthenticationException authException) throws IOException, ServletException {
+
+        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
+    }
+}

src/main/java/com/manir/springbootecommercerestapi/security/JwtAuthenticationFilter.java

@@ -0,0 +1,57 @@
+package com.manir.springbootecommercerestapi.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
+
+    @Autowired
+    private JwtTokenProvider tokenProvider;
+    @Autowired
+    private CustomUserDetailsService userDetailsService;
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request,
+                                    HttpServletResponse response,
+                                    FilterChain filterChain) throws ServletException, IOException {
+
+        //get jwt token from http request
+        String token = getJWTFromToken(request);
+        //validate token
+        if (StringUtils.hasText(token) && tokenProvider.validateToken(token)){
+            //retrieve user form token
+            String userName = tokenProvider.getUserNameFromToken(token);
+            //load user associated with the token
+            UserDetails userDetails = userDetailsService.loadUserByUsername(userName);
+            UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
+                    userDetails, null, userDetails.getAuthorities()
+            );
+            //set spring security
+            authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
+            SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+        }
+        filterChain.doFilter(request, response);
+    }
+
+    //get jwt from token
+    //Bearer <accessToken>
+    private String getJWTFromToken(HttpServletRequest request){
+
+        String bearerToken = request.getHeader("Authorization");
+        if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")){
+            return bearerToken.substring(7, bearerToken.length());
+        }
+        return null;
+    }
+}

src/main/java/com/manir/springbootecommercerestapi/security/JwtTokenProvider.java

@@ -0,0 +1,66 @@
+package com.manir.springbootecommercerestapi.security;
+
+import com.manir.springbootecommercerestapi.exception.EcommerceApiException;
+import io.jsonwebtoken.*;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.util.Date;
+
+@Component
+public class JwtTokenProvider {
+
+    @Value("${app.jwt-secret}")
+    private String jwtSecret;
+    @Value("${app.jwt-expiration-milliseconds}")
+    private int jwtExpirationTime;
+
+    //generate token method
+
+    public String generateToken(Authentication authentication){
+        String userName = authentication.getName();
+        Date currentDate = new Date();
+        Date expireDate = new Date(currentDate.getTime() + jwtExpirationTime);
+
+        String token = Jwts.builder()
+                                    .setSubject(userName)
+                                    .setIssuedAt(new Date())
+                                    .setExpiration(expireDate)
+                                    .signWith(SignatureAlgorithm.HS512, jwtSecret)
+                                    .compact();
+
+        return token;
+    }
+
+    //get username from the token, retrieve username from generated token
+    public String getUserNameFromToken(String token){
+        Claims claims = Jwts.parser()
+                                    .setSigningKey(jwtSecret)
+                                    .parseClaimsJws(token)
+                                    .getBody();
+
+        return claims.getSubject();
+    }
+
+    //validate JWT token
+    public boolean validateToken(String token){
+            try {
+                Jwts.parser()
+                            .setSigningKey(jwtSecret)
+                            .parseClaimsJws(token);
+                return true;
+            }catch (SignatureException e){
+                throw new EcommerceApiException("Invalid JWT signature", HttpStatus.BAD_REQUEST);
+            }catch (MalformedJwtException e){
+                throw new EcommerceApiException("Invalid JWT token", HttpStatus.BAD_REQUEST);
+            }catch (ExpiredJwtException e){
+                throw new EcommerceApiException("Expired JWT token", HttpStatus.BAD_REQUEST);
+            }catch (UnsupportedJwtException e){
+                throw new EcommerceApiException("Unsupported JWT token", HttpStatus.BAD_REQUEST);
+            }catch (IllegalArgumentException e){
+                throw new EcommerceApiException("JWT claims string is empty", HttpStatus.BAD_REQUEST);
+            }
+    }
+}

src/main/resources/application.properties

@@ -13,3 +13,6 @@ logging.level.org.springframework.security=DEBUG
 #spring.security.customer.name= customer
 #spring.security.customer.roles= ADMIN
 
+#JWT properties
+app.jwt-secret = JWTSecretKey
+app.jwt-expiration-milliseconds = 604800000