Integrate jwt with mtsj #334
Conversation
All static secrets were removed from batch
Send data instead of clob
fix logs and avoid one line
fix major bug. Use the equals method instead of ==
fix major bug. Use the equals method instead of ==
Yes, then we need to figure out where to store this file with @dario-rodriguez.
Did you put the keystore in
This works for tests inside the core module, but in the end the core is bundled into a JAR file that then gets included inside the bootified JAR/WAR of the
Oops, this is new to me, need to check.
Yes, now it is working when we put the keystore file inside mtsj\server\src\main\resources\keystore.pkcs. Now, to work locally, we need to run using java -jar mythaistar-bootified.war.
This PR is for reference only and should not be merged now. It still has an issue with twofactorAuthentication.
…in devo… (devonfw#321)
* Implement example batches with modified devon-batch (see devonfw#190 in devon4j)
* Cleanup and documentation. Introduce job parameter for input/output file.
* Implemented batch start/stop scheme which works with spring batch alone. No own implementation for launchers is required.
* Remove batch disabling in core project
* Remove unused super class for tests
* Include example batch for restarts
* Document start of this batch with H2 auto-server-mode
* Fix exit code handling & exiting for web and batch
* Implement example for authentication, see devonfw/devon4j#90
* just start travis build, no code changes
* Provide Javadoc
* Upgrade to devon4j 2020.04.001
upgrade spring boot version and devon4j
Great update of MTSJ, looks very good in general.
I left some feedback for improvement. Could you check if you can quickly address the suggested improvements and then we can merge this.
@@ -17,6 +17,7 @@ export class HttpRequestInterceptorService implements HttpInterceptor { | |||
return this.store.select(fromAuth.getToken).pipe( | |||
first(), | |||
flatMap((token) => { | |||
token = token.replace('Bearer', ''); |
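Review bot: `token.replace('Bearer', '')` on the line above runs on whatever `select(fromAuth.getToken)` emitted, with no guard for a null or undefined token, so a request made while no token is stored throws inside the interceptor instead of being passed through without a header; in addition, a string pattern replaces only the first occurrence and leaves the following space in place. Normalize the stored value once (strip a leading `Bearer ` and trim) and guard with `if (!token)` before using it.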
check indentation ;)
java/mtsj/core/pom.xml
@@ -63,6 +63,10 @@ | |||
<artifactId>devon4j-jpa</artifactId> | |||
</dependency> --> | |||
|
|||
<dependency> | |||
<groupId>com.devonfw.java.starters</groupId> |
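Review bot: the new `<dependency>` is inserted directly below a commented-out devon4j-jpa block that still ends in `</dependency> -->`; remove the dead commented-out XML rather than keeping it beside live dependencies, and align the new block with the indentation of the surrounding entries.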
check indentation
java/mtsj/core/pom.xml
<dependency> | ||
<groupId>io.jsonwebtoken</groupId> | ||
<artifactId>jjwt</artifactId> | ||
<version>0.7.0</version> | ||
</dependency> |
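Review bot: this hunk pins `io.jsonwebtoken:jjwt` to a hardcoded `<version>0.7.0</version>` in core's pom. If this dependency is kept at all, it should not carry its own version next to whatever the devon4j jwt module already brings in, because two jjwt versions on the classpath are a classic source of `NoSuchMethodError` at runtime; either drop the dependency or remove the `<version>` element and let dependency management resolve it.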
Shouldn't jjwt now come via the devon4j jwt module, and MTSJ only use this indirectly, so this dependency is not needed anymore?
|
||
UserDetailsClientTo userDetails = new UserDetailsClientTo(); | ||
|
||
Authentication auth = this.jwtAuthenticator.authenticate(jwt.replace(JwtConstants.TOKEN_PREFIX, "")); |
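Review bot: `jwt.replace(JwtConstants.TOKEN_PREFIX, "")` is applied to the raw header value without first checking that `jwt` is non-null and actually starts with the prefix, so a request without an Authorization header ends in a NullPointerException and a header with a different scheme is handed to `authenticate` as if it were a token. Check `jwt != null && jwt.startsWith(JwtConstants.TOKEN_PREFIX)` and return an unauthenticated result otherwise.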
Isn't this a duplicated authentication? What is the purpose of this service in MTSJ? IMHO this is to retrieve UserDetailsClientTo via REST service on the client. If so, the existing authentication filter should be used and the UserDetailsClientTo should be created from the spring-security Authentication rather than authenticating again.
@@ -39,7 +43,7 @@ | |||
@Path("/currentuser/") | |||
public UserDetailsClientTo getCurrentUserDetails(@Context HttpServletRequest request) { | |||
|
|||
return TokenAuthenticationService.getUserdetailsFromToken(request.getHeader("Authorization")); | |||
return this.tokenManagementService.getUserdetailsFromTokenJwt(request.getHeader("Authorization")); |
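Review bot: `request.getHeader("Authorization")` may be null and is passed straight into `getUserdetailsFromTokenJwt` without a check, so a caller that reaches this resource through some other authenticated path gets an exception instead of a proper response. Beyond the null case, this line re-parses and re-validates a header that the security filter chain has already validated for the request to arrive here; reading the principal and authorities from `SecurityContextHolder.getContext().getAuthentication()` removes both the duplicate validation and the dependency on the header format.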
Exactly what I guessed. IMHO this does not make so much sense...
Compare this to the original implementation of this service, which should still work even though it never knew about JWT.
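The point made in the review above (derive UserDetailsClientTo from the Spring Security Authentication the filter already established, instead of validating the Authorization header a second time) as an added example. This is not MTSJ's code: UserDetailsClientTo is reduced to a hypothetical two-field DTO, and the class-level resource path "/security/v1" is assumed.

```java
// Added example, not MTSJ's own code. The /currentuser/ resource below never sees
// the Authorization header: whichever filter authenticated the request (JWT, form
// login, ...) has already populated the SecurityContext, and the service only maps
// that Authentication to the client TO.
package com.example.currentuser;

import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

@Path("/security/v1") // assumed path, not taken from MTSJ
public class CurrentUserRestService {

  /** Hypothetical minimal stand-in for MTSJ's UserDetailsClientTo. */
  public static class UserDetailsClientTo {
    private final String name;
    private final List<String> roles;

    public UserDetailsClientTo(String name, List<String> roles) {
      this.name = name;
      this.roles = Collections.unmodifiableList(roles);
    }

    public String getName() { return this.name; }

    public List<String> getRoles() { return this.roles; }
  }

  @GET
  @Path("/currentuser/")
  @Produces(MediaType.APPLICATION_JSON)
  public UserDetailsClientTo getCurrentUserDetails() {
    return fromAuthentication(SecurityContextHolder.getContext().getAuthentication());
  }

  /** Maps an Authentication to the client TO; answers 401 if the request is not authenticated. */
  static UserDetailsClientTo fromAuthentication(Authentication auth) {
    // An anonymous token is "authenticated" from Spring's point of view but must not
    // be reported as a logged-in user, so it is rejected explicitly.
    if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
      throw new WebApplicationException(Response.Status.UNAUTHORIZED);
    }
    List<String> roles = auth.getAuthorities().stream()
        .map(GrantedAuthority::getAuthority)
        .sorted()
        .collect(Collectors.toList());
    return new UserDetailsClientTo(auth.getName(), roles);
  }
}
```

Because the mapping only depends on `Authentication`, the same service keeps working if the login mechanism is changed again later, which is the property the original pre-JWT implementation had.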
This is good progress on JWT support but IMHO still needs some rework.
@suprishi may you take over and redo with an updated PR replacing this one?
...mtsj/core/src/main/java/com/devonfw/application/mtsj/general/common/base/PreLoginFilter.java
public class TokenAuthenticationService { | ||
|
||
/** Logger instance. */ | ||
private static final Logger LOG = LoggerFactory.getLogger(TokenAuthenticationService.class); | ||
|
||
@Inject | ||
private KeyStoreAccess keyStoreAccess; | ||
|
||
@Inject | ||
private JwtConfigProperties jwtConfig; | ||
|
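Review bot: `TokenAuthenticationService` still `@Inject`s `KeyStoreAccess` and `JwtConfigProperties`, i.e. the raw material for signing and validating tokens itself, alongside the `JwtCreator` and `jwtAuthenticator` that other hunks of this PR now use for exactly that. If the class is to survive only as a holder for role lookup and constants, drop these two injections so the signing key is touched in a single place; if it still creates or validates tokens, that duplication is the thing to remove.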
I am still wondering why this class is still needed after all.
This class is used in multiple classes: AdvancedDaoAuthenticationProvider calls the method getRolesFromName, and PreLoginFilter and TwoFactorFilter use the constant variable OTP. @hohwille
private JwtCreator jwtCreator; | ||
|
IMHO 2FA should be independent of or alternative to JWT:
- Typically there is a login process for human authentication. For advanced security that process may require a second factor (2FA)
- a valid JWT is however a result of a successful authentication and prevents further need for authentication so it replaces the authentication process.
So in the end this still does not make sense to me.
I can see in the PR that it is used to get the token from the Authentication and pass it as a header to the HttpServletRequest. So, should I remove this part? @hohwille
IMHO the JWT should be returned to the browser after successful login as part of a JSON structure inside the response body, instead of within the "Authorization" header. At least for me this seems to be the most often used method, especially in the case of OpenID Connect. I am not aware that there is a standard for this JWT transfer to the browser in a pure "JWT auth" architecture, though. So there is not only one right implementation for this.
Nevertheless: the meaning of the Authorization header is not defined when it is used within the response, so if a response header should really be used for the transfer, it should better be a header name with a leading "X-".
Due to that, also the return of the "Bearer " prefix (currently within the Authentication header in the response to /login) seems superfluous to me. This has no real meaning (since the Authorization header in the response has no meaning). That might also be the reason the "Bearer" was added again on the Angular side (so the resulting header has "Bearer " twice); again, this addition on the browser side is the most common usage of JWT I have seen so far in other implementations.
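The two points in the comment above (return the JWT in a JSON body on login; accept exactly one "Bearer " prefix on the request side so a doubled prefix cannot slip through) as an added example. This is not MTSJ's or devon4j's code: `JwtCreator` here is a hypothetical one-method interface standing in for whatever component actually signs the token, and the `{"token": ...}` body layout is an assumption.

```java
// Added example, not MTSJ's code. The success handler writes the token into a JSON
// body; the static helper is what a request filter would call to pull the raw JWS
// out of an incoming Authorization header.
package com.example.jwt;

import java.io.IOException;
import java.util.Optional;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class JsonBodyTokenHandler implements AuthenticationSuccessHandler {

  /** Hypothetical token issuer; MTSJ would plug in devon4j's JwtCreator here. */
  public interface JwtCreator {
    String create(Authentication authentication);
  }

  private static final String BEARER = "Bearer ";

  /** JWS compact serialization: three base64url segments separated by dots. */
  private static final Pattern JWS_COMPACT =
      Pattern.compile("^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$");

  private final JwtCreator jwtCreator;

  public JsonBodyTokenHandler(JwtCreator jwtCreator) {
    this.jwtCreator = jwtCreator;
  }

  @Override
  public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
      Authentication authentication) throws IOException, ServletException {
    String token = this.jwtCreator.create(authentication);
    if (!JWS_COMPACT.matcher(token).matches()) {
      // never embed something in the JSON body that is not the expected shape
      throw new ServletException("issued token is not a compact JWS");
    }
    response.setStatus(HttpServletResponse.SC_OK);
    response.setContentType("application/json;charset=UTF-8");
    // a bearer token must not end up in a shared cache
    response.setHeader("Cache-Control", "no-store");
    response.getWriter().write(toJsonBody(token));
  }

  /** {"token":"<jws>"}; no escaping needed because the token shape was validated. */
  static String toJsonBody(String token) {
    return "{\"token\":\"" + token + "\"}";
  }

  /**
   * Extracts the raw JWS from a request's Authorization header. Returns empty for a
   * missing header, a non-Bearer scheme, a doubled prefix ("Bearer Bearer x.y.z") or a
   * malformed token, so callers treat all of these as "not authenticated" instead of
   * handing garbage to the token validator.
   */
  static Optional<String> extractBearerToken(String authorizationHeader) {
    // the scheme name is case-insensitive (RFC 6750), the token itself is not
    if (authorizationHeader == null
        || !authorizationHeader.regionMatches(true, 0, BEARER, 0, BEARER.length())) {
      return Optional.empty();
    }
    String token = authorizationHeader.substring(BEARER.length()).trim();
    return JWS_COMPACT.matcher(token).matches() ? Optional.of(token) : Optional.empty();
  }
}
```

With the token in the body, the browser side stores the bare JWS and adds the single "Bearer " prefix itself when building the request header, which is the pattern the comment describes as the common one; `extractBearerToken("Bearer Bearer a.b.c")` then yields empty rather than a token that happens to start with "Bearer".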
c98d581 to 2783216
marochs seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
A few issues still in this PR:
It works only if we store it in some file location in the format below. Here we need to identify some path in the mtsj server to store the file. (file:/pathtofile/file.pkcs)
It is throwing some weird exception:
Caused by: java.io.IOException: insufficient data
at java.base/sun.security.util.DerInputBuffer.truncate(DerInputBuffer.java:134) ~[na:na]
at java.base/sun.security.util.DerInputStream.subStream(DerInputStream.java:160) ~[na:na]
at java.base/sun.security.util.DerInputStream.readVector(DerInputStream.java:421) ~[na:na]
at java.base/sun.security.util.DerInputStream.getSequence(DerInputStream.java:337) ~[na:na]
at java.base/sun.security.pkcs.ContentInfo.<init>(ContentInfo.java:132) ~[na:na]
at java.base/sun.security.pkcs.ContentInfo.<init>(ContentInfo.java:109) ~[na:na]
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2007) ~[na:na]
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222) ~[na:na]
at java.base/java.security.KeyStore.load(KeyStore.java:1479) ~[na:na]
at com.devonfw.module.security.keystore.common.impl.KeyStoreAccessImpl.getKeyStore(KeyStoreAccessImpl.java:50)
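The stack trace above ends in a DER "insufficient data" error raised while `KeyStore.load` parses the bytes, which means the bytes handed to it were not a complete PKCS#12 file rather than that the location could not be opened. As an added example (not MTSJ's or devon4j's `KeyStoreAccessImpl`), the loader below accepts both a `file:` URL and a `classpath:` resource, so the keystore can live inside the bootified WAR, and checks the bytes before parsing so that a damaged resource produces a readable diagnostic. The location string, the password source and the "first byte must be a DER SEQUENCE tag" heuristic are assumptions; the hint about Maven resource filtering in the error text is a common cause of altered binary resources, not something the thread establishes.

```java
// Added example, not MTSJ's code: load a PKCS#12 keystore from "file:" or "classpath:"
// and fail with a readable message instead of a bare DER "insufficient data".
package com.example.keystore;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
import org.springframework.util.StreamUtils;

public final class KeyStoreLoader {

  private final ResourceLoader resourceLoader;

  public KeyStoreLoader() {
    this(new DefaultResourceLoader());
  }

  KeyStoreLoader(ResourceLoader resourceLoader) {
    this.resourceLoader = resourceLoader;
  }

  /**
   * @param location "classpath:keystore.pkcs" (inside the WAR) or "file:/pathtofile/file.pkcs"
   * @param password keystore password, taken from configuration by the caller
   */
  public KeyStore load(String location, char[] password)
      throws IOException, GeneralSecurityException {
    Resource resource = this.resourceLoader.getResource(location);
    if (!resource.exists()) {
      throw new IOException("keystore not found at " + location);
    }
    // read everything first so the diagnostic can report the actual size
    byte[] bytes;
    try (InputStream in = resource.getInputStream()) {
      bytes = StreamUtils.copyToByteArray(in);
    }
    checkLooksLikePkcs12(location, bytes);
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(new ByteArrayInputStream(bytes), password);
    return keyStore;
  }

  /**
   * A PKCS#12 file is a DER SEQUENCE, so its first byte is 0x30 (assumption used as a
   * cheap sanity check); a resource that was filtered, re-encoded or truncated by the
   * build fails here with a message that names the resource instead of deep inside DER parsing.
   */
  static void checkLooksLikePkcs12(String location, byte[] bytes) throws IOException {
    if (bytes.length < 4 || bytes[0] != 0x30) {
      throw new IOException("resource " + location + " (" + bytes.length
          + " bytes) is not a DER-encoded PKCS#12 keystore; check that the build did not"
          + " alter it (for example Maven resource filtering applied to a binary file)");
    }
  }
}
```

Comparing the byte count reported by the exception with the size of the file in `src/main/resources` is the quickest way to tell a build-time alteration from a wrong password or a wrong path.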