IVIS-46: - Add tokens flow and access to protected resources in sdk r…

…outines chapter.
imCodePartnerAB · Nov 1, 2016 · 20b78fa · 20b78fa
1 parent 1922684
commit 20b78fa
Show file tree

Hide file tree

Showing 6 changed files with 135 additions and 20 deletions.
diff --git a/docs/sdk/routines/access_to_protected_resources.rst b/docs/sdk/routines/access_to_protected_resources.rst
@@ -0,0 +1,72 @@
+Access to protected resources
+=============================
+
+Prerequisites
+-------------
+
+    * `Tokens flow <http://docs.ivis.se/en/latest/sdk/routines/tokens_flow.html>`_
+
+You can limit access to specific urls, or some code areas on JSP page. iVIS provides SDK in both case.
+
+Both variants has optional parameter roles (String), it is comma separated list of roles that access give user access
+to protected resources.
+
+Filter
+------
+
+Java config
+~~~~~~~~~~~
+
+`BeansContext.java <http://docs.ivis.se/en/latest/sdk/routines/code/BeansContext.java>`_
+
+.. literalinclude:: /sdk/routines/code/BeansContext.java
+    :language: java
+    :linenos:
+    :lines: 39-54
+
+XML config
+~~~~~~~~~~
+
+You need write in web.xml following.
+
+.. code-block:: xml
+    :linenos:
+
+    <filter>
+        <filter-name>ivisAuthorizedFilter</filter-name>
+        <filter-class>imcode.services.filter.IvisAuthorizedFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>ivisAuthorizedFilter</filter-name>
+        <url-pattern>/persons/*</url-pattern>
+        <url-pattern>/pupils/*</ur l-pattern>
+        <init-param>
+           <param-name>roles</param-name>
+           <param-value>ROLE_ADMIN,ROLE_DEVELOPER</param-value>
+        </init-param>
+    </filter-mapping>
+
+Tag
+---
+
+To know if user login on JSP you can invoke special tag <ivis:authorized> with optional parameter role.
+
+.. code-block:: jsp
+    :linenos:
+
+    <%@taglib prefix="ivis" uri="ivis.sdk" %>
+
+    <ivis:authorized>
+        Information for authorized users
+    </ivis:authorized>
+
+    ...
+
+    <ivis:authorized roles="ROLE_ADMIN">
+        Information for authorized users in admin role
+    </ivis:authorized>
+
+.. important::
+
+    You can use this two cases if you have permission to use method getCurrent user.
+    After invoking Filter or tag in session persisted user object ("loggedInUser" key to parameter).
diff --git a/docs/sdk/routines/code/BeansContext.java b/docs/sdk/routines/code/BeansContext.java
@@ -1,9 +1,12 @@
 import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Bean;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.beans.factory.annotation.Value;
+import javax.servlet.Filter;
 import com.imcode.imcms.addon.ivisclient.oauth2.IvisAuthorizationCodeResourceDetails;
 import imcode.services.utils.builders.CollectionBuilder;
+import imcode.services.filter.IvisAuthorizedFilter;
 
 @Configuration
 public class BeansContext {
@@ -21,7 +24,7 @@ public class BeansContext {
     private String accessTokenUri;
 
     @Bean
-    public OAuth2ProtectedResourceDetails cleintBean() {
+    public OAuth2ProtectedResourceDetails clientBean() {
         IvisAuthorizationCodeResourceDetails client = new IvisAuthorizationCodeResourceDetails();
         client.setClientOnly(true);
         client.setGrantType("authorization_code");
@@ -32,4 +35,22 @@ public OAuth2ProtectedResourceDetails cleintBean() {
         client.setScope(CollectionBuilder.asLinkedList("read", "write"));
         return client;
     }
+
+    @Bean
+    public FilterRegistrationBean someFilterRegistration() {
+        FilterRegistrationBean registration = new FilterRegistrationBean();
+        registration.setFilter(ivisAuthorizedFilter());
+        registration.addUrlPatterns("/persons/*");
+        registration.addUrlPatterns("/pupils/*");
+        registration.addInitParameter("roles", "ROLE_ADMIN,ROLE_DEVELOPER");
+        registration.setName("ivisAuthorizedFilter");
+        registration.setOrder(1);
+        return registration;
+    }
+
+    @Bean(name = "ivisAuthorizedFilter")
+    public Filter ivisAuthorizedFilter() {
+        return new IvisAuthorizedFilter();
+    }
+
 }
diff --git a/docs/sdk/routines/code/LoginController.java → ...nes/code/IvisAuthorizationController.java b/docs/sdk/routines/code/LoginController.java → ...nes/code/IvisAuthorizationController.java
@@ -12,19 +12,23 @@
 import org.springframework.web.servlet.ModelAndView;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.UnsupportedEncodingException;
 import java.net.URISyntaxException;
 
 @Controller
-public class LoginController {
+public class IvisAuthorizationController {
 
     @Value("#{'${client-address}' + '${redirect-relate-uri}'}")
     private String redirectUri;
 
+    @Value("${refresh-token-validity-seconds")
+    private Integer refreshTokenValiditySeconds;
+
     private final AuthorizationCodeResourceDetails client;
 
     @Autowired
-    public LoginController(AuthorizationCodeResourceDetails client) {
+    public IvisAuthorizationController(AuthorizationCodeResourceDetails client) {
         this.client = client;
     }
 
@@ -38,10 +42,12 @@ public ModelAndView login(ModelAndView view) throws URISyntaxException {
     @RequestMapping(value = "${redirect-relate-uri}", method = RequestMethod.GET)
     public ModelAndView authorizationClientProcess(ModelAndView view,
                                                    HttpServletRequest request,
+                                                   HttpServletResponse response,
                                                    @RequestParam("code") String code) throws UnsupportedEncodingException {
         //send post request and receive token
         OAuth2AccessToken accessToken = IvisOAuth2Utils.getAccessToken(client, code, redirectUri);
         IvisOAuth2Utils.setAccessToken(request, accessToken);
+        IvisOAuth2Utils.setRefreshTokenAsCokie(response, accessToken.getRefreshToken(), refreshTokenValiditySeconds);
         view.setViewName("start_page_view");//view name of start page
         return view;
     }

diff --git a/docs/sdk/routines/configuration.rst b/docs/sdk/routines/configuration.rst
@@ -29,13 +29,19 @@ Beans for injection
 Java config
 ~~~~~~~~~~~
 
+`BeansContext.java <http://docs.ivis.se/en/latest/sdk/routines/code/BeansContext.java>`_
+
 .. literalinclude:: /sdk/routines/code/BeansContext.java
     :language: java
     :linenos:
+    :lines: 14-37
 
 XML config
 ~~~~~~~~~~
 
+`beansContext.xml <http://docs.ivis.se/en/latest/sdk/routines/code/beansContext.xml>`_
+
 .. literalinclude:: /sdk/routines/code/beansContext.xml
     :language: xml
     :linenos:
+    :lines: 7-15
diff --git a/docs/sdk/routines/login.rst b/docs/sdk/routines/login.rst
@@ -16,29 +16,13 @@ To login you need:
 
 Let's see how it looks like.
 
-.. literalinclude:: /sdk/routines/code/LoginController.java
+.. literalinclude:: /sdk/routines/code/IvisAuthorizationController.java
     :language: java
     :linenos:
 
-To know if user login on JSP you can invoke special tag <ivis:authorized> with optional parameter role.
 
-.. code-block:: jsp
 
-    <%@taglib prefix="ivis" uri="ivis.sdk" %>
 
-    <ivis:authorized>
-        Information for authorized persons
-    </ivis:authorized>
-
-    ...
-
-    <ivis:authorized role="ROLE_ADMIN">
-        Information for user in admin role
-    </ivis:authorized>
-
-.. important::
-
-    You can use this tag if you have permission to use method getCurrent user.
 
 
 

diff --git a/docs/sdk/routines/tokens_flow.rst b/docs/sdk/routines/tokens_flow.rst
@@ -0,0 +1,26 @@
+Tokens flow
+===========
+
+Prerequisites
+-------------
+
+    * `Login <http://docs.ivis.se/en/latest/sdk/routines/login.html>`_
+
+Need say few words how to use tokens flow.
+
+After login user in way described at `Login <http://docs.ivis.se/en/latest/sdk/routines/login.html>`_
+in session placed
+`access token <http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/common/OAuth2AccessToken.html>`_.
+And also refresh token value from access token object put in cookie.
+
+.. important::
+
+    Cookie has expiration time defined. It is defined by value refresh token validity seconds,
+    contact system administrator to know that.
+
+So tokens flow looks like
+
+    #. Client app login user (access token -> session, refresh token -> cookie with with expiration time).
+    #. If token is expired (IvisOAuth2Utils.isTokenGood(httpServletRequest) -> exchange refresh token from cookie (cookie key "refreshToken") to access token.
+    #. If cookie does not exist -> login user again.
+