/*
* Copyright (c) 2016-2020 Michael Zhang <yidongnan@gmail.com>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
* documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
* Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
package net.devh.boot.grpc.examples.security.server;
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;

import net.devh.boot.grpc.server.security.authentication.BearerAuthenticationReader;
import net.devh.boot.grpc.server.security.authentication.GrpcAuthenticationReader;
/**
* The security configuration. If you use Spring Security for web applications, most of this is already configured.
*
* @author Gregor Eeckels (gregor.eeckels@gmail.com)
*/
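@Configuration
// proxyTargetClass is required, if you use annotation driven security!
// However, you will receive a warning that GrpcServerService#bindService() method is final.
// You cannot avoid that warning (without massive amount of work), but it is safe to ignore it.
// The #bindService() method uses a reference to 'this', which will be used to invoke the methods.
// If the method is not final it will delegate to the original instance and thus it will bypass any security layer that
// you intend to add, unless you re-implement the #bindService() method on the outermost layer (which Spring does not).
@EnableGlobalMethodSecurity(securedEnabled = true, proxyTargetClass = true)
public class SecurityConfiguration {

    /**
     * Base URL of the local Keycloak realm ({@code TestRealm}) that issues the tokens. Keycloak places this URL into the
     * {@code iss} claim of the tokens it mints, so it must match the host name under which clients obtained their tokens
     * (adjust it if Keycloak is reached through a different host or port).
     */
    private static final String ISSUER_URI = "http://localhost:8080/auth/realms/TestRealm";

    /**
     * Endpoint of the realm that publishes its signing keys (JWK set).
     */
    private static final String JWK_SET_URI = ISSUER_URI + "/protocol/openid-connect/certs";

    /**
     * Converts a successfully decoded JWT into an {@code Authentication}, deriving the granted authorities with the
     * {@link #keyCloakGrantedAuthoritiesConverter()} instead of Spring's default {@code scope} claim mapping.
     *
     * @return the converter used by the {@link #jwtAuthenticationProvider()}
     */
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        final JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(keyCloakGrantedAuthoritiesConverter());
        return converter;
    }

    /**
     * Converter that derives granted authorities from the claims of a Keycloak token (see
     * {@link KeyCloakGrantedAuthoritiesConverter} for the claim mapping).
     *
     * @return the Keycloak authorities converter
     */
    @Bean
    KeyCloakGrantedAuthoritiesConverter keyCloakGrantedAuthoritiesConverter() {
        return new KeyCloakGrantedAuthoritiesConverter();
    }

    /**
     * Authenticates {@link BearerTokenAuthenticationToken}s by decoding and validating the raw token with the
     * {@link #jwtDecoder()} and converting the result with the {@link #jwtAuthenticationConverter()}.
     *
     * @return the JWT authentication provider
     */
    @Bean
    JwtAuthenticationProvider jwtAuthenticationProvider() {
        final JwtAuthenticationProvider provider = new JwtAuthenticationProvider(jwtDecoder());
        provider.setJwtAuthenticationConverter(jwtAuthenticationConverter());
        return provider;
    }

    /**
     * Creates the authentication manager that holds all supported authentication providers. Currently only JWT bearer
     * tokens are supported, so the manager delegates to the {@link #jwtAuthenticationProvider()} alone.
     *
     * @return the authentication manager
     */
    @Bean
    AuthenticationManager authenticationManager() {
        final List<AuthenticationProvider> providers = new ArrayList<>();
        providers.add(jwtAuthenticationProvider());
        return new ProviderManager(providers);
    }

    /**
     * Configures which authentication types the gRPC server supports. Only bearer tokens are accepted; the raw token
     * string is wrapped into a {@link BearerTokenAuthenticationToken} that the {@link #authenticationManager()} then
     * authenticates.
     *
     * @return the gRPC authentication reader
     */
    @Bean
    GrpcAuthenticationReader authenticationReader() {
        return new BearerAuthenticationReader(BearerTokenAuthenticationToken::new);
    }

    /**
     * Decodes and validates incoming JWTs against the signing keys published by the Keycloak realm.
     * <p>
     * The decoder built by {@link NimbusJwtDecoder#withJwkSetUri(String)} verifies the signature and, by default, only
     * the {@code exp}/{@code nbf} timestamps. {@link JwtValidators#createDefaultWithIssuer(String)} keeps the timestamp
     * check and additionally verifies the {@code iss} claim against {@link #ISSUER_URI}, so a token minted for a
     * different issuer is rejected even if it carries a signature the decoder can verify.
     * <p>
     * The JWK set is fetched over plain {@code http} here only because the example targets a local Keycloak instance.
     * The key set is the trust anchor for every accepted token, so outside of local development this endpoint must be
     * reached over TLS (or the keys configured statically).
     *
     * @return the JWT decoder
     */
    @Bean
    JwtDecoder jwtDecoder() {
        final NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER_URI));
        return decoder;
    }
}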