Ryosuke Uchitate, profile picture
Uploaded byRyosuke Uchitate
PDF, PPTX18,052 views

Amazon Cognito使って認証したい?それならSpring Security使いましょう!

This document contains code snippets related to Spring Security configuration and authentication. It defines classes and methods for configuring security, processing login requests, loading user details, and authenticating users. Key aspects include configuring security filters and authorization rules, processing username/password authentication, validating login credentials against encoded passwords, and loading pre-authenticated users based on access tokens.

Embed presentation

Download as PDF, PPTX
1 / 102
2 / 102
3 / 102
4 / 102
5 / 102
6 / 102
7 / 102
8 / 102
9 / 102
10 / 102
11 / 102
Most read
12 / 102
13 / 102
Most read
14 / 102
Most read
15 / 102
16 / 102
17 / 102
18 / 102
19 / 102
20 / 102
21 / 102
22 / 102
23 / 102
24 / 102
25 / 102
26 / 102
27 / 102
28 / 102
29 / 102
30 / 102
31 / 102
32 / 102
33 / 102
34 / 102
35 / 102
36 / 102
37 / 102
38 / 102
39 / 102
40 / 102
41 / 102
42 / 102
43 / 102
44 / 102
45 / 102
46 / 102
47 / 102
48 / 102
49 / 102
50 / 102
51 / 102
52 / 102
53 / 102
54 / 102
55 / 102
56 / 102
57 / 102
58 / 102
59 / 102
60 / 102
61 / 102
62 / 102
63 / 102
64 / 102
65 / 102
66 / 102
67 / 102
68 / 102
69 / 102
70 / 102
71 / 102
72 / 102
73 / 102
74 / 102
75 / 102
76 / 102
77 / 102
78 / 102
79 / 102
80 / 102
81 / 102
82 / 102
83 / 102
84 / 102
85 / 102
86 / 102
87 / 102
88 / 102
89 / 102
90 / 102
91 / 102
92 / 102
93 / 102
94 / 102
95 / 102
96 / 102
97 / 102
98 / 102
99 / 102
100 / 102
101 / 102
102 / 102
final class FilterComparator implements Comparator<Filter>, Serializable { private static final int INITIAL_ORDER = 100; private static final int ORDER_STEP = 100; private final Map<String, Integer> filterToOrder = new HashMap<>(); FilterComparator() { Step order = new FilterComparator.Step(INITIAL_ORDER, ORDER_STEP); put(ChannelProcessingFilter.class, order.next()); put(ConcurrentSessionFilter.class, order.next()); put(WebAsyncManagerIntegrationFilter.class, order.next()); put(SecurityContextPersistenceFilter.class, order.next()); put(HeaderWriterFilter.class, order.next()); put(CorsFilter.class, order.next()); put(CsrfFilter.class, order.next()); put(LogoutFilter.class, order.next()); // ……
public interface AccessDecisionVoter<S> { int ACCESS_GRANTED = 1; int ACCESS_ABSTAIN = 0; int ACCESS_DENIED = -1;
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } }
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } }
public FormLoginConfigurer() { super(new UsernamePasswordAuthenticationFilter(),null); usernameParameter("username"); passwordParameter("password"); }
public Authentication attemptAuthentication( HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }
public Authentication attemptAuthentication( HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }
public Authentication authenticate(Authentication authentication) throws AuthenticationException { // …… for (AuthenticationProvider provider : getProviders()) { if (!provider.supports(toTest)) { continue; } // …… try { result = provider.authenticate(authentication); if (result != null) { copyDetails(authentication, result); break; } } // ……
protected final UserDetails retrieveUser( String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { // …… try { UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username); if (loadedUser == null) { // …… } return loadedUser; } // …… }
@Service @RequiredArgsConstructor public class UserDetailsServiceImpl implements UserDetailsService { private final UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userRepository.findByUsername(username) .orElseThrow( () -> new UsernameNotFoundException("username not found")); return new org.springframework.security.core.userdetails.User( user.getUsername(), user.getPassword(), createAuthorityList("ROLE_" + user.getRole().name())); } }
protected void additionalAuthenticationChecks( UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { // …… String presentedPassword = authentication.getCredentials().toString(); if (!passwordEncoder.matches( presentedPassword, userDetails.getPassword())) { // …… throw new BadCredentialsException(messages.getMessage( "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } }
public class CustomPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { @Override protected Object getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }
public class CustomPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { @Override protected Object getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }
private void doAuthenticate( HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); authRequest.setDetails( authenticationDetailsSource.buildDetails(request)); authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } }
private void doAuthenticate( HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); // …… authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } }
public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }
public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }
public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… JWT String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }
@Service public class CustomAuthenticationUserDetailsService implements AuthenticationUserDetailsService { private final CustomUserDetailsService userDetailsService; // …… @Override public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException { String username = token.getPrincipal().toString(); String accessToken = token.getCredentials().toString(); return Optional.ofNullable( userDetailsService.loadUserByUsername(username)) .map(u -> new CustomUserDetails( ((CustomUserDetails) u).getUser(), accessToken)) .orElseThrow(() -> new UsernameNotFoundException("user not found")); } }
<dependencies> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <scope>test</scope> </dependency> </dependencies> testCompile “org.springframework.security:spring- security-test:5.1.1.RELEASE”
@BeforeEach void beforeEach() { mockMvc = MockMvcBuilders .webAppContextSetup(context) .apply(springSecurity()) .build(); }
@Test void loginSuccess() throws Exception { MvcResult result = mockMvc .perform(formLogin() .user("ruchitate").password("password")) .andReturn(); Assertions.assertThat(result.getResponse()) .extracting( MockHttpServletResponse::getStatus, MockHttpServletResponse::getRedirectedUrl) .containsExactly(302, "/success"); }
@Test void useWith200() throws Exception { MvcResult result = mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("STAFF"))) .andExpect(status().isOk()) .andReturn(); assertEquals( "{"name":" ","username":"ruchitate", "createdAt":"2018-10-01T00:00:00","lastSignInAt":null}", result.getResponse().getContentAsString()); }
@Test void useWith403ForAdmin() throws Exception { mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("ADMIN"))) .andExpect(status().isForbidden()) .andReturn(); }
@PreAuthorize("hasRole('ADMIN')") public List<User> list() { return userRepository.findAll(); } @PreAuthorize("#role == 'ADMIN'") public List<User> list(String role) { return userRepository.findAll(); } @PreAuthorize("#r.name == 'ruchitate'") public List<User> list(@P("r") UserRequest request) { return userRepository.findAll(); }
@PostAuthorize("returnObject != null && returnObject.username == 'ruchitate'") public User get(Integer id) { return userRepository.findById(id).orElse(null); }
@PreFilter("filterObject.name.equals('ruchitate')") public List<User> list(List<UserRequest> requests) { List<String> usernameList = requests.stream() .map(UserRequest::getName) .collect(Collectors.toList()); return userRepository .findAllByUsernameIn(usernameList); }
@PostFilter("filterObject.username == 'ruchitate'") public List<User> list() { return userRepository.findAll(); }
Amazon Cognito使って認証したい?それならSpring Security使いましょう!
Amazon Cognito使って認証したい?それならSpring Security使いましょう!
Amazon Cognito使って認証したい?それならSpring Security使いましょう!
Amazon Cognito使って認証したい?それならSpring Security使いましょう!

More Related Content

PDF
Javaのログ出力: 道具と考え方
byTaku Miyakawa
 
PDF
DDD x CQRS 更新系と参照系で異なるORMを併用して上手くいった話
byKoichiro Matsuoka
 
PDF
LogbackからLog4j 2への移行によるアプリケーションのスループット改善 ( JJUG CCC 2021 Fall )
byHironobu Isoda
 
PDF
MQTTとAMQPと.NET
byterurou
 
PDF
At least onceってぶっちゃけ問題の先送りだったよね #kafkajp
byYahoo!デベロッパーネットワーク
 
PDF
こんなに使える!今どきのAPIドキュメンテーションツール
bydcubeio
 
PPTX
監査要件を有するシステムに対する PostgreSQL 導入の課題と可能性
byOhyama Masanori
 
PDF
外部キー制約に伴うロックの小話
byichirin2501
 
Javaのログ出力: 道具と考え方
byTaku Miyakawa
 
DDD x CQRS 更新系と参照系で異なるORMを併用して上手くいった話
byKoichiro Matsuoka
 
LogbackからLog4j 2への移行によるアプリケーションのスループット改善 ( JJUG CCC 2021 Fall )
byHironobu Isoda
 
MQTTとAMQPと.NET
byterurou
 
At least onceってぶっちゃけ問題の先送りだったよね #kafkajp
byYahoo!デベロッパーネットワーク
 
こんなに使える!今どきのAPIドキュメンテーションツール
bydcubeio
 
監査要件を有するシステムに対する PostgreSQL 導入の課題と可能性
byOhyama Masanori
 
外部キー制約に伴うロックの小話
byichirin2501
 

What's hot

PDF
認証の課題とID連携の実装 〜ハンズオン〜
byMasaru Kurahayashi
 
PDF
イミュータブルデータモデル(入門編)
byYoshitaka Kawashima
 
PDF
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
byonozaty
 
PDF
Where狙いのキー、order by狙いのキー
byyoku0825
 
PDF
Form認証で学ぶSpring Security入門
byRyosuke Uchitate
 
PDF
怖くないSpring Bootのオートコンフィグレーション
by土岐 孝平
 
PPTX
SPAセキュリティ入門~PHP Conference Japan 2021
byHiroshi Tokumaru
 
PDF
例外設計における大罪
byTakuto Wada
 
PDF
雑なMySQLパフォーマンスチューニング
byyoku0825
 
PDF
Keycloak拡張入門
byHiroyuki Wada
 
PDF
[Aurora事例祭り]Amazon Aurora を使いこなすためのベストプラクティス
byAmazon Web Services Japan
 
PDF
マルチテナント化で知っておきたいデータベースのこと
byAmazon Web Services Japan
 
PPTX
初心者向けMongoDBのキホン!
byTetsutaro Watanabe
 
PDF
PostgreSQLをKubernetes上で活用するためのOperator紹介!(Cloud Native Database Meetup #3 発表資料)
byNTT DATA Technology & Innovation
 
PDF
Microsoft Azure Storage 概要
byTakeshi Fukuhara
 
PDF
【BS13】チーム開発がこんなにも快適に!コーディングもデバッグも GitHub 上で。 GitHub Codespaces で叶えられるシームレスな開発
by日本マイクロソフト株式会社
 
ODP
SPAのルーティングの話
byushiboy
 
PDF
SpringBootTest入門
byYahoo!デベロッパーネットワーク
 
PDF
マイクロにしすぎた結果がこれだよ!
bymosa siru
 
PPTX
RLSを用いたマルチテナント実装 for Django
byTakayuki Shimizukawa
 
認証の課題とID連携の実装 〜ハンズオン〜
byMasaru Kurahayashi
 
イミュータブルデータモデル(入門編)
byYoshitaka Kawashima
 
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
byonozaty
 
Where狙いのキー、order by狙いのキー
byyoku0825
 
Form認証で学ぶSpring Security入門
byRyosuke Uchitate
 
怖くないSpring Bootのオートコンフィグレーション
by土岐 孝平
 
SPAセキュリティ入門~PHP Conference Japan 2021
byHiroshi Tokumaru
 
例外設計における大罪
byTakuto Wada
 
雑なMySQLパフォーマンスチューニング
byyoku0825
 
Keycloak拡張入門
byHiroyuki Wada
 
[Aurora事例祭り]Amazon Aurora を使いこなすためのベストプラクティス
byAmazon Web Services Japan
 
マルチテナント化で知っておきたいデータベースのこと
byAmazon Web Services Japan
 
初心者向けMongoDBのキホン!
byTetsutaro Watanabe
 
PostgreSQLをKubernetes上で活用するためのOperator紹介!(Cloud Native Database Meetup #3 発表資料)
byNTT DATA Technology & Innovation
 
Microsoft Azure Storage 概要
byTakeshi Fukuhara
 
【BS13】チーム開発がこんなにも快適に!コーディングもデバッグも GitHub 上で。 GitHub Codespaces で叶えられるシームレスな開発
by日本マイクロソフト株式会社
 
SPAのルーティングの話
byushiboy
 
SpringBootTest入門
byYahoo!デベロッパーネットワーク
 
マイクロにしすぎた結果がこれだよ!
bymosa siru
 
RLSを用いたマルチテナント実装 for Django
byTakayuki Shimizukawa
 

Similar to Amazon Cognito使って認証したい?それならSpring Security使いましょう!

PDF
From 0 to Spring Security 4.0
byrobwinch
 
PDF
Hacking the Grails Spring Security Plugins
byGR8Conf
 
PDF
Security enforcement of Java Microservices with Apiman & Keycloak
byCharles Moulliard
 
PPTX
Spring Security 3
byJason Ferguson
 
PDF
Building layers of defense for your application
byVMware Tanzu
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Lesson_07_Spring_Security_Register_NEW.pdf
byScott Anderson
 
PDF
Lesson07_Spring_Security_API.pdf
byScott Anderson
 
PDF
Fun With Spring Security
byBurt Beckwith
 
From 0 to Spring Security 4.0
byrobwinch
 
Hacking the Grails Spring Security Plugins
byGR8Conf
 
Security enforcement of Java Microservices with Apiman & Keycloak
byCharles Moulliard
 
Spring Security 3
byJason Ferguson
 
Building layers of defense for your application
byVMware Tanzu
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Lesson_07_Spring_Security_Register_NEW.pdf
byScott Anderson
 
Lesson07_Spring_Security_API.pdf
byScott Anderson
 
Fun With Spring Security
byBurt Beckwith
 

More from Ryosuke Uchitate

PDF
決済サービスのSpring Bootのバージョンを2系に上げた話
byRyosuke Uchitate
 
PDF
パラレルキャリアがもたらす相乗効果
byRyosuke Uchitate
 
PDF
Micrometerでメトリクスを収集してAmazon CloudWatchで可視化
byRyosuke Uchitate
 
PDF
オレはIntelliJ IDEAをこう使っている
byRyosuke Uchitate
 
PDF
春だしBannerで遊バナいか?
byRyosuke Uchitate
 
PDF
ユニットテストのアサーション 流れるようなインターフェースのAssertJを添えて 入門者仕立て
byRyosuke Uchitate
 
PPTX
Spring超入門-Springと出会ってから1年半-
byRyosuke Uchitate
 
PPTX
Spring starterによるSpring Boot Starter
byRyosuke Uchitate
 
決済サービスのSpring Bootのバージョンを2系に上げた話
byRyosuke Uchitate
 
パラレルキャリアがもたらす相乗効果
byRyosuke Uchitate
 
Micrometerでメトリクスを収集してAmazon CloudWatchで可視化
byRyosuke Uchitate
 
オレはIntelliJ IDEAをこう使っている
byRyosuke Uchitate
 
春だしBannerで遊バナいか?
byRyosuke Uchitate
 
ユニットテストのアサーション 流れるようなインターフェースのAssertJを添えて 入門者仕立て
byRyosuke Uchitate
 
Spring超入門-Springと出会ってから1年半-
byRyosuke Uchitate
 
Spring starterによるSpring Boot Starter
byRyosuke Uchitate
 

Recently uploaded

PDF
RAMON Scrap quality detection system.pdf
bymohamedassar81
 
PPTX
Unit 5 - THERMO ELECTRIC ENERGY BASED PROCESSES .pptx
byarivazhaganrajangam
 
PPTX
chapterOverview - embedded systems .pptx
bysamyukthakg2020
 
PPT
introduction to supply chain management.ppt
byrutujawawre
 
PDF
0acebd80-08f7-4be1-9135-15abe45dbc94.pdf
bySirvan7
 
PPT
Steam Power plant Generation anatomy and organs
byVishalSingh995299
 
PDF
Unconventional reservoirs in petroleum engineering
byMuhammadHaris61480
 
PPT
Steam generation , types of steam, boilers and their classifications, mountin...
byPrashantPatunkar1
 
PPTX
narrow-band-dfr-presentation-megger.pptx
byssuser52ed331
 
PPT
CHAPTER 09 - Digital signatures cryptography note
bySherin Wilson
 
PPTX
STM Unit 1 Complete notes for engineering students for better understanding
byLakshmiVivekaKesanap
 
PPTX
SOFTWARE PROJECT MANAGEMENT PART 1-.pptx
byssuserbafe2d
 
PDF
Bme manufacturing process module 3 .4648
bysatyabsp44
 
PPTX
Basics of internal combustio nengines, vapor compression cycle
byPrashantPatunkar1
 
PPTX
STM Unit 2 Complete notes for engineering students for better understanding
byLakshmiVivekaKesanap
 
PPTX
Introduction to Physical Metallurgy II.pptx
byOcheriCyril2
 
PPTX
Slide sur les concepts_Module_5_STP.pptx
bydine46
 
PPTX
SOFTWARE PROJECT MANAGEMENT PART 2-2.pptx
byssuserbafe2d
 
PDF
Dimensional Analysis and modelling similitude
by360degrees1
 
PPTX
TR334_Foundation_Engineering_I_Slope stability _i.pptx
byalexander402774
 
RAMON Scrap quality detection system.pdf
bymohamedassar81
 
Unit 5 - THERMO ELECTRIC ENERGY BASED PROCESSES .pptx
byarivazhaganrajangam
 
chapterOverview - embedded systems .pptx
bysamyukthakg2020
 
introduction to supply chain management.ppt
byrutujawawre
 
0acebd80-08f7-4be1-9135-15abe45dbc94.pdf
bySirvan7
 
Steam Power plant Generation anatomy and organs
byVishalSingh995299
 
Unconventional reservoirs in petroleum engineering
byMuhammadHaris61480
 
Steam generation , types of steam, boilers and their classifications, mountin...
byPrashantPatunkar1
 
narrow-band-dfr-presentation-megger.pptx
byssuser52ed331
 
CHAPTER 09 - Digital signatures cryptography note
bySherin Wilson
 
STM Unit 1 Complete notes for engineering students for better understanding
byLakshmiVivekaKesanap
 
SOFTWARE PROJECT MANAGEMENT PART 1-.pptx
byssuserbafe2d
 
Bme manufacturing process module 3 .4648
bysatyabsp44
 
Basics of internal combustio nengines, vapor compression cycle
byPrashantPatunkar1
 
STM Unit 2 Complete notes for engineering students for better understanding
byLakshmiVivekaKesanap
 
Introduction to Physical Metallurgy II.pptx
byOcheriCyril2
 
Slide sur les concepts_Module_5_STP.pptx
bydine46
 
SOFTWARE PROJECT MANAGEMENT PART 2-2.pptx
byssuserbafe2d
 
Dimensional Analysis and modelling similitude
by360degrees1
 
TR334_Foundation_Engineering_I_Slope stability _i.pptx
byalexander402774
 

Amazon Cognito使って認証したい?それならSpring Security使いましょう!

  • 13.
    final class FilterComparatorimplements Comparator<Filter>, Serializable { private static final int INITIAL_ORDER = 100; private static final int ORDER_STEP = 100; private final Map<String, Integer> filterToOrder = new HashMap<>(); FilterComparator() { Step order = new FilterComparator.Step(INITIAL_ORDER, ORDER_STEP); put(ChannelProcessingFilter.class, order.next()); put(ConcurrentSessionFilter.class, order.next()); put(WebAsyncManagerIntegrationFilter.class, order.next()); put(SecurityContextPersistenceFilter.class, order.next()); put(HeaderWriterFilter.class, order.next()); put(CorsFilter.class, order.next()); put(CsrfFilter.class, order.next()); put(LogoutFilter.class, order.next()); // ……
  • 26.
    public interface AccessDecisionVoter<S>{ int ACCESS_GRANTED = 1; int ACCESS_ABSTAIN = 0; int ACCESS_DENIED = -1;
  • 40.
    @Configuration @EnableWebSecurity public class WebSecurityConfigextends WebSecurityConfigurerAdapter { private final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } }
  • 41.
    @Configuration @EnableWebSecurity public class WebSecurityConfigextends WebSecurityConfigurerAdapter { private final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } }
  • 42.
    public FormLoginConfigurer() { super(newUsernamePasswordAuthenticationFilter(),null); usernameParameter("username"); passwordParameter("password"); }
  • 45.
    public Authentication attemptAuthentication( HttpServletRequestrequest, HttpServletResponse response) throws AuthenticationException { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }
  • 46.
    public Authentication attemptAuthentication( HttpServletRequestrequest, HttpServletResponse response) throws AuthenticationException { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }
  • 48.
    public Authentication authenticate(Authenticationauthentication) throws AuthenticationException { // …… for (AuthenticationProvider provider : getProviders()) { if (!provider.supports(toTest)) { continue; } // …… try { result = provider.authenticate(authentication); if (result != null) { copyDetails(authentication, result); break; } } // ……
  • 50.
    protected final UserDetailsretrieveUser( String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { // …… try { UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username); if (loadedUser == null) { // …… } return loadedUser; } // …… }
  • 51.
    @Service @RequiredArgsConstructor public class UserDetailsServiceImplimplements UserDetailsService { private final UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userRepository.findByUsername(username) .orElseThrow( () -> new UsernameNotFoundException("username not found")); return new org.springframework.security.core.userdetails.User( user.getUsername(), user.getPassword(), createAuthorityList("ROLE_" + user.getRole().name())); } }
  • 52.
    protected void additionalAuthenticationChecks( UserDetailsuserDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { // …… String presentedPassword = authentication.getCredentials().toString(); if (!passwordEncoder.matches( presentedPassword, userDetails.getPassword())) { // …… throw new BadCredentialsException(messages.getMessage( "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } }
  • 75.
    public class CustomPreAuthenticatedProcessingFilterextends AbstractPreAuthenticatedProcessingFilter { @Override protected Object getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }
  • 76.
    public class CustomPreAuthenticatedProcessingFilterextends AbstractPreAuthenticatedProcessingFilter { @Override protected Object getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }
  • 77.
    private void doAuthenticate( HttpServletRequestrequest, HttpServletResponse response) throws IOException, ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); authRequest.setDetails( authenticationDetailsSource.buildDetails(request)); authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } }
  • 78.
    private void doAuthenticate( HttpServletRequestrequest, HttpServletResponse response) throws IOException, ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); // …… authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } }
  • 81.
    public Authentication authenticate(Authenticationauth) throws AuthenticationException { String accessToken = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }
  • 82.
    public Authentication authenticate(Authenticationauth) throws AuthenticationException { String accessToken = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }
  • 83.
    public Authentication authenticate(Authenticationauth) throws AuthenticationException { String accessToken = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… JWT String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }
  • 85.
    @Service public class CustomAuthenticationUserDetailsService implementsAuthenticationUserDetailsService { private final CustomUserDetailsService userDetailsService; // …… @Override public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException { String username = token.getPrincipal().toString(); String accessToken = token.getCredentials().toString(); return Optional.ofNullable( userDetailsService.loadUserByUsername(username)) .map(u -> new CustomUserDetails( ((CustomUserDetails) u).getUser(), accessToken)) .orElseThrow(() -> new UsernameNotFoundException("user not found")); } }
  • 88.
  • 89.
    @BeforeEach void beforeEach() { mockMvc= MockMvcBuilders .webAppContextSetup(context) .apply(springSecurity()) .build(); }
  • 90.
    @Test void loginSuccess() throwsException { MvcResult result = mockMvc .perform(formLogin() .user("ruchitate").password("password")) .andReturn(); Assertions.assertThat(result.getResponse()) .extracting( MockHttpServletResponse::getStatus, MockHttpServletResponse::getRedirectedUrl) .containsExactly(302, "/success"); }
  • 91.
    @Test void useWith200() throwsException { MvcResult result = mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("STAFF"))) .andExpect(status().isOk()) .andReturn(); assertEquals( "{"name":" ","username":"ruchitate", "createdAt":"2018-10-01T00:00:00","lastSignInAt":null}", result.getResponse().getContentAsString()); }
  • 92.
    @Test void useWith403ForAdmin() throwsException { mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("ADMIN"))) .andExpect(status().isForbidden()) .andReturn(); }
  • 95.
    @PreAuthorize("hasRole('ADMIN')") public List<User> list(){ return userRepository.findAll(); } @PreAuthorize("#role == 'ADMIN'") public List<User> list(String role) { return userRepository.findAll(); } @PreAuthorize("#r.name == 'ruchitate'") public List<User> list(@P("r") UserRequest request) { return userRepository.findAll(); }
  • 96.
    @PostAuthorize("returnObject != null&& returnObject.username == 'ruchitate'") public User get(Integer id) { return userRepository.findById(id).orElse(null); }
  • 97.
    @PreFilter("filterObject.name.equals('ruchitate')") public List<User> list(List<UserRequest>requests) { List<String> usernameList = requests.stream() .map(UserRequest::getName) .collect(Collectors.toList()); return userRepository .findAllByUsernameIn(usernameList); }
  • 98.
    @PostFilter("filterObject.username == 'ruchitate'") publicList<User> list() { return userRepository.findAll(); }