如何为整个Spring Boot应用程序生成令牌

Question

I have a REST API which consumes an external API. I am using WebClient, but I have to pass a token with each request to the external API. The token is generated through an addAuthentication POST call. I want to use the same token within the entire application, until it gets expired as; this is an application specific token. But I am not sure how to generate the token to be available in my entire application, for use in all http requests.

I tried to instantiate a connector class and used in @PostConstruct in my spring boot application class; but I am not sure how to access this instance within all the application.

   @Component
   public class AppConnector {
     @Value("${some.dev.url}")
     private String baseUrl;
     @Value("${some.dev.appid}")
     private String appId;
     @Value("${some.dev.username}")
     private String username;
     @Value("${some.dev.password}")
     private String password;   
     private String token;  
     private boolean isConnected;   
     private final WebClient webClient;


  @Autowired
  public AppConnector(WebClient webClient) {
      this.webClient = WebClient.builder()
              .baseUrl("http://localhost:8080/api")
              .defaultHeader("application-id", "client-01")
              .defaultHeader("username", username)
              .defaultHeader("password", password)
              .build();
  }

/***
 * Method to add Authentication
 * @return Session_Token: String
 */
public String addAuthentication() {

    AddAuthenticationOutputVO response = null;
    response = this.webClient.post()
            .uri("/authentication?version=1.0")
            .retrieve()
            .bodyToMono(AddAuthenticationOutputVO.class).block();

    this.token = response.getSession_token();
    return response.getSession_token();
}

}

Answer 1

One solution is to use JWT signed and issued by the main application, and both system must have the main key secret. The verification can be a simple token verification, and you can find the userId or userName inside the JWT. The expiration is inside the JWT so every time the token is verified the system can know if the token has expired or not and you can answer to the client as expired token.

This solution with Spring is implement two filters, Authentication to generate the token, and Authorization to verify the token.

Here is the sample code.

Authentication:

public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    private final AuthenticationManager authenticationManager;
    private final String maxSizeToUpload;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManger, String maxSizeToUpload) {
        this.authenticationManager = authenticationManger;
        this.maxSizeToUpload = maxSizeToUpload;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, 
            HttpServletResponse response) throws AuthenticationException {
        try {
            AuthenticationRequest authRequest = new ObjectMapper().readValue(request.getInputStream(), 
                    AuthenticationRequest.class);
            return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(
                    authRequest.getUsername(), authRequest.getPassword(), new ArrayList<>()));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication auth) throws IOException, ServletException {
        // Los tokens son generados hasta el final del día.
        Date expirationDate = DateUtil.setZeroHour(DateUtil.getDateAddDays(new Date(), 1));

        String token = Jwts.builder().setIssuedAt(new Date()).setIssuer(WebSecurity.ISSUER)
                .setSubject(((BuserDetails)auth.getPrincipal()).getUsername())
                .setExpiration(expirationDate)
                .signWith(SignatureAlgorithm.HS512, HardCodeUtil.JWT_KEY).compact();
        response.addHeader(WebSecurity.HEADER_AUTHORIZATION, WebSecurity.PREFIX_JWT + token);
        response.addHeader(WebSecurity.HEADER_JWT_EXPIRATION_DATE, String.valueOf(expirationDate.getTime()));
        ObjectMapper mapper = new ObjectMapper();
        ExtraParams extraParams = new ExtraParams(
                ((BuserDetails)auth.getPrincipal()).getBuser().getBusiness().getCurrency(),
                Byte.parseByte(maxSizeToUpload.replace("MB", "")));
        String body = mapper.writeValueAsString(new LoginResponse(((BuserDetails)auth.getPrincipal()).getBuser(),
                extraParams));
        response.setContentType("application/json");
        response.getWriter().write(body);
        response.getWriter().flush();
        response.getWriter().close();
    }

}

Authorization:

This must be used in both system and you can find the JWT_KEY as I used, you need to share that value in both systems.

public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

    private static final Logger log = Logger.getLogger(JWTAuthorizationFilter.class.getName());

    public JWTAuthorizationFilter(AuthenticationManager authManager) {
        super(authManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String header = req.getHeader(WebSecurity.HEADER_AUTHORIZATION);
        if (header == null || !header.startsWith(WebSecurity.PREFIX_JWT)) {
            chain.doFilter(req, res);
            return;
        }
        try {
            UsernamePasswordAuthenticationToken authentication = getAuthentication(req);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            chain.doFilter(req, res);
        }catch (SignatureException ex) {
            log.log(Level.SEVERE, "FIRMA INVALIDA DEL JWT ENVIADO");
        }catch (MalformedJwtException ex) {
            log.log(Level.SEVERE, "ESTRUCTURA INVALIDA DEL JWT ENVIADO");
        }catch (ExpiredJwtException ex) {
            GeneralResponse jwtInvalidResponse = new GeneralResponse(ErrorsEnum.JWT_EXPIRED);
            ObjectMapper mapper = new ObjectMapper();
            String body = mapper.writeValueAsString(jwtInvalidResponse);
            res.setContentType("application/json");
            res.getWriter().write(body);
            res.getWriter().flush();
            res.getWriter().close();
        }catch (UnsupportedJwtException ex) {
            log.log(Level.SEVERE, "NO SOPORTADO JWT ENVIADO");
        }catch (IllegalArgumentException ex) {
            log.log(Level.SEVERE, "ILLEGAL ARGUMENT JWT ENVIADO");
        }
    }

    private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
        String token = request.getHeader(WebSecurity.HEADER_AUTHORIZATION);
        if (token != null) {
            String user = Jwts.parser()
                    .setSigningKey(HardCodeUtil.JWT_KEY)
                    .parseClaimsJws(token.replace(WebSecurity.PREFIX_JWT, ""))
                    .getBody()
                    .getSubject();
            if (user != null) {
                return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
            }
        }
        return null;
    }

}

In the example I have implemented with this library:

<dependency>
     <groupId>io.jsonwebtoken</groupId>
     <artifactId>jjwt</artifactId>
     <version>0.9.1</version>
</dependency>