Spring - 远程基本认证

Question

I'm rewriting a Monolith Java/Spring server to Microservices while exposing the same API interface to the clients so they won't notice any change was made.

In the Monolith server we use Spring-Security and Spring-Security-OAuth2 .

The first part is creating a Java based API-Gateway which will handle all authentication/authorization as a tunnel to the Monolith server.

After creating a new microservice (using spring initializr) I have tried to configure spring security to tunnel all Authentication to the Monolith Server using:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final AuthenticationProvider authenticationProvider;

    public WebSecurityConfig(AuthenticationProvider authenticationProvider) {
        this.authenticationProvider = authenticationProvider;
    }
}

@Component("authenticationProvider")
public class CustomRemoteAuthenticationProvider extends RemoteAuthenticationProvider {

    @Override
    @Autowired
    @Qualifier("remoteAuthenticationManager")
    public void setRemoteAuthenticationManager(RemoteAuthenticationManager remoteAuthenticationManager) {
        super.setRemoteAuthenticationManager(remoteAuthenticationManager);
    }

}

@Service("remoteAuthenticationManager")
public class CustomRemoteAuthenticationManager implements RemoteAuthenticationManager {

    @Override
    public Collection<? extends GrantedAuthority> attemptAuthentication(String username, String password) throws RemoteAuthenticationException {
        ... here I do an HTTP call to the Monolith `/oauth/login`
    }
}

This seems to be working as I visit the http://localhost:8080/login page of the spring-security, I can successfully login and the request is tunneled into our Monolith server.

The problem starts when I try to configure the OAuth2 resource server, as our clients currently authenticating using a POST to oauth/token with some Basic Authentication in the Header:

Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Note: The token for the basic is a static token for all clients (I know it's not worth anything but this is the way it's currently implementated and I try to implement a fully compatible API-Gateway)

Which allows them to communicate with that end-point and get a valid token for the user/password in the body (Which is application/x-www-form-urlencoded):

password=somepassword&username=user@example.com&grant_type=password&scope=read%20write

The problem is that spring-security returning a 401 Unauthorized for that call without even letting the request enter the /oauth/login route and do a remote authentication.

I can't find a way to tunnel the Basic Authentication into the monolith server so the /oauth/login will actually authenticate against the Monolith with Remote Basic Authentication and after success it will act as a tunnel and will pass the body itself into the Monolith /oauth/login end point (as I succesfully did in the WebSecurityConfig above)

Any direction will be appreciated. Thanks in advance!

Answer 1

I am doing a similar project and I think that I can help you with some guidance.

OAuth2 is token-based security authorization and authentication that we can break in four components:

1. A Protected Resource (can be accessed only by the authenticated user that have the proper authorization)
2. A Resource Owner (defines what application can call their service which user are allowed to access the service and what can they do)
3. An Application (is the application that is going to call the service on behalf of the users)
4. OAuth2 Authentication Service(stands between the application and the protected resource)

In your case, the protected resource is the monolith that you want to break in a microservices architecture.

• The first thing you need to do is create an authorization service.

Create SpringCloud project from spring intilizr make sure that the dependencies below are present:

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-oauth2</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-security</artifactId>
        </dependency>

After that in the main class of oauth2 service you need to add two annotation. @EnableResourceServer is used to tell your microservice that is a protected resource. I will explain below why this is needed. @EnableAuthorizationServer is going to tell spring cloud that is service is going to be used as OAuth2Service. Below it is the code snippet:

@SpringBootApplication
@EnableResourceServer
@EnableAuthorizationServer
public class Oauth2ServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(Oauth2ServerApplication.class, args);
    }

}

We create an endpoint that is going to exposes the user information. This endpoint is going to be called by other services. This is the reason why we annotated this application with @EnableResourceServer . Below is the rest endpoint that return the user information:

@RestController
@RequestMapping("/user")
public class UserRestController {

    @GetMapping(produces="application/json")
    public Map<String,Object> getUser(OAuth2Authentication user){
        Map<String,Object> userInfo = new HashMap<>();
        userInfo.put("user",user.getUserAuthentication().getPrincipal());
        userInfo.put("authorities", user.getUserAuthentication().getAuthorities());
        return userInfo;
    }

}

Now you will register the application in oauth2 service. You will define the application that will access the protected resource. You will create a configuration class that will define what application can use your service.

@Configuration
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private PasswordEncoder passwordEncoder;
    @Autowired
    OAuth2ConfigParameters oauth2ConfigParameters;

    @Bean
    public OAuth2ConfigParameters oAuth2ConfigParameters() {
        return new OAuth2ConfigParameters();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
        .withClient("your application")
        .secret("your password")
        .authorizedGrantTypes( "refresh_token","password","client_credentials")
        .scopes("webclient","mobileclient");
    }
}

You need to define what users and roles for the application. This is familiar if you have done security with SpringBoot. Check the snippet below:

@Configuration
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    @Bean
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override 
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
        .withUser("you user")
        .password(passwordEncoder().encode("your password"))
        .roles("your role");
    }
}

In the end check with postman if you can retrieve the token from oauth2 service.

HttpMethod : POST, URL : http://localhost:application-port/oauth/token

Authorization Type : Basic, username : Client id, password : client secret

Body : form data,

grant:password

scope:webclient

username: your username

password: your password

After retrieving the token, test if you can access that token the URL of the endpoint which you expose user information.

HttpMethod : Get, URL : localhost:application-port/user

Authorization : Bearer, Token : token generated

---

• Second, protecting your old monolith which will be accessed from the gateway server. Remember that your old monolith is a protected resource.

First you need to add Spring Security and OAuth2 jars to the service you are trying to protect.

<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
</dependency>

Next in the application.yml of the monolith we configure service point of your oauth2 service. This is done because the monolith is a protected service and every time a request came you want to check if the token of the request is valid.

security:
 oauth2:
  resource:
   userInfoUri: http://localhost:oauth2-app-port/auth/user

After that don't forget to add the @EnableResourceServer which makes the monolith a protected resource.

@SpringBootApplication
@EnableResourceServer
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

After that we specify the restriction we want. I have provided below with example restricting access to only authenticated users.

@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }
}

---

• Recap

Your user is authenticated from OAuth service and has the generated token. With the generated token send a request to monolith through the gateway server. The gateway tries to access monolith by propagating the token that it received from the request. The monolith check if token it is valid.

Below is a link of my microservice architecture with zuul gateway server and oauth2 server: https://github.com/rshtishi/payroll . You can check it if you want to see more details.