1
0
mirror of synced 2026-07-08 20:30:04 +00:00

Compare commits

...

10 Commits

Author SHA1 Message Date
Rob Winch 8ce1ac3ec5 Release 5.2.1.RELEASE 2019-11-04 13:09:25 -06:00
Josh Cummings 906a69b7cb Add Resource Server Multi-tenancy Docs
Fixes: gh-7532
2019-11-04 13:09:25 -06:00
Rob Winch 7b8dd79db2 Update to blockound 1.0.1.RELEASE
Fixes gh-7613
2019-11-04 13:09:25 -06:00
Rob Winch 526e3fd402 Update to hibernate-validator 6.1.0.Final
Fixes gh-7612
2019-11-04 13:09:25 -06:00
Rob Winch f340da88d4 Update to hibernate-entitymanager 5.4.8.Final
Fixes gh-7611
2019-11-04 13:09:25 -06:00
Rob Winch 7fdebf3f7f Update to Unbounded 4.0.12
Fixes gh-7610
2019-11-04 13:09:25 -06:00
Rob Winch c091d6ded4 Update to powermock 2.0.4
Fixes gh-7609
2019-11-04 13:09:25 -06:00
Rob Winch 036a3b914b Update to Bouncy Castle 1.64
Fixes gh-7608
2019-11-04 13:09:25 -06:00
Rob Winch f7477b02ba Update to Reactor Dysprosium-SR1
Fixes gh-7607
2019-11-04 13:09:25 -06:00
Rob Winch 4583cbc3dd Update to GAE 1.9.76
Fixes gh-7606
2019-11-04 13:09:25 -06:00
3 changed files with 305 additions and 21 deletions
@@ -1148,8 +1148,292 @@ OpaqueTokenIntrospector introspector() {
}
----
Thus far we have only taken a look at the most basic authentication configuration.
Let's take a look at a few slightly more advanced options for configuring authentication.
[[oauth2reourceserver-opaqueandjwt]]
=== Supporting both JWT and Opaque Token
In some cases, you may have a need to access both kinds of tokens.
For example, you may support more than one tenant where one tenant issues JWTs and the other issues opaque tokens.
If this decision must be made at request-time, then you can use an `AuthenticationManagerResolver` to achieve it, like so:
[source,java]
----
@Bean
AuthenticationManagerResolver<HttpServletRequest> tokenAuthenticationManagerResolver() {
BearerTokenResolver bearerToken = new DefaultBearerTokenResolver();
JwtAuthenticationProvider jwt = jwt();
OpaqueTokenAuthenticationProvider opaqueToken = opaqueToken();
return request -> {
String token = bearerToken.resolve(request);
if (isAJwt(token)) {
return jwt::authenticate;
} else {
return opaqueToken::authenticate;
}
}
}
----
And then specify this `AuthenticationManagerResolver` in the DSL:
[source,java]
----
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.authenticationManagerResolver(this.tokenAuthenticationManagerResolver);
----
[[oauth2resourceserver-multitenancy]]
=== Multi-tenancy
A resource server is considered multi-tenant when there are multiple strategies for verifying a bearer token, keyed by some tenant identifier.
For example, your resource server may accept bearer tokens from two different authorization servers.
Or, your authorization server may represent a multiplicity of issuers.
In each case, there are two things that need to be done and trade-offs associated with how you choose to do them:
1. Resolve the tenant
2. Propagate the tenant
==== Resolving the Tenant By Request Material
Resolving the tenant by request material can be done my implementing an `AuthenticationManagerResolver`, which determines the `AuthenticationManager` at runtime, like so:
[source,java]
----
@Component
public class TenantAuthenticationManagerResolver
implements AuthenticationManagerResolver<HttpServletRequest> {
private final BearerTokenResolver resolver = new DefaultBearerTokenResolver();
private final TenantRepository tenants; <1>
private final Map<String, AuthenticationManager> authenticationManagers = new ConcurrentHashMap<>(); <2>
public TenantAuthenticationManagerResolver(TenantRepository tenants) {
this.tenants = tenants;
}
@Override
public AuthenticationManager resolve(HttpServletRequest request) {
return this.authenticationManagers.computeIfAbsent(toTenant(request), this::fromTenant);
}
private String toTenant(HttpServletRequest request) {
String[] pathParts = request.getRequestURI().split("/");
return pathParts.length > 0 ? pathParts[1] : null;
}
private AuthenticationManager fromTenant(String tenant) {
return Optional.ofNullable(this.tenants.get(tenant)) <3>
.map(JwtDecoders::fromIssuerLocation) <4>
.map(JwtAuthenticationProvider::new)
.orElseThrow(() -> new IllegalArgumentException("unknown tenant"))::authenticate;
}
}
----
<1> A hypothetical source for tenant information
<2> A cache for `AuthenticationManager`s, keyed by tenant identifier
<3> Looking up the tenant is more secure than simply computing the issuer location on the fly - the lookup acts as a tenant whitelist
<4> Create a `JwtDecoder` via the discovery endpoint - the lazy lookup here means that you don't need to configure all tenants at startup
And then specify this `AuthenticationManagerResolver` in the DSL:
[source,java]
----
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver);
----
==== Resolving the Tenant By Claim
Resolving the tenant by claim is similar to doing so by request material.
The only real difference is the `toTenant` method implementation:
[source,java]
----
@Component
public class TenantAuthenticationManagerResolver implements AuthenticationManagerResolver<HttpServletRequest> {
private final BearerTokenResolver resolver = new DefaultBearerTokenResolver();
private final TenantRepository tenants; <1>
private final Map<String, AuthenticationManager> authenticationManagers = new ConcurrentHashMap<>(); <2>
public TenantAuthenticationManagerResolver(TenantRepository tenants) {
this.tenants = tenants;
}
@Override
public AuthenticationManager resolve(HttpServletRequest request) {
return this.authenticationManagers.computeIfAbsent(toTenant(request), this::fromTenant); <3>
}
private String toTenant(HttpServletRequest request) {
try {
String token = this.resolver.resolve(request);
return (String) JWTParser.parse(token).getJWTClaimsSet().getIssuer();
} catch (Exception e) {
throw new IllegalArgumentException(e);
}
}
private AuthenticationManager fromTenant(String tenant) {
return Optional.ofNullable(this.tenants.get(tenant)) <3>
.map(JwtDecoders::fromIssuerLocation) <4>
.map(JwtAuthenticationProvider::new)
.orElseThrow(() -> new IllegalArgumentException("unknown tenant"))::authenticate;
}
}
----
<1> A hypothetical source for tenant information
<2> A cache for `AuthenticationManager`s, keyed by tenant identifier
<3> Looking up the tenant is more secure than simply computing the issuer location on the fly - the lookup acts as a tenant whitelist
<4> Create a `JwtDecoder` via the discovery endpoint - the lazy lookup here means that you don't need to configure all tenants at startup
[source,java]
----
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.authenticationManagerResolver(this.tenantAuthenticationManagerResolver);
----
==== Parsing the Claim Only Once
You may have observed that this strategy, while simple, comes with the trade-off that the JWT is parsed once by the `AuthenticationManagerResolver` and then again by the `JwtDecoder`.
This extra parsing can be alleviated by configuring the `JwtDecoder` directly with a `JWTClaimSetAwareJWSKeySelector` from Nimbus:
[source,java]
----
@Component
public class TenantJWSKeySelector
implements JWTClaimSetAwareJWSKeySelector<SecurityContext> {
private final TenantRepository tenants; <1>
private final Map<String, JWSKeySelector<SecurityContext>> selectors = new ConcurrentHashMap<>(); <2>
public TenantJWSKeySelector(TenantRepository tenants) {
this.tenants = tenants;
}
@Override
public List<? extends Key> selectKeys(JWSHeader jwsHeader, JWTClaimsSet jwtClaimsSet, SecurityContext securityContext)
throws KeySourceException {
return this.selectors.computeIfAbsent(toTenant(jwtClaimsSet), this::fromTenant)
.selectJWSKeys(jwsHeader, securityContext);
}
private String toTenant(JWTClaimsSet claimSet) {
return (String) claimSet.getClaim("iss");
}
private JWSKeySelector<SecurityContext> fromTenant(String tenant) {
return Optional.ofNullable(this.tenantRepository.findById(tenant)) <3>
.map(t -> t.getAttrbute("jwks_uri"))
.map(this::fromUri)
.orElseThrow(() -> new IllegalArgumentException("unknown tenant"));
}
private JWSKeySelector<SecurityContext> fromUri(String uri) {
try {
return JWSAlgorithmFamilyJWSKeySelector.fromJWKSetURL(new URL(uri)); <4>
} catch (Exception e) {
throw new IllegalArgumentException(e);
}
}
}
----
<1> A hypothetical source for tenant information
<2> A cache for `JWKKeySelector`s, keyed by tenant identifier
<3> Looking up the tenant is more secure than simply calculating the JWK Set endpoint on the fly - the lookup acts as a tenant whitelist
<4> Create a `JWSKeySelector` via the types of keys that come back from the JWK Set endpoint - the lazy lookup here means that you don't need to configure all tenants at startup
The above key selector is a composition of many key selectors.
It chooses which key selector to use based on the `iss` claim in the JWT.
NOTE: To use this approach, make sure that the authorization server is configured to include the claim set as part of the token's signature.
Without this, you have no guarantee that the issuer hasn't been altered by a bad actor.
Next, we can construct a `JWTProcessor`:
[source,java]
----
@Bean
JWTProcessor jwtProcessor(JWTClaimSetJWSKeySelector keySelector) {
ConfigurableJWTProcessor<SecurityContext> jwtProcessor =
new DefaultJWTProcessor();
jwtProcessor.setJWTClaimSetJWSKeySelector(keySelector);
return jwtProcessor;
}
----
As you are already seeing, the trade-off for moving tenant-awareness down to this level is more configuration.
We have just a bit more.
Next, we still want to make sure you are validating the issuer.
But, since the issuer may be different per JWT, then you'll need a tenant-aware validator, too:
[source,java]
----
@Component
public class TenantJwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
private final TenantRepository tenants;
private final Map<String, JwtIssuerValidator> validators = new ConcurrentHashMap<>();
public TenantJwtIssuerValidator(TenantRepository tenants) {
this.tenants = tenants;
}
@Override
public OAuth2TokenValidatorResult validate(Jwt token) {
return this.validators.computeIfAbsent(toTenant(token), this::fromTenant)
.validate(token);
}
private String toTenant(Jwt jwt) {
return jwt.getIssuer();
}
private JwtIssuerValidator fromTenant(String tenant) {
return Optional.ofNullable(this.tenants.findById(tenant))
.map(t -> t.getAttribute("issuer"))
.map(JwtIssuerValidator::new)
.orElseThrow(() -> new IllegalArgumentException("unknown tenant"));
}
}
----
Now that we have a tenant-aware processor and a tenant-aware validator, we can proceed with creating our `JwtDecoder`:
[source,java]
----
@Bean
JwtDecoder jwtDecoder(JWTProcessor jwtProcessor, OAuth2TokenValidator<Jwt> jwtValidator) {
NimbusJwtDecoder decoder = new NimbusJwtDecoder(processor);
OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>
(JwtValidators.createDefault(), this.jwtValidator);
decoder.setJwtValidator(validator);
return decoder;
}
----
We've finished talking about resolving the tenant.
If you've chosen to resolve the tenant by request material, then you'll need to make sure you address your downstream resource servers in the same way.
For example, if you are resolving it by subdomain, you'll need to address the downstream resource server using the same subdomain.
However, if you resolve it by a claim in the bearer token, read on to learn about <<oauth2resourceserver-bearertoken-resolver,Spring Security's support for bearer token propagation>>.
[[oauth2resourceserver-bearertoken-resolver]]
=== Bearer Token Resolution
+1 -1
View File
@@ -1,5 +1,5 @@
aspectjVersion=1.9.3
gaeVersion=1.9.76
springBootVersion=2.2.0.RELEASE
version=5.2.1.BUILD-SNAPSHOT
version=5.2.1.RELEASE
org.gradle.jvmargs=-Xmx3g -XX:MaxPermSize=2048m -XX:+HeapDumpOnOutOfMemoryError
+18 -18
View File
@@ -1,5 +1,5 @@
if (!project.hasProperty('reactorVersion')) {
ext.reactorVersion = 'Dysprosium-RELEASE'
ext.reactorVersion = 'Dysprosium-SR1'
}
if (!project.hasProperty('springVersion')) {
@@ -24,12 +24,12 @@ dependencyManagement {
dependency 'opensymphony:sitemesh:2.4.2'
dependency 'org.gebish:geb-spock:0.10.0'
dependency 'org.jasig.cas:cas-server-webapp:4.2.7'
dependency 'org.powermock:powermock-api-mockito2:2.0.2'
dependency 'org.powermock:powermock-api-support:2.0.2'
dependency 'org.powermock:powermock-core:2.0.2'
dependency 'org.powermock:powermock-module-junit4-common:2.0.2'
dependency 'org.powermock:powermock-module-junit4:2.0.2'
dependency 'org.powermock:powermock-reflect:2.0.2'
dependency 'org.powermock:powermock-api-mockito2:2.0.4'
dependency 'org.powermock:powermock-api-support:2.0.4'
dependency 'org.powermock:powermock-core:2.0.4'
dependency 'org.powermock:powermock-module-junit4-common:2.0.4'
dependency 'org.powermock:powermock-module-junit4:2.0.4'
dependency 'org.powermock:powermock-reflect:2.0.4'
dependency 'org.python:jython:2.5.0'
dependency 'org.spockframework:spock-core:1.0-groovy-2.4'
dependency 'org.spockframework:spock-spring:1.0-groovy-2.4'
@@ -47,11 +47,11 @@ dependencyManagement {
dependency 'com.fasterxml.jackson.core:jackson-databind:2.10.0'
dependency 'com.fasterxml:classmate:1.3.4'
dependency 'com.github.stephenc.jcip:jcip-annotations:1.0-1'
dependency 'com.google.appengine:appengine-api-1.0-sdk:1.9.76'
dependency 'com.google.appengine:appengine-api-labs:1.9.76'
dependency 'com.google.appengine:appengine-api-stubs:1.9.76'
dependency 'com.google.appengine:appengine-testing:1.9.76'
dependency 'com.google.appengine:appengine:1.9.76'
dependency 'com.google.appengine:appengine-api-1.0-sdk:$gaeVersion'
dependency 'com.google.appengine:appengine-api-labs:$gaeVersion'
dependency 'com.google.appengine:appengine-api-stubs:$gaeVersion'
dependency 'com.google.appengine:appengine-testing:$gaeVersion'
dependency 'com.google.appengine:appengine:$gaeVersion'
dependency 'com.google.code.gson:gson:2.8.2'
dependency 'com.google.guava:guava:20.0'
dependency 'com.google.inject:guice:3.0'
@@ -62,7 +62,7 @@ dependencyManagement {
dependency 'com.squareup.okio:okio:1.13.0'
dependency 'com.sun.xml.bind:jaxb-core:2.3.0.1'
dependency 'com.sun.xml.bind:jaxb-impl:2.3.2'
dependency 'com.unboundid:unboundid-ldapsdk:4.0.11'
dependency 'com.unboundid:unboundid-ldapsdk:4.0.12'
dependency 'com.vaadin.external.google:android-json:0.0.20131108.vaadin1'
dependency 'commons-cli:commons-cli:1.4'
dependency 'commons-codec:commons-codec:1.13'
@@ -72,7 +72,7 @@ dependencyManagement {
dependency 'commons-lang:commons-lang:2.6'
dependency 'commons-logging:commons-logging:1.2'
dependency 'dom4j:dom4j:1.6.1'
dependency 'io.projectreactor.tools:blockhound:1.0.0.RC1'
dependency 'io.projectreactor.tools:blockhound:1.0.1.RELEASE'
dependency "io.rsocket:rsocket-core:${rsocketVersion}"
dependency "io.rsocket:rsocket-transport-netty:${rsocketVersion}"
dependency 'javax.activation:activation:1.1.1'
@@ -156,8 +156,8 @@ dependencyManagement {
dependency "org.aspectj:aspectjweaver:$aspectjVersion"
dependency 'org.assertj:assertj-core:3.12.2'
dependency 'org.attoparser:attoparser:2.0.4.RELEASE'
dependency 'org.bouncycastle:bcpkix-jdk15on:1.63'
dependency 'org.bouncycastle:bcprov-jdk15on:1.63'
dependency 'org.bouncycastle:bcpkix-jdk15on:1.64'
dependency 'org.bouncycastle:bcprov-jdk15on:1.64'
dependency 'org.codehaus.groovy:groovy-all:2.4.17'
dependency 'org.codehaus.groovy:groovy-json:2.4.17'
dependency 'org.codehaus.groovy:groovy:2.4.17'
@@ -182,8 +182,8 @@ dependencyManagement {
dependency 'org.hibernate.common:hibernate-commons-annotations:5.0.1.Final'
dependency 'org.hibernate.javax.persistence:hibernate-jpa-2.1-api:1.0.0.Final'
dependency 'org.hibernate:hibernate-core:5.2.17.Final'
dependency 'org.hibernate:hibernate-entitymanager:5.4.5.Final'
dependency 'org.hibernate:hibernate-validator:6.0.17.Final'
dependency 'org.hibernate:hibernate-entitymanager:5.4.8.Final'
dependency 'org.hibernate:hibernate-validator:6.1.0.Final'
dependency 'org.hsqldb:hsqldb:2.5.0'
dependency 'org.jasig.cas.client:cas-client-core:3.5.1'
dependency 'org.javassist:javassist:3.22.0-CR2'