【问题标题】:Spring Boot. HMAC authentication. How to add custom AuthenticationProvider and Authentication filter?弹簧靴。 HMAC 认证。如何添加自定义 AuthenticationProvider 和 Authentication 过滤器?
【发布时间】:2015-08-10 17:26:52
【问题描述】:

为了实现 HMAC 身份验证,我制作了自己的过滤器、提供程序和令牌。 RestSecurityFilter:

public class RestSecurityFilter extends AbstractAuthenticationProcessingFilter {
private final Logger LOG = LoggerFactory.getLogger(RestSecurityFilter.class);

private AuthenticationManager authenticationManager;

public RestSecurityFilter(String defaultFilterProcessesUrl) {
    super(defaultFilterProcessesUrl);
}

public RestSecurityFilter(RequestMatcher requiresAuthenticationRequestMatcher) {
    super(requiresAuthenticationRequestMatcher);
}

@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
    AuthenticationRequestWrapper request = new AuthenticationRequestWrapper(req);

    // Get authorization headers
    String signature = request.getHeader("Signature");
    String principal = request.getHeader("API-Key");
    String timestamp = request.getHeader("timestamp");
    if ((signature == null) || (principal == null) || (timestamp == null))
    unsuccessfulAuthentication(request, response, new BadHMACAuthRequestException("Authentication attempt failed! Request missing mandatory headers."));


    // a rest credential is composed by request data to sign and the signature
    RestCredentials credentials = new RestCredentials(HMACUtils.calculateContentToSign(request), signature);

    // Create an authentication token
    return new RestToken(principal, credentials, Long.parseLong(timestamp));
}

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    LOG.debug("Filter request: " + req.toString());
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    chain.doFilter(request, response);

    Authentication authResult;

    try {
        authResult = attemptAuthentication(request, response);
        if (authResult == null)
            unsuccessfulAuthentication(request, response, new BadHMACAuthRequestException("Authentication attempt failed !"));

    } catch (InternalAuthenticationServiceException failed) {
        LOG.error("An internal error occurred while trying to authenticate the user.", failed);
        unsuccessfulAuthentication(request, response, failed);
    } catch (AuthenticationException failed) {
        // Authentication failed
        unsuccessfulAuthentication(request, response, failed);
    }
}
}

身份验证提供者:

@Component
public class RestAuthenticationProvider implements AuthenticationProvider {
private final Logger LOG = LoggerFactory.getLogger(RestAuthenticationProvider.class);

private ApiKeysService apiKeysService;

@Autowired
public void setApiKeysService(ApiKeysService apiKeysService) {
    this.apiKeysService = apiKeysService;
}

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    RestToken restToken = (RestToken) authentication;

    // api key (aka username)
    String principal = restToken.getPrincipal();

    LOG.info("Authenticating api key: '" + principal + "'");

    // check request time, 60000 is one minute
    long interval = Clock.systemUTC().millis() - restToken.getTimestamp();
    if ((interval < 0) && (interval > 60000))
        throw new BadHMACAuthRequestException("Auth Failed: old request.");

    // hashed blob
    RestCredentials credentials = restToken.getCredentials();

    // get secret access key from api key
    ApiKey apiKey = apiKeysService.getKeyByName(principal).orElseThrow(() -> new NotFoundException("Key not found for: '" + principal + "'"));
    String secret = apiKey.getApiKey();

    // calculate the hmac of content with secret key
    String hmac = HMACUtils.calculateHMAC(secret, credentials.getRequestData());
    LOG.debug("Api Key '{}', calculated hmac '{}'");

    // check if signatures match
    if (!credentials.getSignature().equals(hmac)) {
        throw new BadHMACAuthRequestException("Auth Failed: invalid HMAC signature.");
    }

    return new RestToken(principal, credentials, restToken.getTimestamp(), apiKeysService.getPermissions(apiKey));
}

@Override
public boolean supports(Class<?> authentication) {
    return RestToken.class.equals(authentication);

}
}

我不知道如何配置 WebSecurityConfig 以使用我的过滤器和身份验证提供程序对每个请求进行身份验证。我假设我需要创建@Bean 来初始化RestSecurityFilterAbstractAuthenticationProcessingFilter 的 JavaDoc 还说我需要 authenticationManager 属性。我会很感激使用自定义过滤器、提供程序和令牌的工作解决方案。

【问题讨论】:

    标签: java authentication spring-security spring-boot hmac


    【解决方案1】:

    我对 Spring Boot 不熟悉,但是看到你对我的问题的评论How To Inject AuthenticationManager using Java Configuration in a Custom Filter

    在传统的 Spring Security XML 配置中,您可以像这样指定自定义 RestSecurityFilter

    <http use-expressions="true" create-session="stateless" authentication-manager-ref="authenticationManager" entry-point-ref="restAuthenticationEntryPoint">
           <custom-filter ref="restSecurityFilter" position="FORM_LOGIN_FILTER" />
    </http>
    

    更多信息http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#ns-custom-filters

    【讨论】:

      猜你喜欢
      • 2016-04-17
      • 2017-04-29
      • 2019-09-25
      • 2016-06-25
      • 2018-09-16
      • 2020-02-08
      • 2018-02-14
      • 1970-01-01
      相关资源
      最近更新 更多