0

I am pretty new to Spring Boot. I am building a microservice which will simply forward requests to another system for processing (JSON to XML). For this, along with the request I need to set a username and password, and as far as I Googled I found only the snippet below.

@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyBasicAuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
          .withUser("user1").password(passwordEncoder().encode("user1Pass"))
          .authorities("ROLE_USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
          .antMatchers("/securityNone").permitAll()
          .anyRequest().authenticated()
          .and()
          .httpBasic()
          .authenticationEntryPoint(authenticationEntryPoint);

        http.addFilterAfter(new CustomFilter(),
          BasicAuthenticationFilter.class);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

Here it is hard-coded; we don't require this, and we also don't want to maintain a database. I am trying to get the username and password from the Auth tab of Postman (Basic Authorization) in the controller, so that we can simply forward them with the request.

Amol Bais

2 Answers

3

The code snippet you gave is for the use case where your service authenticates the user.

But as I understood, you just want to forward the credentials to another service and let the downstream service handle the authentication.

So, the credentials are sent with the "Authorization" HTTP header [1]. If you want to access them, you can simply get them from the request (HttpServletRequest.java [2,3]) like below:

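public ResponseEntity<DemoClass> getDemo(HttpServletRequest request) {
    // Raw header value, e.g. "Basic dXNlcm5hbWU6cGFzc3dvcmQ="; null if the client sent no Authorization header
    final String authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
    // ...
}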

The value you get is Base64[4] encoded, so you have to decode it.

For example, basic authorization with username "username" and password "password" looks like this:

Basic dXNlcm5hbWU6cGFzc3dvcmQ=

First, the prefix "Basic" has to be removed and then you have just the username and password Base64-encoded. After decoding it is:

username:password

A simpler approach would be to just take the Authorization header from the user request and put it into your request.

For example, like below:

OkHttpClient client = new OkHttpClient().newBuilder()
  .build();

Request request = new Request.Builder()
  .url("http://localhost:8080/")
  .method("GET", null)
  .addHeader("Authorization", "Basic dXNlcm5hbWU6cGFzc3dvcmQ=") // Client credentials from the header
  .build();

Note: I just took that from the postman example (Java - OkHttp).

For more information:

  1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
  2. https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html
  3. https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getHeader-java.lang.String-
  4. https://en.wikipedia.org/wiki/Base64
Dharman
Tonne11
0

I achieved it in the following simple way.

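import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64;

    @PostMapping("/servce-uri")
    public ResponseEntity<Result> announce(@RequestHeader("Authorization") String authentication, @Valid @RequestBody RequestDTO requestDto) {
        // Skip the "Basic " prefix (6 characters) and decode the Base64 payload with an explicit charset
        String pair = new String(Base64.decodeBase64(authentication.substring(6)), StandardCharsets.UTF_8);
        // Split on the first colon only, so a password that contains ':' is not truncated
        String[] parts = pair.split(":", 2);
        String userName = parts[0];
        String password = parts[1];
        // call to service
        return ResponseEntity.status(HttpStatus.OK).body(result);
    }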

 
Amol Bais
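
A stricter version of the decoding that both answers above describe, as an added example that is not code from either answer: it checks the scheme, rejects invalid Base64 and splits on the first colon only, so malformed headers return empty instead of throwing. The class name `BasicCredentials` and the sample header values are assumptions made for illustration; only `java.util.Base64` from the JDK is used.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Added example: parses an HTTP Basic "Authorization" header value without throwing on bad input. */
public final class BasicCredentials {
    private static final String SCHEME = "Basic ";
    public final String username;
    public final String password;

    private BasicCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    /** Returns empty for a missing header, another scheme, invalid Base64, or a payload without ':'. */
    public static Optional<BasicCredentials> parse(String header) {
        // The scheme name is case-insensitive, so "basic" and "BASIC" are accepted too.
        if (header == null || !header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        // Split on the first colon only: the user-id cannot contain ':', the password can.
        int colon = pair.indexOf(':');
        if (colon < 0) return Optional.empty();
        return Optional.of(new BasicCredentials(pair.substring(0, colon), pair.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first is the header value quoted in the first answer.
        String[] samples = {
            "Basic dXNlcm5hbWU6cGFzc3dvcmQ=", // username:password
            "basic dXNlcjpwYTpzcw==",         // user:pa:ss (colon inside the password)
            "Bearer abc.def.ghi",             // different scheme
            "Basic not-base64!",              // invalid Base64
            "Basic dXNlcm5hbWU="              // "username" with no colon
        };
        for (String s : samples) {
            // Print the username and the password length only; the secret itself is never logged.
            System.out.println(parse(s)
                .map(c -> "user=" + c.username + " passwordLength=" + c.password.length())
                .orElse("rejected"));
        }
    }
}
```

In a controller, an empty result from `parse` maps naturally to a 401 response before anything is forwarded downstream.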