0

I am using Spring authorization Server 1.0.0. In this I have customized the JWT as per my requirement as follows. Let's say there is a user "vinay". And his role is also "vinay".

I am adding extra field "authority" : [{"role":"ROLE_vinay"}] in JWT. Below is the payload of JWT.

{ "sub": "vinay", "aud": "messaging-client", "nbf": 1671430162, "authority": [ { "role": "ROLE_vinay" } ], "scope": [ "openid" ], "iss": "http://localhost:8000", "exp": 1671430462, "iat": 1671430162 }

For Role "vinay", there are multiple permissions/restrictions. This data is present in MySQL. After user authentication(login), I am adding this data in Redis in KEY:VALUE pair where key is "vinay", value is [Restriction 1, Permission 1, Permission 2].

"vinay" : [Permission 1, Permission 2, Restriction 1]

After succesful login from user(vinay), Client gets the custom token, and sends the request to spring resource server with custom JWT in the header with Bearer prefix. For each request How to decode incoming JWT and get "role" and verify it from Redis? If there is any restriction in Redis, it should not allow it. It should throw "401 unauthorized". If there is permission, then It shall proceed with the request.

Vinayak Pattar
  • 21
  • 4
  • What have you tried so far? – Steve Riesenberg Jan 05 '23 at 16:09
  • Hi @SteveRiesenberg, I am able to verify and validate token in Resource server. I have exposed my own "JwtDecoder", which has "OAuth2TokenValidator" class implementation which does the custom validation. It is going through but I still have some doubts. 1) What happens when Authorization Server changes the key pair? Does Resource Server to be restarted or anyway to notify resource server? 2) How do I get incoming request details in "JwtDecoder" or "OAuth2TokenValidator"? I am using "(ServletRequestAttributes) RequestContextHolder". Is it right or wrong? Thank you. – Vinayak Pattar Jan 06 '23 at 04:56
  • This isn't a very focused question, it sounds like you have quite a few questions. Much of what you're asking can be discovered through testing and/or reading documentation. As far as getting request details, I would say it's probably wrong because the JwtDecoder isn't where request-level processing happens. It simply validates/decodes a token. It depends on what you want to do with request details where the right place to put that logic is. – Steve Riesenberg Jan 06 '23 at 19:29
  • I also wonder why you would want to add a dependency to Redis for validating a JWT when you could instead include the permissions/restrictions in the JWT when it is created. Are you expecting many such entries? Lastly, I don't understand why you would check Redis when originally the data is already present in MySQL. I would think using MySQL to add permissions/restrictions to the JWT through an `OAuth2TokenCustomizer` would be the way to go, and not use Redis at all. Clearly I'm missing part of your use case. – Steve Riesenberg Jan 06 '23 at 19:32
  • Hi @SteveRiesenberg,Thank you.Here is the scenario, MySQL table contains URL patterns for which the user is allowed to access the resource. Ex: (POST: /customer). I want to validate JWT against this data. (JWT has "authority": [ { "role": "ROLE_vinay" } ] and MySQL has table "authority" with ROLE_vinay as primary key and its URL and method details in other fields). After I get the incoming Jwt, and decode it, it has filed "authority" and I will fetch Role_vinay details from MySQL, it contains URL and method details. I want to campare this against the incoming request. – Vinayak Pattar Jan 09 '23 at 04:55
  • Is this the right way or any other standard ways available for the implementation I am doing? – Vinayak Pattar Jan 09 '23 at 04:55

1 Answers1

1

In your latest comment you described using only MySQL, and I think that makes sense. I don't see Redis fitting in anywhere in this scenario. So the flow is:

  1. In authorization server, you use OAuth2TokenCustomizer<JwtEncodingContext> to add the authority field to the JWT (e.g. ROLE_xyz).
  2. In a resource server, you use JwtGrantedAuthoritiesConverter to map the authority field of the JWT to authentication.getAuthorities() in Spring Security.

The challenge is that in your DB, you're mapping roles directly to a set of allowed URLs (e.g. ROLE_xyz => POST /customer, ...). Perhaps you're dealing with an existing database schema and can't design the data or relationships from scratch. What I would expect is a mapping of roles to a set of permissions (e.g. ROLE_xyz => customer.write, ...).

If you have a permissions scheme like this, you could do the lookup in the JwtGrantedAuthoritiesConverter above and map those permissions as authorities instead.

However, if the data in MySQL maps roles to URL patterns, your best bet is to use the AuthorizationManager API to integrate authorization with your MySQL table (see Configure RequestMatcherDelegatingAuthorizationManager under Authorize HttpServletRequests with AuthorizationFilter for an example).

A custom AuthorizationManager can be implemented to look up ROLE_xyz and dynamically build a list of authorization rules with RequestMatcherDelegatingAuthorizationManager.builder().

For example:

@Configuration
@EnableWebMvc
@EnableWebSecurity
public class SecurityConfiguration {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManager<RequestAuthorizationContext> access)
            throws Exception {
        // @formatter:off
        http
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().access(access)
            )
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
        // @formatter:on

        return http.build();
    }

    @Bean
    AuthorizationManager<RequestAuthorizationContext> authorizationManager(
            HandlerMappingIntrospector introspector) {
        MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
        RequestMatcher anyRequest = AnyRequestMatcher.INSTANCE;

        AuthorizationManager<RequestAuthorizationContext> authenticated =
            AuthenticatedAuthorizationManager.authenticated();
        AuthorizationManager<RequestAuthorizationContext> denyAll =
            (a, c) -> new AuthorizationDecision(false);

        return (supplier, context) -> {
            Authentication authentication = supplier.get();
            HttpServletRequest request = context.getRequest();

            // TODO: Look up mappings in MySQL using authentication.getAuthorities()...

            RequestMatcherDelegatingAuthorizationManager.Builder builder =
                RequestMatcherDelegatingAuthorizationManager.builder();

            // TODO: Add custom mappings from MySQL...
            //builder.add(mvcMatcherBuilder.pattern("/customer/**"), authenticated);

            RequestMatcherDelegatingAuthorizationManager delegate =
                builder.add(anyRequest, denyAll).build();

            return delegate.check(() -> authentication, request);
        };
    }

}

This may seem complex, but your authorization scheme (using OAuth2 + JWTs AND roles/authorities AND MySQL to manage roles) is a somewhat complex setup. The AuthorizationManager API actually makes it easier than it has been in earlier versions of Spring Security.

Also note that the above example assumes that role mappings in the database can change at runtime, and so must be looked up every time. If this is not the case, the example could be changed to load data from MySQL only on startup. MySQL lookup performance could also be improved with caching if needed.

Steve Riesenberg
  • 4,271
  • 1
  • 4
  • 26