Now it is time to start customizing the auto-configuration.
As soon as you customize any bit of Spring Security the complete spring boot auto-configuration will back-off.
Custom authentication with persistent users
Before we start let's look into some internal details how spring security works for the servlet web stack.
By using a ServletFilter you can add functionality that is called around each request and response. Spring Security provides several web filter out of the box.
Filter
Description
AuthenticationWebFilter
Performs authentication of a particular request
AuthorizationWebFilter
Determines if an authenticated user has access to a specific object
CorsWebFilter
Handles CORS preflight requests and intercepts
CsrfWebFilter
Applies CSRF protection using a synchronizer token pattern.
Spring Security WebFilter
Security Filter Chain
Spring Security configures security by utilizing a Security Filter Chain
In step 1 we just used the auto configuration of Spring Boot. This configured a default security filter chain.
As part of this lab we will customize several things for authentication:
Connect the existing persistent user data with Spring Security to enable authentication based on these
Encode the password values to secure hashed ones in the database
Ensure a password policy to enforce secure passwords (a common source of hacking authentication are weak passwords)
Encrypting Passwords
We start by replacing the default user/password with our own persistent user storage (already present in DB). To do this we add a new class WebSecurityConfiguration to package com.example.libraryserver.config having the following contents.
Configures a PasswordEncoder. A password encoder is used by spring security to encrypt passwords and to check if a given password matches the encrypted one.
You may recognize as well a legacy password encoder (this will be used later in this lab for password upgrades)
Validates the given cleartext password with the encrypted one (without revealing the unencrypted one)
In spring security 5 creating an instance of the DelegatingPasswordEncoder is much easier by using the class PasswordEncoderFactories. In past years several previously used password encryption algorithms have been broken (like MD4 or MD5). By using PasswordEncoderFactories you always get a configured PasswordEncoder that uses an PasswordEncoder with a state of the art encryption algorithm like BCrypt or Argon2 at the time of creating this workshop.
package org.springframework.security.crypto.factory;
public class PasswordEncoderFactories {
public static PasswordEncoder createDelegatingPasswordEncoder() {
String encodingId = "bcrypt";
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(encodingId, new BCryptPasswordEncoder());
encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
encoders.put("scrypt", new SCryptPasswordEncoder());
encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
encoders.put("argon2", new Argon2PasswordEncoder());
return new DelegatingPasswordEncoder(encodingId, encoders);
}
private PasswordEncoderFactories() {}
}
DelegatingPasswordEncoder
To have encrypted passwords in our database we need to tweak our existing DataInitializer a bit with the PasswordEncoder we just have configured.
Now that we already have configured the encrypting part for passwords of our user storage we need to connect our own user store (the users already stored in the DB) with spring security's authentication manager.
This is done in two steps:
In the first step we need to implement spring security's definition of a user implementing UserDetails. Please create a new class called AuthenticatedUser in package com.example.libraryserver.security.
To make it a bit easier we just extend our existing User data class.
package com.example.libraryserver.security;
import com.example.libraryserver.user.data.User;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;
public class AuthenticatedUser extends User implements UserDetails {
public AuthenticatedUser(User user) {
super(
user.getIdentifier(),
user.getFirstName(),
user.getLastName(),
user.getEmail(),
user.getPassword(),
user.getRoles());
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return AuthorityUtils.commaSeparatedStringToAuthorityList(String.join(",", getRoles()));
}
@Override
public String getUsername() {
return getEmail();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
AuthenticatedUser.java
In the second step we need to implement spring security's interface UserDetailsService to integrate our user store with the authentication manager. Please go ahead and create a new class LibraryUserDetailsService in package com.example.libraryserver.security:
package com.example.libraryserver.security;
import com.example.libraryserver.user.service.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsPasswordService;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
@Qualifier("library-user-details-service")
@Service
public class LibraryUserDetailsService implements UserDetailsService, UserDetailsPasswordService {
private static final Logger LOGGER = LoggerFactory.getLogger(LibraryUserDetailsService.class);
private final UserService userService;
public LibraryUserDetailsService(UserService userService) {
this.userService = userService;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return userService
.findOneByEmail(username)
.map(AuthenticatedUser::new)
.orElseThrow(() -> new UsernameNotFoundException("No user found for " + username));
}
@Override
public UserDetails updatePassword(UserDetails user, String newPassword) {
return userService
.findOneByEmail(user.getUsername())
.map(
u -> {
LOGGER.info(
"Upgrading password {} for user {} to {}",
user.getPassword(),
user.getUsername(),
newPassword);
u.setPassword(newPassword);
return new AuthenticatedUser(userService.save(u));
})
.orElseThrow(
() -> new UsernameNotFoundException("No user found for " + user.getUsername()));
}
}
LibraryUserDetailsService.java
After completing this part of the workshop we now still have the auto-configured SecurityWebFilterChain but we have replaced the default user with our own users from our DB persistent storage.
If you restart the application now you have to use the following user credentials to log in:
Username
Email
Password
Role
bwayne
bruce.wayne@example.com
wayne
LIBRARY_USER
bbanner
bruce.banner@example.com
banner
LIBRARY_USER
pparker
peter.parker@example.com
parker
LIBRARY_CURATOR
ckent
clark.kent@example.com
kent
LIBRARY_ADMIN
Authenticated Principal
As we now have a persistent authenticated user we can now also use this user to check if the current user is allowed to borrow or return a book. This requires changes in BookService and BookRestController.
First change the class BookService:
package com.example.libraryserver.book.service;
import com.example.libraryserver.book.data.Book;
import com.example.libraryserver.book.data.BookRepository;
import com.example.libraryserver.security.AuthenticatedUser;
import com.example.libraryserver.user.data.UserRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.IdGenerator;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
@Service
@Transactional(readOnly = true)
public class BookService {
private static final Logger LOGGER = LoggerFactory.getLogger(BookService.class);
private final BookRepository bookRepository;
private final UserRepository userRepository;
private final IdGenerator idGenerator;
public BookService(
BookRepository bookRepository, UserRepository userRepository, IdGenerator idGenerator) {
this.bookRepository = bookRepository;
this.userRepository = userRepository;
this.idGenerator = idGenerator;
}
// ...
@Transactional
public Optional<Book> borrowForUser(
UUID bookIdentifier, UUID userIdentifier, AuthenticatedUser authenticatedUser) {
LOGGER.trace(
"borrow book with identifier {} for user with identifier {}",
bookIdentifier,
userIdentifier);
return bookRepository
.findOneByIdentifier(bookIdentifier)
.filter(
b ->
b.getBorrowedByUser() == null
&& authenticatedUser != null
&& userIdentifier.equals(authenticatedUser.getIdentifier()))
.flatMap(
b ->
userRepository
.findOneByIdentifier(userIdentifier)
.map(
u -> {
b.setBorrowedByUser(u);
Book borrowedBook = bookRepository.save(b);
LOGGER.info("Borrowed book {} for user {}", borrowedBook, u);
return Optional.of(borrowedBook);
})
.orElse(Optional.empty()));
}
@Transactional
public Optional<Book> returnForUser(
UUID bookIdentifier, UUID userIdentifier, AuthenticatedUser authenticatedUser) {
LOGGER.trace(
"return book with identifier {} of user with identifier {}",
bookIdentifier,
userIdentifier);
return bookRepository
.findOneByIdentifier(bookIdentifier)
.filter(
b ->
b.getBorrowedByUser() != null
&& authenticatedUser != null
&& b.getBorrowedByUser().getIdentifier().equals(userIdentifier)
&& b.getBorrowedByUser()
.getIdentifier()
.equals(authenticatedUser.getIdentifier()))
.flatMap(
b ->
userRepository
.findOneByIdentifier(userIdentifier)
.map(
u -> {
b.setBorrowedByUser(null);
Book returnedBook = bookRepository.save(b);
LOGGER.info("Returned book {} for user {}", returnedBook, u);
return Optional.of(returnedBook);
})
.orElse(Optional.empty()));
}
//...
}
BookService.java
Then please adapt the BookRestController accordingly.
We already looked into the DelegatingPasswordEncoder and PasswordEncoderFactories. As these classes have knowledge about all encryption algorithms that are supported in spring security, the framework can detect an outdated encryption algorithm. If you look at the LibraryUserDetailsService class we just have added this also implements the additionally provided interface UserDetailsPasswordService. This way we can now enable an automatic password encryption upgrade mechanism.
The UserDetailsPasswordService interface just defines one more operation.
We already have a user using a password that is encrypted using an outdatedMD5 algorithm. We achieved this by defining a legacy user doctor.strange@example.com with password strange in the existing DataInitializer class.
Now restart the application and see what happens if we try to get the list of books using this new user (username='doctor.strange@example.com', password='strange').
In the console you should see the log output showing the old MD5 password being updated to bcrypt password.
CAUTION: Never log any sensitive data like passwords, tokens etc., even in encrypted format. Also never put such sensitive data into your version control. And never let error details reach the client (via REST API or web application). Make sure you disable stacktraces in client error messages using property server.error.include-stacktrace=never
Actuator Security
It is also a good idea to restrict the details of the health actuator endpoint to authenticated users. Anonymous users should only see the UP or DOWN status values but no further details.
Usually not the authentication mechanisms are hacked, instead weak passwords are the most critical source for attacking authentication. Therefore strong passwords are really important. It is also not a good practice any more to force users to change their passwords after a period of time.
package com.example.libraryserver.user.service;
import org.passay.CharacterCharacteristicsRule;
import org.passay.CharacterRule;
import org.passay.DictionarySubstringRule;
import org.passay.EnglishCharacterData;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.RepeatCharacterRegexRule;
import org.passay.RuleResult;
import org.passay.UsernameRule;
import org.passay.WhitespaceRule;
import org.passay.dictionary.ArrayWordList;
import org.passay.dictionary.WordList;
import org.passay.dictionary.WordListDictionary;
import org.passay.dictionary.WordLists;
import org.passay.dictionary.sort.ArraysSort;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ClassPathResource;
import javax.annotation.PostConstruct;
import java.io.FileReader;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
/**
* Password policy validator. Uses recommendations from
* https://pages.nist.gov/800-63-3/sp800-63b.html (section 5.1.1.2 Memorized Secret Verifiers)
*/
public class PasswordValidationService {
private static final Logger LOGGER = LoggerFactory.getLogger(PasswordValidationService.class);
/* https://github.com/danielmiessler/SecLists/blob/master/Passwords/darkweb2017-top100.txt */
private static final String PASSWORD_LIST_TXT = "password-list.txt";
private PasswordValidator passwordValidator;
@PostConstruct
public void init() {
WordList wordList;
try {
ClassPathResource resource = new ClassPathResource(PASSWORD_LIST_TXT);
wordList =
WordLists.createFromReader(
new FileReader[] {new FileReader(resource.getFile())}, false, new ArraysSort());
LOGGER.info(
"Successfully loaded the password list from {} with size {}",
resource.getURL(),
wordList.size());
} catch (IOException ex) {
wordList =
new ArrayWordList(
new String[] {
"password", "Password", "123456", "12345678", "admin", "geheim", "secret"
},
false,
new ArraysSort());
LOGGER.warn("Error loading the password list: {}", ex.getMessage());
}
CharacterCharacteristicsRule characteristicsRule = new CharacterCharacteristicsRule();
characteristicsRule.setNumberOfCharacteristics(3);
characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.UpperCase, 1));
characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.LowerCase, 1));
characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.Digit, 1));
characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.Special, 1));
this.passwordValidator =
new PasswordValidator(
Arrays.asList(
new LengthRule(12, 64),
characteristicsRule,
new RepeatCharacterRegexRule(4),
new UsernameRule(),
new WhitespaceRule(),
new DictionarySubstringRule(new WordListDictionary(wordList))));
}
public void validate(String username, String password) {
RuleResult result = this.passwordValidator.validate(new PasswordData(username, password));
if (!result.isValid()) {
List<String> messages = passwordValidator.getMessages(result);
LOGGER.warn("Password validation failed");
messages.forEach(LOGGER::info);
throw new InvalidPasswordError(messages);
} else {
LOGGER.info("Password validated successfully");
}
}
}
PasswordValidationService.java
We also need to configure this service as Spring bean by creating new class PasswordValidationConfiguration:
package com.example.libraryserver.config;
import com.example.libraryserver.user.service.PasswordValidationService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class PasswordValidationConfiguration {
@Bean
public PasswordValidationService passwordValidationService() {
return new PasswordValidationService();
}
}
We also check for well-known insecure passwords using a password list. There are plenty of password lists available on the internet (especially useful for performing brute force attacks by hackers). Please download one of these the password list from https://github.com/danielmiessler/SecLists/blob/master/Passwords/darkweb2017-top100.txt and store this file as password-list.txt in folder src/main/resources.
We also need a special error for reporting password policy violations. Please create a new class InvalidPasswordError.
package com.example.libraryserver.user.service;
import java.util.List;
public class InvalidPasswordError extends RuntimeException {
private List<String> validationErrors;
public InvalidPasswordError(List<String> validationErrors) {
super("Validation failed: " + String.join(",", validationErrors));
this.validationErrors = validationErrors;
}
public List<String> getValidationErrors() {
return validationErrors;
}
}
Now we have to add the PasswordValidationService to our UserRestController to check the policy when creating or updating a User.
