2.Customized Authentication

Now it is time to start customizing the auto-configuration.

As soon as you customize any bit of Spring Security the complete spring boot auto-configuration will back-off.

Custom authentication with persistent users

Before we start let's look into some internal details how spring security works for the servlet web stack.

By using a ServletFilter you can add functionality that is called around each request and response. Spring Security provides several web filter out of the box.

Filter

Description

AuthenticationWebFilter

Performs authentication of a particular request

AuthorizationWebFilter

Determines if an authenticated user has access to a specific object

CorsWebFilter

Handles CORS preflight requests and intercepts

CsrfWebFilter

Applies CSRF protection using a synchronizer token pattern.

Spring Security WebFilter

Security Filter Chain

Spring Security configures security by utilizing a Security Filter Chain

In step 1 we just used the auto configuration of Spring Boot. This configured a default security filter chain.

As part of this lab we will customize several things for authentication:

  • Connect the existing persistent user data with Spring Security to enable authentication based on these

  • Encode the password values to secure hashed ones in the database

  • Ensure a password policy to enforce secure passwords (a common source of hacking authentication are weak passwords)

Encrypting Passwords

We start by replacing the default user/password with our own persistent user storage (already present in DB). To do this we add a new class WebSecurityConfiguration to package com.example.libraryserver.config having the following contents.

package com.example.libraryserver.config;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import java.util.HashMap;
import java.util.Map;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration {

  @Primary
  @Bean
  public PasswordEncoder passwordEncoder() {
    return PasswordEncoderFactories.createDelegatingPasswordEncoder();
  }

  @Qualifier("LegacyEncoder")
  @Bean
  public PasswordEncoder legacyPasswordEncoder() {
    String encodingId = "MD5";
    Map<String, PasswordEncoder> encoders = new HashMap<>();
    encoders.put(
        encodingId,
        new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
    return new DelegatingPasswordEncoder(encodingId, encoders);
  }

  @Configuration
  public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
      // http.csrf().disable();
      http.authorizeRequests(
              authorizeRequests ->
                  authorizeRequests
                      .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                      .permitAll()
                      .requestMatchers(EndpointRequest.toAnyEndpoint())
                      .authenticated()
                      .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
                      .permitAll()
                      .mvcMatchers("/")
                      .permitAll()
                      .anyRequest()
                      .authenticated())
          .httpBasic(withDefaults())
          .formLogin(withDefaults());
    }
  }
}

WebSecurityConfiguration.java

The WebSecurityConfiguration implementation does two important things:

  • This adds the SecurityWebFilterChain

  • Configures a PasswordEncoder. A password encoder is used by spring security to encrypt passwords and to check if a given password matches the encrypted one.

    You may recognize as well a legacy password encoder (this will be used later in this lab for password upgrades)

package org.springframework.security.crypto.password;

public interface PasswordEncoder {

    String encode(CharSequence rawPassword); // <1>

    boolean matches(CharSequence rawPassword, String encodedPassword); // <2>
}

PasswordEncoder interface

Encrypts the given cleartext password

Validates the given cleartext password with the encrypted one (without revealing the unencrypted one)

In spring security 5 creating an instance of the DelegatingPasswordEncoder is much easier by using the class PasswordEncoderFactories. In past years several previously used password encryption algorithms have been broken (like MD4 or MD5). By using PasswordEncoderFactories you always get a configured PasswordEncoder that uses an PasswordEncoder with a state of the art encryption algorithm like BCrypt or Argon2 at the time of creating this workshop.

package org.springframework.security.crypto.factory;

public class PasswordEncoderFactories {

    public static PasswordEncoder createDelegatingPasswordEncoder() {
        String encodingId = "bcrypt";
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put(encodingId, new BCryptPasswordEncoder());
        encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
        encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
        encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
        encoders.put("argon2", new Argon2PasswordEncoder());

        return new DelegatingPasswordEncoder(encodingId, encoders);
    }

    private PasswordEncoderFactories() {}
}

DelegatingPasswordEncoder

To have encrypted passwords in our database we need to tweak our existing DataInitializer a bit with the PasswordEncoder we just have configured.

package com.example.libraryserver;

import com.example.libraryserver.book.data.Book;
import com.example.libraryserver.book.data.BookRepository;
import com.example.libraryserver.user.data.User;
import com.example.libraryserver.user.data.UserRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
import java.util.stream.Collectors;
import java.util.stream.Stream;

@Component
public class DataInitializer implements CommandLineRunner {

  //...
  private static final Logger LOGGER = LoggerFactory.getLogger(DataInitializer.class);

  private final BookRepository bookRepository;
  private final UserRepository userRepository;
  private final PasswordEncoder passwordEncoder;
  private final PasswordEncoder legacyPasswordEncoder;

  public DataInitializer(
      BookRepository bookRepository,
      UserRepository userRepository,
      PasswordEncoder passwordEncoder,
      @Qualifier("LegacyEncoder") PasswordEncoder legacyPasswordEncoder) {
    this.bookRepository = bookRepository;
    this.userRepository = userRepository;
    this.passwordEncoder = passwordEncoder;
    this.legacyPasswordEncoder = legacyPasswordEncoder;
  }

  @Override
  public void run(String... args) {
    createUsers();
    createBooks();
  }

  @Transactional
  void createUsers() {

    LOGGER.info("Creating users with LIBRARY_USER, LIBRARY_CURATOR and LIBRARY_ADMIN roles...");
    List<User> userList =
        Stream.of(
                new User(
                    LEGACY_USER_IDENTIFIER,
                    "Doctor",
                    "Strange",
                    "doctor.strange@example.com",
                    legacyPasswordEncoder.encode("strange"),
                    Collections.singleton("LIBRARY_USER")),
                new User(
                    WAYNE_USER_IDENTIFIER,
                    "Bruce",
                    "Wayne",
                    "bruce.wayne@example.com",
                    passwordEncoder.encode("wayne"),
                    Collections.singleton("LIBRARY_USER")),
                new User(
                    BANNER_USER_IDENTIFIER,
                    "Bruce",
                    "Banner",
                    "bruce.banner@example.com",
                    passwordEncoder.encode("banner"),
                    Collections.singleton("LIBRARY_USER")),
                new User(
                    CURATOR_IDENTIFIER,
                    "Peter",
                    "Parker",
                    "peter.parker@example.com",
                    passwordEncoder.encode("parker"),
                    Collections.singleton("LIBRARY_CURATOR")),
                new User(
                    ADMIN_IDENTIFIER,
                    "Clark",
                    "Kent",
                    "clark.kent@example.com",
                    passwordEncoder.encode("kent"),
                    Collections.singleton("LIBRARY_ADMIN")))
            .map(userRepository::save)
            .collect(Collectors.toList());
    LOGGER.info("Created {} users", userList.size());
  }

  @Transactional
  void createBooks() {
    //...
  }
}

DataInitializer.java

Persistent User Storage

Now that we already have configured the encrypting part for passwords of our user storage we need to connect our own user store (the users already stored in the DB) with spring security's authentication manager.

This is done in two steps:

In the first step we need to implement spring security's definition of a user implementing UserDetails. Please create a new class called AuthenticatedUser in package com.example.libraryserver.security.

To make it a bit easier we just extend our existing User data class.

package com.example.libraryserver.security;

import com.example.libraryserver.user.data.User;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;

public class AuthenticatedUser extends User implements UserDetails {

  public AuthenticatedUser(User user) {
    super(
        user.getIdentifier(),
        user.getFirstName(),
        user.getLastName(),
        user.getEmail(),
        user.getPassword(),
        user.getRoles());
  }

  @Override
  public Collection<? extends GrantedAuthority> getAuthorities() {
    return AuthorityUtils.commaSeparatedStringToAuthorityList(String.join(",", getRoles()));
  }

  @Override
  public String getUsername() {
    return getEmail();
  }

  @Override
  public boolean isAccountNonExpired() {
    return true;
  }

  @Override
  public boolean isAccountNonLocked() {
    return true;
  }

  @Override
  public boolean isCredentialsNonExpired() {
    return true;
  }

  @Override
  public boolean isEnabled() {
    return true;
  }
}

AuthenticatedUser.java

In the second step we need to implement spring security's interface UserDetailsService to integrate our user store with the authentication manager. Please go ahead and create a new class LibraryUserDetailsService in package com.example.libraryserver.security:

package com.example.libraryserver.security;

import com.example.libraryserver.user.service.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsPasswordService;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Qualifier("library-user-details-service")
@Service
public class LibraryUserDetailsService implements UserDetailsService, UserDetailsPasswordService {

  private static final Logger LOGGER = LoggerFactory.getLogger(LibraryUserDetailsService.class);

  private final UserService userService;

  public LibraryUserDetailsService(UserService userService) {
    this.userService = userService;
  }

  @Override
  public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    return userService
        .findOneByEmail(username)
        .map(AuthenticatedUser::new)
        .orElseThrow(() -> new UsernameNotFoundException("No user found for " + username));
  }

  @Override
  public UserDetails updatePassword(UserDetails user, String newPassword) {
    return userService
        .findOneByEmail(user.getUsername())
        .map(
            u -> {
              LOGGER.info(
                  "Upgrading password {} for user {} to {}",
                  user.getPassword(),
                  user.getUsername(),
                  newPassword);
              u.setPassword(newPassword);
              return new AuthenticatedUser(userService.save(u));
            })
        .orElseThrow(
            () -> new UsernameNotFoundException("No user found for " + user.getUsername()));
  }
}

LibraryUserDetailsService.java

After completing this part of the workshop we now still have the auto-configured SecurityWebFilterChain but we have replaced the default user with our own users from our DB persistent storage.

If you restart the application now you have to use the following user credentials to log in:

Username

Email

Password

Role

bwayne

bruce.wayne@example.com

wayne

LIBRARY_USER

bbanner

bruce.banner@example.com

banner

LIBRARY_USER

pparker

peter.parker@example.com

parker

LIBRARY_CURATOR

ckent

clark.kent@example.com

kent

LIBRARY_ADMIN

Authenticated Principal

As we now have a persistent authenticated user we can now also use this user to check if the current user is allowed to borrow or return a book. This requires changes in BookService and BookRestController.

First change the class BookService:

package com.example.libraryserver.book.service;

import com.example.libraryserver.book.data.Book;
import com.example.libraryserver.book.data.BookRepository;
import com.example.libraryserver.security.AuthenticatedUser;
import com.example.libraryserver.user.data.UserRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.IdGenerator;

import java.util.List;
import java.util.Optional;
import java.util.UUID;

@Service
@Transactional(readOnly = true)
public class BookService {

  private static final Logger LOGGER = LoggerFactory.getLogger(BookService.class);

  private final BookRepository bookRepository;
  private final UserRepository userRepository;
  private final IdGenerator idGenerator;

  public BookService(
      BookRepository bookRepository, UserRepository userRepository, IdGenerator idGenerator) {
    this.bookRepository = bookRepository;
    this.userRepository = userRepository;
    this.idGenerator = idGenerator;
  }

  // ...

  @Transactional
  public Optional<Book> borrowForUser(
      UUID bookIdentifier, UUID userIdentifier, AuthenticatedUser authenticatedUser) {
    LOGGER.trace(
        "borrow book with identifier {} for user with identifier {}",
        bookIdentifier,
        userIdentifier);

    return bookRepository
        .findOneByIdentifier(bookIdentifier)
        .filter(
            b ->
                b.getBorrowedByUser() == null
                    && authenticatedUser != null
                    && userIdentifier.equals(authenticatedUser.getIdentifier()))
        .flatMap(
            b ->
                userRepository
                    .findOneByIdentifier(userIdentifier)
                    .map(
                        u -> {
                          b.setBorrowedByUser(u);
                          Book borrowedBook = bookRepository.save(b);
                          LOGGER.info("Borrowed book {} for user {}", borrowedBook, u);
                          return Optional.of(borrowedBook);
                        })
                    .orElse(Optional.empty()));
  }

  @Transactional
  public Optional<Book> returnForUser(
      UUID bookIdentifier, UUID userIdentifier, AuthenticatedUser authenticatedUser) {
    LOGGER.trace(
        "return book with identifier {} of user with identifier {}",
        bookIdentifier,
        userIdentifier);

    return bookRepository
        .findOneByIdentifier(bookIdentifier)
        .filter(
            b ->
                b.getBorrowedByUser() != null
                    && authenticatedUser != null
                    && b.getBorrowedByUser().getIdentifier().equals(userIdentifier)
                    && b.getBorrowedByUser()
                        .getIdentifier()
                        .equals(authenticatedUser.getIdentifier()))
        .flatMap(
            b ->
                userRepository
                    .findOneByIdentifier(userIdentifier)
                    .map(
                        u -> {
                          b.setBorrowedByUser(null);
                          Book returnedBook = bookRepository.save(b);
                          LOGGER.info("Returned book {} for user {}", returnedBook, u);
                          return Optional.of(returnedBook);
                        })
                    .orElse(Optional.empty()));
  }

  //...

}

BookService.java

Then please adapt the BookRestController accordingly.

package com.example.libraryserver.book.web;

import com.example.libraryserver.book.data.Book;
import com.example.libraryserver.book.service.BookService;
import com.example.libraryserver.security.AuthenticatedUser;
import org.springframework.hateoas.CollectionModel;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;

import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
import java.net.URI;
import java.util.UUID;

import static org.springframework.hateoas.server.mvc.WebMvcLinkBuilder.linkTo;

@RestController
@RequestMapping("/books")
@Validated
public class BookRestController {

  private final BookService bookService;
  private final BookModelAssembler bookModelAssembler;

  public BookRestController(BookService bookService, BookModelAssembler bookModelAssembler) {
    this.bookService = bookService;
    this.bookModelAssembler = bookModelAssembler;
  }

  // ...

  @PostMapping("/{bookIdentifier}/borrow/{userIdentifier}")
  public ResponseEntity<BookModel> borrowBook(
      @PathVariable("bookIdentifier") UUID bookIdentifier,
      @PathVariable("userIdentifier") UUID userIdentifier,
      @AuthenticationPrincipal AuthenticatedUser authenticatedUser) {

    return bookService
        .borrowForUser(bookIdentifier, userIdentifier, authenticatedUser)
        .map(b -> ResponseEntity.ok(bookModelAssembler.toModel(b)))
        .orElse(ResponseEntity.notFound().build());
  }

  @PostMapping("/{bookIdentifier}/return/{userIdentifier}")
  public ResponseEntity<BookModel> returnBook(
      @PathVariable("bookIdentifier") UUID bookIdentifier,
      @PathVariable("userIdentifier") UUID userIdentifier,
      @AuthenticationPrincipal AuthenticatedUser authenticatedUser) {

    return bookService
        .returnForUser(bookIdentifier, userIdentifier, authenticatedUser)
        .map(b -> ResponseEntity.ok(bookModelAssembler.toModel(b)))
        .orElse(ResponseEntity.notFound().build());
  }

  // ...
}

BookRestController.java

You will get compilation errors in class BookModelAssembler. Here you just have to adapt the method calls for returnBook and borrowBook.

package com.example.libraryserver.book.web;

import com.example.libraryserver.book.data.Book;
import com.example.libraryserver.user.web.UserModelAssembler;
import org.owasp.encoder.Encode;
import org.springframework.hateoas.CollectionModel;
import org.springframework.hateoas.server.mvc.RepresentationModelAssemblerSupport;
import org.springframework.stereotype.Component;

import java.util.ArrayList;
import java.util.List;

import static org.springframework.hateoas.server.mvc.WebMvcLinkBuilder.linkTo;
import static org.springframework.hateoas.server.mvc.WebMvcLinkBuilder.methodOn;

@Component
public class BookModelAssembler extends RepresentationModelAssemblerSupport<Book, BookModel> {

  public BookModelAssembler() {
    super(BookRestController.class, BookModel.class);
  }

  @Override
  public BookModel toModel(Book book) {
    BookModel bookModel =
        outputEscaping(
            new BookModel(
                book.getIdentifier(),
                book.getIsbn(),
                book.getTitle(),
                book.getDescription(),
                book.getAuthors(),
                book.getBorrowedByUser() != null
                    ? new UserModelAssembler().toModel(book.getBorrowedByUser())
                    : null));
    bookModel.add(
        linkTo(methodOn(BookRestController.class).getSingleBook(bookModel.getIdentifier()))
            .withSelfRel());
    bookModel.add(
        linkTo(methodOn(BookRestController.class).borrowBook(bookModel.getIdentifier(), null, null))
            .withRel("borrow"));
    bookModel.add(
        linkTo(methodOn(BookRestController.class).returnBook(bookModel.getIdentifier(), null, null))
            .withRel("return"));

    return bookModel;
  }

  // ...
}

BookModelAssembler.java

Automatic Password Encryption Updates

We already looked into the DelegatingPasswordEncoder and PasswordEncoderFactories. As these classes have knowledge about all encryption algorithms that are supported in spring security, the framework can detect an outdated encryption algorithm. If you look at the LibraryUserDetailsService class we just have added this also implements the additionally provided interface UserDetailsPasswordService. This way we can now enable an automatic password encryption upgrade mechanism.

The UserDetailsPasswordService interface just defines one more operation.

package org.springframework.security.core.userdetails;

public interface UserDetailsPasswordService {

    UserDetails updatePassword(UserDetails user, String newPassword);
}

UserDetailsPasswordService interface

We already have a user using a password that is encrypted using an outdated MD5 algorithm. We achieved this by defining a legacy user doctor.strange@example.com with password strange in the existing DataInitializer class.

Now restart the application and see what happens if we try to get the list of books using this new user (username='doctor.strange@example.com', password='strange').

In the console you should see the log output showing the old MD5 password being updated to bcrypt password.

CAUTION: Never log any sensitive data like passwords, tokens etc., even in encrypted format. Also never put such sensitive data into your version control. And never let error details reach the client (via REST API or web application). Make sure you disable stacktraces in client error messages using property server.error.include-stacktrace=never

Actuator Security

It is also a good idea to restrict the details of the health actuator endpoint to authenticated users. Anonymous users should only see the UP or DOWN status values but no further details.

Just change this entry in application.yml file:

...
management:
  endpoint:
    health:
      show-details: when_authorized
...

Adding a Password Policy

Usually not the authentication mechanisms are hacked, instead weak passwords are the most critical source for attacking authentication. Therefore strong passwords are really important. It is also not a good practice any more to force users to change their passwords after a period of time.

Now we want to follow the recommendations of the NIST for secure passwords: NIST (section 5.1.1.2 Memorized Secret Verifiers) to implement a password policy.

We will utilize the Passay library for this.

So first add a new dependency to build.gradle:

dependencies {
    // ...
    implementation 'org.passay:passay:1.5.0'
    // ...
}
package com.example.libraryserver.user.service;

import org.passay.CharacterCharacteristicsRule;
import org.passay.CharacterRule;
import org.passay.DictionarySubstringRule;
import org.passay.EnglishCharacterData;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.RepeatCharacterRegexRule;
import org.passay.RuleResult;
import org.passay.UsernameRule;
import org.passay.WhitespaceRule;
import org.passay.dictionary.ArrayWordList;
import org.passay.dictionary.WordList;
import org.passay.dictionary.WordListDictionary;
import org.passay.dictionary.WordLists;
import org.passay.dictionary.sort.ArraysSort;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ClassPathResource;

import javax.annotation.PostConstruct;
import java.io.FileReader;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Password policy validator. Uses recommendations from
 * https://pages.nist.gov/800-63-3/sp800-63b.html (section 5.1.1.2 Memorized Secret Verifiers)
 */
public class PasswordValidationService {

  private static final Logger LOGGER = LoggerFactory.getLogger(PasswordValidationService.class);

  /* https://github.com/danielmiessler/SecLists/blob/master/Passwords/darkweb2017-top100.txt */
  private static final String PASSWORD_LIST_TXT = "password-list.txt";

  private PasswordValidator passwordValidator;

  @PostConstruct
  public void init() {

    WordList wordList;
    try {
      ClassPathResource resource = new ClassPathResource(PASSWORD_LIST_TXT);
      wordList =
          WordLists.createFromReader(
              new FileReader[] {new FileReader(resource.getFile())}, false, new ArraysSort());
      LOGGER.info(
          "Successfully loaded the password list from {} with size {}",
          resource.getURL(),
          wordList.size());
    } catch (IOException ex) {
      wordList =
          new ArrayWordList(
              new String[] {
                "password", "Password", "123456", "12345678", "admin", "geheim", "secret"
              },
              false,
              new ArraysSort());
      LOGGER.warn("Error loading the password list: {}", ex.getMessage());
    }

    CharacterCharacteristicsRule characteristicsRule = new CharacterCharacteristicsRule();

    characteristicsRule.setNumberOfCharacteristics(3);

    characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.UpperCase, 1));
    characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.LowerCase, 1));
    characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.Digit, 1));
    characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.Special, 1));

    this.passwordValidator =
        new PasswordValidator(
            Arrays.asList(
                new LengthRule(12, 64),
                characteristicsRule,
                new RepeatCharacterRegexRule(4),
                new UsernameRule(),
                new WhitespaceRule(),
                new DictionarySubstringRule(new WordListDictionary(wordList))));
  }

  public void validate(String username, String password) {
    RuleResult result = this.passwordValidator.validate(new PasswordData(username, password));
    if (!result.isValid()) {
      List<String> messages = passwordValidator.getMessages(result);
      LOGGER.warn("Password validation failed");
      messages.forEach(LOGGER::info);
      throw new InvalidPasswordError(messages);
    } else {
      LOGGER.info("Password validated successfully");
    }
  }
}

PasswordValidationService.java

We also need to configure this service as Spring bean by creating new class PasswordValidationConfiguration:

package com.example.libraryserver.config;

import com.example.libraryserver.user.service.PasswordValidationService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class PasswordValidationConfiguration {

  @Bean
  public PasswordValidationService passwordValidationService() {
    return new PasswordValidationService();
  }
}

We also check for well-known insecure passwords using a password list. There are plenty of password lists available on the internet (especially useful for performing brute force attacks by hackers). Please download one of these the password list from https://github.com/danielmiessler/SecLists/blob/master/Passwords/darkweb2017-top100.txt and store this file as password-list.txt in folder src/main/resources.

We also need a special error for reporting password policy violations. Please create a new class InvalidPasswordError.

package com.example.libraryserver.user.service;

import java.util.List;

public class InvalidPasswordError extends RuntimeException {

  private List<String> validationErrors;

  public InvalidPasswordError(List<String> validationErrors) {
    super("Validation failed: " + String.join(",", validationErrors));
    this.validationErrors = validationErrors;
  }

  public List<String> getValidationErrors() {
    return validationErrors;
  }
}

Now we have to add the PasswordValidationService to our UserRestController to check the policy when creating or updating a User.

package com.example.libraryserver.user.web;

import com.example.libraryserver.user.data.User;
import com.example.libraryserver.user.service.PasswordValidationService;
import com.example.libraryserver.user.service.UserService;
import org.springframework.hateoas.CollectionModel;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;

import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
import java.net.URI;
import java.util.UUID;

import static org.springframework.hateoas.server.mvc.WebMvcLinkBuilder.linkTo;
import static org.springframework.http.HttpStatus.NO_CONTENT;
import static org.springframework.http.HttpStatus.OK;

@RestController
@RequestMapping("/users")
public class UserRestController {

  private final UserService userService;
  private final PasswordValidationService passwordValidationService;
  private final UserModelAssembler userModelAssembler;

  public UserRestController(
      UserService userService,
      PasswordValidationService passwordValidationService,
      UserModelAssembler userModelAssembler) {
    this.userService = userService;
    this.passwordValidationService = passwordValidationService;
    this.userModelAssembler = userModelAssembler;
  }

  @PostMapping
  public ResponseEntity<UserModel> registerUser(
      @RequestBody @Valid CreateUserModel createUserModel, HttpServletRequest request) {

    passwordValidationService.validate(createUserModel.getEmail(), createUserModel.getPassword());

    User user =
        userService.save(
            new User(
                createUserModel.getFirstName(),
                createUserModel.getLastName(),
                createUserModel.getEmail(),
                createUserModel.getPassword(),
                createUserModel.getRoles()));
    URI uri =
        ServletUriComponentsBuilder.fromServletMapping(request)
            .path("/users/" + user.getIdentifier())
            .build()
            .toUri();

    return ResponseEntity.created(uri).body(userModelAssembler.toModel(user));
  }

  @PutMapping("/{userIdentifier}")
  public ResponseEntity<UserModel> updateUser(
      @PathVariable("userIdentifier") UUID userIdentifier,
      @RequestBody @Valid CreateUserModel createUserModel) {

    return userService
        .findOneByIdentifier(userIdentifier)
        .map(
            u -> {
              if (!u.getPassword().equals(createUserModel.getPassword())) {
                passwordValidationService.validate(
                    createUserModel.getEmail(), createUserModel.getPassword());
              }
              u.setFirstName(createUserModel.getFirstName());
              u.setLastName(createUserModel.getLastName());
              u.setEmail(createUserModel.getEmail());
              u.setPassword(createUserModel.getPassword());
              u.setRoles(createUserModel.getRoles());
              return ResponseEntity.ok(userModelAssembler.toModel(userService.save(u)));
            })
        .orElse(ResponseEntity.notFound().build());
  }

  //...
}

UserRestController.java

To correctly handle password policy violations with correct http status we need to extend the ErrorHandler class:

package com.example.libraryserver.common.web;

import com.example.libraryserver.user.service.InvalidPasswordError;
import org.owasp.encoder.Encode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestController;

@ControllerAdvice(annotations = RestController.class)
public class ErrorHandler {

  // ...

  @ExceptionHandler(InvalidPasswordError.class)
  public ResponseEntity<String> handle(InvalidPasswordError ex) {
    LOGGER.warn(ex.getMessage());
    return ResponseEntity.badRequest()
        .body(Encode.forJavaScriptSource(Encode.forHtmlContent(ex.getMessage())));
  }

  // ...
}

This is the end of lab 2 of the workshop.

NOTE: You find the completed code in project lab2/library-server-complete.

In the next lab we will add the Mutual TLS authentication.

Previous1.Security via Spring Boot Auto-ConfigurationNext3.Mutual TLS (MTLS)

Last updated