Manual authentication between a Spring Boot REST service and Shibboleth

Question

I have a backend of stateless REST services written in Java Spring Boot.

1- One of the services is "/Login". It receives a username and a password from my own web form (not the form generated by Shibboleth). In this service call, I want to contact Shibboleth (using OAuth2 or SAML or whatever) to authenticate this user and get a token. This should be done synchronously, as the service must return "true" or "false" to the caller. No redirection is permitted: either true of false.

2- This token will be included in the response sent back to the frontend and will be stored in the frontend. It will be resend back to the backend in the following calls to the other REST services (other than /Login). Those other calls must contact Shibboleth by sending the token to it. Shibboleth must return the information about the user, or an error if the token is not correct.

How can I implement points 1- and 2- manually, i.e. without using Spring Security? Just pur Java and maybe other third party libraries.

Answer 1

In my opinion, you can safely use Spring Security for this purpose. All it takes is to just configure it properly.

Let's start from the end, which involves querying Shibboleth after each request to see if the passed token is valid. What you need to do is simply define a class that extends BasicAuthenticationFilter and use it in your Spring Security configuration. A very simplified implementation might look like this:

import org.springframework.security.authentication.AuthenticationManager;  
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;  
import org.springframework.security.core.context.SecurityContextHolder;  
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;  
  
import javax.servlet.FilterChain;  
import javax.servlet.ServletException;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
import java.io.IOException;  
import java.util.Optional;  
  
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {  
  
    public JWTAuthorizationFilter(AuthenticationManager authManager) {  
        super(authManager);  
    }  
  
    @Override  
    protected void doFilterInternal(HttpServletRequest request,  
                                    HttpServletResponse response,  
                                    FilterChain chain) throws IOException, ServletException {  
        Optional<CredentialsDto> credentials = getCredentialsFromRequest(request);  
  
        if (!credentials.isPresent() || !isUserAuthenticated(credentials.get())) {  
            chain.doFilter(request, response);  
            return;  
        }  
  
        UsernamePasswordAuthenticationToken authentication = getAuthenticationObject(credentials.get());  
        SecurityContextHolder.getContext().setAuthentication(authentication);  
        chain.doFilter(request, response);  
    }  
  
    private Optional<CredentialsDto> getCredentialsFromRequest(HttpServletRequest request) {  
        //gets passed credentials from web form. Either from headers or body and returns custom dto object.  
    }  
  
    private boolean isUserAuthenticated(CredentialsDto credentials) {  
        //calls your Shibboleth service to check whether user is authenticated.  
    }  
  
    private UsernamePasswordAuthenticationToken getAuthenticationObject(CredentialsDto credentials) {  
        //returns org.springframework.security.authentication.UsernamePasswordAuthenticationToken object  
        //so Spring Security may know that user is authenticated.  
        return new UsernamePasswordAuthenticationToken(/*TODO*/, /*TODO*/, /*TODO*/);  
    }  
}

Next, you use this class in your Spring Security configuration and set session management to Stateless, so Spring Security does not store sessions, and authentication is required with every single request:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;  
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;  
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;  
import org.springframework.security.config.http.SessionCreationPolicy;  
  
@EnableWebSecurity  
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {  
  
    @Override  
    protected void configure(HttpSecurity http) throws Exception {  
        http.authorizeRequests()  
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()  
                .and()  
                .addFilter(new JWTAuthorizationFilter(authenticationManager()))  
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);  
    }  
}

In the end, all you need to do is define an endpoint that allows logging in and obtaining a token. This will be nothing more than a simple proxy to Shibboleth, that exposes your own form:

import org.springframework.http.ResponseEntity;  
import org.springframework.web.bind.annotation.PostMapping;  
import org.springframework.web.bind.annotation.RequestBody;  
import org.springframework.web.bind.annotation.RestController;  
  
@RestController  
public class LoginController {  
  
    private final ShibbolethCient shibbolethClient;  
  
    public LoginController(ShibbolethCient shibbolethCient) {  
        this.shibbolethClient = shibbolethCient;  
    }  
  
    @PostMapping("/login")  
    public ResponseEntity<?> login(@RequestBody LoginRequest loginRequest) {  
        ShibbolethTokenRequest tokenRequest = mapIntoTokenRequest(loginRequest);  
          
        String token = shibbolethClient.getToken(tokenRequest);  
          
        //returns ResponseEntity based on Shibboleth Client response.   
}  
      
    private ShibbolethTokenRequest mapIntoTokenRequest(LoginRequest loginRequest) {  
        //returns dto for performing Shibboleth token request  
    }  
}

I would definitely recommend doing this with Spring Security, because that's exactly what this tool is for. It does have a somewhat high barrier to entry, but it will definitely pay off, believe me.

Answer 2

If you dont want to use spring security you should save token in redis or a table that contains user id and its token. After that you should write filters. Its recommended to use aspect or spring-Aop .

In every request first this request comes to your aspect that fetch the user id and token from frontend and then fetch token of this user id from redis or your database and compare them with each other if is correct your request will be proceed and if is not correct it will throw an exception.

There is a sample Aop code bellow

package com.dpco.aop;

import com.dpco.business.exception.CustomException;
import com.dpco.logger.Logger4j;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMapping;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.util.Date;


@Aspect
@Configuration
public class LoggerAspect {

    @Autowired
    private Logger4j logger4j;

    @Pointcut("execution(* com.dpco.controller.*.*(..)) && @annotation(requestMapping)")
    public void controller(RequestMapping requestMapping){
    }


    @Around("controller(requestMapping)")
    public Object around(ProceedingJoinPoint joinPoint , RequestMapping requestMapping) throws Throwable {

            Object[] obj = joinPoint.getArgs();
            File file = new File("log.txt");
            Object object = null;
            try {
                if (file.createNewFile()) {
                    FileWriter fileWriter = new FileWriter(file);
                    fileWriter.write("\n\n-----------------------------------------this is the logger of project , you can see the methods that calls and information of them  in here------------------------------------\n\n");
                    fileWriter.close();
                }
                FileWriter fileWriter = new FileWriter(file, true);
                Date first = new Date();
                fileWriter.write("\n---------------------------------------" + joinPoint.getSignature().getName() + "-------------------------------------------\n");
                fileWriter.write("path is : " + requestMapping.path()[0] + "\n");
                fileWriter.write("the method of request is :" + requestMapping.method()[0] + "\n");
                StringBuilder builder = new StringBuilder();
                for (Object arg : obj) {
                    builder.append(arg.toString() + ",");
                }
                if(builder.length() != 0) {
                    builder.deleteCharAt(builder.indexOf(builder.toString()));
                }
                fileWriter.write("the arguments of this method is : " + builder.toString() + "\n");
                object = joinPoint.proceed();
                Date second = new Date();
                fileWriter.write("the milli seconds that left : " + String.valueOf(second.getTime() - first.getTime()));
                fileWriter.close();
            } catch (IOException e) {
                logger4j.getLogger(e);
                throw new CustomException("hello", HttpStatus.MULTI_STATUS);
            }
            return object;

    }



}

This aspect contains log before every call of rest controllers

You can change it based on your need.

I think its the best way based on your need