Java Code Examples for org.springframework.security.core.Authentication

/**
 * Attempt to authenticate request - basically just pass over to another method to authenticate request headers
 */
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {

    String header = request.getHeader(tokenHeader);
    if (header == null || !header.startsWith("Bearer ")) {
        throw new JwtTokenMissingException("No JWT token found in request headers");
    }
    String authToken = header.substring(7);

    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        JwtAuthenticationToken authentication = new JwtAuthenticationToken(authToken);
        authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }
    return SecurityContextHolder.getContext().getAuthentication();
}
 

public Authentication validateKerberosTicket(HttpServletRequest request) {
    // Only support Kerberos login when running securely
    if (!request.isSecure()) {
        return null;
    }

    String header = request.getHeader(AUTHORIZATION_HEADER_NAME);

    if (isValidKerberosHeader(header)) {
        if (logger.isDebugEnabled()) {
            logger.debug("Received Negotiate Header for request " + request.getRequestURL() + ": " + header);
        }
        byte[] base64Token = header.substring(header.indexOf(" ") + 1).getBytes(StandardCharsets.UTF_8);
        byte[] kerberosTicket = Base64.decode(base64Token);
        KerberosServiceRequestToken authenticationRequest = new KerberosServiceRequestToken(kerberosTicket);
        authenticationRequest.setDetails(authenticationDetailsSource.buildDetails(request));

        return kerberosServiceAuthenticationProvider.authenticate(authenticationRequest);
    } else {
        return null;
    }
}
 

@Override
public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> configAttributes)
		throws AccessDeniedException, InsufficientAuthenticationException {
	if (null == configAttributes || configAttributes.size() <= 0) {
		logger.info("decide == return");
		return;
	}
	ConfigAttribute c;
	String needRole;
	for (Iterator<ConfigAttribute> iter = configAttributes.iterator(); iter.hasNext();) {
		c = iter.next();
		needRole = c.getAttribute();
		logger.info("need======" + needRole.trim() + "  size=" + authentication.getAuthorities());
		for (GrantedAuthority ga : authentication.getAuthorities()) {
			logger.info("needRole==" + needRole.trim() + " [] = authority=" + ga.getAuthority());
			// authentication 为在注释1 中循环添加到 GrantedAuthority 对象中的权限信息集合
			if (needRole.trim().equals(ga.getAuthority())) {
				return;
			}
		}
	}
	throw new AccessDeniedException("no right");
}
 

@Override
public Authentication createAuthentication(String token) throws BadCredentialsException {
	Claims claims = createClaimsFromToken(token);
	DateTime expireation = new DateTime(claims.getExpiration());
	if(expireation.isBeforeNow()){
		return null;
	}
	String authorityString = claims.get(JwtSecurityUtils.CLAIM_AUTHORITIES).toString();
	List<GrantedAuthority> authorities = GuavaUtils.splitAsStream(authorityString, ",").map(auth->{
		return new SimpleGrantedAuthority(auth);
	})
	.collect(Collectors.toList());
	
	Authentication authentication = buildAuthentication(claims, authorities);
	return authentication;
}
 

/**
 * Get the {@link CalendarUser} by obtaining the currently logged in Spring Security user's
 * {@link Authentication#getName()} and using that to find the {@link CalendarUser} by email address (since for our
 * application Spring Security usernames are email addresses).
 */
@Override
public CalendarUser getCurrentUser() {
    SecurityContext context = SecurityContextHolder.getContext();
    Authentication authentication = context.getAuthentication();
    if (authentication == null) {
        return null;
    }
    CalendarUser user = (CalendarUser) authentication.getPrincipal();
    String email = user.getEmail();        if (email == null) {
        return null;
    }
    CalendarUser result = calendarService.findUserByEmail(email);
    if (result == null) {
        throw new IllegalStateException(
                "Spring Security is not in synch with CalendarUsers. Could not find user with email " + email);
    }

    logger.info("CalendarUser: {}", result);
    return result;
}
 

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // 获取认证的用户名 & 密码
    String name = authentication.getName();
    Object pd = authentication.getCredentials();
    if (pd == null) {
        return new UsernamePasswordAuthenticationToken(name, "", new ArrayList<>());
    }
    String password = pd.toString();
    UserLoginEntity userLoginEntity = loginService.loginValidator(name, password);
    // 认证逻辑
    if (userLoginEntity.isFlag()) {
        return getRole(name, password);
    } else {
        logger.info("登录失败,原因是:账号 {}: {}", userLoginEntity.getUsername(), userLoginEntity.getMessage());
        throw new BadCredentialsException(new GsonBuilder().create().toJson(userLoginEntity));
    }
}
 

@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                            Authentication authentication)
    throws IOException, ServletException {

    // Request the token
    String token = request.getHeader("authorization");
    if (token != null && token.startsWith(BEARER_AUTHENTICATION)) {
        final OAuth2AccessToken oAuth2AccessToken = tokenStore.readAccessToken(StringUtils.substringAfter(token, BEARER_AUTHENTICATION));

        if (oAuth2AccessToken != null) {
            tokenStore.removeAccessToken(oAuth2AccessToken);
        }
    }

    response.setStatus(HttpServletResponse.SC_OK);
}
 

@Test
public void testUpdateUserNamespaceAuthorizationLowerCaseParameters()
{
    // Override the security context to return an application user populated with test values.
    Authentication originalAuthentication = overrideSecurityContext();

    // Create a user namespace authorization key.
    UserNamespaceAuthorizationKey key = new UserNamespaceAuthorizationKey(USER_ID, NAMESPACE);

    // Create and persist the relative database entities.
    UserNamespaceAuthorizationEntity userNamespaceAuthorizationEntity = userNamespaceAuthorizationDaoTestHelper
        .createUserNamespaceAuthorizationEntity(key, Arrays.asList(NamespacePermissionEnum.READ, NamespacePermissionEnum.WRITE));

    // Update a user namespace authorization using lowercase input parameters.
    UserNamespaceAuthorization resultUserNamespaceAuthorization = userNamespaceAuthorizationService
        .updateUserNamespaceAuthorization(new UserNamespaceAuthorizationKey(key.getUserId().toLowerCase(), key.getNamespace().toLowerCase()),
            new UserNamespaceAuthorizationUpdateRequest(SUPPORTED_NAMESPACE_PERMISSIONS));

    // Validate the returned object.
    assertEquals(new UserNamespaceAuthorization(userNamespaceAuthorizationEntity.getId(), key, SUPPORTED_NAMESPACE_PERMISSIONS),
        resultUserNamespaceAuthorization);

    // Restore the original authentication.
    restoreSecurityContext(originalAuthentication);
}
 

private ResponseEntity<Void> handleReservationWith(String eventName, String reservationId, Authentication authentication,
                                                   BiFunction<Event, TicketReservation, ResponseEntity<Void>> with) {
    ResponseEntity<Void> notFound = ResponseEntity.notFound().build();
    ResponseEntity<Void> badRequest = ResponseEntity.badRequest().build();



    return eventRepository.findOptionalByShortName(eventName).map(event -> {
            if(canAccessReceiptOrInvoice(event, authentication)) {
                return ticketReservationManager.findById(reservationId).map(ticketReservation -> with.apply(event, ticketReservation)).orElse(notFound);
            } else {
                return badRequest;
            }
        }
    ).orElse(notFound);
}
 

@Override
	public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
			throws AccessDeniedException, InsufficientAuthenticationException {
	    //无需验证放行
	    if(configAttributes==null || configAttributes.size()==0)
	        return;
	    log.info("开始验证");
//	    if(!authentication.isAuthenticated()){
        if(authenticationTrustResolver.isAnonymous(authentication)){
	        throw new InsufficientAuthenticationException("未登录");
        }
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        for(ConfigAttribute attribute : configAttributes){
            if(!(attribute instanceof MyConfigAttribute)) continue;
            MyConfigAttribute urlConfigAttribute = (MyConfigAttribute)attribute;
            for(GrantedAuthority authority: authorities){
                if(!(authority instanceof MyGrantedAuthority)) continue;
                MyGrantedAuthority myGrantedAuthority = (MyGrantedAuthority)authority;
                if(urlConfigAttribute.getMyGrantedAuthority().equals(myGrantedAuthority))
                    return;
            }
        }
        throw new AccessDeniedException("无权限");
	}
 

/**
 * When logout occurs, only invalidate the current token, and not all user sessions.
 * <p>
 * The standard Spring Security implementations are too basic: they invalidate all tokens for the
 * current user, so when he logs out from one browser, all his other sessions are destroyed.
 */
@Override
@Transactional
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
    String rememberMeCookie = extractRememberMeCookie(request);
    if (rememberMeCookie != null && rememberMeCookie.length() != 0) {
        try {
            String[] cookieTokens = decodeCookie(rememberMeCookie);
            PersistentToken token = getPersistentToken(cookieTokens);
            persistentTokenRepository.delete(token);
        } catch (InvalidCookieException ice) {
            log.info("Invalid cookie, no persistent token could be deleted");
        } catch (RememberMeAuthenticationException rmae) {
            log.debug("No persistent token found, so no token could be deleted");
        }
    }
    super.logout(request, response, authentication);
}
 

/**
 * {@inheritDoc}
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
		throws IOException, ServletException {

       // Get the Bearer Token and extract claims
       Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
       OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) authentication.getDetails();
       String accessToken = details.getTokenValue();
       String claims = JwtHelper.decode(accessToken).getClaims();
       
       // Extract user ID from Token claims -depending on Keycloak Identity Provider configuration
       // String userId = Spin.JSON(claims).prop("sub").stringValue();
       String userId = Spin.JSON(claims).prop("email").stringValue(); // useEmailAsCamundaUserId = true
       // String userId = Spin.JSON(claims).prop("preferred_username").stringValue(); // useUsernameAsCamundaUserId = true
       LOG.debug("Extracted userId from bearer token: {}", userId);

       try {
       	identityService.setAuthentication(userId, getUserGroups(userId));
       	chain.doFilter(request, response);
       } finally {
       	identityService.clearAuthentication();
       }
}
 

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
    String email = token.getName();
    CalendarUser user = email == null ? null : calendarService.findUserByEmail(email);
    if(user == null) {
        throw new UsernameNotFoundException("Invalid username/password");
    }
    // Database Password already encrypted:
    String password = user.getPassword();

    boolean passwordsMatch = passwordEncoder.matches(token.getCredentials().toString(), password);

    if(!passwordsMatch) {
        throw new BadCredentialsException("Invalid username/password");
    }
    Collection<? extends GrantedAuthority> authorities = CalendarUserAuthorityUtils.createAuthorities(user);
    UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(user, password, authorities);
    return usernamePasswordAuthenticationToken;
}
 

@Override
public String getName(String token, String user) throws PrincipalAdapterException {
	String name = null;
	Authentication oldAuth = null;

	try {
		if (token == null) {
			PrincipalUtils.getAuthentication();
		} else {
			oldAuth = PrincipalUtils.getAuthentication();
			PrincipalUtils.getAuthenticationByToken(token);
		}

		name = CommonAuthModule.getName(user);
	} catch (AccessDeniedException e) {
		throw new PrincipalAdapterException(e.getMessage(), e);
	} finally {
		if (token != null) {
			PrincipalUtils.setAuthentication(oldAuth);
		}
	}

	return name;
}
 

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // 获取认证的用户名 & 密码
    String name = authentication.getName();
    Object pd = authentication.getCredentials();
    if (pd == null) {
        return new UsernamePasswordAuthenticationToken(name, "", new ArrayList<>());
    }
    String password = pd.toString();
    UserLoginEntity userLoginEntity = loginService.loginValidator(name, password);
    // 认证逻辑
    if (userLoginEntity.isFlag()) {
        return getRole(name, password);
    } else {
        logger.info("登录失败,原因是:账号 {}: {}", userLoginEntity.getUsername(), userLoginEntity.getMessage());
        throw new BadCredentialsException(new GsonBuilder().create().toJson(userLoginEntity));
    }
}
 

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    RemoteUser user = remoteIdmService.authenticateUser(authentication.getPrincipal().toString(), authentication.getCredentials().toString());
    if (user == null) {
        throw new FlowableException("user not found " + authentication.getPrincipal());
    }

    Collection<GrantedAuthority> grantedAuthorities = new ArrayList<>();
    for (String privilege : user.getPrivileges()) {
        grantedAuthorities.add(new SimpleGrantedAuthority(privilege));
    }

    Authentication auth = new UsernamePasswordAuthenticationToken(authentication.getPrincipal(),
            authentication.getCredentials(), grantedAuthorities);
    return auth;
}
 

@WithMockUser("jsmith")
@Test
public void submitTalk() throws Exception {
	Authentication authentication = new TestingAuthenticationToken(
			new User("jsmith", "John Smith"), "secret", "ROLE_USER");

	given(this.submissionService.create(any())).willReturn(new Submission());
	this.mvc.perform(post("/submit")
			.param("title", "Alice in Wonderland")
			.param("summary", "my abstract")
			.param("track", Track.ALTERNATE_LANGUAGES.getId())
			.param("notes", "this rocks")
			.with(authentication(authentication))
			.with(csrf()))
			.andExpect(status().isFound())
			.andExpect(header().string(HttpHeaders.LOCATION, "/submit?navSection=submit"));
	verify(this.submissionService).create(any());
}
 

/**
 * Get the {@link CalendarUser} by obtaining the currently logged in Spring Security user's
 * {@link Authentication#getName()} and using that to find the {@link CalendarUser} by email address (since for our
 * application Spring Security usernames are email addresses).
 */
@Override
public CalendarUser getCurrentUser() {
    SecurityContext context = SecurityContextHolder.getContext();
    Authentication authentication = context.getAuthentication();
    if (authentication == null) {
        return null;
    }
    CalendarUser user = (CalendarUser) authentication.getPrincipal();
    String email = user.getEmail();        if (email == null) {
        return null;
    }
    CalendarUser result = calendarService.findUserByEmail(email);
    if (result == null) {
        throw new IllegalStateException(
                "Spring Security is not in synch with CalendarUsers. Could not find user with email " + email);
    }

    logger.info("CalendarUser: {}", result);
    return result;
}
 

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    SmsAuthenticationToken authenticationToken = (SmsAuthenticationToken) authentication;
    UserDetails userDetails = userDetailService.loadUserByUsername((String) authenticationToken.getPrincipal());

    if (userDetails == null)
        throw new InternalAuthenticationServiceException("未找到与该手机号对应的用户");

    SmsAuthenticationToken authenticationResult = new SmsAuthenticationToken(userDetails, userDetails.getAuthorities());

    authenticationResult.setDetails(authenticationToken.getDetails());

    return authenticationResult;
}
 

/**
 * Returns the token using {@link SecurityContextHolder}.
 *
 *
 * @return the token or <code>null</code> if {@link SecurityContext} is empty or
 *         does not contain a token of this type.
 */
@Nullable
public static Token getToken() {
	Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
	if (Objects.nonNull(authentication) && authentication.isAuthenticated() &&
			authentication.getDetails() instanceof OAuth2AuthenticationDetails) {
		OAuth2AuthenticationDetails authDetails = (OAuth2AuthenticationDetails) authentication.getDetails();
		String tokenValue = authDetails.getTokenValue();
		// TODO IAS Support
		return new XsuaaTokenWithGrantedAuthorities(tokenValue, authentication.getAuthorities());
	}
	return null;
}
 

@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain filterChain) throws ServletException,
        IOException {
    try {
        Authentication authentication = TokenAuthenticationHelper.getAuthentication(request);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        filterChain.doFilter(request, response);
    } catch (ExpiredJwtException | UnsupportedJwtException | MalformedJwtException |
            SignatureException | IllegalArgumentException e) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Token expired");
    }
}
 

public String getUserPrincipal(){
    SecurityContext securityContext = SecurityContextHolder.getContext();
    Authentication authentication = securityContext.getAuthentication();
    String userPrincipal = null;
    if (authentication != null) {
        if (authentication.getPrincipal() instanceof UserDetails) {
            UserDetails springSecurityUser = (UserDetails) authentication.getPrincipal();
            userPrincipal = springSecurityUser.getUsername();
        } else if (authentication.getPrincipal() instanceof String) {
            userPrincipal = (String) authentication.getPrincipal();
        }
    }
    return userPrincipal;
}
 

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

	String username = authentication.getName();
	String password = (String) authentication.getCredentials();

	User user = userRepository.findByName(username);

	if (user == null) {
		throw new BadCredentialsException("User not found");
	}

	if (!new BCryptPasswordEncoder().matches(password, user.getPasswordHash())) {

		throw new BadCredentialsException("Wrong password");
	} else {

		userComponent.setLoggedUser(user);

		List<GrantedAuthority> roles = new ArrayList<>();
		for (String role : user.getRoles()) {
			roles.add(new SimpleGrantedAuthority(role));
		}

		return new UsernamePasswordAuthenticationToken(username, password, roles);
	}
}
 

@Override
public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer, NativeWebRequest webRequest, WebDataBinderFactory binderFactory) throws Exception {
	Object result = null;
	if(Authentication.class.isAssignableFrom(parameter.getParameterType())){
		result = SecurityContextHolder.getContext().getAuthentication();
	}else if(User.class.isAssignableFrom(parameter.getParameterType())){
		result = SecurityUtils.getCurrentLoginUser();
	}else if(UserDetail.class.isAssignableFrom(parameter.getParameterType())){
		result = (UserDetail)SecurityUtils.getCurrentLoginUser();
	}
	return result;
}
 

@Test
public void shouldFailToAuthenticateUsingJWKIfTokenHasExpired() throws Exception {
    Calendar calendar = Calendar.getInstance();
    calendar.add(Calendar.SECOND, -10);
    Date tenSecondsAgo = calendar.getTime();

    Jwk jwk = mock(Jwk.class);
    JwkProvider jwkProvider = mock(JwkProvider.class);

    KeyPair keyPair = RSAKeyPair();
    when(jwkProvider.get(eq("key-id"))).thenReturn(jwk);
    when(jwk.getPublicKey()).thenReturn(keyPair.getPublic());
    JwtAuthenticationProvider provider = new JwtAuthenticationProvider(jwkProvider, "test-issuer", "test-audience");
    Map<String, Object> keyIdHeader = Collections.singletonMap("kid", (Object) "key-id");
    String token = JWT.create()
            .withAudience("test-audience")
            .withIssuer("test-issuer")
            .withHeader(keyIdHeader)
            .withExpiresAt(tenSecondsAgo)
            .sign(Algorithm.RSA256(null, (RSAPrivateKey) keyPair.getPrivate()));

    Authentication authentication = PreAuthenticatedAuthenticationJsonWebToken.usingToken(token);

    exception.expect(BadCredentialsException.class);
    exception.expectMessage("Not a valid token");
    exception.expectCause(Matchers.<Throwable>instanceOf(TokenExpiredException.class));
    provider.authenticate(authentication);
}
 

/**
 * Returns the username of the current authentication.
 *
 * @return username or <tt>null</tt> if 1) the current authentication is null or 2) the currently
 *     authenticated principal is the system.
 */
public static @Nullable @CheckForNull String getCurrentUsername() {
  Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
  if (authentication == null) {
    return null;
  }
  return getUsername(authentication);
}
 

/**
 * @param authRequest 访问的url,method
 * @return 有权限true, 无权限或全局资源中未找到请求url返回否
 */
@Override
public boolean decide(HttpServletRequest authRequest) {
    log.debug("正在访问的url是:{}，method:{}", authRequest.getServletPath(), authRequest.getMethod());
    //获取用户认证信息
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    //获取此url，method访问对应的权限资源信息
    ConfigAttribute urlConfigAttribute = findConfigAttributesByUrl(authRequest);
    if (NONEXISTENT_URL.equals(urlConfigAttribute.getAttribute()))
        log.debug("url未在资源池中找到，拒绝访问");
    //获取此访问用户所有角色拥有的权限资源
    Set<Resource> userResources = findResourcesByAuthorityRoles(authentication.getAuthorities());
    //用户拥有权限资源 与 url要求的资源进行对比
    return isMatch(urlConfigAttribute, userResources);
}
 

/**
 * If the current user has a specific authority (security role).
 * <p>
 * <p>The name of this method comes from the isUserInRole() method in the Servlet API</p>
 *
 * @param authority the authorithy to check
 * @return true if the current user has the authority, false otherwise
 */
public static boolean isCurrentUserInRole(String authority) {
    SecurityContext securityContext = SecurityContextHolder.getContext();
    Authentication authentication = securityContext.getAuthentication();
    if (authentication != null) {
        if (authentication.getPrincipal() instanceof UserDetails) {
            UserDetails springSecurityUser = (UserDetails) authentication.getPrincipal();
            return springSecurityUser.getAuthorities().contains(new SimpleGrantedAuthority(authority));
        }
    }
    return false;
}
 

@Override
public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
    if ((auth == null) || (targetDomainObject == null) || !(permission instanceof String)) {
        return false;
    }
    final String targetType = targetDomainObject.getClass().getSimpleName().toUpperCase();
    return hasPrivilege(auth, targetType, permission.toString().toUpperCase());
}
 

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

	if(!request.getMethod().equals("POST")){
		throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
	}
	String username = this.obtainUsername(request);
	String password = this.obtainPassword(request);
	
	//加盐
	String sh1Password = password + "{" + username + "}";
	PasswordEncoder passwordEncoder = new StandardPasswordEncoderForSha1();
	String result = passwordEncoder.encode(sh1Password);
	log.info(result);
	UserInfo userDetails = (UserInfo) userDetailsService.loadUserByUsername(username);
	
	
	/*this.checkValidateCode(request);*/
	if(!passwordEncoder.matches(userDetails.getPassword(), result) || "0".equals(userDetails.getEnabled()) || userDetails == null){
		//System.out.println("用户名或密码错误！");
		throw new AuthenticationServiceException("用户名或密码错误！");
	}
	if(!userDetails.getRolesName().contains("ROLE_ADMIN") && !userDetails.getRolesName().contains("ROLE_TEACHER")){
		throw new AuthenticationServiceException("非管理用户，操作无效！");
	}
	UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
	this.setDetails(request, authRequest);
	Authentication authentication = null;
	try{
		authentication = this.getAuthenticationManager().authenticate(authRequest);
	}catch(Exception e){
		e.printStackTrace();
	}
	
	return authentication;
}