Added some security changes

OKaluzny · OKaluzny · commit c6f288b4bf40 · 2023-08-15T17:01:18.000+03:00
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,3 @@
+FROM openjdk:17
+ADD /target/spring-boot-keycloak-docker-postgres.jar spring-boot-keycloak-docker-postgres.jar
+ENTRYPOINT ["java", "-jar", "spring-boot-keycloak-docker-postgres.jar"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,26 +1,30 @@
 # Docker Compose file Reference (https://docs.docker.com/compose/compose-file/)
-#version: '3.9'
-
-services: # <-- Define services
-  app: # <-- App backend service
-    # This service depends on postgres. Start that first.
+version: '3.9'
+# Define services
+services:
+  # App backend service
+  app:
+    # This service depends on postgres db and keycloak auth. Start that first.
     depends_on:
       db:
         condition: service_healthy
       keycloak:
         condition: service_started
     image: spring-boot-keycloak-docker-postgres:latest
+    build:
+      context: ./
+      dockerfile: "Dockerfile"
     # Give the container the name web-app. You can change to something else.
     container_name: web-app
-    #hostname: web-app
     # Forward the exposed port 8080 on the container to port 8080 on the host machine
     ports:
-      - 8088:8080
+      - "8088:8080"
     networks:
       - backend
-   # entrypoint: [ "java", "-Xms512m", "-Xmx1g", "-jar" ]
-  db: # <-- Database Service (Postgres)
-    # Use the Docker Image postgres. This will pull the 12 version.
+    # entrypoint: [ "java", "-Xms512m", "-Xmx1g", "-jar" ]
+  # Database Service (Postgres)
+  db:
+    # Use the Docker Image postgres. This will pull the 14 version.
     image: postgres:14-alpine
     # Give the container the name postgres-db. You can change to something else.
     container_name: postgres-db
@@ -46,9 +50,10 @@ services: # <-- Define services
   keycloak:
     image: quay.io/keycloak/keycloak:22.0.1
     container_name: keycloak-auth
-    command: start-dev
+    command:
+      - "start-dev"
     ports:
-      - 8180:8080
+      - "8180:8080"
     networks:
       - backend
     environment:
@@ -61,7 +66,7 @@ services: # <-- Define services
       KC_DB_PASSWORD: password
       KC_HEALTH_ENABLED: true
     depends_on:
-        - keycloak-db
+       - keycloak-db
     #volumes:
     #  - /home/keycloak/automobile-realm.json:/opt/keycloak/data/import/automobile-realm.json
   # Database Service (Postgres) for Keycloak
@@ -78,6 +83,8 @@ services: # <-- Define services
       POSTGRES_PASSWORD: password
     networks:
       - backend
+    healthcheck:
+      test: "pg_isready -U keycloak"
 
 networks:
   backend:
diff --git a/pom.xml b/pom.xml
@@ -115,29 +115,26 @@
             </plugin>
 
             <plugin>
-                <groupId>com.spotify</groupId>
+                <groupId>io.fabric8</groupId>
                 <artifactId>docker-maven-plugin</artifactId>
-                <version>1.2.2</version>
-                <configuration>
-                    <imageName>${project.artifactId}</imageName>
-                    <baseImage>openjdk:17</baseImage>
-                    <entryPoint>["java", "-jar", "/${project.build.finalName}.jar"]</entryPoint>
-                    <!-- copy the service's jar file from target into the root directory of the image -->
-                    <resources>
-                        <resource>
-                            <targetPath>/</targetPath>
-                            <directory>${project.build.directory}</directory>
-                            <include>${project.build.finalName}.jar</include>
-                        </resource>
-                    </resources>
-                </configuration>
+                <version>0.43.0</version>
                 <executions>
                     <execution>
-                        <id>build-image</id>
+                        <id>docker-build</id>
                         <phase>package</phase>
                         <goals>
                             <goal>build</goal>
                         </goals>
+                        <configuration>
+                            <images>
+                                <image>
+                                    <name>spring-boot-keycloak-docker-postgres</name>
+                                    <build>
+                                        <dockerFile>${project.basedir}/Dockerfile</dockerFile>
+                                    </build>
+                                </image>
+                            </images>
+                        </configuration>
                     </execution>
                 </executions>
             </plugin>
diff --git a/src/main/java/com/kaluzny/demo/config/SecurityConfig.java b/src/main/java/com/kaluzny/demo/config/SecurityConfig.java
@@ -1,10 +1,15 @@
 package com.kaluzny.demo.config;
 
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.web.SecurityFilterChain;
 
@@ -14,26 +19,39 @@
 
 @Configuration
 @EnableWebSecurity
+//@EnableMethodSecurity
+@RequiredArgsConstructor
 class SecurityConfig {
 
+    @Value("${spring.security.oauth2.resource-server.jwt.jwk-set-uri}")
+    private String jwkSetUri;
+
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
+
         httpSecurity
                 .authorizeHttpRequests(registry -> registry
                         .requestMatchers("/api/**").hasRole("ADMIN")
                         .anyRequest().authenticated()
                 )
                 .oauth2ResourceServer(oauth2Configurer -> oauth2Configurer
-                        .jwt(jwtConfigurer -> jwtConfigurer.jwtAuthenticationConverter(jwt -> {
-                            Map<String, Collection<String>> realmAccess = jwt.getClaim("realm_access");
-                            Collection<String> roles = realmAccess.get("roles");
-                            var grantedAuthorities = roles.stream()
-                                    .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
-                                    .collect(Collectors.toList());
-                            return new JwtAuthenticationToken(jwt, grantedAuthorities);
-                        })))
-        ;
-
+                        .jwt(jwtConfigurer -> jwtConfigurer
+                                .jwtAuthenticationConverter(jwt -> {
+                                    // Map<String, Collection<String>> realmAccess = jwt.getClaim("realm_access");
+                                    Map<String, Collection<String>> realmAccess = jwt.getClaim("resource_access");
+                                    Collection<String> roles = realmAccess.get("roles");
+                                    var grantedAuthorities = roles.stream()
+                                            .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
+                                            .collect(Collectors.toList());
+                                    return new JwtAuthenticationToken(jwt, grantedAuthorities);
+                                }).decoder(jwtDecoder())));
         return httpSecurity.build();
     }
-}
+
+    @Bean
+    public JwtDecoder jwtDecoder() {
+        return NimbusJwtDecoder
+                .withJwkSetUri(jwkSetUri)
+                .jwsAlgorithm(SignatureAlgorithm.RS256).build();
+    }
+}
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -28,31 +28,20 @@ spring:
       resource-server:
         jwt:
           issuer-uri: http://localhost:8180/realms/automobile-realm
-      client:
-        registration:
-          keycloak:
-            client-id: automobile-management-api
-            client-secret: IdaFymmCJaKLhwp1gTnEpBRrE56BLyqy
-            authorization-grant-type: authorization_code
-            redirect-uri: http://localhost:8180/login/oauth2/code/automobile-management-api
-            scope:
-              - openid
-        provider:
-          keycloak:
-            issuer-uri: http://localhost:8180/realms/automobile-realm
+          jwk-set-uri: http://localhost:8180/realms/automobile-realm/protocol/openid-connect/certs
+
 # Logger configuration
 logging:
   pattern:
     console: "%d %-5level %logger : %msg%n"
   level:
-    #org.springframework: debug
-    org.keycloak: info
+    org.springframework: info
     #org.hibernate: debug
 # Server configuration
 server:
   port: 8088 #set your port
-  servlet:
-    context-path: /demo
+  #servlet:
+   # context-path: /demo
 # Swagger configuration
 springdoc:
   swagger-ui:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+FROM openjdk:17`
	`2`	`+ADD /target/spring-boot-keycloak-docker-postgres.jar spring-boot-keycloak-docker-postgres.jar`
	`3`	`+ENTRYPOINT ["java", "-jar", "spring-boot-keycloak-docker-postgres.jar"]`