Lesson 10: Securing Microservices with Spring Security

Author: philwebb

Diff for: livelessons-parent/pom.xml

@@ -15,6 +15,7 @@
 	<properties>
 		<main.basedir>../..</main.basedir>
 		<java.version>1.8</java.version>
+		<spring-security-oauth.version>2.0.6.RELEASE</spring-security-oauth.version>
 	</properties>
 	<build>
 		<plugins>

Diff for: livelessons-security/README.adoc

@@ -0,0 +1,9 @@
+:compat-mode:
+= Lesson 10: Securing Microservices With Spring Security
+
+_How to apply security to your microservices._
+
+- link:livelessons-security-basic[Basic Security]
+- link:livelessons-security-sso-auth-server[Single Sign On (Server)]
+- link:livelessons-security-sso-resource[Single Sign On (Resource)]
+- link:livelessons-security-https[HTTPS (TSL/SSL)]

Diff for: livelessons-security/livelessons-security-basic/TODO.txt

@@ -0,0 +1 @@
+https://github.com/SpringOne2GX-2014/microservice-security/blob/master/certs/src/test/java/sample/tomcat/X509ApplicationTests.java

Diff for: livelessons-security/livelessons-security-basic/pom.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>livelessons</groupId>
+		<artifactId>livelessons-security</artifactId>
+		<version>1.0.0-SNAPSHOT</version>
+	</parent>
+	<artifactId>livelessons-security-basic</artifactId>
+	<properties>
+		<main.basedir>../..</main.basedir>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>org.apache.httpcomponents</groupId>
+			<artifactId>httpclient</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-actuator</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-jdbc</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.h2database</groupId>
+			<artifactId>h2</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+</project>

Diff for: livelessons-security/livelessons-security-basic/src/main/java/basic/BasicSecurityApplication.java

@@ -0,0 +1,44 @@
+package basic;
+
+import java.sql.ResultSet;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.RowMapper;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
+
+/**
+ * Demonstrates HTTP basic authentication in action. Try to access the resource
+ * <A href="http://localhost:8080/hi">in your browser</A> and you'll be prompted to supply
+ * a username and password. You can find some sample usernames and passwords in
+ * {@code data.sql}. Similarly, if you try to {@code curl http://localhost:8080/hi},
+ * you'll be prompted for authentication information.
+ */
+@SpringBootApplication
+public class BasicSecurityApplication {
+
+	@Bean
+	public UserDetailsService userDetailsService(JdbcTemplate jdbcTemplate) {
+		// @formatter:off
+		RowMapper<User> userRowMapper = (ResultSet rs, int i) -> new User(
+				rs.getString("ACCOUNT_NAME"),
+				rs.getString("PASSWORD"),
+				rs.getBoolean("ENABLED"),
+				rs.getBoolean("ENABLED"),
+				rs.getBoolean("ENABLED"),
+				rs.getBoolean("ENABLED"),
+				AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN"));
+		return username -> jdbcTemplate.queryForObject(
+				"select * from ACCOUNT where ACCOUNT_NAME = ?", userRowMapper, username);
+		// @formatter:on
+	}
+
+	public static void main(String[] args) {
+		SpringApplication.run(BasicSecurityApplication.class, args);
+	}
+
+}

Diff for: livelessons-security/livelessons-security-basic/src/main/java/basic/CustomGlobalAuthenticationManagerConfiguration.java

@@ -0,0 +1,23 @@
+package basic;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
+import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
+import org.springframework.security.core.userdetails.UserDetailsService;
+
+@Configuration
+@EnableGlobalAuthentication
+public class CustomGlobalAuthenticationManagerConfiguration
+		extends GlobalAuthenticationConfigurerAdapter {
+
+	@Autowired
+	private UserDetailsService userDetailsService;
+
+	@Override
+	public void init(AuthenticationManagerBuilder auth) throws Exception {
+		auth.userDetailsService(this.userDetailsService);
+	}
+
+}

Diff for: livelessons-security/livelessons-security-basic/src/main/java/basic/GreetingsRestController.java

@@ -0,0 +1,21 @@
+package basic;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class GreetingsRestController {
+
+	@RequestMapping("/hi")
+	public Map<String, Object> hi() {
+		Map<String, Object> result = new HashMap<>();
+		result.put("id", UUID.randomUUID().toString());
+		result.put("content", "Hello, world!");
+		return result;
+	}
+
+}

Diff for: livelessons-security/livelessons-security-basic/src/main/resources/application.properties

@@ -0,0 +1,8 @@
+-- users in system
+insert into account(account_name , password) values('jlong', 'spring');
+insert into account(account_name , password) values('pwebb', 'boot');
+
+
+-- oauth client details
+insert into client_details(   client_id, client_secret,  resource_ids,   scopes,   grant_types,                                  authorities)
+                    values(   'acme' ,  'acmesecret',    null,           'read',   'authorization_code,refresh_token,password',  null );

Diff for: livelessons-security/livelessons-security-basic/src/main/resources/data.sql

@@ -0,0 +1,16 @@
+DROP TABLE account if EXISTS ;
+DROP TABLE client_details if EXISTS ;
+
+create table account ( ACCOUNT_NAME varchar(255) not null,
+                      PASSWORD varchar(255 ) not null,
+                      ID serial,
+                      ENABLED bool default true) ;
+
+create table client_details(
+  CLIENT_ID VARCHAR (255) not null unique ,
+  CLIENT_SECRET VARCHAR (255) not null   ,
+  RESOURCE_IDS VARCHAR (255) null ,
+  SCOPES VARCHAR (255) null ,
+  GRANT_TYPES VARCHAR (255) null ,
+  AUTHORITIES VARCHAR (255) null
+);

Diff for: livelessons-security/livelessons-security-basic/src/main/resources/schema.sql

@@ -0,0 +1,74 @@
+package basic;
+
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.test.SpringApplicationConfiguration;
+import org.springframework.boot.test.WebIntegrationTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.web.client.RestTemplate;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@SpringApplicationConfiguration(classes = BasicSecurityApplication.class)
+@WebIntegrationTest(randomPort = true)
+public class BasicSecurityApplicationTests {
+
+	@Value("${local.server.port}")
+	private int port;
+
+	@Autowired
+	private RestTemplate restTemplate;
+
+	@Test
+	public void contextLoaded() throws Throwable {
+		ResponseEntity<String> re = restTemplate
+				.getForEntity("http://localhost:" + port + "/hi", String.class);
+		String actual = re.getBody().trim().toLowerCase();
+		Assert.assertTrue(actual.contains("hello"));
+		System.out.println("received: " + actual);
+	}
+
+	@Configuration
+	public static class BasicAuthRestTemplateConfig {
+
+		private String user = "pwebb", password = "boot";
+
+		@Bean
+		RestTemplate auth() {
+			// credentials
+			UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(
+					this.user, this.password);
+
+			CredentialsProvider credsProvider = new BasicCredentialsProvider();
+			credsProvider.setCredentials(AuthScope.ANY, credentials);
+
+			// set credentialsProvider on httpClient
+			HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
+
+			httpClientBuilder.setDefaultCredentialsProvider(credsProvider);
+			CloseableHttpClient httpClient = httpClientBuilder.build();
+
+			HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(
+					httpClient);
+
+			RestTemplate restTemplate = new RestTemplate();
+			restTemplate.setRequestFactory(factory);
+
+			return restTemplate;
+		}
+	}
+
+}

Diff for: livelessons-security/livelessons-security-basic/src/test/java/basic/BasicSecurityApplicationTests.java

@@ -0,0 +1 @@
+https://github.com/SpringOne2GX-2014/microservice-security/blob/master/certs/src/test/java/sample/tomcat/X509ApplicationTests.java

Diff for: livelessons-security/livelessons-security-https/TODO.txt

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>livelessons</groupId>
+		<artifactId>livelessons-security</artifactId>
+		<version>1.0.0-SNAPSHOT</version>
+	</parent>
+	<artifactId>livelessons-security-https</artifactId>
+	<properties>
+		<main.basedir>../..</main.basedir>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.httpcomponents</groupId>
+			<artifactId>httpclient</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-actuator</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-jdbc</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.h2database</groupId>
+			<artifactId>h2</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+</project>

Diff for: livelessons-security/livelessons-security-https/pom.xml

@@ -0,0 +1,18 @@
+package demo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * This example is lifted <a href=
+ * "https://github.com/SpringOne2GX-2014/microservice-security/blob/master/certs/pom.xml"
+ * > from Dr. Dave Syer's example on microservice security</a>.
+ */
+@SpringBootApplication
+public class BasicHttpsSecurityApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(BasicHttpsSecurityApplication.class, args);
+	}
+
+}

Diff for: livelessons-security/livelessons-security-https/src/main/java/demo/BasicHttpsSecurityApplication.java

@@ -0,0 +1,21 @@
+package demo;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class GreetingsRestController {
+
+	@RequestMapping("/hi")
+	public Map<String, Object> hi() {
+		Map<String, Object> result = new HashMap<>();
+		result.put("id", UUID.randomUUID().toString());
+		result.put("content", "Hello, world!");
+		return result;
+	}
+
+}