
Authentication

mangeshdase edited this page Oct 27, 2021 · 2 revisions

Description

Authentication is the process of validating a user's credentials; authorization is the process of checking which privileges that user has to access specific modules of an application.

A simple example of authentication is entering a username and password when you log in to a website. The credentials are verified against the database (or another credential store); if a matching record exists, the user is valid and proceeds to the next step, authorization.

We use JWT (JSON Web Token) authentication. JWT is an open standard for securely transmitting information between parties as a JSON object. JSON Web Tokens are useful in scenarios such as authorization or information exchange, because the key-value pairs they carry are digitally signed and can therefore be verified by the receiving party.

Code Snippet

For the JWT configuration in the project we provide the JWTConfigurer.java class in the security.jwt package:

```java
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class JWTConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {

    private final TokenProvider tokenProvider;

    public JWTConfigurer(TokenProvider tokenProvider) {
        this.tokenProvider = tokenProvider;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Run the JWT filter before the username/password filter, so a request
        // carrying a valid bearer token is authenticated without a form login.
        JWTFilter customFilter = new JWTFilter(tokenProvider);
        http.addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter.class);

        // Only the API documentation endpoints are public; every other request
        // needs an authenticated principal.
        http.authorizeRequests()
            .antMatchers("/swagger-ui/**", "/javainuse-openapi/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

In JWTConfigurer we use the TokenProvider class to create, provide and validate tokens. Its constructor derives the HMAC signing key from the configured secret and prepares the parser that later verifies tokens:

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.ObjectUtils;
import tech.jhipster.config.JHipsterProperties; // JHipster 7 package; older generators use io.github.jhipster.config

public class TokenProvider {
    private final Logger log = LoggerFactory.getLogger(TokenProvider.class);
    private final Key key;
    private final JwtParser jwtParser;
    private final long tokenValidityInMilliseconds;
    private final long tokenValidityInMillisecondsForRememberMe;

    public TokenProvider(JHipsterProperties jHipsterProperties) {
        byte[] keyBytes;
        String secret = jHipsterProperties.getSecurity().getAuthentication().getJwt().getBase64Secret();
        if (!ObjectUtils.isEmpty(secret)) {
            log.debug("Using a Base64-encoded JWT secret key");
            keyBytes = Decoders.BASE64.decode(secret);
        } else {
            log.warn(
                "Warning: the JWT key used is not Base64-encoded. " +
                "We recommend using the `jhipster.security.authentication.jwt.base64-secret` key for optimum security."
            );
            // Fallback: the raw UTF-8 bytes of a human-readable secret become the key,
            // which is only as strong as that string is long and random.
            secret = jHipsterProperties.getSecurity().getAuthentication().getJwt().getSecret();
            keyBytes = secret.getBytes(StandardCharsets.UTF_8);
        }
        key = Keys.hmacShaKeyFor(keyBytes); // picks HS256/384/512 by key length; rejects keys under 256 bits
        jwtParser = Jwts.parserBuilder().setSigningKey(key).build();
        this.tokenValidityInMilliseconds = 1000 * jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds();
        this.tokenValidityInMillisecondsForRememberMe =
            1000 * jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe();
    }
}
```

Using this token we then build the authentication: the parser verifies the signature and expiry, and the subject and authorities claims become the Spring Security principal:

```java
public Authentication getAuthentication(String token) {
    // parseClaimsJws verifies the signature with the configured key and throws
    // on a bad signature, an expired token or an unsupported algorithm.
    Claims claims = jwtParser.parseClaimsJws(token).getBody();

    // AUTHORITIES_KEY names the claim holding the comma-separated authorities.
    Collection<? extends GrantedAuthority> authorities = Arrays
        .stream(claims.get(AUTHORITIES_KEY).toString().split(","))
        .filter(auth -> !auth.trim().isEmpty())
        .map(SimpleGrantedAuthority::new)
        .collect(Collectors.toList());

    User principal = new User(claims.getSubject(), "", authorities);

    return new UsernamePasswordAuthenticationToken(principal, token, authorities);
}
```
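The flow the two TokenProvider snippets above implement, written out as an added example in plain Python (standard library only; this is not the project's code): a token is minted with the page's claim layout (subject, comma-joined authorities, expiry) under an HMAC key decoded from a Base64 secret, and get_authentication repeats the checks parseClaimsJws performs before mapping the authorities. The claim name "auth" and the secret value are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder secret (Base64 of 64 bytes), the shape the base64-secret
# property holds. Not a value from the project.
BASE64_SECRET = base64.b64encode(bytes(range(64))).decode()
AUTHORITIES_KEY = "auth"  # assumed name of the page's AUTHORITIES_KEY claim


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_bytes(base64_secret: str) -> bytes:
    # The Base64 branch of the TokenProvider constructor: decode the secret into raw key bytes.
    return base64.b64decode(base64_secret)


def create_token(key: bytes, subject: str, authorities, validity_seconds: int, now: int) -> str:
    # Claims mirror the page: subject, comma-joined authorities, expiry (seconds since epoch).
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    claims = json.dumps({"sub": subject, AUTHORITIES_KEY: ",".join(authorities),
                         "exp": now + validity_seconds}, separators=(",", ":")).encode()
    signing_input = f"{b64url_encode(header)}.{b64url_encode(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def get_authentication(key: bytes, token: str, now: int):
    """Return {"principal", "authorities"} like getAuthentication(), or None if rejected."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # wrong segment count, bad Base64url or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm and compare the HMAC in constant time, so an unsigned
    # ("alg": "none") or re-signed token is rejected regardless of its claims.
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired, or no expiry claim at all
    authorities = [a for a in str(claims.get(AUTHORITIES_KEY, "")).split(",") if a.strip()]
    return {"principal": claims.get("sub"), "authorities": authorities}
```

The expiry here is in seconds, where the Java code stores validity in milliseconds; jjwt additionally enforces a minimum key length that this stripped-down version does not.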