Skip to main content

How to create spring boot rest app and authenticate with cognito of AWS

Recently, just put all staff done to create a fundamental work to migrate the existing system to aws beanstalk. The main reason to use beanstalk is because that the current system used spring+java. Beanstalk will be make it easy to handle the serverless environment to save the company cost.

1. Write the basic spring boot rest application, I created 2 controller, one for authenticate to fetch te token and one DemoController to support general resource request using Bearer Token of Cognito.
@RestController
public class AuthController {
@Autowired
private CognitoService cognitoService;
private static Logger logger = LoggerFactory.getLogger(AuthController.class);
@GetMapping("auth")
public ResponseEntity<?> fetchToken(@RequestHeader(value = "Authorization") String basicAndencodedUserPassword) throws AuthenticationException {
try {
StringTokenizer encodedUserPasswordTokenizer = new StringTokenizer(basicAndencodedUserPassword, " ");
encodedUserPasswordTokenizer.nextToken();
final String encodedUserPassword = encodedUserPasswordTokenizer.nextToken();
String usernameAndPassword = new String(Base64.getDecoder().decode(encodedUserPassword));
final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":");
final String username = tokenizer.nextToken();
final String password = tokenizer.nextToken();
AuthenticationResultType authResult = cognitoService.login(username, password);
if(StringUtils.isEmpty(authResult.getAccessToken())) {
return Result.fail("failed to authenticate with " + basicAndencodedUserPassword, HttpStatus.UNAUTHORIZED);
}
return Result.ok(authResult);
} catch (Exception e) {
//return Result.fail(AUTH_ERROR.withMessage("failed to authenticate with " + basicAndencodedUserPassword));
logger.error("failed to authenticate with " + basicAndencodedUserPassword, e);
return Result.fail("failed to authenticate with " + basicAndencodedUserPassword, HttpStatus.UNAUTHORIZED);
}
}
}
view raw AuthController.java hosted with ❤ by GitHub
DemoController:
@RestController
public class DemoController {
private static Logger logger = LoggerFactory.getLogger(DemoController.class);
@GetMapping("demo")
public ResponseEntity<?> demo() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
return Result.ok(authentication);
}
}
view raw DemoController.java hosted with ❤ by GitHub


2.Configure to set the public access to /auth and secured access to /demo
@Configuration
@ComponentScan
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private JwtAuthenticationFilter jwtRequestFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors();
http.authorizeRequests()
.antMatchers("/auth").permitAll()
.antMatchers("/health").permitAll()
.anyRequest().authenticated();
http.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint);
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// Add a filter to validate the tokens with every request
http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
}
view raw SecurityConfig.java hosted with ❤ by GitHub
The SecurityConfig.java above also defined the JWTAuthenticateEntryPoint to handle the validation error case and JwtAuthenticationFilter to do the validation based on cognito Bearer token.
JWTAuthenticateEntryPoint:
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
// This is invoked when user tries to access a secured REST resource without supplying any credentials
// We should just send a 401 Unauthorized response because there is no 'login page' to redirect to
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
}
}
view raw JwtAuthenticationEntryPoint.java hosted with ❤ by GitHub
JwtAuthenticationFilter:
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Autowired
private CognitoService cognitoService;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
final String requestTokenHeader = request.getHeader("Authorization");
// JWT Token is in the form "Bearer token". Remove Bearer word and get
// only the Token
if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) {
String jwtToken = requestTokenHeader.substring(7);
try {
GetUserResult user = cognitoService.verifyUserByToken(jwtToken);
List<GrantedAuthority> granites = user.getUserAttributes().stream()
.map(attr -> new CognitoGrantedAuthority(attr.getName(), attr.getValue())).collect(Collectors.toList());
SecurityContextHolder.getContext()
.setAuthentication(new UsernamePasswordAuthenticationToken(user.getUsername(), jwtToken, granites));
} catch (Exception e) {
logger.error("failed to verfy user by token:", e);
}
} else {
logger.warn("JWT Token does not begin with Bearer String");
}
filterChain.doFilter(request, response);
}
}
view raw JwtAuthenticationFilter.java hosted with ❤ by GitHub
The line 18 set the credential back to requestContext as the global context which is used by DemoController above.

3. Start the spring boot server, and run the test, assuming you had done for your CognitoServic implementation.
For life easy purpose, I use port 5000 since Elastic Beanstalks use 5000 as the default port for mapping.

@SpringBootApplication
public class RestServicesApplication {
public static void main(String[] args) {
SpringApplication app = new SpringApplication(RestServicesApplication.class);
app.setDefaultProperties(Collections
.singletonMap("server.port", "5000"));
app.run(args);
}
}
view raw RestServicesApplication.java hosted with ❤ by GitHub
4. follow up aws official doc to upload the jar you built with gradle, if you compile with JDK 11 and make sure to use corretto 11 Evn during the configuration(very important). Also to enable Load balancer to scalability purpose for real production usage.

5. After that we should be all set to run now.

Comments

Post a Comment

Popular posts from this blog

How to fix "ValueError when trying to compile python module with VC Express"

When I tried to compile the python, I always get compile issue as following: ------------ ... File "C:\Python26\lib\ distutils\msvc9compiler.py ", line 358, in initialize vc_env = query_vcvarsall(VERSION, plat_spec) File "C:\Python26\lib\ distutils\msvc9compiler.py ", line 274, in query_vcvarsall raise ValueError(str(list(result.keys()))) ValueError: [u'path'] --------------------- Python community discussed a lot but no solution: http://bugs.python.org/issue7511 The root cause is because the latest visual studio change the *.bat file a lot especially on 64bit env. The python 2.7 didn't update the path accordingly. Based on the assumption above, the following solution worked for me. To install Visual Studio 2008 Express Edition with all required components: 1. Install Microsoft Visual Studio 2008 Express Edition. The main Visual Studio 2008 Express installer is available from (the C++ installer name is vcsetup.exe): https://ww...
21 comments
Read more

How to convert the ResultSet to Stream

Java 8 provided the Stream family and easy operation of it. The way of pipeline usage made the code clear and smart. However, ResultSet is still go with very legacy way to process. Per actual ResultSet usage, it is really helpful if converted as Stream. Here is the simple usage of above: StreamUtils.uncheckedConsumer is required to convert the the SQLException to runtimeException to make the Lamda clear.
Post a Comment
Read more

How to run odoo(openerp8) in IDE from source on windows

1. install python 2.7 (per openerp8's official doc, python 27 is required.) 2. download get-pip.py from https://bootstrap.pypa.io/get-pip.py , execute the command: python get-pip.py 3. get source of openerp8 from https://github.com/odoo/odoo.git 4. execute the command: pip install -r D:\source_code\odoo\openerp8/requirements.txt . (requirements.txt contains all dependencies. ) The pip will install the python module automatically. However, the real world always bring us the issues because our C++ compile environment is not setup correctly.  we will get the link error when pip try to install psycopg2 (driver to access postgresql db.). Go to  http://www.stickpeople.com/projects/python/win-psycopg/  and choose the compiled binary file directly. For Python-ldap, go to  http://www.lfd.uci.edu/~gohlke/pythonlibs/ 5. Finally, go to http://sourceforge.net/projects/pywin32/files/pywin32 and choose correct version for python-win32service. 6. If you are family with...
5 comments
Read more