
Improve integration with Spring Security #3395

Closed
grgrzybek opened this issue Apr 16, 2024 · 3 comments · Fixed by #3457

Comments

@grgrzybek
Contributor

Currently, integration with Spring Security in io.hawt.web.auth.AuthenticationFilter looks roughly like this:

  • check for existence of org.springframework.security.core.SpringSecurityCoreVersion class (Spring Security available)
  • check jakarta.servlet.http.HttpServletRequest#getRemoteUser() - this, when Spring Security is configured, delegates to org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper#getRemoteUser(), which uses org.springframework.security.core.context.SecurityContext#getAuthentication(), which is populated by the entire Spring Security infrastructure (org.springframework.security.web.FilterChainProxy)
  • the remote user is simply put (together with an empty javax.security.auth.Subject) into the session.

However, Spring Security's org.springframework.security.core.Authentication is much more than just user name. For example in (examples/springboot-security) we have:

result = {org.springframework.security.authentication.UsernamePasswordAuthenticationToken@11076} "UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=hawtio, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, CredentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_admin, ROLE_viewer]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=VGRiZ4T__XDL5esYEOzG43rVi_uECFT3_9j5H4V4], Granted Authorities=[ROLE_admin, ROLE_viewer]]"
 authenticated: boolean  = true
 authorities: java.util.Collection  = {java.util.Collections$UnmodifiableRandomAccessList@11078}  size = 2
  0 = {org.springframework.security.core.authority.SimpleGrantedAuthority@11083} "ROLE_admin"
  1 = {org.springframework.security.core.authority.SimpleGrantedAuthority@11084} "ROLE_viewer"
 credentials: java.lang.Object  = null
 details: java.lang.Object  = {org.springframework.security.web.authentication.WebAuthenticationDetails@11079} "WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=VGRiZ4T__XDL5esYEOzG43rVi_uECFT3_9j5H4V4]"
 principal: java.lang.Object  = {org.springframework.security.core.userdetails.User@11077} "org.springframework.security.core.userdetails.User [Username=hawtio, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, CredentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_admin, ROLE_viewer]]"
  accountNonExpired: boolean  = true
  accountNonLocked: boolean  = true
  authorities: java.util.Set  = {java.util.Collections$UnmodifiableSet@11088}  size = 2
   0 = {org.springframework.security.core.authority.SimpleGrantedAuthority@11083} "ROLE_admin"
   1 = {org.springframework.security.core.authority.SimpleGrantedAuthority@11084} "ROLE_viewer"
  credentialsNonExpired: boolean  = true
  enabled: boolean  = true
  password: java.lang.String  = null
  username: java.lang.String  = {@11087} "hawtio"

While Spring Security has a documentation section about JAAS, there's one nice class which isn't mentioned there: org.springframework.security.authentication.jaas.SecurityContextLoginModule.

With this, we can log in using JAAS (we already do a JAAS login in io.hawt.system.Authenticator#doAuthenticate()) using this module, and what we'll get is a kind of transparent translation of the Spring Security token into a JAAS subject.
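The translation described above, as an added example (not code from hawtio or from the issue author): a programmatic JAAS Configuration with SecurityContextLoginModule as its only module, a constructed UsernamePasswordAuthenticationToken standing in for what FilterChainProxy would populate, and a LoginContext login that ends with that Authentication as a principal of the JAAS Subject. The realm name "hawtio-spring" is an assumption made for the example.

```java
import java.util.Collections;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.jaas.SecurityContextLoginModule;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class SpringSecurityToJaasExample {
    // Hypothetical JAAS realm name, used only by this example.
    static final String REALM = "hawtio-spring";
    // Programmatic JAAS Configuration (no login.config file): one REQUIRED module
    // that reads SecurityContextHolder instead of asking a CallbackHandler.
    static Configuration configuration() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!REALM.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        SecurityContextLoginModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
    }
    // JAAS login for whatever Authentication is currently in the SecurityContext.
    // On commit() the module adds that Authentication (a java.security.Principal)
    // to the Subject; with an empty context the login fails with LoginException.
    static Subject loginFromSecurityContext() throws LoginException {
        LoginContext ctx = new LoginContext(REALM, new Subject(), null, configuration());
        ctx.login();
        return ctx.getSubject();
    }
    public static void main(String[] args) throws LoginException {
        // Constructed token standing in for what FilterChainProxy populates at runtime.
        Authentication token = new UsernamePasswordAuthenticationToken("hawtio", null,
                AuthorityUtils.createAuthorityList("ROLE_admin", "ROLE_viewer"));
        SecurityContextHolder.getContext().setAuthentication(token);
        Subject subject = loginFromSecurityContext();
        SecurityContextHolder.clearContext();
        // Roles stay reachable from the translated principal, unlike getRemoteUser().
        Set<Authentication> auths = subject.getPrincipals(Authentication.class);
        auths.forEach(a -> System.out.println(a.getName() + " " + a.getAuthorities()));
    }
}
```

The module also accepts an ignoreMissingAuthentication option, which turns the empty-context case into a silent login failure rather than an exception.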

@tadayosi
Member

@grgrzybek Looks nice, but is it something we can do anything for at hawtio/react? This area/spring-boot label is mainly for the client side Spring Boot plugin and not related to the Spring Boot backend runtime.

@grgrzybek
Contributor Author

Oops, I meant to create it in hawtio/hawtio ;)

@grgrzybek
Contributor Author

grgrzybek commented May 21, 2024

Connecting to self (http://localhost:10001/actuator/jolokia) from Hawtio with Spring Security doesn't work (yet).

  • examples/springboot - connections work
  • examples/springboot-authentication - connections work
  • examples/springboot-security - connections don't work (checking while working on this issue, because it's related)

grgrzybek added a commit that referenced this issue May 22, 2024
fixes #3395)

Signed-off-by: Grzegorz Grzybek <gr.grzybek@gmail.com>
grgrzybek added a commit that referenced this issue May 23, 2024
fixes #3395) (#3457)

Signed-off-by: Grzegorz Grzybek <gr.grzybek@gmail.com>