jdb/new-life-songs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implemented token-based API authentication.

Browse Source 
Replaced the ApiKey concept with ephemeral tokens. Users and apps obtain a
token by authenticating the user credentials (to be implemented). The service
then generates a temporary token that is stored by the client and sent with
every request using the `Authorization-Token` header. The server verifies this
token to recognize and authenticate the request. With an authenticated user,
the server can use the user's role to authorize requests.

This implementation uses JSR 250 SecurityContext and security annotations.
This commit is contained in:
Jonathan Bernard 2015-03-02 21:20:25 -06:00
parent 38e0432c1e
commit 83a0f7275c
9 changed files with 141 additions and 16 deletions

7
src/main/groovy/com/jdbernard/nlsongs/model/ApiKey.groovy

@ -1,7 +0,0 @@
package com.jdbernard.nlsongs.model
public class ApiKey implements Serializable {
String key
String description
}

3
src/main/groovy/com/jdbernard/nlsongs/model/Role.java Normal file

@ -0,0 +1,3 @@
package com.jdbernard.nlsongs.model;
public enum Role { admin, user }

17
src/main/groovy/com/jdbernard/nlsongs/model/Token.groovy Normal file

@ -0,0 +1,17 @@
package com.jdbernard.nlsongs.model
public class Token implements Serializable {
String token
User user
Date expires
@Override
public boolean equals(Object thatObj) {
if (thatObj == null) return false
if (!(thatObj instanceof Token)) return false
Token that = (Token) thatObj
return (this.token == that?.token) }
}

9
src/main/groovy/com/jdbernard/nlsongs/model/User.groovy

@ -1,8 +1,17 @@
package com.jdbernard.nlsongs.model
import com.lambdaworks.crypto.SCryptUtil
public class User {
int id
String username
String pwd
Role role
public void setPwd(String pwd) {
this.pwd = SCryptUtil.scrypt(pwd, 16384, 16, 1) }
public boolean checkPwd(String givenPwd) {
return SCryptUtil.check(this.pwd, givenPwd) }
}

43
src/main/groovy/com/jdbernard/nlsongs/rest/security/NLSongsSecurityContext.groovy Normal file

@ -0,0 +1,43 @@
package com.jdbernard.nlsongs.rest.security
import java.security.Principal
import javax.ws.rs.container.ContainerRequestContext
import javax.ws.rs.core.SecurityContext
import com.jdbernard.nlsongs.model.Role
import com.jdbernard.nlsongs.model.Token
import com.jdbernard.nlsongs.servlet.NLSongsContext
public class NLSongsSecurityContext implements SecurityContext {
public final TokenPrincipal principal
public NLSongsSecurityContext(ContainerRequestContext ctx) {
// Extract the authentication token (if present)
String tokenVal = ctx.getHeaderString("Authorization-Token")
// Look up the token in the database.
Token token = NLSongsContext.songsDB.findToken(tokenVal)
// Create our principal based on this token.
this.principal = new TokenPrincipal(token)
}
@Override
public String getAuthenticationScheme() { return "Authentication-Token" }
@Override
public Principal getUserPrincipal() { return principal }
@Override
public boolean isSecure() { /* TODO */ return false }
@Override
public boolean isUserInRole(String role) {
println "Required Role: $role"
println "User's Role: ${principal?.token?.user?.role}"
println "Required Role == User's Role? ${principal?.token?.user?.role == ((Role)role)} "
return principal?.token?.user?.role == ((Role) role) }
}

17
src/main/groovy/com/jdbernard/nlsongs/rest/security/SecurityRequestFilter.java Normal file

@ -0,0 +1,17 @@
package com.jdbernard.nlsongs.rest.security;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.ext.Provider;
import com.jdbernard.nlsongs.servlet.NLSongsContext;
@Provider
@PreMatching
public class SecurityRequestFilter implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext reqCtx) {
reqCtx.setSecurityContext(new NLSongsSecurityContext(reqCtx)); }
}

35
src/main/groovy/com/jdbernard/nlsongs/rest/security/TokenPrincipal.java Normal file

@ -0,0 +1,35 @@
package com.jdbernard.nlsongs.rest.security;
import java.security.Principal;
import com.jdbernard.nlsongs.model.Token;
public class TokenPrincipal implements Principal {
public final Token token;
public TokenPrincipal(Token token) { this.token = token; }
@Override
public boolean equals(Object thatObj) {
if (thatObj == null) return false;
if (!(thatObj instanceof TokenPrincipal)) return false;
TokenPrincipal that = (TokenPrincipal) thatObj;
if (this.token == null) { return that.token == null; }
else { return this.token.equals(that.token); } }
@Override
public String getName() {
if (this.token == null) return null;
else return this.token.getUser().getUsername(); }
@Override
public int hashCode() {
if (this.token == null) return 0;
return this.token.getUser().getUsername().hashCode(); }
@Override
public String toString() { return getName(); }
}

21
src/main/sql/create-db.sql

@ -46,15 +46,18 @@ CREATE TABLE IF NOT EXISTS performances (
FOREIGN KEY (song_id) REFERENCES songs (id));
DROP TABLE IF EXISTS api_keys;
CREATE TABLE IF NOT EXISTS api_keys (
key VARCHAR(32) NOT NULL,
description VARCHAR(256) NOT NULL,
PRIMARY KEY (key));
DROP TABLE IF EXISTS users;
CREATE TABLE IF NOT EXISTS users (
id SERIAL,
username VARCHAR(64),
pwd VARCHAR(80));
username VARCHAR(64) UNIQUE NOT NULL,
pwd VARCHAR(80),
role VARCHAR(16) NOT NULL,
PRIMARY KEY (id));
DROP TABLE IF EXISTS tokens;
CREATE TABLE IF NOT EXISTS tokens (
token VARCHAR(64),
user_id INTEGER NOT NULL,
expires TIMESTAMP NOT NULL,
PRIMARY KEY (token),
FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE);

5
src/main/webapp/WEB-INF/web.xml

@ -21,6 +21,11 @@
<param-value>com.jdbernard.nlsongs.rest</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.provider.classnames</param-name>
<param-value>org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>