eclipse-tractusx / managed-identity-wallet

Apache License 2.0

Feature: BPN authorisation validation #278

Closed borisrizov-zf closed 2 months ago

borisrizov-zf commented 6 months ago

Description

The MIW currently hosts a method called getBPNFromToken which is hidden away in a controller base class. For the purposes of Catena-X, the BPN number will always be present in the JWT provided for authorisation, which means we can use the spring-security facilities to ensure that we don't even go near the business logic, unless a BPN claim is provided.

The task is to remove the base controller and add a validator to the security filter chain which will intercept the validated JWT and validate it has a BPN claim.

This is also a great opportunity to fix the injection of Principal into various methods. The correct way would be to use the spring class Authentication (sub-class of the java Principal).

The relevant information is provided in the spring-security resource server JWT docs: https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html

One way which would work is to provide a custom @Bean jwtDecoder and inject our validator there.

Sidenote: This will guarantee that developers can use the Authentication injection and directly read the BPN claim, without doing any extra checks, which will, in turn, clean up the code quite a lot.

Acceptance Criteria
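
One way to wire the validator described above into the resource-server filter chain, as an added example rather than code from the managed-identity-wallet project: a custom `OAuth2TokenValidator<Jwt>` that fails any token without a BPN claim, chained after Spring's default checks inside a custom `JwtDecoder` bean. The claim name `bpn`, the JWK set URI and the issuer are placeholders, not values from the issue.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/** Rejects an otherwise valid JWT that carries no usable BPN claim. */
class BpnClaimValidator implements OAuth2TokenValidator<Jwt> {
    // Claim name is an assumption; use whatever the Catena-X issuer emits.
    static final String BPN_CLAIM = "bpn";

    private static final OAuth2Error MISSING_BPN = new OAuth2Error(
            OAuth2ErrorCodes.INVALID_TOKEN, "JWT does not contain a BPN claim", null);

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        String bpn = jwt.getClaimAsString(BPN_CLAIM);
        if (bpn == null || bpn.isBlank()) {
            // A failure here is turned into a 401 by the resource-server filter,
            // so no controller runs for a token that lacks a BPN.
            return OAuth2TokenValidatorResult.failure(MISSING_BPN);
        }
        return OAuth2TokenValidatorResult.success();
    }
}

@Configuration
class JwtDecoderConfig {
    @Bean
    JwtDecoder jwtDecoder() {
        // Placeholder endpoints; in practice these come from application properties.
        String issuer = "https://issuer.example";
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withJwkSetUri(issuer + "/.well-known/jwks.json").build();
        // Keep the default timestamp and issuer checks and chain the BPN check after them.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuer);
        decoder.setJwtValidator(
                new DelegatingOAuth2TokenValidator<>(defaults, new BpnClaimValidator()));
        return decoder;
    }
}
```

With this in place a controller can inject `Authentication` (a `JwtAuthenticationToken`, whose `getToken()` returns the validated `Jwt`) and read the BPN claim without re-checking its presence.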

nitin-vavdiya commented 6 months ago

Maybe we can utilise the existing CustomAuthenticationConverter and return a subclass of JwtAuthenticationToken (which takes BPN as a constructor argument), and we can directly inject this in the controller when needed.

borisrizov-zf commented 6 months ago

Hi @nitin-vavdiya,

this isn't needed, as the Authentication object is already a rich JWT object, which means there's no need to do extra work in the converter.