Closed borisrizov-zf closed 2 months ago
Maybe we can utilise the existing `CustomAuthenticationConverter` and return a subclass of `JwtAuthenticationToken` (which takes the BPN as a constructor argument), and we can directly inject this in the controller when needed.
Hi @nitin-vavdiya,

this isn't needed, as the `Authentication` object is already a rich JWT object, which means there's no need to do extra work in the converter.
Description
The MIW currently hosts a method called `getBPNFromToken`, which is hidden away in a controller base class. For the purposes of Catena-X, the BPN number will always be present in the JWT provided for authorisation, which means we can use the spring-security facilities to ensure that we don't even go near the business logic unless a BPN claim is provided. The task is to remove the base controller and add a validator to the security filter chain which will intercept the validated JWT and validate that it has a BPN claim.
This is also a great opportunity to fix the injection of `Principal` into various methods. The correct way would be to use the spring class `Authentication` (a sub-class of the java `Principal`). The relevant information is provided in the spring-security resource server JWT docs: https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html
One way which would work is to provide a custom `@Bean` jwtDecoder and inject our validator there.

Sidenote: This will guarantee that developers can use the `Authentication` injection and directly read the BPN claim, without doing any extra checks, which will, in turn, clean up the code quite a lot.

Acceptance Criteria
`Principal` changed to `Authentication`
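The following is an added illustration of the approach the description sketches; it is not code from the MIW project or from this issue's author. It assumes Spring Boot 3 / Spring Security 6, that the claim is literally named `bpn` (the issue only says "BPN claim"), that the JWK-set and issuer URIs are configured under the standard Boot resource-server properties, and that the package name and the `/api/whoami` endpoint are hypothetical. A custom `JwtDecoder` bean wraps the default timestamp and issuer validators together with a BPN-claim validator, so a token without the claim is rejected in the filter chain with a 401 before any controller runs, and the controller then injects `Authentication` directly instead of going through a base class.

```java
// Added example (not MIW code): enforce a BPN claim in the JwtDecoder and
// read it from the injected Authentication. Assumptions: Spring Security 6,
// the claim is named "bpn", and the standard Boot resource-server properties
// are set. Package and endpoint names are hypothetical.
package org.example.bpn;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/** Rejects any otherwise-valid JWT that carries no usable BPN claim. */
final class BpnClaimValidator implements OAuth2TokenValidator<Jwt> {
    static final String BPN_CLAIM = "bpn"; // assumed claim name

    private static final OAuth2Error MISSING_BPN = new OAuth2Error(
            "invalid_token", "Required claim '" + BPN_CLAIM + "' is missing", null);

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        String bpn = jwt.getClaimAsString(BPN_CLAIM);
        if (bpn == null || bpn.isBlank()) {
            // A failure here makes the resource-server filter answer 401
            // before any controller method is reached.
            return OAuth2TokenValidatorResult.failure(MISSING_BPN);
        }
        return OAuth2TokenValidatorResult.success();
    }
}

@Configuration
class JwtSecurityConfig {

    /** Custom JwtDecoder bean: default signature/expiry/issuer checks plus the BPN check. */
    @Bean
    JwtDecoder jwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") String jwkSetUri,
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuerUri) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        OAuth2TokenValidator<Jwt> withBpn = new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuerUri), // timestamp + issuer validators
                new BpnClaimValidator());
        decoder.setJwtValidator(withBpn);
        return decoder;
    }

    /** Boot picks up the JwtDecoder bean above for oauth2ResourceServer().jwt(). */
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

@RestController
class WalletController {

    /** Spring MVC injects the Authentication directly (it is a Principal); no base class needed. */
    @GetMapping("/api/whoami") // hypothetical endpoint
    ResponseEntity<String> whoAmI(Authentication authentication) {
        JwtAuthenticationToken token = (JwtAuthenticationToken) authentication;
        // No null check needed: the decoder already refused tokens without the claim.
        String bpn = token.getToken().getClaimAsString(BpnClaimValidator.BPN_CLAIM);
        return ResponseEntity.ok(bpn);
    }
}
```

The validator is composed with `JwtValidators.createDefaultWithIssuer` rather than replacing it, so the usual expiry and issuer checks stay in place; only the additional BPN requirement is layered on top.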