spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

How to create filter after OAuth2 success Authentication #805

Open ismorodin opened 8 years ago

ismorodin commented 8 years ago

How do I create a filter after a successful OAuth2 authentication? I need to receive a value from the token and validate it. I'm using a custom UserAuthenticationConverter:

import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Sort;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.stereotype.Component;

// Client, AuthSession, TokenPayload, ClientService, SessionService and
// PersonAuthenticationToken are the poster's own application classes (not shown).

@Component
public class PersonAuthenticationConverter extends DefaultUserAuthenticationConverter {

    private static final String TOKEN_PAYLOAD = "tokenPayload";

    @Autowired
    private ClientService clientService;

    @Autowired
    private SessionService sessionService;

    // Called when a token is issued: adds the extra payload to the token's claims
    // next to the user name and authorities written by the default converter.
    @Override
    public Map<String, ?> convertUserAuthentication(Authentication authentication) {
        @SuppressWarnings("unchecked")
        Map<String, Object> result = (Map<String, Object>) super.convertUserAuthentication(authentication);
        final Client client = clientService.findByLogin(authentication.getName());
        final AuthSession session = sessionService.findLastAuthSessionByIdClient(client.getId(), new Sort(Sort.Direction.DESC, "dateIns"));
        final TokenPayload.TokenPayloadBuilder payloadBuilder = TokenPayload.builder();
        payloadBuilder.cuid(client.getCuid());
        if (session != null) {
            // dfp is the device fingerprint; note that a log-rounds value of 4 is the
            // lowest cost factor BCrypt accepts (the library default is 10)
            payloadBuilder.dfpHash(BCrypt.hashpw(session.getDfpHash(), BCrypt.gensalt(4)));
        }
        result.put(TOKEN_PAYLOAD, payloadBuilder.build());
        return result;
    }

    // Called when a token is decoded: rebuilds the Authentication and carries the
    // payload (deserialized as a nested map) into the application's own token type.
    @Override
    public Authentication extractAuthentication(Map<String, ?> map) {
        UsernamePasswordAuthenticationToken authentication = (UsernamePasswordAuthenticationToken) super.extractAuthentication(map);
        if (authentication != null) {
            return new PersonAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), authentication.getAuthorities(), (LinkedHashMap) map.get(TOKEN_PAYLOAD));
        }
        return null;
    }
}
dsyer commented 8 years ago

Can you describe the scenario a bit more (UserAuthenticationConverter is used in a few places)? What do you need to validate, and when?

klyall commented 7 years ago

The scenario I have is a Spring Boot application secured by Spring Security OAuth SSO using Github.

I would like to restrict access to the application to members of a specific Github org.

Is the above code along the right lines?

Thanks.

dsyer commented 7 years ago

@klyall I don't think so. It would be easier to use one of the *Extractor strategies in spring boot (https://github.com/spring-projects/spring-boot/tree/1.5.x/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource), probably. There's always more than one way to do things, but the code above is aware of the client details service which is not a client app concern.
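To make the *Extractor suggestion concrete for klyall's scenario (a Spring Boot 1.5 app using @EnableOAuth2Sso with GitHub, restricted to one organization), here is an added example; it is not code from this thread or from the spring-security-oauth project. It assumes the OAuth2RestOperations bean that @EnableOAuth2Sso registers, a hypothetical package and org name ("example-org"), and that the client requests the read:org scope so GitHub's /user/orgs endpoint lists private memberships as well as public ones.

```java
package com.example.sso; // hypothetical package

import java.util.List;
import java.util.Map;

import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.client.OAuth2RestOperations;

/**
 * Grants ROLE_USER only to GitHub users who belong to the required organization
 * and fails the login for everyone else. Registered as a bean, it is picked up by
 * Spring Boot 1.5's UserInfoTokenServices, which calls it with the JSON map that
 * the configured user-info URI (https://api.github.com/user) returned.
 */
public class GitHubOrgAuthoritiesExtractor implements AuthoritiesExtractor {

    // /user/orgs lists the token owner's organizations, including private
    // memberships, when the token carries read:org. The organizations_url found in
    // the /user payload would only show public memberships.
    private static final String USER_ORGS = "https://api.github.com/user/orgs";
    private static final ParameterizedTypeReference<List<Map<String, Object>>> ORG_LIST =
            new ParameterizedTypeReference<List<Map<String, Object>>>() {};

    private final OAuth2RestOperations github; // attaches the user's access token
    private final String requiredOrg;

    public GitHubOrgAuthoritiesExtractor(OAuth2RestOperations github, String requiredOrg) {
        this.github = github;
        this.requiredOrg = requiredOrg;
    }

    @Override
    public List<GrantedAuthority> extractAuthorities(Map<String, Object> userInfo) {
        List<Map<String, Object>> orgs = github
                .exchange(USER_ORGS, HttpMethod.GET, null, ORG_LIST)
                .getBody();
        if (!isMember(orgs, requiredOrg)) {
            // Throwing an AuthenticationException here makes the SSO filter treat the
            // login as failed instead of admitting a user with no authorities.
            throw new BadCredentialsException("GitHub user " + userInfo.get("login")
                    + " is not a member of " + requiredOrg);
        }
        return AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");
    }

    /** Pure membership check, kept separate so it can be unit-tested without GitHub. */
    static boolean isMember(List<Map<String, Object>> orgs, String requiredOrg) {
        if (orgs == null) {
            return false;
        }
        for (Map<String, Object> org : orgs) {
            // Compare the stable "login" slug, not the display name; GitHub logins
            // are unique case-insensitively.
            Object login = org.get("login");
            if (login instanceof String && requiredOrg.equalsIgnoreCase((String) login)) {
                return true;
            }
        }
        return false;
    }
}

@Configuration
class GitHubOrgConfig {
    // "example-org" is a placeholder for the real organization slug.
    @Bean
    public AuthoritiesExtractor authoritiesExtractor(OAuth2RestOperations oauth2RestTemplate) {
        return new GitHubOrgAuthoritiesExtractor(oauth2RestTemplate, "example-org");
    }
}
```

Two caveats when wiring this up: the scope must be requested at login (security.oauth2.client.scope=read:org, alongside whatever else the app needs), and an organization that has enabled third-party OAuth application restrictions must approve the OAuth app, otherwise it will not appear in /user/orgs and legitimate members will be rejected. The check lives entirely in the client application and never touches a client details service, which is the distinction dsyer draws above.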