#12 authentication

- keycloak connected with API Gateway
- keycloak JWT Tokens passed to services

README.md

@@ -190,7 +190,10 @@ kubectl apply -f ms-stock-service/k8s
 
 Users are stored in Keycloak. <br />
 Predefined users: </br>
-Admin:
+Keycloak admin users:
+- admin/admin
+
+</br>Admin role users:
 
 - admin_user_1/admin_user_1 role `admin`
 - admin_user_2/admin_user_2 role `admin`

ms-api-gateway/pom.xml

@@ -22,6 +22,10 @@
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-circuitbreaker-reactor-resilience4j</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.github.resilience4j</groupId>
             <artifactId>resilience4j-micrometer</artifactId>
@@ -38,7 +42,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-redis-reactive</artifactId>
         </dependency>
-
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>

ms-api-gateway/src/main/java/pl/mg/ms/gw/resolvers/ProductKeyResolver.java

@@ -14,7 +14,7 @@ public class ProductKeyResolver implements KeyResolver {
 
     @Override
     public Mono<String> resolve(ServerWebExchange exchange) {
-        log.info("Request from {}", Objects.requireNonNull(exchange.getRequest().getLocalAddress().getHostName()));
+        log.debug("Request from {}", Objects.requireNonNull(exchange.getRequest().getLocalAddress().getHostName()));
         return Mono.just(Objects.requireNonNull(exchange.getRequest().getLocalAddress().getHostName()));
     }
 }

ms-api-gateway/src/main/java/pl/mg/ms/gw/security/WebSecurityConfiguration.java

@@ -0,0 +1,40 @@
+package pl.mg.ms.gw.security;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
+
+@Configuration
+@EnableWebFluxSecurity
+public class WebSecurityConfiguration {
+
+    @Order(1)
+    @Bean
+    SecurityWebFilterChain actuatorHttpSecurity(ServerHttpSecurity http) {
+        http
+                .securityMatcher(new PathPatternParserServerWebExchangeMatcher("/actuator/**"))
+                .authorizeExchange((exchanges) -> exchanges
+                        .anyExchange().permitAll()
+                );
+        return http.build();
+    }
+
+    @Bean
+    SecurityWebFilterChain apiHttpSecurity(ServerHttpSecurity http) {
+        http
+                .securityMatcher(new PathPatternParserServerWebExchangeMatcher("/api/**"))
+                .authorizeExchange((exchanges) -> exchanges
+                        .anyExchange().authenticated()
+                )
+                .oauth2ResourceServer(oAuth2ResourceServerSpec -> oAuth2ResourceServerSpec
+                        .jwt(Customizer.withDefaults()))
+                .csrf(Customizer.withDefaults());
+        return http.build();
+    }
+
+}

ms-api-gateway/src/main/resources/application-docker.yml

@@ -12,6 +12,11 @@ management:
 
 ## API Gateway routes
 spring:
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          jwk-set-uri: http://localhost:8082/realms/ms/protocol/openid-connect/certs
   cloud:
     gateway:
       routes:

ms-api-gateway/src/main/resources/application-local.yml

@@ -12,6 +12,11 @@ management:
 
 ## API Gateway routes
 spring:
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          jwk-set-uri: http://localhost:8082/realms/ms/protocol/openid-connect/certs
   cloud:
     gateway:
       routes:
@@ -89,3 +94,10 @@ spring:
               args:
                 name: cms-api-group-1-cb
                 fallbackUri: forward:/fallback/cms
+
+logging:
+  level:
+    root: INFO
+    pl.mg: DEBUG
+    org.springframework.cloud.gateway: DEBUG
+    org.springframework.security: TRACE

ms-cms-service/pom.xml

@@ -34,6 +34,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+        </dependency>
         <!-- kafka -->
         <dependency>
             <groupId>org.springframework.kafka</groupId>

ms-cms-service/src/main/java/pl/mg/search/cms/config/SecurityConfig.java

@@ -0,0 +1,40 @@
+package pl.mg.search.cms.config;
+
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@EnableWebSecurity
+@Configuration
+public class SecurityConfig {
+
+    @Order(1)
+    @Bean
+    public SecurityFilterChain actuatorHttpSecurity(HttpSecurity http) throws Exception {
+        http
+                .securityMatcher(request -> request.getServletPath().startsWith("/actuator/"))
+                .authorizeHttpRequests((requests) -> requests
+                        .anyRequest().permitAll()
+                );
+        return http.build();
+    }
+
+    @Bean
+    public SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
+        http
+                .securityMatcher(request -> request.getServletPath().startsWith("/api/"))
+                .authorizeHttpRequests((exchanges) -> exchanges
+                        .anyRequest().authenticated()
+                )
+                .oauth2ResourceServer(oAuth2ResourceServerSpec -> oAuth2ResourceServerSpec
+                        .jwt(Customizer.withDefaults()))
+                .csrf(Customizer.withDefaults());
+        return http.build();
+    }
+
+}

ms-cms-service/src/main/java/pl/mg/search/cms/controller/RestSearchController.java

@@ -7,6 +7,9 @@
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -40,7 +43,16 @@ public ResponseEntity<Page<CmsProduct>> filter(
             HttpServletRequest request,
             Pageable page,
             @RequestParam(name = "q") String query
+
     ) {
+
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        String username = authentication.getName();
+        log.debug("user authenticated as: {}", username);
+        org.springframework.security.oauth2.jwt.Jwt jwt = (Jwt) authentication.getPrincipal();
+
+        log.debug(jwt.getSubject());
+
         log.debug("Request: {}", request.getRequestURI());
         Page<CmsProduct> products = repository.findByTitleContainingIgnoreCaseOrDescriptionContainingIgnoreCase(query, query, page);
         return ResponseEntity.ok(products);

ms-cms-service/src/main/resources/application-docker.properties

@@ -0,0 +1 @@
+spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:8082/realms/ms/protocol/openid-connect/certs

ms-cms-service/src/main/resources/application-local.properties

@@ -0,0 +1 @@
+spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:8082/realms/ms/protocol/openid-connect/certs

ms-stock-service/pom.xml

@@ -34,6 +34,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.springframework.data</groupId>
             <artifactId>spring-data-jpa</artifactId>

ms-stock-service/src/main/java/pl/mg/search/stock/config/SecurityConfig.java

@@ -0,0 +1,38 @@
+package pl.mg.search.stock.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@EnableWebSecurity
+@Configuration
+public class SecurityConfig {
+    @Order(1)
+    @Bean
+    public SecurityFilterChain actuatorHttpSecurity(HttpSecurity http) throws Exception {
+        http
+                .securityMatcher(request -> request.getServletPath().startsWith("/actuator/"))
+                .authorizeHttpRequests((requests) -> requests
+                        .anyRequest().permitAll()
+                );
+        return http.build();
+    }
+
+    @Bean
+    public SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
+        http
+                .securityMatcher(request -> request.getServletPath().startsWith("/api/"))
+                .authorizeHttpRequests((exchanges) -> exchanges
+                        .anyRequest().authenticated()
+                )
+                .oauth2ResourceServer(oAuth2ResourceServerSpec -> oAuth2ResourceServerSpec
+                        .jwt(Customizer.withDefaults()))
+                .csrf(Customizer.withDefaults());
+        return http.build();
+    }
+
+}

ms-stock-service/src/main/resources/application-docker.properties

@@ -0,0 +1 @@
+spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:8082/realms/ms/protocol/openid-connect/certs

ms-stock-service/src/main/resources/application-local.properties

@@ -0,0 +1 @@
+spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:8082/realms/ms/protocol/openid-connect/certs