Use Spring credentials expiration check instead of JWT's

Author: Denis Kokorin

README.md

@@ -0,0 +1,35 @@
+# Spring JWT integration done right
+
+On github you can find many examples how to integrate JWT with Spring.
+
+Many of them use OncePerRequestFilter with custom logic to authenticate user
+ which put Authentication into SecurityContextHolder.
+
+Such solutions IMHO are not beautiful and are error-prone.
+
+This repository shows how to do the same but using standard Spring Security filter:
+ UsernamePasswordAuthenticationFilter and AbstractPreAuthenticatedProcessingFilter
+
+# How to use
+
+## Login (get JWT)
+
+```
+curl -X POST http://localhost:8080/login -v -d username=user -d password=user
+```
+
+Check AUTHORIZATION header
+
+## Invoke (use JWT)
+
+```
+curl http://localhost:8080/greet -H "Authorization: Bearer JWT_YOU_RECEIVED_ON_LOGIN" -v
+```
+
+## Check JWT expiration
+
+Use the following JWT: `eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwiaWF0IjoxNTQ5NjM1NjMyLCJleHAiOjE1NDk2MzU2NDIsImF1dGhvcml0aWVzIjoiUk9MRV9VU0VSIn0.aVJVydkEAO-sJ29_7SveFTDipl2yEcmAIZt-DyB6UV0`:
+
+```
+curl http://localhost:8080/greet -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwiaWF0IjoxNTQ5NjM1NjMyLCJleHAiOjE1NDk2MzU2NDIsImF1dGhvcml0aWVzIjoiUk9MRV9VU0VSIn0.aVJVydkEAO-sJ29_7SveFTDipl2yEcmAIZt-DyB6UV0" -v
+```

pom.xml

@@ -39,6 +39,12 @@
 			<version>${jjwt.version}</version>
 			<scope>runtime</scope>
 		</dependency>
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-jackson</artifactId>
+			<version>${jjwt.version}</version>
+			<scope>runtime</scope>
+		</dependency>
 
 		<dependency>
 			<groupId>org.springframework.boot</groupId>

src/main/java/com/github/kokorin/springjwtdoneright/GreetController.java

@@ -1,21 +1,19 @@
 package com.github.kokorin.springjwtdoneright;
 
+import org.springframework.http.MediaType;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.security.Principal;
 import java.sql.Date;
 import java.util.stream.Collectors;
 
-@RestController("/greet")
+@RestController
 public class GreetController {
-    @RequestMapping(method = RequestMethod.GET, path = "/")
-    public UserDetailsDto greet(@AuthenticationPrincipal Principal principal) {
-        SimpleUserDetails userDetails = (SimpleUserDetails) principal;
-
+    @RequestMapping(method = RequestMethod.GET,path = "/greet", produces = MediaType.APPLICATION_JSON_VALUE)
+    public UserDetailsDto greet(@AuthenticationPrincipal SimpleUserDetails userDetails) {
         return new UserDetailsDto(
                 userDetails.getUsername(),
                 userDetails.getAuthorities().stream()

src/main/java/com/github/kokorin/springjwtdoneright/SimpleAuthenticationUserDetailsService.java renamed to src/main/java/com/github/kokorin/springjwtdoneright/JwtAuthenticationUserDetailsService.java

@@ -6,7 +6,7 @@
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 
-public class SimpleAuthenticationUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
+public class JwtAuthenticationUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
     @Autowired
     private JwtService jwtService;
 

src/main/java/com/github/kokorin/springjwtdoneright/JwtService.java

@@ -41,6 +41,12 @@ public String toJwt(SimpleUserDetails userDetails) {
     public SimpleUserDetails fromJwt(String jwt) {
         Claims claims = (Claims) Jwts.parser()
                 .setSigningKey(key)
+                // Disable expiration check in JWT, never throw ExpiredJwtException
+                // Expiration is controlled by Spring through UserDetails.isCredentialsNonExpired
+                // SimpleUserDetails knows expiration time.
+                // It's checked in  org.springframework.security.core.userdetails.UserDetailsChecker.check()
+                // at org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider.authenticate()
+                .setAllowedClockSkewSeconds(Integer.MAX_VALUE)
                 .parse(jwt)
                 .getBody();
 

src/main/java/com/github/kokorin/springjwtdoneright/WebSecurityConfig.java

@@ -3,9 +3,12 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -18,17 +21,25 @@
 @Configuration
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth
+                .authenticationProvider(daoAuthenticationProvider())
+                .authenticationProvider(preAuthenticationProvider());
+    }
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http
                 .csrf().disable()
 
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+
+                .and()
+
                 .addFilter(usernamePasswordFilter())
                 .addFilter(authenticationFilter())
 
-                .authenticationProvider(preAuthenticationProvider())
-
                 .authorizeRequests()
                 .antMatchers("/login").permitAll()
                 .antMatchers("/**").authenticated();
@@ -80,6 +91,14 @@ public JwtService jwtService() {
         return new JwtService();
     }
 
+    @Bean
+    public AuthenticationProvider daoAuthenticationProvider() {
+        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+        provider.setUserDetailsService(simpleUserDetailsService());
+        provider.setPasswordEncoder(plaintextPasswordEncoder());
+        return provider;
+    }
+
     @Bean
     public AuthenticationProvider preAuthenticationProvider() {
         PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
@@ -92,7 +111,7 @@ public AuthenticationProvider preAuthenticationProvider() {
 
     @Bean
     public AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> preAuthenticatedUserDetailsService() {
-        return new SimpleAuthenticationUserDetailsService();
+        return new JwtAuthenticationUserDetailsService();
     }
 
     @Bean