feat(oauth2): revalidate access tokens (#4603)
Related to camunda/camunda-bpm-platform#4585. Backported commit f8142ef3e1 from the camunda-bpm-platform repository. Original author: Daniel Kelemen <[email protected]>
1 parent
2179228
commit c21499d
Showing
2 changed files
with
127 additions
and
2 deletions.
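--- a/.../java/org/operaton/bpm/spring/boot/starter/security/oauth2/impl/AuthorizeTokenFilter.java
+++ b/.../java/org/operaton/bpm/spring/boot/starter/security/oauth2/impl/AuthorizeTokenFilter.java
@@ -0,0 +1,116 @@
+/*
+* Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+* under one or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information regarding copyright
+* ownership. Camunda licenses this file to you under the Apache License,
+* Version 2.0; you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.operaton.bpm.spring.boot.starter.security.oauth2.impl;
+
+import jakarta.annotation.Nonnull;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.operaton.bpm.engine.impl.util.ClockUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
+import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
+import org.springframework.security.oauth2.core.OAuth2Token;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.util.Date;
+
+/**
+* Authorize or re-authorize (if required) oauth2 client using {@link OAuth2AuthorizedClientManager}.
+* <ul>
+* <li>If the access token is valid, then does nothing.
+* <li>If the access token is expired, then refreshes it.
+* <li>If authorize failed, then clears the {@link org.springframework.security.core.context.SecurityContext} and {@link jakarta.servlet.http.HttpSession}.
+* </ul>
+* <p>
+* References:
+* <ul>
+* <li> {@link OAuth2AuthorizedClientManager#authorize(OAuth2AuthorizeRequest)}
+* <li> {@link org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider#authorize(OAuth2AuthorizationContext)}
+* <li> {@link org.springframework.security.oauth2.client.DelegatingOAuth2AuthorizedClientProvider#authorize(OAuth2AuthorizationContext)}
+* <li> {@link org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider#authorize(OAuth2AuthorizationContext)}
+* </ul>
+*/
+public class AuthorizeTokenFilter extends OncePerRequestFilter {
+
+private static final Logger logger = LoggerFactory.getLogger(AuthorizeTokenFilter.class);
+private final OAuth2AuthorizedClientManager clientManager;
+
+public AuthorizeTokenFilter(OAuth2AuthorizedClientManager clientManager) {
+this.clientManager = clientManager;
+}
+
+@Override
+protected void doFilterInternal(@Nonnull HttpServletRequest request,
+@Nonnull HttpServletResponse response,
+@Nonnull FilterChain filterChain) throws ServletException, IOException {
+
+Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+if (authentication instanceof OAuth2AuthenticationToken) {
+var token = (OAuth2AuthenticationToken) authentication;
+authorizeToken(token, request, response);
+}
+filterChain.doFilter(request, response);
+}
+
+protected boolean hasTokenExpired(OAuth2Token token) {
+return token.getExpiresAt() == null || ClockUtil.now().after(Date.from(token.getExpiresAt()));
+}
+
+protected void clearContext(HttpServletRequest request) {
+SecurityContextHolder.clearContext();
+try {
+request.getSession().invalidate();
+} catch (Exception ignored) {
+}
+}
+
+protected void authorizeToken(OAuth2AuthenticationToken token,
+HttpServletRequest request,
+HttpServletResponse response) {
+// @formatter:off
+var authRequest = OAuth2AuthorizeRequest
+.withClientRegistrationId(token.getAuthorizedClientRegistrationId())
+.principal(token)
+.attributes(attrs -> {
+attrs.put(HttpServletRequest.class.getName(), request);
+attrs.put(HttpServletResponse.class.getName(), response);
+}).build();
+// @formatter:on
+
+try {
+var res = clientManager.authorize(authRequest);
+if (res == null || hasTokenExpired(res.getAccessToken())) {
+logger.warn("Authorize failed: could not re-authorize expired access token");
+clearContext(request);
+} else {
+logger.debug("Authorize successful, access token expiry: {}", res.getAccessToken().getExpiresAt());
+}
+} catch (OAuth2AuthorizationException e) {
+logger.warn("Authorize failed: {}", e.getMessage());
+clearContext(request);
+}
+}
+}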
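Review bot: When re-authorization fails, `authorizeToken` clears the SecurityContext and invalidates the session (the two `clearContext(request)` calls) but `doFilterInternal` then still falls through to `filterChain.doFilter(request, response)`, so the request continues down the chain with no authentication instead of being rejected; whether something later stops it depends on where this filter is registered, which is not visible in this commit. I would short-circuit right after the `authorizeToken(token, request, response);` call with `if (SecurityContextHolder.getContext().getAuthentication() == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }` (or a redirect to the login entry point) so the outcome does not depend on chain order and keeps the protected `authorizeToken` signature unchanged. A second point: `hasTokenExpired` measures expiry against `ClockUtil.now()`, which, if I read the engine's ClockUtil right, can be overridden at runtime for tests and time-travel scenarios, so moving the engine clock backwards makes an already-expired token look valid to this check while Spring's own provider uses the system clock; `Instant.now().isAfter(token.getExpiresAt())` would keep this security decision tied to real time (and drops the `java.util.Date` conversion). The empty `catch (Exception ignored)` in `clearContext` should at least `logger.debug("Could not invalidate session", ignored)` so a failed invalidation is not silently lost, and note that `request.getSession()` creates a session just to invalidate it when none exists — `request.getSession(false)` with a null check avoids that.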