parent
c2bee61c34
commit
2d1732bec6
|
@ -0,0 +1,26 @@
|
||||||
|
plugins {
|
||||||
|
id 'io.spring.dependency-management' version '1.0.10.RELEASE'
|
||||||
|
id 'org.springframework.boot' version '2.4.0'
|
||||||
|
id "nebula.integtest" version "7.0.9"
|
||||||
|
id 'java'
|
||||||
|
}
|
||||||
|
|
||||||
|
repositories {
|
||||||
|
jcenter()
|
||||||
|
maven { url "https://repo.spring.io/snapshot" }
|
||||||
|
}
|
||||||
|
|
||||||
|
dependencies {
|
||||||
|
implementation 'org.springframework.boot:spring-boot-starter-security'
|
||||||
|
implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
|
||||||
|
implementation 'org.springframework.boot:spring-boot-starter-web'
|
||||||
|
|
||||||
|
implementation 'com.j256.two-factor-auth:two-factor-auth:1.3'
|
||||||
|
|
||||||
|
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
||||||
|
testImplementation 'org.springframework.security:spring-security-test'
|
||||||
|
}
|
||||||
|
|
||||||
|
tasks.withType(Test).configureEach {
|
||||||
|
useJUnitPlatform()
|
||||||
|
}
|
|
@ -0,0 +1,2 @@
|
||||||
|
version=5.5.0-SNAPSHOT
|
||||||
|
spring-security.version=5.5.0-SNAPSHOT
|
BIN
servlet/spring-boot/java/authentication/username-password/mfa/gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
BIN
servlet/spring-boot/java/authentication/username-password/mfa/gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
Binary file not shown.
|
@ -0,0 +1,5 @@
|
||||||
|
distributionBase=GRADLE_USER_HOME
|
||||||
|
distributionPath=wrapper/dists
|
||||||
|
distributionUrl=https\://services.gradle.org/distributions/gradle-6.7-bin.zip
|
||||||
|
zipStoreBase=GRADLE_USER_HOME
|
||||||
|
zipStorePath=wrapper/dists
|
|
@ -0,0 +1,185 @@
|
||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
#
|
||||||
|
# Copyright 2015 the original author or authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
##
|
||||||
|
## Gradle start up script for UN*X
|
||||||
|
##
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
|
# Attempt to set APP_HOME
|
||||||
|
# Resolve links: $0 may be a link
|
||||||
|
PRG="$0"
|
||||||
|
# Need this for relative symlinks.
|
||||||
|
while [ -h "$PRG" ] ; do
|
||||||
|
ls=`ls -ld "$PRG"`
|
||||||
|
link=`expr "$ls" : '.*-> \(.*\)$'`
|
||||||
|
if expr "$link" : '/.*' > /dev/null; then
|
||||||
|
PRG="$link"
|
||||||
|
else
|
||||||
|
PRG=`dirname "$PRG"`"/$link"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
SAVED="`pwd`"
|
||||||
|
cd "`dirname \"$PRG\"`/" >/dev/null
|
||||||
|
APP_HOME="`pwd -P`"
|
||||||
|
cd "$SAVED" >/dev/null
|
||||||
|
|
||||||
|
APP_NAME="Gradle"
|
||||||
|
APP_BASE_NAME=`basename "$0"`
|
||||||
|
|
||||||
|
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
|
||||||
|
|
||||||
|
# Use the maximum available, or set MAX_FD != -1 to use that value.
|
||||||
|
MAX_FD="maximum"
|
||||||
|
|
||||||
|
warn () {
|
||||||
|
echo "$*"
|
||||||
|
}
|
||||||
|
|
||||||
|
die () {
|
||||||
|
echo
|
||||||
|
echo "$*"
|
||||||
|
echo
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# OS specific support (must be 'true' or 'false').
|
||||||
|
cygwin=false
|
||||||
|
msys=false
|
||||||
|
darwin=false
|
||||||
|
nonstop=false
|
||||||
|
case "`uname`" in
|
||||||
|
CYGWIN* )
|
||||||
|
cygwin=true
|
||||||
|
;;
|
||||||
|
Darwin* )
|
||||||
|
darwin=true
|
||||||
|
;;
|
||||||
|
MINGW* )
|
||||||
|
msys=true
|
||||||
|
;;
|
||||||
|
NONSTOP* )
|
||||||
|
nonstop=true
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
|
||||||
|
|
||||||
|
|
||||||
|
# Determine the Java command to use to start the JVM.
|
||||||
|
if [ -n "$JAVA_HOME" ] ; then
|
||||||
|
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
|
||||||
|
# IBM's JDK on AIX uses strange locations for the executables
|
||||||
|
JAVACMD="$JAVA_HOME/jre/sh/java"
|
||||||
|
else
|
||||||
|
JAVACMD="$JAVA_HOME/bin/java"
|
||||||
|
fi
|
||||||
|
if [ ! -x "$JAVACMD" ] ; then
|
||||||
|
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
JAVACMD="java"
|
||||||
|
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Increase the maximum file descriptors if we can.
|
||||||
|
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
|
||||||
|
MAX_FD_LIMIT=`ulimit -H -n`
|
||||||
|
if [ $? -eq 0 ] ; then
|
||||||
|
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
|
||||||
|
MAX_FD="$MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
ulimit -n $MAX_FD
|
||||||
|
if [ $? -ne 0 ] ; then
|
||||||
|
warn "Could not set maximum file descriptor limit: $MAX_FD"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Darwin, add options to specify how the application appears in the dock
|
||||||
|
if $darwin; then
|
||||||
|
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Cygwin or MSYS, switch paths to Windows format before running java
|
||||||
|
if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
|
||||||
|
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
|
||||||
|
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
|
||||||
|
|
||||||
|
JAVACMD=`cygpath --unix "$JAVACMD"`
|
||||||
|
|
||||||
|
# We build the pattern for arguments to be converted via cygpath
|
||||||
|
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
|
||||||
|
SEP=""
|
||||||
|
for dir in $ROOTDIRSRAW ; do
|
||||||
|
ROOTDIRS="$ROOTDIRS$SEP$dir"
|
||||||
|
SEP="|"
|
||||||
|
done
|
||||||
|
OURCYGPATTERN="(^($ROOTDIRS))"
|
||||||
|
# Add a user-defined pattern to the cygpath arguments
|
||||||
|
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
|
||||||
|
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
|
||||||
|
fi
|
||||||
|
# Now convert the arguments - kludge to limit ourselves to /bin/sh
|
||||||
|
i=0
|
||||||
|
for arg in "$@" ; do
|
||||||
|
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
|
||||||
|
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
|
||||||
|
|
||||||
|
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
|
||||||
|
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
|
||||||
|
else
|
||||||
|
eval `echo args$i`="\"$arg\""
|
||||||
|
fi
|
||||||
|
i=`expr $i + 1`
|
||||||
|
done
|
||||||
|
case $i in
|
||||||
|
0) set -- ;;
|
||||||
|
1) set -- "$args0" ;;
|
||||||
|
2) set -- "$args0" "$args1" ;;
|
||||||
|
3) set -- "$args0" "$args1" "$args2" ;;
|
||||||
|
4) set -- "$args0" "$args1" "$args2" "$args3" ;;
|
||||||
|
5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
|
||||||
|
6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
|
||||||
|
7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
|
||||||
|
8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
|
||||||
|
9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Escape application args
|
||||||
|
save () {
|
||||||
|
for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
|
||||||
|
echo " "
|
||||||
|
}
|
||||||
|
APP_ARGS=`save "$@"`
|
||||||
|
|
||||||
|
# Collect all arguments for the java command, following the shell quoting and substitution rules
|
||||||
|
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
|
||||||
|
|
||||||
|
exec "$JAVACMD" "$@"
|
|
@ -0,0 +1,104 @@
|
||||||
|
@rem
|
||||||
|
@rem Copyright 2015 the original author or authors.
|
||||||
|
@rem
|
||||||
|
@rem Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
@rem you may not use this file except in compliance with the License.
|
||||||
|
@rem You may obtain a copy of the License at
|
||||||
|
@rem
|
||||||
|
@rem https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
@rem
|
||||||
|
@rem Unless required by applicable law or agreed to in writing, software
|
||||||
|
@rem distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
@rem See the License for the specific language governing permissions and
|
||||||
|
@rem limitations under the License.
|
||||||
|
@rem
|
||||||
|
|
||||||
|
@if "%DEBUG%" == "" @echo off
|
||||||
|
@rem ##########################################################################
|
||||||
|
@rem
|
||||||
|
@rem Gradle startup script for Windows
|
||||||
|
@rem
|
||||||
|
@rem ##########################################################################
|
||||||
|
|
||||||
|
@rem Set local scope for the variables with windows NT shell
|
||||||
|
if "%OS%"=="Windows_NT" setlocal
|
||||||
|
|
||||||
|
set DIRNAME=%~dp0
|
||||||
|
if "%DIRNAME%" == "" set DIRNAME=.
|
||||||
|
set APP_BASE_NAME=%~n0
|
||||||
|
set APP_HOME=%DIRNAME%
|
||||||
|
|
||||||
|
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
|
||||||
|
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
|
||||||
|
|
||||||
|
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
|
||||||
|
|
||||||
|
@rem Find java.exe
|
||||||
|
if defined JAVA_HOME goto findJavaFromJavaHome
|
||||||
|
|
||||||
|
set JAVA_EXE=java.exe
|
||||||
|
%JAVA_EXE% -version >NUL 2>&1
|
||||||
|
if "%ERRORLEVEL%" == "0" goto init
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:findJavaFromJavaHome
|
||||||
|
set JAVA_HOME=%JAVA_HOME:"=%
|
||||||
|
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
|
||||||
|
|
||||||
|
if exist "%JAVA_EXE%" goto init
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:init
|
||||||
|
@rem Get command-line arguments, handling Windows variants
|
||||||
|
|
||||||
|
if not "%OS%" == "Windows_NT" goto win9xME_args
|
||||||
|
|
||||||
|
:win9xME_args
|
||||||
|
@rem Slurp the command line arguments.
|
||||||
|
set CMD_LINE_ARGS=
|
||||||
|
set _SKIP=2
|
||||||
|
|
||||||
|
:win9xME_args_slurp
|
||||||
|
if "x%~1" == "x" goto execute
|
||||||
|
|
||||||
|
set CMD_LINE_ARGS=%*
|
||||||
|
|
||||||
|
:execute
|
||||||
|
@rem Setup the command line
|
||||||
|
|
||||||
|
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
|
||||||
|
|
||||||
|
|
||||||
|
@rem Execute Gradle
|
||||||
|
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
|
||||||
|
|
||||||
|
:end
|
||||||
|
@rem End local scope for the variables with windows NT shell
|
||||||
|
if "%ERRORLEVEL%"=="0" goto mainEnd
|
||||||
|
|
||||||
|
:fail
|
||||||
|
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
|
||||||
|
rem the _cmd.exe /c_ return code!
|
||||||
|
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
|
||||||
|
exit /b 1
|
||||||
|
|
||||||
|
:mainEnd
|
||||||
|
if "%OS%"=="Windows_NT" endlocal
|
||||||
|
|
||||||
|
:omega
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1,75 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonCreator;
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A custom user representation.
|
||||||
|
*
|
||||||
|
* @author Rob Winch
|
||||||
|
*/
|
||||||
|
public class CustomUser {
|
||||||
|
|
||||||
|
private final long id;
|
||||||
|
|
||||||
|
private final String email;
|
||||||
|
|
||||||
|
@JsonIgnore
|
||||||
|
private final String password;
|
||||||
|
|
||||||
|
@JsonIgnore
|
||||||
|
private final String secret;
|
||||||
|
|
||||||
|
@JsonIgnore
|
||||||
|
private final String answer;
|
||||||
|
|
||||||
|
@JsonCreator
|
||||||
|
public CustomUser(long id, String email, String password, String secret, String answer) {
|
||||||
|
this.id = id;
|
||||||
|
this.email = email;
|
||||||
|
this.password = password;
|
||||||
|
this.secret = secret;
|
||||||
|
this.answer = answer;
|
||||||
|
}
|
||||||
|
|
||||||
|
public CustomUser(CustomUser user) {
|
||||||
|
this(user.id, user.email, user.password, user.secret, user.answer);
|
||||||
|
}
|
||||||
|
|
||||||
|
public long getId() {
|
||||||
|
return this.id;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getEmail() {
|
||||||
|
return this.email;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getPassword() {
|
||||||
|
return this.password;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getSecret() {
|
||||||
|
return this.secret;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getAnswer() {
|
||||||
|
return this.answer;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,23 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
public interface CustomUserRepository {
|
||||||
|
|
||||||
|
CustomUser findCustomUserByEmail(String email);
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,89 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import java.util.Collection;
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
|
import org.springframework.security.core.authority.AuthorityUtils;
|
||||||
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
|
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||||
|
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||||
|
import org.springframework.stereotype.Service;
|
||||||
|
|
||||||
|
@Service
|
||||||
|
public class CustomUserRepositoryUserDetailsService implements UserDetailsService {
|
||||||
|
|
||||||
|
private final CustomUserRepository userRepository;
|
||||||
|
|
||||||
|
public CustomUserRepositoryUserDetailsService(CustomUserRepository userRepository) {
|
||||||
|
this.userRepository = userRepository;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
|
||||||
|
CustomUser customUser = this.userRepository.findCustomUserByEmail(username);
|
||||||
|
if (customUser == null) {
|
||||||
|
throw new UsernameNotFoundException("username " + username + " is not found");
|
||||||
|
}
|
||||||
|
return new CustomUserDetails(customUser);
|
||||||
|
}
|
||||||
|
|
||||||
|
static final class CustomUserDetails extends CustomUser implements UserDetails {
|
||||||
|
|
||||||
|
private static final List<GrantedAuthority> ROLE_USER = Collections
|
||||||
|
.unmodifiableList(AuthorityUtils.createAuthorityList("ROLE_USER"));
|
||||||
|
|
||||||
|
CustomUserDetails(CustomUser customUser) {
|
||||||
|
super(customUser);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Collection<? extends GrantedAuthority> getAuthorities() {
|
||||||
|
return ROLE_USER;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getUsername() {
|
||||||
|
return getEmail();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isAccountNonExpired() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isAccountNonLocked() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isCredentialsNonExpired() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isEnabled() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,34 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
public class MapCustomUserRepository implements CustomUserRepository {
|
||||||
|
|
||||||
|
private final Map<String, CustomUser> emailToCustomUser;
|
||||||
|
|
||||||
|
public MapCustomUserRepository(Map<String, CustomUser> emailToCustomUser) {
|
||||||
|
this.emailToCustomUser = emailToCustomUser;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public CustomUser findCustomUserByEmail(String email) {
|
||||||
|
return this.emailToCustomUser.get(email);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,71 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import org.springframework.boot.SpringApplication;
|
||||||
|
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||||
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.security.crypto.codec.Hex;
|
||||||
|
import org.springframework.security.crypto.encrypt.BytesEncryptor;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Hello Security application.
|
||||||
|
*
|
||||||
|
* @author Josh Cummings
|
||||||
|
*/
|
||||||
|
@SpringBootApplication
|
||||||
|
public class MfaApplication {
|
||||||
|
|
||||||
|
public static void main(String[] args) {
|
||||||
|
SpringApplication.run(MfaApplication.class, args);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
MapCustomUserRepository userRepository(BytesEncryptor encryptor) {
|
||||||
|
// the hashed password was calculated using the following code
|
||||||
|
// the hash should be done up front, so malicious users cannot discover the
|
||||||
|
// password
|
||||||
|
// PasswordEncoder encoder =
|
||||||
|
// PasswordEncoderFactories.createDelegatingPasswordEncoder();
|
||||||
|
// String encodedPassword = encoder.encode("password");
|
||||||
|
|
||||||
|
// the raw password is "password"
|
||||||
|
String encodedPassword = "{bcrypt}$2a$10$h/AJueu7Xt9yh3qYuAXtk.WZJ544Uc2kdOKlHu2qQzCh/A3rq46qm";
|
||||||
|
|
||||||
|
// to sync your phone with the Google Authenticator secret, hand enter the value
|
||||||
|
// in base32Key
|
||||||
|
// String base32Key = "QDWSM3OYBPGTEVSPB5FKVDM3CSNCWHVK";
|
||||||
|
// Base32 base32 = new Base32();
|
||||||
|
// byte[] b = base32.decode(base32Key);
|
||||||
|
// String secret = Hex.encodeHexString(b);
|
||||||
|
|
||||||
|
String hexSecret = "80ed266dd80bcd32564f0f4aaa8d9b149a2b1eaa";
|
||||||
|
String encrypted = new String(Hex.encode(encryptor.encrypt(hexSecret.getBytes())));
|
||||||
|
|
||||||
|
// the raw security answer is "smith"
|
||||||
|
String encodedSecurityAnswer = "{bcrypt}$2a$10$JIXMjAszy3RUu8y5T0zH0enGJCGumI8YE.K7w3wsM5xXDfeVIsJhq";
|
||||||
|
|
||||||
|
CustomUser customUser = new CustomUser(1L, "user@example.com", encodedPassword, encrypted,
|
||||||
|
encodedSecurityAnswer);
|
||||||
|
Map<String, CustomUser> emailToCustomUser = new HashMap<>();
|
||||||
|
emailToCustomUser.put(customUser.getEmail(), customUser);
|
||||||
|
return new MapCustomUserRepository(emailToCustomUser);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,60 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
|
|
||||||
|
import org.springframework.security.authentication.AbstractAuthenticationToken;
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
import org.springframework.security.core.CredentialsContainer;
|
||||||
|
|
||||||
|
public class MfaAuthentication extends AbstractAuthenticationToken {
|
||||||
|
|
||||||
|
private final Authentication first;
|
||||||
|
|
||||||
|
public MfaAuthentication(Authentication first) {
|
||||||
|
super(Collections.emptyList());
|
||||||
|
this.first = first;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object getPrincipal() {
|
||||||
|
return this.first.getPrincipal();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object getCredentials() {
|
||||||
|
return this.first.getCredentials();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void eraseCredentials() {
|
||||||
|
if (this.first instanceof CredentialsContainer) {
|
||||||
|
((CredentialsContainer) this.first).eraseCredentials();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isAuthenticated() {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Authentication getFirst() {
|
||||||
|
return this.first;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,72 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.springframework.security.authentication.AnonymousAuthenticationToken;
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
import org.springframework.security.core.AuthenticationException;
|
||||||
|
import org.springframework.security.core.authority.AuthorityUtils;
|
||||||
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
|
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
||||||
|
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
|
||||||
|
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* An authentication handler that saves an authentication either way.
|
||||||
|
*
|
||||||
|
* The reason for this is so that the rest of the factors are collected, even if earlier
|
||||||
|
* factors failed.
|
||||||
|
*
|
||||||
|
* @author Josh Cummings
|
||||||
|
*/
|
||||||
|
public class MfaAuthenticationHandler implements AuthenticationSuccessHandler, AuthenticationFailureHandler {
|
||||||
|
|
||||||
|
private final AuthenticationSuccessHandler successHandler;
|
||||||
|
|
||||||
|
public MfaAuthenticationHandler(String url) {
|
||||||
|
SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler(url);
|
||||||
|
successHandler.setAlwaysUseDefaultTargetUrl(true);
|
||||||
|
this.successHandler = successHandler;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
|
||||||
|
AuthenticationException exception) throws IOException, ServletException {
|
||||||
|
Authentication anonymous = new AnonymousAuthenticationToken("key", "anonymousUser",
|
||||||
|
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
|
||||||
|
saveMfaAuthentication(request, response, new MfaAuthentication(anonymous));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
|
||||||
|
Authentication authentication) throws IOException, ServletException {
|
||||||
|
saveMfaAuthentication(request, response, authentication);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void saveMfaAuthentication(HttpServletRequest request, HttpServletResponse response,
|
||||||
|
Authentication authentication) throws IOException, ServletException {
|
||||||
|
SecurityContextHolder.getContext().setAuthentication(new MfaAuthentication(authentication));
|
||||||
|
this.successHandler.onAuthenticationSuccess(request, response, authentication);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,129 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import java.security.SecureRandom;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.springframework.security.authentication.BadCredentialsException;
|
||||||
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
|
import org.springframework.security.crypto.codec.Hex;
|
||||||
|
import org.springframework.security.crypto.encrypt.BytesEncryptor;
|
||||||
|
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||||
|
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
||||||
|
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
|
||||||
|
import org.springframework.stereotype.Controller;
|
||||||
|
import org.springframework.web.bind.annotation.GetMapping;
|
||||||
|
import org.springframework.web.bind.annotation.PostMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RequestParam;
|
||||||
|
|
||||||
|
@Controller
|
||||||
|
public class MfaController {
|
||||||
|
|
||||||
|
private final MfaService mfaService;
|
||||||
|
|
||||||
|
private final BytesEncryptor encryptor;
|
||||||
|
|
||||||
|
private final PasswordEncoder encoder;
|
||||||
|
|
||||||
|
private final AuthenticationSuccessHandler successHandler;
|
||||||
|
|
||||||
|
private final AuthenticationFailureHandler failureHandler;
|
||||||
|
|
||||||
|
private final String failedAuthenticationSecret;
|
||||||
|
|
||||||
|
private final String failedAuthenticationSecurityAnswer;
|
||||||
|
|
||||||
|
public MfaController(MfaService mfaService, BytesEncryptor encryptor, PasswordEncoder encoder,
|
||||||
|
AuthenticationSuccessHandler successHandler, AuthenticationFailureHandler failureHandler) {
|
||||||
|
|
||||||
|
this.mfaService = mfaService;
|
||||||
|
this.encryptor = encryptor;
|
||||||
|
this.encoder = encoder;
|
||||||
|
this.successHandler = successHandler;
|
||||||
|
this.failureHandler = failureHandler;
|
||||||
|
|
||||||
|
this.failedAuthenticationSecret = randomValue();
|
||||||
|
this.failedAuthenticationSecurityAnswer = this.encoder.encode(randomValue());
|
||||||
|
}
|
||||||
|
|
||||||
|
@GetMapping("/second-factor")
|
||||||
|
public String requestSecondFactor() {
|
||||||
|
return "second-factor";
|
||||||
|
}
|
||||||
|
|
||||||
|
@PostMapping("/second-factor")
|
||||||
|
public void processSecondFactor(@RequestParam("code") String code, MfaAuthentication authentication,
|
||||||
|
HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||||
|
MfaAuthenticationHandler handler = new MfaAuthenticationHandler("/third-factor");
|
||||||
|
String secret = getSecret(authentication);
|
||||||
|
if (this.mfaService.check(secret, code)) {
|
||||||
|
handler.onAuthenticationSuccess(request, response, authentication.getFirst());
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
handler.onAuthenticationFailure(request, response, new BadCredentialsException("bad credentials"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@GetMapping("/third-factor")
|
||||||
|
public String requestThirdFactor() {
|
||||||
|
return "third-factor";
|
||||||
|
}
|
||||||
|
|
||||||
|
@PostMapping("/third-factor")
|
||||||
|
public void processThirdFactor(@RequestParam("answer") String answer, MfaAuthentication authentication,
|
||||||
|
HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||||
|
String encodedAnswer = getAnswer(authentication);
|
||||||
|
if (this.encoder.matches(answer, encodedAnswer)) {
|
||||||
|
SecurityContextHolder.getContext().setAuthentication(authentication.getFirst());
|
||||||
|
this.successHandler.onAuthenticationSuccess(request, response, authentication.getFirst());
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
this.failureHandler.onAuthenticationFailure(request, response,
|
||||||
|
new BadCredentialsException("bad credentials"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private String getSecret(MfaAuthentication authentication) throws Exception {
|
||||||
|
if (authentication.getPrincipal() instanceof CustomUser) {
|
||||||
|
CustomUser user = (CustomUser) authentication.getPrincipal();
|
||||||
|
byte[] bytes = Hex.decode(user.getSecret());
|
||||||
|
return new String(this.encryptor.decrypt(bytes));
|
||||||
|
}
|
||||||
|
// earlier factor failed
|
||||||
|
return this.failedAuthenticationSecret;
|
||||||
|
}
|
||||||
|
|
||||||
|
private String getAnswer(MfaAuthentication authentication) {
|
||||||
|
if (authentication.getPrincipal() instanceof CustomUser) {
|
||||||
|
CustomUser user = (CustomUser) authentication.getPrincipal();
|
||||||
|
return user.getAnswer();
|
||||||
|
}
|
||||||
|
// earlier factor failed
|
||||||
|
return this.failedAuthenticationSecurityAnswer;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String randomValue() {
|
||||||
|
SecureRandom random = new SecureRandom();
|
||||||
|
byte[] bytes = new byte[20];
|
||||||
|
random.nextBytes(bytes);
|
||||||
|
return new String(Hex.encode(bytes));
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,37 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
|
||||||
|
import com.j256.twofactorauth.TimeBasedOneTimePasswordUtil;
|
||||||
|
|
||||||
|
import org.springframework.stereotype.Service;
|
||||||
|
|
||||||
|
@Service
|
||||||
|
public class MfaService {
|
||||||
|
|
||||||
|
public boolean check(String hexKey, String code) {
|
||||||
|
try {
|
||||||
|
return TimeBasedOneTimePasswordUtil.validateCurrentNumberHex(hexKey, Integer.parseInt(code), 10000);
|
||||||
|
}
|
||||||
|
catch (GeneralSecurityException ex) {
|
||||||
|
throw new IllegalArgumentException(ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,37 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import org.springframework.security.authentication.AuthenticationTrustResolver;
|
||||||
|
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
public class MfaTrustResolver implements AuthenticationTrustResolver {
|
||||||
|
|
||||||
|
private final AuthenticationTrustResolver delegate = new AuthenticationTrustResolverImpl();
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isAnonymous(Authentication authentication) {
|
||||||
|
return this.delegate.isAnonymous(authentication) || authentication instanceof MfaAuthentication;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isRememberMe(Authentication authentication) {
|
||||||
|
return this.delegate.isRememberMe(authentication);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,94 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import javax.crypto.KeyGenerator;
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.security.authorization.AuthorizationDecision;
|
||||||
|
import org.springframework.security.authorization.AuthorizationManager;
|
||||||
|
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.crypto.encrypt.AesBytesEncryptor;
|
||||||
|
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
|
||||||
|
import org.springframework.security.crypto.keygen.KeyGenerators;
|
||||||
|
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||||
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
|
import org.springframework.security.web.access.ExceptionTranslationFilter;
|
||||||
|
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
|
||||||
|
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
||||||
|
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
|
||||||
|
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
|
||||||
|
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
public class SecurityConfig {
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
SecurityFilterChain web(HttpSecurity http,
|
||||||
|
AuthorizationManager<RequestAuthorizationContext> mfaAuthorizationManager) throws Exception {
|
||||||
|
MfaAuthenticationHandler mfaAuthenticationHandler = new MfaAuthenticationHandler("/second-factor");
|
||||||
|
http.authorizeHttpRequests((authz) -> authz.mvcMatchers("/second-factor", "/third-factor")
|
||||||
|
.access(mfaAuthorizationManager).anyRequest().authenticated())
|
||||||
|
.formLogin((form) -> form.successHandler(mfaAuthenticationHandler)
|
||||||
|
.failureHandler(mfaAuthenticationHandler))
|
||||||
|
.exceptionHandling((exceptions) -> exceptions
|
||||||
|
.withObjectPostProcessor(new ObjectPostProcessor<ExceptionTranslationFilter>() {
|
||||||
|
@Override
|
||||||
|
public <O extends ExceptionTranslationFilter> O postProcess(O filter) {
|
||||||
|
filter.setAuthenticationTrustResolver(new MfaTrustResolver());
|
||||||
|
return filter;
|
||||||
|
}
|
||||||
|
}));
|
||||||
|
|
||||||
|
return http.build();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
AuthorizationManager<RequestAuthorizationContext> mfaAuthorizationManager() {
|
||||||
|
return (authentication,
|
||||||
|
context) -> new AuthorizationDecision(authentication.get() instanceof MfaAuthentication);
|
||||||
|
}
|
||||||
|
|
||||||
|
// for the second-factor
|
||||||
|
@Bean
|
||||||
|
AesBytesEncryptor encryptor() throws Exception {
|
||||||
|
KeyGenerator generator = KeyGenerator.getInstance("AES");
|
||||||
|
generator.init(128);
|
||||||
|
SecretKey key = generator.generateKey();
|
||||||
|
return new AesBytesEncryptor(key, KeyGenerators.secureRandom(12), AesBytesEncryptor.CipherAlgorithm.GCM);
|
||||||
|
}
|
||||||
|
|
||||||
|
// for the third-factor
|
||||||
|
@Bean
|
||||||
|
PasswordEncoder encoder() {
|
||||||
|
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
AuthenticationSuccessHandler successHandler() {
|
||||||
|
return new SavedRequestAwareAuthenticationSuccessHandler();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
AuthenticationFailureHandler failureHandler() {
|
||||||
|
return new SimpleUrlAuthenticationFailureHandler("/login?error");
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,9 @@
|
||||||
|
<html xmlns:th="https://www.thymeleaf.org">
|
||||||
|
<head>
|
||||||
|
<title>Hello Security!</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<h1>Hello Security</h1>
|
||||||
|
<a th:href="@{/logout}">Log Out</a>
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -0,0 +1,24 @@
|
||||||
|
<!--
|
||||||
|
~ Copyright 2021 the original author or authors.
|
||||||
|
~
|
||||||
|
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
~ you may not use this file except in compliance with the License.
|
||||||
|
~ You may obtain a copy of the License at
|
||||||
|
~
|
||||||
|
~ https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
~
|
||||||
|
~ Unless required by applicable law or agreed to in writing, software
|
||||||
|
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
~ See the License for the specific language governing permissions and
|
||||||
|
~ limitations under the License.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
|
||||||
|
<body>
|
||||||
|
<form th:action="@{/second-factor}" method="post">
|
||||||
|
<input name="code" placeholder="Enter Code"/>
|
||||||
|
<input type="submit" value="Submit"/>
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -0,0 +1,24 @@
|
||||||
|
<!--
|
||||||
|
~ Copyright 2021 the original author or authors.
|
||||||
|
~
|
||||||
|
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
~ you may not use this file except in compliance with the License.
|
||||||
|
~ You may obtain a copy of the License at
|
||||||
|
~
|
||||||
|
~ https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
~
|
||||||
|
~ Unless required by applicable law or agreed to in writing, software
|
||||||
|
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
~ See the License for the specific language governing permissions and
|
||||||
|
~ limitations under the License.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
|
||||||
|
<body>
|
||||||
|
<form th:action="@{/third-factor}" method="post">
|
||||||
|
<input name="answer" placeholder="Mother's Maiden Name"/>
|
||||||
|
<input type="submit" value="Submit"/>
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -0,0 +1,188 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpSession;
|
||||||
|
|
||||||
|
import com.j256.twofactorauth.TimeBasedOneTimePasswordUtil;
|
||||||
|
import org.junit.jupiter.api.Test;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
|
||||||
|
import org.springframework.boot.test.context.SpringBootTest;
|
||||||
|
import org.springframework.mock.web.MockHttpSession;
|
||||||
|
import org.springframework.test.web.servlet.MockMvc;
|
||||||
|
import org.springframework.test.web.servlet.MvcResult;
|
||||||
|
|
||||||
|
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
|
||||||
|
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||||
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||||
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||||
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author Rob Winch
|
||||||
|
*/
|
||||||
|
@SpringBootTest
|
||||||
|
@AutoConfigureMockMvc
|
||||||
|
public class MfaApplicationTests {
|
||||||
|
|
||||||
|
private static final String hexKey = "80ed266dd80bcd32564f0f4aaa8d9b149a2b1eaa";
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private MockMvc mockMvc;
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void mfaWhenAllFactorsSucceedMatchesThenWorks() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
MvcResult result = this.mockMvc.perform(formLogin()
|
||||||
|
.user("user@example.com")
|
||||||
|
.password("password"))
|
||||||
|
.andExpect(redirectedUrl("/second-factor"))
|
||||||
|
.andReturn();
|
||||||
|
|
||||||
|
HttpSession session = result.getRequest().getSession();
|
||||||
|
|
||||||
|
Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
|
||||||
|
this.mockMvc.perform(post("/second-factor")
|
||||||
|
.session((MockHttpSession) session)
|
||||||
|
.param("code", String.valueOf(code))
|
||||||
|
.with(csrf()))
|
||||||
|
.andExpect(redirectedUrl("/third-factor"));
|
||||||
|
|
||||||
|
this.mockMvc.perform(post("/third-factor")
|
||||||
|
.session((MockHttpSession) session)
|
||||||
|
.param("answer", "smith")
|
||||||
|
.with(csrf()))
|
||||||
|
.andExpect(redirectedUrl("/"));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void mfaWhenBadCredsThenStillRequestsRemainingFactorsAndRedirects() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
MvcResult result = this.mockMvc.perform(formLogin()
|
||||||
|
.user("user@example.com")
|
||||||
|
.password("wrongpassword"))
|
||||||
|
.andExpect(redirectedUrl("/second-factor"))
|
||||||
|
.andReturn();
|
||||||
|
|
||||||
|
HttpSession session = result.getRequest().getSession();
|
||||||
|
|
||||||
|
Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
|
||||||
|
this.mockMvc.perform(post("/second-factor")
|
||||||
|
.session((MockHttpSession) session)
|
||||||
|
.param("code", String.valueOf(code))
|
||||||
|
.with(csrf()))
|
||||||
|
.andExpect(redirectedUrl("/third-factor"));
|
||||||
|
|
||||||
|
this.mockMvc.perform(post("/third-factor")
|
||||||
|
.session((MockHttpSession) session)
|
||||||
|
.param("answer", "smith")
|
||||||
|
.with(csrf()))
|
||||||
|
.andExpect(redirectedUrl("/login?error"));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void mfaWhenWrongCodeThenRedirects() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
MvcResult result = this.mockMvc.perform(formLogin()
|
||||||
|
.user("user@example.com")
|
||||||
|
.password("password"))
|
||||||
|
.andExpect(redirectedUrl("/second-factor"))
|
||||||
|
.andReturn();
|
||||||
|
|
||||||
|
HttpSession session = result.getRequest().getSession();
|
||||||
|
|
||||||
|
Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey) - 1;
|
||||||
|
this.mockMvc.perform(post("/second-factor")
|
||||||
|
.session((MockHttpSession) session)
|
||||||
|
.param("code", String.valueOf(code))
|
||||||
|
.with(csrf()))
|
||||||
|
.andExpect(redirectedUrl("/third-factor"));
|
||||||
|
|
||||||
|
this.mockMvc.perform(post("/third-factor")
|
||||||
|
.session((MockHttpSession) session)
|
||||||
|
.param("answer", "smith")
|
||||||
|
.with(csrf()))
|
||||||
|
.andExpect(redirectedUrl("/login?error"));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void mfaWhenWrongSecurityAnswerThenRedirects() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
MvcResult result = this.mockMvc.perform(formLogin()
|
||||||
|
.user("user@example.com")
|
||||||
|
.password("password"))
|
||||||
|
.andExpect(redirectedUrl("/second-factor"))
|
||||||
|
.andReturn();
|
||||||
|
|
||||||
|
HttpSession session = result.getRequest().getSession();
|
||||||
|
|
||||||
|
Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
|
||||||
|
this.mockMvc.perform(post("/second-factor")
|
||||||
|
.session((MockHttpSession) session)
|
||||||
|
.param("code", String.valueOf(code))
|
||||||
|
.with(csrf()))
|
||||||
|
.andExpect(redirectedUrl("/third-factor"));
|
||||||
|
|
||||||
|
this.mockMvc.perform(post("/third-factor")
|
||||||
|
.session((MockHttpSession) session)
|
||||||
|
.param("answer", "wilson")
|
||||||
|
.with(csrf()))
|
||||||
|
.andExpect(redirectedUrl("/login?error"));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void mfaWhenInProcessThenCantViewOtherPages() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
MvcResult result = this.mockMvc.perform(formLogin()
|
||||||
|
.user("user@example.com")
|
||||||
|
.password("password"))
|
||||||
|
.andExpect(redirectedUrl("/second-factor"))
|
||||||
|
.andReturn();
|
||||||
|
|
||||||
|
HttpSession session = result.getRequest().getSession();
|
||||||
|
|
||||||
|
this.mockMvc.perform(get("/")
|
||||||
|
.session((MockHttpSession) session))
|
||||||
|
.andExpect(redirectedUrl("http://localhost/login"));
|
||||||
|
|
||||||
|
result = this.mockMvc.perform(formLogin()
|
||||||
|
.user("user@example.com")
|
||||||
|
.password("password"))
|
||||||
|
.andExpect(redirectedUrl("/second-factor"))
|
||||||
|
.andReturn();
|
||||||
|
|
||||||
|
session = result.getRequest().getSession();
|
||||||
|
|
||||||
|
Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
|
||||||
|
this.mockMvc.perform(post("/second-factor")
|
||||||
|
.session((MockHttpSession) session)
|
||||||
|
.param("code", String.valueOf(code))
|
||||||
|
.with(csrf()))
|
||||||
|
.andExpect(redirectedUrl("/third-factor"));
|
||||||
|
|
||||||
|
this.mockMvc.perform(get("/")
|
||||||
|
.session((MockHttpSession) session))
|
||||||
|
.andExpect(redirectedUrl("http://localhost/login"));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -40,6 +40,7 @@ include ":servlet:java-configuration:hello-security"
|
||||||
include ":servlet:java-configuration:hello-security-explicit"
|
include ":servlet:java-configuration:hello-security-explicit"
|
||||||
include ":servlet:java-configuration:max-sessions"
|
include ":servlet:java-configuration:max-sessions"
|
||||||
include ":servlet:spring-boot:java:authentication:username-password:user-details-service:custom-user"
|
include ":servlet:spring-boot:java:authentication:username-password:user-details-service:custom-user"
|
||||||
|
include ":servlet:spring-boot:java:authentication:username-password:mfa"
|
||||||
include ":servlet:spring-boot:java:hello"
|
include ":servlet:spring-boot:java:hello"
|
||||||
include ":servlet:spring-boot:java:hello-security"
|
include ":servlet:spring-boot:java:hello-security"
|
||||||
include ":servlet:spring-boot:java:hello-security-explicit"
|
include ":servlet:spring-boot:java:hello-security-explicit"
|
||||||
|
@ -52,4 +53,4 @@ include ":servlet:spring-boot:java:oauth2:resource-server:opaque"
|
||||||
include ":servlet:spring-boot:java:oauth2:resource-server:static"
|
include ":servlet:spring-boot:java:oauth2:resource-server:static"
|
||||||
include ":servlet:spring-boot:java:oauth2:webclient"
|
include ":servlet:spring-boot:java:oauth2:webclient"
|
||||||
include ":servlet:spring-boot:java:saml2-login"
|
include ":servlet:spring-boot:java:saml2-login"
|
||||||
include ":servlet:spring-boot:kotlin:hello-security"
|
include ":servlet:spring-boot:kotlin:hello-security"
|
||||||
|
|
Loading…
Reference in New Issue