BAEL-1418 - spring security with extra login fields (#3413)

* BAEL-1418 - spring security with extra login fields

* change delimeter for username/domain concatenation

* remove unnecessary class

* move source to spring-5-security module

* finish moving example code to spring-5-security module

* fix formatting in pom

* adjust spacing

spring-5-security/pom.xml

@@ -30,6 +30,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.thymeleaf.extras</groupId>
+			<artifactId>thymeleaf-extras-springsecurity4</artifactId>
+		</dependency>
 
 		<!-- oauth2 -->
 		<dependency>
@@ -40,6 +44,21 @@
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-oauth2-jose</artifactId>
 		</dependency>
+
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-test</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
 	</dependencies>
 
 	<build>

spring-5-security/src/main/java/com/baeldung/securityextrafields/CustomAuthenticationFilter.java

@@ -0,0 +1,54 @@
+package com.baeldung.securityextrafields;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
+
+    public static final String SPRING_SECURITY_FORM_DOMAIN_KEY = "domain";
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) 
+        throws AuthenticationException {
+
+        if (!request.getMethod()
+            .equals("POST")) {
+            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
+        }
+
+        UsernamePasswordAuthenticationToken authRequest = getAuthRequest(request);
+        setDetails(request, authRequest);
+        return this.getAuthenticationManager()
+            .authenticate(authRequest);
+    }
+
+    private UsernamePasswordAuthenticationToken getAuthRequest(HttpServletRequest request) {
+        String username = obtainUsername(request);
+        String password = obtainPassword(request);
+        String domain = obtainDomain(request);
+
+        if (username == null) {
+            username = "";
+        }
+        if (password == null) {
+            password = "";
+        }
+        if (domain == null) {
+            domain = "";
+        }
+
+        String usernameDomain = String.format("%s%s%s", username.trim(), 
+            String.valueOf(Character.LINE_SEPARATOR), domain);
+        return new UsernamePasswordAuthenticationToken(usernameDomain, password);        
+    }
+
+    private String obtainDomain(HttpServletRequest request) {
+        return request.getParameter(SPRING_SECURITY_FORM_DOMAIN_KEY);
+    }
+}

spring-5-security/src/main/java/com/baeldung/securityextrafields/CustomUserDetailsService.java

@@ -0,0 +1,32 @@
+package com.baeldung.securityextrafields;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+
+@Service("userDetailsService")
+public class CustomUserDetailsService implements UserDetailsService {
+
+    private final UserRepository userRepository;
+ 
+    public CustomUserDetailsService(UserRepository userRepository) {
+        this.userRepository = userRepository;
+    }
+
+    @Override
+    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+        String[] usernameAndDomain = StringUtils.split(username, String.valueOf(Character.LINE_SEPARATOR));
+        if (usernameAndDomain == null || usernameAndDomain.length != 2) {
+            throw new UsernameNotFoundException("Username and domain must be provided");
+        }
+        User user = userRepository.findUser(usernameAndDomain[0], usernameAndDomain[1]);
+        if (user == null) {
+            throw new UsernameNotFoundException(
+                String.format("Username not found for domain, username=%s, domain=%s", 
+                    usernameAndDomain[0], usernameAndDomain[1]));
+        }
+        return user;
+    }
+}

spring-5-security/src/main/java/com/baeldung/securityextrafields/CustomUserRepository.java

@@ -0,0 +1,26 @@
+package com.baeldung.securityextrafields;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.stereotype.Repository;
+
+@Repository("userRepository")
+public class CustomUserRepository implements UserRepository {
+
+    @Override
+    public User findUser(String username, String domain) {
+        if (StringUtils.isAnyBlank(username, domain)) {
+            return null;
+        } else {
+            Collection<? extends GrantedAuthority> authorities = new ArrayList<>();
+            User user =  new User(username, domain, 
+                "$2a$10$U3GhSMpsMSOE8Kqsbn58/edxDBKlVuYMh7qk/7ErApYFjJzi2VG5K", true, 
+                true, true, true, authorities);
+            return user;
+        }
+    }
+
+}

spring-5-security/src/main/java/com/baeldung/securityextrafields/SecurityConfig.java

@@ -0,0 +1,65 @@
+package com.baeldung.securityextrafields;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@EnableWebSecurity
+@PropertySource("classpath:/application-extrafields.properties")
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Autowired
+    private UserDetailsService userDetailsService;
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        
+        http
+            .addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class)
+            .authorizeRequests()
+                .antMatchers("/css/**", "/index").permitAll()
+                .antMatchers("/user/**").authenticated()
+            .and()
+            .formLogin().loginPage("/login")
+            .and()
+            .logout()
+            .logoutUrl("/logout");
+    }
+
+    public CustomAuthenticationFilter authenticationFilter() throws Exception {
+        CustomAuthenticationFilter filter = new CustomAuthenticationFilter();
+        filter.setAuthenticationManager(authenticationManagerBean());
+        filter.setAuthenticationFailureHandler(failureHandler());
+        return filter;
+    }
+
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+        auth.authenticationProvider(authProvider());
+    }
+
+    public AuthenticationProvider authProvider() {
+        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+        provider.setUserDetailsService(userDetailsService);
+        provider.setPasswordEncoder(passwordEncoder());
+        return provider;
+    }
+
+    public SimpleUrlAuthenticationFailureHandler failureHandler() {
+        return new SimpleUrlAuthenticationFailureHandler("/login?error=true");
+    }
+
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+}

spring-5-security/src/main/java/com/baeldung/securityextrafields/SpringExtraLoginFieldsApplication.java

@@ -0,0 +1,13 @@
+package com.baeldung.securityextrafields;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class SpringExtraLoginFieldsApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(SpringExtraLoginFieldsApplication.class, args);
+    }
+
+}

spring-5-security/src/main/java/com/baeldung/securityextrafields/User.java

@@ -0,0 +1,23 @@
+package com.baeldung.securityextrafields;
+
+import java.util.Collection;
+
+import org.springframework.security.core.GrantedAuthority;
+
+public class User extends org.springframework.security.core.userdetails.User {
+
+    private static final long serialVersionUID = 1L;
+
+    private final String domain;
+
+    public User(String username, String domain, String password, boolean enabled, 
+        boolean accountNonExpired, boolean credentialsNonExpired, 
+        boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities) {
+        super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
+        this.domain = domain;
+    }
+
+    public String getDomain() {
+        return domain;
+    }
+}

spring-5-security/src/main/java/com/baeldung/securityextrafields/UserRepository.java

@@ -0,0 +1,7 @@
+package com.baeldung.securityextrafields;
+
+public interface UserRepository {
+
+    public User findUser(String username, String domain);
+    
+}

spring-5-security/src/main/java/com/baeldung/securityextrafields/WebController.java

@@ -0,0 +1,51 @@
+package com.baeldung.securityextrafields;
+
+import java.util.Optional;
+
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+public class WebController {
+
+    @RequestMapping("/")
+    public String root() {
+        return "redirect:/index";
+    }
+
+    @RequestMapping("/index")
+    public String index(Model model) {
+        getDomain().ifPresent(d -> {
+            model.addAttribute("domain", d);
+        });
+        return "index";
+    }
+
+    @RequestMapping("/user/index")
+    public String userIndex(Model model) {
+        getDomain().ifPresent(d -> {
+            model.addAttribute("domain", d);
+        });
+        return "user/index";
+    }
+
+    @RequestMapping("/login")
+    public String login() {
+        return "login";
+    }
+
+    private Optional<String> getDomain() {
+        Authentication auth = SecurityContextHolder.getContext()
+            .getAuthentication(); 
+        String domain = null;
+        if (auth != null && !auth.getClass().equals(AnonymousAuthenticationToken.class)) {
+            User user = (User) auth.getPrincipal();
+            domain = user.getDomain();
+        }
+        return Optional.ofNullable(domain);
+    }
+}

spring-5-security/src/main/resources/application-extrafields.properties

@@ -0,0 +1 @@
+spring.thymeleaf.prefix = classpath:/templatesextrafields/

spring-5-security/src/main/resources/static/css/main.css

@@ -0,0 +1,18 @@
+body {
+    font-family: sans;
+    font-size: 1em;
+}
+
+p.error {
+    font-weight: bold;
+    color: red;
+}
+
+div.logout {
+    float: right;
+}
+
+.formfield {
+	margin: 0.5em;
+	padding: 0.3em;
+}

spring-5-security/src/main/resources/templatesextrafields/index.html

@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
+    <head>
+        <title>Spring Security - Login With Extra Fields</title>
+        <meta charset="utf-8" />
+        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
+    </head>
+    <body>
+        <div th:fragment="logout" class="logout" sec:authorize="isAuthenticated()">
+            Logged in user: <span sec:authentication="name"></span> |
+            domain: <span th:text="${domain}">Some Domain</span>
+            <div>
+                <form action="#" th:action="@{/logout}" method="post">
+                    <input type="submit" value="Logout" />
+                </form>
+            </div>
+        </div>
+        <h1>Hello Spring Security</h1>
+        <p>This is an unsecured page, but you can access the secured pages after authenticating.</p>
+        <ul>
+            <li>Go to the <a href="/user/index" th:href="@{/user/index}">secured pages</a></li>
+        </ul>
+    </body>
+</html>

spring-5-security/src/main/resources/templatesextrafields/login.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <title>Login page</title>
+        <meta charset="utf-8" />
+        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
+	</head>
+    <body>
+        <h1>Login page</h1>
+        <p>Example: user / domain / password</p>
+        <p th:if="${param.error}" class="error">Invalid user, password, or domain</p>
+        <form th:action="@{/login}" method="post">
+            <label for="username">Username</label>:
+            <input class="formfield" type="text" id="username" name="username" autofocus="autofocus" /> <br />
+            <label for="domain">Domain</label>:
+            <input class="formfield" type="text" id="domain" name="domain" /> <br />
+            <label for="password">Password</label>:
+            <input class="formfield" type="password" id="password" name="password" /> <br />
+            <input type="submit" value="Log in" />
+        </form>
+        <p><a href="/index" th:href="@{/index}">Back to home page</a></p>
+    </body>
+</html>

spring-5-security/src/main/resources/templatesextrafields/user/index.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <title>Spring Security - Login With Extra Fields</title>
+        <meta charset="utf-8" />
+        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
+    </head>
+    <body>
+        <div th:replace="index::logout"></div>
+        <h1>This is a secured page!</h1>
+        <p><a href="/index" th:href="@{/index}">Back to home page</a></p>
+    </body>
+</html>

spring-5-security/src/test/java/com/baeldung/securityextrafields/SecurityExtraFieldsTest.java

@@ -0,0 +1,103 @@
+package com.baeldung.securityextrafields;
+
+import static org.junit.Assert.assertEquals;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.test.context.junit.jupiter.web.SpringJUnitWebConfig;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+@RunWith(SpringRunner.class)
+@SpringJUnitWebConfig
+@SpringBootTest(classes = SpringExtraLoginFieldsApplication.class)
+public class SecurityExtraFieldsTest {
+    
+    @Autowired
+    private FilterChainProxy springSecurityFilterChain;
+    
+    @Autowired
+    private WebApplicationContext wac;
+
+    private MockMvc mockMvc;  
+
+    @Before
+    public void setup() {
+        this.mockMvc = MockMvcBuilders.webAppContextSetup(wac)
+            .apply(springSecurity(springSecurityFilterChain)).build();
+    }
+
+    @Test
+    public void givenRootPathAccess_thenRedirectToIndex() throws Exception {
+        this.mockMvc.perform(get("/"))
+                .andExpect(status().is3xxRedirection())
+                .andExpect(redirectedUrlPattern("/index*"));
+    }
+
+    @Test
+    public void givenSecuredResource_whenAccessUnauthenticated_thenRequiresAuthentication() throws Exception {
+        this.mockMvc.perform(get("/user/index"))
+            .andExpect(status().is3xxRedirection())
+            .andExpect(redirectedUrlPattern("**/login"));
+    }
+
+    @Test
+    public void givenAccessSecuredResource_whenAuthenticated_thenAuthHasExtraFields() throws Exception {
+        MockHttpServletRequestBuilder securedResourceAccess = get("/user/index");
+        MvcResult unauthenticatedResult = mockMvc.perform(securedResourceAccess)
+            .andExpect(status().is3xxRedirection())
+            .andReturn();
+
+        MockHttpSession session = (MockHttpSession) unauthenticatedResult.getRequest()
+            .getSession();
+        String loginUrl = unauthenticatedResult.getResponse()
+            .getRedirectedUrl();
+
+        User user = getUser();
+
+        mockMvc.perform(post(loginUrl)
+            .param("username", user.getUsername())
+            .param("password", user.getPassword())
+            .param("domain", user.getDomain())
+            .session(session)
+            .with(csrf()))
+            .andExpect(status().is3xxRedirection())
+            .andExpect(redirectedUrlPattern("**/user/index"))
+            .andReturn();
+
+        mockMvc.perform(securedResourceAccess.session(session))
+            .andExpect(status().isOk());
+        
+        SecurityContext securityContext 
+            = (SecurityContext) session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
+        Authentication auth = securityContext.getAuthentication();
+        assertEquals(((User)auth.getPrincipal()).getDomain(), user.getDomain());
+    }
+
+    private User getUser() {
+        Collection<? extends GrantedAuthority> authorities = new ArrayList<>();
+        return new User("myusername", "mydomain", "password", true, true, true, true, authorities);
+    }
+}