Securing your application landscape with Spring Cloud Security – Part 1

Securing an application is difficult. Securing an entire application landscape is even more difficult! In this modern era of blazing fast microservices we do not want the additional complexity of having to secure it all manually. This is where Spring Cloud Security comes in. By combining proven technologies, it helps us achieve performant, configurable end-to-end security across multiple applications.

So what technologies are being combined? Well, a lot… We will not mention them all here, but the foundation relies on Spring Boot and Spring Security OAuth.

OAuth, or, in our case, OAuth2 is basically an authorization delegation protocol. To quote Wikipedia, OAuth:

[…] specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.

In our context, the resource owners are the users of our applications, server resources are the data we store about our users (e.g. the list of shop orders), and third-parties are the applications (or services) in our landscape which perform actions on the user data.

A common mistake people make is thinking that OAuth also provides authentication. It doesn’t, but that’s where Spring Security kicks in. For more information about the difference between authentication and authorization in an OAuth context, we refer you to this article.

Basically, the picture below visualizes the type of application landscape we want to achieve with this series of articles.

Overview

An overview of the type of application landscape we want to achieve

In the following series of articles, we will build a concrete implementation of the above displayed application landscape from the ground up, with as little code and configuration as possible. We will make some concessions regarding complexity and functionality, mainly to enable us to focus on the basic principles.

The project source code is available on Bitbucket, so feel free to clone the Git repository:

The master branch contains the complete solution. Each article in this series will represent a separate step in the development of the solution. Several Git tags have been created in the repository to be able to follow along with each step.

How to run it

To be able to run the applications, the following software is required:

  • Gradle (tested with version 2.12)
  • Java 8 Development Kit

All three applications in the Git repository can be run from the command line, by executing the following command from the root directory of the application to run:

Alternatively, it is possible to run the main method in the relevant Spring Boot Application class (MyAuthServerApplication / MyWebsiteApplication / MyRestApiApplication) from an IDE or command line.

It does not matter in which order the applications are started.

Securing a basic website with a separate Identity Provider

As a starting point, we have created a Spring Boot application, called My Website. The application is bootstrapped using Spring Initializr, with the Web and Thymeleaf dependencies.

The application is pretty straightforward, containing a single Spring MVC Controller, to render a web page which displays the current time (like mentioned before, the functionality of the application is irrelevant, so we keep this simple). For now, the application is not secured in any way.

Tip To see the application in its initial state (not secured), checkout the Git tag insecure-website from the repository. To see the end result of this step (the website is secured using an Identity Provider), checkout the tag secure-website.

To view the current time, run the My Website application (see How to run it), and navigate to: http://localhost:8080/time

Creating the Identity Provider

The first step in securing My Website involves creating My Auth Server. This application will function as an Identity Provider for My Website. To achieve this, we will be using Spring Cloud Security, in combination with Spring Security OAuth2.

In OAuth2, the role of Identity Provider is split in two parts. The first part, the Authorization Server, verifies the identity of a resource owner (the user) and provides some kind of access token to applications wanting to act as the user. The second part, the Resource Server, provides resources (e.g. information about the user), based on the given token.

Important The OAuth2 specification doesn’t state anything about authentication. It basically defines how to delegate authorizations to access protected resources to third parties. In our context: the Authorization Server tells our application(s) that it may act as some user (resource owner), and thus access their data (resources). So how does the Authorization Server know which user it concerns? That’s where Spring Security enters the picture. Spring Security will handle the authentication part, and Spring Security OAuth2 will do the rest. For more general information about user authentication with OAuth2, see here.

With Spring Security OAuth2 it is possible to create two separate applications, one acting as Authorization Server and one as Resource Server. But it is also possible to combine the two parts into one application, which is what we will be doing.

Again, we will use Spring Initializr to bootstrap the application, with the Web and Thymeleaf dependencies, but this time we also add the Cloud OAuth2 dependency. We configure the application to run at http://localhost:9090/auth (see the properties in my-auth-server/src/main/resources/application.yml).

My Auth Server application is configured as both an Authorization Server and Resource Server, and is secured with Spring Security, with the help of a few Spring configurer adapters. These are explained below.

Authorization Server configuration

The AuthorizationServerConfigurer allows you to modify the default configuration (enabled by the annotation @EnableAuthorizationServer) to be able to act as an OAuth2 Authorization Server. Furthermore, we configure the client details service. This service specifies details about the way ‘clients’ (== other applications) interact with the Authorization Server.

  1. We configure everything in-memory for simplicity, but it is also possible to get the details from e.g. a database
  2. The client authenticates with the credentials myauthserver / verysecretpassword
  3. Specify the allowed redirect URI patterns, this prevents random parties from gaining an access token (e.g. XSRF attacks)
  4. OAuth2 supports different grant types, of which the Authorization Code type is the most known. For more information about grant types, see here
  5. When a client (application) authorizes with the Authorization Server, the server can assign one or more scopes to the client. In simple terms, a client scope can be seen as a specific permission for this client. With client scopes, it is possible to allow some applications to have more access rights to user resources than other applications. This is out of scope (pun intended) for this article.
  6. It is possible to make the Authorization Server ask the user permission for the client to obtain rights to access their resources. In our case we automatically approve the request.

Resource Server configuration

An application acting as an OAuth2 client to My Auth Server may need to be able to fetch information about a user, given a valid OAuth2 access token. To serve this information, we add a REST Controller, and secure this resource by configuring the My Auth Server as an OAuth2 Resource Server.

The REST Controller is a standard Spring @RestController, with one request mapping:

  1. The currently logged in user is injected by Spring as an OAuth2Authentication object. This is basically a standard Java Principal, with some added OAuth2-specific details.
  2. We return a map containing the current username,
  3. and a set of user roles.

This is the minimal set of details required for a Spring-enabled OAuth2 client to reconstruct its own OAuth2 Principal object. It is possible to add more details here, if needed. Instead of a Map, some examples on the internet just return the Principal object directly. Although this saves you the overhead of creating a map, we feel it exposes too much unnecessary information. With our approach, we are in control of what information is shared about the user.

The next step is to secure this resource. Of course, we can only provide valid user information, if we have a logged in user. Therefore, we configure My Auth Server as an OAuth2 Resource Server, which basically is a server hosting protected resources, capable of serving these resources when presented with a valid access token. In this case, the protected resource is information about the logged in user. The Resource Server security configuration is defined in ResourceServerConfigurer, using the @EnableResourceServer annotation.

  1. We match our security configuration on the URL /user, matching the request mapping in our ResourceController.
  2. Only authenticated access is allowed.

Spring Security configuration

The last step for My Auth Server is to configure the application security, to define how we want our users to authenticate themselves. We use a pretty standard Spring Security setup, but for the sake of completeness, we describe the configuration below.

The WebSecurityConfigurer modifies the default Spring Security configuration (enabled by the annotation @EnableWebSecurity annotation). We configure the URLs to secure, enable Cross-Site Request Forgery protection, setup a login form, and add some user credentials.

  1. The login page is located at /login, and should be publicly available.
  2. All other requests should be authenticated.
  3. Enable Cross-Site Request Forgery (CSRF) protection.
  4. Configure the form login page at /login.
  5. For simplicity, we use an in-memory user database with two users: a normal user and an administrator.

The login form is a simple html form, generated using a Thymeleaf template. The template is located at my-auth-server/src/main/resources/templates/login.html, and made available using a Spring MVC View Controller, defined in my-auth-server/src/main/java/com/jdriven/example/cloudsecurity/config/WebMvcConfigurer.java.

Using the Identity Provider to secure My Website

Now that we have set up our Identity Provider (My Auth Server), we need to configure My Website to use it. This is a very easy task, consisting of three parts.

Spring Cloud Starter OAuth2

We add a dependency in the My Website project to Spring Cloud Starter OAuth2.

Spring Security Configuration

We configure the security in WebSecurityConfigurer (which is a Spring Web Security Configurer Adapter), using the @EnableOAuth2Sso annotation to enable OAuth2. The security configuration itself is pretty straightforward.

  1. Allow navigating to the index page at /.
  2. Secure all the other URLs.

Application configuration

The last step is to add some properties to our application configuration in application.yml. These properties configure My Website to use the URLs provided by My Auth Server.

  1. The URL used by an OAuth2 client to acquire an OAuth2 access token.
  2. The URL to which the user will be redirected to authorize access to a resource.
  3. The client ID specified earlier in the Authorization Server configuration.
  4. The client password specified earlier in the Authorization Server configuration.
  5. The user info resource URL, specified earlier in the Resource Server configuration.
Tip To see the resulting source code at this point, checkout the Git tag secure-website.

That’s it! If we run both the My Auth Server application and the My Website application (see How to run it), and navigate to http://localhost:8080/time, we will see that the URL is now secured, and we need to login first. Congratulations, your website is now secure!

Up next

In the next articles in this series, we will discuss the following topics:

  • After having secured a single application, we will add a new application, a REST service, which we will also secure through My Auth Server in a Single Sign On (SSO) configuration.
  • We will call the REST service from the browser using client side Javascript, proxying the service calls through My Website using Netflix Zuul.
  • Then, we will make the REST service stateless (no sessions), remaining secure by using JSON Web Tokens (JWT).
  • Finally, we will add the ability to login using a Google account.

Spring Batch and Feign OAuth2 RequestInterceptor

We have a microservice architecture with one of the microservices having a Spring Batch job which processes a CSV file and calling another microservice. Both microservices are OAuth2 protected ResourceServers. When we call the first microservice, a batch job is started and we want the Authorization header to be passed to the second microservice. The solution can be defined as:

In a Feign RequestInterceptor, grab the current OAuth access_token and pass it on the the RequestTemplate with Hystrix running in SEMAPHORE execution isolation strategy

Define Job execution

RequestInterceptor

Hystrix isolation strategy

Now we set the default isolation strategy of hystrix to SEMAPHORE. Otherwise we will get an error:
Method threw 'org.springframework.beans.factory.BeanCreationException' exception.... Scope 'session' is not active for the current thread;

Spicy Spring: Customize error JSON response with ErrorAttributes

The default JSON error body of Spring Boot can be customized or extended by defining our own ErrorAttributes implementation. In Spring Boot we get an error response JSON format for free. Any thrown Exception is automatically translated to this JSON format and returned with a corresponding HTTP status.

Default implementation

As soon as we throw an Exception in a @RequestMapping annotated method of a @Controller, the thrown Exception is translated to a HTTP status and a JSON error body.

The default JSON error body looks like:

Write your own ErrorAttributes implementation

What if we want extra attributes in this JSON error body?

Just define an implementation for ErrorAttributes and register it as a Spring @Component. The following example will result in a customized JSON error response body with the cause of the exception included.

Our resulting body will now look like:

Happy developing!

Spicy Spring: Creating a Fully Executable Jar

With a Spring (Boot/Cloud) application you can create a fully executable JAR, where the jar can be run from the command-line by just calling ./my-own-jar-0.0.1.jar.
My colleague Mr. Haki wrote a nice blog about creating a fully executable JAR for Grails.

Together with the famous one-liner of Josh Long in mind: “Make JAR not WAR!”, create a JAR whenever you develop a Spring Boot/Cloud application. As described in Mr. Haki’s blog, it is very easy to make our Spring application executable:

Maven configuration

Gradle configuration

You can find the description in the Spring Reference guide.

Happy Developing! And remember, “Make JAR not WAR!”

Generic Code Formatting with EditorConfig example

I love code. I take care of my code and I like my code to be formatted nicely. No matter if I’m on Eclipse, Netbeans or IntelliJ, I want my code to be formatted the same.

Nowadays we have EditorConfig. In the source code we can place a file .editorconfig with formatting instructions. These instructions can be read by many Tools like Eclipse, Netbeans, IntelliJ and VisualStudio. If we create an .editorconfig file with formatting instructions, these rules are automatically applied.

Example

An example of an .editorconfig file looks like:

As you see you can define specific formatting rules for different file types.

Happy coding and formatting!

Spicy Spring: Write your own AutoConfiguration

In Spring we use the @EnableAutoConfiguration each time when we use the @SpringBootApplication annotation. If we look at the @SpringBootApplication we can see that this automatically enables the @EnableAutoConfiguration. This last mentioned annotation triggers all the auto-configuration enabled configurations on the classpath. We can write an auto-configuration enabled @Configuration ourself in only two steps.

In /src/main/resources/META-INF/ create a file called spring.factories and add the following snippet to the file.

If you wrap this all in a JAR and add this as a classpath dependency to another Spring Application, the above MyOwnAutoConfiguration is triggered.

Happy developing!

Spicy Spring: Inject your custom method argument in Spring MVC using HandlerMethodArgumentResolver

In Spring MVC we get some method argument types resolved by default and injected in Spring MVC controller methods. Some examples are Model, Locale and OutputStream.
What if we want to inject a custom argument in Spring MVC controller methods? In this example we extract the X-Application-Version HTTP header from the request and inject that as a method argument called version.

Our controller class will look like the following:

This is where we need to write our own HandlerMethodArgumentResolver implementation which is responsible for extracting the X-Application-Version from the HttpHeader.

Continue reading

Building your own self refreshing cache in Java EE

If you have read my previous post about caching, The (non)sense of caching, and have not been discouraged by it, I invite you to build your own cache. In this post we will build a simple cache implementation that refreshes its data automatically, using Java EE features.

Context: A slow resource

Let’s describe the situation. We are building a service that uses an external resource with some reference data. The data is not frequently updated and it’s allright to use data that’s up to 1 hour old. The external resource is very slow, retrieving the data takes about 30 seconds.

Our service needs to respond within 2 seconds. Obviously we can’t call the resource each time we need it. To solve our problem we decide to introduce some caching. We are going to retrieve the entire dataset, keep it in memory and allow retrieval of specific cached values by their corresponding keys.

Step 1: Getting started

A very basic implementation of a key-value cache is a (java.util.)Map, so that’s where we’ll start. One step at a time we will extend this implementation untill we have a fully functional cache.

Step 2: Populating the cache

We will inject a bean that serves as a facade to our slow external resource. To keep things simple in this example, the bean returns a list of SomeData objects that contain a key and a value.

Step 3: Keeping state between requests

Now we can populate the cache we need to keep the state so that future requests can also make use of it. That’s where we use the Singleton bean. A singleton session bean is instantiated once per application and exists for the lifecycle of the application, see also the JEE tutorial page about Session Beans.

Note that, when we run our application in a clustered environment, each instance of our application will have its own Singleton bean instance.

Note that, when we run our application in a clustered environment, each instance of our application will have its own Singleton bean instance.

Step 4: Populating the cache before first use

We can use the @PostConstruct annotation to fill the cache with the reference data when the bean is created. If we want the cache to load at application startup instead of on first access, we use the @Startup annotation.

Step 5: Accessing the cached data

To make the data available, we create a public method getData, that will retrieve the cached value by its key.

Step 6: Refreshing the cache periodically

As the cached data becomes outdated over time, we want to refresh the het dataset automatically after a specified time period. JEE offers a solution with automatic timers. See also the JEE tutorial page about the Timer Service. We configure the timer to be not persistent.

Step 7: Manage concurrency

Finally, we need to make sure concurrency is handled correctly. In JEE, you can do this either Container-Managed or Bean-Managed. For Singleton Session Beans the default is Container-Managed Concurrrency with a Write Lock on each public method. Whenever the bean is called, all subsequent calls will be held until the lock is released. This is safe, even if you are modifying the data, hence the name Write Lock.

We can improve on this by allowing concurrent read acces on methods that are only reading data, in our case the getData method. To do that we add the @Lock(LockType.READ) annotation. This way, calls to the getData method are only held when a method with a Write Lock is being accessed.

(In our simple case we could get away without any locking at all because updating the object reference of our instance variable cache in the populateCache method is an atomic operation, but in practice you don’t want to depend on implementation details of the populateCache method.)

For more information about Container-Managed Concurrency check the JEE tutorial page about Managing Concurrent Access.

Practical use

Above example code is perfeclty usable, but there are several things to consider:

  • In the example we load the entire dataset into memory. This is only feasable if the dataset is not too big, e.g. a list of Currency Conversion Rates.
  • When you deploy on multiple servers, each of them will have its own cache. Because they will each be refreshing independently, they might not hold the exact same dataset. This might confuse the users of your application.

Conclusion

We have created a simple cache with a minimal amount of code. By making use of built-in Java EE features, a lot of complex tasks are managed by the JEE container, making our job easier.

Javaland 2016 Conference Report

It has already been a week since Javaland 2016 started on Tuesday March 8th. Javaland is 3-day community driven conference in the amusement park Phantasialand in Brühl, Germany. I had the fortune to attend the conference this year and speak about Asciidoctor on the first day with my talk “Writing documentation in Asciidoctor is Awesome”. The code and examples from the presentation are on Github. Also my colleague Rob Brinkman was at the conference for this talk about “Westy Tracking (turning a VW van into a Tesla)” and his presentation is online as well.

What I really liked about the conference is a lot of technical talks about all kind of Java subjects. Even for a non-German person there were a lot of talks in English to follow. Also the atmosphere was very nice, people are approachable and in between talks there was a nice community and sponsor exhibition room. The organization uses the knowledge and experience of 29 JUGs from Germany, Austria and Switzerland. And then the location is also great to have a conference. The amusement park wasn’t open for the public so we as Java developers had part of the park for ourselves. The location of the talks were partially in theaters and in business rooms. And at Tuesday night we were allowed to go on rides as well. (Remember: first rides, then eat and drink, if you alter the order you might get in trouble).

The first day started with an explanation about the program, talks, different community events from the organization. Next we attended a session about how to visualize relations between Wikipedia articles from James Weaver. He showed a Spring application backend with an Angular frontend running on Cloudfoundry. Next up was Rob Brinkman with his excellent talk on how he added electronics to an “old” VW van, so he could save his trips and tracking information. He showed the software architecture he used with Vert.x 3, Redis, Java 8 and Angular to make it all work together. It was time for lunch and that was very good organized. A lot of different things to choose from and it tasted very well. After lunch we attended a short talk about streams and reactive programming that was very informative given by Jan Carsten Lohmüller. In the afternoon we stayed a while at the community floor and stumbled upon a nice small presentation from Andres Almiray about a JSR for desktop applications. The setting was very informative and I really liked this aspect of the conference. Furthermore we attended a session about Lombok to reduce the boilerplate code in Java presented by Roel Spilker and Reinier Zwitserloot. Bert Jan Schrijver gave a good presentation about performance testing with Gatling. He even did live Scala coding on stage! Gatling looks like a very nice tool to define scenario’s for simulating multiple users accessing your application.

At night the park was open and some attractions were open, especially the roller coaster rides. Also there was a good diner organized at different locations.

The second day of the conference started for me with a talk by Josh Long about Spring Cloud. The Spring Cloud project has a lot of very useful subprojects to work with microservices in a distributed manner. Even though the session could only last 40 minutes Josh managed to show a lot of cool stuff with live coding small applications. At lunch time I attended a good talk which started with a cool Lego demo by Johan Janssen and Martin Kanters. They managed to control Lego trains and a fairy wheel from their browser. And it all worked as well. They used Akka on Raspberry Pi’s to make it all work and explained the software architecture.

After another tasteful lunch I learned more about monads in Java 8. Normally this is a very theoretical subject, but presenter Oleg Shelajev did a good job and showed real code on how monads appear in Java. The last session of the day was about using Groovy as a system scripting language by Andrey Adamovich. He showed the cool stuff of Groovy to make as script developer so much easier. Instead of relying on Bash or another script language, just use Groovy and all the Java libaries we already know.

The final day of the conference was a tutorial/workshop day. I attended a Vert.x 3 workshop given by Jochen Mader. Although it was in German I could still follow it very well. He presented some theory and then we could make small exercises in Vert.x 3. Then we would look at possible solutions for the exercise given by Jochen. I learned a lot during this day.

It was the first time I went to Javaland and it was a very good experience. The location, the organization and the content are all excellent. Although I already know I cannot make it next year, I still want to come back during the next years.

Original blog post