alexanoid alexanoid - 2 months ago 20
Java Question

Neo4J TokenStore Spring oauth2

I'm working on Spring REST webservices secured with oauth2. I'd like to separate AuthorizationServer from ResourceServer with two different applications - AuthorizationServer is oauth2 SSO(single sign-on) and ResourceServer is the second application for business REST services. This way I can't use inmemory tokenstore because my applications will live on different hosts. I need some shared mechanism for TokenStore, for example database. There is JdbcTokenStore implementation in Spring framework but in my projects I'm using Neo4J graph database.

So, I have a questions - should I try to store oauth2 tokens in Neo4J(for example create custom implementtation of Neo4JTokenStore(already exists ?)) or in some other database ? What is best practice for this case ?

Answer

I implemented successfully Token Store for Neo4j.

AbstractDomainEntity.java

@NodeEntity
public abstract class AbstractDomainEntity implements DomainEntity {
    private static final long serialVersionUID = 1L;

@GraphId
private Long nodeId;

@Indexed(unique=true)
String id;

private Date createdDate;
@Indexed
private Date lastModifiedDate;
@Indexed
private String createduser;
private String lastModifieduser;

protected AbstractDomainEntity(String id) {
    this.id = id;
}

protected AbstractDomainEntity() {
}
//gets sets

OAuth2AuthenticationAccessToken.java

@NodeEntity
public class OAuth2AuthenticationAccessToken extends AbstractDomainEntity {
    private static final long serialVersionUID = -3919074495651349876L;

@Indexed
private String tokenId;
@GraphProperty(propertyType = String.class)
private OAuth2AccessToken oAuth2AccessToken;
@Indexed
private String authenticationId;
@Indexed
private String userName;
@Indexed
private String clientId;
@GraphProperty(propertyType = String.class)
private OAuth2Authentication authentication;
@Indexed
private String refreshToken;

public OAuth2AuthenticationAccessToken(){
    super();
}

public OAuth2AuthenticationAccessToken(final OAuth2AccessToken oAuth2AccessToken, final OAuth2Authentication authentication, final String authenticationId) {
    super(UUID.randomUUID().toString());
    this.tokenId = oAuth2AccessToken.getValue();
    this.oAuth2AccessToken = oAuth2AccessToken;
    this.authenticationId = authenticationId;
    this.userName = authentication.getName();
    this.clientId = authentication.getOAuth2Request().getClientId();
    this.authentication = authentication;
    this.refreshToken = oAuth2AccessToken.getRefreshToken() != null ? 

oAuth2AccessToken.getRefreshToken().getValue() : null;
    }
//getters setters

OAuth2AuthenticationRefreshToken.java

@NodeEntity
public class OAuth2AuthenticationRefreshToken extends AbstractDomainEntity {
    private static final long serialVersionUID = -3269934495553717378L;

    @Indexed
    private String tokenId;

    @GraphProperty(propertyType = String.class)
    private OAuth2RefreshToken oAuth2RefreshToken;

    @GraphProperty(propertyType = String.class)
    private OAuth2Authentication authentication;

    public OAuth2AuthenticationRefreshToken(){
        super();
    }

    public OAuth2AuthenticationRefreshToken(final OAuth2RefreshToken oAuth2RefreshToken, final OAuth2Authentication authentication) {
        super(UUID.randomUUID().toString());
        this.oAuth2RefreshToken = oAuth2RefreshToken;
        this.authentication = authentication;
        this.tokenId = oAuth2RefreshToken.getValue();
    }
//gets sets

OAuth2AccessTokenRepository.java

public interface OAuth2AccessTokenRepository extends GraphRepository<OAuth2AuthenticationAccessToken>, CypherDslRepository<OAuth2AuthenticationAccessToken>, OAuth2AccessTokenRepositoryCustom {
    public OAuth2AuthenticationAccessToken findByTokenId(String tokenId);
    public OAuth2AuthenticationAccessToken findByRefreshToken(String refreshToken);
    public OAuth2AuthenticationAccessToken findByAuthenticationId(String authenticationId);
    public List<OAuth2AuthenticationAccessToken> findByClientIdAndUserName(String clientId, String userName);
    public List<OAuth2AuthenticationAccessToken> findByClientId(String clientId);
}

OAuth2RefreshTokenRepository.java

public interface OAuth2RefreshTokenRepository extends GraphRepository<OAuth2AuthenticationRefreshToken>, CypherDslRepository<OAuth2AuthenticationRefreshToken>, OAuth2RefreshTokenRepositoryCustom {
    public OAuth2AuthenticationRefreshToken findByTokenId(String tokenId);
}

OAuth2TokenStoreRepositoryImpl.java

public class OAuth2TokenStoreRepositoryImpl implements TokenStore {
    @Autowired
    private OAuth2AccessTokenRepository oAuth2AccessTokenRepository;
    @Autowired
    private OAuth2RefreshTokenRepository oAuth2RefreshTokenRepository;
    private AuthenticationKeyGenerator authenticationKeyGenerator = new DefaultAuthenticationKeyGenerator();

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#readAuthentication(org.springframework.security.oauth2.common.OAuth2AccessToken)
     */
    @Override
    public OAuth2Authentication readAuthentication(OAuth2AccessToken token) {
        return readAuthentication(token.getValue());
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#readAuthentication(java.lang.String)
     */
    @Override
    public OAuth2Authentication readAuthentication(String tokenId) {
        OAuth2AuthenticationAccessToken accessToken = oAuth2AccessTokenRepository.findByTokenId(tokenId);
        OAuth2Authentication oauth2Authentication = null;
        if(accessToken != null){
            oauth2Authentication = accessToken.getAuthentication();
        }
        return oauth2Authentication;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#storeAccessToken(org.springframework.security.oauth2.common.OAuth2AccessToken, org.springframework.security.oauth2.provider.OAuth2Authentication)
     */
    @Override
    public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
        // remove existing token & add new
        removeAccessToken(token);

        OAuth2AuthenticationAccessToken oAuth2AuthenticationAccessToken = new OAuth2AuthenticationAccessToken(token,
                authentication, authenticationKeyGenerator.extractKey(authentication));
        oAuth2AccessTokenRepository.save(oAuth2AuthenticationAccessToken);
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#readAccessToken(java.lang.String)
     */
    @Override
    public OAuth2AccessToken readAccessToken(String tokenValue) {
        OAuth2AuthenticationAccessToken token = oAuth2AccessTokenRepository.findByTokenId(tokenValue);
        if(token == null) {
            return null; //let spring security handle the invalid token
        }
        OAuth2AccessToken accessToken = token.getoAuth2AccessToken();
        return accessToken;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#removeAccessToken(org.springframework.security.oauth2.common.OAuth2AccessToken)
     */
    @Override
    public void removeAccessToken(OAuth2AccessToken token) {
        OAuth2AuthenticationAccessToken accessToken = oAuth2AccessTokenRepository.findByTokenId(token.getValue());
        if(accessToken != null) {
            oAuth2AccessTokenRepository.delete(accessToken);
        }

    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#storeRefreshToken(org.springframework.security.oauth2.common.OAuth2RefreshToken, org.springframework.security.oauth2.provider.OAuth2Authentication)
     */
    @Override
    public void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication) {
        oAuth2RefreshTokenRepository.save(new OAuth2AuthenticationRefreshToken(refreshToken, authentication));

    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#readRefreshToken(java.lang.String)
     */
    @Override
    public OAuth2RefreshToken readRefreshToken(String tokenValue) {
        OAuth2AuthenticationRefreshToken refreshAuth = oAuth2RefreshTokenRepository.findByTokenId(tokenValue);
        OAuth2RefreshToken refreshToken = null;
        if(refreshAuth != null){
            refreshToken = refreshAuth.getoAuth2RefreshToken();
        }
        return refreshToken;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#readAuthenticationForRefreshToken(org.springframework.security.oauth2.common.OAuth2RefreshToken)
     */
    @Override
    public OAuth2Authentication readAuthenticationForRefreshToken( OAuth2RefreshToken token) {
        OAuth2AuthenticationRefreshToken refreshAuth = oAuth2RefreshTokenRepository.findByTokenId(token.getValue());
        OAuth2Authentication oAuth2Authentication = null;
        if(refreshAuth != null){
            oAuth2Authentication = refreshAuth.getAuthentication();
        }
        return oAuth2Authentication;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#removeRefreshToken(org.springframework.security.oauth2.common.OAuth2RefreshToken)
     */
    @Override
    public void removeRefreshToken(OAuth2RefreshToken token) {
        OAuth2AuthenticationRefreshToken refreshAuth = oAuth2RefreshTokenRepository.findByTokenId(token.getValue());
        if(refreshAuth != null){
            oAuth2RefreshTokenRepository.delete(refreshAuth);
        }
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#removeAccessTokenUsingRefreshToken(org.springframework.security.oauth2.common.OAuth2RefreshToken)
     */
    @Override
    public void removeAccessTokenUsingRefreshToken(OAuth2RefreshToken refreshToken) {
        OAuth2AuthenticationAccessToken accessToken = oAuth2AccessTokenRepository.findByRefreshToken(refreshToken.getValue());
        if(accessToken != null){
            oAuth2AccessTokenRepository.delete(accessToken);
        }
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#getAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication)
     */
    @Override
    public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
        OAuth2AuthenticationAccessToken token =  oAuth2AccessTokenRepository.findByAuthenticationId(authenticationKeyGenerator.extractKey(authentication));
        return token == null ? null : token.getoAuth2AccessToken();
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#findTokensByClientIdAndUserName(java.lang.String, java.lang.String)
     */
    @Override
    public Collection<OAuth2AccessToken> findTokensByClientIdAndUserName(String clientId, String userName) {
        List<OAuth2AuthenticationAccessToken> tokens = oAuth2AccessTokenRepository.findByClientIdAndUserName(clientId, userName);
        return extractAccessTokens(tokens);
    }

    /* (non-Javadoc)
     * @see org.springframework.security.oauth2.provider.token.TokenStore#findTokensByClientId(java.lang.String)
     */
    @Override
    public Collection<OAuth2AccessToken> findTokensByClientId(String clientId) {
        List<OAuth2AuthenticationAccessToken> tokens = oAuth2AccessTokenRepository.findByClientId(clientId);
        return extractAccessTokens(tokens);
    }

    private Collection<OAuth2AccessToken> extractAccessTokens(List<OAuth2AuthenticationAccessToken> tokens) {
        List<OAuth2AccessToken> accessTokens = new ArrayList<OAuth2AccessToken>();
        for(OAuth2AuthenticationAccessToken token : tokens) {
            accessTokens.add(token.getoAuth2AccessToken());
        }
        return accessTokens;
    }
}

I used GraphProperty to convert String for two object OAuth2AccessToken and OAuth2Authentication in OAuth2AuthenticationAccessToken.java and OAuth2AuthenticationAccessToken.java as below.

@GraphProperty(propertyType = String.class)
private OAuth2AccessToken oAuth2AccessToken;

@GraphProperty(propertyType = String.class)
private OAuth2Authentication authentication;

So, I implemented four convertors for them

public class OAuth2AccessTokenToStringConverter implements Converter<OAuth2AccessToken, String> {

    @Override
    public String convert(final OAuth2AccessToken source) {
        //some code that takes your object and returns a String
        ObjectMapper mapper = new ObjectMapper();
        String json = null;
        try {
            json = mapper.writeValueAsString(source);
            //remove white space
            json = json.replace("\"scope\":\" ","\"scope\":\"");
        } catch (IOException e) {
            e.printStackTrace();
        }
        return json;
    }
}

public class OAuth2AuthenticationToStringConverter implements Converter<OAuth2Authentication, String> {

    @Override
    public  String convert(final OAuth2Authentication source) {
        //some code that takes your object and returns a String
        ObjectMapper mapper = new ObjectMapper();
        String json = null;
        try {
            json = mapper.writeValueAsString(source);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return json;
    }
}


public class StringToOAuth2AccessTokenConverter implements Converter<String, OAuth2AccessToken> {

    @Override
    public OAuth2AccessToken convert(final String source) {
        //some code that takes a String and returns an object of your type
        ObjectMapper mapper = new ObjectMapper();
        OAuth2AccessToken deserialised = null;
        try {
            deserialised = mapper.readValue(source, OAuth2AccessToken.class);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return deserialised;
    }
}


public class StringToOAuth2AuthenticationConverter implements Converter<String, OAuth2Authentication> {

    @Override
    public OAuth2Authentication convert(final String source) {
        // some code that takes a String and returns an object of your type
        OAuth2Authentication oAuth2Authentication = null;
        try {
            ObjectMapper mapper = new ObjectMapper();
            JsonNode  rootNode = mapper.readTree(source);
            OAuth2Request oAuth2Request = getOAuth2Request(rootNode.get("oauth2Request"), mapper);
            JsonNode userAuthentication = rootNode.get("userAuthentication");
            JsonNode principal = userAuthentication.get("principal");
            UserAccount userAccount = mapper.readValue(principal.get("userAccount"), UserAccount.class);
            CTGUserDetails userDetails = new CTGUserDetails(userAccount);
            List<Map<String, String>> authorities = mapper.readValue(userAuthentication.get("authorities"), new TypeReference<List<Map<String, String>>>() {});
            UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, getAuthorities(authorities));
            oAuth2Authentication = new OAuth2Authentication(oAuth2Request, authentication);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return oAuth2Authentication;
    }

    private OAuth2Request getOAuth2Request(final JsonNode jsonNode, ObjectMapper mapper) throws JsonParseException, JsonMappingException, IOException{
        Map<String, String> requestParameters = mapper.readValue(jsonNode.get("requestParameters"),new TypeReference<Map<String, String>>() {});
        String clientId = jsonNode.get("clientId").getTextValue();
        List<Map<String, String>> authorities = mapper.readValue(jsonNode.get("authorities"), new TypeReference<List<Map<String, String>>>() {});
        Set<String> scope = mapper.readValue(jsonNode.get("scope"), new TypeReference<HashSet<String>>() {});
        Set<String> resourceIds =   mapper.readValue(jsonNode.get("resourceIds"), new TypeReference<HashSet<String>>() {});
        return new OAuth2Request(requestParameters, clientId, getAuthorities(authorities) , true, scope, resourceIds, null, null, null);
    }

    private Collection<? extends GrantedAuthority> getAuthorities(
            List<Map<String, String>> authorities) {
        List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>(authorities.size());
        for (Map<String, String> authority : authorities) {
            grantedAuthorities.add(new SimpleGrantedAuthority(authority.get("authority")));
        }
        return grantedAuthorities;
    }

}

In bean xml, I declared to Spring as then:

<bean id="conversionService" 
      class="org.springframework.context.support.ConversionServiceFactoryBean">
      <property name="converters">
        <set>
          <bean class="com.<yourpackage>.convertor.OAuth2AuthenticationToStringConverter"/>
          <bean class="com.<yourpackage>.convertor.OAuth2AccessTokenToStringConverter"/>
          <bean class="com.<yourpackage>.convertor.StringToOAuth2AccessTokenConverter"/>
          <bean class="com.<yourpackage>.convertor.StringToOAuth2AuthenticationConverter"/>
        </set>
      </property>
    </bean>

End. :) Welcome any feedback.

Comments