/*
*******************************************************************************
* Copyright (c) 2019 Contributors to the Eclipse Foundation
*
* See the NOTICE file(s) distributed with this work for additional
* information regarding copyright ownership.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* SPDX-License-Identifier: EPL-2.0
*******************************************************************************
*/
package org.eclipse.openk.contactbasedata.config.auth;
import org.keycloak.TokenVerifier;
import org.keycloak.representations.AccessToken;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
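/**
 * Servlet filter that populates the Spring Security context from a Keycloak access token.
 *
 * <p>The token is taken from the request header named by {@code jwt.tokenHeader}. Its client and
 * realm roles are mapped to {@code ROLE_<NAME>} authorities and stored, together with the
 * preferred username, as the current {@code Authentication}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The token is only <em>parsed</em> here: no {@code verify()} call and no key are configured
 *       on the {@link TokenVerifier}, so this filter does not check the signature, expiry or
 *       issuer. NOTE(review): confirm that a trusted upstream component validates the token
 *       before the request reaches this service; otherwise configure
 *       {@code TokenVerifier.publicKey(...)} with the realm key and call {@code verify()}.</li>
 *   <li>When {@code jwt.useStaticJwt} is {@code true} the request header is ignored and every
 *       request is authenticated with the configured {@code jwt.staticJwt}. Presumably a
 *       development aid; it must be disabled in any deployment reachable by untrusted clients.</li>
 *   <li>The raw bearer token is kept in the authentication details; avoid logging the
 *       {@code Authentication} object.</li>
 * </ul>
 */
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {

    private static final String BEARER_PREFIX = "Bearer ";
    private static final String ROLE_PREFIX = "ROLE_";

    @Value("${jwt.useStaticJwt}")
    private boolean useStaticJwt;

    @Value("${jwt.tokenHeader}")
    private String tokenHeader;

    @Value("${jwt.staticJwt}")
    private String staticJwt;

    /**
     * Reads the token (static or from the configured header), authenticates the request if a
     * token is present, and continues the filter chain.
     *
     * <p>Requests without a token are passed on unauthenticated; rejecting them is left to the
     * access rules configured elsewhere.
     *
     * @throws ServletException if the token cannot be parsed or authentication fails downstream
     * @throws IOException      propagated from the filter chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String authenticationHeader = useStaticJwt ? staticJwt : request.getHeader(this.tokenHeader);
        try {
            SecurityContext context = SecurityContextHolder.getContext();
            if (authenticationHeader != null && !authenticationHeader.isEmpty()) {
                createToken(context, stripBearerPrefix(authenticationHeader));
            }
            chain.doFilter(request, response);
        } catch (AuthenticationException ex) {
            // Keep the cause so the failure can be diagnosed from the server log.
            throw new ServletException("Authentication exception.", ex);
        }
    }

    /**
     * Removes a leading {@code Bearer } scheme (matched case-insensitively) and surrounding
     * whitespace. Only the prefix is stripped, never occurrences inside the value.
     */
    private static String stripBearerPrefix(String headerValue) {
        String value = headerValue.trim();
        if (value.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            value = value.substring(BEARER_PREFIX.length());
        }
        return value.trim();
    }

    /**
     * Parses the token, collects its roles and stores the resulting authentication in
     * {@code context}.
     *
     * @param context   security context that receives the authentication
     * @param bearerTkn serialized access token without the {@code Bearer } prefix
     * @throws ServletException if the token cannot be parsed or processed
     */
    private void createToken(SecurityContext context, String bearerTkn) throws ServletException {
        try {
            List<String> allRoles = new ArrayList<>();
            // NOTE(review): getToken() is called without verify(); the claims below are taken
            // from the token as sent. See the class-level security notes.
            AccessToken token = TokenVerifier.create(bearerTkn, AccessToken.class).getToken();

            // Client roles; an entry without a role set is skipped instead of failing the request.
            token.getResourceAccess().forEach((client, access) -> {
                if (access != null && access.getRoles() != null) {
                    allRoles.addAll(access.getRoles());
                }
            });

            // Realm roles
            AccessToken.Access realmAccess = token.getRealmAccess();
            if (realmAccess != null && realmAccess.getRoles() != null) {
                allRoles.addAll(realmAccess.getRoles());
            }

            List<GrantedAuthority> authorities = new ArrayList<>();
            for (String role : allRoles) {
                // Locale.ROOT keeps role names stable regardless of the JVM default locale
                // (e.g. the Turkish dotted/dotless i would otherwise change the authority name).
                authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + role.toUpperCase(Locale.ROOT)));
            }

            UsernamePasswordAuthenticationToken auth =
                    new UsernamePasswordAuthenticationToken(token.getPreferredUsername(), null, authorities);
            auth.setDetails(bearerTkn);
            context.setAuthentication(auth);
        } catch (Exception e) {
            // Deliberately broad: any parsing or claim-handling failure is reported as an invalid
            // token. The cause is preserved; the token itself is not put in the message.
            throw new ServletException("Invalid token.", e);
        }
    }
}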