{"id":331481,"date":"2022-04-04T15:01:01","date_gmt":"2022-04-04T15:01:01","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=331481"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=331481","title":{"rendered":"Security \u043c\u0438\u043a\u0440\u043e\u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e Spring, OAuth2, JWT \u0438 Service Account<\/span>"},"content":{"rendered":"
<\/div>\n
\n
\n
\n
\n

\u041d\u0435 \u0442\u0430\u043a \u0434\u0430\u0432\u043d\u043e \u044f \u043d\u0430\u0447\u0438\u043d\u0430\u043b \u0441\u0432\u043e\u0439 \u043f\u0435\u0440\u0432\u044b\u0439 \u043f\u0440\u043e\u0435\u043a\u0442 \u0441 \u043c\u0438\u043a\u0440\u043e\u0441\u0435\u0440\u0432\u0438\u0441\u0430\u043c\u0438 \u0438 \u043d\u0435 \u0437\u043d\u0430\u043b \u043a\u0430\u043a \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u0442\u044c security. \u0421\u0435\u0439\u0447\u0430\u0441 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043f\u043e \u044d\u0442\u043e\u043c\u0443 \u0432\u043e\u043f\u0440\u043e\u0441\u0443 \u0443\u0436\u0435 \u0431\u043e\u043b\u044c\u0448\u0435 \u043e\u0434\u043d\u0430\u043a\u043e \u043e\u043d\u0430 \u043d\u0435 \u0432\u0441\u0435\u0433\u0434\u0430 \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u0430 \u0438 \u043a\u0430\u043a \u043f\u0440\u0430\u0432\u0438\u043b\u043e \u043d\u0435 \u0440\u0430\u0441\u043a\u0440\u044b\u0432\u0430\u0435\u0442 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443 security \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u043e\u0433\u043e \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f. \u041f\u043e\u044d\u0442\u043e\u043c\u0443 \u044f \u0440\u0435\u0448\u0438\u043b \u043d\u0430\u043f\u0438\u0441\u0430\u0442\u044c \u043a\u0430\u043a \u0431\u044b \u044f \u0440\u0435\u0448\u0430\u043b \u044d\u0442\u0443 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443 \u043d\u0430 \u0441\u0435\u0433\u043e\u0434\u043d\u044f\u0448\u043d\u0438\u0439 \u0434\u0435\u043d\u044c.<\/p>\n

<\/figcaption><\/figure>\n

\u0417\u0430\u0434\u0430\u0447\u0430<\/h2>\n

\u0415\u0441\u0442\u044c \u0434\u0432\u0430 \u043c\u0438\u043a\u0440\u043e\u0441\u0435\u0440\u0432\u0438\u0441\u0430: Account<\/em> \u0438 Notification<\/em>. Account<\/em> \u0445\u0440\u0430\u043d\u0438\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u0445, Notification<\/em> \u0440\u0430\u0441\u0441\u044b\u043b\u0430\u0435\u0442 \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u044f. \u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u0442\u044c \u0440\u0430\u043d\u0435\u0435 \u0441\u043e\u0445\u0440\u0430\u043d\u0451\u043d\u043d\u044b\u0439 email, \u0432\u044b\u0437\u0432\u0430\u0432 endpoint \u0432 Notification<\/em>. \u0412 \u0442\u0435\u043b\u0435 \u043f\u0438\u0441\u044c\u043c\u0430 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f \u043d\u0443\u0436\u043d\u043e \u043f\u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0434\u0435\u0430\u0442\u043b\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0445\u0440\u0430\u043d\u044f\u0442\u0441\u044f \u0432 Account. <\/em>\u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0431\u0443\u0434\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0439 http endpoint, \u0430 \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u0434\u043e\u043b\u0436\u043d\u044b \u0431\u044b\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b \u0442\u043e\u043b\u044c\u043a\u043e authenticated users. <\/p>\n

<\/figcaption><\/figure>\n

\u0421\u0431\u043e\u0440\u043a\u0430 \u043f\u0440\u043e\u0435\u043a\u0442\u0430<\/h2>\n

\u0414\u043b\u044f \u0441\u0431\u043e\u0440\u043a\u0438 \u043f\u0440\u043e\u0435\u043a\u0442\u0430 \u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e gradle \u0438 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 spring boot \u0438 \u043f\u0440\u043e\u0447\u0438\u0445 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a \u043d\u0430 \u043c\u043e\u043c\u0435\u043d\u0442 \u043d\u0430\u043f\u0438\u0441\u0430\u043d\u0438\u044f \u0441\u0442\u0430\u0442\u044c\u0438. \u0427\u0442\u043e\u0431 \u0442\u0435\u043a\u0441\u0442 \u043d\u0435 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0441\u044f \u0441\u043b\u0438\u0448\u043a\u043e\u043c \u0431\u043e\u043b\u044c\u0448\u043e\u0439 gradle \u043a\u043e\u0434 \u0434\u043e\u0441\u0442\u0443\u043f\u0435\u043d \u0432 github(\u0441\u0441\u044b\u043b\u043a\u0430 \u0432 \u043a\u043e\u043d\u0446\u0435).<\/p>\n

\u041f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u0435 JWT \u0442\u043e\u043a\u0435\u043d\u0430<\/h2>\n

\u0427\u0442\u043e\u0431 \u043d\u0435 \u043e\u0442\u0445\u043e\u0434\u0438\u0442\u044c \u043e\u0442 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043e\u0432 \u043c\u0438\u043a\u0440\u043e\u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432 \u0431\u0443\u0434\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c JWT \u0442\u043e\u043a\u0435\u043d. \u0414\u043e\u0431\u0430\u0432\u0438\u043c endpoint \u0432 Account<\/em> \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043a\u0435\u043d\u0430:<\/p>\n

@RestController class AuthController(     private val jwtHelper: JwtHelper,     private val userDetailsService: UserDetailsService,     private val passwordEncoder: PasswordEncoder ) {     @PostMapping(path = [\"login\"], consumes = [MediaType.APPLICATION_FORM_URLENCODED_VALUE])     fun login(         @RequestParam username: String,         @RequestParam password: String     ): LoginResult {         val userDetails = try {             userDetailsService.loadUserByUsername(username)         } catch (e: UsernameNotFoundException) {             throw ResponseStatusException(HttpStatus.UNAUTHORIZED, \"User not found\")         }         if (passwordEncoder.matches(password, userDetails.password)) {             val claims: MutableMap<String, String> = HashMap()             claims[\"username\"] = username             val authorities = userDetails.authorities.joinToString { it.authority.toString() }             claims[\"authorities\"] = authorities             claims[\"userId\"] = 1.toString()             val jwt = jwtHelper.createJwtForClaims(username, claims)             return LoginResult(jwt)         }         throw ResponseStatusException(HttpStatus.UNAUTHORIZED, \"User not authenticated\")     } }<\/code><\/pre>\n
 Jwt \u0442\u043e\u043a\u0435\u043d \u0441\u043e\u0437\u0434\u0430\u0451\u0442\u0441\u044f \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c:<\/p>\n
@Component class JwtHelper(     @Value(\"\\${app.security.jwt.secret}\")     private val jwtSecret: String ) {     fun createJwtForClaims(subject: String, claims: Map<String, String>): String {         val jwtBuilder = JWT.create().withSubject(subject)         claims.forEach { (name: String, value: String) -> jwtBuilder.withClaim(name, value) }         return jwtBuilder             .withNotBefore(Date())             .withExpiresAt(DateUtils.addDays(Date(), 1))             .sign(Algorithm.HMAC256(jwtSecret))     } }<\/code><\/pre>\n
\n\u041f\u043e\u0447\u0435\u043c\u0443 \u043d\u0435 \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u0442\u044c \u0441\u0432\u043e\u0439 Authorization server<\/summary>\n
\n
Resource Owner Password Credentials Grant \u0431\u044b\u043b \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d <\/a>\u0438\u0437 \u0441\u043f\u0435\u0446\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 OAuth 2.1. \u041e\u0441\u0442\u0430\u043b\u044c\u043d\u044b\u0435 grant types \u043f\u043e\u0434\u0445\u043e\u0434\u044f\u0442 \u0434\u043b\u044f third party authorization servers. \u0415\u0441\u043b\u0438 \u043c\u044b \u0445\u043e\u0442\u0438\u043c \u0438\u043c\u0435\u0442 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u043b\u043e\u0433\u0438\u043d\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043f\u0430\u0440\u043e\u043b\u044f — endpoint \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0441\u043b\u0443\u0436\u0438\u0442\u044c \u0445\u043e\u0440\u043e\u0448\u0438\u043c \u0441\u0442\u0430\u0440\u0442\u043e\u043c. \u041f\u043e\u0437\u0436\u0435 \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0441\u0442\u0440\u043e\u0438\u0442\u044c third party authentication, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e firebase<\/a>.<\/p>\n<\/div>\n<\/details>\n
\n\u041f\u043e\u0447\u0435\u043c\u0443 \u0432 \u0434\u0430\u043d\u043d\u043e\u043c \u043f\u0440\u0438\u043c\u0435\u0440\u0435 \u043d\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f Keycloak<\/summary>\n
\n
Keycloak \u044d\u0442\u043e \u043e\u0442\u0434\u0435\u043b\u044c\u043d\u043e\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u0441\u043e \u0441\u0432\u043e\u0435\u0439 \u0411\u0414. \u0414\u043b\u044f \u043e\u043f\u0438\u0442\u043c\u0438\u0437\u0430\u0446\u0438\u0438 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432 \u0438 \u043f\u0440\u043e\u0441\u0442\u043e\u0442\u044b \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u043b\u0435\u0433\u0447\u0435 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0442\u044c \u043c\u043e\u0434\u0435\u043b\u044c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0441\u0432\u043e\u0435\u0433\u043e \u0431\u0438\u0437\u043d\u0435\u0441\u0430 \u0430 \u043d\u0435 \u0443\u043d\u0438\u0432\u0435\u0440\u0441\u0430\u043b\u044c\u043d\u0443\u044e \u043c\u043e\u0434\u0435\u043b\u044c <\/a>\u043e\u0442 Red Hat.<\/p>\n<\/div>\n<\/details>\n
\u0410\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f<\/h2>\n
\u0414\u043b\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0431\u0443\u0434\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c OAuth2 Resource Server<\/a>. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0441\u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0438\u0440\u0443\u0435\u043c JwtDecoder:<\/p>\n
@Configuration class JwtConfiguration(     @Value(\"\\${app.security.jwt.secret}\")     private val jwtSecret: String ) {     @Bean     fun jwtDecoder(): JwtDecoder {         val key = jwtSecret.toByteArray()         val originalKey: SecretKey = SecretKeySpec(key, 0, key.size, \"AES\")         return NimbusJwtDecoder.withSecretKey(originalKey).build()     } }<\/code><\/pre>\n
\u0422\u0430\u043a \u0436\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0441\u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0438\u0440\u043e\u0432\u0430\u0442\u044c WebSecurityConfig:<\/p>\n
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) class WebSecurityConfig : WebSecurityConfigurerAdapter() {     override fun configure(http: HttpSecurity) {         http             .cors()             .and()             .csrf().disable()             .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)             .and()             .authorizeRequests{ configurer ->                 configurer                     .anyRequest()                     .authenticated()             }             .oauth2ResourceServer { obj: OAuth2ResourceServerConfigurer<HttpSecurity?> -> obj.jwt() }     } }<\/code><\/pre>\n
\u041f\u0440\u043e\u0431\u0440\u043e\u0441 JWT \u0442\u043e\u043a\u0435\u043d\u0430 \u0434\u043b\u044f \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432<\/h2>\n
\u041d\u0438\u0436\u0435 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d endpoint \u0434\u043b\u044f \u043f\u043e\u0441\u044b\u043b\u043a\u0438 \u043f\u0438\u0441\u044c\u043c\u0430 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f email. \u041e\u0431\u0440\u0430\u0442\u0438\u0442\u0435 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u0435 \u0447\u0442\u043e Authorization header \u043f\u0440\u043e\u0431\u0440\u0430\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0432 \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0439 \u0437\u0430\u043f\u0440\u043e\u0441.<\/p>\n
@RestController class NotificationController() {      private val logger = KotlinLogging.logger {  }      @PostMapping(\"\/verifyEmail\")     fun verifyEmail(@RequestHeader(\"Authorization\") authHeader: String) {         val headers = HttpHeaders()         headers.set(\"Authorization\", authHeader)          val restTemplate = RestTemplate()         val response = restTemplate.exchange(             \"http:\/\/localhost:8087\/internal\/userDetails\",             HttpMethod.GET,             HttpEntity<Any>(headers),             object : ParameterizedTypeReference<String>() {})         logger.info { \"TODO: sent verify email to ${response.body}\" }     } }<\/code><\/pre>\n
\u041c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440 \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f userDetails:<\/p>\n
@RestController @RequestMapping(\"\/internal\") class InternalController() {      private val logger = KotlinLogging.logger {  }      @GetMapping(\"\/userDetails\")     fun getUser(authentication: Authentication): String {         logger.info { \"TODO: obtain user name for user ${authentication.name}\" }         return \"John Doe\"     } }<\/code><\/pre>\n
\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 service account \u0434\u043b\u044f scheduled job<\/h2>\n
\u0414\u043e\u043f\u0443\u0441\u0442\u0438\u043c \u0432 Notification <\/em>\u0435\u0441\u0442\u044c \u0435\u0436\u0435\u0434\u043d\u0435\u0432\u043d\u0430\u044f \u0437\u0430\u0434\u0430\u0447\u0430 \u043f\u043e \u0440\u0430\u0441\u0441\u044b\u043b\u043a\u0435 \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u043d\u0443\u0436\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0438\u0437 Account. <\/em>\u0414\u043e\u0431\u0430\u0432\u0438\u043c \u0432 InternalController<\/code> endpoint:<\/p>\n
@GetMapping(\"\/users\") fun getUsers(): List<String> {     return listOf(\"user@mail.com\") }<\/code><\/pre>\n
\u041e\u0434\u043d\u0430\u043a\u043e \u043f\u0435\u0440\u0435\u043e\u0434\u0438\u0447\u0435\u0441\u043a\u0430\u044f \u0437\u0430\u0434\u0430\u0447\u0430 \u043d\u0435 \u0438\u043d\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c. \u041f\u043e\u044d\u0442\u043e\u043c\u0443 \u0434\u043b\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a endpoint \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c service account(\u043f\u043e \u043f\u0440\u0438\u043c\u0435\u0440\u0443 google cloud<\/a> \u0438\u043b\u0438 kubernetes<\/a>). \u041e\u0431\u044a\u044f\u0432\u0438\u043c ServiceAuthenticationToken<\/code> \u0434\u043b\u044f \u043d\u043e\u0432\u043e\u0433\u043e \u0442\u0438\u043f\u0430 Authentication<\/em>:<\/p>\n
class ServiceAuthenticationToken(     val token: String ): AbstractAuthenticationToken(emptyList()) {     override fun getCredentials(): Any {         return token     }     override fun getPrincipal(): Any {         return token     } }<\/code><\/pre>\n
\u0414\u0430\u043b\u0435\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c ServiceAuthenticationProvider<\/code>:<\/p>\n
@Component class ServiceAuthenticationProvider(     @Value(\"\\${app.security.service.token}\")     private val serviceToken: String, ) : AuthenticationProvider {      override fun authenticate(authentication: Authentication): Authentication {         val name = authentication.name         val password = authentication.credentials.toString()         return if (isServiceTokenValid(authentication as ServiceAuthenticationToken)) {             UsernamePasswordAuthenticationToken(name, password, emptyList())         } else {             throw AuthenticationServiceException(\"Unknown service ${authentication.name}\")         }     }      private fun isServiceTokenValid(authentication: ServiceAuthenticationToken) = authentication.token == serviceToken      override fun supports(authentication: Class<*>): Boolean {         return authentication == ServiceAuthenticationToken::class.java     } }<\/code><\/pre>\n
\u0422\u0430\u043a\u0436\u0435 \u043d\u0430\u0434\u043e \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c ServiceTokenAuthenticationFilter:<\/p>\n
class ServiceTokenAuthenticationFilter(     private val authenticationManager: ServiceAuthenticationProvider, ) : OncePerRequestFilter() {      override fun doFilterInternal(         request: HttpServletRequest,         response: HttpServletResponse,         filterChain: FilterChain     ) {         val authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION)         if (!StringUtils.startsWithIgnoreCase(authorizationHeader, \"service\")) {             filterChain.doFilter(request, response)             return         }         val matcher = authorizationPattern.matcher(authorizationHeader)         if (!matcher.matches()) {             throw AuthenticationServiceException(\"Service token is malformed\")         }         val token = matcher.group(\"token\")          try {             val authenticationResult = authenticationManager.authenticate(ServiceAuthenticationToken(token))             val context = SecurityContextHolder.createEmptyContext()             context.authentication = authenticationResult             SecurityContextHolder.setContext(context)             if (logger.isDebugEnabled) {                 this.logger.debug(LogMessage.format(\"Set SecurityContextHolder to %s\", authenticationResult))             }             filterChain.doFilter(request, response)         } catch (failed: AuthenticationException) {             SecurityContextHolder.clearContext()             logger.trace(\"Failed to process authentication request\", failed)             authenticationEntryPoint.commence(request, response, failed)         }     }      companion object {         val authorizationPattern = Pattern.compile(             \"^Service (?<token>[a-zA-Z0-9-._~+\/]+=*)$\",             Pattern.CASE_INSENSITIVE         )         val authenticationEntryPoint = AuthenticationEntryPoint {                 request, response, authException -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED)         }     } }<\/code><\/pre>\n
\u0415\u0449\u0451 \u043d\u0430\u0434\u043e \u0434\u043e\u0431\u0430\u0432\u0438\u0442\u044c \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0444\u0438\u043b\u044c\u0442\u0440  \u0432 WebSecurityConfig<\/code>:<\/p>\n
@Component class WebSecurityConfig(     private val passwordEncoder: PasswordEncoder,     private val serviceAuthenticationProvider: ServiceAuthenticationProvider, ) : WebSecurityConfigurerAdapter() {      override fun configure(builder: AuthenticationManagerBuilder) {         builder.authenticationProvider(serviceAuthenticationProvider)     }      override fun configure(http: HttpSecurity) {         http             .addFilterAfter(                 ServiceTokenAuthenticationFilter(serviceAuthenticationProvider),                 BasicAuthenticationFilter::class.java)             .cors()             .and()             .csrf().disable()             .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)             .and()             .authorizeRequests{ configurer ->                     configurer                         .antMatchers(                             \"\/error\",                             \"\/login\"                         )                         .permitAll()                         .anyRequest()                         .authenticated()                 }             .oauth2ResourceServer { obj: OAuth2ResourceServerConfigurer<HttpSecurity?> -> obj.jwt() }     }      @Bean     override fun userDetailsService(): UserDetailsService {         val user1 = User             .withUsername(\"user@mail.com\")             .authorities(\"USER\")             .passwordEncoder { rawPassword: String? -> passwordEncoder.encode(rawPassword) }             .password(\"1234\")             .build()         val userDetailsManager = InMemoryUserDetailsManager()         userDetailsManager.createUser(user1)         return userDetailsManager     } }<\/code><\/pre>\n
\u0422\u0435\u043f\u0435\u0440\u044c \u043e\u0441\u0442\u0430\u043b\u043e\u0441\u044c \u0441\u043e\u0437\u0434\u0430\u0442\u044c Daily Job \u0432 Notification<\/em>: <\/p>\n
@Component class DailyNotificationJob(     @Value(\"\\${app.security.service.token}\")     private val serviceToken: String, ) {      private val logger = KotlinLogging.logger {  }      @Scheduled(fixedDelay = DateUtils.MILLIS_PER_DAY)     fun process() {         val headers = HttpHeaders()         headers.set(\"Authorization\", \"Service $serviceToken\")          val restTemplate = RestTemplate()         val response = restTemplate.exchange(             \"http:\/\/localhost:8087\/internal\/users\",             HttpMethod.GET,             HttpEntity<Any>(headers),             object : ParameterizedTypeReference<List<String>>() {})         logger.info { \"TODO: notify user: ${response.body}\" }     } }<\/code><\/pre>\n
DailyNotificationJob<\/code> \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u0441\u044f \u0441\u0440\u0430\u0437\u0443 \u043f\u043e\u0441\u043b\u0435 \u0437\u0430\u043f\u0443\u0441\u043a\u0430 Notification<\/em> \u0438 \u0431\u0443\u0434\u0435\u0442 \u043f\u043e\u0432\u0442\u043e\u0440\u044f\u0442\u044c\u0441\u044f \u043a\u0430\u0436\u0434\u044b\u0439 \u0434\u0435\u043d\u044c. \u041f\u043e\u0434\u0435\u0440\u0433\u0430\u0442\u044c \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u043c\u043e\u0436\u043d\u043e \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e Postman collection<\/a>. \u0412\u0441\u0435 \u0438\u0441\u0445\u043e\u0434\u043d\u0438\u043a\u0438 \u043c\u043e\u0436\u043d\u043e \u043f\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u0432 github<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n
<\/div>\n<\/div>\n
  
 \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438  https:\/\/habr.com\/ru\/post\/658973\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
<\/div>\n
\n
\n
\n
\n
\u041d\u0435 \u0442\u0430\u043a \u0434\u0430\u0432\u043d\u043e \u044f \u043d\u0430\u0447\u0438\u043d\u0430\u043b \u0441\u0432\u043e\u0439 \u043f\u0435\u0440\u0432\u044b\u0439 \u043f\u0440\u043e\u0435\u043a\u0442 \u0441 \u043c\u0438\u043a\u0440\u043e\u0441\u0435\u0440\u0432\u0438\u0441\u0430\u043c\u0438 \u0438 \u043d\u0435 \u0437\u043d\u0430\u043b \u043a\u0430\u043a \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u0442\u044c security. \u0421\u0435\u0439\u0447\u0430\u0441 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043f\u043e \u044d\u0442\u043e\u043c\u0443 \u0432\u043e\u043f\u0440\u043e\u0441\u0443 \u0443\u0436\u0435 \u0431\u043e\u043b\u044c\u0448\u0435 \u043e\u0434\u043d\u0430\u043a\u043e \u043e\u043d\u0430 \u043d\u0435 \u0432\u0441\u0435\u0433\u0434\u0430 \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u0430 \u0438 \u043a\u0430\u043a \u043f\u0440\u0430\u0432\u0438\u043b\u043e \u043d\u0435 \u0440\u0430\u0441\u043a\u0440\u044b\u0432\u0430\u0435\u0442 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443 security \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u043e\u0433\u043e \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f. \u041f\u043e\u044d\u0442\u043e\u043c\u0443 \u044f \u0440\u0435\u0448\u0438\u043b \u043d\u0430\u043f\u0438\u0441\u0430\u0442\u044c \u043a\u0430\u043a \u0431\u044b \u044f \u0440\u0435\u0448\u0430\u043b \u044d\u0442\u0443 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443 \u043d\u0430 \u0441\u0435\u0433\u043e\u0434\u043d\u044f\u0448\u043d\u0438\u0439 \u0434\u0435\u043d\u044c.<\/p>\n
<\/figcaption><\/figure>\n
\u0417\u0430\u0434\u0430\u0447\u0430<\/h2>\n
\u0415\u0441\u0442\u044c \u0434\u0432\u0430 \u043c\u0438\u043a\u0440\u043e\u0441\u0435\u0440\u0432\u0438\u0441\u0430: Account<\/em> \u0438 Notification<\/em>. Account<\/em> \u0445\u0440\u0430\u043d\u0438\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u0445, Notification<\/em> \u0440\u0430\u0441\u0441\u044b\u043b\u0430\u0435\u0442 \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u044f. \u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u0442\u044c \u0440\u0430\u043d\u0435\u0435 \u0441\u043e\u0445\u0440\u0430\u043d\u0451\u043d\u043d\u044b\u0439 email, \u0432\u044b\u0437\u0432\u0430\u0432 endpoint \u0432 Notification<\/em>. \u0412 \u0442\u0435\u043b\u0435 \u043f\u0438\u0441\u044c\u043c\u0430 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f \u043d\u0443\u0436\u043d\u043e \u043f\u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0434\u0435\u0430\u0442\u043b\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0445\u0440\u0430\u043d\u044f\u0442\u0441\u044f \u0432 Account. <\/em>\u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0431\u0443\u0434\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0439 http endpoint, \u0430 \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u0434\u043e\u043b\u0436\u043d\u044b \u0431\u044b\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b \u0442\u043e\u043b\u044c\u043a\u043e authenticated users. <\/p>\n
<\/figcaption><\/figure>\n
\u0421\u0431\u043e\u0440\u043a\u0430 \u043f\u0440\u043e\u0435\u043a\u0442\u0430<\/h2>\n
\u0414\u043b\u044f \u0441\u0431\u043e\u0440\u043a\u0438 \u043f\u0440\u043e\u0435\u043a\u0442\u0430 \u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e gradle \u0438 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 spring boot \u0438 \u043f\u0440\u043e\u0447\u0438\u0445 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a \u043d\u0430 \u043c\u043e\u043c\u0435\u043d\u0442 \u043d\u0430\u043f\u0438\u0441\u0430\u043d\u0438\u044f \u0441\u0442\u0430\u0442\u044c\u0438. \u0427\u0442\u043e\u0431 \u0442\u0435\u043a\u0441\u0442 \u043d\u0435 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0441\u044f \u0441\u043b\u0438\u0448\u043a\u043e\u043c \u0431\u043e\u043b\u044c\u0448\u043e\u0439 gradle \u043a\u043e\u0434 \u0434\u043e\u0441\u0442\u0443\u043f\u0435\u043d \u0432 github(\u0441\u0441\u044b\u043b\u043a\u0430 \u0432 \u043a\u043e\u043d\u0446\u0435).<\/p>\n
\u041f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u0435 JWT \u0442\u043e\u043a\u0435\u043d\u0430<\/h2>\n
\u0427\u0442\u043e\u0431 \u043d\u0435 \u043e\u0442\u0445\u043e\u0434\u0438\u0442\u044c \u043e\u0442 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043e\u0432 \u043c\u0438\u043a\u0440\u043e\u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432 \u0431\u0443\u0434\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c JWT \u0442\u043e\u043a\u0435\u043d. \u0414\u043e\u0431\u0430\u0432\u0438\u043c endpoint \u0432 Account<\/em> \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043a\u0435\u043d\u0430:<\/p>\n
@RestController class AuthController(     private val jwtHelper: JwtHelper,     private val userDetailsService: UserDetailsService,     private val passwordEncoder: PasswordEncoder ) {     @PostMapping(path = [\"login\"], consumes = [MediaType.APPLICATION_FORM_URLENCODED_VALUE])     fun login(         @RequestParam username: String,         @RequestParam password: String     ): LoginResult {         val userDetails = try {             userDetailsService.loadUserByUsername(username)         } catch (e: UsernameNotFoundException) {             throw ResponseStatusException(HttpStatus.UNAUTHORIZED, \"User not found\")         }         if (passwordEncoder.matches(password, userDetails.password)) {             val claims: MutableMap<String, String> = HashMap()             claims[\"username\"] = username             val authorities = userDetails.authorities.joinToString { it.authority.toString() }             claims[\"authorities\"] = authorities             claims[\"userId\"] = 1.toString()             val jwt = jwtHelper.createJwtForClaims(username, claims)             return LoginResult(jwt)         }         throw ResponseStatusException(HttpStatus.UNAUTHORIZED, \"User not authenticated\")     } }<\/code><\/pre>\n
 Jwt \u0442\u043e\u043a\u0435\u043d \u0441\u043e\u0437\u0434\u0430\u0451\u0442\u0441\u044f \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c:<\/p>\n
@Component class JwtHelper(     @Value(\"\\${app.security.jwt.secret}\")     private val jwtSecret: String ) {     fun createJwtForClaims(subject: String, claims: Map<String, String>): String {         val jwtBuilder = JWT.create().withSubject(subject)         claims.forEach { (name: String, value: String) -> jwtBuilder.withClaim(name, value) }         return jwtBuilder             .withNotBefore(Date())             .withExpiresAt(DateUtils.addDays(Date(), 1))             .sign(Algorithm.HMAC256(jwtSecret))     } }<\/code><\/pre>\n
\n\u041f\u043e\u0447\u0435\u043c\u0443 \u043d\u0435 \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u0442\u044c \u0441\u0432\u043e\u0439 Authorization server<\/summary>\n
\n
Resource Owner Password Credentials Grant \u0431\u044b\u043b \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d <\/a>\u0438\u0437 \u0441\u043f\u0435\u0446\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 OAuth 2.1. \u041e\u0441\u0442\u0430\u043b\u044c\u043d\u044b\u0435 grant types \u043f\u043e\u0434\u0445\u043e\u0434\u044f\u0442 \u0434\u043b\u044f third party authorization servers. \u0415\u0441\u043b\u0438 \u043c\u044b \u0445\u043e\u0442\u0438\u043c \u0438\u043c\u0435\u0442 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u043b\u043e\u0433\u0438\u043d\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043f\u0430\u0440\u043e\u043b\u044f — endpoint \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0441\u043b\u0443\u0436\u0438\u0442\u044c \u0445\u043e\u0440\u043e\u0448\u0438\u043c \u0441\u0442\u0430\u0440\u0442\u043e\u043c. \u041f\u043e\u0437\u0436\u0435 \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0441\u0442\u0440\u043e\u0438\u0442\u044c third party authentication, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e firebase<\/a>.<\/p>\n<\/div>\n<\/details>\n
\n\u041f\u043e\u0447\u0435\u043c\u0443 \u0432 \u0434\u0430\u043d\u043d\u043e\u043c \u043f\u0440\u0438\u043c\u0435\u0440\u0435 \u043d\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f Keycloak<\/summary>\n
\n
Keycloak \u044d\u0442\u043e \u043e\u0442\u0434\u0435\u043b\u044c\u043d\u043e\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u0441\u043e \u0441\u0432\u043e\u0435\u0439 \u0411\u0414. \u0414\u043b\u044f \u043e\u043f\u0438\u0442\u043c\u0438\u0437\u0430\u0446\u0438\u0438 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432 \u0438 \u043f\u0440\u043e\u0441\u0442\u043e\u0442\u044b \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u043b\u0435\u0433\u0447\u0435 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0442\u044c \u043c\u043e\u0434\u0435\u043b\u044c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0441\u0432\u043e\u0435\u0433\u043e \u0431\u0438\u0437\u043d\u0435\u0441\u0430 \u0430 \u043d\u0435 \u0443\u043d\u0438\u0432\u0435\u0440\u0441\u0430\u043b\u044c\u043d\u0443\u044e \u043c\u043e\u0434\u0435\u043b\u044c <\/a>\u043e\u0442 Red Hat.<\/p>\n<\/div>\n<\/details>\n
\u0410\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f<\/h2>\n
\u0414\u043b\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0431\u0443\u0434\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c OAuth2 Resource Server<\/a>. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0441\u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0438\u0440\u0443\u0435\u043c JwtDecoder:<\/p>\n
@Configuration class JwtConfiguration(     @Value(\"\\${app.security.jwt.secret}\")     private val jwtSecret: String ) {     @Bean     fun jwtDecoder(): JwtDecoder {         val key = jwtSecret.toByteArray()         val originalKey: SecretKey = SecretKeySpec(key, 0, key.size, \"AES\")         return NimbusJwtDecoder.withSecretKey(originalKey).build()     } }<\/code><\/pre>\n
\u0422\u0430\u043a \u0436\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0441\u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0438\u0440\u043e\u0432\u0430\u0442\u044c WebSecurityConfig:<\/p>\n
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) class WebSecurityConfig : WebSecurityConfigurerAdapter() {     override fun configure(http: HttpSecurity) {         http             .cors()             .and()             .csrf().disable()             .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)             .and()             .authorizeRequests{ configurer ->                 configurer                     .anyRequest()                     .authenticated()             }             .oauth2ResourceServer { obj: OAuth2ResourceServerConfigurer<HttpSecurity?> -> obj.jwt() }     } }<\/code><\/pre>\n
\u041f\u0440\u043e\u0431\u0440\u043e\u0441 JWT \u0442\u043e\u043a\u0435\u043d\u0430 \u0434\u043b\u044f \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432<\/h2>\n
\u041d\u0438\u0436\u0435 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d endpoint \u0434\u043b\u044f \u043f\u043e\u0441\u044b\u043b\u043a\u0438 \u043f\u0438\u0441\u044c\u043c\u0430 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f email. \u041e\u0431\u0440\u0430\u0442\u0438\u0442\u0435 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u0435 \u0447\u0442\u043e Authorization header \u043f\u0440\u043e\u0431\u0440\u0430\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0432 \u043c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0439 \u0437\u0430\u043f\u0440\u043e\u0441.<\/p>\n
@RestController class NotificationController() {      private val logger = KotlinLogging.logger {  }      @PostMapping(\"\/verifyEmail\")     fun verifyEmail(@RequestHeader(\"Authorization\") authHeader: String) {         val headers = HttpHeaders()         headers.set(\"Authorization\", authHeader)          val restTemplate = RestTemplate()         val response = restTemplate.exchange(             \"http:\/\/localhost:8087\/internal\/userDetails\",             HttpMethod.GET,             HttpEntity<Any>(headers),             object : ParameterizedTypeReference<String>() {})         logger.info { \"TODO: sent verify email to ${response.body}\" }     } }<\/code><\/pre>\n
\u041c\u0435\u0436\u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440 \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f userDetails:<\/p>\n
@RestController @RequestMapping(\"\/internal\") class InternalController() {      private val logger = KotlinLogging.logger {  }      @GetMapping(\"\/userDetails\")     fun getUser(authentication: Authentication): String {         logger.info { \"TODO: obtain user name for user ${authentication.name}\" }         return \"John Doe\"     } }<\/code><\/pre>\n
\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 service account \u0434\u043b\u044f scheduled job<\/h2>\n
\u0414\u043e\u043f\u0443\u0441\u0442\u0438\u043c \u0432 Notification <\/em>\u0435\u0441\u0442\u044c \u0435\u0436\u0435\u0434\u043d\u0435\u0432\u043d\u0430\u044f \u0437\u0430\u0434\u0430\u0447\u0430 \u043f\u043e \u0440\u0430\u0441\u0441\u044b\u043b\u043a\u0435 \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u043d\u0443\u0436\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0438\u0437 Account. <\/em>\u0414\u043e\u0431\u0430\u0432\u0438\u043c \u0432 InternalController<\/code> endpoint:<\/p>\n
@GetMapping(\"\/users\") fun getUsers(): List<String> {     return listOf(\"user@mail.com\") }<\/code><\/pre>\n
\u041e\u0434\u043d\u0430\u043a\u043e \u043f\u0435\u0440\u0435\u043e\u0434\u0438\u0447\u0435\u0441\u043a\u0430\u044f \u0437\u0430\u0434\u0430\u0447\u0430 \u043d\u0435 \u0438\u043d\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c. \u041f\u043e\u044d\u0442\u043e\u043c\u0443 \u0434\u043b\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a endpoint \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c service account(\u043f\u043e \u043f\u0440\u0438\u043c\u0435\u0440\u0443 google cloud<\/a> \u0438\u043b\u0438 kubernetes<\/a>). \u041e\u0431\u044a\u044f\u0432\u0438\u043c ServiceAuthenticationToken<\/code> \u0434\u043b\u044f \u043d\u043e\u0432\u043e\u0433\u043e \u0442\u0438\u043f\u0430 Authentication<\/em>:<\/p>\n
class ServiceAuthenticationToken(     val token: String ): AbstractAuthenticationToken(emptyList()) {     override fun getCredentials(): Any {         return token     }     override fun getPrincipal(): Any {         return token     } }<\/code><\/pre>\n
\u0414\u0430\u043b\u0435\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c ServiceAuthenticationProvider<\/code>:<\/p>\n
@Component class ServiceAuthenticationProvider(     @Value(\"\\${app.security.service.token}\")     private val serviceToken: String, ) : AuthenticationProvider {      override fun authenticate(authentication: Authentication): Authentication {         val name = authentication.name         val password = authentication.credentials.toString()         return if (isServiceTokenValid(authentication as ServiceAuthenticationToken)) {             UsernamePasswordAuthenticationToken(name, password, emptyList())         } else {             throw AuthenticationServiceException(\"Unknown service ${authentication.name}\")         }     }      private fun isServiceTokenValid(authentication: ServiceAuthenticationToken) = authentication.token == serviceToken      override fun supports(authentication: Class<*>): Boolean {         return authentication == ServiceAuthenticationToken::class.java     } }<\/code><\/pre>\n
\u0422\u0430\u043a\u0436\u0435 \u043d\u0430\u0434\u043e \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c ServiceTokenAuthenticationFilter:<\/p>\n
class ServiceTokenAuthenticationFilter(     private val authenticationManager: ServiceAuthenticationProvider, ) : OncePerRequestFilter() {      override fun doFilterInternal(         request: HttpServletRequest,         response: HttpServletResponse,         filterChain: FilterChain     ) {         val authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION)         if (!StringUtils.startsWithIgnoreCase(authorizationHeader, \"service\")) {             filterChain.doFilter(request, response)             return         }         val matcher = authorizationPattern.matcher(authorizationHeader)         if (!matcher.matches()) {             throw AuthenticationServiceException(\"Service token is malformed\")         }         val token = matcher.group(\"token\")          try {             val authenticationResult = authenticationManager.authenticate(ServiceAuthenticationToken(token))             val context = SecurityContextHolder.createEmptyContext()             context.authentication = authenticationResult             SecurityContextHolder.setContext(context)             if (logger.isDebugEnabled) {                 this.logger.debug(LogMessage.format(\"Set SecurityContextHolder to %s\", authenticationResult))             }             filterChain.doFilter(request, response)         } catch (failed: AuthenticationException) {             SecurityContextHolder.clearContext()             logger.trace(\"Failed to process authentication request\", failed)             authenticationEntryPoint.commence(request, response, failed)         }     }      companion object {         val authorizationPattern = Pattern.compile(             \"^Service (?<token>[a-zA-Z0-9-._~+\/]+=*)$\",             Pattern.CASE_INSENSITIVE         )         val authenticationEntryPoint = AuthenticationEntryPoint {                 request, response, authException -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED)         }     } }<\/code><\/pre>\n
\u0415\u0449\u0451 \u043d\u0430\u0434\u043e \u0434\u043e\u0431\u0430\u0432\u0438\u0442\u044c \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0444\u0438\u043b\u044c\u0442\u0440  \u0432 WebSecurityConfig<\/code>:<\/p>\n
@Component class WebSecurityConfig(     private val passwordEncoder: PasswordEncoder,     private val serviceAuthenticationProvider: ServiceAuthenticationProvider, ) : WebSecurityConfigurerAdapter() {      override fun configure(builder: AuthenticationManagerBuilder) {<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-331481","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/331481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=331481"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/331481\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=331481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=331481"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=331481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}