add: oauth2 jwt

Author: ThisAster

pom.xml

@@ -51,6 +51,15 @@
             <scope>provided</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-oauth2-authorization-server</artifactId>
+            <version>1.4.3</version>
+        </dependency>
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt-api</artifactId>

src/main/java/com/thisaster/testtask/auth/config/EncodersConfig.java

@@ -0,0 +1,43 @@
+package com.thisaster.testtask.auth.config;
+
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.proc.SecurityContext;
+import com.thisaster.testtask.auth.config.RsaKeyConfig.RsaKeyPair;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtEncoder;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
+
+@Configuration
+@RequiredArgsConstructor
+public class EncodersConfig {
+
+    private final RsaKeyPair rsaKeys;
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder(12);
+    }
+
+    @Bean
+    public JwtEncoder jwtEncoder() {
+        RSAKey jwk = new RSAKey.Builder(rsaKeys.publicKey())
+                .privateKey(rsaKeys.privateKey())
+                .build();
+        JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(jwk));
+        return new NimbusJwtEncoder(jwkSource);
+    }
+
+    @Bean
+    public JwtDecoder jwtDecoder() {
+        return NimbusJwtDecoder.withPublicKey(rsaKeys.publicKey()).build();
+    }
+}

src/main/java/com/thisaster/testtask/auth/config/JwtAuthenticationFilter.java

@@ -0,0 +1,42 @@
+package com.thisaster.testtask.auth.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.security.KeyFactory;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+
+@Configuration
+public class RsaKeyConfig {
+
+    @Value("${jwt.privateKey}")
+    private String privateKeyStr;
+
+    @Value("${jwt.publicKey}")
+    private String publicKeyStr;
+
+    @Bean
+    public RsaKeyPair rsaKeys() {
+        try {
+            byte[] privateBytes = Base64.getDecoder().decode(privateKeyStr.replaceAll("\\s+", ""));
+            byte[] publicBytes = Base64.getDecoder().decode(publicKeyStr.replaceAll("\\s+", ""));
+
+            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+
+            RSAPrivateKey privateKey = (RSAPrivateKey) keyFactory.generatePrivate(new PKCS8EncodedKeySpec(privateBytes));
+            RSAPublicKey publicKey = (RSAPublicKey) keyFactory.generatePublic(new X509EncodedKeySpec(publicBytes));
+
+            return new RsaKeyPair(publicKey, privateKey);
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to parse RSA keys", e);
+        }
+    }
+
+    public record RsaKeyPair(RSAPublicKey publicKey, RSAPrivateKey privateKey) {
+    }
+}

src/main/java/com/thisaster/testtask/auth/config/PasswordEncoderConfig.java

@@ -4,55 +4,62 @@
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
-import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
 @EnableWebSecurity
 @EnableMethodSecurity
 @RequiredArgsConstructor
 public class SecurityConfiguration {
 
-    private final JwtAuthenticationFilter jwtAuthenticationFilter;
     private final SecurityUserDetailsService userDetailsService;
     private final JwtAuthenticationEntryPoint jwtAuthEntryPoint;
     private final PasswordEncoder passwordEncoder;
+    private final JwtDecoder jwtDecoder;
 
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http
                 .csrf(AbstractHttpConfigurer::disable)
                 .authorizeHttpRequests(request -> request
+                        .requestMatchers("/api/auth/register").access(AuthorityAuthorizationManager.hasRole("SUPERVISOR"))
                         .requestMatchers("/api", "/swagger-ui/**", "/v1/api-docs/**").permitAll()
                         .requestMatchers("/api/auth/login").permitAll()
                         .anyRequest().authenticated())
                 .exceptionHandling(ex -> ex
                         .authenticationEntryPoint(jwtAuthEntryPoint))
                 .sessionManagement(manager -> manager.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
+                .oauth2ResourceServer(rs -> rs
+                        .jwt((jwt) -> jwt.decoder(jwtDecoder).jwtAuthenticationConverter(jwtAuthenticationConverter()))
+                )
                 .authenticationProvider(authenticationProvider());
 
         return http.build();
     }
 
     @Bean
-    public RoleHierarchy roleHierarchy() {
-        return RoleHierarchyImpl.fromHierarchy("""
-            ROLE_SUPERVISOR > ROLE_ADMIN
-            ROLE_ADMIN > ROLE_USER
-        """);
+    public JwtAuthenticationConverter jwtAuthenticationConverter() {
+        JwtGrantedAuthoritiesConverter converter = new JwtGrantedAuthoritiesConverter();
+        converter.setAuthorityPrefix("");
+        converter.setAuthoritiesClaimName("roles");
+
+        JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
+        jwtConverter.setJwtGrantedAuthoritiesConverter(converter);
+        return jwtConverter;
     }
 
 

src/main/java/com/thisaster/testtask/auth/config/RsaKeyConfig.java

@@ -2,15 +2,14 @@
 
 import com.thisaster.testtask.auth.config.UserPrincipal;
 import com.thisaster.testtask.auth.service.AuthService;
-import com.thisaster.testtask.auth.service.JwtService;
+import com.thisaster.testtask.auth.utils.JWTUtils;
 import com.thisaster.testtask.user.dto.UserDTO;
 import com.thisaster.testtask.user.entity.User;
 import com.thisaster.testtask.user.service.UserService;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.validation.annotation.Validated;
@@ -27,7 +26,7 @@ public class AuthController {
 
     private final AuthService authService;
     private final AuthenticationManager authenticationManager;
-    private final JwtService jwtService;
+    private final JWTUtils jwtUtils;
     private final UserService userService;
 
     @PostMapping("/login")
@@ -38,14 +37,13 @@ public ResponseEntity<Void> login(@RequestBody @Validated UserDTO request) {
         authenticationManager.authenticate(authentication);
 
         User user = userService.getUserByLogin(request.getUsername());
-        String jwt = jwtService.generateToken(new UserPrincipal(user));
+        String jwt = jwtUtils.generateToken(new UserPrincipal(user));
         log.debug("Пользователь {} успешно авторизирован", request.getUsername());
         return ResponseEntity.ok()
                 .header("Authorization", "Bearer " + jwt)
                 .build();
     }
 
-    @PreAuthorize("hasRole('SUPERVISOR')")
     @PostMapping("/register")
     public ResponseEntity<?> register(@RequestBody @Validated UserDTO request) {
         authService.registerUser(request);