

Approov integration example using the Java Spring framework for stateless API.

APPROOV INTEGRATION IN A JAVA SPRING STATELESS API

The blog post can be found here

TLDR

This Approov Integration example shows how simple it is to integrate Approov in a stateless API server using Java and the Spring framework.

We will see the requirements, dependencies and a step-by-step walk-through of the code necessary to implement Approov in a Java Spring stateless API.

package com.criticalblue.approov.jwt;
import com.criticalblue.approov.jwt.authentication.*;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import java.util.Arrays;
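@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Approov configuration singleton. It is not referenced yet in this first
     * step of the integration; later steps hand it to the Approov
     * authentication provider and security context repository. Declared
     * {@code final}: it is resolved once at class-load time and must never be
     * reassigned.
     */
    private static final ApproovConfig approovConfig = ApproovConfig.getInstance();

    /**
     * CORS policy registered for every path ({@code /**}).
     *
     * <p>Only the GET method is listed. NOTE(review): no allowed origins or
     * headers are set in this block — confirm where the rest of the policy is
     * meant to come from.
     *
     * @return the URL-based CORS source holding that single policy
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedMethods(Arrays.asList("GET"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    /**
     * Leaves {@code /error} outside the security filter chain altogether, so
     * error responses are never blocked by authentication.
     *
     * @param web the web security builder
     * @throws Exception propagated from the Spring Security builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/error");
    }

    /**
     * Stateless API chain: HTTP Basic, form login, logout, CSRF and HTTP
     * sessions are all disabled, and the four GET endpoints are public.
     *
     * <p>Only GET requests to the listed paths have a rule here. NOTE(review):
     * requests with other methods or paths are not matched by any rule in this
     * chain — confirm that is intended; a closing {@code .anyRequest()} rule
     * would make the policy explicit.
     *
     * @param http the HTTP security builder for this chain
     * @throws Exception propagated from the Spring Security builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors();

        http
            .httpBasic().disable()
            .formLogin().disable()
            .logout().disable()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/").permitAll()
            .antMatchers(HttpMethod.GET, "/hello").permitAll()
            .antMatchers(HttpMethod.GET, "/shapes").permitAll()
            .antMatchers(HttpMethod.GET, "/forms").permitAll();
        // the four rules above can be reduced to:
        // .antMatchers(HttpMethod.GET, "/**").permitAll()
    }
}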
package com.criticalblue.approov.jwt;
import com.criticalblue.approov.jwt.authentication.*;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import java.util.Arrays;
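@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Approov configuration singleton shared with the nested filter chain.
     * Declared {@code final}: resolved once at class-load time and never
     * reassigned.
     */
    private static final ApproovConfig approovConfig = ApproovConfig.getInstance();

    /**
     * CORS policy registered for every path ({@code /**}).
     *
     * <p>Only the GET method is listed. NOTE(review): no allowed origins or
     * headers are set in this block — confirm where the rest of the policy is
     * meant to come from.
     *
     * @return the URL-based CORS source holding that single policy
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedMethods(Arrays.asList("GET"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    /**
     * Leaves {@code /error} outside the security filter chain altogether, so
     * error responses are never blocked by authentication.
     *
     * @param web the web security builder
     * @throws Exception propagated from the Spring Security builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/error");
    }

    /**
     * Public API chain, ordered first. At this step the Approov authentication
     * provider is registered, but every listed GET endpoint is still
     * {@code permitAll}, so nothing requires an Approov token yet.
     *
     * <p>NOTE(review): the outer class no longer overrides
     * {@code configure(HttpSecurity)}, so the adapter's default chain applies to
     * it; presumably this nested chain, which has no {@code antMatcher}, takes
     * every request first — confirm.
     */
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * Stateless baseline plus the public GET endpoints.
         *
         * @param http the HTTP security builder for this chain
         * @throws Exception propagated from the Spring Security builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.cors();

            http
                .httpBasic().disable()
                .formLogin().disable()
                .logout().disable()
                .csrf().disable()
                .authenticationProvider(new ApproovAuthenticationProvider(approovConfig))
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

            http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/").permitAll()
                .antMatchers(HttpMethod.GET, "/v2/hello").permitAll()
                .antMatchers(HttpMethod.GET, "/v2/shapes").permitAll()
                .antMatchers(HttpMethod.GET, "/v2/forms").permitAll();
            // the four rules above can be reduced to:
            // .antMatchers(HttpMethod.GET, "/**").permitAll()
        }
    }
}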
// Allow the Authorization and Approov-Token request headers in the CORS policy.
// These two lines belong inside corsConfigurationSource(), on the `configuration`
// object, as the full method below shows.
configuration.addAllowedHeader("Authorization");
configuration.addAllowedHeader("Approov-Token");
/**
 * CORS policy registered for every path ({@code /**}): GET only, with the
 * {@code Authorization} and {@code Approov-Token} request headers allowed.
 *
 * @return the URL-based CORS source holding that single policy
 */
@Bean
CorsConfigurationSource corsConfigurationSource() {
    final CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedMethods(Arrays.asList(new String[] {"GET"}));
    // Header order is kept as the tutorial lists it.
    for (String header : new String[] {"Authorization", "Approov-Token"}) {
        configuration.addAllowedHeader(header);
    }
    final UrlBasedCorsConfigurationSource corsSource = new UrlBasedCorsConfigurationSource();
    corsSource.registerCorsConfiguration("/**", configuration);
    return corsSource;
}
/**
 * Filter chain for {@code /v2/shapes}: a GET on that path must be authenticated.
 * The {@code false} flag handed to the security context repository presumably
 * leaves the token-binding check off — see ApproovSecurityContextRepository.
 * Ordered first so it is consulted ahead of the other chains declared in this file.
 */
@Configuration
@Order(1)
public static class ApproovWebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Applies the stateless baseline, the Approov security context handling
     * and the authorization rule for {@code /v2/shapes}.
     *
     * @param http the HTTP security builder for this chain
     * @throws Exception propagated from the Spring Security builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Stateless API baseline: CORS on, every browser-oriented mechanism off.
        http.cors();
        http.httpBasic().disable();
        http.formLogin().disable();
        http.logout().disable();
        http.csrf().disable();
        http.authenticationProvider(new ApproovAuthenticationProvider(approovConfig));
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // The Approov repository supplies the security context; the entry point
        // is what answers a request that is not authenticated.
        http.securityContext()
            .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, false));
        http.exceptionHandling()
            .authenticationEntryPoint(new ApproovAuthenticationEntryPoint());

        // This chain only applies to /v2/shapes, and GET on it must be authenticated.
        http.antMatcher("/v2/shapes")
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/v2/shapes").authenticated();

        // Add here more endpoints that you need to protect with the required
        // checks for the Approov token, e.g.:
        // http.antMatcher("/another-endpoint")
        //     .authorizeRequests()
        //     .antMatchers(HttpMethod.GET, "/another-endpoint").authenticated();
    }
}
// Illustrative excerpt, not compilable on its own: it only shows which rule to
// drop from the public API chain once the @Order(1) Approov chain owns /v2/shapes.
@Configuration
@Order(2)
public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
// omitted code ...
// Remove the permitAll rule for /v2/shapes so that only the Approov chain
// decides access to that path.
// REMOVE ALSO THIS LINE
.antMatchers(HttpMethod.GET, "/v2/shapes").permitAll()
// omitted code ...
}
/**
 * Filter chain for {@code /v2/forms}: a GET on that path must be authenticated.
 * The {@code true} flag handed to the security context repository presumably
 * turns the token-binding check on — see ApproovSecurityContextRepository.
 * Ordered second, after the plain Approov chain and before the public API chain
 * declared in this file.
 */
@Configuration
@Order(2)
public static class ApproovTokenBindingWebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Applies the stateless baseline, the Approov security context handling
     * with token binding and the authorization rule for {@code /v2/forms}.
     *
     * @param http the HTTP security builder for this chain
     * @throws Exception propagated from the Spring Security builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Stateless API baseline: CORS on, every browser-oriented mechanism off.
        http.cors();
        http.httpBasic().disable();
        http.formLogin().disable();
        http.logout().disable();
        http.csrf().disable();
        http.authenticationProvider(new ApproovAuthenticationProvider(approovConfig));
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // The Approov repository supplies the security context; the entry point
        // is what answers a request that is not authenticated.
        http.securityContext()
            .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, true));
        http.exceptionHandling()
            .authenticationEntryPoint(new ApproovAuthenticationEntryPoint());

        // This chain only applies to /v2/forms, and GET on it must be authenticated.
        http.antMatcher("/v2/forms")
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/v2/forms").authenticated();

        // Add here more endpoints that you need to protect with the required
        // and optional checks for the Approov token, e.g.:
        // http.antMatcher("/another-endpoint")
        //     .authorizeRequests()
        //     .antMatchers(HttpMethod.GET, "/another-endpoint").authenticated();
    }
}
// Illustrative excerpt, not compilable on its own: it only shows which rule to
// drop from the public API chain once the @Order(2) token-binding chain owns /v2/forms.
@Configuration
@Order(3)
public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
// omitted code ...
// Remove the permitAll rule for /v2/forms so that only the Approov token-binding
// chain decides access to that path.
// REMOVE ALSO THIS LINE
.antMatchers(HttpMethod.GET, "/v2/forms").permitAll()
// omitted code ...
}
package com.criticalblue.approov.jwt;
import com.criticalblue.approov.jwt.authentication.*;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import java.util.Arrays;
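@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Approov configuration singleton shared by the nested filter chains.
     * Declared {@code final}: resolved once at class-load time and never
     * reassigned.
     */
    private static final ApproovConfig approovConfig = ApproovConfig.getInstance();

    /**
     * CORS policy registered for every path ({@code /**}): GET only, with the
     * {@code Authorization} and {@code Approov-Token} request headers allowed.
     *
     * <p>NOTE(review): no allowed origins are set in this block — confirm where
     * they are meant to come from.
     *
     * @return the URL-based CORS source holding that single policy
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedMethods(Arrays.asList("GET"));
        configuration.addAllowedHeader("Authorization");
        configuration.addAllowedHeader("Approov-Token");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    /**
     * Leaves {@code /error} outside the security filter chain altogether, so
     * error responses are never blocked by authentication.
     *
     * @param web the web security builder
     * @throws Exception propagated from the Spring Security builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/error");
    }

    /**
     * Stateless baseline shared by every nested chain, extracted so the three
     * chains cannot drift apart: CORS enabled; HTTP Basic, form login, logout
     * and CSRF disabled; the Approov authentication provider registered; no
     * HTTP session created.
     *
     * @param http the HTTP security builder of the chain being configured
     * @throws Exception propagated from the Spring Security builder
     */
    private static void configureStatelessBaseline(HttpSecurity http) throws Exception {
        http.cors();

        http
            .httpBasic().disable()
            .formLogin().disable()
            .logout().disable()
            .csrf().disable()
            .authenticationProvider(new ApproovAuthenticationProvider(approovConfig))
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    /**
     * Chain for {@code /v2/shapes}: a GET on that path must be authenticated.
     * The {@code false} flag handed to the security context repository
     * presumably leaves the token-binding check off — see
     * ApproovSecurityContextRepository.
     */
    @Configuration
    @Order(1)
    public static class ApproovWebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * @param http the HTTP security builder for this chain
         * @throws Exception propagated from the Spring Security builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            configureStatelessBaseline(http);

            // The Approov repository supplies the security context; the entry
            // point answers a request that is not authenticated. The chain is
            // restricted to the exact path /v2/shapes.
            http
                .securityContext()
                .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, false))
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(new ApproovAuthenticationEntryPoint())
                .and()
                .antMatcher("/v2/shapes")
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/v2/shapes").authenticated();
        }
    }

    /**
     * Chain for {@code /v2/forms}: a GET on that path must be authenticated.
     * The {@code true} flag handed to the security context repository
     * presumably turns the token-binding check on — see
     * ApproovSecurityContextRepository.
     */
    @Configuration
    @Order(2)
    public static class ApproovTokenBindingWebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * @param http the HTTP security builder for this chain
         * @throws Exception propagated from the Spring Security builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            configureStatelessBaseline(http);

            // Same shape as the /v2/shapes chain, with token binding enabled and
            // the chain restricted to the exact path /v2/forms.
            http
                .securityContext()
                .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, true))
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(new ApproovAuthenticationEntryPoint())
                .and()
                .antMatcher("/v2/forms")
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/v2/forms").authenticated();
        }
    }

    /**
     * Public API chain, ordered last. It has no {@code antMatcher}, so it
     * receives every request the two Approov chains did not take, and permits
     * all GET requests.
     *
     * <p>NOTE(review): only GET has a rule here; requests with other methods
     * are not matched by any rule in this chain — confirm that is intended. A
     * closing {@code .anyRequest().denyAll()} would make the policy fail-closed.
     */
    @Configuration
    @Order(3)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * @param http the HTTP security builder for this chain
         * @throws Exception propagated from the Spring Security builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            configureStatelessBaseline(http);

            http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/**").permitAll();
        }
    }
}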
--- untitled (Previous)
+++ /home/sublime/workspace/java/spring/src/main/java/com/criticalblue/approov/jwt/WebSecurityConfig.java
@@ -1,6 +1,7 @@
package com.criticalblue.approov.jwt;
import com.criticalblue.approov.jwt.authentication.*;
+import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
@@ -19,11 +20,13 @@
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static ApproovConfig approovConfig = ApproovConfig.getInstance();
-// sd
+
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedMethods(Arrays.asList("GET"));
+ configuration.addAllowedHeader("Authorization");
+ configuration.addAllowedHeader("Approov-Token");
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
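Review bot: The two added `addAllowedHeader` calls extend a CORS policy that, within this hunk, never sets an allowed origin, so as far as I can tell the header list has no effect until origins are configured; if that happens elsewhere, a comment pointing to it would help, e.g. `// allowed origins are configured in <placeholder: location>`. The method list is also set with `Arrays.asList("GET")`, a fixed-size view, so a later `configuration.addAllowedMethod(...)` on this object would fail; `configuration.setAllowedMethods(new ArrayList<>(Arrays.asList("GET")));` or a comment saying methods must be added in that call is safer. The closing brace of corsConfigurationSource is outside the hunk.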
@@ -34,23 +37,86 @@
web.ignoring().antMatchers("/error");
}
- @Override
- protected void configure(HttpSecurity http) throws Exception {
+ @Configuration
+ @Order(1)
+ public static class ApproovWebSecurityConfig extends WebSecurityConfigurerAdapter {
- http.cors();
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
- http
- .httpBasic().disable()
- .formLogin().disable()
- .logout().disable()
- .csrf().disable()
- .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+ http.cors();
- http
- .authorizeRequests()
- .antMatchers(HttpMethod.GET, "/").permitAll()
- .antMatchers(HttpMethod.GET, "/hello").permitAll()
- .antMatchers(HttpMethod.GET, "/shapes").permitAll()
- .antMatchers(HttpMethod.GET, "/forms").permitAll();
+ http
+ .httpBasic().disable()
+ .formLogin().disable()
+ .logout().disable()
+ .csrf().disable()
+ .authenticationProvider(new ApproovAuthenticationProvider(approovConfig))
+ .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+
+ http
+ .securityContext()
+ .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, false))
+ .and()
+ .exceptionHandling()
+ .authenticationEntryPoint(new ApproovAuthenticationEntryPoint())
+ .and()
+ .antMatcher("/v2/shapes")
+ .authorizeRequests()
+ .antMatchers(HttpMethod.GET, "/v2/shapes").authenticated();
+ }
+ }
+
+ @Configuration
+ @Order(2)
+ public static class ApproovTokenBindingWebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+
+ http.cors();
+
+ http
+ .httpBasic().disable()
+ .formLogin().disable()
+ .logout().disable()
+ .csrf().disable()
+ .authenticationProvider(new ApproovAuthenticationProvider(approovConfig))
+ .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+
+ http
+ .securityContext()
+ .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, true))
+ .and()
+ .exceptionHandling()
+ .authenticationEntryPoint(new ApproovAuthenticationEntryPoint())
+ .and()
+ .antMatcher("/v2/forms")
+ .authorizeRequests()
+ .antMatchers(HttpMethod.GET, "/v2/forms").authenticated();
+ }
+ }
+
+ @Configuration
+ @Order(3)
+ public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+
+ http.cors();
+
+ http
+ .httpBasic().disable()
+ .formLogin().disable()
+ .logout().disable()
+ .csrf().disable()
+ .authenticationProvider(new ApproovAuthenticationProvider(approovConfig))
+ .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+
+ http
+ .authorizeRequests()
+ .antMatchers(HttpMethod.GET, "/**").permitAll();
+ }
}
}
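Review bot: The `@Order(3)` `ApiWebSecurityConfig` chain has no `antMatcher`, so every request the two Approov chains do not take lands in it, and its only rule is `.antMatchers(HttpMethod.GET, "/**").permitAll()`; non-GET requests have no rule at all and, as far as I can tell, are not rejected by the authorization filter. Closing the chain with `.antMatchers(HttpMethod.GET, "/**").permitAll().anyRequest().denyAll();` makes the policy fail-closed. The Approov chains are bound to the exact paths `/v2/shapes` and `/v2/forms`, so make sure path variants the application also serves are either not routed or are matched too (a `/v2/shapes/**` style pattern), and cover this with a request-level test. The `cors()`/`disable()`/`STATELESS` baseline is repeated verbatim in all three nested `configure` methods; a private static helper on the outer class would keep them in sync.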