Client authentication filter #64
Conversation
src/main/java/sample/ClientCredentialsAuthenticationFilter.java
if (!clientId.equals("myclientid") || !clientSecret.equals("myclientsecret")) {
    throw new BadCredentialsException("Invalid client credentials");
}
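Review bot: the check in the `if` on the first line is not only hardcoded but also not constant-time, since `String.equals` returns at the first mismatching character. Looking up the registered client by `clientId` and then comparing the secret with a constant-time routine (`MessageDigest.isEqual` on the encoded bytes, or `PasswordEncoder.matches` against a stored hash) would be the safer shape and also keeps the literal secret out of source.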
still pretty much hardcoded
}
return null;
}
The pitfalls of Mockito.
You will surely never get a request in which you will be able to get the client_secret as a parameter from the request object. The client_secret is always encoded in the Authorization header.
Besides, you wrote that you only implemented the client credentials grant.
https://tools.ietf.org/html/rfc6749#section-4.4.2
RFC 6749 defines neither the client_id nor the client_secret in the "client credentials grant" "access token request".
The only required parameter is "grant_type".
@Captain-P-Goldfish Please see 4.4.2. Access Token Request
The client MUST authenticate with the authorization server as described in Section 3.2.1.
Right, but this does not nullify my issue, does it?
The client_id and client_secret must be extracted from the Authorization header, not from the request parameters.
EDIT:
Sorry, forgot the other authentication methods from chapter 2.3.
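The client authentication discussed in the comments above (RFC 6749 sections 2.3.1 and 3.2.1), as an added example that is not code from this PR or the project: it parses HTTP Basic client credentials the way section 2.3.1 requires (client_id and client_secret are each form-urlencoded, and only the first colon separates them) and compares the secret in constant time. Class, record and method names are this example's own, and it assumes Java 17.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public final class BasicClientAuth {
    // Holder for the parsed pair; the name is this example's own choice.
    public record ClientCredentials(String clientId, String clientSecret) {}

    /** Returns null when the header is absent or not the Basic scheme. */
    public static ClientCredentials parse(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Malformed Basic credentials");
        }
        String token = new String(decoded, StandardCharsets.UTF_8);
        // Only the first colon is the separator (RFC 7617); the password part may
        // itself contain colons, so split(":") would corrupt such a secret.
        int delim = token.indexOf(':');
        if (delim < 0) {
            throw new IllegalArgumentException("Invalid basic authentication token");
        }
        // RFC 6749 2.3.1: both values were form-urlencoded before Base64 encoding.
        String id = URLDecoder.decode(token.substring(0, delim), StandardCharsets.UTF_8);
        String secret = URLDecoder.decode(token.substring(delim + 1), StandardCharsets.UTF_8);
        return new ClientCredentials(id, secret);
    }

    /** Constant-time comparison so response timing leaks nothing about the expected secret. */
    public static boolean secretMatches(String presented, String expected) {
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample: client_id "my client" and secret "p:ss word",
        // form-urlencoded to "my+client" and "p%3Ass+word" before Base64.
        String raw = "my+client:p%3Ass+word";
        String header = "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
        ClientCredentials c = parse(header);
        System.out.println(c.clientId() + " / " + c.clientSecret());
        System.out.println(secretMatches(c.clientSecret(), "p:ss word"));
    }
}
```

A secret containing a colon only round-trips because the split happens at the first colon and the URL-decoding is applied after the split, which is the order the two RFCs prescribe.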
}

// Taken from BasicAuthenticationFilter (spring-security-web)
private String[] extractAndDecodeHeader(String header, HttpServletRequest request) {
why give the header name as parameter? At least I do only know one header ("Authorization") that may contain the content that is necessary for this method to operate successfully. If I am wrong please correct me.
String token = new String(decoded, getCredentialsCharset(request));

int delim = token.indexOf(":");
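Review bot: `indexOf(":")` on the last line is the right choice over `split`: in Basic credentials only the first colon is the separator and the password part may itself contain colons (RFC 7617), so a split would corrupt any client secret containing ':'. A one-line comment at that line saying so would save the next reviewer from suggesting `split` again.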
why not "split" and spare yourself the substring methods below?
    throw new BadCredentialsException("Invalid basic authentication token");
}
return new String[] { token.substring(0, delim), token.substring(delim + 1) };
}
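Review bot: the two substrings on the `return new String[]` line are still form-urlencoded. RFC 6749 section 2.3.1 says the client identifier and the client secret are each application/x-www-form-urlencoded before being used as the Basic username and password, so both halves should go through `URLDecoder.decode(..., charset)` before they are compared; otherwise a client_id or secret containing characters such as ':', '+' or '%' will never match.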
You got the same problem here as I mentioned in this pull request:
#63
Thanks for the PR @tomvandenberge. Please see my review comments.
Also, can you please squash commits and force push on next update.
@jgrandja I'm struggling with how to correctly respond to your review comments. I'm not very familiar with working with pull requests and reviews in GitHub. I think I've resolved the things you've mentioned, and committed and pushed them. But I'm really not sure if you're able to see them now. I have been looking for some more details on the reviewing process, but couldn't find anything useful. Please let me know.
@tomvandenberge I'm still seeing some files that should have been removed as per my last review comments. Can you be more specific on the struggles you are having? Have you reviewed contributing, as it provides links to working with pull requests, squashing commits using interactive rebasing, etc. Please let me know exactly what you need help with and I'll point you in the right direction.
@jgrandja I don't understand why you want me to remove e.g. build.gradle, and the other gradle files. Without these, gradle doesn't work, or am I missing something?
@jgrandja Thanks for pointing me to these docs. I have a better understanding of rebasing and squashing now, and I'll try it with my next changes. My previous attempt to squash commits in IntelliJ was a disaster ;-) Is it recommended to rebase (instead of merge) when pulling updates from the upstream repository?
The project has been set up with gradle multi modules via 5ed7c8f. And the sample project already has a gradle file.
Yes, please rebase on top of master.
@jgrandja it must be my lack of experience with gradle. When I remove
@tomvandenberge what they mean is that you should remove the files from the commit, not from your hard drive itself. You still need them locally to run your build, but they should not be committed in your PR.
@Tandolf Thanks for your clarification. I'm afraid my next question is how do I remove specific files from a commit?
@tomvandenberge you use the command git rm. Git rm on stack overflow And I believe for you to understand how you ended up in this situation. Before you commit you should always check with the You should never commit files you haven't touched. My belief is that you are facing the "CRLF" issue. If you have no idea what I'm talking about, I recommend reading up on what "CR" and "LF" are, the problems with them and how git can handle them, because it is too long to explain here.
@Tandolf These files were not added or modified accidentally. I initially added them for another PR, and while I was working on this one, somebody changed them. I merged these upstream changes into my branch, which I maybe shouldn't have done (?), or maybe I should have used rebasing instead of merging when I did this; I don't know if that would have made a difference. I've tried to remove the files with No doubt the git workflow I'm using is causing these problems. That's what probably got me into this mess. Any help to get me out of it is greatly appreciated!
The gradle script already exists in the project root. You can run the build (from project root) using I'm seeing 20 commits in this PR, most of which are in master. I think the best approach to get back on track with this PR is to start from
I'm aware of that (assuming you mean
I'm afraid I don't understand this. What do you mean exactly by "to start from master"? My changes are already in my master branch, and therefore in the PR, so I can't add them again. Or is there some way to "reset" the PR? (I start to realize that some of the problems I'm facing might be caused by the fact that I'm working from my master branch, and not a feature branch.) Thanks for your patience ;-)
I mean start from
It's recommended to work in a feature branch for each PR you plan on submitting.
What should I do in this branch? Could you please be more specific? As I said, it already contains my changes.
@tomvandenberge I'm suggesting that you create a feature branch and submit that branch for the PR. You could close the existing PR after you submit the new one. I just feel it's easier with this approach as your Create a new feature branch:
Assuming Now, manually apply the changes from your After you manually apply the changes, then commit. At this point you will have 1 commit that sits on top of the latest commit from Now submit a new PR based on this branch. Close the other PR. All changes going forward should be rebased on (current)
I suspect Joe is asking you to start over after reading from the master branch. An approach you might consider is doing the following steps:
Then update the new branch with your code changes. Once the changes use:
That way you will retain the files being asked to remove from the submission in your local repository as "untracked" files. Once all of the above is done, issue a PR:
The above will get the conflicting issues corrected.
If it helps we can conference and pair to help resolve the issue.
That would be very helpful! Can I send you a message on [email protected] to get this started?
A new branch sounds like the most practical way forward, I agree. What I don't understand is why you think that my Because my
Yes, I mean
Yes. I'm in Georgia; to help set up a time we are both available
This adds a rather simple filter for client authentication (#5) for the Token Endpoint. It can currently only be used for the Client Credentials Grant.
This PR contains some files that shouldn't be there. This is probably a result of my earlier failed attempts to squash/rebase for another PR. I hope it doesn't mess it up too badly. This PR should only contain the filter, the tests for the filter, and three exception classes.