The blog post can be found here
This Approov Integaration example will show us how simple it is to integrate Approov in a stateless API server using Java and the Spring framework.
We will see the requirements, dependencies and a step by step walk-through of the code necessary to implement Approov in a Java Spring stateless API.
| package com.criticalblue.approov.jwt; | |
| import com.criticalblue.approov.jwt.authentication.*; | |
| import org.springframework.security.config.annotation.web.builders.WebSecurity; | |
| import org.springframework.security.config.http.SessionCreationPolicy; | |
| import org.springframework.web.cors.CorsConfiguration; | |
| import org.springframework.web.cors.CorsConfigurationSource; | |
| import org.springframework.web.cors.UrlBasedCorsConfigurationSource; | |
| import org.springframework.context.annotation.Bean; | |
| import org.springframework.context.annotation.Configuration; | |
| import org.springframework.http.HttpMethod; | |
| import org.springframework.security.config.annotation.web.builders.HttpSecurity; | |
| import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; | |
| import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; | |
| import java.util.Arrays; | |
| @Configuration | |
| @EnableWebSecurity | |
| public class WebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| private static ApproovConfig approovConfig = ApproovConfig.getInstance(); | |
| @Bean | |
| CorsConfigurationSource corsConfigurationSource() { | |
| CorsConfiguration configuration = new CorsConfiguration(); | |
| configuration.setAllowedMethods(Arrays.asList("GET")); | |
| UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); | |
| source.registerCorsConfiguration("/**", configuration); | |
| return source; | |
| } | |
| @Override | |
| public void configure(WebSecurity web) throws Exception { | |
| web.ignoring().antMatchers("/error"); | |
| } | |
| @Override | |
| protected void configure(HttpSecurity http) throws Exception { | |
| http.cors(); | |
| http | |
| .httpBasic().disable() | |
| .formLogin().disable() | |
| .logout().disable() | |
| .csrf().disable() | |
| .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| http | |
| .authorizeRequests() | |
| .antMatchers(HttpMethod.GET, "/").permitAll() | |
| .antMatchers(HttpMethod.GET, "/hello").permitAll() | |
| .antMatchers(HttpMethod.GET, "/shapes").permitAll() | |
| .antMatchers(HttpMethod.GET, "/forms").permitAll(); | |
| // the above endpoints declaration can be resumed to: | |
| // .antMatchers(HttpMethod.GET, "/**").permitAll() | |
| } | |
| } |
| package com.criticalblue.approov.jwt; | |
| import com.criticalblue.approov.jwt.authentication.*; | |
| import org.springframework.core.annotation.Order; | |
| import org.springframework.security.config.annotation.web.builders.WebSecurity; | |
| import org.springframework.security.config.http.SessionCreationPolicy; | |
| import org.springframework.web.cors.CorsConfiguration; | |
| import org.springframework.web.cors.CorsConfigurationSource; | |
| import org.springframework.web.cors.UrlBasedCorsConfigurationSource; | |
| import org.springframework.context.annotation.Bean; | |
| import org.springframework.context.annotation.Configuration; | |
| import org.springframework.http.HttpMethod; | |
| import org.springframework.security.config.annotation.web.builders.HttpSecurity; | |
| import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; | |
| import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; | |
| import java.util.Arrays; | |
| @Configuration | |
| @EnableWebSecurity | |
| public class WebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| private static ApproovConfig approovConfig = ApproovConfig.getInstance(); | |
| @Bean | |
| CorsConfigurationSource corsConfigurationSource() { | |
| CorsConfiguration configuration = new CorsConfiguration(); | |
| configuration.setAllowedMethods(Arrays.asList("GET")); | |
| UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); | |
| source.registerCorsConfiguration("/**", configuration); | |
| return source; | |
| } | |
| @Override | |
| public void configure(WebSecurity web) throws Exception { | |
| web.ignoring().antMatchers("/error"); | |
| } | |
| @Configuration | |
| @Order(1) | |
| public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| @Override | |
| protected void configure(HttpSecurity http) throws Exception { | |
| http.cors(); | |
| http | |
| .httpBasic().disable() | |
| .formLogin().disable() | |
| .logout().disable() | |
| .csrf().disable() | |
| .authenticationProvider(new ApproovAuthenticationProvider(approovConfig)) | |
| .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| http | |
| .authorizeRequests() | |
| .antMatchers(HttpMethod.GET, "/").permitAll() | |
| .antMatchers(HttpMethod.GET, "/v2/hello").permitAll() | |
| .antMatchers(HttpMethod.GET, "/v2/shapes").permitAll() | |
| .antMatchers(HttpMethod.GET, "/v2/forms").permitAll(); | |
| // the above endpoints declaration can be resumed to: | |
| // .antMatchers(HttpMethod.GET, "/**").permitAll() | |
| } | |
| } | |
| } |
| configuration.addAllowedHeader("Authorization"); | |
| configuration.addAllowedHeader("Approov-Token"); |
| @Bean | |
| CorsConfigurationSource corsConfigurationSource() { | |
| CorsConfiguration configuration = new CorsConfiguration(); | |
| configuration.setAllowedMethods(Arrays.asList("GET")); | |
| configuration.addAllowedHeader("Authorization"); | |
| configuration.addAllowedHeader("Approov-Token"); | |
| UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); | |
| source.registerCorsConfiguration("/**", configuration); | |
| return source; | |
| } |
| @Configuration | |
| @Order(1) | |
| public static class ApproovWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| @Override | |
| protected void configure(HttpSecurity http) throws Exception { | |
| http.cors(); | |
| http | |
| .httpBasic().disable() | |
| .formLogin().disable() | |
| .logout().disable() | |
| .csrf().disable() | |
| .authenticationProvider(new ApproovAuthenticationProvider(approovConfig)) | |
| .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| http | |
| .securityContext() | |
| .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, false)) | |
| .and() | |
| .exceptionHandling() | |
| .authenticationEntryPoint(new ApproovAuthenticationEntryPoint()) | |
| .and() | |
| .antMatcher("/v2/shapes") | |
| .authorizeRequests() | |
| .antMatchers(HttpMethod.GET, "/v2/shapes").authenticated(); | |
| // Add here more endpoints that you need to protect with the required | |
| // checks for the Approov token. | |
| // .and() | |
| // .antMatcher("/another-endpoint") | |
| // .authorizeRequests() | |
| // .antMatchers(HttpMethod.GET, "/another-endpoint").authenticated(); | |
| } | |
| } |
| @Configuration | |
| @Order(2) | |
| public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| // omitted code ... | |
| // REMOVE ALSO THIS LINE | |
| .antMatchers(HttpMethod.GET, "/v2/shapes").permitAll() | |
| // omitted code ... | |
| } |
| @Configuration | |
| @Order(2) | |
| public static class ApproovTokenBindingWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| @Override | |
| protected void configure(HttpSecurity http) throws Exception { | |
| http.cors(); | |
| http | |
| .httpBasic().disable() | |
| .formLogin().disable() | |
| .logout().disable() | |
| .csrf().disable() | |
| .authenticationProvider(new ApproovAuthenticationProvider(approovConfig)) | |
| .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| http | |
| .securityContext() | |
| .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, true)) | |
| .and() | |
| .exceptionHandling() | |
| .authenticationEntryPoint(new ApproovAuthenticationEntryPoint()) | |
| .and() | |
| .antMatcher("/v2/forms") | |
| .authorizeRequests() | |
| .antMatchers(HttpMethod.GET, "/v2/forms").authenticated(); | |
| // Add here more endpoints that you need to protect with the | |
| // required and optional checks for the Approov token. | |
| // .and() | |
| // .antMatcher("/another-endpoint") | |
| // .authorizeRequests() | |
| // .antMatchers(HttpMethod.GET, "/another-endpoint").authenticated(); | |
| } | |
| } |
| @Configuration | |
| @Order(3) | |
| public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| // omitted code ... | |
| // REMOVE ALSO THIS LINE | |
| .antMatchers(HttpMethod.GET, "/v2/forms").permitAll() | |
| // omitted code ... | |
| } |
| package com.criticalblue.approov.jwt; | |
| import com.criticalblue.approov.jwt.authentication.*; | |
| import org.springframework.core.annotation.Order; | |
| import org.springframework.security.config.annotation.web.builders.WebSecurity; | |
| import org.springframework.security.config.http.SessionCreationPolicy; | |
| import org.springframework.web.cors.CorsConfiguration; | |
| import org.springframework.web.cors.CorsConfigurationSource; | |
| import org.springframework.web.cors.UrlBasedCorsConfigurationSource; | |
| import org.springframework.context.annotation.Bean; | |
| import org.springframework.context.annotation.Configuration; | |
| import org.springframework.http.HttpMethod; | |
| import org.springframework.security.config.annotation.web.builders.HttpSecurity; | |
| import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; | |
| import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; | |
| import java.util.Arrays; | |
| @Configuration | |
| @EnableWebSecurity | |
| public class WebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| private static ApproovConfig approovConfig = ApproovConfig.getInstance(); | |
| @Bean | |
| CorsConfigurationSource corsConfigurationSource() { | |
| CorsConfiguration configuration = new CorsConfiguration(); | |
| configuration.setAllowedMethods(Arrays.asList("GET")); | |
| configuration.addAllowedHeader("Authorization"); | |
| configuration.addAllowedHeader("Approov-Token"); | |
| UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); | |
| source.registerCorsConfiguration("/**", configuration); | |
| return source; | |
| } | |
| @Override | |
| public void configure(WebSecurity web) throws Exception { | |
| web.ignoring().antMatchers("/error"); | |
| } | |
| @Configuration | |
| @Order(1) | |
| public static class ApproovWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| @Override | |
| protected void configure(HttpSecurity http) throws Exception { | |
| http.cors(); | |
| http | |
| .httpBasic().disable() | |
| .formLogin().disable() | |
| .logout().disable() | |
| .csrf().disable() | |
| .authenticationProvider(new ApproovAuthenticationProvider(approovConfig)) | |
| .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| http | |
| .securityContext() | |
| .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, false)) | |
| .and() | |
| .exceptionHandling() | |
| .authenticationEntryPoint(new ApproovAuthenticationEntryPoint()) | |
| .and() | |
| .antMatcher("/v2/shapes") | |
| .authorizeRequests() | |
| .antMatchers(HttpMethod.GET, "/v2/shapes").authenticated(); | |
| } | |
| } | |
| @Configuration | |
| @Order(2) | |
| public static class ApproovTokenBindingWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| @Override | |
| protected void configure(HttpSecurity http) throws Exception { | |
| http.cors(); | |
| http | |
| .httpBasic().disable() | |
| .formLogin().disable() | |
| .logout().disable() | |
| .csrf().disable() | |
| .authenticationProvider(new ApproovAuthenticationProvider(approovConfig)) | |
| .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| http | |
| .securityContext() | |
| .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, true)) | |
| .and() | |
| .exceptionHandling() | |
| .authenticationEntryPoint(new ApproovAuthenticationEntryPoint()) | |
| .and() | |
| .antMatcher("/v2/forms") | |
| .authorizeRequests() | |
| .antMatchers(HttpMethod.GET, "/v2/forms").authenticated(); | |
| } | |
| } | |
| @Configuration | |
| @Order(3) | |
| public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| @Override | |
| protected void configure(HttpSecurity http) throws Exception { | |
| http.cors(); | |
| http | |
| .httpBasic().disable() | |
| .formLogin().disable() | |
| .logout().disable() | |
| .csrf().disable() | |
| .authenticationProvider(new ApproovAuthenticationProvider(approovConfig)) | |
| .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| http | |
| .authorizeRequests() | |
| .antMatchers(HttpMethod.GET, "/**").permitAll(); | |
| } | |
| } | |
| } |
| --- untitled (Previous) | |
| +++ /home/sublime/workspace/java/spring/src/main/java/com/criticalblue/approov/jwt/WebSecurityConfig.java | |
| @@ -1,6 +1,7 @@ | |
| package com.criticalblue.approov.jwt; | |
| import com.criticalblue.approov.jwt.authentication.*; | |
| +import org.springframework.core.annotation.Order; | |
| import org.springframework.security.config.annotation.web.builders.WebSecurity; | |
| import org.springframework.security.config.http.SessionCreationPolicy; | |
| import org.springframework.web.cors.CorsConfiguration; | |
| @@ -19,11 +20,13 @@ | |
| public class WebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| private static ApproovConfig approovConfig = ApproovConfig.getInstance(); | |
| -// sd | |
| + | |
| @Bean | |
| CorsConfigurationSource corsConfigurationSource() { | |
| CorsConfiguration configuration = new CorsConfiguration(); | |
| configuration.setAllowedMethods(Arrays.asList("GET")); | |
| + configuration.addAllowedHeader("Authorization"); | |
| + configuration.addAllowedHeader("Approov-Token"); | |
| UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); | |
| source.registerCorsConfiguration("/**", configuration); | |
| return source; | |
| @@ -34,23 +37,86 @@ | |
| web.ignoring().antMatchers("/error"); | |
| } | |
| - @Override | |
| - protected void configure(HttpSecurity http) throws Exception { | |
| + @Configuration | |
| + @Order(1) | |
| + public static class ApproovWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| - http.cors(); | |
| + @Override | |
| + protected void configure(HttpSecurity http) throws Exception { | |
| - http | |
| - .httpBasic().disable() | |
| - .formLogin().disable() | |
| - .logout().disable() | |
| - .csrf().disable() | |
| - .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| + http.cors(); | |
| - http | |
| - .authorizeRequests() | |
| - .antMatchers(HttpMethod.GET, "/").permitAll() | |
| - .antMatchers(HttpMethod.GET, "/hello").permitAll() | |
| - .antMatchers(HttpMethod.GET, "/shapes").permitAll() | |
| - .antMatchers(HttpMethod.GET, "/forms").permitAll(); | |
| + http | |
| + .httpBasic().disable() | |
| + .formLogin().disable() | |
| + .logout().disable() | |
| + .csrf().disable() | |
| + .authenticationProvider(new ApproovAuthenticationProvider(approovConfig)) | |
| + .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| + | |
| + http | |
| + .securityContext() | |
| + .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, false)) | |
| + .and() | |
| + .exceptionHandling() | |
| + .authenticationEntryPoint(new ApproovAuthenticationEntryPoint()) | |
| + .and() | |
| + .antMatcher("/v2/shapes") | |
| + .authorizeRequests() | |
| + .antMatchers(HttpMethod.GET, "/v2/shapes").authenticated(); | |
| + } | |
| + } | |
| + | |
| + @Configuration | |
| + @Order(2) | |
| + public static class ApproovTokenBindingWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| + | |
| + @Override | |
| + protected void configure(HttpSecurity http) throws Exception { | |
| + | |
| + http.cors(); | |
| + | |
| + http | |
| + .httpBasic().disable() | |
| + .formLogin().disable() | |
| + .logout().disable() | |
| + .csrf().disable() | |
| + .authenticationProvider(new ApproovAuthenticationProvider(approovConfig)) | |
| + .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| + | |
| + http | |
| + .securityContext() | |
| + .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, true)) | |
| + .and() | |
| + .exceptionHandling() | |
| + .authenticationEntryPoint(new ApproovAuthenticationEntryPoint()) | |
| + .and() | |
| + .antMatcher("/v2/forms") | |
| + .authorizeRequests() | |
| + .antMatchers(HttpMethod.GET, "/v2/forms").authenticated(); | |
| + } | |
| + } | |
| + | |
| + @Configuration | |
| + @Order(3) | |
| + public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter { | |
| + | |
| + @Override | |
| + protected void configure(HttpSecurity http) throws Exception { | |
| + | |
| + http.cors(); | |
| + | |
| + http | |
| + .httpBasic().disable() | |
| + .formLogin().disable() | |
| + .logout().disable() | |
| + .csrf().disable() | |
| + .authenticationProvider(new ApproovAuthenticationProvider(approovConfig)) | |
| + .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); | |
| + | |
| + http | |
| + .authorizeRequests() | |
| + .antMatchers(HttpMethod.GET, "/**").permitAll(); | |
| + } | |
| } | |
| } |