feat: add ssl authentication

client/src/app/services/token.interceptor.ts

@@ -23,24 +23,42 @@ export class TokenInterceptor implements HttpInterceptor {
   }
 
   intercept(request: HttpRequest<any>, next: HttpHandler): any {
-    if (!request.url.includes('/public/') && !request.url.includes('oauth')) {
-      return next.handle(this.addTokenToHeader(request, null)).pipe(catchError(
-        error => {
-          if (error && error.status === 400 && error.error && error.error.error === 'invalid_grant') {
+    console.log(request);
+
+    const secureReq = request.clone({
+      url: request.url.replace('http://', 'https://'),
+    });
+
+    if (
+      !secureReq.url.includes('/public/') &&
+      !secureReq.url.includes('oauth')
+    ) {
+      return next.handle(this.addTokenToHeader(secureReq, null)).pipe(
+        catchError((error) => {
+          if (
+            error &&
+            error.status === 400 &&
+            error.error &&
+            error.error.error === 'invalid_grant'
+          ) {
             // If we get a 400 and the error message is 'invalid_grant', the token is no longer valid so logout.
             this.store.dispatch(new AuthActions.SignOut());
           }
 
-          if (error && error.status === 401 && error.error && error.error.error === 'invalid_token') {
-            return this.handle401Error(request, next);
+          if (
+            error &&
+            error.status === 401 &&
+            error.error &&
+            error.error.error === 'invalid_token'
+          ) {
+            return this.handle401Error(secureReq, next);
           }
 
           return throwError(error);
-        }
-      ));
-
+        })
+      );
     } else {
-      return next.handle(request);
+      return next.handle(secureReq);
     }
 
   }

client/src/config/local.ts

@@ -2,26 +2,26 @@ import { Configuration } from './model';
 
 
 export const config: Configuration = {
-  apiUrl: 'http://localhost:8080',
+  apiUrl: 'https://localhost:8080',
   authUrl: 'http://localhost:8081',
   clientId: 'test',
   clientSecret: 'test',
   carausel: [
     {
       title: 'Title',
       text: 'Text',
-      imageUrl: ''
+      imageUrl: '',
     },
     {
       title: 'Title',
       text: 'Text',
-      imageUrl: ''
+      imageUrl: '',
     },
     {
       title: 'Title',
       text: 'Text',
-      imageUrl: ''
-    }
+      imageUrl: '',
+    },
   ],
-  bannerUrl: ''
+  bannerUrl: '',
 };

docker-compose.yml

@@ -43,7 +43,7 @@ services:
         SPRING_DATASOURCE_URL=jdbc:mysql://mysql:3306/keyist?useSSL=false&useUnicode=yes&characterEncoding=UTF-8&allowPublicKeyRetrieval=true
       - SPRING_DATASOURCE_USERNAME=keyistuser
       - SPRING_DATASOURCE_PASSWORD=keyistpassword
-      - 'SECURITY_AUTH_URL=http://authorization_server:8081/oauth/check_token'
+      - 'SECURITY_AUTH_URL=https://authorization_server:8081/oauth/check_token'
       - SECURITY_AUTH_CLIENT_ID=test
       - >-
         SECURITY_AUTH_CLIENT_PASSWORD=test

resource_server/Dockerfile

@@ -10,6 +10,8 @@ RUN mvn package -DskipTests
 FROM adoptopenjdk:11-jre-hotspot
 WORKDIR /app
 
+COPY keyist-resource.jks .
+
 COPY --from=build /build/target/*.jar resource_server.jar
 
 EXPOSE 8080

resource_server/src/main/java/com/commerce/backend/BackendApplication.java

@@ -2,6 +2,11 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import java.util.Objects;
 
 @SpringBootApplication
 public class BackendApplication {
@@ -10,4 +15,16 @@ public static void main(String[] args) {
         SpringApplication.run(BackendApplication.class, args);
     }
 
+    @Bean
+    public WebMvcConfigurer corsConfigurer() {
+        return new WebMvcConfigurer() {
+            @Override
+            public void addCorsMappings(CorsRegistry registry) {
+                Objects.requireNonNull(registry).addMapping("/api/**")
+                        .allowedOrigins("http://localhost:4200")
+                        .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS");
+            }
+        };
+    }
+
 }

resource_server/src/main/java/com/commerce/backend/security/SecurityConfiguration.java

@@ -38,6 +38,7 @@ public OpaqueTokenIntrospector introspector() {
     public void configure(final HttpSecurity http) throws Exception {
         http.cors().and()
                 .csrf().disable()
+                .requiresChannel(channelRequestMatcherRegistry -> channelRequestMatcherRegistry.anyRequest().requiresSecure())
                 .authorizeRequests()
                 .antMatchers(securityConstants.getWhitelist()).permitAll()
                 .antMatchers("/api/**").hasAnyRole("ADMIN", "MANAGER", "USER")

resource_server/src/main/resources/application.yml

@@ -4,6 +4,18 @@ logging:
       hibernate:
         SQL: INFO
 server:
+  ssl:
+    key-store: /app/keyist-resource.jks
+    key-store-password: password1
+    key-alias: keyist_resource
+    enabled: true
+    trust-store: /app/keyist-resource.jks
+    trust-store-password: password1
+    ciphers:
+      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   error:
     whitelabel:
       enabled: true