Category Archives: Java

Json Web Token (JWT) – Introduction

If you have worked in OAuth or OpenID or authorization part of security, you must have across a term called JSON Web Token – JWT (Pronounced as JOT).

In this post, I will explain its components and a few tips and tricks. In previous securing spring boot rest api post, I showed how to use JWT to secure a REST API.

JSON Web Token (JWT) is a JSON object defined in a way where participating parties agree with a certain norm. This object contains information that can identify a user or a participating party.

JWT is encrypted and signed, so it is used securely. Even if a third party gets access to JWT, that party will ever be able to decrypt it if it has a public key with which it was signed. Also usually JWT is valid for a limited time, so a hacker will not be able to use JWT if it has expired and the hacker was able to decrypt JWT.

There are a few use cases when you can use JWT.

  1. Single Sign-On – In some authorization scenarios, JWT is used to encrypt user information in a token for authentication purposes.
  2. JWT offers a lot of security, so it helps to exchange information between parties secretly.

 

Components

JSON Web Token consists of three parts – header, payload, and signature. Once you create a JWT using these three parts, you compact that JWT. So every JWT is in a compact form.

hhhhhh.pppppppp.ssssss

Header of JSON Web Token

Every Json Web Token contains header, payload and signature part. In header part, you will have two important elements – algorithm type as alg and key id as kid , but instead of these two elements, it can also contain alg and type to indicate what type of the token this is.

{
   "alg":"HS256",
   "kid": "NHAS42KWE49825JADTWWQRWR"
}

Payload

The payload is the part that contains actual data in JWT. Basically this data is in the form of claims. Claims are identifying information about the user or entity. But other than user information (sub), it also contains some important information at what time the token was issued – iat, who is the issuer – iss, what is the expiration time exp , what is the not before used time nbf .

Example of JWT payload will look like below:

{
  "sub": "betterjavacode\\userabc",
  "created": 1571755568798,
  "iss": "betterjavacode.com",
  "client_id": "randomclient",
  "nbf": 1571755569,
  "scope": "[Email]",
  "exp": 1571759169,
  "expires_in": "3600",
  "iat": 1571755569,
  "jti": "qqwrwe-wewewt-34343re-343gtrtr-323222"
}

Signature

Signature to sign JWT is created by Base64 URL encoding of header + Base64 URL encoding of body and a secret key and all this will be signed by using a signature algorithm of server choice, for this example it is HMACSHA256. The server which is creating JWT, will not share a secret key with anyone and will have its own policies to create that secret key. It can make the public key available to requested clients.

When to use JWT?

The usual use case for JWT is for authentication purposes since it can contain user data. Tokens are valid for a short duration, so they can’t be compromised. When the user accesses a protected resource, the user agent sends JWT in authorization header using Bearer schema. As a precaution, a token should not contain any secret information. In that case, even if a JWT is stolen, nobody can use JWT data for any other purposes.

JWT is a more compact version of token which was usually exchanged through Security Assertion Markup Language (SAML).

Conclusion

In this post, we discussed the details of JWT and when to use it.

References

  1. Specification of JSON Web Token – Specifications
  2. JSON Web Token – Open Id Specifications

 

 

Forgot Password Feature in Spring Boot Application

In this post, we will show how to implement a forgot password feature for your Spring Boot Application. In my old post, I had shown how to create social login for an application.

Most web applications will have forgot password page and there are different policies about password creation and resetting the password. Overall, you can assume that user will forget a password and will need to reset password.

Flow for Forgot Password

  1. User visits login screen and clicks on forgot password option.
  2. User enters email address in forgot password box.
  3. On Server side, we verify if a user with that email exists or not.
  4. On Server side, we create a time-bound security reset token affiliated with that user and send it in an email, provided that the user exists.
  5. User receives an email to reset password.
  6. Once the user clicks the reset password link which includes the reset token.
  7. User redirects to a page where the user can reset the password.
  8. Then the user submits a new password along with reset token. Based on reset token, we first verify if the user is correct and then saves the new password.
  9. User redirects to login page.

Once now, we have described the flow, we can show how to implement this feature.

Forgot Password UI

A screen where user will enter email address to reset the password, will look like below:

Feature of Forgot Password

Forgot Password

Once the user enters his email address, server side implementation will validate if a user with that email exists or not. In LoginController , this posting of Reset Password will look like below:


        String email = ServletUtil.getAttribute(request, "email");
        User user = userRepository.findUserByEmail(email);

        if(user == null)
        {
            model.addAttribute("error", "We didn't find this user");
            return "forgotpassword";
        }
        PasswordResetToken token = new PasswordResetToken();
        token.setToken(UUID.randomUUID().toString());
        token.setUser(user);
        token.setExpiryDate(30);
        passwordResetTokenRepository.save(token);
        
        Mail mail = new Mail();
        Map<String, Object> modelObj = new HashMap<>();
        modelObj.put("token",token);
        modelObj.put("user", user);
        String url =
                request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort();
        modelObj.put("resetUrl", url + "/resetpassword?token=" + token.getToken());
        mail.setModel(modelObj);
        emailService.sendEmail(mail);

As you see in this code token object is one-to-one mapped with user.  Once the user submits email address, we send him a password reset email with URL.

So this email will look like below:

Once the user clicks on the link from email, user will be redirected to a form to submit new password. When displaying the form, first the reset token will be validated if it has not expired and exists. GET request for reset form will present the form.

POST request will submit the form to reset user password.


    @GetMapping
    public String getPasswordResetPage(@RequestParam(required=false) String token, Model model)
    {
        PasswordResetToken passwordResetToken = passwordResetTokenRepository.findByToken(token);
        if(passwordResetToken == null)
        {
            model.addAttribute("error","Could not find reset token");
        }
        else if(passwordResetToken.isExpired())
        {
            model.addAttribute("error","Reset Token is expired");
        }
        else
        {
            model.addAttribute("token",passwordResetToken.getToken());
        }
        return "resetpassword";
    }

    @PostMapping
    public String handlePasswordReset(HttpServletRequest request, Model model)
    {
        String token = ServletUtil.getAttribute(request, "token");
        PasswordResetToken passwordResetToken = passwordResetTokenRepository.findByToken(token);
        User user = passwordResetToken.getUser();
        String password = ServletUtil.getAttribute(request, "password");
        String confirmPassword = ServletUtil.getAttribute(request, "confirmPassword");
        
        user.setPassword(updatedPassword);
        user.setPasswordConfirm(updatedPassword);
        userRepository.save(user);
        passwordResetTokenRepository.delete(passwordResetToken);

        return "redirect:/login?resetSuccess";

    }

After new password is saved, the reset token is deleted, so it can’t be reused.

Conclusion

In this post, we showed how to implement the user story of forgot password. There are usually different possibilities to reset the password. It mostly depends on what password policies you adapt.

References

  1. Forgot Password Feature – Forgot Password

 

How to set up IIS as Reverse Proxy to Jetty

Recently I came across an interesting scenario where we have to redirect an old application to a new application. Mainly this was to support backward compatibility with the new application if any existing customers start using it. So mostly these customers don’t have to change anything on their end, but just use the old product that could still redirect to a new application. The old application was using IIS Webserver. In this post, I will show how to set up IIS as a reverse proxy to jetty.

Scenario

The use case is that an application https://abccompany.com/salesapp is running as an ASP.NET application behind IIS web server. The new application https://abccompany.com/newsalesapp is built using JAVA and running on Jetty web server.

Some of the existing customers are still using the old application. For easiest way to make them still use new application is redirect the requests for old application to new application.

Implementation

We implemented this measure with only purpose of backward compatibility and reducing customer’s issues if they want to use new application. It helps them how simple and smoothly this can take place.

To make IIS as a proxy to Jetty web server, we will need Application Request Routing and URL Rewrite module installed on IIS. Remember these modules are free, but not installed by default.

IIS Proxy Settings

Once you have Application Request Routing module installed, go to your IIS Manager for your server and open the module.

In Server Proxy Settings, configure to Enable Proxy and keep rest of the settings as it is. The picture below shows the configuration:

Rewrite/Redirect Rules

Now we will use URL Rewrite module for the site that is part of IIS server. Once you open URL rewrite module, click on Add Rule and it will show the following screen to create rule, so select Blank Rule option

Add a name for rule in new window of blank rule. Now you can add pattern of your old application URL that will be redirected, with action type Redirect to new REDIRECT URL.

Pattern for old URL will be regular expression, so make sure you use right expression for your application’s URL. In my case, it will look like below:

This rule will take of any query string parameters you have in old application URL and will add them in the new URL.

Example. https://abccompany.com/salesapp?productid=1&customerid=2 will become https://abccompany.com/newsalesapp?productid=1&customerid=2. Of course, the assumption is that your new application is using the same parameter with same names.

Conclusion

So this was a simple way to redirect any request from IIS server to Jetty. This will simply great if you only have REDIRECT OR GET requests. What if a user is submitting a form OR using a POST request. In that case, we will need some modification.

  1. Application Pool for your site should be classic.
  2. Instead of redirect, you should be writing rewrite rule type.

References

  1. IIS as Reverse Proxy with application request routing and URL rewrite – Request routing

 

How to add Stripe Payment to Spring Boot Application

In this post, we will show how to add Stripe Payment to Spring boot application. Most enterprise applications offer a way where customer can pay online. Online payments are the backbone of internet world in current times. If you ever built an application for a customer, previously there were physical cheques OR credit card payments. With the applications becoming more web based, it has become utmost necessary to integrate your application with some kind of payment gateway. Payment gateway will handle all tax and financial regulation related complications which the application doesn’t have to deal with.

The functionality is part of the application Social KPI that I am building.

What are we trying to achieve here?

Story for Stripe Payment

An administrator comes on the billing page and pays the bill for that month. Once the bill is paid, the billing page will show that the bill has been paid for that month. So the option to enter credit card details will only be shown if the bill has not been paid.

As part of payment service, we will be using Stripe . Once the user enters credit card details and she can enter Pay Now button which will contact Stripe API to get token, this token will be used to create a charge on Stripe and Stripe will respond with success or failure of the charge.

Flow

To summarize the flow

  1. User clicks Pay Now to pay the charges
  2. Frontend Stripe javascript API contacts Stripe to create token using enter billing details
  3. Frontend Stripe javascript API sends this token to server to handle billing on server side
  4. On server side, controller uses the token and amount to create charge for that customer for application usage.
  5. For paid bills, the status is marked as paid for the customer for that month.

Frontend Implementation

To use Stripe APIs, we must first create account on stripe.com as a developer and get the keys. Good thing is Stripe offers API keys for test and live environments. For this post and demo, we will be using test keys only. Once we have API keys, we will use them in our frontend and backend implementation.

In following screenshot, you will see how the billing page will look:

Billing Page

Once the user clicks on Pay Now, the javascript function from Stripe for mounting card and creating token will be called. Once the token is available, the same function will pass it server by submitting a POST request. Sample of this code will look like below:


            var form = document.getElementById('payment-form');
            form.addEventListener('submit',function(event){
                event.preventDefault();
                payTheBill();
            });

            function payTheBill(){
                stripe.createToken(card).then(function(result){
                    if(result.error){
                        var errorElement = document.getElementById('card-errors');
                        errorElement.textContent = result.error.message;
                    } else {
                        var token = result.token.id;
                        var email = $('#email').val();
                        var companyid = $('#companyid').val();
                        var amount = $('#amount').val();
                        $.get(
                            "/createcharge",
                            {email:email,token:token,companyid : companyid, amount:amount},
                            function(data){
                                alert(data.details);
                            },'json');
                    }
                })
            }

Backend Implementation

As part of the application Social KPI, I have a database table billing to track customer’s paid bills. The PaymentController is a REST controller which will have a POST request mapping for creating a charge and storing in the database table and mark the bill as paid. As shown above in javascript code, once the token is available it will be sent to server side to controller to handle the charge. This will be a REST call, so the controller is also RestController.


 @RequestMapping(value="/createcharge",method = RequestMethod.GET)
    @ResponseBody
    public Response createCharge(String email, String token, String companyid, double amount)
    {
        LOGGER.info("Enter >> createCharge() ");

        if(token == null)
        {
            throw new RuntimeException("Can't create a charge, try again");
        }

        Billing billing = billingRepository.findByCompanyId(Integer.parseInt(companyid));

        double billedAmount = amount * 100;

        String chargeId = paymentService.createCharge(email,token,billedAmount);

        if(chargeId != null && !chargeId.equals(""))
        {
            LOGGER.info("bill has been charged on consumer's account");
            billing.setStatus(true);
            billing.setPaiddate(new Date());
            billingRepository.save(billing);
        }

        LOGGER.info("Exit << createCharge() ");
        return new Response(true,"Congratulations, your card has been charged, chargeId= "+chargeId);
    }

As shown above, Service called paymentService will create a charge on Stripe. To implement paymentService, you will need to include stripe java library in your implementation.

compile('com.stripe:stripe-java:10.5.0')

So the service class PaymentService will look like below to create charge:


    public String createCharge(String email, String token, double amount)
    {
        String id = null;
        try
        {
            Stripe.apiKey = API_SECRET_KEY;
            Map chargeParams = new HashMap<>();
            chargeParams.put("amount", (int)(amount*100));
            chargeParams.put("currency", "USD");
            chargeParams.put("description", "Charge for " + email);
            chargeParams.put("source", token);
            Charge charge = Charge.create(chargeParams);
            id = charge.getId();
        }
        catch(StripeException e)
        {
            throw new RuntimeException("Unable to process the charge", e);
        }
        return id;
    }

Once the bill is paid, administrator will see this as the bill paid for that month.

Conclusion

In this post, we showed how to integrate Spring boot application with Stripe payment gateway.

References

  1. Stripe API reference - https://stripe.com/docs/api/charges
  2. Integrate Stripe with Spring boot - Stripe with Spring boot

How to file upload using Spring Boot

In this post, I will show how I added file upload functionality in my Spring Boot application, social KPI.

On the outskirts, it looks very simple functionality and it is indeed simple with Spring Boot. As part of this post, we will build a web form where an administrator will add additional users for his/her company by importing a CSV file in a particular format.

Basic functionality is to provide a way for an administrator to import a CSV file, read and validate the data, and save it in the database if proper data.

Now once we have defined our user story, let’s get started with the post.

Form For File Upload In a Spring Boot Application

We are using thymeleaf templates for our spring boot based application. So writing a simple html page with a form to upload a file is very straight forward as below:

<div class="container importuser">
    <div class="form-group">
    <form method="POST" th:action="@{/uploadUsers}" enctype="multipart/form-data">
        <input type="hidden" name="companyGuid" th:value="${companyGuid}"/>
        <input type="file" name="file"/></br></br>
        <button type="submit" class="btn btn-primary btn-lg" value="Import">Import
        </button>
    </form>
    </div>
</div>

As you see in this form, clicking on Import button will kick the action to upload users.

Controller to handle file upload on backend side

A controller to handle upload users functionality will look like below:

    @RequestMapping(value = "/uploadUsers",method= RequestMethod.POST)
    public String fileUpload (@RequestParam("file") MultipartFile file, @RequestParam(
            "companyGuid") String companyGuid,
                              RedirectAttributes redirectAttributes)
    {
        LOGGER.info("File is {}", file.getName());
        LOGGER.info("Company Guid is {}", companyGuid);

        if (file.isEmpty())
        {
            redirectAttributes.addFlashAttribute("message", "Please select a file to upload");
            return "redirect:/uploadStatus";
        }

        List userList = FileUtil.readAndValidateFile(file, roleRepository);
        for(User user: userList)
        {
            User createdUser = userManager.createUser(companyGuid, user);
        }

        redirectAttributes.addFlashAttribute("message",
                "You successfully uploaded " + file.getOriginalFilename() + " and added " + userList.size() + " users");


        return "redirect:/uploadStatus";
    }

The method to readAndValidateFile is simply reading the data from file, validating to make sure all the fields in CSV file exists, if wrong format, it will throw an error. If a valid file, it will create a list of users. UserManager will create each user.

The class FileUtil is as below:

package com.betterjavacode.socialpie.utils;

import com.betterjavacode.socialpie.models.Role;
import com.betterjavacode.socialpie.models.User;

import com.betterjavacode.socialpie.repositories.RoleRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.multipart.MultipartFile;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

public class FileUtil
{
    private static final String FIRST_NAME = "firstname";
    private static final String LAST_NAME = "lastname";


    public static List readAndValidateFile (MultipartFile file, RoleRepository roleRepository)
    {
        BufferedReader bufferedReader;
        List result = new ArrayList<>();
        try
        {
            String line;
            InputStream inputStream = file.getInputStream();
            bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
            while((line = bufferedReader.readLine()) != null)
            {
                String[] userData = line.split(",");
                if(userData == null || userData.length != 5)
                {
                    throw new RuntimeException("File data not in correct format");
                }
                if(FIRST_NAME.equalsIgnoreCase(userData[0]) && LAST_NAME.equalsIgnoreCase(userData[2]))
                {
                    continue; // first line is header
                }
                User user = new User();
                user.setFirstName(userData[0]);
                user.setMiddleName(userData[1]);
                user.setLastName(userData[2]);
                user.setEmail(userData[3]);
                Role role = roleRepository.findByRoleName(userData[4]);
                user.setRole(role);
                result.add(user);
            }
        }
        catch(IOException e)
        {
            throw new RuntimeException("Unable to open the file " + e.getMessage());
        }
        return result;
    }
}

A working demo

Once I log into the application Social KPI, I click on Add Users and it will take me to upload the users screen which will look below:

Import Users

Once you choose a file in CSV format to upload and click on Import, it will show the screen as below:

File Upload Status

Conclusion

So in this post, we showed how to import a file while using Spring Boot multipart form.

References

  1. Uploading files – uploading files