Provide x-auth-token authentication method #892

Closed
julienboulay opened this issue Dec 21, 2014 · 16 comments

@julienboulay

When no cache system is enabled on the server side, x-auth-token could provide a better stateless and simpler authentication method compared to OAuth2.
An example here: https://github.com/joshlong/boot-examples/tree/4b14c1634e7cfa0e5ab5313fe5a14121ef7c10f7/x-auth-security/src/main/java/demo/xauth

@julienboulay
Author

I've implemented an X-Auth-Token authentication on a JHipster project with MongoDB.
It is available here: https://github.com/Ekito/jhipster-xauth
Could you please review this implementation and tell me if it could be integrated into the generator?
If yes, I would implement it and make a pull request.
Thanks

@mpages
Contributor

mpages commented Dec 22, 2014

@julienboulay why do you implement a generic filter and not AbstractPreAuthenticatedProcessingFilter?

@julienboulay
Author

Hi Michael,

I didn't know AbstractPreAuthenticatedProcessingFilter. Thanks for the tip. I will have a look at it.

@mpages
Contributor

mpages commented Dec 22, 2014

I've used it on a JHipster project, where the user id was injected into an HTTP header by a security provider.
With this filter I extract the info and, as usual, Spring checks the user & role using UserDetailsService.

@jmirc
Member

jmirc commented Dec 23, 2014

Great stuff. I can see it as another option. Could you please send us a PR?

@julienboulay
Author

@mpages, hi Michael,
I've just had a look at the AbstractPreAuthenticatedProcessingFilter documentation. I'm not sure that it will fit the needs.
Here is an extract of the documentation:

There are situations where you want to use Spring Security for authorization, but the user has already been reliably authenticated by some external system prior to accessing the application. We refer to these situations as “pre-authenticated” scenarios.

In XAuthToken authentication, the user must be authenticated for each request and is not authenticated by an external application.

@julienboulay
Author

@jmirc: Thanks, I will try to implement a new option for the JHipster generator and make a pull request as soon as it is ready.

@jdubois
Member

jdubois commented Dec 28, 2014

I've looked at your PR and I'm trying to better understand how x-auth-token is supposed to work:

  • Do you have some documentation? I couldn't find anything clear by Googling it, which I find quite disturbing.
  • From my understanding (reading your code), you authenticate users only using an MD5 hash and a secret key. Isn't this easy to hack? I would create a couple of user names, then use them to find the secret key, and when I get it, I could log in using anybody's login. Do you have some documentation on this, too?

@julienboulay
Author

  • x-auth-token authentication is not a "standard" as such: it is more a convention for authenticating users on RESTful services. You will find multiple examples of its implementation, but no official documentation. The principle is quite simple:
    • the user authenticates the first time to retrieve a token.
    • The token can then be provided in the next request headers (as with OAuth).
  • You're right, users are authenticated using an MD5 hash and a secret key. You can refer to this stackoverflow post to understand that it would be difficult to find the secret key. Reverting an MD5 hash is quite easy for a simple and short password. But, in our case, the MD5 will hash username/expires/password/secretkey. It makes it very difficult to revert the MD5.

@jdubois
Member

jdubois commented Dec 29, 2014

OK, that looks good to me.

@jmirc
Member

jmirc commented Dec 29, 2014

I confirm it is pretty impossible to revert the MD5. You need to have power and dictionary files.

@jdubois
Member

jdubois commented Dec 29, 2014

Yes, I thought it was only an MD5 of the username + secret key, but if you add expires and password then you can't revert it.
If it was only username + secret key, you would need to create 2 usernames, and then try all the combinations and see which one matches; that way you could get the key.
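The two-username check jdubois describes, written out as an added example (this is not code from the thread or from jhipster-xauth). It models only the hypothetical weaker scheme, a token that is just MD5(username + secret) with no expiry and no per-user password in the hash input, and shows why an attacker who controls two accounts can confirm a recovered secret and then mint a token for any other account. The secret, the user names and the digits-only search space are constructed so the search finishes instantly; under the scheme that was actually merged, where the hash input also contains the user's password value, a token for another account cannot be computed from the secret alone.

```python
import hashlib
import itertools
import string


def weak_token(username: str, secret: str) -> str:
    """Hypothetical weaker scheme from the discussion: MD5 over username + secret,
    with no expiry and no per-user password in the hash input."""
    return hashlib.md5((username + secret).encode()).hexdigest()


def recover_secret(observed: dict, alphabet: str = string.digits, max_len: int = 4):
    """Offline search for the secret. `observed` maps the usernames the attacker
    registered to the tokens the server issued for them. A candidate is accepted
    only if it reproduces every observed token, so the second account rules out a
    candidate that happens to match one hash but is not the real secret."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if all(weak_token(user, tok_seen) == tok_seen_expected
                   for user, (tok_seen, tok_seen_expected) in
                   ((u, (candidate, t)) for u, t in observed.items())):
                return candidate
    return None


def forge_token(victim: str, recovered_secret: str) -> str:
    """Once the secret is known, a token for any username is one hash away."""
    return weak_token(victim, recovered_secret)


if __name__ == "__main__":
    SECRET = "7391"  # constructed: a deliberately tiny secret so the search ends quickly
    observed = {u: weak_token(u, SECRET) for u in ("attacker1", "attacker2")}
    found = recover_secret(observed)
    print("recovered secret:", found)
    print("forged admin token accepted:", forge_token("admin", found) == weak_token("admin", SECRET))
```

The search space here is four decimal digits, which is what makes the demonstration run in milliseconds; the point is the confirmation step with two accounts, not the size of a real secret.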

@jdubois
Member

jdubois commented Jan 19, 2015

This is merged!

@jdubois jdubois closed this as completed Jan 19, 2015
@jdubois jdubois modified the milestone: 2.1.0 Jan 27, 2015
@alchemistgo87

Do we have a refresh token option in x-auth-token authentication? If not, do we have to save the username and password of the user in the client's local storage, or do we have to set the expiration time of the token to infinity?

@julienboulay
Author

Hi,
there's no refresh token option with x-auth-token. The user will need to sign up another time when the token has expired. Refreshing the token could be done each time a new request is sent to the server, extending the expiration limit.
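An added example (not code from the thread or from jhipster-xauth) of the token scheme as julienboulay describes it earlier in the thread, together with the per-request sliding expiry he suggests here instead of a refresh token. The token layout `username:expires:MD5(username:expires:password:secret)`, the millisecond timestamps, the names `SECRET_KEY` and `USER_PASSWORDS`, and the "reissue when less than ten minutes remain" threshold are all assumptions modelled on the linked x-auth-security example; the user table is constructed. Validation recomputes the signature from the stored password value, so the server keeps no per-token state, and compares it in constant time.

```python
import hashlib
import hmac
import time

# Constructed example data. In the generator the password value comes from the
# UserDetailsService; a dict stands in for it here. SECRET_KEY never leaves the server.
SECRET_KEY = "example-server-secret"
USER_PASSWORDS = {"alice": "$2a$10$alice-stored-hash", "bob": "$2a$10$bob-stored-hash"}


def _signature(username, expires_ms, password):
    """MD5 over username:expires:password:secret, the four inputs named in the thread."""
    data = f"{username}:{expires_ms}:{password}:{SECRET_KEY}"
    return hashlib.md5(data.encode()).hexdigest()


def create_token(username, validity_seconds=3600, now=None):
    """Issued once after a username/password login: <username>:<expires_ms>:<signature>."""
    now = time.time() if now is None else now
    expires_ms = int((now + validity_seconds) * 1000)
    return f"{username}:{expires_ms}:{_signature(username, expires_ms, USER_PASSWORDS[username])}"


def validate_token(token, now=None):
    """Return the username for a well-formed, unexpired, correctly signed token, else None.
    Every request carries the token (e.g. in the X-Auth-Token header); nothing is looked
    up but the user's stored password value."""
    now = time.time() if now is None else now
    parts = token.rsplit(":", 2)        # rsplit so a ':' inside the username cannot shift the fields
    if len(parts) != 3:
        return None
    username, expires_str, signature = parts
    if not username or not expires_str.isdigit():
        return None
    expires_ms = int(expires_str)
    if expires_ms <= now * 1000:
        return None                     # expired: the client must log in again
    password = USER_PASSWORDS.get(username)
    if password is None:
        return None                     # unknown user
    expected = _signature(username, expires_ms, password)
    if not hmac.compare_digest(expected, signature):
        return None                     # tampered or forged
    return username


def refresh_if_needed(token, now=None, threshold_seconds=600, validity_seconds=3600):
    """Sliding expiry, the alternative to a refresh token mentioned in the thread: on each
    valid request, reissue the token when it is close to expiring and return the token the
    server should send back. The threshold is an assumed policy, not something the thread fixes."""
    now = time.time() if now is None else now
    username = validate_token(token, now)
    if username is None:
        return None                     # answer 401; no silent renewal of an expired token
    expires_ms = int(token.rsplit(":", 2)[1])
    if expires_ms - now * 1000 < threshold_seconds * 1000:
        return create_token(username, validity_seconds, now)
    return token


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = create_token("alice", 3600, t0)
    print("issued:", tok)
    print("valid now:", validate_token(tok, t0))
    print("valid after expiry:", validate_token(tok, t0 + 3601))
    print("renamed to bob accepted:", validate_token(tok.replace("alice", "bob", 1), t0))
    print("renewed near expiry:", refresh_if_needed(tok, t0 + 3300))
```

Because `create_token` depends only on its inputs and the `now` argument, a server that renews on every request hands the client a new `X-Auth-Token` value in the response and the client simply replaces the one it stores; nothing about the old token needs to be remembered or revoked server-side.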

@DarkmanMuMoo

Hi, I just wonder whether it is better to implement some AbstractAuthenticationFilter to do the login process instead of letting UserXAuthTokenController do it?
