0

I don't know if I worded this question correctly, Spring Security is something I'm not very familiar with.

In my spring boot application the login is done with OAuth 2.0 and gluu. So far it works well and without issue. However, after the user logs in I check whether a user with the ID provided by the gluu server exists in our database because I need additional information on the user. Now, this is done after the login when checking things like permissions and fetching user-specific properties like settings. If the user does not exist on our end I get a NullPointerException. This case should (in an ideal world) not happen but I'd still like to handle it properly.

I'd like to make that check happen as part of the authorization process, so the login fails if we don't have any information on the user instead of checking it after the login has completed.

Does that make sense? I'm having a hard time wording it properly so I couldn't find any useful results on google. A link to some tutorial or docs would be greatly appreciated!

mackesmilian
  • 91
  • 8

2 Answers2

0

You can handle this with an Interception Script. And you will also need to add customAuthParamz in oxAuth configuration (JSON Configuration > OxAuth).

Christian H
  • 3,779
  • 2
  • 7
  • 17
0

If you want to do it in spring-security, you can provide a Converter<Jwt, AbstractAuthenticationToken> @Bean (to replace default JwtAuthenticationConverter).

This bean would call your user repo (maybe on a @Cachable method) and could even return an Authentication of your own with all user data you need for your security rules (maybe either create missing user record in databse or return AnonymousAuthenticationToken when user is not known in your system).

I have something a bit like that in this tutorial (extra user data is retrieved from token private claims and not from a database, but you get the idea).

ch4mp
  • 6,622
  • 6
  • 29
  • 49