Some minor code and documentation improvments.

Signed-off-by: Paulo Silva <paulos@criticalblue.com>

Author: Exadra37

README.md

@@ -34,8 +34,8 @@ Approov JWT token.
 
 A custom payload claim in an Approov token is a base64 encoded sha256 hash of
 some unique identifier we may want to tie with the Approov token to enhance
-the security on that request, like an OAUTH2 token, but you are free to use what
-so ever you may want.
+the security on that request, like an Authorization token, but you are free to
+use what so ever you may want.
 
 Dummy example for the JWT token middle part, the payload:
 
@@ -56,24 +56,24 @@ The custom payload claim in an Approov token is the one in the `pay` key:
 >
 > Please bear in mind that the custom payload claim is not meant to pass
 > application data to the API server, or any data that changes in every request,
-> but if this is an hard requirement for your use case, please contact us for
+> but if this is a hard requirement for your use case, please contact us for
 > further discussion.
 
 
 ## SYSTEM CLOCK
 
 In order to correctly check for the expiration times of the Approov tokens is
-very important that the Java server is synchronizing automatically the system
-clock over the network with an authoritative time source. In Linux this is usual
-done with a NTP server.
+important that the system clock for the Java server is synchronized
+automatically over the network with an authoritative time source. In Linux this
+is usual done with an NTP server.
 
 
 ## REQUIREMENTS
 
 We will use Java `11.0.3` with the Spring Boot `2.1.3.RELEASE`, and Gradle
 `5.2.1` to compile, build and run this demo.
 
-Docker is required for the ones wanting to use the Java docker stack provided
+Docker is only required for developers wanting to use the Java docker stack provided
 by the [stack](./stack) bash script, that is a wrapper around docker commands.
 
 ```bash
@@ -110,15 +110,15 @@ the API, but feel free to use any other tool of your preference.
 We recommend the use of the included Docker stack to play with this Approov
 integration.
 
-For details in how to use it you need to follow the setup instructions in the
+For details on how to use it you need to follow the setup instructions in the
 [Approov Shapes Demo Server](./docs/approov-shapes-demo-server.md#development-environment)
 walk-through, but feel free to use your local environment to play with this
 Approov integration.
 
 
 ## THE POSTMAN COLLECTION
 
-Import this [Postman collection](https://gitlab.com/snippets/1799104/raw) that
+Import this [Postman collection](https://gitlab.com/snippets/1852520/raw) that
 contains all the API endpoints for the Approov Shapes Demo Server and we
 strongly recommend you to follow
 [this demo walk-through](./docs/approov-shapes-demo-server.md) after finishing
@@ -127,8 +127,8 @@ the Approov integration that we are about to start.
 The Approov tokens used in the headers of this Postman collection where
 generated by [this helper script](./bin/generate-token) and
 they cover all necessary scenarios, but feel free to use the script to generate
-some more valid and invalid tokens, with different expire times and custom
-payload claims. Some examples of using it can be found [here](./docs/approov-shapes-demo-server.md#approov-tokens-generation).
+some more valid and invalid tokens, with different expiration times and custom
+payload claims. Some examples of using it can be found [here](./docs/approov-shapes-demo-server.md#Approov-Tokens-generation).
 
 
 ## DEPENDENCIES
@@ -153,6 +153,7 @@ We will learn how to integrate Approov in a skeleton generated with Spring Boot,
 where we added 3 endpoints:
 
 * `/` - Not protected with Approov.
+* `/hello` - Not protected with Approov.
 * `/shapes` - Approov protected.
 * `/forms` - Approov protected, and with a check for the Approov custom payload claim.
 
@@ -174,7 +175,7 @@ When implementing Approov is required to always check if the signature and
 expiration time of the Approov token is valid, and optionally to check if the
 custom payload claim matches the one in the header.
 
-For the required and optional checks we always need to configure the Spring
+For both the required and optional checks we always need to configure the Spring
 framework security with the `ApproovAuthenticationProvider(approovConfig)`.
 
 Now we need to configure what endpoints will perform the required and optional
@@ -193,9 +194,9 @@ tell if the custom payload claim is to be checked or not, and this is done with
 the boolean flag `checkCustomPayload`.
 
 In order to be able to have endpoints that perform only the required checks in
-the Approov token, while at same time having others endpoints where both the
+the Approov token, while at the same time having others endpoints where both the
 required and optional checks must take place, we need to configure the Spring
-framework security context with static sub classes of the main `WebSecurityConfig`
+framework security context with static subclasses of the main `WebSecurityConfig`
 class, and this sub classes also need to implement the abstract
 `WebSecurityConfigurerAdapter` class. This subclasses will be annotated with a
 configuration order `@Order(n)`, thus their configuration order is important. So
@@ -265,7 +266,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  CorsConfiguration configuration = new CorsConfiguration();
  configuration.setAllowedOrigins(Arrays.asList("http://localhost:5000"));
  configuration.setAllowedMethods(Arrays.asList("GET"));
- configuration.addAllowedHeader("Approov-Token");
  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  source.registerCorsConfiguration("/**", configuration);
  return source;
@@ -311,8 +311,8 @@ custom payload claim in the Approov token.
 As already mentioned we will need to add to the `WebSecurityConfig` a subclass
 for the endpoints we want to secure with only the required checks for an Approov
 token, another for the endpoints secured with the required and optional checks
-for an Aprroov token, and finally a subclass for the endpoints that do not
-require authentication.
+for an Aprroov token, and finally a subclass for endpoints that do not require
+authentication.
 
 So let's prepare the `WebSecurityConfig` with only a subclass that maintains the
 access to all endpoints without any authentication.
@@ -348,7 +348,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  CorsConfiguration configuration = new CorsConfiguration();
  configuration.setAllowedOrigins(Arrays.asList("http://localhost:5000"));
  configuration.setAllowedMethods(Arrays.asList("GET"));
- configuration.addAllowedHeader("approov-token");
  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  source.registerCorsConfiguration("/**", configuration);
  return source;
@@ -390,6 +389,39 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 }
 ```
 
+#### CORS Configuration
+
+In order to integrate Approov we will need to use an `Approov-Token`, thus we
+need to allow it in the CORS configuration.
+
+If our Approov integration also uses the Approov custom payload check, then we
+also need to allow the header from where we want to retrieve the value we bind
+to the Approov token custom payload in the mobile app, that in this demo is the
+`Authorization` header.
+
+So we add to the CORS configuration this 2 new lines:
+
+```java
+configuration.addAllowedHeader("Authorization");
+configuration.addAllowedHeader("Approov-Token");
+```
+
+That will give us this new CORS configuration:
+
+```java
+@Bean
+CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration configuration = new CorsConfiguration();
+ configuration.setAllowedOrigins(Arrays.asList("http://localhost:5000"));
+ configuration.setAllowedMethods(Arrays.asList("GET"));
+ configuration.addAllowedHeader("Authorization");
+ configuration.addAllowedHeader("Approov-Token");
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", configuration);
+ return source;
+}
+```
+
 #### Protecting the `/shapes` endpoint
 
 To protect the `/shapes` endpoint we will add the subclass `ApproovWebSecurityConfig`:
@@ -555,7 +587,8 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  CorsConfiguration configuration = new CorsConfiguration();
  configuration.setAllowedOrigins(Arrays.asList("http://localhost:5000"));
  configuration.setAllowedMethods(Arrays.asList("GET"));
- configuration.addAllowedHeader("approov-token");
+ configuration.addAllowedHeader("Authorization");
+ configuration.addAllowedHeader("Approov-Token");
  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  source.registerCorsConfiguration("/**", configuration);
  return source;
@@ -617,12 +650,12 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  .securityContext()
  .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, true))
  .and()
- .exceptionHandling()
- .authenticationEntryPoint(new ApproovAuthenticationEntryPoint())
+  .exceptionHandling()
+  .authenticationEntryPoint(new ApproovAuthenticationEntryPoint())
  .and()
- .antMatcher("/forms")
- .authorizeRequests()
- .antMatchers(HttpMethod.GET, "/forms").authenticated();
+  .antMatcher("/forms")
+  .authorizeRequests()
+  .antMatchers(HttpMethod.GET, "/forms").authenticated();
  }
  }
 
@@ -658,8 +691,7 @@ If we compare the initial implementation with the final result for the class
 
 ```java
 --- untitled (Previous)
-+--- untitled (Previous)
-+++ untitled (Current)
++++ /home/sublime/workspace/java/spring/src/main/java/com/criticalblue/approov/jwt/WebSecurityConfig.java
 @@ -1,6 +1,7 @@
  package com.criticalblue.approov.jwt;
 
@@ -668,16 +700,16 @@ If we compare the initial implementation with the final result for the class
  import org.springframework.security.config.annotation.web.builders.WebSecurity;
  import org.springframework.security.config.http.SessionCreationPolicy;
  import org.springframework.web.cors.CorsConfiguration;
-@@ -25,7 +26,7 @@
+@@ -25,6 +26,8 @@
  CorsConfiguration configuration = new CorsConfiguration();
  configuration.setAllowedOrigins(Arrays.asList("http://localhost:5000"));
  configuration.setAllowedMethods(Arrays.asList("GET"));
-- configuration.addAllowedHeader("Approov-Token");
-+ configuration.addAllowedHeader("approov-token");
++ configuration.addAllowedHeader("Authorization");
++ configuration.addAllowedHeader("Approov-Token");
  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  source.registerCorsConfiguration("/**", configuration);
  return source;
-@@ -36,27 +37,86 @@
+@@ -35,27 +38,86 @@
  web.ignoring().antMatchers("/error");
  }
 
@@ -727,7 +759,8 @@ If we compare the initial implementation with the final result for the class
 + .authorizeRequests()
 + .antMatchers(HttpMethod.GET, "/shapes").authenticated();
 + }
-+ }
+ }
+-}
 +
 + @Configuration
 + @Order(2)
@@ -750,12 +783,12 @@ If we compare the initial implementation with the final result for the class
 + .securityContext()
 + .securityContextRepository(new ApproovSecurityContextRepository(approovConfig, true))
 + .and()
-+ .exceptionHandling()
-+ .authenticationEntryPoint(new ApproovAuthenticationEntryPoint())
++  .exceptionHandling()
++  .authenticationEntryPoint(new ApproovAuthenticationEntryPoint())
 + .and()
-+ .antMatcher("/forms")
-+ .authorizeRequests()
-+ .antMatchers(HttpMethod.GET, "/forms").authenticated();
++  .antMatcher("/forms")
++  .authorizeRequests()
++  .antMatchers(HttpMethod.GET, "/forms").authenticated();
 + }
 + }
 +
@@ -780,8 +813,8 @@ If we compare the initial implementation with the final result for the class
 + .authorizeRequests()
 + .antMatchers(HttpMethod.GET, "/**").permitAll();
 + }
-  }
- }
++ }
++}
 ```
 
 

docs/approov-shapes-demo-server.md

@@ -232,11 +232,15 @@ Feel free to try all the options...
 To start the server we want to issue the command:
 
 ```bash
-./gradlew bootRun
+source .env && ./gradlew bootRun
 ```
 
-After the Java server is up and running it will be available at http://localhost:5000.
+> **NOTE**:
+>
+> If you decide to run the Java server from your IDE, then you need to set all
+> the environments variables in the `.env` file in your IDE.
 
+After the Java server is up and running it will be available at http://localhost:5000.
 
 ### Endpoint Not Protected by Approov
 

src/main/java/com/criticalblue/approov/jwt/WebSecurityConfig.java

@@ -26,6 +26,7 @@ CorsConfigurationSource corsConfigurationSource() {
  CorsConfiguration configuration = new CorsConfiguration();
  configuration.setAllowedOrigins(Arrays.asList("http://localhost:5000"));
  configuration.setAllowedMethods(Arrays.asList("GET"));
+ configuration.addAllowedHeader("Authorization");
  configuration.addAllowedHeader("Approov-Token");
  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  source.registerCorsConfiguration("/**", configuration);

src/main/java/com/criticalblue/approov/jwt/authentication/ApproovAuthenticationProvider.java

@@ -24,7 +24,7 @@ public class ApproovAuthenticationProvider implements AuthenticationProvider {
  * @param approovConfig Extracted from the .env file in the root of the package.
  */
  public ApproovAuthenticationProvider(ApproovConfig approovConfig) {
- this.approovSecret = Base64.decodeBase64(approovConfig.getBase64Secret());
+ this.approovSecret = Base64.decodeBase64(approovConfig.getApproovBase64Secret());
  }
 
  @Override

src/main/java/com/criticalblue/approov/jwt/authentication/ApproovConfig.java

@@ -9,9 +9,9 @@ final public class ApproovConfig {
 
  private String approovHeaderName = "Approov-Token";
 
- private final String approovClaimHeaderName;
+ private String approovBase64Secret;
 
- private String base64Secret = System.getenv("APPROOV_BASE64_SECRET");
+ private final String approovClaimHeaderName;
 
  private boolean toAbortRequestOnInvalidToken;
 
@@ -21,6 +21,7 @@ final public class ApproovConfig {
  * Constructs the Approov Config singleton with values retrieved from the .env file in the root of the project.
  */
  private ApproovConfig() {
+ this.approovBase64Secret = retrieveApproovBase64Secret();
  this.approovClaimHeaderName = retrieveStringValueFromEnv("APPROOV_CLAIM_HEADER_NAME", "Authorization");
  this.toAbortRequestOnInvalidToken = retrieveBooleanValueFromEnv("APPROOV_ABORT_REQUEST_ON_INVALID_TOKEN", true);
  this.toAbortRequestOnInvalidCustomPayloadClaim = retrieveBooleanValueFromEnv("APPROOV_ABORT_REQUEST_ON_INVALID_CUSTOM_PAYLOAD_CLAIM", true);
@@ -38,8 +39,8 @@ String getApproovClaimHeaderName() {
  return approovClaimHeaderName;
  }
 
- String getBase64Secret() {
- return base64Secret;
+ String getApproovBase64Secret() {
+ return approovBase64Secret;
  }
 
  boolean isToAbortRequestOnInvalidToken() {
@@ -50,6 +51,16 @@ boolean isToAbortRequestOnInvalidCustomPayloadClaim() {
  return toAbortRequestOnInvalidCustomPayloadClaim;
  }
 
+ private String retrieveApproovBase64Secret() {
+ approovBase64Secret = System.getenv("APPROOV_BASE64_SECRET");
+
+ if (approovBase64Secret == null) {
+ throw new ApproovAuthenticationException("Cannot retrieve APPROOV_BASE64_SECRET from the environment.");
+ }
+
+ return approovBase64Secret;
+ }
+
  private String retrieveStringValueFromEnv(String key, String defaultValue) {
 
  String value = System.getenv(key);