Customizing Spring Security for Shopify

In order to create a custom application for a Shopify-based client store, I need to customize the security framework I am using in my online application. In the previous blog post, I have given some details about the Filter Chain that gets built by the Spring Boot application when using OAuth2.

In order to customize the out-of-the-box Filter Chain that comes with Spring Boot Security version 5.5.2, a few challenges coming from the target server need to be considered:

  • First, Shopify treats each store separately: authorization tokens and access to resources are scoped to the domain of a shop.

  • Second, Shopify signs all its public communication with an HMAC token.

Although there are components of the Spring Security OAuth2 Web Client package that could address the needs of a typical OAuth2 client, I felt that writing my own OAuth2AuthorizationCodeGrantFilter would be a simpler solution to the problem than creating a custom OAuth2AuthorizationCodeAuthenticationProvider and injecting it into the out-of-the-box OAuth2AuthorizationCodeGrantFilter. This is because the OAuth2 Web Client has a very intricate integration with the base Context Manager, and it takes the construction of just too many intermediate objects, with lots of type conversions in between, to finally create an Authorization object from the Token received from Shopify at the end of a typical OAuth2 flow.

The new ShopifyOAuth2AuthorizationCodeGrantFilter intercepts the request to install the client into a shop page (either the admin page or the client page). It validates the request by computing its HMAC and comparing it with the one sent by Shopify. If the HMAC matches, the filter obtains the Authorization Token from the server. With that token, the filter then:

  1. Adds a record in the AuthorizationRequestRepository

  2. Adds a record in the OAuth2AuthorizedClientRepository

The latter record also creates an Authentication object with credentials for the store, which the filter then adds to a new Context in the current ContextHolder.
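The HMAC check that the filter performs before it ever asks Shopify for a token, as an added example that is not the blog's own code: the class name ShopifyHmacVerifier is hypothetical, it assumes Shopify's documented scheme (drop the hmac parameter, sort the remaining query parameters by key, join them as key=value pairs with '&', HMAC-SHA256 them with the app's shared secret, hex-encode), and it assumes single-valued query parameters; apiSecret is whatever the app reads from its configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Checks the hmac query parameter Shopify appends to install and OAuth callback requests. */
public final class ShopifyHmacVerifier {
    /** True only if "hmac" is hex(HMAC-SHA256(apiSecret, m)) with m = the remaining query parameters,
     *  sorted by key and joined as key=value&key=value. apiSecret is the app's shared secret (assumed). */
    public static boolean isValid(Map<String, String[]> queryParams, String apiSecret) {
        String[] presented = queryParams.get("hmac");
        if (presented == null || presented.length != 1) return false; // missing or duplicated: reject
        TreeMap<String, String> sorted = new TreeMap<>(); // lexicographic key order
        for (Map.Entry<String, String[]> e : queryParams.entrySet()) {
            if (!"hmac".equals(e.getKey()) && e.getValue().length > 0)
                sorted.put(e.getKey(), e.getValue()[0]); // assumes single-valued parameters
        }
        StringBuilder msg = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (msg.length() > 0) msg.append('&');
            msg.append(e.getKey()).append('=').append(e.getValue());
        }
        byte[] expected = toHex(hmacSha256(msg.toString(), apiSecret)).getBytes(StandardCharsets.US_ASCII);
        byte[] given = presented[0].toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        // constant-time compare: String.equals() would leak where the first mismatching byte is
        return MessageDigest.isEqual(expected, given);
    }

    private static byte[] hmacSha256(String message, String apiSecret) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(apiSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA256 unavailable", e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

In the filter, `ShopifyHmacVerifier.isValid(request.getParameterMap(), apiSecret)` returning false should end the request with a 401 before any token exchange or repository write takes place.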

In order to allow future references to the same Authentication object, my implementation of the OAuth2SecurityContextRepository uses a persistence layer (a database) in which it associates the Authorization Token with a key, which is then passed in the response to the user's browser as a new header.

As long as the header is sent back together with the same session cookie, the application, even when run on multiple instances, can restore the Context from the database.
