2: Migrate core behavior to new base

Task-Url: #2

2: Migrate core behavior to new base
Task-Url: #2
1e8a9d66 · Gradl, Tobias · 17d8a62d · 1e8a9d66 · 1e8a9d66 · 1e8a9d66
Commit 1e8a9d66 authored Oct 30, 2020 by Gradl, Tobias
--- a/dariahsp-core/build.gradle
+++ b/dariahsp-core/build.gradle
@@ -17,6 +17,8 @@ dependencies {
 	implementation "org.pac4j:spring-webmvc-pac4j:$webmvcPac4jVersion"
 	implementation "org.pac4j:pac4j-saml:$pac4jVersion"
 	implementation "org.pac4j:pac4j-http:$pac4jVersion"
+	
+	implementation "org.aspectj:aspectjweaver"

    testImplementation librarySets.commonTest
 }

--- a/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/CombinedSecurityConfigurationAdapter.java
+++ b/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/CombinedSecurityConfigurationAdapter.java
+package eu.dariah.de.dariahsp.config;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.pac4j.core.client.Client;
+import org.pac4j.core.config.Config;
+import org.pac4j.springframework.security.web.Pac4jEntryPoint;
+import org.pac4j.springframework.security.web.SecurityFilter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.access.expression.SecurityExpressionHandler;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+public class CombinedSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
+
+    @Autowired private Config config;
+    
+    @Bean
+	public RoleHierarchy roleHierarchy() {
+	  RoleHierarchyImpl r = new RoleHierarchyImpl();
+	  r.setHierarchy("ROLE_ADMINISTRATOR > ROLE_CONTRIBUTOR > ROLE_USER");
+	  return r;
+	}
+
+    @Override
+    protected void configure(final HttpSecurity http) throws Exception {
+
+    	List<String> enabledClientNames = config.getClients().findAllClients().stream()
+    											.map(Client::getName)
+    											.collect(Collectors.toList());
+    	
+        final SecurityFilter filter = new SecurityFilter(config, enabledClientNames.stream().collect(Collectors.joining(",")));
+
+        http
+        	/*.requestMatchers()
+        		.antMatchers("/saml/**", "/form/**")
+        	.and()
+        	.authorizeRequests()
+                .antMatchers("/saml/admin.html").hasRole("ADMINISTRATOR")
+                .antMatchers("/saml/**").authenticated()*/
+        	//.and()
+        	.addFilterBefore(filter, BasicAuthenticationFilter.class)
+        	.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
+    		
+        if (!enabledClientNames.isEmpty() && enabledClientNames.get(0).equals("FormClient")) {
+        	http.exceptionHandling().authenticationEntryPoint(new Pac4jEntryPoint(config, "FormClient"));
+        }
+    }
+    
+    protected SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
+        DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
+        defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy());
+        return defaultWebSecurityExpressionHandler;
+    }
+}
--- a/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/DefaultFiltersConfigurationAdapter.java
+++ b/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/DefaultFiltersConfigurationAdapter.java
+package eu.dariah.de.dariahsp.config;
+
+import org.pac4j.core.config.Config;
+import org.pac4j.springframework.security.web.CallbackFilter;
+import org.pac4j.springframework.security.web.LogoutFilter;
+import org.pac4j.springframework.security.web.Pac4jEntryPoint;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.access.expression.SecurityExpressionHandler;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+public class DefaultFiltersConfigurationAdapter extends WebSecurityConfigurerAdapter {
+
+    @Autowired private Config config;
+    
+    protected void configure(final HttpSecurity http) throws Exception {
+
+        final CallbackFilter callbackFilter = new CallbackFilter(config);
+        callbackFilter.setMultiProfile(true);
+
+        final LogoutFilter logoutFilter = new LogoutFilter(config, "/?defaulturlafterlogout");
+        logoutFilter.setDestroySession(true);
+        logoutFilter.setSuffix("/pac4jLogout");
+
+        final LogoutFilter centralLogoutFilter = new LogoutFilter(config, "http://localhost:8080/?defaulturlafterlogoutafteridp");
+        centralLogoutFilter.setLocalLogout(false);
+        centralLogoutFilter.setCentralLogout(true);
+        centralLogoutFilter.setLogoutUrlPattern("http://localhost:8080/.*");
+        centralLogoutFilter.setSuffix("/pac4jCentralLogout");
+
+        http
+                .authorizeRequests().anyRequest().permitAll()
+                .and()
+                .exceptionHandling().authenticationEntryPoint(new Pac4jEntryPoint(config, "FormClient"))
+                .and()
+                .addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
+                .addFilterBefore(logoutFilter, CallbackFilter.class)
+                .addFilterAfter(centralLogoutFilter, CallbackFilter.class)
+                .csrf().disable()
+                .logout()
+                    .logoutSuccessUrl("/");
+    }
+}
\ No newline at end of file
--- a/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/SecurityConfig.java
+++ b/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/SecurityConfig.java
@@ -19,8 +19,11 @@ import org.pac4j.springframework.annotation.AnnotationConfig;
 import org.pac4j.springframework.component.ComponentConfig;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

 import eu.dariah.de.dariahsp.CustomAuthorizer;
@@ -32,6 +35,7 @@ import lombok.extern.slf4j.Slf4j;
 @Data
 @Slf4j
 @Configuration
+@ComponentScan
 @ConfigurationProperties(prefix = "auth")
 @Import({ComponentConfig.class, AnnotationConfig.class})
 public class SecurityConfig {

--- a/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/WebSecurityConfig.java
+++ b/dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/WebSecurityConfig.java
-package eu.dariah.de.dariahsp.config;
-
-import java.util.List;
-import java.util.stream.Collectors;
-
-import org.pac4j.core.client.Client;
-import org.pac4j.core.config.Config;
-import org.pac4j.springframework.security.web.CallbackFilter;
-import org.pac4j.springframework.security.web.LogoutFilter;
-import org.pac4j.springframework.security.web.Pac4jEntryPoint;
-import org.pac4j.springframework.security.web.SecurityFilter;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.core.annotation.Order;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-
-@EnableWebSecurity
-public class WebSecurityConfig {
-
-
-    @Configuration
-    @Order(7)
-    public static class Saml2WebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
-
-        @Autowired
-        private Config config;
-
-        protected void configure(final HttpSecurity http) throws Exception {
-
-        	List<String> enabledClientNames = config.getClients().findAllClients().stream()
-        											.map(Client::getName)
-        											.collect(Collectors.toList());
-        	
-            final SecurityFilter filter = new SecurityFilter(config, enabledClientNames.stream().collect(Collectors.joining(",")));
-
-            http
-            	.requestMatchers()
-            		.antMatchers("/saml/**", "/form/**")
-            	.and()
-            	.authorizeRequests()
-                    .antMatchers("/saml/admin.html").hasRole("ADMINISTRATOR")
-                    .antMatchers("/saml/**").authenticated()
-            	.and()
-            	.addFilterBefore(filter, BasicAuthenticationFilter.class)
-            	.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
-        		
-            if (!enabledClientNames.isEmpty() && enabledClientNames.get(0).equals("FormClient")) {
-            	http.exceptionHandling().authenticationEntryPoint(new Pac4jEntryPoint(config, "FormClient"));
-            }
-            
-            
-            http 
-            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
-        }
-    }
-        
-    
-    @Configuration
-    @Order(15)
-    public static class DefaultWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
-
-        @Autowired
-        private Config config;
-
-        protected void configure(final HttpSecurity http) throws Exception {
-
-            final CallbackFilter callbackFilter = new CallbackFilter(config);
-            callbackFilter.setMultiProfile(true);
-
-            final LogoutFilter logoutFilter = new LogoutFilter(config, "/?defaulturlafterlogout");
-            logoutFilter.setDestroySession(true);
-            logoutFilter.setSuffix("/pac4jLogout");
-
-            final LogoutFilter centralLogoutFilter = new LogoutFilter(config, "http://localhost:8080/?defaulturlafterlogoutafteridp");
-            centralLogoutFilter.setLocalLogout(false);
-            centralLogoutFilter.setCentralLogout(true);
-            centralLogoutFilter.setLogoutUrlPattern("http://localhost:8080/.*");
-            centralLogoutFilter.setSuffix("/pac4jCentralLogout");
-
-            
-            http
-                    .authorizeRequests().anyRequest().permitAll()
-                    .and()
-                    .exceptionHandling().authenticationEntryPoint(new Pac4jEntryPoint(config, "FormClient"))
-                    .and()
-                    .addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
-                    .addFilterBefore(logoutFilter, CallbackFilter.class)
-                    .addFilterAfter(centralLogoutFilter, CallbackFilter.class)
-                    .csrf().disable()
-                    .logout()
-                        .logoutSuccessUrl("/");
-        }
-    }
-}
--- a/dariahsp-sample/src/main/java/eu/dariah/de/dariahsp/sample/config/SampleWebSecurityConfig.java
+++ b/dariahsp-sample/src/main/java/eu/dariah/de/dariahsp/sample/config/SampleWebSecurityConfig.java
 package eu.dariah.de.dariahsp.sample.config;

-import org.pac4j.springframework.annotation.AnnotationConfig;
-import org.pac4j.springframework.component.ComponentConfig;
-import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+import eu.dariah.de.dariahsp.config.CombinedSecurityConfigurationAdapter;
+import eu.dariah.de.dariahsp.config.DefaultFiltersConfigurationAdapter;

-import eu.dariah.de.dariahsp.config.WebSecurityConfig;

 @EnableWebSecurity
-@Import({WebSecurityConfig.class})
-public class SampleWebSecurityConfig {
+public class SampleWebSecurityConfig extends WebSecurityConfigurerAdapter {

+	@Configuration
+    @Order(1)
+	public static class WebSecurityConfigAdapter extends CombinedSecurityConfigurationAdapter {
+		@Override
+		protected void configure(final HttpSecurity http) throws Exception {
+			 http
+	        	.requestMatchers()
+	        		.antMatchers("/saml/**", "/form/**")
+	        	.and()
+	        	.authorizeRequests()
+	                .antMatchers("/saml/admin.html").hasRole("CONTRIBUTOR")
+	                .antMatchers("/saml/**").authenticated();
+			 
+			 super.configure(http);
+		}
+	}
+	
+	@Configuration
+    @Order(2)
+    public static class CallbackLoginLogoutConfigurationAdapter extends DefaultFiltersConfigurationAdapter {}
 }
--- a/dariahsp-sample/src/main/java/eu/dariah/de/dariahsp/sample/controller/SampleController.java
+++ b/dariahsp-sample/src/main/java/eu/dariah/de/dariahsp/sample/controller/SampleController.java
@@ -44,8 +44,10 @@ public class SampleController {
    @Autowired private MetadataHelper metadataHelper;
 	
 	@GetMapping("/")
-	public String greeting(@RequestParam(name="name", required=false, defaultValue="World") String name, Model model) {
-		model.addAttribute("name", name);
+	public String greeting(@RequestParam(name="name", required=false, defaultValue="World") String name, Map<String, Object> map) {
+		map.put("name", name);
+		map.put(PROFILES, profileManager.getAll(true));
+        map.put(SESSION_ID, jeeContext.getSessionStore().getOrCreateSessionId(jeeContext));
 		return "home";
 	}