Commit 1e8a9d66 authored by Gradl, Tobias

2: Migrate core behavior to new base

Task-Url: #2
parent 17d8a62d
......@@ -17,6 +17,8 @@ dependencies {
implementation "org.pac4j:spring-webmvc-pac4j:$webmvcPac4jVersion"
implementation "org.pac4j:pac4j-saml:$pac4jVersion"
implementation "org.pac4j:pac4j-http:$pac4jVersion"
implementation "org.aspectj:aspectjweaver"
testImplementation librarySets.commonTest
}
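Review bot: `implementation "org.aspectj:aspectjweaver"` carries no version, unlike the neighbouring pac4j lines that pin `$pac4jVersion`/`$webmvcPac4jVersion`; Gradle only resolves a version-less coordinate when a platform/BOM (for example Spring Boot's dependency management) supplies it, otherwise the build fails, and the resolved version then floats with whatever BOM the consuming project applies. For a security-sensitive weaving agent it is worth making that explicit, either `implementation "org.aspectj:aspectjweaver:$aspectjVersion"` or a one-line comment naming the BOM that is expected to manage it. The `dependencies { … }` block starts before this hunk.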
......
package eu.dariah.de.dariahsp.config;
import java.util.List;
import java.util.stream.Collectors;
import org.pac4j.core.client.Client;
import org.pac4j.core.config.Config;
import org.pac4j.springframework.security.web.Pac4jEntryPoint;
import org.pac4j.springframework.security.web.SecurityFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
public class CombinedSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Autowired private Config config;
@Bean
public RoleHierarchy roleHierarchy() {
RoleHierarchyImpl r = new RoleHierarchyImpl();
r.setHierarchy("ROLE_ADMINISTRATOR > ROLE_CONTRIBUTOR > ROLE_USER");
return r;
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
List<String> enabledClientNames = config.getClients().findAllClients().stream()
.map(Client::getName)
.collect(Collectors.toList());
final SecurityFilter filter = new SecurityFilter(config, enabledClientNames.stream().collect(Collectors.joining(",")));
http
/*.requestMatchers()
.antMatchers("/saml/**", "/form/**")
.and()
.authorizeRequests()
.antMatchers("/saml/admin.html").hasRole("ADMINISTRATOR")
.antMatchers("/saml/**").authenticated()*/
//.and()
.addFilterBefore(filter, BasicAuthenticationFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
if (!enabledClientNames.isEmpty() && enabledClientNames.get(0).equals("FormClient")) {
http.exceptionHandling().authenticationEntryPoint(new Pac4jEntryPoint(config, "FormClient"));
}
}
protected SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy());
return defaultWebSecurityExpressionHandler;
}
}
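Review bot: `webExpressionHandler()` builds a `DefaultWebSecurityExpressionHandler` with the role hierarchy installed, but nothing in `configure` uses it and it is not a `@Bean`, so the `hasRole("ADMINISTRATOR")`-style rules that subclasses add only honour `ROLE_ADMINISTRATOR > ROLE_CONTRIBUTOR > ROLE_USER` if Spring Security happens to auto-detect the single `RoleHierarchy` bean — confirm, or wire it explicitly with `http.authorizeRequests().expressionHandler(webExpressionHandler());` in `configure` (`authorizeRequests()` returns the same configurer a subclass already populated, so the call is safe in either order). The `Pac4jEntryPoint` is installed only when `FormClient` is the first configured client; when another client comes first the chain gets no explicit entry point, and the intended behaviour for unauthenticated requests in that setup should be documented, e.g. `// NOTE: without FormClient first, unauthenticated access relies on the pac4j SecurityFilter starting the indirect-client flow — confirm`. The commented-out `requestMatchers`/`authorizeRequests` block at the top of `configure` is dead code and should be removed; the subclass in `SampleWebSecurityConfig` shows where those rules now belong. A class-level Javadoc stating that this adapter installs the pac4j `SecurityFilter` for all enabled clients and leaves URL authorization to subclasses would make the intended extension point clear.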
package eu.dariah.de.dariahsp.config;
import org.pac4j.core.config.Config;
import org.pac4j.springframework.security.web.CallbackFilter;
import org.pac4j.springframework.security.web.LogoutFilter;
import org.pac4j.springframework.security.web.Pac4jEntryPoint;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
public class DefaultFiltersConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Autowired private Config config;
protected void configure(final HttpSecurity http) throws Exception {
final CallbackFilter callbackFilter = new CallbackFilter(config);
callbackFilter.setMultiProfile(true);
final LogoutFilter logoutFilter = new LogoutFilter(config, "/?defaulturlafterlogout");
logoutFilter.setDestroySession(true);
logoutFilter.setSuffix("/pac4jLogout");
final LogoutFilter centralLogoutFilter = new LogoutFilter(config, "http://localhost:8080/?defaulturlafterlogoutafteridp");
centralLogoutFilter.setLocalLogout(false);
centralLogoutFilter.setCentralLogout(true);
centralLogoutFilter.setLogoutUrlPattern("http://localhost:8080/.*");
centralLogoutFilter.setSuffix("/pac4jCentralLogout");
http
.authorizeRequests().anyRequest().permitAll()
.and()
.exceptionHandling().authenticationEntryPoint(new Pac4jEntryPoint(config, "FormClient"))
.and()
.addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
.addFilterBefore(logoutFilter, CallbackFilter.class)
.addFilterAfter(centralLogoutFilter, CallbackFilter.class)
.csrf().disable()
.logout()
.logoutSuccessUrl("/");
}
}
\ No newline at end of file
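Review bot: `csrf().disable()` in `configure` turns CSRF protection off for the whole chain, and because this chain declares no `requestMatchers()` it is the catch-all for every path not claimed by a higher-ordered chain; one side effect is that Spring Security's `.logout()` then accepts `/logout` with any HTTP method once the CSRF configurer is removed, so a cross-site `GET` can log users out. Exempt only the pac4j endpoints that legitimately receive cross-site POSTs — the callback path this `config` uses plus the `/pac4jLogout` and `/pac4jCentralLogout` suffixes — e.g. `.csrf().ignoringAntMatchers("/callback/**", "/pac4jLogout", "/pac4jCentralLogout")`, and keep the default protection elsewhere. The `http://localhost:8080/…` default URL and `setLogoutUrlPattern("http://localhost:8080/.*")` are environment-specific; as far as I can tell pac4j only follows a post-logout `url` parameter that matches this pattern, so it is the open-redirect allowlist and must stay a strict, configurable pattern in deployment rather than being widened to `.*`. `new Pac4jEntryPoint(config, "FormClient")` hard-codes the form client even though `config` may enable only the SAML client; consider deriving the name from `config.getClients()` as `CombinedSecurityConfigurationAdapter` does.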
......@@ -19,8 +19,11 @@ import org.pac4j.springframework.annotation.AnnotationConfig;
import org.pac4j.springframework.component.ComponentConfig;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import eu.dariah.de.dariahsp.CustomAuthorizer;
......@@ -32,6 +35,7 @@ import lombok.extern.slf4j.Slf4j;
@Data
@Slf4j
@Configuration
@ComponentScan
@ConfigurationProperties(prefix = "auth")
@Import({ComponentConfig.class, AnnotationConfig.class})
public class SecurityConfig {
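Review bot: `@ComponentScan` is added with no `basePackages`/`basePackageClasses`, so it scans `eu.dariah.de.dariahsp.config` and every subpackage in any application that imports `SecurityConfig`, implicitly registering whatever annotated classes land there later — including nested `@Configuration` `WebSecurityConfigurerAdapter`s, each of which becomes a filter chain. Make the intended scope explicit, preferably with an `@Import` of the specific classes, or a narrowed `@ComponentScan(basePackageClasses = …, includeFilters = …)` with a comment naming what it is meant to pick up. The `RoleHierarchy`/`RoleHierarchyImpl` imports arrive in this hunk, but the bean using them is defined in `CombinedSecurityConfigurationAdapter`; if nothing in `SecurityConfig` references them they should be dropped. The `SecurityConfig` class body continues outside the hunk.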
......
package eu.dariah.de.dariahsp.config;
import java.util.List;
import java.util.stream.Collectors;
import org.pac4j.core.client.Client;
import org.pac4j.core.config.Config;
import org.pac4j.springframework.security.web.CallbackFilter;
import org.pac4j.springframework.security.web.LogoutFilter;
import org.pac4j.springframework.security.web.Pac4jEntryPoint;
import org.pac4j.springframework.security.web.SecurityFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@EnableWebSecurity
public class WebSecurityConfig {
@Configuration
@Order(7)
public static class Saml2WebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private Config config;
protected void configure(final HttpSecurity http) throws Exception {
List<String> enabledClientNames = config.getClients().findAllClients().stream()
.map(Client::getName)
.collect(Collectors.toList());
final SecurityFilter filter = new SecurityFilter(config, enabledClientNames.stream().collect(Collectors.joining(",")));
http
.requestMatchers()
.antMatchers("/saml/**", "/form/**")
.and()
.authorizeRequests()
.antMatchers("/saml/admin.html").hasRole("ADMINISTRATOR")
.antMatchers("/saml/**").authenticated()
.and()
.addFilterBefore(filter, BasicAuthenticationFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
if (!enabledClientNames.isEmpty() && enabledClientNames.get(0).equals("FormClient")) {
http.exceptionHandling().authenticationEntryPoint(new Pac4jEntryPoint(config, "FormClient"));
}
http
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
}
}
@Configuration
@Order(15)
public static class DefaultWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private Config config;
protected void configure(final HttpSecurity http) throws Exception {
final CallbackFilter callbackFilter = new CallbackFilter(config);
callbackFilter.setMultiProfile(true);
final LogoutFilter logoutFilter = new LogoutFilter(config, "/?defaulturlafterlogout");
logoutFilter.setDestroySession(true);
logoutFilter.setSuffix("/pac4jLogout");
final LogoutFilter centralLogoutFilter = new LogoutFilter(config, "http://localhost:8080/?defaulturlafterlogoutafteridp");
centralLogoutFilter.setLocalLogout(false);
centralLogoutFilter.setCentralLogout(true);
centralLogoutFilter.setLogoutUrlPattern("http://localhost:8080/.*");
centralLogoutFilter.setSuffix("/pac4jCentralLogout");
http
.authorizeRequests().anyRequest().permitAll()
.and()
.exceptionHandling().authenticationEntryPoint(new Pac4jEntryPoint(config, "FormClient"))
.and()
.addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
.addFilterBefore(logoutFilter, CallbackFilter.class)
.addFilterAfter(centralLogoutFilter, CallbackFilter.class)
.csrf().disable()
.logout()
.logoutSuccessUrl("/");
}
}
}
package eu.dariah.de.dariahsp.sample.config;
import org.pac4j.springframework.annotation.AnnotationConfig;
import org.pac4j.springframework.component.ComponentConfig;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import eu.dariah.de.dariahsp.config.CombinedSecurityConfigurationAdapter;
import eu.dariah.de.dariahsp.config.DefaultFiltersConfigurationAdapter;
import eu.dariah.de.dariahsp.config.WebSecurityConfig;
@EnableWebSecurity
@Import({WebSecurityConfig.class})
public class SampleWebSecurityConfig {
public class SampleWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Configuration
@Order(1)
public static class WebSecurityConfigAdapter extends CombinedSecurityConfigurationAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers("/saml/**", "/form/**")
.and()
.authorizeRequests()
.antMatchers("/saml/admin.html").hasRole("CONTRIBUTOR")
.antMatchers("/saml/**").authenticated();
super.configure(http);
}
}
@Configuration
@Order(2)
public static class CallbackLoginLogoutConfigurationAdapter extends DefaultFiltersConfigurationAdapter {}
}
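Review bot: `WebSecurityConfigAdapter.configure` guards `/saml/admin.html` with `hasRole("CONTRIBUTOR")`, whereas the corresponding rule in `WebSecurityConfig.Saml2WebSecurityConfigurationAdapter` uses `hasRole("ADMINISTRATOR")`; under the hierarchy `ROLE_ADMINISTRATOR > ROLE_CONTRIBUTOR > ROLE_USER` this opens the admin page to every contributor, so either restore `.antMatchers("/saml/admin.html").hasRole("ADMINISTRATOR")` or state the intent: `// sample only: admin page deliberately opened to contributors`. The class still carries `@Import({WebSecurityConfig.class})` while its nested adapters now extend the new base classes: if `WebSecurityConfig` survives this commit, its Order(7)/Order(15) chains are registered beside the Order(1)/Order(2) ones here (unreachable behind the Order(2) catch-all, but with a second `CallbackFilter`/`LogoutFilter` set), and if it was removed the import no longer compiles — the failed pipeline is consistent with the latter. Both `public class SampleWebSecurityConfig {` and `… extends WebSecurityConfigurerAdapter {` are printed; whichever is the new side, the outer class should not extend `WebSecurityConfigurerAdapter`, since with Spring Security 5 `@EnableWebSecurity` makes it a configuration and it would register a third, default-configured chain.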
......@@ -44,8 +44,10 @@ public class SampleController {
@Autowired private MetadataHelper metadataHelper;
@GetMapping("/")
public String greeting(@RequestParam(name="name", required=false, defaultValue="World") String name, Model model) {
model.addAttribute("name", name);
public String greeting(@RequestParam(name="name", required=false, defaultValue="World") String name, Map<String, Object> map) {
map.put("name", name);
map.put(PROFILES, profileManager.getAll(true));
map.put(SESSION_ID, jeeContext.getSessionStore().getOrCreateSessionId(jeeContext));
return "home";
}
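Review bot: the new `greeting` body puts the HTTP session identifier into the view model via `map.put(SESSION_ID, jeeContext.getSessionStore().getOrCreateSessionId(jeeContext))`, so whatever renders `home` can print the session ID into the page; an ID in HTML is recoverable through any XSS, shared screenshot or cached copy, and `getOrCreateSessionId` also forces a session for every anonymous hit on `/`. Unless the sample explicitly needs it for demonstration, drop that line, or gate it behind a debug flag and render only a truncated or hashed form with a comment such as `// demo only: never expose the raw session id in production views`. `name` is still reflected into the model unchanged, which is acceptable only if the `home` template auto-escapes — confirm for the template engine in use. `SampleController` continues outside the hunk.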
......