Commit
7155f292
authored
Nov 18, 2020
by
Gradl, Tobias
17: Improve method annotation security, access decision management
Task-Url:
#17
parent
f43d1645
Changes
9
.gitlab-ci.yml
image
:
java:
8
-jdk
image
:
java:
11
-jdk
variables
:
GRADLE_OPTS
:
"
-Dorg.gradle.daemon=false"
...
...
build.gradle
...
...
@@ -5,7 +5,9 @@ plugins {
allprojects
{
group
=
'eu.dariah.de'
version
=
'2.1.0-SNAPSHOT'
version
=
'2.1.0-SNAPSHOT'
apply
plugin:
'eclipse'
repositories
{
maven
{
...
...
@@ -40,7 +42,6 @@ allprojects {
subprojects
{
apply
plugin:
'java'
apply
plugin:
'maven-publish'
apply
plugin:
'eclipse'
apply
plugin:
'io.spring.dependency-management'
dependencyManagement
{
...
...
dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/SecurityConfig.java
...
...
@@ -24,7 +24,6 @@ import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import
org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
;
import
org.springframework.security.access.vote.RoleHierarchyVoter
;
import
org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
;
import
eu.dariah.de.dariahsp.CustomizableProfileManager
;
import
eu.dariah.de.dariahsp.ProfileActionHandler
;
import
eu.dariah.de.dariahsp.authentication.LocalUsernamePasswordAuthenticator
;
...
...
@@ -96,7 +95,7 @@ public class SecurityConfig {
public
RoleHierarchyVoter
roleVoter
()
{
return
new
RoleHierarchyVoter
(
roleHierarchy
());
}
@Bean
@SuppressWarnings
(
"rawtypes"
)
public
Config
config
(
Optional
<
ProfileActionHandler
>
profileActionHandler
)
throws
URISyntaxException
{
...
...
dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/web/GlobalMethodSecurityConfig.java
package
eu.dariah.de.dariahsp.config.web
;
import
java.util.Array
List
;
import
java.util.Array
s
;
import
java.util.List
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.security.access.AccessDecisionManager
;
import
org.springframework.security.access.AccessDecisionVoter
;
import
org.springframework.security.access.annotation.Jsr250Voter
;
import
org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice
;
import
org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter
;
import
org.springframework.security.access.vote.AffirmativeBased
;
import
org.springframework.security.access.vote.AuthenticatedVoter
;
import
org.springframework.security.access.vote.RoleHierarchyVoter
;
import
org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
;
import
org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration
;
...
...
@@ -15,9 +20,15 @@ public class GlobalMethodSecurityConfig extends GlobalMethodSecurityConfiguratio
@Autowired
private
RoleHierarchyVoter
roleVoter
;
@Override
public
AffirmativeBased
accessDecisionManager
()
{
List
<
AccessDecisionVoter
<?>>
decisionVoters
=
new
ArrayList
<>();
decisionVoters
.
add
(
roleVoter
);
public
AccessDecisionManager
accessDecisionManager
()
{
ExpressionBasedPreInvocationAdvice
expressionAdvice
=
new
ExpressionBasedPreInvocationAdvice
();
expressionAdvice
.
setExpressionHandler
(
getExpressionHandler
());
List
<
AccessDecisionVoter
<?>>
decisionVoters
=
Arrays
.
asList
(
new
PreInvocationAuthorizationAdviceVoter
(
expressionAdvice
),
new
Jsr250Voter
(),
roleVoter
,
new
AuthenticatedVoter
());
return
new
AffirmativeBased
(
decisionVoters
);
}
}
\ No newline at end of file
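Review bot: The new `accessDecisionManager()` feeds `@PreAuthorize` expressions through `getExpressionHandler()`, but nothing in this hunk attaches the role hierarchy to that handler, so an expression such as `hasRole('CONTRIBUTOR')` on a method would not accept a higher role the way `roleVoter` (a `RoleHierarchyVoter`) does for `@Secured`-style attributes; this matters if the "/method/contributor" page listed in index.jsp as "CONTRIBUTOR role or higher required (method annotation)" is guarded by an expression rather than by `@Secured` or `@RolesAllowed`. Overriding `createExpressionHandler()` to return a `DefaultMethodSecurityExpressionHandler` with the `RoleHierarchy` bean set closes that gap and keeps method-level and voter-level role semantics consistent. The voters also only receive attributes for the annotation styles enabled on `@EnableGlobalMethodSecurity` (outside this hunk), so a comment naming which of `prePostEnabled`, `securedEnabled` and `jsr250Enabled` each voter in the `Arrays.asList(...)` call serves would document why all four are present. The class declaration and the annotations on it sit outside the hunk.
```java
@Autowired
private RoleHierarchy roleHierarchy;

@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
    // Method-level expressions (hasRole etc.) must see the same role hierarchy the voters use.
    DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
    handler.setRoleHierarchy(roleHierarchy);
    return handler;
}

// … unchanged: accessDecisionManager() …
```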
dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/web/SecurityConfigurerAdapter.java
...
...
@@ -28,6 +28,7 @@ public class SecurityConfigurerAdapter extends BaseSecurityConfigurerAdapter {
.antMatchers("/saml/**", "/form/**")
.and()
.authorizeRequests()
.expressionHandler(this.hierarchicalExpressionHandler())
.antMatchers("/saml/admin.html").hasRole("ADMINISTRATOR")
.antMatchers("/saml/**").authenticated()*/
//.and()
...
...
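Review bot: Every line shown here up to `.antMatchers("/saml/**").authenticated()*/` lies inside a block comment (that `*/` closes it and the following line is `//.and()`), so whichever line this hunk adds — by print position it appears to be `.expressionHandler(this.hierarchicalExpressionHandler())`, though the `+`/`-` markers are lost in this rendering — changes nothing about the request rules actually enforced. Commented-out authorization rules in a security adapter are easily mistaken for live configuration, so either delete the block or head it with `// reference only: not compiled; the active rules live in configure()` so a reader does not assume the hierarchical expression handler is wired for URL rules. The enclosing configure method starts and ends outside this hunk.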
dariahsp-sample-boot/src/main/java/eu/dariah/de/dariahsp/sample/config/SampleWebSecurityConfig.java
...
...
@@ -16,7 +16,7 @@ import eu.dariah.de.dariahsp.config.web.DefaultFiltersConfigurerAdapter;
*/
@EnableWebSecurity
public
class
SampleWebSecurityConfig
extends
WebSecurityConfigurerAdapter
{
/**
* Adapt this as required in a target application
*
...
...
@@ -24,7 +24,7 @@ public class SampleWebSecurityConfig extends WebSecurityConfigurerAdapter {
*/
@Configuration
@Order
(
1
)
public
static
class
WebSecurityConfigAdapter
extends
SecurityConfigurerAdapter
{
public
class
WebSecurityConfigAdapter
extends
SecurityConfigurerAdapter
{
@Override
protected
void
configure
(
final
HttpSecurity
http
)
throws
Exception
{
http
...
...
@@ -49,5 +49,5 @@ public class SampleWebSecurityConfig extends WebSecurityConfigurerAdapter {
*/
@Configuration
@Order
(
2
)
public
static
class
CallbackLoginLogoutConfigurationAdapter
extends
DefaultFiltersConfigurerAdapter
{}
public
class
CallbackLoginLogoutConfigurationAdapter
extends
DefaultFiltersConfigurerAdapter
{}
}
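Review bot: In the second and third hunks the nested `@Configuration` classes `WebSecurityConfigAdapter` and `CallbackLoginLogoutConfigurationAdapter` each appear once with `static` and once without; the print order suggests `static` is being removed, though the `+`/`-` markers are lost in this rendering. Spring's `@Configuration` contract asks for nested configuration classes to be declared `static`, and a non-static inner class additionally keeps an implicit reference to the enclosing `SampleWebSecurityConfig` instance, so if the modifier is indeed being dropped it is safer to keep `public static class WebSecurityConfigAdapter extends SecurityConfigurerAdapter {` and `public static class CallbackLoginLogoutConfigurationAdapter extends DefaultFiltersConfigurerAdapter {}`. If it is instead being added, a one-line comment on the outer class explaining that the nested adapters must be instantiable without an outer instance would spare the next reader the same question. The first hunk shows only the outer class declaration and its Javadoc as context, so the concrete change there cannot be confirmed from this rendering.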
dariahsp-sample-boot/src/main/java/eu/dariah/de/dariahsp/sample/controller/SampleController.java
...
...
@@ -10,6 +10,7 @@ import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
import
org.pac4j.http.client.indirect.FormClient
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.security.access.annotation.Secured
;
import
org.springframework.security.access.prepost.PreAuthorize
;
import
org.springframework.stereotype.Controller
;
import
org.springframework.web.bind.annotation.GetMapping
;
import
org.springframework.web.bind.annotation.RequestMapping
;
...
...
@@ -53,6 +54,15 @@ public class SampleController {
return
INDEX_PAGE
;
}
@PreAuthorize
(
"isAuthenticated()"
)
@RequestMapping
(
"/method/authenticated"
)
public
String
protectedMethodAuthenticated
(
Map
<
String
,
Object
>
map
)
{
this
.
assembleMap
(
map
,
"/method/authenticated"
,
"Authentication (no particular role) required (method) config)"
);
return
INDEX_PAGE
;
}
@RequestMapping
(
"/protected/authenticated"
)
public
String
protectedAuthenticated
(
Map
<
String
,
Object
>
map
)
{
this
.
assembleMap
(
map
,
...
...
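Review bot: The description passed to `assembleMap` for the new `/method/authenticated` handler has unbalanced parentheses, `"Authentication (no particular role) required (method) config)"`; it should read `"Authentication (no particular role) required (method config)"` so it follows the wording pattern of the sibling handlers. Beyond the typo, this handler is guarded only by `@PreAuthorize("isAuthenticated()")`, so it silently becomes reachable by anyone if `prePostEnabled` on `@EnableGlobalMethodSecurity` (not in this hunk) is ever switched off or the controller bean stops being proxied; a comment such as `// Access control here relies on the method annotation alone (verify no URL rule also covers /method/**)` above the mapping would make that single-layer dependency explicit. The `SampleController` class starts and ends outside this hunk.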
dariahsp-sample-boot/src/main/resources/application.yml
contextPath
:
/contextpath
#baseUrl: http://
localhost:8080
${contextPath:/}
baseUrl
:
http
s
://
externally.visible.example.com${contextPath:/}
#
contextPath: /contextpath
#baseUrl: http
s
://
externally.visible.example.com
${contextPath:/}
baseUrl
:
http://
localhost:8080
spring
:
mvc
:
...
...
@@ -49,7 +49,7 @@ auth:
passhash
:
'
$2y$10$nmTcpRxs.RFUstkJJms6U.AW61Jmr64s9VNQLuhpU8gYrgzCapwka'
roles
:
[
"
application_user"
]
saml
:
enabled
:
tru
e
enabled
:
fals
e
authorizerName
:
saml
keystore
:
#path: /path/to/keystore.jks
...
...
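Review bot: The active values in this section — `baseUrl: http://localhost:8080` with `contextPath` commented out in the first hunk, and `enabled: false` under `saml` in the second — read as local-development settings, but nothing in the file marks them as such; the print order suggests they are the new side, though the `+`/`-` markers are lost in this rendering. A one-line comment such as `# local development defaults: for a deployment set baseUrl to the externally visible https origin and enable saml` above `baseUrl` would keep a copy of this sample from shipping with a plain-http base URL and SAML turned off. The `passhash` and `roles` lines are context here, not part of the change.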
dariahsp-sample-boot/src/main/webapp/WEB-INF/views/index.jsp
...
...
@@ -29,6 +29,7 @@
<h2>
Pages
</h2>
<a
href=
"
<s:url
value=
"/"
/>
"
>
Unprotected base url
</a><br
/>
<a
href=
"
<s:url
value=
"/protected/authenticated"
/>
"
>
Protected url: authentication required
</a><br
/>
<a
href=
"
<s:url
value=
"/method/authenticated"
/>
"
>
Protected url: authentication required (method annotation)
</a><br
/>
<a
href=
"
<s:url
value=
"/method/contributor"
/>
"
>
Protected url: CONTRIBUTOR role or higher required (method annotation)
</a><br
/>
<a
href=
"
<s:url
value=
"/protected/contributor"
/>
"
>
Protected url: CONTRIBUTOR role or higher required (security config)
</a><br
/>
<a
href=
"
<s:url
value=
"/protected/admin"
/>
"
>
Protected url: ADMINISTRATOR role required
</a><br
/>
...
...