17: Improve method annotation security, access decision management

Task-Url: #17

.gitlab-ci.yml

-image: java:8-jdk
+image: java:11-jdk
 
 variables:
   GRADLE_OPTS: "-Dorg.gradle.daemon=false"

build.gradle

@@ -5,7 +5,9 @@ plugins {
 
 allprojects {
 	group = 'eu.dariah.de'
-    version = '2.1.0-SNAPSHOT'
+	version = '2.1.0-SNAPSHOT'
+
+	apply plugin: 'eclipse'
 
 	repositories {
 		maven {
@@ -40,7 +42,6 @@ allprojects {
 subprojects {
 	apply plugin: 'java'
  	apply plugin: 'maven-publish'
- 	apply plugin: 'eclipse'
 	apply plugin: 'io.spring.dependency-management'
 
 	dependencyManagement {

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/SecurityConfig.java

@@ -24,7 +24,6 @@ import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
 import org.springframework.security.access.vote.RoleHierarchyVoter;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
-
 import eu.dariah.de.dariahsp.CustomizableProfileManager;
 import eu.dariah.de.dariahsp.ProfileActionHandler;
 import eu.dariah.de.dariahsp.authentication.LocalUsernamePasswordAuthenticator;
@@ -96,7 +95,7 @@ public class SecurityConfig {
     public RoleHierarchyVoter roleVoter() {     
         return new RoleHierarchyVoter(roleHierarchy());
     }
-	
+		
 	@Bean
 	@SuppressWarnings("rawtypes")
 	public Config config(Optional<ProfileActionHandler> profileActionHandler) throws URISyntaxException {

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/web/GlobalMethodSecurityConfig.java

 package eu.dariah.de.dariahsp.config.web;
 
-import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.AccessDecisionVoter;
+import org.springframework.security.access.annotation.Jsr250Voter;
+import org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice;
+import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter;
 import org.springframework.security.access.vote.AffirmativeBased;
+import org.springframework.security.access.vote.AuthenticatedVoter;
 import org.springframework.security.access.vote.RoleHierarchyVoter;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
@@ -15,9 +20,15 @@ public class GlobalMethodSecurityConfig extends GlobalMethodSecurityConfiguratio
 	@Autowired private RoleHierarchyVoter roleVoter;
 		
     @Override
-    public AffirmativeBased accessDecisionManager() {       
-        List<AccessDecisionVoter<?>> decisionVoters = new ArrayList<>();
-        decisionVoters.add(roleVoter);
+    public AccessDecisionManager accessDecisionManager() {       
+    	ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
+		expressionAdvice.setExpressionHandler(getExpressionHandler());
+    	
+        List<AccessDecisionVoter<?>> decisionVoters = Arrays.asList(
+        		new PreInvocationAuthorizationAdviceVoter(expressionAdvice),
+        		new Jsr250Voter(),
+    	        roleVoter,
+    	        new AuthenticatedVoter());
         return new AffirmativeBased(decisionVoters);
     }
 }
\ No newline at end of file

dariahsp-core/src/main/java/eu/dariah/de/dariahsp/config/web/SecurityConfigurerAdapter.java

@@ -28,6 +28,7 @@ public class SecurityConfigurerAdapter extends BaseSecurityConfigurerAdapter {
         		.antMatchers("/saml/**", "/form/**")
         	.and()
         	.authorizeRequests()
+        		.expressionHandler(this.hierarchicalExpressionHandler())
                 .antMatchers("/saml/admin.html").hasRole("ADMINISTRATOR")
                 .antMatchers("/saml/**").authenticated()*/
         	//.and()

dariahsp-sample-boot/src/main/java/eu/dariah/de/dariahsp/sample/config/SampleWebSecurityConfig.java

@@ -16,7 +16,7 @@ import eu.dariah.de.dariahsp.config.web.DefaultFiltersConfigurerAdapter;
  */
 @EnableWebSecurity
 public class SampleWebSecurityConfig extends WebSecurityConfigurerAdapter {
-
+	
 	/**
 	 * Adapt this as required in a target application
 	 * 
@@ -24,7 +24,7 @@ public class SampleWebSecurityConfig extends WebSecurityConfigurerAdapter {
 	 */
 	@Configuration
     @Order(1)
-	public static class WebSecurityConfigAdapter extends SecurityConfigurerAdapter {
+	public class WebSecurityConfigAdapter extends SecurityConfigurerAdapter {
 		@Override
 		protected void configure(final HttpSecurity http) throws Exception {
 			 http
@@ -49,5 +49,5 @@ public class SampleWebSecurityConfig extends WebSecurityConfigurerAdapter {
 	 */
 	@Configuration
     @Order(2)
-    public static class CallbackLoginLogoutConfigurationAdapter extends DefaultFiltersConfigurerAdapter {}
+    public class CallbackLoginLogoutConfigurationAdapter extends DefaultFiltersConfigurerAdapter {}
 }

dariahsp-sample-boot/src/main/java/eu/dariah/de/dariahsp/sample/controller/SampleController.java

@@ -10,6 +10,7 @@ import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
 import org.pac4j.http.client.indirect.FormClient;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -53,6 +54,15 @@ public class SampleController {
 		return INDEX_PAGE;
     }
 	
+	@PreAuthorize("isAuthenticated()")
+	@RequestMapping("/method/authenticated")
+    public String protectedMethodAuthenticated(Map<String, Object> map) {
+		this.assembleMap(map, 
+				"/method/authenticated", 
+				"Authentication (no particular role) required (method) config)");
+		return INDEX_PAGE;
+    }
+	
 	@RequestMapping("/protected/authenticated")
     public String protectedAuthenticated(Map<String, Object> map) {
 		this.assembleMap(map, 

dariahsp-sample-boot/src/main/resources/application.yml

-contextPath: /contextpath
-#baseUrl: http://localhost:8080${contextPath:/}
-baseUrl: https://externally.visible.example.com${contextPath:/}
+#contextPath: /contextpath
+#baseUrl: https://externally.visible.example.com${contextPath:/}
+baseUrl: http://localhost:8080
 
 spring:
   mvc:
@@ -49,7 +49,7 @@ auth:
         passhash: '$2y$10$nmTcpRxs.RFUstkJJms6U.AW61Jmr64s9VNQLuhpU8gYrgzCapwka'
         roles: ["application_user"]
   saml:
-    enabled: true
+    enabled: false
     authorizerName: saml
     keystore:
       #path: /path/to/keystore.jks

dariahsp-sample-boot/src/main/webapp/WEB-INF/views/index.jsp

@@ -29,6 +29,7 @@
 	<h2>Pages</h2>
 	<a href="<s:url value="/" />">Unprotected base url</a><br />
 	<a href="<s:url value="/protected/authenticated" />">Protected url: authentication required</a><br />
+	<a href="<s:url value="/method/authenticated" />">Protected url: authentication required (method annotation)</a><br />
 	<a href="<s:url value="/method/contributor" />">Protected url: CONTRIBUTOR role or higher required (method annotation)</a><br />
 	<a href="<s:url value="/protected/contributor" />">Protected url: CONTRIBUTOR role or higher required (security config)</a><br />
 	<a href="<s:url value="/protected/admin" />">Protected url: ADMINISTRATOR role required</a><br />