Skip to content

Commit

Permalink
IM-459 Configure 'Remote Engine' as OAuth2 resource server
Browse files Browse the repository at this point in the history
  • Loading branch information
iperdomo committed Nov 15, 2024
1 parent 2b98d94 commit d2cb989
Show file tree
Hide file tree
Showing 4 changed files with 82 additions and 63 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,15 @@
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
Expand All @@ -27,76 +29,77 @@
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private PreauthenticatedUserDetailsService customUserDetailsService;
class SecurityConfig {

@Autowired
private EngineDirectoryAuthenticationProvider authProvider;

@Override
protected void configure(HttpSecurity http) throws Exception {
http
// disable automatic session creation to avoid use of cookie session
// and the consequent authentication failures in web ui
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(certFilter(), RequestHeaderAuthenticationFilter.class)
// .authorizeRequests().anyRequest().hasAnyRole("ADMIN")
// .and()
.authorizeRequests().antMatchers("/login**").permitAll()
.and()
.formLogin().permitAll()
.and()
.logout().permitAll()
.and()
.csrf().disable()
.exceptionHandling().authenticationEntryPoint(new AuthenticationEntryPoint() {
@Autowired
private PreauthenticatedUserDetailsService customUserDetailsService;

@Autowired
private EngineDirectoryAuthenticationProvider authProvider;

@Profile("local")
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CertificateSecurityConfig extends WebSecurityConfigurerAdapter {
// disable automatic session creation to avoid use of cookie session
// and the consequent authentication failures in web ui
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException {
// Pre-authenticated entry point called. Rejecting access
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.addFilterBefore(certFilter(), RequestHeaderAuthenticationFilter.class).authorizeRequests()
.antMatchers("/login**").permitAll().and().formLogin().permitAll().and().logout().permitAll().and()
.csrf().disable().exceptionHandling().authenticationEntryPoint(new AuthenticationEntryPoint() {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException {
// Pre-authenticated entry point called. Rejecting access
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
}).and().headers().frameOptions().disable();
}

})
.and()
.headers().frameOptions().disable();
}

@Bean
@Override
protected AuthenticationManager authenticationManager() {
final List<AuthenticationProvider> providers = new ArrayList<>(2);
providers.add(preauthAuthProvider());
providers.add(authProvider);
return new ProviderManager(providers);
}
@Bean
@Override
protected AuthenticationManager authenticationManager() {
final List<AuthenticationProvider> providers = new ArrayList<>(2);
providers.add(preauthAuthProvider());
providers.add(authProvider);
return new ProviderManager(providers);
}

@Bean(name = "certFilter")
PreauthenticationFilter certFilter() {
PreauthenticationFilter ret = new PreauthenticationFilter();
ret.setAuthenticationManager(authenticationManager());
return ret;
}

@Bean(name="certFilter")
PreauthenticationFilter certFilter() {
PreauthenticationFilter ret = new PreauthenticationFilter();
ret.setAuthenticationManager(authenticationManager());
return ret;
}

@Bean(name = "preAuthProvider")
PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
provider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
return provider;
@Bean(name = "preAuthProvider")
PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
provider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
return provider;
}

@Bean
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
wrapper.setUserDetailsService(customUserDetailsService);
return wrapper;
}
}

@Bean
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
wrapper.setUserDetailsService(customUserDetailsService);
return wrapper;
@Profile("remote")
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public static class RemoteSecurityConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(
authorize -> authorize.mvcMatchers("/api/**").authenticated().mvcMatchers("/**").permitAll())
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
}
}


}
3 changes: 2 additions & 1 deletion klab.engine/src/main/resources/application.properties
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
spring.jackson.serialization.FAIL_ON_EMPTY_BEANS=false
spring.jackson.serialization.FAIL_ON_EMPTY_BEANS=false
spring.profiles.default=local
10 changes: 10 additions & 0 deletions products/cloud/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,16 @@
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-consul-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-resource-server</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.datatype</groupId>
<artifactId>jackson-datatype-joda</artifactId>
Expand Down
5 changes: 5 additions & 0 deletions products/cloud/src/main/resources/bootstrap.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,11 @@ spring:
cloud:
consul:
enabled: false
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://login-test.integratedmodelling.org/realms/im

stats:
server:
Expand Down

0 comments on commit d2cb989

Please sign in to comment.