Skip to content
Snippets Groups Projects
Normal view History Permalink
SecurityConfiguration.java 5.47 KiB
Newer Older
ThanKarab's avatar
Cleanup and beautification.  
ThanKarab committed
1 
package eu.hbp.mip.configurations;
Mirco Nasuti's avatar
split configuration
Mirco Nasuti committed
2
ThanKarab's avatar
CORS Filter added when authentication is disabled.  
ThanKarab committed
3 
import eu.hbp.mip.utils.CORSFilter;
ThanKarab's avatar
Configuring keycloak security.  
ThanKarab committed
4 5 6 7 8 
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
Mirco Nasuti's avatar
split configuration
Mirco Nasuti committed
9 10 11 
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
ThanKarab's avatar
Configuring keycloak security.  
ThanKarab committed
12 
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
Mirco Nasuti's avatar
split configuration
Mirco Nasuti committed
13 
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
ThanKarab's avatar
Configuring keycloak security.  
ThanKarab committed
14 15 
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
ThanKarab's avatar
CORS Filter added when authentication is disabled.  
ThanKarab committed
16 
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
ThanKarab's avatar
Configuring keycloak security.  
ThanKarab committed
17 18 
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
ThanKarab's avatar
XSRF protection added.  
ThanKarab committed
19 20 21 22 
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
23 24 
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
ThanKarab's avatar
XSRF protection added.  
ThanKarab committed
25 26 
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;
Mirco Nasuti's avatar
split configuration
Mirco Nasuti committed
27
ThanKarab's avatar
CORS Filter added when authentication is disabled.  
ThanKarab committed
28 
import javax.servlet.*;
ThanKarab's avatar
XSRF protection added.  
ThanKarab committed
29 
import javax.servlet.http.Cookie;
Mirco Nasuti's avatar
split configuration
Mirco Nasuti committed
30 
import javax.servlet.http.HttpServletRequest;
ThanKarab's avatar
XSRF protection added.  
ThanKarab committed
31 32 
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
Mirco Nasuti's avatar
split configuration
Mirco Nasuti committed
33
jerry's avatar
disabling certificate validation for parametrized IP address  
jerry committed
34
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
35 
@Controller
ThanKarab's avatar
Configuring keycloak security.  
ThanKarab committed
36 37 
@KeycloakConfiguration
public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {
Mirco Nasuti's avatar
add option to disable the authentication for testing  
Mirco Nasuti committed
38
ThanKarab's avatar
User updated if info changed and csrf disabled on development.  
ThanKarab committed
39 
    // Upon logout, redirect to login page url
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
40 
    private static final String logoutRedirectURL = "/sso/login";
ThanKarab's avatar
Changed LogAction function.  
ThanKarab committed
41
ThanKarab's avatar
Removing webjars endpoint.  
ThanKarab committed
42 43 44 
    @Value("#{'${authentication.enabled}'}")
    private boolean authenticationEnabled;
kostas's avatar
Update the ClaimUtils according to the keycloak refactoring.  
kostas committed
45 46 47 48 
    public SecurityConfiguration(HttpServletRequest request) {
        this.request = request;
    }
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
49 50 51 
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
ThanKarab's avatar
Changed LogAction function.  
ThanKarab committed
52
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
53 54 55 
        if (authenticationEnabled) {
            http.authorizeRequests()
                    .antMatchers(
ThanKarab's avatar
Fixed portal-backend unhealthy container status.  
ThanKarab committed
56 
                            "/sso/login", "/actuator/**",
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
57 58 
                            "/v2/api-docs", "/swagger-ui/**", "/swagger-resources/**"  // Swagger URLs
                    ).permitAll()
kostas's avatar
Updated result to results to be able to save multiple results and fixed...  
kostas committed
59 
                    .antMatchers("/galaxy*", "/galaxy/*").hasRole("WORKFLOW_ADMIN")
kostas's avatar
Update the ClaimUtils according to the keycloak refactoring.  
kostas committed
60 
                    .antMatchers("/**").authenticated()
ThanKarab's avatar
Removing deployed on production env variable, not needed.  
ThanKarab committed
61 62 
                    .and().csrf().ignoringAntMatchers("/logout").csrfTokenRepository(csrfTokenRepository())
                    .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
63 
        } else {
ThanKarab's avatar
CORS Filter added when authentication is disabled.  
ThanKarab committed
64 
            http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
65 66 
            http.antMatcher("/**")
                    .authorizeRequests()
ThanKarab's avatar
Removing deployed on production env variable, not needed.  
ThanKarab committed
67 68 
                    .antMatchers("/**").permitAll()
                    .and().csrf().disable();
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
69 
        }
ThanKarab's avatar
Configuring keycloak security.  
ThanKarab committed
70 71 
    }
ThanKarab's avatar
XSRF protection added.  
ThanKarab committed
72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain filterChain) throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || token != null && !token.equals(cookie.getValue())) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }
kostas's avatar
Update the ClaimUtils according to the keycloak refactoring.  
kostas committed
98 
    private final HttpServletRequest request;
ThanKarab's avatar
Keycloak security authentication/authorization fixed.  
ThanKarab committed
99 100 101 102 

    @GetMapping(value = "/logout")
    public String logout() throws ServletException {
        request.logout();
ThanKarab's avatar
Cleanup and beautification.  
ThanKarab committed
103 
        return String.format("redirect:%s", logoutRedirectURL);
ThanKarab's avatar
Configuring keycloak security.  
ThanKarab committed
104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 
    }

    @Bean
    public KeycloakConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        SimpleAuthorityMapper grantedAuthorityMapper = new SimpleAuthorityMapper();
        grantedAuthorityMapper.setConvertToUpperCase(true);

        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(grantedAuthorityMapper);
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }
ThanKarab's avatar
Changed LogAction function.  
ThanKarab committed
125
jerrypan44's avatar
WIP committed working features roles and keycloak integration  
jerrypan44 committed
126 
}