package eu.hbp.mip.configurations;

import eu.hbp.mip.utils.CORSFilter;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@KeycloakConfiguration
public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {
    // Upon logout, redirect to login page url. logout() turns this into the
    // "redirect:<path>" view name, so it must stay a path the SSO filter treats as public.
    private static final String logoutRedirectURL = "/sso/login";
    // Master switch bound from the `authentication.enabled` property. When false, configure()
    // permits every path and disables CSRF entirely, so this is only appropriate for local
    // development; NOTE(review): confirm the deployed profiles set it to true.
    @Value("#{'${authentication.enabled}'}")
    private boolean authenticationEnabled;

    /**
     * Creates the security configuration.
     *
     * @param request the current servlet request, kept so that {@link #logout()} can log it out
     */
    public SecurityConfiguration(final HttpServletRequest request) {
        super();
        this.request = request;
    }

    /**
     * Configures HTTP security on top of the Keycloak adapter defaults applied by
     * {@code super.configure(http)}.
     *
     * <p>When {@code authentication.enabled} is true, only the SSO login page, the actuator and
     * the Swagger paths are open; {@code /galaxy*} and {@code /galaxy/*} require the
     * {@code WORKFLOW_ADMIN} role and every other path requires an authenticated user. CSRF uses
     * the session-backed repository from {@link #csrfTokenRepository()}, exempts {@code /logout},
     * and the cookie filter from {@link #csrfHeaderFilter()} runs after {@link CsrfFilter}.
     * Otherwise every path is permitted and CSRF is disabled.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        if (authenticationEnabled) {
            http.authorizeRequests()
                    // The first matching rule wins, so the open paths are listed before the catch-all.
                    .antMatchers(
                            "/sso/login", "/actuator/**", 
                            "/v2/api-docs", "/swagger-ui/**", "/swagger-resources/**"  // Swagger URLs
                    ).permitAll()
                    // NOTE(review): "/galaxy/*" matches a single path segment; a deeper path such as
                    // /galaxy/a/b falls through to the "/**" rule below and only needs to be
                    // authenticated — confirm whether "/galaxy/**" was intended.
                    .antMatchers("/galaxy*", "/galaxy/*").hasRole("WORKFLOW_ADMIN")
                    .antMatchers("/**").authenticated()
                    // NOTE(review): /logout is exempt from CSRF and logout() below is a GET mapping,
                    // so a cross-site GET could end a session — confirm which logout path is active.
                    .and().csrf().ignoringAntMatchers("/logout").csrfTokenRepository(csrfTokenRepository())
                    .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
            http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
            // NOTE(review): the `} else {` expected before this statement and the method's closing
            // braces are missing from this rendering — confirm against the repository.
            http.antMatcher("/**")
                    .authorizeRequests()
                    .antMatchers("/**").permitAll()
                    .and().csrf().disable();
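    /**
     * Builds the filter that mirrors Spring Security's CSRF token into an {@code XSRF-TOKEN}
     * cookie so a browser client can read it and echo it back in the {@code X-XSRF-TOKEN}
     * header expected by {@link #csrfTokenRepository()}.
     *
     * <p>The cookie is deliberately not {@code HttpOnly}: the double-submit pattern relies on
     * client-side script reading it. It is flagged {@code Secure} whenever the request itself
     * arrived over TLS, so the token is not sent back over plaintext.
     *
     * @return a {@link OncePerRequestFilter} meant to be registered after {@link CsrfFilter}
     */
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain filterChain) throws ServletException, IOException {
                // CsrfFilter publishes the current token under its class name; it is absent
                // on requests where CSRF is not applied (e.g. the exempted /logout path).
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    // (Re)issue the cookie only when it is missing or no longer matches the token.
                    boolean stale = cookie == null || (token != null && !token.equals(cookie.getValue()));
                    if (stale) {
                        Cookie fresh = new Cookie("XSRF-TOKEN", token);
                        fresh.setPath("/");
                        // Secure only when this request was HTTPS; behind a TLS-terminating proxy
                        // isSecure() may be false — NOTE(review): confirm forwarded headers are honoured.
                        fresh.setSecure(request.isSecure());
                        response.addCookie(fresh);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }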

    /**
     * Session-backed CSRF token repository that reads the token from the {@code X-XSRF-TOKEN}
     * request header, the counterpart of the {@code XSRF-TOKEN} cookie written by
     * {@link #csrfHeaderFilter()}.
     *
     * @return the configured repository
     */
    private CsrfTokenRepository csrfTokenRepository() {
        final HttpSessionCsrfTokenRepository sessionRepository = new HttpSessionCsrfTokenRepository();
        sessionRepository.setHeaderName("X-XSRF-TOKEN");
        return sessionRepository;
    }

    // The request handed to the constructor; only logout() uses it, to log the request out.
    private final HttpServletRequest request;

    /**
     * Logs the current request out via the servlet container and redirects to the SSO login page.
     *
     * <p>NOTE(review): this mapping sits on a configuration class, not a {@code @Controller};
     * confirm it is actually registered as an MVC handler.
     *
     * @return the Spring MVC redirect view name for {@code logoutRedirectURL}
     * @throws ServletException if the container cannot log the request out
     */
    @GetMapping(value = "/logout")
    public String logout() throws ServletException {
        request.logout();
        return "redirect:" + logoutRedirectURL;
    }

    /**
     * Supplies the Keycloak adapter configuration from the Spring Boot properties.
     *
     * @return a Spring Boot property based {@link KeycloakConfigResolver}
     */
    @Bean
    public KeycloakConfigResolver KeycloakConfigResolver() {
        final KeycloakConfigResolver bootResolver = new KeycloakSpringBootConfigResolver();
        return bootResolver;
    }

    /**
     * Registers each authenticated session in an in-memory {@link SessionRegistryImpl}.
     *
     * @return the session authentication strategy used by the Keycloak adapter
     */
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        final SessionRegistryImpl registry = new SessionRegistryImpl();
        return new RegisterSessionAuthenticationStrategy(registry);
    }

    /**
     * Registers the Keycloak authentication provider with the global authentication manager.
     *
     * <p>Keycloak roles are mapped to upper-cased Spring authorities (with the mapper's default
     * {@code ROLE_} prefix) so that {@code hasRole("WORKFLOW_ADMIN")} in {@code configure()} matches.
     *
     * @param auth the global authentication manager builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        final SimpleAuthorityMapper authorityMapper = new SimpleAuthorityMapper();
        authorityMapper.setConvertToUpperCase(true);

        final KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(authorityMapper);
        auth.authenticationProvider(provider);
    }