Commit 0f2f8bf0 authored by jerrypan44's avatar jerrypan44

fix merge

parents 9e28626e a8a6d692
2 merge requests!7Features/keycloak integration,!6Features/keycloak integration
...@@ -36,7 +36,6 @@ docker build --build-arg BUILD_DATE=$(date -Iseconds) \ ...@@ -36,7 +36,6 @@ docker build --build-arg BUILD_DATE=$(date -Iseconds) \
--tag "$IMAGE:latest" \ --tag "$IMAGE:latest" \
--tag "jerrypan44/portal-backend:latest" \ --tag "jerrypan44/portal-backend:latest" \
. .
docker push "jerrypan44/portal-backend:latest" docker push "jerrypan44/portal-backend:latest"
BUGSNAG_KEY="" BUGSNAG_KEY=""
......
...@@ -16,6 +16,7 @@ ...@@ -16,6 +16,7 @@
<artifactId>spring-boot-starter-parent</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.8.RELEASE</version> <version>1.3.8.RELEASE</version>
<relativePath/> <relativePath/>
</parent> </parent>
<properties> <properties>
...@@ -256,8 +257,7 @@ ...@@ -256,8 +257,7 @@
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.keycloak</groupId> <groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-2-starter</artifactId> <artifactId>keycloak-spring-boot-starter</artifactId>
<version>4.0.0.Final</version>
</dependency> </dependency>
...@@ -354,4 +354,15 @@ ...@@ -354,4 +354,15 @@
</plugins> </plugins>
</build> </build>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.keycloak.bom</groupId>
<artifactId>keycloak-adapter-bom</artifactId>
<version>7.0.0</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
</project> </project>
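Review bot: The `keycloak-adapter-bom` import pinned at `<version>7.0.0</version>` now decides the adapter version for the version-less `keycloak-spring-boot-starter` dependency, but nothing records why 7.0.0 was chosen or which Keycloak server it has to match; an XML comment next to the version, `<!-- Keycloak adapter line: must match the Keycloak server major version and be tracked for security updates -->`, would make the pin reviewable later. The artifact rename from `keycloak-spring-boot-2-starter` to `keycloak-spring-boot-starter` happened across Keycloak releases while the parent here is still `spring-boot-starter-parent` 1.3.8.RELEASE, so whether the Keycloak 7 starter targets that Spring Boot line should be confirmed before merging. The commit message `fix merge` does not say which side of the merge was kept for this dependency, which is worth stating in the message or the comment.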
...@@ -49,177 +49,216 @@ import java.io.IOException; ...@@ -49,177 +49,216 @@ import java.io.IOException;
/** /**
* Configuration for security. * Configuration for security.
*/ */
@Configuration @KeycloakConfiguration
@EnableOAuth2Client public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfiguration.class);
@Autowired @Autowired
private OAuth2ClientContext oauth2ClientContext; public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(keycloakAuthenticationProvider());
/** }
* Enable HBP collab authentication (1) or disable it (0). Default is 1
*/
@Value("#{'${hbp.authentication.enabled:1}'}")
private boolean authentication;
/**
* Absolute URL to redirect to when login is required
*/
@Value("#{'${frontend.loginUrl:/login/hbp}'}")
private String loginUrl;
/**
* Absolute URL to redirect to after successful login
*/
@Value("#{'${frontend.redirectAfterLoginUrl:http://frontend/home}'}")
private String frontendRedirectAfterLogin;
/**
* Absolute URL to redirect to after logout has occurred
*/
@Value("#{'${frontend.redirectAfterLogoutUrl:/login/hbp}'}")
private String redirectAfterLogoutUrl;
/** /**
* URL to revoke auth token * Defines the session authentication strategy.
*/ */
@Value("#{'${hbp.resource.revokeTokenUri:https://services.humanbrainproject.eu/oidc/revoke}'}")
private String revokeTokenURI;
// @Autowired
// private HttpServletRequest request;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
if (authentication) {
http.antMatcher("/**")
.authorizeRequests()
.antMatchers(
"/", "/login/**", "/health/**", "/info/**", "/metrics/**", "/trace/**", "/frontend/**", "/webjars/**", "/v2/api-docs", "/swagger-ui.html", "/swagger-resources/**"
).permitAll()
.anyRequest().authenticated()
.and().exceptionHandling().authenticationEntryPoint(new CustomLoginUrlAuthenticationEntryPoint(loginUrl))
.and().logout().addLogoutHandler(new CustomLogoutHandler()).logoutSuccessUrl(redirectAfterLogoutUrl)
.and().logout().permitAll()
.and().csrf().ignoringAntMatchers("/logout").csrfTokenRepository(csrfTokenRepository())
.and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
else {
//keycloak
KeycloakConfiguration.getKeycloakSecurityContext();
// http.antMatcher("/**")
// .authorizeRequests()
// .antMatchers("/**").permitAll().and().csrf().disable();
}
}
private Filter ssoFilter() {
OAuth2ClientAuthenticationProcessingFilter hbpFilter = new OAuth2ClientAuthenticationProcessingFilter("/login/hbp");
OAuth2RestTemplate hbpTemplate = new OAuth2RestTemplate(hbp(), oauth2ClientContext);
hbpFilter.setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler(frontendRedirectAfterLogin));
hbpFilter.setRestTemplate(hbpTemplate);
hbpFilter.setTokenServices(new UserInfoTokenServices(hbpResource().getUserInfoUri(), hbp().getClientId()));
return hbpFilter;
}
@Bean @Bean
public FilterRegistrationBean oauth2ClientFilterRegistration( @Override
OAuth2ClientContextFilter filter) { protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
FilterRegistrationBean registration = new FilterRegistrationBean(); return new NullAuthenticatedSessionStrategy();
registration.setFilter(filter);
registration.setOrder(-100);
return registration;
}
@Bean(name="hbp")
@ConfigurationProperties("hbp.client")
public OAuth2ProtectedResourceDetails hbp() {
return new AuthorizationCodeResourceDetails();
}
@Bean(name="hbpResource")
@ConfigurationProperties("hbp.resource")
public ResourceServerProperties hbpResource() {
return new ResourceServerProperties();
}
public boolean isAuthentication() {
return authentication;
}
public String getFrontendRedirectAfterLogin() {
return frontendRedirectAfterLogin;
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null && !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
} }
private CsrfTokenRepository csrfTokenRepository() { @Override
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository(); protected void configure(HttpSecurity http) throws Exception
repository.setHeaderName("X-XSRF-TOKEN"); {
return repository; super.configure(http);
http
.authorizeRequests()
.antMatchers("/user*").authenticated()
.antMatchers("/public1*").hasAuthority("public13")
.antMatchers("/public2*").hasAuthority("public2")
.antMatchers("/public3*").hasAuthority("public3")
.antMatchers("/admin*").authenticated()
.anyRequest().permitAll()
.and()
.logout()
.addLogoutHandler(keycloakLogoutHandler())//.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutUrl("/logout").permitAll()
.logoutSuccessUrl("/");
// .anyRequest().permitAll().and().logout().addLogoutHandler(new KeycloakLogoutHandler(new RestTemplate())).logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
;
} }
private class CustomLogoutHandler implements LogoutHandler {
@Override
public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
// Hackish way of accessing to this information...
final UserInfo userInfo = (UserInfo) httpServletRequest.getSession().getAttribute("userInfo");
if (userInfo != null) {
userInfo.setFakeAuth(false);
}
if (oauth2ClientContext == null || oauth2ClientContext.getAccessToken() == null)
{
return;
}
String idToken = oauth2ClientContext.getAccessToken().getAdditionalInformation().get("id_token").toString();
StringBuilder query = new StringBuilder();
query.append("{");
query.append("\"token\":");
query.append("\"").append(idToken).append("\"");
query.append("}");
try {
int responseCode = HTTPUtil.sendPost(revokeTokenURI, query.toString(), new StringBuilder());
if (responseCode != 200)
{
LOGGER.warn("Cannot send request to OIDC server for revocation ! ");
}
else{
LOGGER.info("Should be logged out");
}
} catch (IOException e) {
LOGGER.warn("Cannot notify logout to OIDC server !");
LOGGER.trace("Cannot notify logout", e);
}
}
}
} }
//@Configuration
//@EnableOAuth2Client
//public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
//
// private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfiguration.class);
//
// @Autowired
// private OAuth2ClientContext oauth2ClientContext;
//
// /**
// * Enable HBP collab authentication (1) or disable it (0). Default is 1
// */
// @Value("#{'${hbp.authentication.enabled:1}'}")
// private boolean authentication;
//
// /**
// * Absolute URL to redirect to when login is required
// */
// @Value("#{'${frontend.loginUrl:/login/hbp}'}")
// private String loginUrl;
//
// /**
// * Absolute URL to redirect to after successful login
// */
// @Value("#{'${frontend.redirectAfterLoginUrl:http://frontend/home}'}")
// private String frontendRedirectAfterLogin;
//
// /**
// * Absolute URL to redirect to after logout has occurred
// */
// @Value("#{'${frontend.redirectAfterLogoutUrl:/login/hbp}'}")
// private String redirectAfterLogoutUrl;
//
// /**
// * URL to revoke auth token
// */
// @Value("#{'${hbp.resource.revokeTokenUri:https://services.humanbrainproject.eu/oidc/revoke}'}")
// private String revokeTokenURI;
//
//// @Autowired
//// private HttpServletRequest request;
//
// @Override
// protected void configure(HttpSecurity http) throws Exception {
// // @formatter:off
// http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
//
// if (authentication) {
// http.antMatcher("/**")
// .authorizeRequests()
// .antMatchers(
// "/", "/login/**", "/health/**", "/info/**", "/metrics/**", "/trace/**", "/frontend/**", "/webjars/**", "/v2/api-docs", "/swagger-ui.html", "/swagger-resources/**"
// ).permitAll()
// .anyRequest().authenticated()
// .and().exceptionHandling().authenticationEntryPoint(new CustomLoginUrlAuthenticationEntryPoint(loginUrl))
// .and().logout().addLogoutHandler(new CustomLogoutHandler()).logoutSuccessUrl(redirectAfterLogoutUrl)
// .and().logout().permitAll()
// .and().csrf().ignoringAntMatchers("/logout").csrfTokenRepository(csrfTokenRepository())
// .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
// .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
// }
// else {
// //keycloak
// //KeycloakConfiguration.getKeycloakSecurityContext();
//// http.antMatcher("/**")
//// .authorizeRequests()
//// .antMatchers("/**").permitAll().and().csrf().disable();
// }
// }
//
// private Filter ssoFilter() {
// OAuth2ClientAuthenticationProcessingFilter hbpFilter = new OAuth2ClientAuthenticationProcessingFilter("/login/hbp");
// OAuth2RestTemplate hbpTemplate = new OAuth2RestTemplate(hbp(), oauth2ClientContext);
// hbpFilter.setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler(frontendRedirectAfterLogin));
// hbpFilter.setRestTemplate(hbpTemplate);
// hbpFilter.setTokenServices(new UserInfoTokenServices(hbpResource().getUserInfoUri(), hbp().getClientId()));
// return hbpFilter;
// }
//
// @Bean
// public FilterRegistrationBean oauth2ClientFilterRegistration(
// OAuth2ClientContextFilter filter) {
// FilterRegistrationBean registration = new FilterRegistrationBean();
// registration.setFilter(filter);
// registration.setOrder(-100);
// return registration;
// }
//
// @Bean(name="hbp")
// @ConfigurationProperties("hbp.client")
// public OAuth2ProtectedResourceDetails hbp() {
// return new AuthorizationCodeResourceDetails();
// }
//
// @Bean(name="hbpResource")
// @ConfigurationProperties("hbp.resource")
// public ResourceServerProperties hbpResource() {
// return new ResourceServerProperties();
// }
//
// public boolean isAuthentication() {
// return authentication;
// }
//
// public String getFrontendRedirectAfterLogin() {
// return frontendRedirectAfterLogin;
// }
//
// private Filter csrfHeaderFilter() {
// return new OncePerRequestFilter() {
// @Override
// protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
// FilterChain filterChain) throws ServletException, IOException {
// CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
// if (csrf != null) {
// Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
// String token = csrf.getToken();
// if (cookie == null || token != null && !token.equals(cookie.getValue())) {
// cookie = new Cookie("XSRF-TOKEN", token);
// cookie.setPath("/");
// response.addCookie(cookie);
// }
// }
// filterChain.doFilter(request, response);
// }
// };
// }
//
// private CsrfTokenRepository csrfTokenRepository() {
// HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
// repository.setHeaderName("X-XSRF-TOKEN");
// return repository;
// }
//
// private class CustomLogoutHandler implements LogoutHandler {
// @Override
// public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
//
// // Hackish way of accessing to this information...
// final UserInfo userInfo = (UserInfo) httpServletRequest.getSession().getAttribute("userInfo");
// if (userInfo != null) {
// userInfo.setFakeAuth(false);
// }
//
// if (oauth2ClientContext == null || oauth2ClientContext.getAccessToken() == null)
// {
// return;
// }
//
// String idToken = oauth2ClientContext.getAccessToken().getAdditionalInformation().get("id_token").toString();
//
// StringBuilder query = new StringBuilder();
// query.append("{");
// query.append("\"token\":");
// query.append("\"").append(idToken).append("\"");
// query.append("}");
//
// try {
// int responseCode = HTTPUtil.sendPost(revokeTokenURI, query.toString(), new StringBuilder());
// if (responseCode != 200)
// {
// LOGGER.warn("Cannot send request to OIDC server for revocation ! ");
// }
// else{
// LOGGER.info("Should be logged out");
// }
// } catch (IOException e) {
// LOGGER.warn("Cannot notify logout to OIDC server !");
// LOGGER.trace("Cannot notify logout", e);
// }
//
// }
// }
//}
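Review bot: `.anyRequest().permitAll()` in the new `configure(HttpSecurity)` makes the application open by default, and because the `*` in `/user*` and `/admin*` does not cross a path separator, `/user/...` and `/admin/...` sub-paths fall through to permitAll, whereas the replaced configuration did the opposite (`.anyRequest().authenticated()` behind an explicit allowlist). `hasAuthority("public13")` on `/public1*` also looks like a typo for `public1` given the `public2`/`public3` rules beneath it. The rewrite below inverts the default and widens the matchers to `/**`, reusing the old allowlist, so whether `/metrics/**` and `/trace/**` should really stay anonymous is worth re-checking. Separately, `super.configure(http)` in `KeycloakWebSecurityConfigurerAdapter` already registers the Keycloak logout handler, so the extra `.logout().addLogoutHandler(keycloakLogoutHandler())` block likely registers it twice (confirm against the adapter version pulled in by the BOM), and the `CORSFilter` and CSRF cookie handling of the old class are gone without replacement. The fully commented-out previous class at the bottom of the file should be deleted rather than kept as a comment; git history already holds it.
```java
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
            // explicit allowlist; everything not listed requires an authenticated Keycloak session
            // TODO(review): re-check whether /metrics and /trace should remain anonymous
            .antMatchers("/", "/health/**", "/info/**", "/metrics/**", "/trace/**", "/frontend/**",
                         "/webjars/**", "/v2/api-docs", "/swagger-ui.html", "/swagger-resources/**").permitAll()
            .antMatchers("/public1", "/public1/**").hasAuthority("public1")
            .antMatchers("/public2", "/public2/**").hasAuthority("public2")
            .antMatchers("/public3", "/public3/**").hasAuthority("public3")
            .antMatchers("/user", "/user/**", "/admin", "/admin/**").authenticated()
            .anyRequest().authenticated();
        // … unchanged: logout configuration (see note on the duplicate Keycloak logout handler) …
    }
```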