diff --git a/src/main/java/eu/hbp/mip/configuration/SecurityConfiguration.java b/src/main/java/eu/hbp/mip/configuration/SecurityConfiguration.java
index f6a82a57133ff56f77471157c65a130c7cb3cc9b..adc3df815fbc74d27f78e8bbf661ff31fc168a89 100644
--- a/src/main/java/eu/hbp/mip/configuration/SecurityConfiguration.java
+++ b/src/main/java/eu/hbp/mip/configuration/SecurityConfiguration.java
@@ -1,10 +1,7 @@
 package eu.hbp.mip.configuration;
 
 import eu.hbp.mip.model.UserInfo;
-import eu.hbp.mip.utils.CORSFilter;
-import eu.hbp.mip.utils.CustomLoginUrlAuthenticationEntryPoint;
-import eu.hbp.mip.utils.HTTPUtil;
-import eu.hbp.mip.utils.UserActionLogging;
+import eu.hbp.mip.utils.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
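Review bot: The four explicit `eu.hbp.mip.utils` imports are collapsed into `import eu.hbp.mip.utils.*;`, which hides which filters and handlers this security configuration actually depends on. Since the only new dependency visible in this commit is the access-denied handler, I would keep the explicit list and add `import eu.hbp.mip.utils.CustomAccessDeniedHandler;` instead.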
@@ -17,7 +14,6 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.*;
-import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication;
@@ -40,8 +36,6 @@ import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
-import org.springframework.web.bind.annotation.ControllerAdvice;
-import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.util.WebUtils;
@@ -111,15 +105,6 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
     @Value("#{'${hbp.resource.revokeTokenUri:https://services.humanbrainproject.eu/oidc/revoke}'}")
     private String revokeTokenURI;
 
-    @ControllerAdvice
-    class AccessDeniedExceptionHandler {
-
-        @ExceptionHandler(value = AccessDeniedException.class)
-        public void handleConflict(HttpServletResponse response) throws IOException {
-            response.sendError(403, "Access is denied. Please contact the system administrator to request access.");
-        }
-    }
-
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         disableCertificateValidation();
@@ -137,6 +122,7 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
                     //.anyRequest().authenticated()
                     .anyRequest().hasRole("Researcher")
                     .and().exceptionHandling().authenticationEntryPoint(new CustomLoginUrlAuthenticationEntryPoint(loginUrl))
+                    .accessDeniedHandler(new CustomAccessDeniedHandler())
                     .and().logout().addLogoutHandler(authLogoutHandler()).logoutSuccessUrl(redirectAfterLogoutUrl)
                     .and().logout().permitAll()
                     .and().csrf().ignoringAntMatchers("/logout").csrfTokenRepository(csrfTokenRepository())
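Review bot: Registering the handler on `exceptionHandling()` most likely routes CSRF rejections through it as well, because Spring Security's CSRF filter reuses the configured access-denied handler and `csrf()` is enabled on the last line of this hunk. A request with a missing or stale CSRF token would then be told to "contact the system administrator to request access", which misdescribes the failure and will confuse both users and whoever triages the report. Consider branching in `CustomAccessDeniedHandler.handle` on `accessDeniedException instanceof CsrfException` and returning a distinct message for that case. The `configure` method starts and ends outside this hunk, so the rest of the chain is not visible here.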
diff --git a/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java b/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java
index 262b6512f6d22428979bbb98b8c6b428a6b1e5ea..0c027d4978eab28fdd61633a8b68c320598c50ec 100644
--- a/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java
+++ b/src/main/java/eu/hbp/mip/controllers/ExperimentApi.java
@@ -64,7 +64,7 @@ public class ExperimentApi {
     @Value("#{'${services.workflows.workflowUrl}'}")
     private String workflowUrl;
 
-    @Value("#{'${services.workflows.jwtSecret}'}")Α
+    @Value("#{'${services.workflows.jwtSecret}'}")
     private String jwtSecret;
 
     @Value("#{'${services.galaxy.galaxyUrl}'}")
diff --git a/src/main/java/eu/hbp/mip/controllers/SecurityApi.java b/src/main/java/eu/hbp/mip/controllers/SecurityApi.java
index ee24f17d97573ffe2a416c6cc4cba766a94e4cbd..397f1ae6c149a3693632a0b7817709d6cb2318f3 100644
--- a/src/main/java/eu/hbp/mip/controllers/SecurityApi.java
+++ b/src/main/java/eu/hbp/mip/controllers/SecurityApi.java
@@ -5,20 +5,19 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 import eu.hbp.mip.configuration.SecurityConfiguration;
-import org.springframework.beans.factory.annotation.Value;
 import eu.hbp.mip.model.User;
 import eu.hbp.mip.model.UserInfo;
 import eu.hbp.mip.repositories.UserRepository;
+import eu.hbp.mip.utils.UserActionLogging;
 import io.swagger.annotations.ApiParam;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PreAuthorize;
-import eu.hbp.mip.utils.UserActionLogging;
+import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
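Review bot: The added `import org.springframework.security.access.AccessDeniedException;` does not appear to be used by any of the SecurityApi hunks in this commit, which only reformat whitespace. If nothing outside the visible hunks references it, drop the import so the file does not suggest that the controller handles access denials itself. That job now belongs to the handler registered in SecurityConfiguration.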
@@ -45,8 +44,8 @@ public class SecurityApi {
     @RequestMapping(path = "/user", method = RequestMethod.GET)
     public Object user(Principal principal, HttpServletResponse response) {
         ObjectMapper mapper = new ObjectMapper();
-		
-		UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "get user from /user","");
+
+        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "get user from /user", "");
         try {
             String userJSON = mapper.writeValueAsString(userInfo.getUser());
             Cookie cookie = new Cookie("user", URLEncoder.encode(userJSON, "UTF-8"));
@@ -77,9 +76,9 @@ public class SecurityApi {
             user.setAgreeNDA(agreeNDA);
             userRepository.save(user);
         }
-		
-		UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "user agreeNDA","");
-		
+
+        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "user agreeNDA", "");
+
         return new ResponseEntity<>(HttpStatus.NO_CONTENT);
     }
 
@@ -106,16 +105,15 @@ public class SecurityApi {
      */
 
     @RequestMapping(path = "/galaxy", method = RequestMethod.GET, produces = "application/json")
-	@PreAuthorize("hasRole('Data Manager')")
+    @PreAuthorize("hasRole('Data Manager')")
     @ResponseStatus(value = HttpStatus.OK)
-    public ResponseEntity getGalaxyConfiguration(){
+    public ResponseEntity getGalaxyConfiguration() {
         String stringEncoded = Base64.getEncoder().encodeToString((galaxyUsername + ":" + galaxyPassword).getBytes());
         JsonObject object = new JsonObject();
         object.addProperty("authorization", stringEncoded);
         object.addProperty("context", galaxyContext);
-		UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "get galaxy information","");
-		
+        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "get galaxy information", "");
+
         return ResponseEntity.ok(gson.toJson(object));
     }
-
 }
diff --git a/src/main/java/eu/hbp/mip/utils/CustomAccessDeniedHandler.java b/src/main/java/eu/hbp/mip/utils/CustomAccessDeniedHandler.java
new file mode 100644
index 0000000000000000000000000000000000000000..783e4a3ff68ab3384a798d9fc70f68f29c114bd6
--- /dev/null
+++ b/src/main/java/eu/hbp/mip/utils/CustomAccessDeniedHandler.java
@@ -0,0 +1,33 @@
+package eu.hbp.mip.utils;
+
+import org.codehaus.jettison.json.JSONException;
+import org.codehaus.jettison.json.JSONObject;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.sql.Timestamp;
+
+public class CustomAccessDeniedHandler implements AccessDeniedHandler {
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response,
+                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        response.setContentType("application/json;charset=UTF-8");
+        response.setStatus(403);
+        try {
+            response.getWriter().write(new JSONObject()
+                    .put("timestamp", new Timestamp(System.currentTimeMillis()))
+                    .put("status", 403)
+                    .put("error", "Forbidden")
+                    .put("message", "Access Denied. Please contact the system administrator to request access.")
+                    .put("path", request.getServletPath())
+                    .toString());
+        } catch (JSONException e) {
+            response.getWriter().write("");
+            e.printStackTrace();
+        }
+    }
+}
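Review bot: `handle` never records the denial and reports a `JSONException` with `e.printStackTrace()`, so refused requests leave no entry in the application log that the rest of the project writes through slf4j. It also writes the body without checking `response.isCommitted()`, and uses the literal `403` where `HttpServletResponse.SC_FORBIDDEN` states the intent. The `Timestamp` put into the `JSONObject` is presumably serialized through its `toString()`, in the JVM's default time zone and not ISO-8601, so confirm what the front end expects. The sketch below needs the slf4j `Logger` and `LoggerFactory` imports. It strips CR/LF from the path before logging because the path is request-controlled.

```java
public class CustomAccessDeniedHandler implements AccessDeniedHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(CustomAccessDeniedHandler.class);

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
        // Audit the denial; the remote user can be null (e.g. a rejection before login).
        String safePath = String.valueOf(request.getServletPath()).replaceAll("[\\r\\n]", "_");
        LOGGER.warn("Access denied for user {} on {}", request.getRemoteUser(), safePath);

        // Nothing more can be written once the response has been committed.
        if (response.isCommitted()) {
            return;
        }
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("application/json;charset=UTF-8");
        try {
            // … unchanged: JSONObject body written to response.getWriter() …
        } catch (JSONException e) {
            LOGGER.error("Could not build the access-denied response body", e);
        }
    }
}
```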