IM-459 Configure 'Remote Engine' as OAuth2 resource server

klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/security/SecurityConfig.java

@@ -11,13 +11,15 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
@@ -27,76 +29,77 @@
 import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
 
 @Configuration
-@EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
-class SecurityConfig extends WebSecurityConfigurerAdapter {
-
-  @Autowired
-  private PreauthenticatedUserDetailsService customUserDetailsService;
+class SecurityConfig {
 
-  @Autowired
-  private EngineDirectoryAuthenticationProvider authProvider;
-
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-	  http
-	  // disable automatic session creation to avoid use of cookie session
-	  // and the consequent authentication failures in web ui
-	  .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-	  .and()
-	  .addFilterBefore(certFilter(), RequestHeaderAuthenticationFilter.class)
-//	  .authorizeRequests().anyRequest().hasAnyRole("ADMIN")
-//      .and()
-      .authorizeRequests().antMatchers("/login**").permitAll()
-      .and()
-      .formLogin().permitAll()
-      .and()
-      .logout().permitAll() 
-      .and()
-      .csrf().disable()
-      .exceptionHandling().authenticationEntryPoint(new AuthenticationEntryPoint() {
+	@Autowired
+	private PreauthenticatedUserDetailsService customUserDetailsService;
 
+	@Autowired
+	private EngineDirectoryAuthenticationProvider authProvider;
+
+	@Profile("local")
+	@EnableWebSecurity
+	@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
+	public class CertificateSecurityConfig extends WebSecurityConfigurerAdapter {
+		// disable automatic session creation to avoid use of cookie session
+		// and the consequent authentication failures in web ui
 		@Override
-		public void commence(HttpServletRequest request, HttpServletResponse response,
-				AuthenticationException authException) throws IOException, ServletException {
-			// Pre-authenticated entry point called. Rejecting access
-	        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+		protected void configure(HttpSecurity http) throws Exception {
+			http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
+					.addFilterBefore(certFilter(), RequestHeaderAuthenticationFilter.class).authorizeRequests()
+					.antMatchers("/login**").permitAll().and().formLogin().permitAll().and().logout().permitAll().and()
+					.csrf().disable().exceptionHandling().authenticationEntryPoint(new AuthenticationEntryPoint() {
+						@Override
+						public void commence(HttpServletRequest request, HttpServletResponse response,
+								AuthenticationException authException) throws IOException, ServletException {
+							// Pre-authenticated entry point called. Rejecting access
+							response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+						}
+					}).and().headers().frameOptions().disable();
 		}
-
-      })
-      .and()
-      .headers().frameOptions().disable();
-  }
 
-	@Bean
-	@Override
-	protected AuthenticationManager authenticationManager()  {
-		final List<AuthenticationProvider> providers = new ArrayList<>(2);
-		providers.add(preauthAuthProvider());
-		providers.add(authProvider);
-		return new ProviderManager(providers);
-	}
+		@Bean
+		@Override
+		protected AuthenticationManager authenticationManager() {
+			final List<AuthenticationProvider> providers = new ArrayList<>(2);
+			providers.add(preauthAuthProvider());
+			providers.add(authProvider);
+			return new ProviderManager(providers);
+		}
+
+		@Bean(name = "certFilter")
+		PreauthenticationFilter certFilter() {
+			PreauthenticationFilter ret = new PreauthenticationFilter();
+			ret.setAuthenticationManager(authenticationManager());
+			return ret;
+		}
 
-  	@Bean(name="certFilter")
-  	PreauthenticationFilter certFilter() {
-  		PreauthenticationFilter ret = new PreauthenticationFilter();
-		ret.setAuthenticationManager(authenticationManager());
-  		return ret;
-  	}
-
-	@Bean(name = "preAuthProvider")
-	PreAuthenticatedAuthenticationProvider preauthAuthProvider()  {
-		PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
-		provider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
-		return provider;
+		@Bean(name = "preAuthProvider")
+		PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
+			PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
+			provider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
+			return provider;
+		}
+
+		@Bean
+		UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
+			UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
+			wrapper.setUserDetailsService(customUserDetailsService);
+			return wrapper;
+		}
 	}
 
-	@Bean
-	UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper()  {
-		UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
-		wrapper.setUserDetailsService(customUserDetailsService);
-		return wrapper;
+	@Profile("remote")
+	@EnableWebSecurity
+	@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
+	public static class RemoteSecurityConfig extends WebSecurityConfigurerAdapter {
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http.authorizeHttpRequests(
+					authorize -> authorize.mvcMatchers("/api/**").authenticated().mvcMatchers("/**").permitAll())
+					.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+		}
 	}
 
-
 }

klab.engine/src/main/resources/application.properties

@@ -1 +1,2 @@
-spring.jackson.serialization.FAIL_ON_EMPTY_BEANS=false
+spring.jackson.serialization.FAIL_ON_EMPTY_BEANS=false
+spring.profiles.default=local

products/cloud/pom.xml

@@ -105,6 +105,16 @@
 			<groupId>org.springframework.cloud</groupId>
 			<artifactId>spring-cloud-starter-consul-config</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-oauth2-resource-server</artifactId>
+			<version>${spring-security.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-oauth2-jose</artifactId>
+			<version>${spring-security.version}</version>
+		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.datatype</groupId>
 			<artifactId>jackson-datatype-joda</artifactId>

products/cloud/src/main/resources/bootstrap.yml

@@ -4,6 +4,11 @@ spring:
   cloud:
     consul:
       enabled: false
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: https://login-test.integratedmodelling.org/realms/im
 
 stats:
   server: