diff --git a/klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/security/SecurityConfig.java b/klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/security/SecurityConfig.java
index 1e4f1f016..749585d51 100644
--- a/klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/security/SecurityConfig.java
+++ b/klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/security/SecurityConfig.java
@@ -11,6 +11,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
@@ -18,6 +19,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
@@ -27,76 +29,77 @@ import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter; @Configuration -@EnableWebSecurity -@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true) -class SecurityConfig extends WebSecurityConfigurerAdapter { - - @Autowired - private PreauthenticatedUserDetailsService customUserDetailsService; +class SecurityConfig { - @Autowired - private EngineDirectoryAuthenticationProvider authProvider; - - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // disable automatic session creation to avoid use of cookie session - // and the consequent authentication failures in web ui - .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) - .and() - .addFilterBefore(certFilter(), RequestHeaderAuthenticationFilter.class) -// .authorizeRequests().anyRequest().hasAnyRole("ADMIN") -// .and() - .authorizeRequests().antMatchers("/login**").permitAll() - .and() - .formLogin().permitAll() - .and() - .logout().permitAll() - .and() - .csrf().disable() - .exceptionHandling().authenticationEntryPoint(new AuthenticationEntryPoint() { + @Autowired + private PreauthenticatedUserDetailsService customUserDetailsService; + @Autowired + private EngineDirectoryAuthenticationProvider authProvider; + + @Profile("local") + @EnableWebSecurity + @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true) + public class CertificateSecurityConfig extends WebSecurityConfigurerAdapter { + // disable automatic session creation to avoid use of cookie session + // and the consequent authentication failures in web ui @Override - public void commence(HttpServletRequest request, HttpServletResponse response, - AuthenticationException authException) throws IOException, ServletException { - // Pre-authenticated entry point called. 
Rejecting access - response.sendError(HttpServletResponse.SC_UNAUTHORIZED); + protected void configure(HttpSecurity http) throws Exception { + http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() + .addFilterBefore(certFilter(), RequestHeaderAuthenticationFilter.class).authorizeRequests() + .antMatchers("/login**").permitAll().and().formLogin().permitAll().and().logout().permitAll().and() + .csrf().disable().exceptionHandling().authenticationEntryPoint(new AuthenticationEntryPoint() { + @Override + public void commence(HttpServletRequest request, HttpServletResponse response, + AuthenticationException authException) throws IOException, ServletException { + // Pre-authenticated entry point called. Rejecting access + response.sendError(HttpServletResponse.SC_UNAUTHORIZED); + } + }).and().headers().frameOptions().disable(); } - - }) - .and() - .headers().frameOptions().disable(); - } - @Bean - @Override - protected AuthenticationManager authenticationManager() { - final List providers = new ArrayList<>(2); - providers.add(preauthAuthProvider()); - providers.add(authProvider); - return new ProviderManager(providers); - } + @Bean + @Override + protected AuthenticationManager authenticationManager() { + final List providers = new ArrayList<>(2); + providers.add(preauthAuthProvider()); + providers.add(authProvider); + return new ProviderManager(providers); + } + + @Bean(name = "certFilter") + PreauthenticationFilter certFilter() { + PreauthenticationFilter ret = new PreauthenticationFilter(); + ret.setAuthenticationManager(authenticationManager()); + return ret; + } - @Bean(name="certFilter") - PreauthenticationFilter certFilter() { - PreauthenticationFilter ret = new PreauthenticationFilter(); - ret.setAuthenticationManager(authenticationManager()); - return ret; - } - - @Bean(name = "preAuthProvider") - PreAuthenticatedAuthenticationProvider preauthAuthProvider() { - PreAuthenticatedAuthenticationProvider provider = new 
PreAuthenticatedAuthenticationProvider(); - provider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper()); - return provider; + @Bean(name = "preAuthProvider") + PreAuthenticatedAuthenticationProvider preauthAuthProvider() { + PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider(); + provider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper()); + return provider; + } + + @Bean + UserDetailsByNameServiceWrapper userDetailsServiceWrapper() { + UserDetailsByNameServiceWrapper wrapper = new UserDetailsByNameServiceWrapper<>(); + wrapper.setUserDetailsService(customUserDetailsService); + return wrapper; + } } - @Bean - UserDetailsByNameServiceWrapper userDetailsServiceWrapper() { - UserDetailsByNameServiceWrapper wrapper = new UserDetailsByNameServiceWrapper<>(); - wrapper.setUserDetailsService(customUserDetailsService); - return wrapper; + @Profile("remote") + @EnableWebSecurity + @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true) + public static class RemoteSecurityConfig extends WebSecurityConfigurerAdapter { + + @Override + protected void configure(HttpSecurity http) throws Exception { + http.authorizeHttpRequests( + authorize -> authorize.mvcMatchers("/api/**").authenticated().mvcMatchers("/**").permitAll()) + .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); + } } - } diff --git a/klab.engine/src/main/resources/application.properties b/klab.engine/src/main/resources/application.properties index 7a6ddd7e3..c6b16a866 100644 --- a/klab.engine/src/main/resources/application.properties +++ b/klab.engine/src/main/resources/application.properties @@ -1 +1,2 @@ -spring.jackson.serialization.FAIL_ON_EMPTY_BEANS=false \ No newline at end of file +spring.jackson.serialization.FAIL_ON_EMPTY_BEANS=false +spring.profiles.default=local \ No newline at end of file diff --git a/products/cloud/pom.xml b/products/cloud/pom.xml index ca7e9d533..d6a9a9c4a 100644 
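Review bot: RemoteSecurityConfig.configure() keeps Spring Security's defaults for CSRF and session creation, whereas the local CertificateSecurityConfig in the same hunk still disables CSRF and sets SessionCreationPolicy.STATELESS; for a bearer-token resource server that likely means non-GET calls to /api/** carrying only an Authorization header are rejected by the CsrfFilter, and authenticated contexts may be persisted into HTTP sessions. Prefix the chain with `http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().csrf().disable()` ahead of the `authorizeHttpRequests(...)` call (SessionCreationPolicy is already imported). Separately, CertificateSecurityConfig is a non-static inner class (it reads the outer class's @Autowired fields) while RemoteSecurityConfig is static; Spring's documented form for nested @Configuration classes is a static nested class, so moving the two @Autowired fields into CertificateSecurityConfig and marking it static would avoid relying on Spring constructing it with an enclosing instance. The @Profile split also means a deployment that activates neither `local` nor `remote` registers no WebSecurityConfigurerAdapter at all, which deserves a comment on the outer SecurityConfig class stating that exactly one of the two profiles must be active.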
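Review bot: `spring.profiles.default=local` takes effect only when no profile is activated, and nothing in this diff activates `remote` for products/cloud even though its bootstrap.yml now carries the JWT issuer-uri; unless that product sets `spring.profiles.active=remote` somewhere not visible here, it will start under the header/pre-auth CertificateSecurityConfig and the issuer configuration will be unused. A comment above the new property would make the intended pairing explicit, e.g. `# local = certificate/pre-auth security (default); cloud deployments must activate the 'remote' profile for OAuth2/JWT`. The file also still ends without a trailing newline, so the next property appended by a tool or a merge would be fused onto this line.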
--- a/products/cloud/pom.xml +++ b/products/cloud/pom.xml @@ -105,6 +105,16 @@ org.springframework.cloud spring-cloud-starter-consul-config + + org.springframework.security + spring-security-oauth2-resource-server + ${spring-security.version} + + + org.springframework.security + spring-security-oauth2-jose + ${spring-security.version} + com.fasterxml.jackson.datatype jackson-datatype-joda diff --git a/products/cloud/src/main/resources/bootstrap.yml b/products/cloud/src/main/resources/bootstrap.yml index ed5ffd37f..ec890f825 100644 --- a/products/cloud/src/main/resources/bootstrap.yml +++ b/products/cloud/src/main/resources/bootstrap.yml @@ -4,6 +4,11 @@ spring: cloud: consul: enabled: false + security: + oauth2: + resourceserver: + jwt: + issuer-uri: https://login-test.integratedmodelling.org/realms/im stats: server: