Revision 57921
Added by Katerina Iatropoulou over 4 years ago
| modules/dnet-openaire-users/trunk/src/main/java/eu/dnetlib/openaire/usermanagement/security/FrontEndLinkURIAuthenticationSuccessHandler.java | ||
|---|---|---|
| 1 |
package eu.dnetlib.openaire.usermanagement.security; |
|
| 2 |
|
|
| 3 |
import com.google.gson.Gson; |
|
| 4 |
import org.apache.log4j.Logger; |
|
| 5 |
import org.mitre.openid.connect.model.OIDCAuthenticationToken; |
|
| 6 |
import org.springframework.security.core.Authentication; |
|
| 7 |
import org.springframework.security.web.authentication.AuthenticationSuccessHandler; |
|
| 8 |
|
|
| 9 |
import javax.servlet.http.Cookie; |
|
| 10 |
import javax.servlet.http.HttpServletRequest; |
|
| 11 |
import javax.servlet.http.HttpServletResponse; |
|
| 12 |
import java.io.IOException; |
|
| 13 |
|
|
| 14 |
/** |
|
| 15 |
* Created by stefanos on 9/5/2017. |
|
| 16 |
*/ |
|
| 17 |
public class FrontEndLinkURIAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
|
|
| 18 |
|
|
| 19 |
private static final Logger logger = Logger.getLogger(FrontEndLinkURIAuthenticationSuccessHandler.class); |
|
| 20 |
|
|
| 21 |
private String frontEndURI; |
|
| 22 |
private String frontPath; |
|
| 23 |
private String frontDomain; |
|
| 24 |
|
|
| 25 |
@Override |
|
| 26 |
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IllegalArgumentException, IOException {
|
|
| 27 |
|
|
| 28 |
OIDCAuthenticationToken authOIDC = (OIDCAuthenticationToken) authentication; |
|
| 29 |
|
|
| 30 |
try {
|
|
| 31 |
|
|
| 32 |
// Cookie jwt = new Cookie("XCsrfToken", JWTGenerator.generateToken(authOIDC, "my-very-secret"));
|
|
| 33 |
Cookie openAIREUser = new Cookie("openAIREUser", new Gson().toJson(JWTGenerator.generateJsonToken(authOIDC)));
|
|
| 34 |
Cookie accessToken = new Cookie("AccessToken", authOIDC.getAccessTokenValue());
|
|
| 35 |
|
|
| 36 |
// Expire the cookies in four hours (4 * 3600) |
|
| 37 |
// jwt.setMaxAge(14400); |
|
| 38 |
openAIREUser.setMaxAge(14400); |
|
| 39 |
accessToken.setMaxAge(14400); |
|
| 40 |
|
|
| 41 |
//TODO DELETE LOG |
|
| 42 |
logger.info("\n////////////////////////////////////////////////////////////////////////////////////////////////\n");
|
|
| 43 |
// logger.info("jwt: " + JWTGenerator.generateToken(authOIDC, "my-very-secret"));
|
|
| 44 |
logger.info("access token: " + authOIDC.getAccessTokenValue());
|
|
| 45 |
logger.info("openAIREUser: " + JWTGenerator.generateJsonToken(authOIDC));
|
|
| 46 |
logger.info("\n////////////////////////////////////////////////////////////////////////////////////////////////\n");
|
|
| 47 |
|
|
| 48 |
//TODO DELETE LOG |
|
| 49 |
// logger.info("\n////////////////////////////////////////////////////////////////////////////////////////////////\n");
|
|
| 50 |
// logger.info("refresh token: " + authOIDC.getRefreshTokenValue());
|
|
| 51 |
// logger.info("\n////////////////////////////////////////////////////////////////////////////////////////////////\n");
|
|
| 52 |
|
|
| 53 |
|
|
| 54 |
// jwt.setPath(frontPath); |
|
| 55 |
openAIREUser.setPath(frontPath); |
|
| 56 |
accessToken.setPath(frontPath); |
|
| 57 |
|
|
| 58 |
if (frontDomain!=null) {
|
|
| 59 |
// jwt.setDomain(frontDomain); |
|
| 60 |
openAIREUser.setDomain(frontDomain); |
|
| 61 |
accessToken.setDomain(frontDomain); |
|
| 62 |
} |
|
| 63 |
|
|
| 64 |
// response.addCookie(jwt); |
|
| 65 |
response.addCookie(openAIREUser); |
|
| 66 |
response.addCookie(accessToken); |
|
| 67 |
response.sendRedirect(frontEndURI); |
|
| 68 |
|
|
| 69 |
} catch (IOException e) {
|
|
| 70 |
logger.error("IOException in redirection ", e);
|
|
| 71 |
throw new IOException(e); |
|
| 72 |
}catch (IllegalArgumentException e) {
|
|
| 73 |
logger.error("IllegalArgumentException in redirection ", e);
|
|
| 74 |
throw new IllegalArgumentException(e); |
|
| 75 |
} |
|
| 76 |
|
|
| 77 |
} |
|
| 78 |
|
|
| 79 |
public String getFrontEndURI() {
|
|
| 80 |
return frontEndURI; |
|
| 81 |
} |
|
| 82 |
|
|
| 83 |
public void setFrontEndURI(String frontEndURI) {
|
|
| 84 |
this.frontEndURI = frontEndURI; |
|
| 85 |
} |
|
| 86 |
|
|
| 87 |
public String getFrontPath() {
|
|
| 88 |
return frontPath; |
|
| 89 |
} |
|
| 90 |
|
|
| 91 |
public void setFrontPath(String frontPath) {
|
|
| 92 |
this.frontPath = frontPath; |
|
| 93 |
} |
|
| 94 |
|
|
| 95 |
public String getFrontDomain() {
|
|
| 96 |
return frontDomain; |
|
| 97 |
} |
|
| 98 |
|
|
| 99 |
public void setFrontDomain(String frontDomain) {
|
|
| 100 |
this.frontDomain = frontDomain; |
|
| 101 |
} |
|
| 102 |
} |
|
| 103 |
|
|
| 104 |
|
|
| modules/dnet-openaire-users/trunk/src/main/java/eu/dnetlib/openaire/usermanagement/security/JWTGenerator.java | ||
|---|---|---|
| 1 |
package eu.dnetlib.openaire.usermanagement.security; |
|
| 2 |
|
|
| 3 |
import com.google.gson.JsonObject; |
|
| 4 |
import eu.dnetlib.openaire.user.pojos.migration.MigrationUser; |
|
| 5 |
import io.jsonwebtoken.Claims; |
|
| 6 |
import io.jsonwebtoken.Jwts; |
|
| 7 |
import io.jsonwebtoken.SignatureAlgorithm; |
|
| 8 |
import org.apache.log4j.Logger; |
|
| 9 |
import org.mitre.openid.connect.model.OIDCAuthenticationToken; |
|
| 10 |
import org.mitre.openid.connect.model.UserInfo; |
|
| 11 |
|
|
| 12 |
import java.io.UnsupportedEncodingException; |
|
| 13 |
import java.net.URLEncoder; |
|
| 14 |
import java.text.ParseException; |
|
| 15 |
import java.util.Date; |
|
| 16 |
|
|
| 17 |
public class JWTGenerator {
|
|
| 18 |
|
|
| 19 |
private static final Logger logger = Logger.getLogger(JWTGenerator.class); |
|
| 20 |
|
|
| 21 |
public static String generateToken(MigrationUser u, String secret) {
|
|
| 22 |
Claims claims = Jwts.claims().setSubject(u.getUsername()); |
|
| 23 |
claims.put("fullname", u.getFullname() + "");
|
|
| 24 |
claims.put("userId", u.getId() + "");
|
|
| 25 |
claims.put("email", u.getEmail() + "");
|
|
| 26 |
claims.put("role", u.getRoleId());
|
|
| 27 |
|
|
| 28 |
//expiration |
|
| 29 |
long nowMillis = System.currentTimeMillis(); |
|
| 30 |
Date now = new Date(nowMillis); |
|
| 31 |
long ttlMillis = 1800000; |
|
| 32 |
long expMillis = nowMillis + ttlMillis; |
|
| 33 |
Date exp = new Date(expMillis); |
|
| 34 |
|
|
| 35 |
return Jwts.builder() |
|
| 36 |
.setClaims(claims) |
|
| 37 |
.setExpiration(exp) |
|
| 38 |
.signWith(SignatureAlgorithm.HS512, secret) |
|
| 39 |
.compact(); |
|
| 40 |
} |
|
| 41 |
|
|
| 42 |
public static String generateToken(OIDCAuthenticationToken authOIDC, String secret) {
|
|
| 43 |
|
|
| 44 |
try {
|
|
| 45 |
|
|
| 46 |
JsonObject userInfo = authOIDC.getUserInfo().getSource(); |
|
| 47 |
Claims claims = Jwts.claims().setSubject(authOIDC.getUserInfo().getSub()); |
|
| 48 |
claims.put("fullname", URLEncoder.encode(authOIDC.getUserInfo().getName(), "UTF-8") + "");
|
|
| 49 |
|
|
| 50 |
if (authOIDC.getUserInfo().getGivenName() == null){
|
|
| 51 |
logger.info("User: " + authOIDC.getUserInfo().getName() + "doesn't have first name");
|
|
| 52 |
claims.put("firstname", URLEncoder.encode(" ", "UTF-8") + "");
|
|
| 53 |
} else {
|
|
| 54 |
claims.put("firstname", URLEncoder.encode(authOIDC.getUserInfo().getGivenName(), "UTF-8") + "");
|
|
| 55 |
} |
|
| 56 |
if (authOIDC.getUserInfo().getFamilyName() == null){
|
|
| 57 |
logger.info("User: " + authOIDC.getUserInfo().getName() + "doesn't have first name");
|
|
| 58 |
claims.put("lastname", URLEncoder.encode(" ", "UTF-8") + "");
|
|
| 59 |
} else {
|
|
| 60 |
claims.put("lastname", URLEncoder.encode(authOIDC.getUserInfo().getFamilyName(), "UTF-8") + "");
|
|
| 61 |
} |
|
| 62 |
claims.put("email", authOIDC.getUserInfo().getEmail() + "");
|
|
| 63 |
|
|
| 64 |
// if (userInfo.getAsJsonArray("eduPersonScopedAffiliation").toString() != null) {
|
|
| 65 |
// claims.put("role", URLEncoder.encode(userInfo.getAsJsonArray("edu_person_scoped_affiliations").toString(), "UTF-8") + "");
|
|
| 66 |
// } |
|
| 67 |
|
|
| 68 |
if (userInfo.getAsJsonArray("edu_person_entitlements") == null){
|
|
| 69 |
logger.info("User: " + authOIDC.getUserInfo().getName() + "doesn't have role");
|
|
| 70 |
claims.put("role", URLEncoder.encode(" ", "UTF-8") + "");
|
|
| 71 |
} else {
|
|
| 72 |
claims.put("role", URLEncoder.encode(userInfo.getAsJsonArray("edu_person_entitlements").toString(), "UTF-8") + "");
|
|
| 73 |
} |
|
| 74 |
|
|
| 75 |
//TODO remove, We don't need it but if we are going to use it, we need to check if the user has affiliation |
|
| 76 |
//claims.put("edu_person_scoped_affiliations", URLEncoder.encode(userInfo.getAsJsonArray("edu_person_scoped_affiliations").toString(), "UTF-8") + "");
|
|
| 77 |
|
|
| 78 |
//TODO remove |
|
| 79 |
//TODO THIS IS TEST |
|
| 80 |
// claims.put("fullname", URLEncoder.encode("Σοφία Μπαλτζή", "UTF-8") + "");
|
|
| 81 |
// claims.put("firstname", URLEncoder.encode("Σοφία", "UTF-8") + "");
|
|
| 82 |
// claims.put("lastname", URLEncoder.encode("Μπαλτζή", "UTF-8") + "");
|
|
| 83 |
// claims.put("email", "sofie.mpl@gmail.com" + "");
|
|
| 84 |
// claims.put("edu_person_scoped_affiliations", "faculty");
|
|
| 85 |
|
|
| 86 |
Date exp = new Date(authOIDC.getIdToken().getJWTClaimsSet().getExpirationTime().getTime()); |
|
| 87 |
// logger.info("expirationTime: "+ exp);
|
|
| 88 |
|
|
| 89 |
//TODO DELETE LOGS |
|
| 90 |
// logger.info("\n////////////////////////////////////////////////////////////////////////////////////////////////\n");
|
|
| 91 |
// logger.info("fullName: " + authOIDC.getUserInfo().getName());
|
|
| 92 |
// logger.info("firstName: " + authOIDC.getUserInfo().getGivenName());
|
|
| 93 |
// logger.info("lastName: " + authOIDC.getUserInfo().getFamilyName());
|
|
| 94 |
// logger.info("email: " + authOIDC.getUserInfo().getEmail());
|
|
| 95 |
// //logger.info("Check everything");
|
|
| 96 |
// logger.info("locale: " + authOIDC.getUserInfo().getSource());
|
|
| 97 |
// logger.info("role: " + userInfo.getAsJsonArray("edu_person_entitlements").toString());
|
|
| 98 |
// //logger.info("affiliation: " + userInfo.getAsJsonArray("edu_person_scoped_affiliations").toString());
|
|
| 99 |
// logger.info("expirationTime: " + exp);
|
|
| 100 |
// logger.info("\n////////////////////////////////////////////////////////////////////////////////////////////////\n");
|
|
| 101 |
|
|
| 102 |
return Jwts.builder() |
|
| 103 |
.setClaims(claims) |
|
| 104 |
.setExpiration(exp) |
|
| 105 |
.signWith(SignatureAlgorithm.HS512, secret) |
|
| 106 |
.compact(); |
|
| 107 |
|
|
| 108 |
} catch (ParseException e) {
|
|
| 109 |
e.printStackTrace(); |
|
| 110 |
logger.error("JWT Parse Exception from getting Expiration Time ", e);
|
|
| 111 |
return "error"; |
|
| 112 |
} catch (UnsupportedEncodingException e) {
|
|
| 113 |
e.printStackTrace(); |
|
| 114 |
logger.error("UnsupportedEncodingException UTF-8 ", e);
|
|
| 115 |
return "error"; |
|
| 116 |
} |
|
| 117 |
} |
|
| 118 |
|
|
| 119 |
|
|
| 120 |
public static JsonObject generateJsonToken(OIDCAuthenticationToken authOIDC) {
|
|
| 121 |
try {
|
|
| 122 |
|
|
| 123 |
JsonObject userInfo = authOIDC.getUserInfo().getSource(); |
|
| 124 |
JsonObject userInfo2 = new JsonObject(); |
|
| 125 |
|
|
| 126 |
if (authOIDC.getUserInfo().getSub() == null) {
|
|
| 127 |
logger.info("User doesn't have sub");
|
|
| 128 |
userInfo2.addProperty("sub", "");
|
|
| 129 |
} else {
|
|
| 130 |
userInfo2.addProperty("sub", URLEncoder.encode(authOIDC.getUserInfo().getSub(), "UTF-8"));
|
|
| 131 |
} |
|
| 132 |
if (authOIDC.getUserInfo().getName() == null) {
|
|
| 133 |
logger.info("User doesn't have fullname");
|
|
| 134 |
userInfo2.addProperty("fullname", "");
|
|
| 135 |
} else {
|
|
| 136 |
userInfo2.addProperty("fullname", URLEncoder.encode(authOIDC.getUserInfo().getName(), "UTF-8"));
|
|
| 137 |
} |
|
| 138 |
if (authOIDC.getUserInfo().getGivenName() == null){
|
|
| 139 |
logger.info("User: " + authOIDC.getUserInfo().getName() + "doesn't have first name");
|
|
| 140 |
// userInfo2.addProperty("firstname", URLEncoder.encode(" ", "UTF-8") + "");
|
|
| 141 |
userInfo2.addProperty("firstname", "");
|
|
| 142 |
} else {
|
|
| 143 |
userInfo2.addProperty("firstname", URLEncoder.encode(authOIDC.getUserInfo().getGivenName(), "UTF-8") + "");
|
|
| 144 |
} |
|
| 145 |
if (authOIDC.getUserInfo().getFamilyName() == null){
|
|
| 146 |
logger.info("User: " + authOIDC.getUserInfo().getName() + "doesn't have first name");
|
|
| 147 |
// userInfo2.addProperty("lastname", URLEncoder.encode(" ", "UTF-8") + "");
|
|
| 148 |
userInfo2.addProperty("lastname", "");
|
|
| 149 |
} else {
|
|
| 150 |
userInfo2.addProperty("lastname", URLEncoder.encode(authOIDC.getUserInfo().getFamilyName(), "UTF-8") + "");
|
|
| 151 |
} |
|
| 152 |
userInfo2.addProperty("email", authOIDC.getUserInfo().getEmail() + "");
|
|
| 153 |
|
|
| 154 |
if (userInfo.getAsJsonArray("edu_person_entitlements") == null){
|
|
| 155 |
logger.info("User: " + authOIDC.getUserInfo().getName() + "doesn't have role");
|
|
| 156 |
// userInfo2.addProperty("role", URLEncoder.encode(" ", "UTF-8") + "");
|
|
| 157 |
userInfo2.addProperty("role", "");
|
|
| 158 |
} else {
|
|
| 159 |
userInfo2.addProperty("role", URLEncoder.encode(userInfo.getAsJsonArray("edu_person_entitlements").toString(), "UTF-8") + "");
|
|
| 160 |
} |
|
| 161 |
|
|
| 162 |
logger.info("UserINFO: " + userInfo2.toString());
|
|
| 163 |
return userInfo2; |
|
| 164 |
|
|
| 165 |
} catch (UnsupportedEncodingException e) {
|
|
| 166 |
e.printStackTrace(); |
|
| 167 |
logger.error("UnsupportedEncodingException UTF-8 ", e);
|
|
| 168 |
JsonObject error = new JsonObject(); |
|
| 169 |
error.addProperty("error", "UnsupportedEncodingException UTF-8 " + e);
|
|
| 170 |
return error; |
|
| 171 |
} |
|
| 172 |
|
|
| 173 |
} |
|
| 174 |
|
|
| 175 |
//TODO DELETE IF IT IS NOT NECESSARY |
|
| 176 |
public static String generateAccessToken(OIDCAuthenticationToken authOIDC, String secret) {
|
|
| 177 |
Claims claims = Jwts.claims().setId(authOIDC.getAccessTokenValue()); |
|
| 178 |
|
|
| 179 |
//TODO DELETE LOGS |
|
| 180 |
logger.info("\n////////////////////////////////////////////////////////////////////////////////////////////////\n");
|
|
| 181 |
logger.info("access token: " + authOIDC.getAccessTokenValue());
|
|
| 182 |
logger.info("\n////////////////////////////////////////////////////////////////////////////////////////////////\n");
|
|
| 183 |
|
|
| 184 |
return Jwts.builder() |
|
| 185 |
.setClaims(claims) |
|
| 186 |
.signWith(SignatureAlgorithm.HS512, secret) |
|
| 187 |
.compact(); |
|
| 188 |
} |
|
| 189 |
|
|
| 190 |
|
|
| 191 |
public static String generateToken(UserInfo user, String secret) {
|
|
| 192 |
try {
|
|
| 193 |
|
|
| 194 |
JsonObject userInfo = user.getSource(); |
|
| 195 |
|
|
| 196 |
Claims claims = Jwts.claims().setSubject(user.getSub()); |
|
| 197 |
claims.put("email", user.getEmail() + "");
|
|
| 198 |
claims.put("role", URLEncoder.encode(userInfo.getAsJsonArray("edu_person_entitlements").toString(), "UTF-8") + "");
|
|
| 199 |
|
|
| 200 |
return Jwts.builder() |
|
| 201 |
.setClaims(claims) |
|
| 202 |
.signWith(SignatureAlgorithm.HS512, secret) |
|
| 203 |
.compact(); |
|
| 204 |
} catch (UnsupportedEncodingException e) {
|
|
| 205 |
e.printStackTrace(); |
|
| 206 |
logger.error("UnsupportedEncodingException UTF-8 ", e);
|
|
| 207 |
return "error"; |
|
| 208 |
} |
|
| 209 |
} |
|
| 210 |
|
|
| 211 |
} |
|
| 212 |
|
|
| 213 |
|
|
| 214 |
|
|
| 215 |
|
|
| 216 |
// How to add it manually |
|
| 217 |
// long nowMillis = System.currentTimeMillis(); |
|
| 218 |
// //This is my token |
|
| 219 |
// try {
|
|
| 220 |
// String jwt = Jwts.builder() |
|
| 221 |
// .setSubject("Argiro")
|
|
| 222 |
// .setExpiration(new Date(nowMillis+1800000)) |
|
| 223 |
// .claim("fullname", "Argiro Kokogianaki")
|
|
| 224 |
// .claim("id", "8")
|
|
| 225 |
// .claim("email", "argiro@gmail.com")
|
|
| 226 |
// .claim("role","2")
|
|
| 227 |
// .signWith( |
|
| 228 |
// SignatureAlgorithm.HS512, |
|
| 229 |
// "my-very-secret".getBytes("UTF-8")
|
|
| 230 |
// ) |
|
| 231 |
// .compact(); |
|
| modules/dnet-openaire-users/trunk/src/main/java/eu/dnetlib/openaire/usermanagement/registry/beans/Config.java | ||
|---|---|---|
| 1 |
package eu.dnetlib.openaire.usermanagement.registry.beans; |
|
| 2 |
|
|
| 3 |
import org.apache.log4j.Logger; |
|
| 4 |
import org.springframework.beans.factory.annotation.Value; |
|
| 5 |
import org.springframework.context.annotation.Bean; |
|
| 6 |
import org.springframework.context.annotation.Configuration; |
|
| 7 |
import org.springframework.context.annotation.PropertySource; |
|
| 8 |
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory; |
|
| 9 |
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession; |
|
| 10 |
import org.springframework.session.web.http.CookieSerializer; |
|
| 11 |
import org.springframework.session.web.http.DefaultCookieSerializer; |
|
| 12 |
|
|
| 13 |
/** |
|
| 14 |
* Created by stefanos on 14/6/2017. |
|
| 15 |
*/ |
|
| 16 |
@PropertySource(value = { "classpath:eu/dnet/openaire/usermanagement/redis.properties", "classpath:eu/dnet/openaire/usermanagement/springContext-dnetOpenaireUsersService.properties"} )
|
|
| 17 |
@Configuration |
|
| 18 |
@EnableRedisHttpSession |
|
| 19 |
public class Config {
|
|
| 20 |
|
|
| 21 |
private static Logger logger = Logger.getLogger(Config.class); |
|
| 22 |
|
|
| 23 |
@Value("${redis.host:localhost}")
|
|
| 24 |
private String host; |
|
| 25 |
|
|
| 26 |
@Value("${redis.port:6379}")
|
|
| 27 |
private String port; |
|
| 28 |
|
|
| 29 |
@Value("${redis.password:#{null}}")
|
|
| 30 |
private String password; |
|
| 31 |
|
|
| 32 |
@Value("${webbapp.front.domain:.openaire.eu}")
|
|
| 33 |
private String domain; |
|
| 34 |
|
|
| 35 |
@Bean |
|
| 36 |
public LettuceConnectionFactory connectionFactory() {
|
|
| 37 |
logger.info(String.format("Redis connection listens to %s:%s ",host,port));
|
|
| 38 |
LettuceConnectionFactory factory = new LettuceConnectionFactory(host,Integer.parseInt(port)); |
|
| 39 |
if(password != null) factory.setPassword(password); |
|
| 40 |
return factory; |
|
| 41 |
} |
|
| 42 |
|
|
| 43 |
@Bean |
|
| 44 |
public CookieSerializer cookieSerializer() {
|
|
| 45 |
logger.info("Cookie Serializer: Domain is "+domain);
|
|
| 46 |
DefaultCookieSerializer serializer = new DefaultCookieSerializer(); |
|
| 47 |
serializer.setCookieName("openAIRESession"); // <1>
|
|
| 48 |
serializer.setCookiePath("/"); // <2>
|
|
| 49 |
// serializer.setDomainNamePattern(""); //with value "" set's the domain of the service e.g scoobydoo.di.uoa.gr
|
|
| 50 |
serializer.setDomainName(domain); |
|
| 51 |
return serializer; |
|
| 52 |
} |
|
| 53 |
} |
|
| modules/dnet-openaire-users/trunk/src/main/java/eu/dnetlib/openaire/usermanagement/api/Test3Service.java | ||
|---|---|---|
| 14 | 14 |
import eu.dnetlib.openaire.user.dao.SQLMigrationUserDAO; |
| 15 | 15 |
import eu.dnetlib.openaire.user.ldap.MUserActionsLDAP; |
| 16 | 16 |
import eu.dnetlib.openaire.user.store.DataSourceConnector; |
| 17 |
import eu.dnetlib.openaire.usermanagement.security.JWTGenerator; |
|
| 17 |
import org.apache.commons.io.IOUtils; |
|
| 18 |
import org.apache.http.HttpResponse; |
|
| 19 |
import org.apache.http.NameValuePair; |
|
| 20 |
import org.apache.http.client.entity.UrlEncodedFormEntity; |
|
| 21 |
import org.apache.http.client.methods.HttpPost; |
|
| 22 |
import org.apache.http.impl.client.CloseableHttpClient; |
|
| 23 |
import org.apache.http.impl.client.HttpClients; |
|
| 24 |
import org.apache.http.message.BasicNameValuePair; |
|
| 18 | 25 |
import org.apache.log4j.Logger; |
| 19 | 26 |
import org.mitre.openid.connect.model.OIDCAuthenticationToken; |
| 20 | 27 |
import org.mitre.openid.connect.model.UserInfo; |
| ... | ... | |
| 22 | 29 |
import org.springframework.beans.factory.annotation.Value; |
| 23 | 30 |
import org.springframework.http.*; |
| 24 | 31 |
import org.springframework.http.HttpMethod; |
| 32 |
import org.springframework.security.access.prepost.PreAuthorize; |
|
| 33 |
import org.springframework.security.core.annotation.AuthenticationPrincipal; |
|
| 25 | 34 |
import org.springframework.security.core.context.SecurityContextHolder; |
| 35 |
import org.springframework.security.core.userdetails.UserDetails; |
|
| 26 | 36 |
import org.springframework.stereotype.Component; |
| 27 | 37 |
import org.springframework.web.client.DefaultResponseErrorHandler; |
| 28 | 38 |
import org.springframework.web.client.RestTemplate; |
| 39 |
import sun.net.www.http.HttpClient; |
|
| 29 | 40 |
|
| 30 | 41 |
import javax.ws.rs.*; |
| 31 | 42 |
import javax.ws.rs.core.MediaType; |
| 32 | 43 |
import javax.ws.rs.core.Response; |
| 44 |
import java.io.IOException; |
|
| 45 |
import java.io.InputStream; |
|
| 46 |
import java.io.UnsupportedEncodingException; |
|
| 47 |
import java.nio.charset.StandardCharsets; |
|
| 33 | 48 |
import java.sql.SQLException; |
| 49 |
import java.util.ArrayList; |
|
| 50 |
import java.util.List; |
|
| 34 | 51 |
|
| 35 | 52 |
/** |
| 36 | 53 |
* Created by sofia on 24/11/2016. |
| ... | ... | |
| 53 | 70 |
@Value("${oidc.issuer}")
|
| 54 | 71 |
private String issuer; |
| 55 | 72 |
|
| 56 |
@GET |
|
| 57 |
@Path("/{userId}")
|
|
| 58 |
@Produces(MediaType.APPLICATION_JSON) |
|
| 59 |
public Response getUserById(@PathParam("userId") int userId) {
|
|
| 60 |
try {
|
|
| 61 |
MigrationUser mUser = sqlMigrationUserDAO.fetchById(userId); |
|
| 73 |
@Value("${oidc.secret}")
|
|
| 74 |
private String secret; |
|
| 62 | 75 |
|
| 63 |
// Invalide user ID |
|
| 64 |
if (mUser == null) {
|
|
| 65 |
String errorMessageJson = compose404Message("Cannot find user with id " + userId + ".");
|
|
| 76 |
@Value("${oidc.id}")
|
|
| 77 |
private String id; |
|
| 66 | 78 |
|
| 67 |
return Response |
|
| 68 |
.status(Response.Status.NOT_FOUND) |
|
| 69 |
.entity(errorMessageJson) |
|
| 70 |
.type(MediaType.APPLICATION_JSON) |
|
| 71 |
.build(); |
|
| 72 |
} |
|
| 73 |
|
|
| 74 |
return Response.status(200).entity(composeDataResponse(mUser)).build(); |
|
| 75 |
} |
|
| 76 |
catch (SQLException e) {
|
|
| 77 |
return Response |
|
| 78 |
.status(Response.Status.INTERNAL_SERVER_ERROR) |
|
| 79 |
.entity(compose500Message("Fail to fetch users.", e))
|
|
| 80 |
.type(MediaType.APPLICATION_JSON) |
|
| 81 |
.build(); |
|
| 82 |
} |
|
| 83 |
} |
|
| 84 |
|
|
| 85 |
/* How to check @browser ../authenticate/?username=MY_USERNAME&password=MY_PASSWORD |
|
| 86 |
* http://localhost:8080/uoa-user-management-1.0.0-SNAPSHOT/api/users/authenticate?username=sba&password=12345678 |
|
| 87 | 79 |
@GET |
| 88 |
@Path("/authenticate")
|
|
| 80 |
@Path("/getToken")
|
|
| 89 | 81 |
@Produces(MediaType.APPLICATION_JSON) |
| 90 |
public Response authenticateUserGET(@QueryParam("username") String username, @QueryParam("password") String password)
|
|
| 91 |
{
|
|
| 92 |
return commonAuthenticateFunction(username, password); |
|
| 82 |
public Response getToken(@QueryParam("accessToken") String accessToken){
|
|
| 83 |
logger.debug("Refresh token " + accessToken);
|
|
| 84 |
System.out.printf("HELLO PAPAGENA");
|
|
| 85 |
CloseableHttpClient httpclient = HttpClients.createDefault(); |
|
| 86 |
HttpPost httppost = new HttpPost(issuer+"/token"); |
|
| 93 | 87 |
|
| 94 |
}*/ |
|
| 95 |
|
|
| 96 |
@POST |
|
| 97 |
@Path("/authenticates")
|
|
| 98 |
@Produces(MediaType.APPLICATION_JSON) |
|
| 99 |
@Consumes(MediaType.APPLICATION_JSON) |
|
| 100 |
public Response authenticateUserPOST(String input) {
|
|
| 101 |
JsonObject jsonObject = new JsonParser().parse(input).getAsJsonObject(); |
|
| 102 |
|
|
| 103 |
String username = jsonObject.get("username").getAsString();
|
|
| 104 |
String password = jsonObject.get("password").getAsString();
|
|
| 105 |
|
|
| 106 |
return commonAuthenticateFunction(username, password); |
|
| 107 |
} |
|
| 108 |
|
|
| 109 |
private Response commonAuthenticateFunction(String username, String password) |
|
| 110 |
{
|
|
| 88 |
// Request parameters and other properties. |
|
| 89 |
List<NameValuePair> params = new ArrayList<NameValuePair>(); |
|
| 90 |
params.add(new BasicNameValuePair("client_id", id));
|
|
| 91 |
params.add(new BasicNameValuePair("client_secret", secret));
|
|
| 92 |
params.add(new BasicNameValuePair("grant_type", "refresh_token"));
|
|
| 93 |
params.add(new BasicNameValuePair("refresh_token", accessToken));
|
|
| 94 |
params.add(new BasicNameValuePair("scope", "openid email profile"));
|
|
| 111 | 95 |
try {
|
| 112 |
boolean usernameExists = mUserActionsLDAP.usernameExists(username); |
|
| 96 |
httppost.setEntity(new UrlEncodedFormEntity(params, "UTF-8")); |
|
| 97 |
//Execute and get the response. |
|
| 98 |
HttpResponse response = null; |
|
| 113 | 99 |
|
| 114 |
// if user was not found |
|
| 115 |
if (!usernameExists) {
|
|
| 116 |
String errorMessageJson = compose401Message("Wrong credentials.");
|
|
| 100 |
response = httpclient.execute(httppost); |
|
| 117 | 101 |
|
| 118 |
return Response |
|
| 119 |
.status(Response.Status.UNAUTHORIZED) |
|
| 120 |
.entity(errorMessageJson) |
|
| 121 |
.type(MediaType.APPLICATION_JSON) |
|
| 122 |
.build(); |
|
| 123 |
} |
|
| 102 |
org.apache.http.HttpEntity entity = response.getEntity(); |
|
| 124 | 103 |
|
| 125 |
boolean authenticated = mUserActionsLDAP.authenticate(username, password); |
|
| 126 |
|
|
| 127 |
// if user was not authenticated |
|
| 128 |
if (!authenticated) {
|
|
| 129 |
return Response |
|
| 130 |
.status(Response.Status.UNAUTHORIZED) |
|
| 131 |
.entity(compose401Message("User " + username + " could not be authenticated."))
|
|
| 132 |
.type(MediaType.APPLICATION_JSON) |
|
| 133 |
.build(); |
|
| 104 |
logger.debug("I am here");
|
|
| 105 |
if (entity != null) {
|
|
| 106 |
try (InputStream instream = entity.getContent()) {
|
|
| 107 |
logger.debug(IOUtils.toString(instream, StandardCharsets.UTF_8.name())); |
|
| 108 |
} |
|
| 134 | 109 |
} |
| 135 | 110 |
|
| 136 |
MigrationUser mUser = sqlMigrationUserDAO.fetchByUsername(username); |
|
| 111 |
} catch (UnsupportedEncodingException e) {
|
|
| 112 |
logger.error(e); |
|
| 137 | 113 |
|
| 138 |
// if user was not found in my db |
|
| 139 |
LDAPUser ldapUser = null; |
|
| 140 |
if (mUser == null) {
|
|
| 141 |
mUser = new MigrationUser(username); |
|
| 142 |
ldapUser = mUserActionsLDAP.getUser(username); |
|
| 143 |
mUser.setFullname(ldapUser.getDisplayName()); |
|
| 144 |
mUser.setEmail(ldapUser.getEmail()); |
|
| 145 |
mUser.setRoleId(2); |
|
| 146 |
|
|
| 147 |
|
|
| 148 |
sqlMigrationUserDAO.insert(mUser); |
|
| 149 |
} |
|
| 150 |
return Response.status(200).entity(composeDataResponse(mUser)).type(MediaType.APPLICATION_JSON).build(); |
|
| 151 |
|
|
| 152 |
} catch (LDAPException exc) {
|
|
| 153 |
logger.error("Fail to connect to LDAP. ", exc);
|
|
| 154 |
return Response |
|
| 155 |
.status(Response.Status.INTERNAL_SERVER_ERROR) |
|
| 156 |
.entity(compose500Message("LDAP error.", exc))
|
|
| 157 |
.type(MediaType.APPLICATION_JSON) |
|
| 158 |
.build(); |
|
| 159 |
|
|
| 160 |
} catch (SQLException exc) {
|
|
| 161 |
logger.error("Fail to fetch users. ", exc);
|
|
| 162 |
return Response |
|
| 163 |
.status(Response.Status.INTERNAL_SERVER_ERROR) |
|
| 164 |
.entity(compose500Message("Fail to fetch users.", exc))
|
|
| 165 |
.type(MediaType.APPLICATION_JSON) |
|
| 166 |
.build(); |
|
| 114 |
} catch (IOException e) {
|
|
| 115 |
logger.error(e); |
|
| 167 | 116 |
} |
| 168 | 117 |
|
| 169 |
}
|
|
| 118 |
logger.info("DDDDDDDD");
|
|
| 170 | 119 |
|
| 171 |
@GET |
|
| 172 |
@Path("/changeRole")
|
|
| 173 |
@Produces(MediaType.APPLICATION_JSON) |
|
| 174 |
public Response changeRole(@QueryParam("roleId") int roleId, @QueryParam("userId") int userId)
|
|
| 175 |
{
|
|
| 176 |
RoleDAO roleDAO = new RoleDAO(); |
|
| 177 |
try |
|
| 178 |
{
|
|
| 179 |
Role role = roleDAO.fetchById(roleId); |
|
| 180 |
if (role == null) |
|
| 181 |
{
|
|
| 182 |
//fetch all roleids TODO |
|
| 183 |
String errorMessageJson = compose404Message("Cannot find role with id" + roleId + ".");
|
|
| 184 |
|
|
| 185 |
return Response |
|
| 186 |
.status(Response.Status.NOT_FOUND) |
|
| 187 |
.entity(errorMessageJson) |
|
| 188 |
.type(MediaType.APPLICATION_JSON) |
|
| 189 |
.build(); |
|
| 190 |
} |
|
| 191 |
|
|
| 192 |
MigrationUser mUser = sqlMigrationUserDAO.fetchById(userId); |
|
| 193 |
|
|
| 194 |
if (mUser == null) |
|
| 195 |
{
|
|
| 196 |
String errorMessageJson = compose404Message("Cannot find user with id " + userId + ".");
|
|
| 197 |
|
|
| 198 |
return Response |
|
| 199 |
.status(Response.Status.NOT_FOUND) |
|
| 200 |
.entity(errorMessageJson) |
|
| 201 |
.type(MediaType.APPLICATION_JSON) |
|
| 202 |
.build(); |
|
| 203 |
} |
|
| 204 |
|
|
| 205 |
mUser.setRoleId(roleId); |
|
| 206 |
sqlMigrationUserDAO.update(mUser); |
|
| 207 |
|
|
| 208 |
return Response.status(200).entity(composeDataResponse(mUser)).build(); |
|
| 209 |
} |
|
| 210 |
catch (SQLException exc) |
|
| 211 |
{
|
|
| 212 |
return Response |
|
| 213 |
.status(Response.Status.INTERNAL_SERVER_ERROR) |
|
| 214 |
.entity(compose500Message("Fail to fetch users.", exc))
|
|
| 215 |
.type(MediaType.APPLICATION_JSON) |
|
| 216 |
.build(); |
|
| 217 |
} |
|
| 120 |
return Response.status(200).type(MediaType.APPLICATION_JSON).build(); |
|
| 218 | 121 |
} |
| 219 | 122 |
|
| 220 | 123 |
@GET |
| 221 | 124 |
@Path("/getUserInfo")
|
| 222 | 125 |
@Produces(MediaType.APPLICATION_JSON) |
| 126 |
//TODO REMOVE THIS and make the request directly to aai service {oidc.issuer} OR! see what is done with redis
|
|
| 223 | 127 |
public Response getUserInfo(@QueryParam("accessToken") String accessToken) throws JsonProcessingException {
|
| 224 | 128 |
//return Response.status(404).entity(compose404Message("This is a test message.")).type(MediaType.APPLICATION_JSON).build();
|
| 225 | 129 |
// call aai with accessToken |
| ... | ... | |
| 236 | 140 |
//logger.info(restTemplate.exchange(fooResourceUrl, HttpMethod.GET, request, Object.class)); |
| 237 | 141 |
ResponseEntity response1 = restTemplate.exchange(fooResourceUrl, HttpMethod.GET, request, Object.class); |
| 238 | 142 |
logger.info(response1.getBody().toString()); |
| 143 |
|
|
| 239 | 144 |
ObjectMapper mapper = new ObjectMapper(); |
| 240 | 145 |
|
| 241 | 146 |
return Response.status(response1.getStatusCode().value()).entity(mapper.writeValueAsString(response1.getBody())).type(MediaType.APPLICATION_JSON).build(); |
| ... | ... | |
| 278 | 183 |
} |
| 279 | 184 |
return Response.status(200).entity(userInfoJson.toString()).type(MediaType.APPLICATION_JSON).build(); |
| 280 | 185 |
} |
| 186 |
|
|
| 187 |
/* |
|
| 188 |
@GET |
|
| 189 |
@Path("/katerina")
|
|
| 190 |
@Produces(MediaType.APPLICATION_JSON) |
|
| 191 |
//@PreAuthorize("hasRole('ROLE_USER')")
|
|
| 192 |
@PreAuthorize("hasAuthority('urn:geant:openaire.eu:group:Registered+User#aai.openaire.eu')")
|
|
| 193 |
public Response getKaterina() {
|
|
| 194 |
return Response.status(200).build(); |
|
| 195 |
} |
|
| 196 |
|
|
| 197 |
@GET |
|
| 198 |
@Path("/skata")
|
|
| 199 |
@Produces(MediaType.APPLICATION_JSON) |
|
| 200 |
@PreAuthorize("hasRole('ROLE_USER')")
|
|
| 201 |
public Response getKaterina2() {
|
|
| 202 |
return Response.status(200).build(); |
|
| 203 |
} |
|
| 204 |
|
|
| 205 |
@GET |
|
| 206 |
@Path("/skata2")
|
|
| 207 |
@Produces(MediaType.APPLICATION_JSON) |
|
| 208 |
@PreAuthorize("hasAuthority('skata')")
|
|
| 209 |
public Response getKaterina3() {
|
|
| 210 |
return Response.status(200).build(); |
|
| 211 |
} |
|
| 212 |
|
|
| 213 |
|
|
| 214 |
@GET |
|
| 215 |
@Path("/me")
|
|
| 216 |
//@Produces(MediaType.APPLICATION_JSON) |
|
| 217 |
public Response getKaterina(@AuthenticationPrincipal UserDetails userDetails) {
|
|
| 218 |
//return Response.status(200).entity(userDetails).type(MediaType.APPLICATION_JSON).build(); |
|
| 219 |
return Response.status(200).build(); |
|
| 220 |
} |
|
| 221 |
*/ |
|
| 222 |
|
|
| 281 | 223 |
/* JSON Utility Methods */ |
| 282 |
|
|
| 283 | 224 |
private String compose401Message(String message) {
|
| 284 | 225 |
return "{ \"status\" : \"error\", \"code\" : \"401\", \"message\" : \" " + message +" \" }";
|
| 285 | 226 |
} |
| ... | ... | |
| 293 | 234 |
"\"description\" : \""+ exception.getMessage() +"\" }"; |
| 294 | 235 |
} |
| 295 | 236 |
|
| 296 |
private String composeDataResponse(UserInfo user) {
|
|
| 297 |
return "{ \"status\" : \"success\", \"code\": \"200\", " + "\"data\" : \"" + JWTGenerator.generateToken(user, "my-very-secret") + "\" }";
|
|
| 298 |
} |
|
| 299 |
|
|
| 300 |
private String composeDataResponse(MigrationUser user) {
|
|
| 301 |
//return "{ \"status\" : \"success\", \"code\": \"200\", " + "\"data\" : " + new Gson().toJson(user) + " }";
|
|
| 302 |
return "{ \"status\" : \"success\", \"code\": \"200\", " + "\"data\" : \"" + JWTGenerator.generateToken(user, "my-very-secret") + "\" }";
|
|
| 303 |
} |
|
| 304 |
|
|
| 305 | 237 |
private String composeDataResponse(LDAPUser user) {
|
| 306 | 238 |
return " { \"status\" : \"success\", \"code\": \"200\", " + "\"data\" : " + new Gson().toJson(user) + " }";
|
| 307 | 239 |
} |
| 308 | 240 |
|
| 309 |
// private String composeDataResponse(String username) {
|
|
| 310 |
// return " { \"status\" : \"success\", \"code\": \"200\", " + "\"data\" : " + new Gson().toJson(username) + " }";
|
|
| 311 |
// } |
|
| 312 |
|
|
| 313 | 241 |
private String composeDataResponse(String fullname) {
|
| 314 | 242 |
return " { \"status\" : \"success\", \"code\": \"200\", " + "\"data\" : " + new Gson().toJson(fullname) + " }";
|
| 315 | 243 |
} |
| modules/dnet-openaire-users/trunk/src/main/resources/eu/dnet/openaire/usermanagement/redis.properties | ||
|---|---|---|
| 1 |
redis.host = 127.0.0.1 |
|
| 2 |
#redis.port = 6379 |
|
| 3 |
#redis.password |
|
| 4 |
|
|
| 5 |
|
|
| modules/dnet-openaire-users/trunk/src/main/resources/eu/dnet/openaire/usermanagement/springContext-dnetOpenaireUsersService.properties | ||
|---|---|---|
| 1 |
oidc.id=767422b9-5461-4807-a80a-f9a2072d3a7d |
|
| 2 |
oidc.secret=AMQtGlbTXNjwjhF0st28LmM6V0XypMdaVS7tJmGuYFlmH36iIv4t7tVqYuLYrNPkhnZ_GPUJvhymBhFupdgb6aU |
|
| 3 |
oidc.issuer = https://aai.openaire.eu/oidc/ |
|
| 4 |
|
|
| 5 |
#oidc.home = https://beta.services.openaire.eu/admin-user-management/openid_connect_login |
|
| 6 |
#webbapp.front = https://beta.admin.connect.openaire.eu/reload |
|
| 7 |
#webbapp.front.path = / |
|
| 8 |
#webbapp.front.domain = .openaire.eu |
|
| 9 |
|
|
| 10 |
#testing |
|
| 11 |
oidc.home = http://scoobydoo.di.uoa.gr:8080/dnet-openaire-users-1.0.0-SNAPSHOT/openid_connect_login |
|
| 12 |
webbapp.front = https://scoobydoo.di.uoa.gr:4200/reload |
|
| 13 |
webbapp.front.path = / |
|
| 14 |
webbapp.front.domain =.di.uoa.gr |
|
| 15 |
|
|
| 16 | 1 |
google.recaptcha.secret = 6LfYrU8UAAAAADwrbImPvDo_XcxEZvrkkgMy9yU0 |
| 17 | 2 |
google.recaptcha.key = 6LfYrU8UAAAAAFsl3m2YhP1uavdmAdFEXBkoY_vd |
| modules/dnet-openaire-users/trunk/src/main/webapp/WEB-INF/springContext-dnetOpenaireUsersService.xml | ||
|---|---|---|
| 1 | 1 |
<?xml version="1.0" encoding="UTF-8"?> |
| 2 |
<!--<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
|
| 3 |
xmlns:context="http://www.springframework.org/schema/context" |
|
| 4 |
xmlns="http://www.springframework.org/schema/beans" |
|
| 5 |
xmlns:security="http://www.springframework.org/schema/security" |
|
| 6 |
xmlns:util="http://www.springframework.org/schema/util" |
|
| 7 |
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd |
|
| 8 |
http://www.springframework.org/schema/context |
|
| 9 |
http://www.springframework.org/schema/context/spring-context-4.0.xsd |
|
| 10 |
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd |
|
| 11 |
http://www.springframework.org/schema/util |
|
| 12 |
http://www.springframework.org/schema/util/spring-util.xsd" |
|
| 13 |
default-autowire="byName"> --> |
|
| 14 | 2 |
<beans xmlns="http://www.springframework.org/schema/beans" |
| 15 | 3 |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| 16 | 4 |
xmlns:context="http://www.springframework.org/schema/context" |
| 17 | 5 |
xmlns:security="http://www.springframework.org/schema/security" |
| 18 | 6 |
xmlns:util="http://www.springframework.org/schema/util" |
| 19 | 7 |
xsi:schemaLocation=" |
| 20 |
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
|
|
| 8 |
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
|
|
| 21 | 9 |
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd |
| 22 | 10 |
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.2.xsd |
| 23 | 11 |
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.2.xsd" |
| 24 | 12 |
default-autowire="byType"> |
| 25 | 13 |
|
| 26 |
|
|
| 27 |
<!--<bean id="dataSourceConnector" class="eu.dnetlib.openaire.user.store.DataSourceConnector" init-method="init" autowire="byName">--> |
|
| 28 |
<!--<property name="username" value="${openaire.users.db.username}"/>-->
|
|
| 29 |
<!--<property name="password" value="${openaire.users.db.password}"/>-->
|
|
| 30 |
<!--<property name="dbUrl" value="${openaire.users.db.url}" />-->
|
|
| 31 |
<!--<property name="driver" value="${openaire.users.db.driverClassName}" />-->
|
|
| 32 |
<!--</bean>--> |
|
| 33 |
|
|
| 34 |
<!--<bean id="sqlMigrationUserDAO" class="eu.dnetlib.openaire.user.dao.SQLMigrationUserDAO" autowire="byName"/>--> |
|
| 35 |
|
|
| 36 |
<!--<bean id="userVerificationDAO" class="eu.dnetlib.openaire.user.dao.UserVerificationDAO">--> |
|
| 37 |
<!--<property name="dataSourceConnector" ref="dataSourceConnector"/>--> |
|
| 38 |
<!--</bean>--> |
|
| 39 |
|
|
| 40 |
|
|
| 41 |
|
|
| 42 |
<!--<bean id="verificationActions" class="eu.dnetlib.openaire.user.utils.VerificationActions">--> |
|
| 43 |
<!--<property name="dataSourceConnector" ref="dataSourceConnector"/>--> |
|
| 44 |
<!--</bean>--> |
|
| 45 |
|
|
| 46 |
|
|
| 47 |
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/> |
|
| 48 |
|
|
| 49 |
<security:http auto-config="false" use-expressions="true" |
|
| 50 |
disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" |
|
| 51 |
pattern="/**"> |
|
| 52 |
|
|
| 53 |
<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" /> |
|
| 54 |
|
|
| 55 |
<security:logout logout-url="/openid_logout" invalidate-session="true"/> |
|
| 56 |
|
|
| 57 |
</security:http> |
|
| 58 |
|
|
| 59 |
<bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/> |
|
| 60 |
|
|
| 61 |
<bean id="webexpressionHandler" |
|
| 62 |
class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/> |
|
| 63 |
|
|
| 64 |
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" > |
|
| 65 |
<constructor-arg type="java.lang.String" value="/openid_connect_login"/> |
|
| 66 |
</bean> |
|
| 67 |
|
|
| 68 |
<security:authentication-manager alias="authenticationManager"> |
|
| 69 |
<security:authentication-provider ref="openIdConnectAuthenticationProvider" /> |
|
| 70 |
</security:authentication-manager> |
|
| 71 |
|
|
| 72 |
<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider"> |
|
| 73 |
<property name="authoritiesMapper"> |
|
| 74 |
<bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper"> |
|
| 75 |
<property name="admins" ref="namedAdmins" /> |
|
| 76 |
</bean> |
|
| 77 |
</property> |
|
| 78 |
</bean> |
|
| 79 |
|
|
| 80 |
<util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority"> |
|
| 81 |
<!-- |
|
| 82 |
This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER. |
|
| 83 |
Note that having an administrator role on the IdP doesn't grant administrator access on this client. |
|
| 84 |
|
|
| 85 |
These are values from the demo "openid-connect-server-webapp" project of MITREid Connect. |
|
| 86 |
--> |
|
| 87 |
<bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority"> |
|
| 88 |
<constructor-arg name="subject" value="subject_value" /> |
|
| 89 |
<constructor-arg name="issuer" value="${oidc.issuer}" />
|
|
| 90 |
</bean> |
|
| 91 |
</util:set> |
|
| 92 |
|
|
| 93 |
|
|
| 94 |
<bean class="eu.dnetlib.openaire.usermanagement.security.FrontEndLinkURIAuthenticationSuccessHandler" id="frontEndRedirect"> |
|
| 95 |
<property name="frontEndURI" value="${webbapp.front}"/>
|
|
| 96 |
<property name="frontPath" value="${webbapp.front.path}"/>
|
|
| 97 |
<property name="frontDomain" value="${webbapp.front.domain:#{null}}"/>
|
|
| 98 |
</bean> |
|
| 99 |
|
|
| 100 |
<!--<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>--> |
|
| 101 |
<!--<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">--> |
|
| 102 |
<!--<property name="filterProcessesUrl" value="/logout"/>--> |
|
| 103 |
<!--<constructor-arg index="0" value="/"/>--> |
|
| 104 |
<!--<constructor-arg index="1">--> |
|
| 105 |
<!--<list>--> |
|
| 106 |
<!--<ref bean="securityContextLogoutHandler"/>--> |
|
| 107 |
<!--<!–ref bean="myLogoutHandler"/–>--> |
|
| 108 |
<!--</list>--> |
|
| 109 |
<!--</constructor-arg>--> |
|
| 110 |
<!--</bean>--> |
|
| 111 |
|
|
| 112 |
<!--<bean class="eu.dnetlib.openaire.user.security.FrontEndLinkURILogoutSuccessHandler" id="frontEndRedirectLogout"/>--> |
|
| 113 |
|
|
| 114 |
<!--<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">--> |
|
| 115 |
<!--<property name="filterProcessesUrl" value="/logout"/>--> |
|
| 116 |
<!--<constructor-arg index="0" value="/"/>--> |
|
| 117 |
<!--<constructor-arg index="1">--> |
|
| 118 |
<!--<list>--> |
|
| 119 |
<!--<ref bean="securityContextLogoutHandler"/>--> |
|
| 120 |
<!--<!–ref bean="myLogoutHandler"/–>--> |
|
| 121 |
<!--</list>--> |
|
| 122 |
<!--</constructor-arg>--> |
|
| 123 |
<!--</bean>--> |
|
| 124 |
<!-- |
|
| 125 |
- |
|
| 126 |
- The authentication filter |
|
| 127 |
- |
|
| 128 |
--> |
|
| 129 |
<bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter"> |
|
| 130 |
<property name="authenticationManager" ref="authenticationManager" /> |
|
| 131 |
<property name="issuerService" ref="staticIssuerService" /> |
|
| 132 |
<property name="serverConfigurationService" ref="staticServerConfigurationService" /> |
|
| 133 |
<property name="clientConfigurationService" ref="staticClientConfigurationService" /> |
|
| 134 |
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" /> |
|
| 135 |
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" /> |
|
| 136 |
<property name="authenticationSuccessHandler" ref="frontEndRedirect"/> |
|
| 137 |
|
|
| 138 |
</bean> |
|
| 139 |
|
|
| 140 |
<!-- |
|
| 141 |
Static issuer service, returns the same issuer for every request. |
|
| 142 |
--> |
|
| 143 |
<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService"> |
|
| 144 |
<property name="issuer" value="${oidc.issuer}" />
|
|
| 145 |
</bean> |
|
| 146 |
|
|
| 147 |
<!-- |
|
| 148 |
Dynamic server configuration, fetches the server's information using OIDC Discovery. |
|
| 149 |
--> |
|
| 150 |
<bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService" id="staticServerConfigurationService"> |
|
| 151 |
<property name="servers"> |
|
| 152 |
<map> |
|
| 153 |
<entry key="${oidc.issuer}">
|
|
| 154 |
<bean class="org.mitre.openid.connect.config.ServerConfiguration"> |
|
| 155 |
<property name="issuer" value="${oidc.issuer}" />
|
|
| 156 |
<property name="authorizationEndpointUri" value="${oidc.issuer}authorize" />
|
|
| 157 |
<property name="tokenEndpointUri" value="${oidc.issuer}token" />
|
|
| 158 |
<property name="userInfoUri" value="${oidc.issuer}userinfo" />
|
|
| 159 |
<property name="jwksUri" value="${oidc.issuer}jwk" />
|
|
| 160 |
<property name="revocationEndpointUri" value="${oidc.issuer}revoke" />
|
|
| 161 |
</bean> |
|
| 162 |
</entry> |
|
| 163 |
</map> |
|
| 164 |
</property> |
|
| 165 |
</bean> |
|
| 166 |
|
|
| 167 |
|
|
| 168 |
<!-- |
|
| 169 |
Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis. |
|
| 170 |
|
|
| 171 |
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService"> |
|
| 172 |
<property name="clients"> |
|
| 173 |
<map> |
|
| 174 |
<entry key="${oidc.issuer}">
|
|
| 175 |
<bean class="org.mitre.oauth2.model.RegisteredClient"> |
|
| 176 |
<property name="clientId" value="${oidc.id}" />
|
|
| 177 |
<property name="clientSecret" value="${oidc.secret}" />
|
|
| 178 |
<property name="scope"> |
|
| 179 |
<set value-type="java.lang.String"> |
|
| 180 |
<value>openid</value> |
|
| 181 |
</set> |
|
| 182 |
</property> xmlns:oauth="http://www.springframework.org/schema/security/oauth2" |
|
| 183 |
|
|
| 184 |
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" /> |
|
| 185 |
<property name="redirectUris"> |
|
| 186 |
<set> |
|
| 187 |
<value>${oidc.home}</value>
|
|
| 188 |
</set> |
|
| 189 |
</property> |
|
| 190 |
</bean> |
|
| 191 |
</entry> |
|
| 192 |
</map> |
|
| 193 |
</property> |
|
| 194 |
</bean> |
|
| 195 |
--> |
|
| 196 |
|
|
| 197 |
|
|
| 198 |
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService"> |
|
| 199 |
<property name="clients"> |
|
| 200 |
<map> |
|
| 201 |
<entry key="${oidc.issuer}">
|
|
| 202 |
<bean class="org.mitre.oauth2.model.RegisteredClient"> |
|
| 203 |
<property name="clientId" value="${oidc.id}" />
|
|
| 204 |
<property name="clientSecret" value="${oidc.secret}" />
|
|
| 205 |
<property name="scope"> |
|
| 206 |
<set value-type="java.lang.String"> |
|
| 207 |
<value>openid</value> |
|
| 208 |
</set> |
|
| 209 |
</property> |
|
| 210 |
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" /> |
|
| 211 |
<property name="redirectUris"> |
|
| 212 |
<set> |
|
| 213 |
<value>${oidc.home}</value>
|
|
| 214 |
</set> |
|
| 215 |
</property> |
|
| 216 |
</bean> |
|
| 217 |
</entry> |
|
| 218 |
</map> |
|
| 219 |
</property> |
|
| 220 |
</bean> |
|
| 221 |
|
|
| 222 |
<!-- |
|
| 223 |
- |
|
| 224 |
- Auth request options service: returns the optional components of the request |
|
| 225 |
- |
|
| 226 |
--> |
|
| 227 |
<bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService"> |
|
| 228 |
<property name="options"> |
|
| 229 |
<map> |
|
| 230 |
<!-- Entries in this map are sent as key-value parameters to the auth request --> |
|
| 231 |
<!-- |
|
| 232 |
<entry key="display" value="page" /> |
|
| 233 |
<entry key="max_age" value="30" /> |
|
| 234 |
<entry key="prompt" value="none" /> |
|
| 235 |
--> |
|
| 236 |
</map> |
|
| 237 |
</property> |
|
| 238 |
</bean> |
|
| 239 |
|
|
| 240 |
<!-- |
|
| 241 |
Plain authorization request builder, puts all options as query parameters on the GET request |
|
| 242 |
--> |
|
| 243 |
<bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" /> |
|
| 244 |
|
|
| 245 | 14 |
<context:component-scan base-package="eu.dnetlib.openaire.user.api.services" /> |
| 246 |
<context:component-scan base-package="eu.dnetlib.openaire.usermanagement.registry.beans" /> |
|
| 247 | 15 |
<context:annotation-config></context:annotation-config> |
| 248 | 16 |
|
| 249 | 17 |
</beans> |
| modules/dnet-openaire-users/trunk/src/main/webapp/WEB-INF/applicationContext.xml | ||
|---|---|---|
| 9 | 9 |
http://www.springframework.org/schema/context/spring-context-4.2.xsd"> |
| 10 | 10 |
|
| 11 | 11 |
|
| 12 |
<import resource="classpath*:/eu/dnetlib/openaire/user/springContext-userManagementService.xml" /> |
|
| 13 |
<import resource="classpath*:/eu/dnetlib/openaire/user/login/springContext-userLoginCore.xml" /> |
|
| 14 |
|
|
| 12 | 15 |
<context:component-scan base-package="eu.dnetlib.openaire.usermanagement.*"/> |
| 13 | 16 |
<context:annotation-config /> |
| 14 | 17 |
|
| 15 |
<import resource="classpath*:/eu/dnetlib/openaire/user/springContext-userManagementService.xml" /> |
|
| 16 |
|
|
| 17 | 18 |
<!--<bean id="webexpressionHandler"--> |
| 18 | 19 |
<!--class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>--> |
| 19 | 20 |
|
| 20 |
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/> |
|
| 21 |
<bean class="org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory"/> |
|
| 22 |
|
|
| 23 |
|
|
| 24 | 21 |
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"> |
| 25 | 22 |
<property name="order" value="2" /> |
| 26 | 23 |
<property name="ignoreUnresolvablePlaceholders" value="true" /> |
| ... | ... | |
| 36 | 33 |
<value>classpath*:/eu/**/applicationContext*.properties</value> |
| 37 | 34 |
<value>classpath*:/eu/dnetlib/applicationContext-defaultProperties.properties</value> |
| 38 | 35 |
<value>classpath*:/eu/**/springContext-userManagementService.properties</value> |
| 39 |
<value>classpath*:/eu/**/springContext-dnetOpenaireUsersService.properties</value>
|
|
| 40 |
<value>classpath*:/eu/**/redis.properties</value>
|
|
| 36 |
<value>classpath*:/eu/**/springContext-userLoginCore.properties</value>
|
|
| 37 |
<value>classpath*:/eu/**/springContext-dnetOpenaireUsersService.properties</value>
|
|
| 41 | 38 |
<value>classpath*:/uoa-override.properties</value> |
| 42 | 39 |
<value>classpath*:/dnet-override.properties</value> |
| 43 | 40 |
</list> |
| modules/dnet-openaire-users/trunk/src/main/webapp/WEB-INF/log4j.properties | ||
|---|---|---|
| 1 |
log4j.rootLogger = INFO, R
|
|
| 1 |
log4j.rootLogger = DEBUG, R
|
|
| 2 | 2 |
|
| 3 |
log4j.logger.eu.dnetlib = INFO |
|
| 3 |
log4j.logger.eu.dnetlib = DEBUG, R |
|
| 4 |
log4j.logger.eu.dnetlib.openaire.user = DEBUG, R |
|
| 4 | 5 |
log4j.logger.org.mitre.openid = INFO |
| 5 |
log4j.logger.org.springframework = INFO, S |
|
| 6 |
log4j.logger.org.springframework = DEBUG, S |
|
| 7 |
log4j.logger.com.lambdaworks.redis.protocol = INFO, S |
|
| 8 |
log4j.logger.org.apache.http = INFO, S |
|
| 6 | 9 |
|
| 7 | 10 |
log4j.additivity.org.springframework = false |
| 8 | 11 |
|
| modules/dnet-openaire-users/trunk/src/main/webapp/WEB-INF/web.xml | ||
|---|---|---|
| 158 | 158 |
<param-name>cors.exposed.headers</param-name> |
| 159 | 159 |
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Allow-Methods</param-value> |
| 160 | 160 |
</init-param> |
| 161 |
<init-param> |
|
| 162 |
<param-name>cors.support.credentials</param-name> |
|
| 163 |
<param-value>true</param-value> |
|
| 164 |
</init-param> |
|
| 165 | 161 |
</filter> |
| 166 | 162 |
<filter-mapping> |
| 167 | 163 |
<filter-name>CorsFilter</filter-name> |
| modules/dnet-openaire-users/trunk/pom.xml | ||
|---|---|---|
| 23 | 23 |
<version>[2.0.0-SNAPSHOT, 3.0.0)</version> |
| 24 | 24 |
</dependency> |
| 25 | 25 |
<dependency> |
| 26 |
<groupId>eu.dnetlib</groupId> |
|
| 27 |
<artifactId>uoa-login-core</artifactId> |
|
| 28 |
<version>[1.0.0-SNAPSHOT, 2.0.0)</version> |
|
| 29 |
</dependency> |
|
| 30 |
<dependency> |
|
| 26 | 31 |
<groupId>org.slf4j</groupId> |
| 27 | 32 |
<artifactId>slf4j-api</artifactId> |
| 28 | 33 |
<version>1.7.5</version> |
| ... | ... | |
| 83 | 88 |
<version>3.0.1</version> |
| 84 | 89 |
<scope>provided</scope> |
| 85 | 90 |
</dependency> |
| 86 |
|
|
| 87 | 91 |
<dependency> |
| 88 |
<groupId>org.mitre</groupId>
|
|
| 89 |
<artifactId>openid-connect-client</artifactId>
|
|
| 90 |
<version>1.3.0</version>
|
|
| 92 |
<groupId>commons-io</groupId>
|
|
| 93 |
<artifactId>commons-io</artifactId>
|
|
| 94 |
<version>2.6</version>
|
|
| 91 | 95 |
</dependency> |
| 92 |
|
|
| 93 |
|
|
| 94 |
<!-- About redis --> |
|
| 95 |
|
|
| 96 | 96 |
<dependency> |
| 97 |
<groupId>org.springframework.session</groupId> |
|
| 98 |
<artifactId>spring-session-data-redis</artifactId> |
|
| 99 |
<version>1.3.1.RELEASE</version> |
|
| 100 |
<type>pom</type> |
|
| 97 |
<groupId>javax.xml.bind</groupId> |
|
| 98 |
<artifactId>jaxb-api</artifactId> |
|
| 99 |
<version>2.3.1</version> |
|
| 101 | 100 |
</dependency> |
| 102 |
<dependency> |
|
| 103 |
<groupId>biz.paluch.redis</groupId> |
|
| 104 |
<artifactId>lettuce</artifactId> |
|
| 105 |
<version>3.5.0.Final</version> |
|
| 106 |
</dependency> |
|
| 107 |
<dependency> |
|
| 108 |
<groupId>org.springframework</groupId> |
|
| 109 |
<artifactId>spring-web</artifactId> |
|
| 110 |
<version>4.3.4.RELEASE</version> |
|
| 111 |
</dependency> |
|
| 112 |
|
|
| 113 | 101 |
</dependencies> |
| 114 | 102 |
</project> |
| 115 | 103 |
|
Also available in: Unified diff
MERGE login branch 56991:57920 using uoa-login-core