|
1
|
package eu.dnetlib.repo.manager.config;
|
|
2
|
|
|
3
|
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
|
|
4
|
import org.mitre.oauth2.model.RegisteredClient;
|
|
5
|
import org.mitre.openid.connect.client.OIDCAuthenticationFilter;
|
|
6
|
import org.mitre.openid.connect.client.OIDCAuthenticationProvider;
|
|
7
|
import org.mitre.openid.connect.client.service.impl.*;
|
|
8
|
import org.mitre.openid.connect.config.ServerConfiguration;
|
|
9
|
import org.springframework.beans.factory.annotation.Value;
|
|
10
|
import org.springframework.context.annotation.Bean;
|
|
11
|
import org.springframework.context.annotation.Configuration;
|
|
12
|
import org.springframework.security.authentication.AuthenticationManager;
|
|
13
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
|
14
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
15
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
16
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
|
17
|
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
|
|
18
|
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
|
|
19
|
|
|
20
|
import java.util.*;
|
|
21
|
|
|
22
|
@Configuration
|
|
23
|
@EnableWebSecurity
|
|
24
|
public class AaiSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
|
25
|
|
|
26
|
@Value("${webapp.dev.front}")
|
|
27
|
private String logoutSuccessUrl;
|
|
28
|
|
|
29
|
@Value("${oidc.issuer}")
|
|
30
|
private String oidcIssuer;
|
|
31
|
|
|
32
|
@Value("${oidc.id}")
|
|
33
|
private String oidcId;
|
|
34
|
|
|
35
|
@Value("${oidc.secret}")
|
|
36
|
private String oidcSecret;
|
|
37
|
|
|
38
|
@Value("${oidc.dev.home}")
|
|
39
|
private String oidcDevHome;
|
|
40
|
|
|
41
|
@Value("${webapp.dev.front}")
|
|
42
|
private String webAppFrontEnd;
|
|
43
|
|
|
44
|
private Map<String, String> userRoles = new HashMap<String, String>(){{
|
|
45
|
put("urn:geant:openaire.eu:group:Super+Administrator#aai.openaire.eu", "ROLE_ADMIN");
|
|
46
|
put("urn:geant:openaire.eu:group:Content+Provider+Dashboard+Administrator#aai.openaire.eu","ROLE_PROVIDE_ADMIN");
|
|
47
|
}};
|
|
48
|
|
|
49
|
@Bean
|
|
50
|
@Override
|
|
51
|
public AuthenticationManager authenticationManagerBean() throws Exception {
|
|
52
|
return authenticationManager();
|
|
53
|
}
|
|
54
|
|
|
55
|
@Override
|
|
56
|
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
|
57
|
auth.authenticationProvider(openIdConnectAuthenticationProvider());
|
|
58
|
}
|
|
59
|
|
|
60
|
@Override
|
|
61
|
protected void configure(HttpSecurity http) throws Exception {
|
|
62
|
http.csrf().disable()
|
|
63
|
.anonymous().disable()
|
|
64
|
.authorizeRequests()
|
|
65
|
.anyRequest().authenticated()
|
|
66
|
.and()
|
|
67
|
.httpBasic()
|
|
68
|
.authenticationEntryPoint(authenticationEntryPoint())
|
|
69
|
.and()
|
|
70
|
.logout().logoutUrl("/openid_logout")
|
|
71
|
.invalidateHttpSession(true)
|
|
72
|
.deleteCookies("openAIRESession")
|
|
73
|
.logoutSuccessUrl(logoutSuccessUrl)
|
|
74
|
.and()
|
|
75
|
.addFilterBefore(openIdConnectAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
|
|
76
|
;
|
|
77
|
}
|
|
78
|
|
|
79
|
@Bean
|
|
80
|
public OIDCAuthenticationProvider openIdConnectAuthenticationProvider(){
|
|
81
|
OIDCAuthenticationProvider oidcProvider = new OIDCAuthenticationProvider();
|
|
82
|
oidcProvider.setAuthoritiesMapper(authoritiesMapper());
|
|
83
|
return oidcProvider;
|
|
84
|
}
|
|
85
|
|
|
86
|
@Bean
|
|
87
|
public OpenAireProviderAuthoritiesMapper authoritiesMapper(){
|
|
88
|
OpenAireProviderAuthoritiesMapper authoritiesMapper = new OpenAireProviderAuthoritiesMapper(userRoles);
|
|
89
|
return authoritiesMapper;
|
|
90
|
}
|
|
91
|
|
|
92
|
@Bean
|
|
93
|
public StaticServerConfigurationService staticServerConfigurationService(){
|
|
94
|
StaticServerConfigurationService staticServerConfigurationService = new StaticServerConfigurationService();
|
|
95
|
Map<String, ServerConfiguration> servers = new HashMap<>();
|
|
96
|
servers.put(oidcIssuer, serverConfiguration());
|
|
97
|
staticServerConfigurationService.setServers(servers);
|
|
98
|
return staticServerConfigurationService;
|
|
99
|
}
|
|
100
|
|
|
101
|
@Bean
|
|
102
|
public StaticClientConfigurationService staticClientConfigurationService(){
|
|
103
|
StaticClientConfigurationService staticClientConfigurationService = new StaticClientConfigurationService();
|
|
104
|
Map<String, RegisteredClient> clients = new HashMap<>();
|
|
105
|
clients.put(oidcIssuer,registeredClient());
|
|
106
|
staticClientConfigurationService.setClients(clients);
|
|
107
|
return staticClientConfigurationService;
|
|
108
|
}
|
|
109
|
|
|
110
|
@Bean
|
|
111
|
public RegisteredClient registeredClient(){
|
|
112
|
RegisteredClient registeredClient = new RegisteredClient();
|
|
113
|
registeredClient.setClientId(oidcId);
|
|
114
|
registeredClient.setClientSecret(oidcSecret);
|
|
115
|
registeredClient.setScope(new HashSet<>(Arrays.asList("openid","eduperson_entitlement","profile", "email")));
|
|
116
|
registeredClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
|
|
117
|
registeredClient.setRedirectUris(new HashSet<>(Collections.singletonList(oidcDevHome)));
|
|
118
|
return registeredClient;
|
|
119
|
}
|
|
120
|
|
|
121
|
@Bean
|
|
122
|
public StaticAuthRequestOptionsService staticAuthRequestOptionsService(){
|
|
123
|
return new StaticAuthRequestOptionsService();
|
|
124
|
}
|
|
125
|
|
|
126
|
@Bean
|
|
127
|
public PlainAuthRequestUrlBuilder plainAuthRequestUrlBuilder(){
|
|
128
|
return new PlainAuthRequestUrlBuilder();
|
|
129
|
}
|
|
130
|
|
|
131
|
@Bean
|
|
132
|
public ServerConfiguration serverConfiguration(){
|
|
133
|
ServerConfiguration serverConfiguration = new ServerConfiguration();
|
|
134
|
serverConfiguration.setIssuer(oidcIssuer);
|
|
135
|
serverConfiguration.setAuthorizationEndpointUri(oidcIssuer+"authorize");
|
|
136
|
serverConfiguration.setTokenEndpointUri(oidcIssuer+"token");
|
|
137
|
serverConfiguration.setUserInfoUri(oidcIssuer+"userinfo");
|
|
138
|
serverConfiguration.setJwksUri(oidcIssuer+"jwk");
|
|
139
|
serverConfiguration.setRevocationEndpointUri(oidcIssuer+"revoke");
|
|
140
|
return serverConfiguration;
|
|
141
|
}
|
|
142
|
|
|
143
|
@Bean
|
|
144
|
public LoginUrlAuthenticationEntryPoint authenticationEntryPoint(){
|
|
145
|
return new LoginUrlAuthenticationEntryPoint("/openid_connect_login");
|
|
146
|
}
|
|
147
|
|
|
148
|
|
|
149
|
@Bean
|
|
150
|
public OIDCAuthenticationFilter openIdConnectAuthenticationFilter() throws Exception {
|
|
151
|
OIDCAuthenticationFilter oidc = new OIDCAuthenticationFilter();
|
|
152
|
oidc.setAuthenticationManager(authenticationManagerBean());
|
|
153
|
oidc.setIssuerService(staticSingleIssuerService());
|
|
154
|
oidc.setServerConfigurationService(staticServerConfigurationService());
|
|
155
|
oidc.setClientConfigurationService(staticClientConfigurationService());
|
|
156
|
oidc.setAuthRequestOptionsService(staticAuthRequestOptionsService());
|
|
157
|
oidc.setAuthRequestUrlBuilder(plainAuthRequestUrlBuilder());
|
|
158
|
oidc.setAuthenticationSuccessHandler(frontEndRedirect());
|
|
159
|
return oidc;
|
|
160
|
}
|
|
161
|
|
|
162
|
@Bean
|
|
163
|
public StaticSingleIssuerService staticSingleIssuerService(){
|
|
164
|
StaticSingleIssuerService staticSingleIssuerService = new StaticSingleIssuerService();
|
|
165
|
staticSingleIssuerService.setIssuer(oidcIssuer);
|
|
166
|
return staticSingleIssuerService;
|
|
167
|
}
|
|
168
|
|
|
169
|
@Bean(initMethod = "init")
|
|
170
|
public FrontEndLinkURIAuthenticationSuccessHandler frontEndRedirect(){
|
|
171
|
FrontEndLinkURIAuthenticationSuccessHandler frontEnd = new FrontEndLinkURIAuthenticationSuccessHandler();
|
|
172
|
frontEnd.setFrontEndURI(webAppFrontEnd);
|
|
173
|
return frontEnd;
|
|
174
|
}
|
|
175
|
|
|
176
|
}
|