Revision 60747
Added by Antonis Koulalis about 3 years ago
AaiSecurityConfiguration.java | ||
---|---|---|
1 |
package eu.dnetlib.repo.manager.config; |
|
2 |
|
|
3 |
import com.google.common.collect.ImmutableList; |
|
4 |
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod; |
|
5 |
import org.mitre.oauth2.model.RegisteredClient; |
|
6 |
import org.mitre.openid.connect.client.OIDCAuthenticationFilter; |
|
7 |
import org.mitre.openid.connect.client.OIDCAuthenticationProvider; |
|
8 |
import org.mitre.openid.connect.client.service.impl.*; |
|
9 |
import org.mitre.openid.connect.config.ServerConfiguration; |
|
10 |
import org.springframework.beans.factory.annotation.Value; |
|
11 |
import org.springframework.context.annotation.Bean; |
|
12 |
import org.springframework.context.annotation.Configuration; |
|
13 |
import org.springframework.security.authentication.AuthenticationManager; |
|
14 |
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; |
|
15 |
import org.springframework.security.config.annotation.web.builders.HttpSecurity; |
|
16 |
import org.springframework.security.config.annotation.web.builders.WebSecurity; |
|
17 |
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; |
|
18 |
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; |
|
19 |
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; |
|
20 |
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; |
|
21 |
import org.springframework.web.cors.CorsConfiguration; |
|
22 |
import org.springframework.web.cors.CorsConfigurationSource; |
|
23 |
import org.springframework.web.cors.UrlBasedCorsConfigurationSource; |
|
24 |
|
|
25 |
import java.util.*; |
|
26 |
|
|
27 |
@Configuration |
|
28 |
@EnableWebSecurity |
|
29 |
public class AaiSecurityConfiguration extends WebSecurityConfigurerAdapter { |
|
30 |
|
|
31 |
@Value("${webapp.dev.front}") |
|
32 |
private String logoutSuccessUrl; |
|
33 |
|
|
34 |
@Value("${oidc.issuer}") |
|
35 |
private String oidcIssuer; |
|
36 |
|
|
37 |
@Value("${oidc.id}") |
|
38 |
private String oidcId; |
|
39 |
|
|
40 |
@Value("${oidc.secret}") |
|
41 |
private String oidcSecret; |
|
42 |
|
|
43 |
@Value("${oidc.dev.home}") |
|
44 |
private String oidcDevHome; |
|
45 |
|
|
46 |
@Value("${webapp.dev.front}") |
|
47 |
private String webAppFrontEnd; |
|
48 |
|
|
49 |
private Map<String, String> userRoles = new HashMap<String, String>(){{ |
|
50 |
put("urn:geant:openaire.eu:group:Super+Administrator#aai.openaire.eu", "ROLE_ADMIN"); |
|
51 |
put("urn:geant:openaire.eu:group:Content+Provider+Dashboard+Administrator#aai.openaire.eu","ROLE_PROVIDE_ADMIN"); |
|
52 |
}}; |
|
53 |
|
|
54 |
@Bean |
|
55 |
@Override |
|
56 |
public AuthenticationManager authenticationManagerBean() throws Exception { |
|
57 |
return authenticationManager(); |
|
58 |
} |
|
59 |
|
|
60 |
@Override |
|
61 |
protected void configure(AuthenticationManagerBuilder auth) throws Exception { |
|
62 |
auth.authenticationProvider(openIdConnectAuthenticationProvider()); |
|
63 |
} |
|
64 |
|
|
65 |
@Override |
|
66 |
public void configure(WebSecurity web) throws Exception { |
|
67 |
web.ignoring().antMatchers("/stats/**"); |
|
68 |
} |
|
69 |
|
|
70 |
@Override |
|
71 |
protected void configure(HttpSecurity http) throws Exception { |
|
72 |
http.csrf().disable() |
|
73 |
.anonymous().disable() |
|
74 |
.authorizeRequests() |
|
75 |
.anyRequest().authenticated() |
|
76 |
.and() |
|
77 |
.httpBasic() |
|
78 |
.authenticationEntryPoint(authenticationEntryPoint()) |
|
79 |
.and() |
|
80 |
.logout().logoutUrl("/openid_logout") |
|
81 |
.invalidateHttpSession(true) |
|
82 |
.deleteCookies("openAIRESession") |
|
83 |
.logoutSuccessUrl(logoutSuccessUrl) |
|
84 |
.and() |
|
85 |
.addFilterBefore(openIdConnectAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class) |
|
86 |
; |
|
87 |
} |
|
88 |
|
|
89 |
@Bean |
|
90 |
public OIDCAuthenticationProvider openIdConnectAuthenticationProvider(){ |
|
91 |
OIDCAuthenticationProvider oidcProvider = new OIDCAuthenticationProvider(); |
|
92 |
oidcProvider.setAuthoritiesMapper(authoritiesMapper()); |
|
93 |
return oidcProvider; |
|
94 |
} |
|
95 |
|
|
96 |
@Bean |
|
97 |
public OpenAireProviderAuthoritiesMapper authoritiesMapper(){ |
|
98 |
OpenAireProviderAuthoritiesMapper authoritiesMapper = new OpenAireProviderAuthoritiesMapper(userRoles); |
|
99 |
return authoritiesMapper; |
|
100 |
} |
|
101 |
|
|
102 |
@Bean |
|
103 |
public StaticServerConfigurationService staticServerConfigurationService(){ |
|
104 |
StaticServerConfigurationService staticServerConfigurationService = new StaticServerConfigurationService(); |
|
105 |
Map<String, ServerConfiguration> servers = new HashMap<>(); |
|
106 |
servers.put(oidcIssuer, serverConfiguration()); |
|
107 |
staticServerConfigurationService.setServers(servers); |
|
108 |
return staticServerConfigurationService; |
|
109 |
} |
|
110 |
|
|
111 |
@Bean |
|
112 |
public StaticClientConfigurationService staticClientConfigurationService(){ |
|
113 |
StaticClientConfigurationService staticClientConfigurationService = new StaticClientConfigurationService(); |
|
114 |
Map<String, RegisteredClient> clients = new HashMap<>(); |
|
115 |
clients.put(oidcIssuer,registeredClient()); |
|
116 |
staticClientConfigurationService.setClients(clients); |
|
117 |
return staticClientConfigurationService; |
|
118 |
} |
|
119 |
|
|
120 |
@Bean |
|
121 |
public RegisteredClient registeredClient(){ |
|
122 |
RegisteredClient registeredClient = new RegisteredClient(); |
|
123 |
registeredClient.setClientId(oidcId); |
|
124 |
registeredClient.setClientSecret(oidcSecret); |
|
125 |
registeredClient.setScope(new HashSet<>(Arrays.asList("openid","eduperson_entitlement","profile", "email"))); |
|
126 |
registeredClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC); |
|
127 |
registeredClient.setRedirectUris(new HashSet<>(Collections.singletonList(oidcDevHome))); |
|
128 |
return registeredClient; |
|
129 |
} |
|
130 |
|
|
131 |
@Bean |
|
132 |
public StaticAuthRequestOptionsService staticAuthRequestOptionsService(){ |
|
133 |
return new StaticAuthRequestOptionsService(); |
|
134 |
} |
|
135 |
|
|
136 |
@Bean |
|
137 |
public PlainAuthRequestUrlBuilder plainAuthRequestUrlBuilder(){ |
|
138 |
return new PlainAuthRequestUrlBuilder(); |
|
139 |
} |
|
140 |
|
|
141 |
@Bean |
|
142 |
public ServerConfiguration serverConfiguration(){ |
|
143 |
ServerConfiguration serverConfiguration = new ServerConfiguration(); |
|
144 |
serverConfiguration.setIssuer(oidcIssuer); |
|
145 |
serverConfiguration.setAuthorizationEndpointUri(oidcIssuer+"authorize"); |
|
146 |
serverConfiguration.setTokenEndpointUri(oidcIssuer+"token"); |
|
147 |
serverConfiguration.setUserInfoUri(oidcIssuer+"userinfo"); |
|
148 |
serverConfiguration.setJwksUri(oidcIssuer+"jwk"); |
|
149 |
serverConfiguration.setRevocationEndpointUri(oidcIssuer+"revoke"); |
|
150 |
return serverConfiguration; |
|
151 |
} |
|
152 |
|
|
153 |
@Bean |
|
154 |
public LoginUrlAuthenticationEntryPoint authenticationEntryPoint(){ |
|
155 |
return new LoginUrlAuthenticationEntryPoint("/openid_connect_login"); |
|
156 |
} |
|
157 |
|
|
158 |
|
|
159 |
@Bean |
|
160 |
public OIDCAuthenticationFilter openIdConnectAuthenticationFilter() throws Exception { |
|
161 |
OIDCAuthenticationFilter oidc = new OIDCAuthenticationFilter(); |
|
162 |
oidc.setAuthenticationManager(authenticationManagerBean()); |
|
163 |
oidc.setIssuerService(staticSingleIssuerService()); |
|
164 |
oidc.setServerConfigurationService(staticServerConfigurationService()); |
|
165 |
oidc.setClientConfigurationService(staticClientConfigurationService()); |
|
166 |
oidc.setAuthRequestOptionsService(staticAuthRequestOptionsService()); |
|
167 |
oidc.setAuthRequestUrlBuilder(plainAuthRequestUrlBuilder()); |
|
168 |
oidc.setAuthenticationSuccessHandler(frontEndRedirect()); |
|
169 |
return oidc; |
|
170 |
} |
|
171 |
|
|
172 |
@Bean |
|
173 |
public StaticSingleIssuerService staticSingleIssuerService(){ |
|
174 |
StaticSingleIssuerService staticSingleIssuerService = new StaticSingleIssuerService(); |
|
175 |
staticSingleIssuerService.setIssuer(oidcIssuer); |
|
176 |
return staticSingleIssuerService; |
|
177 |
} |
|
178 |
|
|
179 |
@Bean(initMethod = "init") |
|
180 |
public FrontEndLinkURIAuthenticationSuccessHandler frontEndRedirect(){ |
|
181 |
FrontEndLinkURIAuthenticationSuccessHandler frontEnd = new FrontEndLinkURIAuthenticationSuccessHandler(); |
|
182 |
frontEnd.setFrontEndURI(webAppFrontEnd); |
|
183 |
return frontEnd; |
|
184 |
} |
|
185 |
|
|
186 |
} |
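Review bot: `web.ignoring().antMatchers("/stats/**")` in configure(WebSecurity) takes those paths out of the Spring Security filter chain entirely, so they get no session handling, no default security headers and no logout/CSRF processing; if the intent is only that they need no login, `.antMatchers("/stats/**").permitAll()` inside `authorizeRequests()` before `.anyRequest().authenticated()` keeps them in the chain while still allowing anonymous access. In configure(HttpSecurity), `csrf().disable()` is combined with a cookie-bound session (`deleteCookies("openAIRESession")`) and `anyRequest().authenticated()`, so every state-changing endpoint and the `/openid_logout` URL rely on the session cookie alone; if the separate front end cannot send a CSRF token, at least record the reason with a comment such as `// CSRF disabled: SPA front end on webapp.dev.front; session cookie must be SameSite/confirm endpoints are not reachable cross-site` rather than leaving it silent. The endpoint URIs in serverConfiguration() are built by bare concatenation (`oidcIssuer+"authorize"`, `oidcIssuer+"jwk"`, …), which silently yields e.g. `.../oidcauthorize` if `oidc.issuer` is ever configured without a trailing slash; deriving them from a normalised base (`String base = oidcIssuer.endsWith("/") ? oidcIssuer : oidcIssuer + "/";`) while still passing the raw value to `setIssuer` avoids that without affecting `iss` matching. Finally, `userRoles` is a mutable double-brace `HashMap` (an anonymous inner class holding a reference to the configuration instance) handed straight to `OpenAireProviderAuthoritiesMapper`; wrapping it in `Collections.unmodifiableMap(...)` prevents the entitlement-to-role mapping from being altered at runtime, and the unused `ImmutableList` import can be dropped.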