Revision 61318
Added by Konstantinos Spyrou almost 3 years ago
| AaiSecurityConfiguration.java | ||
|---|---|---|
| 1 | 1 |
package eu.dnetlib.repo.manager.config; |
| 2 | 2 |
|
| 3 |
import com.google.common.collect.ImmutableList; |
|
| 4 | 3 |
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod; |
| 5 | 4 |
import org.mitre.oauth2.model.RegisteredClient; |
| 6 | 5 |
import org.mitre.openid.connect.client.OIDCAuthenticationFilter; |
| ... | ... | |
| 18 | 17 |
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; |
| 19 | 18 |
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; |
| 20 | 19 |
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; |
| 21 |
import org.springframework.web.cors.CorsConfiguration; |
|
| 22 |
import org.springframework.web.cors.CorsConfigurationSource; |
|
| 23 |
import org.springframework.web.cors.UrlBasedCorsConfigurationSource; |
|
| 24 | 20 |
|
| 25 | 21 |
import java.util.*; |
| 26 | 22 |
|
| ... | ... | |
| 46 | 42 |
@Value("${webapp.dev.front}")
|
| 47 | 43 |
private String webAppFrontEnd; |
| 48 | 44 |
|
| 49 |
private Map<String, String> userRoles = new HashMap<String, String>(){{
|
|
| 50 |
put("urn:geant:openaire.eu:group:Super+Administrator#aai.openaire.eu", "ROLE_ADMIN");
|
|
| 51 |
put("urn:geant:openaire.eu:group:Content+Provider+Dashboard+Administrator#aai.openaire.eu","ROLE_PROVIDE_ADMIN");
|
|
| 52 |
}}; |
|
| 53 |
|
|
| 54 | 45 |
@Bean |
| 55 | 46 |
@Override |
| 56 | 47 |
public AuthenticationManager authenticationManagerBean() throws Exception {
|
| ... | ... | |
| 58 | 49 |
} |
| 59 | 50 |
|
| 60 | 51 |
@Override |
| 61 |
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
|
| 52 |
protected void configure(AuthenticationManagerBuilder auth) {
|
|
| 62 | 53 |
auth.authenticationProvider(openIdConnectAuthenticationProvider()); |
| 63 | 54 |
} |
| 64 | 55 |
|
| 65 | 56 |
@Override |
| 66 |
public void configure(WebSecurity web) throws Exception {
|
|
| 57 |
public void configure(WebSecurity web) {
|
|
| 67 | 58 |
web.ignoring().antMatchers("/stats/**");
|
| 68 | 59 |
} |
| 69 | 60 |
|
| ... | ... | |
| 74 | 65 |
.authorizeRequests() |
| 75 | 66 |
.anyRequest().authenticated() |
| 76 | 67 |
.and() |
| 77 |
.httpBasic()
|
|
| 78 |
.authenticationEntryPoint(authenticationEntryPoint())
|
|
| 68 |
.httpBasic() |
|
| 69 |
.authenticationEntryPoint(authenticationEntryPoint()) |
|
| 79 | 70 |
.and() |
| 80 |
.logout().logoutUrl("/openid_logout")
|
|
| 81 |
.invalidateHttpSession(true)
|
|
| 82 |
.deleteCookies("openAIRESession")
|
|
| 83 |
.logoutSuccessUrl(logoutSuccessUrl)
|
|
| 71 |
.logout().logoutUrl("/openid_logout")
|
|
| 72 |
.invalidateHttpSession(true) |
|
| 73 |
.deleteCookies("openAIRESession")
|
|
| 74 |
.logoutSuccessUrl(logoutSuccessUrl) |
|
| 84 | 75 |
.and() |
| 85 |
.addFilterBefore(openIdConnectAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
|
|
| 76 |
.addFilterBefore(openIdConnectAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class) |
|
| 86 | 77 |
; |
| 87 | 78 |
} |
| 88 | 79 |
|
| 89 | 80 |
@Bean |
| 90 |
public OIDCAuthenticationProvider openIdConnectAuthenticationProvider(){
|
|
| 81 |
public OIDCAuthenticationProvider openIdConnectAuthenticationProvider() {
|
|
| 91 | 82 |
OIDCAuthenticationProvider oidcProvider = new OIDCAuthenticationProvider(); |
| 92 | 83 |
oidcProvider.setAuthoritiesMapper(authoritiesMapper()); |
| 93 | 84 |
return oidcProvider; |
| 94 | 85 |
} |
| 95 | 86 |
|
| 96 | 87 |
@Bean |
| 97 |
public OpenAireProviderAuthoritiesMapper authoritiesMapper(){
|
|
| 98 |
OpenAireProviderAuthoritiesMapper authoritiesMapper = new OpenAireProviderAuthoritiesMapper(userRoles);
|
|
| 88 |
public OpenAIREAuthoritiesMapper authoritiesMapper() {
|
|
| 89 |
OpenAIREAuthoritiesMapper authoritiesMapper = new OpenAIREAuthoritiesMapper();
|
|
| 99 | 90 |
return authoritiesMapper; |
| 100 | 91 |
} |
| 101 | 92 |
|
| 102 | 93 |
@Bean |
| 103 |
public StaticServerConfigurationService staticServerConfigurationService(){
|
|
| 94 |
public StaticServerConfigurationService staticServerConfigurationService() {
|
|
| 104 | 95 |
StaticServerConfigurationService staticServerConfigurationService = new StaticServerConfigurationService(); |
| 105 | 96 |
Map<String, ServerConfiguration> servers = new HashMap<>(); |
| 106 | 97 |
servers.put(oidcIssuer, serverConfiguration()); |
| ... | ... | |
| 109 | 100 |
} |
| 110 | 101 |
|
| 111 | 102 |
@Bean |
| 112 |
public StaticClientConfigurationService staticClientConfigurationService(){
|
|
| 103 |
public StaticClientConfigurationService staticClientConfigurationService() {
|
|
| 113 | 104 |
StaticClientConfigurationService staticClientConfigurationService = new StaticClientConfigurationService(); |
| 114 | 105 |
Map<String, RegisteredClient> clients = new HashMap<>(); |
| 115 |
clients.put(oidcIssuer,registeredClient()); |
|
| 106 |
clients.put(oidcIssuer, registeredClient());
|
|
| 116 | 107 |
staticClientConfigurationService.setClients(clients); |
| 117 | 108 |
return staticClientConfigurationService; |
| 118 | 109 |
} |
| 119 | 110 |
|
| 120 | 111 |
@Bean |
| 121 |
public RegisteredClient registeredClient(){
|
|
| 112 |
public RegisteredClient registeredClient() {
|
|
| 122 | 113 |
RegisteredClient registeredClient = new RegisteredClient(); |
| 123 | 114 |
registeredClient.setClientId(oidcId); |
| 124 | 115 |
registeredClient.setClientSecret(oidcSecret); |
| 125 |
registeredClient.setScope(new HashSet<>(Arrays.asList("openid","eduperson_entitlement","profile", "email")));
|
|
| 116 |
registeredClient.setScope(new HashSet<>(Arrays.asList("openid", "eduperson_entitlement", "profile", "email")));
|
|
| 126 | 117 |
registeredClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC); |
| 127 | 118 |
registeredClient.setRedirectUris(new HashSet<>(Collections.singletonList(oidcDevHome))); |
| 128 | 119 |
return registeredClient; |
| 129 | 120 |
} |
| 130 | 121 |
|
| 131 | 122 |
@Bean |
| 132 |
public StaticAuthRequestOptionsService staticAuthRequestOptionsService(){
|
|
| 123 |
public StaticAuthRequestOptionsService staticAuthRequestOptionsService() {
|
|
| 133 | 124 |
return new StaticAuthRequestOptionsService(); |
| 134 | 125 |
} |
| 135 | 126 |
|
| 136 | 127 |
@Bean |
| 137 |
public PlainAuthRequestUrlBuilder plainAuthRequestUrlBuilder(){
|
|
| 128 |
public PlainAuthRequestUrlBuilder plainAuthRequestUrlBuilder() {
|
|
| 138 | 129 |
return new PlainAuthRequestUrlBuilder(); |
| 139 | 130 |
} |
| 140 | 131 |
|
| 141 | 132 |
@Bean |
| 142 |
public ServerConfiguration serverConfiguration(){
|
|
| 133 |
public ServerConfiguration serverConfiguration() {
|
|
| 143 | 134 |
ServerConfiguration serverConfiguration = new ServerConfiguration(); |
| 144 | 135 |
serverConfiguration.setIssuer(oidcIssuer); |
| 145 |
serverConfiguration.setAuthorizationEndpointUri(oidcIssuer+"authorize");
|
|
| 146 |
serverConfiguration.setTokenEndpointUri(oidcIssuer+"token");
|
|
| 147 |
serverConfiguration.setUserInfoUri(oidcIssuer+"userinfo");
|
|
| 148 |
serverConfiguration.setJwksUri(oidcIssuer+"jwk");
|
|
| 149 |
serverConfiguration.setRevocationEndpointUri(oidcIssuer+"revoke");
|
|
| 136 |
serverConfiguration.setAuthorizationEndpointUri(oidcIssuer + "authorize");
|
|
| 137 |
serverConfiguration.setTokenEndpointUri(oidcIssuer + "token");
|
|
| 138 |
serverConfiguration.setUserInfoUri(oidcIssuer + "userinfo");
|
|
| 139 |
serverConfiguration.setJwksUri(oidcIssuer + "jwk");
|
|
| 140 |
serverConfiguration.setRevocationEndpointUri(oidcIssuer + "revoke");
|
|
| 150 | 141 |
return serverConfiguration; |
| 151 | 142 |
} |
| 152 | 143 |
|
| 153 | 144 |
@Bean |
| 154 |
public LoginUrlAuthenticationEntryPoint authenticationEntryPoint(){
|
|
| 145 |
public LoginUrlAuthenticationEntryPoint authenticationEntryPoint() {
|
|
| 155 | 146 |
return new LoginUrlAuthenticationEntryPoint("/openid_connect_login");
|
| 156 | 147 |
} |
| 157 | 148 |
|
| ... | ... | |
| 170 | 161 |
} |
| 171 | 162 |
|
| 172 | 163 |
@Bean |
| 173 |
public StaticSingleIssuerService staticSingleIssuerService(){
|
|
| 164 |
public StaticSingleIssuerService staticSingleIssuerService() {
|
|
| 174 | 165 |
StaticSingleIssuerService staticSingleIssuerService = new StaticSingleIssuerService(); |
| 175 | 166 |
staticSingleIssuerService.setIssuer(oidcIssuer); |
| 176 | 167 |
return staticSingleIssuerService; |
| 177 | 168 |
} |
| 178 | 169 |
|
| 179 | 170 |
@Bean(initMethod = "init") |
| 180 |
public FrontEndLinkURIAuthenticationSuccessHandler frontEndRedirect(){
|
|
| 171 |
public FrontEndLinkURIAuthenticationSuccessHandler frontEndRedirect() {
|
|
| 181 | 172 |
FrontEndLinkURIAuthenticationSuccessHandler frontEnd = new FrontEndLinkURIAuthenticationSuccessHandler(); |
| 182 | 173 |
frontEnd.setFrontEndURI(webAppFrontEnd); |
| 183 | 174 |
return frontEnd; |
Also available in: Unified diff
1. fixed authorization in RepositoryController
2. created new methods and classes
3. made authorities mapping the same as with other openaire projects
4. refactoring