Revision 61318
Added by Konstantinos Spyrou almost 3 years ago
AaiSecurityConfiguration.java | ||
---|---|---|
1 | 1 |
package eu.dnetlib.repo.manager.config; |
2 | 2 |
|
3 |
import com.google.common.collect.ImmutableList; |
|
4 | 3 |
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod; |
5 | 4 |
import org.mitre.oauth2.model.RegisteredClient; |
6 | 5 |
import org.mitre.openid.connect.client.OIDCAuthenticationFilter; |
... | ... | |
18 | 17 |
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; |
19 | 18 |
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; |
20 | 19 |
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; |
21 |
import org.springframework.web.cors.CorsConfiguration; |
|
22 |
import org.springframework.web.cors.CorsConfigurationSource; |
|
23 |
import org.springframework.web.cors.UrlBasedCorsConfigurationSource; |
|
24 | 20 |
|
25 | 21 |
import java.util.*; |
26 | 22 |
|
... | ... | |
46 | 42 |
@Value("${webapp.dev.front}") |
47 | 43 |
private String webAppFrontEnd; |
48 | 44 |
|
49 |
private Map<String, String> userRoles = new HashMap<String, String>(){{ |
|
50 |
put("urn:geant:openaire.eu:group:Super+Administrator#aai.openaire.eu", "ROLE_ADMIN"); |
|
51 |
put("urn:geant:openaire.eu:group:Content+Provider+Dashboard+Administrator#aai.openaire.eu","ROLE_PROVIDE_ADMIN"); |
|
52 |
}}; |
|
53 |
|
|
54 | 45 |
@Bean |
55 | 46 |
@Override |
56 | 47 |
public AuthenticationManager authenticationManagerBean() throws Exception { |
... | ... | |
58 | 49 |
} |
59 | 50 |
|
60 | 51 |
@Override |
61 |
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
|
52 |
protected void configure(AuthenticationManagerBuilder auth) { |
|
62 | 53 |
auth.authenticationProvider(openIdConnectAuthenticationProvider()); |
63 | 54 |
} |
64 | 55 |
|
65 | 56 |
@Override |
66 |
public void configure(WebSecurity web) throws Exception {
|
|
57 |
public void configure(WebSecurity web) { |
|
67 | 58 |
web.ignoring().antMatchers("/stats/**"); |
68 | 59 |
} |
69 | 60 |
|
... | ... | |
74 | 65 |
.authorizeRequests() |
75 | 66 |
.anyRequest().authenticated() |
76 | 67 |
.and() |
77 |
.httpBasic()
|
|
78 |
.authenticationEntryPoint(authenticationEntryPoint())
|
|
68 |
.httpBasic() |
|
69 |
.authenticationEntryPoint(authenticationEntryPoint()) |
|
79 | 70 |
.and() |
80 |
.logout().logoutUrl("/openid_logout")
|
|
81 |
.invalidateHttpSession(true)
|
|
82 |
.deleteCookies("openAIRESession")
|
|
83 |
.logoutSuccessUrl(logoutSuccessUrl)
|
|
71 |
.logout().logoutUrl("/openid_logout") |
|
72 |
.invalidateHttpSession(true) |
|
73 |
.deleteCookies("openAIRESession") |
|
74 |
.logoutSuccessUrl(logoutSuccessUrl) |
|
84 | 75 |
.and() |
85 |
.addFilterBefore(openIdConnectAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
|
|
76 |
.addFilterBefore(openIdConnectAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class) |
|
86 | 77 |
; |
87 | 78 |
} |
88 | 79 |
|
89 | 80 |
@Bean |
90 |
public OIDCAuthenticationProvider openIdConnectAuthenticationProvider(){ |
|
81 |
public OIDCAuthenticationProvider openIdConnectAuthenticationProvider() {
|
|
91 | 82 |
OIDCAuthenticationProvider oidcProvider = new OIDCAuthenticationProvider(); |
92 | 83 |
oidcProvider.setAuthoritiesMapper(authoritiesMapper()); |
93 | 84 |
return oidcProvider; |
94 | 85 |
} |
95 | 86 |
|
96 | 87 |
@Bean |
97 |
public OpenAireProviderAuthoritiesMapper authoritiesMapper(){
|
|
98 |
OpenAireProviderAuthoritiesMapper authoritiesMapper = new OpenAireProviderAuthoritiesMapper(userRoles);
|
|
88 |
public OpenAIREAuthoritiesMapper authoritiesMapper() {
|
|
89 |
OpenAIREAuthoritiesMapper authoritiesMapper = new OpenAIREAuthoritiesMapper();
|
|
99 | 90 |
return authoritiesMapper; |
100 | 91 |
} |
101 | 92 |
|
102 | 93 |
@Bean |
103 |
public StaticServerConfigurationService staticServerConfigurationService(){ |
|
94 |
public StaticServerConfigurationService staticServerConfigurationService() {
|
|
104 | 95 |
StaticServerConfigurationService staticServerConfigurationService = new StaticServerConfigurationService(); |
105 | 96 |
Map<String, ServerConfiguration> servers = new HashMap<>(); |
106 | 97 |
servers.put(oidcIssuer, serverConfiguration()); |
... | ... | |
109 | 100 |
} |
110 | 101 |
|
111 | 102 |
@Bean |
112 |
public StaticClientConfigurationService staticClientConfigurationService(){ |
|
103 |
public StaticClientConfigurationService staticClientConfigurationService() {
|
|
113 | 104 |
StaticClientConfigurationService staticClientConfigurationService = new StaticClientConfigurationService(); |
114 | 105 |
Map<String, RegisteredClient> clients = new HashMap<>(); |
115 |
clients.put(oidcIssuer,registeredClient()); |
|
106 |
clients.put(oidcIssuer, registeredClient());
|
|
116 | 107 |
staticClientConfigurationService.setClients(clients); |
117 | 108 |
return staticClientConfigurationService; |
118 | 109 |
} |
119 | 110 |
|
120 | 111 |
@Bean |
121 |
public RegisteredClient registeredClient(){ |
|
112 |
public RegisteredClient registeredClient() {
|
|
122 | 113 |
RegisteredClient registeredClient = new RegisteredClient(); |
123 | 114 |
registeredClient.setClientId(oidcId); |
124 | 115 |
registeredClient.setClientSecret(oidcSecret); |
125 |
registeredClient.setScope(new HashSet<>(Arrays.asList("openid","eduperson_entitlement","profile", "email")));
|
|
116 |
registeredClient.setScope(new HashSet<>(Arrays.asList("openid", "eduperson_entitlement", "profile", "email")));
|
|
126 | 117 |
registeredClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC); |
127 | 118 |
registeredClient.setRedirectUris(new HashSet<>(Collections.singletonList(oidcDevHome))); |
128 | 119 |
return registeredClient; |
129 | 120 |
} |
130 | 121 |
|
131 | 122 |
@Bean |
132 |
public StaticAuthRequestOptionsService staticAuthRequestOptionsService(){ |
|
123 |
public StaticAuthRequestOptionsService staticAuthRequestOptionsService() {
|
|
133 | 124 |
return new StaticAuthRequestOptionsService(); |
134 | 125 |
} |
135 | 126 |
|
136 | 127 |
@Bean |
137 |
public PlainAuthRequestUrlBuilder plainAuthRequestUrlBuilder(){ |
|
128 |
public PlainAuthRequestUrlBuilder plainAuthRequestUrlBuilder() {
|
|
138 | 129 |
return new PlainAuthRequestUrlBuilder(); |
139 | 130 |
} |
140 | 131 |
|
141 | 132 |
@Bean |
142 |
public ServerConfiguration serverConfiguration(){ |
|
133 |
public ServerConfiguration serverConfiguration() {
|
|
143 | 134 |
ServerConfiguration serverConfiguration = new ServerConfiguration(); |
144 | 135 |
serverConfiguration.setIssuer(oidcIssuer); |
145 |
serverConfiguration.setAuthorizationEndpointUri(oidcIssuer+"authorize");
|
|
146 |
serverConfiguration.setTokenEndpointUri(oidcIssuer+"token");
|
|
147 |
serverConfiguration.setUserInfoUri(oidcIssuer+"userinfo");
|
|
148 |
serverConfiguration.setJwksUri(oidcIssuer+"jwk");
|
|
149 |
serverConfiguration.setRevocationEndpointUri(oidcIssuer+"revoke");
|
|
136 |
serverConfiguration.setAuthorizationEndpointUri(oidcIssuer + "authorize");
|
|
137 |
serverConfiguration.setTokenEndpointUri(oidcIssuer + "token");
|
|
138 |
serverConfiguration.setUserInfoUri(oidcIssuer + "userinfo");
|
|
139 |
serverConfiguration.setJwksUri(oidcIssuer + "jwk");
|
|
140 |
serverConfiguration.setRevocationEndpointUri(oidcIssuer + "revoke");
|
|
150 | 141 |
return serverConfiguration; |
151 | 142 |
} |
152 | 143 |
|
153 | 144 |
@Bean |
154 |
public LoginUrlAuthenticationEntryPoint authenticationEntryPoint(){ |
|
145 |
public LoginUrlAuthenticationEntryPoint authenticationEntryPoint() {
|
|
155 | 146 |
return new LoginUrlAuthenticationEntryPoint("/openid_connect_login"); |
156 | 147 |
} |
157 | 148 |
|
... | ... | |
170 | 161 |
} |
171 | 162 |
|
172 | 163 |
@Bean |
173 |
public StaticSingleIssuerService staticSingleIssuerService(){ |
|
164 |
public StaticSingleIssuerService staticSingleIssuerService() {
|
|
174 | 165 |
StaticSingleIssuerService staticSingleIssuerService = new StaticSingleIssuerService(); |
175 | 166 |
staticSingleIssuerService.setIssuer(oidcIssuer); |
176 | 167 |
return staticSingleIssuerService; |
177 | 168 |
} |
178 | 169 |
|
179 | 170 |
@Bean(initMethod = "init") |
180 |
public FrontEndLinkURIAuthenticationSuccessHandler frontEndRedirect(){ |
|
171 |
public FrontEndLinkURIAuthenticationSuccessHandler frontEndRedirect() {
|
|
181 | 172 |
FrontEndLinkURIAuthenticationSuccessHandler frontEnd = new FrontEndLinkURIAuthenticationSuccessHandler(); |
182 | 173 |
frontEnd.setFrontEndURI(webAppFrontEnd); |
183 | 174 |
return frontEnd; |
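Review bot: The `authoritiesMapper()` bean now constructs `OpenAIREAuthoritiesMapper` with no arguments, so the entitlement-to-role mapping that the removed `userRoles` map made explicit in this file (the two `urn:geant:openaire.eu:group:...` entitlements granting `ROLE_ADMIN` and `ROLE_PROVIDE_ADMIN`) is no longer visible from this configuration class. A short Javadoc on the bean would keep the authorization contract reviewable, e.g. `/** Maps AAI entitlements to ROLE_* authorities; the mapping lives in OpenAIREAuthoritiesMapper and must match the roles checked in RepositoryController. */`. The role names the controller checks are outside this page, so whether they still line up with what the new mapper emits cannot be confirmed here. Separately, `serverConfiguration()` derives every endpoint by appending to `oidcIssuer`, which silently yields wrong URLs if the configured issuer lacks a trailing slash; those lines are only re-spaced in this commit, but a comment on the `oidcIssuer` field stating the trailing-slash requirement would prevent a misconfiguration from going unnoticed.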
1. fixed authorization in RepositoryController
2. created new methods and classes
3. made authorities mapping consistent with other OpenAIRE projects
4. refactoring