1 |
57908
|
ioannis.di
|
package eu.dnetlib.repo.manager.config;
|
2 |
|
|
|
3 |
|
|
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
|
4 |
|
|
import org.mitre.oauth2.model.RegisteredClient;
|
5 |
|
|
import org.mitre.openid.connect.client.OIDCAuthenticationFilter;
|
6 |
|
|
import org.mitre.openid.connect.client.OIDCAuthenticationProvider;
|
7 |
|
|
import org.mitre.openid.connect.client.service.impl.*;
|
8 |
|
|
import org.mitre.openid.connect.config.ServerConfiguration;
|
9 |
|
|
import org.springframework.beans.factory.annotation.Value;
|
10 |
|
|
import org.springframework.context.annotation.Bean;
|
11 |
|
|
import org.springframework.context.annotation.Configuration;
|
12 |
|
|
import org.springframework.security.authentication.AuthenticationManager;
|
13 |
|
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
14 |
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
15 |
58701
|
antonis.le
|
import org.springframework.security.config.annotation.web.builders.WebSecurity;
|
16 |
57908
|
ioannis.di
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
17 |
|
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
18 |
|
|
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
|
19 |
|
|
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
|
20 |
|
|
|
21 |
58215
|
antonis.le
|
import java.util.*;
|
22 |
57908
|
ioannis.di
|
|
23 |
|
|
@Configuration
|
24 |
|
|
@EnableWebSecurity
|
25 |
|
|
public class AaiSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
26 |
|
|
|
27 |
|
|
@Value("${webapp.dev.front}")
|
28 |
|
|
private String logoutSuccessUrl;
|
29 |
|
|
|
30 |
|
|
@Value("${oidc.issuer}")
|
31 |
|
|
private String oidcIssuer;
|
32 |
|
|
|
33 |
|
|
@Value("${oidc.id}")
|
34 |
|
|
private String oidcId;
|
35 |
|
|
|
36 |
|
|
@Value("${oidc.secret}")
|
37 |
|
|
private String oidcSecret;
|
38 |
|
|
|
39 |
|
|
@Value("${oidc.dev.home}")
|
40 |
|
|
private String oidcDevHome;
|
41 |
|
|
|
42 |
|
|
@Value("${webapp.dev.front}")
|
43 |
|
|
private String webAppFrontEnd;
|
44 |
|
|
|
45 |
|
|
@Bean
|
46 |
|
|
@Override
|
47 |
|
|
public AuthenticationManager authenticationManagerBean() throws Exception {
|
48 |
|
|
return authenticationManager();
|
49 |
|
|
}
|
50 |
|
|
|
51 |
|
|
@Override
|
52 |
61318
|
spyroukon
|
protected void configure(AuthenticationManagerBuilder auth) {
|
53 |
57908
|
ioannis.di
|
auth.authenticationProvider(openIdConnectAuthenticationProvider());
|
54 |
|
|
}
|
55 |
|
|
|
56 |
|
|
@Override
|
57 |
61318
|
spyroukon
|
public void configure(WebSecurity web) {
|
58 |
58701
|
antonis.le
|
web.ignoring().antMatchers("/stats/**");
|
59 |
|
|
}
|
60 |
|
|
|
61 |
|
|
@Override
|
62 |
57908
|
ioannis.di
|
protected void configure(HttpSecurity http) throws Exception {
|
63 |
|
|
http.csrf().disable()
|
64 |
|
|
.anonymous().disable()
|
65 |
|
|
.authorizeRequests()
|
66 |
|
|
.anyRequest().authenticated()
|
67 |
|
|
.and()
|
68 |
61318
|
spyroukon
|
.httpBasic()
|
69 |
|
|
.authenticationEntryPoint(authenticationEntryPoint())
|
70 |
57908
|
ioannis.di
|
.and()
|
71 |
61318
|
spyroukon
|
.logout().logoutUrl("/openid_logout")
|
72 |
|
|
.invalidateHttpSession(true)
|
73 |
|
|
.deleteCookies("openAIRESession")
|
74 |
|
|
.logoutSuccessUrl(logoutSuccessUrl)
|
75 |
57908
|
ioannis.di
|
.and()
|
76 |
61318
|
spyroukon
|
.addFilterBefore(openIdConnectAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
|
77 |
57908
|
ioannis.di
|
;
|
78 |
|
|
}
|
79 |
|
|
|
80 |
|
|
@Bean
|
81 |
61318
|
spyroukon
|
public OIDCAuthenticationProvider openIdConnectAuthenticationProvider() {
|
82 |
57908
|
ioannis.di
|
OIDCAuthenticationProvider oidcProvider = new OIDCAuthenticationProvider();
|
83 |
|
|
oidcProvider.setAuthoritiesMapper(authoritiesMapper());
|
84 |
|
|
return oidcProvider;
|
85 |
|
|
}
|
86 |
|
|
|
87 |
|
|
@Bean
|
88 |
61318
|
spyroukon
|
public OpenAIREAuthoritiesMapper authoritiesMapper() {
|
89 |
|
|
OpenAIREAuthoritiesMapper authoritiesMapper = new OpenAIREAuthoritiesMapper();
|
90 |
57908
|
ioannis.di
|
return authoritiesMapper;
|
91 |
|
|
}
|
92 |
|
|
|
93 |
|
|
@Bean
|
94 |
61318
|
spyroukon
|
public StaticServerConfigurationService staticServerConfigurationService() {
|
95 |
57908
|
ioannis.di
|
StaticServerConfigurationService staticServerConfigurationService = new StaticServerConfigurationService();
|
96 |
|
|
Map<String, ServerConfiguration> servers = new HashMap<>();
|
97 |
|
|
servers.put(oidcIssuer, serverConfiguration());
|
98 |
|
|
staticServerConfigurationService.setServers(servers);
|
99 |
|
|
return staticServerConfigurationService;
|
100 |
|
|
}
|
101 |
|
|
|
102 |
|
|
@Bean
|
103 |
61318
|
spyroukon
|
public StaticClientConfigurationService staticClientConfigurationService() {
|
104 |
57908
|
ioannis.di
|
StaticClientConfigurationService staticClientConfigurationService = new StaticClientConfigurationService();
|
105 |
|
|
Map<String, RegisteredClient> clients = new HashMap<>();
|
106 |
61318
|
spyroukon
|
clients.put(oidcIssuer, registeredClient());
|
107 |
57908
|
ioannis.di
|
staticClientConfigurationService.setClients(clients);
|
108 |
|
|
return staticClientConfigurationService;
|
109 |
|
|
}
|
110 |
|
|
|
111 |
|
|
@Bean
|
112 |
61318
|
spyroukon
|
public RegisteredClient registeredClient() {
|
113 |
57908
|
ioannis.di
|
RegisteredClient registeredClient = new RegisteredClient();
|
114 |
|
|
registeredClient.setClientId(oidcId);
|
115 |
|
|
registeredClient.setClientSecret(oidcSecret);
|
116 |
61318
|
spyroukon
|
registeredClient.setScope(new HashSet<>(Arrays.asList("openid", "eduperson_entitlement", "profile", "email")));
|
117 |
57908
|
ioannis.di
|
registeredClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
|
118 |
|
|
registeredClient.setRedirectUris(new HashSet<>(Collections.singletonList(oidcDevHome)));
|
119 |
|
|
return registeredClient;
|
120 |
|
|
}
|
121 |
|
|
|
122 |
|
|
@Bean
|
123 |
61318
|
spyroukon
|
public StaticAuthRequestOptionsService staticAuthRequestOptionsService() {
|
124 |
57908
|
ioannis.di
|
return new StaticAuthRequestOptionsService();
|
125 |
|
|
}
|
126 |
|
|
|
127 |
|
|
@Bean
|
128 |
61318
|
spyroukon
|
public PlainAuthRequestUrlBuilder plainAuthRequestUrlBuilder() {
|
129 |
57908
|
ioannis.di
|
return new PlainAuthRequestUrlBuilder();
|
130 |
|
|
}
|
131 |
|
|
|
132 |
|
|
@Bean
|
133 |
61318
|
spyroukon
|
public ServerConfiguration serverConfiguration() {
|
134 |
57908
|
ioannis.di
|
ServerConfiguration serverConfiguration = new ServerConfiguration();
|
135 |
|
|
serverConfiguration.setIssuer(oidcIssuer);
|
136 |
61318
|
spyroukon
|
serverConfiguration.setAuthorizationEndpointUri(oidcIssuer + "authorize");
|
137 |
|
|
serverConfiguration.setTokenEndpointUri(oidcIssuer + "token");
|
138 |
|
|
serverConfiguration.setUserInfoUri(oidcIssuer + "userinfo");
|
139 |
|
|
serverConfiguration.setJwksUri(oidcIssuer + "jwk");
|
140 |
|
|
serverConfiguration.setRevocationEndpointUri(oidcIssuer + "revoke");
|
141 |
57908
|
ioannis.di
|
return serverConfiguration;
|
142 |
|
|
}
|
143 |
|
|
|
144 |
|
|
@Bean
|
145 |
61318
|
spyroukon
|
public LoginUrlAuthenticationEntryPoint authenticationEntryPoint() {
|
146 |
57908
|
ioannis.di
|
return new LoginUrlAuthenticationEntryPoint("/openid_connect_login");
|
147 |
|
|
}
|
148 |
|
|
|
149 |
|
|
|
150 |
|
|
@Bean
|
151 |
|
|
public OIDCAuthenticationFilter openIdConnectAuthenticationFilter() throws Exception {
|
152 |
|
|
OIDCAuthenticationFilter oidc = new OIDCAuthenticationFilter();
|
153 |
|
|
oidc.setAuthenticationManager(authenticationManagerBean());
|
154 |
|
|
oidc.setIssuerService(staticSingleIssuerService());
|
155 |
|
|
oidc.setServerConfigurationService(staticServerConfigurationService());
|
156 |
|
|
oidc.setClientConfigurationService(staticClientConfigurationService());
|
157 |
|
|
oidc.setAuthRequestOptionsService(staticAuthRequestOptionsService());
|
158 |
|
|
oidc.setAuthRequestUrlBuilder(plainAuthRequestUrlBuilder());
|
159 |
|
|
oidc.setAuthenticationSuccessHandler(frontEndRedirect());
|
160 |
|
|
return oidc;
|
161 |
|
|
}
|
162 |
|
|
|
163 |
|
|
@Bean
|
164 |
61318
|
spyroukon
|
public StaticSingleIssuerService staticSingleIssuerService() {
|
165 |
57908
|
ioannis.di
|
StaticSingleIssuerService staticSingleIssuerService = new StaticSingleIssuerService();
|
166 |
|
|
staticSingleIssuerService.setIssuer(oidcIssuer);
|
167 |
|
|
return staticSingleIssuerService;
|
168 |
|
|
}
|
169 |
|
|
|
170 |
|
|
@Bean(initMethod = "init")
|
171 |
61318
|
spyroukon
|
public FrontEndLinkURIAuthenticationSuccessHandler frontEndRedirect() {
|
172 |
57908
|
ioannis.di
|
FrontEndLinkURIAuthenticationSuccessHandler frontEnd = new FrontEndLinkURIAuthenticationSuccessHandler();
|
173 |
|
|
frontEnd.setFrontEndURI(webAppFrontEnd);
|
174 |
|
|
return frontEnd;
|
175 |
|
|
}
|
176 |
|
|
|
177 |
|
|
}
|