Commit 16b36f5a authored by Matija Obreza

Security configuration updated

- Anonymous users have ROLE_ANONYMOUS and ROLE_EVERYONE
- Registered users have ROLE_USER and ROLE_EVERYONE
parent 5c56d0fd
......@@ -26,7 +26,10 @@ public enum UserRole implements GrantedAuthority {
USER,
/** The administrator. */
ADMINISTRATOR;
ADMINISTRATOR,
/** Everyone role */
EVERYONE;
/**
* GrantedAuthorities start with ROLE_.
......
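Review bot: The Javadoc added above the new constant, `/** Everyone role */`, does not tell a reader the one thing that matters about it: per the commit description ROLE_EVERYONE is granted to anonymous principals as well as registered users, so an authorization rule keyed on it protects nothing beyond what permitAll does. I would expand it to `/** Granted to every principal, anonymous or registered; requiring this role is equivalent to permitAll — use USER to require an authenticated account. */`. The enum body continues outside the hunk, so the getAuthority() implementation that the following comment says prepends ROLE_ is not visible here.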
......@@ -15,6 +15,7 @@
*/
package org.genesys.catalog.service.impl;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.UUID;
......@@ -67,6 +68,11 @@ public class UserServiceImpl extends BasicUserServiceImpl<UserRole, User> implem
public UserRole getDefaultUserRole() {
return UserRole.USER;
}
@Override
public Collection<UserRole> getDefaultUserRoles() {
return Sets.newHashSet(UserRole.USER, UserRole.EVERYONE);
}
@Override
public List<UserRole> listAvailableRoles() {
......
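Review bot: The new `getDefaultUserRoles()` answers USER and EVERYONE while `getDefaultUserRole()` directly above it still answers USER alone, so the two defaults now disagree and which one a freshly created account actually receives depends on which method `BasicUserServiceImpl` consults, which is outside this hunk (the test in this commit expects both, so presumably the plural one). Neither method carries Javadoc; I would add `/** Roles every newly created account receives; EVERYONE is also held by anonymous principals, so it conveys no extra access. */` on the plural method and note on the singular one that it names the primary role only. The class begins outside the hunk.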
......@@ -82,14 +82,14 @@ public class UserServiceTest extends ServiceTest {
@Test
public void grantRoles() throws NotUniqueUserException, PasswordPolicyException, UserException {
User u = userService.createUser(USER_EMAIL, null, USER_PASSWORD, BasicUser.AccountType.LOCAL);
assertThat("Account must have default role assigned", u.getRoles(), containsInAnyOrder(UserRole.USER));
assertThat("Account must have default role assigned", u.getRoles(), containsInAnyOrder(UserRole.USER, UserRole.EVERYONE));
u = userService.setRoles(u, Sets.newHashSet(UserRole.USER, UserRole.ADMINISTRATOR));
assertThat("Account must have USER and ADMINISTRATOR roles", u.getRoles(), containsInAnyOrder(UserRole.USER, UserRole.ADMINISTRATOR));
assertThat("Account must have USER and ADMINISTRATOR roles", u.getRoles(), containsInAnyOrder(UserRole.USER, UserRole.EVERYONE, UserRole.ADMINISTRATOR));
u = userService.getUser(u.getId());
assertThat("Account must have USER and ADMINISTRATOR roles", u.getRoles(), containsInAnyOrder(UserRole.USER, UserRole.ADMINISTRATOR));
assertThat("Account must have USER and ADMINISTRATOR roles", u.getRoles(), containsInAnyOrder(UserRole.USER, UserRole.EVERYONE, UserRole.ADMINISTRATOR));
userService.setRoles(u, Sets.newHashSet(UserRole.USER));
u = userService.getUser(u.getId());
assertThat("Account must have USER role", u.getRoles(), containsInAnyOrder(UserRole.USER));
assertThat("Account must have USER role", u.getRoles(), containsInAnyOrder(UserRole.USER, UserRole.EVERYONE));
}
}
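Review bot: The assertion messages were not updated alongside the expected sets: `Account must have USER role` now checks for USER and EVERYONE, and `Account must have default role assigned` now checks two roles, so a failure would report the wrong expectation; the last one should read `assertThat("Account must have USER and EVERYONE roles", u.getRoles(), containsInAnyOrder(UserRole.USER, UserRole.EVERYONE));`. The assertion after `setRoles(u, Sets.newHashSet(UserRole.USER, UserRole.ADMINISTRATOR))` expects EVERYONE even though the caller did not pass it, which makes the test depend on the service re-adding default roles on every setRoles call; that invariant is not visible in this diff, and a dedicated assertion that a caller cannot strip EVERYONE (setRoles with ADMINISTRATOR only, then check) would pin it explicitly rather than incidentally.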
......@@ -59,8 +59,8 @@ public class OAuth2ServerConfig {
@Value("${default.oauth.refreshToken.validity}")
private int refreshTokenValiditySeconds;
@Value("${default.jwt.signingKey}")
private String jwtSigningKey;
@Value("${default.jwt.signingKey}")
private String jwtSigningKey;
@Autowired
private UserDetailsService userDetailsService;
......@@ -114,21 +114,28 @@ public class OAuth2ServerConfig {
@Override
public void configure(final HttpSecurity http) throws Exception {
/*@formatter:off*/
http
// Since we want the protected resources to be accessible in the UI as well we
// need
// session creation to be allowed (it's disabled by default in 2.0.6)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
// cors
.and().cors()
// TODO 1.7 Delete "/token" URL
.and().requestMatchers().antMatchers("/api/**", "/google/verify-token", "/token")
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
// TODO 1.7 Delete "/token" URL
.and().authorizeRequests().antMatchers("/api/**", "/google/verify-token", "/token").authenticated()
.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
// CORS
.and().cors()
// TODO 1.7 Delete "/token" URL
.and().requestMatchers()
.antMatchers("/api/**", "/google/verify-token", "/token")
// TODO 1.7 Delete "/token" URL
.and().authorizeRequests()
.antMatchers("/api/**", "/google/verify-token", "/token").authenticated()
.and().exceptionHandling()
.accessDeniedHandler(new OAuth2AccessDeniedHandler());
/*@formatter:on*/
}
@Override
......
......@@ -50,34 +50,59 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
return new BCryptPasswordEncoder();
}
// @Bean
// public AuthenticationProvider runAsAuthenticationProvider() {
// RunAsImplAuthenticationProvider authProvider = new RunAsImplAuthenticationProvider();
// authProvider.setKey("MyRunAsKey");
// return authProvider;
// }
// @Bean
// public AuthenticationProvider runAsAuthenticationProvider() {
// RunAsImplAuthenticationProvider authProvider = new
// RunAsImplAuthenticationProvider();
// authProvider.setKey("MyRunAsKey");
// return authProvider;
// }
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth
//.authenticationProvider(runAsAuthenticationProvider())
// .authenticationProvider(runAsAuthenticationProvider())
.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
/*@formatter:off*/
http
// No JSESSIONID in URL
.sessionManagement().enableSessionUrlRewriting(false) // Authorizations
.sessionManagement()
.enableSessionUrlRewriting(false)
// Anon
.and().anonymous()
.authorities("ROLE_ANONYMOUS", "ROLE_EVERYONE")
// Authorizations
.and().authorizeRequests()
// Rules
.antMatchers("/user/login").permitAll().antMatchers("/browse.jsp").permitAll().antMatchers("/").hasAnyRole("USER").and().exceptionHandling()
// access denied
.accessDeniedPage("/user/login?authorization_error=true").and().csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable()
.antMatchers("/user/login").permitAll()
.antMatchers("/browse.jsp").permitAll()
.antMatchers("/").hasAnyRole("USER")
// Error handling
.and().exceptionHandling()
// access denied
.accessDeniedPage("/user/login?authorization_error=true")
// CSRF
.and().csrf()
// Disabled on /oauth/authorize
.requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable()
// Logout and login
.logout().logoutUrl("/logout").logoutSuccessUrl("/")
.and().formLogin().permitAll().loginPage("/user/login").loginProcessingUrl("/login-attempt").failureUrl("/user/login?authentication_error=true");
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.and().formLogin()
.permitAll()
.loginPage("/user/login")
.loginProcessingUrl("/login-attempt")
.failureUrl("/user/login?authentication_error=true");
/*@formatter:on*/
}
@Override
......
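Review bot: The new comment `// Disabled on /oauth/authorize` above `.requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable()` misdescribes the line: `.disable()` removes the CSRF configurer entirely, so the matcher is never consulted and CSRF protection is off for every request, including the form login at `/login-attempt` and `/logout`. Either the comment should say `// CSRF protection disabled for all requests (matcher has no effect)` or, if the intent really is to protect only /oauth/authorize, the `.disable()` call should go; the behaviour predates this commit, but the comment now asserts the opposite of what the code does. Separately, `.authorities("ROLE_ANONYMOUS", "ROLE_EVERYONE")` hard-codes a string that `UserRole.EVERYONE` already defines, so `UserRole.EVERYONE.getAuthority()` would keep the two from drifting, and a comment noting that ROLE_EVERYONE is therefore held by unauthenticated sessions (so `hasRole("EVERYONE")` grants nothing beyond permitAll) would help the next maintainer. The enclosing class starts outside the hunk.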