Commit 8a25a86f authored by Matija Obreza

Merge branch 'ui-154-less-use-of-proxy' into 'master'

Preparing for CORS on /api

See merge request genesys-pgr/genesys-server!339
parents 5c4719d9 06341534
...@@ -18,12 +18,14 @@ package org.genesys2.spring.config; ...@@ -18,12 +18,14 @@ package org.genesys2.spring.config;
import java.util.Arrays; import java.util.Arrays;
import org.genesys.blocks.oauth.service.OAuthServiceImpl; import org.genesys.blocks.oauth.service.OAuthServiceImpl;
import org.genesys.blocks.security.component.OAuthClientOriginCheckFilter;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary; import org.springframework.context.annotation.Primary;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.http.SessionCreationPolicy;
...@@ -48,6 +50,7 @@ import org.springframework.security.oauth2.provider.token.TokenEnhancerChain; ...@@ -48,6 +50,7 @@ import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.TokenStore; import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter; import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore; import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
@Configuration @Configuration
public class OAuth2ServerConfig { public class OAuth2ServerConfig {
...@@ -101,7 +104,13 @@ public class OAuth2ServerConfig { ...@@ -101,7 +104,13 @@ public class OAuth2ServerConfig {
@Configuration @Configuration
@EnableResourceServer @EnableResourceServer
protected class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { protected class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
// OAuth2 CORS Origin header checker
// @Bean
// public OAuthClientOriginCheckFilter clientOriginCheckFilter() {
// return new OAuthClientOriginCheckFilter();
// }
@Override @Override
public void configure(final ResourceServerSecurityConfigurer resources) { public void configure(final ResourceServerSecurityConfigurer resources) {
final DefaultTokenServices defaultTokenServices = new DefaultTokenServices(); final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
...@@ -113,32 +122,43 @@ public class OAuth2ServerConfig { ...@@ -113,32 +122,43 @@ public class OAuth2ServerConfig {
@Override @Override
public void configure(final HttpSecurity http) throws Exception { public void configure(final HttpSecurity http) throws Exception {
/*@formatter:off*/ /*@formatter:off*/
http.requestMatchers().antMatchers("/oauth/**", "/api/**").and() http
.requestMatchers().antMatchers("/oauth/**", "/api/**").and()
// no sessions // no sessions
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
// no CSRF // no CSRF
.csrf().disable() .csrf().disable()
// CORS
.cors().and()
// Anons have ROLE_EVERYONE // Anons have ROLE_EVERYONE
.anonymous().authorities("ROLE_ANONYMOUS", "ROLE_EVERYONE").and() .anonymous().authorities("ROLE_ANONYMOUS", "ROLE_EVERYONE").and()
// And exception handling // And exception handling
.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()).and() .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()).and()
// CORS pre-flight unauthorized
.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/api/**").anonymous().and()
.antMatcher("/oauth/**") .antMatcher("/oauth/**")
// authorize everthing on this path // disable CORS on /oauth
.authorizeRequests().anyRequest().fullyAuthenticated().and() .cors().disable()
// authorize everthing on this path
.authorizeRequests().anyRequest().fullyAuthenticated().and()
// /api/** // /api/**
// authorizations // authorizations
.antMatcher("/api/v0/info/version").anonymous().and() .antMatcher("/api/v0/info/version").anonymous().and()
.antMatcher("/api/google/**").anonymous().and() // Allow anonymous request for google auth .antMatcher("/api/google/**").anonymous().and() // Allow anonymous request for google auth
// others must be authenticated // others must be authenticated
.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated() .antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
// Origins must match
; ;
/*@formatter:on*/ /*@formatter:on*/
// http.addFilterAfter(clientOriginCheckFilter(), AbstractPreAuthenticatedProcessingFilter.class);
} }
} }
...@@ -189,6 +209,7 @@ public class OAuth2ServerConfig { ...@@ -189,6 +209,7 @@ public class OAuth2ServerConfig {
defaultTokenServices.setTokenEnhancer(accessTokenConverter()); defaultTokenServices.setTokenEnhancer(accessTokenConverter());
return defaultTokenServices; return defaultTokenServices;
} }
@Override @Override
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception { public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
...@@ -209,8 +230,7 @@ public class OAuth2ServerConfig { ...@@ -209,8 +230,7 @@ public class OAuth2ServerConfig {
@Override @Override
public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception { public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients().checkTokenAccess("permitAll()").realm(APPLICATION_RESOURCE_ID + "/client").passwordEncoder(passwordEncoder); // added oauthServer.allowFormAuthenticationForClients().checkTokenAccess("permitAll()").realm(APPLICATION_RESOURCE_ID + "/client").passwordEncoder(passwordEncoder);
// encoder
} }
} }
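Review bot: `.cors().disable()` under `.antMatcher("/oauth/**")` in the `configure(HttpSecurity)` hunk removes the `CorsConfigurer` from this whole `HttpSecurity` (`disable()` drops the configurer from the builder, and `antMatcher` only replaces the chain's request matcher — it does not scope the configurers that follow it), so it cancels the `.cors().and()` added a few lines above and the comment `// disable CORS on /oauth` describes something the code does not do. If CORS is meant for `/api/**` only, delete the two lines `// disable CORS on /oauth` and `.cors().disable()` and register the `CorsConfigurationSource` (not visible in this hunk — presumably a bean elsewhere) for the `/api/**` path pattern only, so `/oauth/**` never receives CORS headers. The preflight rule `.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/api/**").anonymous().and()` is placed before the `anyRequest()` rules, which is the order it needs to take effect. The imports `OAuthClientOriginCheckFilter` and `AbstractPreAuthenticatedProcessingFilter` added in the first two hunks are referenced only from commented-out code (the bean at the top of `ResourceServerConfiguration` and the `// http.addFilterAfter(...)` line), so they are unused; either wire the filter or drop the imports together with the dead comments rather than leaving the per-client origin check half-present.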
...@@ -5394,3 +5394,15 @@ databaseChangeLog: ...@@ -5394,3 +5394,15 @@ databaseChangeLog:
name: listid name: listid
indexName: FK_io2guhjvbw0d25hwmghg18ccu indexName: FK_io2guhjvbw0d25hwmghg18ccu
tableName: accession_listitem tableName: accession_listitem
- changeSet:
id: 1548604678-1
author: mobreza
comment: Extend OAuthClient with origins field
changes:
- addColumn:
tableName: oauthclient
columns:
- column:
name: origins
type: varchar(200)
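Review bot: The new `origins` column is sized `varchar(200)` and the changeSet does not say how several origins are stored in it; a handful of `https://host:port` values already approaches 200 characters, so if the field is meant to hold a list, a larger type is safer and should be chosen now rather than in a follow-up migration. The `comment` should also record the storage format so the matching code can be audited against it, e.g. `comment: Extend OAuthClient with origins field (<format of stored origins, e.g. separator>)` — assuming the application stores more than one origin per client. Existing rows get a NULL `origins` value since no default is declared, which the consumer of this column has to treat as "no origins configured"; worth stating in the comment as well.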