Commit 8a25a86f authored by Matija Obreza's avatar Matija Obreza

Merge branch 'ui-154-less-use-of-proxy' into 'master'

Preparing for CORS on /api

See merge request genesys-pgr/genesys-server!339
parents 5c4719d9 06341534
......@@ -18,12 +18,14 @@ package org.genesys2.spring.config;
import java.util.Arrays;
import org.genesys.blocks.oauth.service.OAuthServiceImpl;
import org.genesys.blocks.security.component.OAuthClientOriginCheckFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
......@@ -48,6 +50,7 @@ import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
@Configuration
public class OAuth2ServerConfig {
......@@ -101,7 +104,13 @@ public class OAuth2ServerConfig {
@Configuration
@EnableResourceServer
protected class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
// OAuth2 CORS Origin header checker
// @Bean
// public OAuthClientOriginCheckFilter clientOriginCheckFilter() {
// return new OAuthClientOriginCheckFilter();
// }
@Override
public void configure(final ResourceServerSecurityConfigurer resources) {
final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
......@@ -113,32 +122,43 @@ public class OAuth2ServerConfig {
@Override
public void configure(final HttpSecurity http) throws Exception {
/*@formatter:off*/
http.requestMatchers().antMatchers("/oauth/**", "/api/**").and()
http
.requestMatchers().antMatchers("/oauth/**", "/api/**").and()
// no sessions
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
// no CSRF
.csrf().disable()
// CORS
.cors().and()
// Anons have ROLE_EVERYONE
.anonymous().authorities("ROLE_ANONYMOUS", "ROLE_EVERYONE").and()
// And exception handling
.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()).and()
// CORS pre-flight unauthorized
.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/api/**").anonymous().and()
.antMatcher("/oauth/**")
// authorize everthing on this path
.authorizeRequests().anyRequest().fullyAuthenticated().and()
// disable CORS on /oauth
.cors().disable()
// authorize everthing on this path
.authorizeRequests().anyRequest().fullyAuthenticated().and()
// /api/**
// authorizations
.antMatcher("/api/v0/info/version").anonymous().and()
.antMatcher("/api/google/**").anonymous().and() // Allow anonymous request for google auth
// others must be authenticated
.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
// Origins must match
;
/*@formatter:on*/
// http.addFilterAfter(clientOriginCheckFilter(), AbstractPreAuthenticatedProcessingFilter.class);
}
}
......@@ -189,6 +209,7 @@ public class OAuth2ServerConfig {
defaultTokenServices.setTokenEnhancer(accessTokenConverter());
return defaultTokenServices;
}
@Override
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
......@@ -209,8 +230,7 @@ public class OAuth2ServerConfig {
@Override
public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients().checkTokenAccess("permitAll()").realm(APPLICATION_RESOURCE_ID + "/client").passwordEncoder(passwordEncoder); // added
// encoder
oauthServer.allowFormAuthenticationForClients().checkTokenAccess("permitAll()").realm(APPLICATION_RESOURCE_ID + "/client").passwordEncoder(passwordEncoder);
}
}
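Review bot: The `.cors().disable()` under the `// disable CORS on /oauth` comment is not scoped to `/oauth/**`: one `HttpSecurity` builds one filter chain, each `.antMatcher(...)` call only replaces that chain's request matcher (the last one, `/api/**`, wins), and `disable()` removes the chain's `CorsConfigurer` outright, so as far as I can tell it cancels the `.cors().and()` added a few lines above for `/api/**` — the opposite of what the merge title describes. The `.antMatcher("/api/v0/info/version").anonymous().and()` and `.antMatcher("/api/google/**").anonymous().and()` lines have the same shape problem: `anonymous()` there re-enters the anonymous-authentication configurer rather than granting access to those paths, so the effective rules are only the ones registered through `authorizeRequests()`, and calling `anyRequest()` twice on that registry may be rejected depending on the Spring Security version in use. I would keep a single `.cors()` on this chain, put the per-path/per-origin policy into the `CorsConfigurationSource` bean (returning no configuration for `/oauth/**`), and express the path rules as ordered `antMatchers` on one `authorizeRequests()`, as sketched below. The imports of `OAuthClientOriginCheckFilter` and `AbstractPreAuthenticatedProcessingFilter` now serve only commented-out code, and the dangling `// Origins must match` comment with nothing under it should be removed or reworded to say where the origin check actually happens. `configure(HttpSecurity)` is complete within the hunk.
```java
http
    .requestMatchers().antMatchers("/oauth/**", "/api/**").and()
    // … unchanged: sessionManagement, csrf, anonymous, exceptionHandling …
    // one CORS configurer for the whole chain; per-path/per-origin policy lives in the CorsConfigurationSource bean
    .cors().and()
    .authorizeRequests()
        // CORS pre-flight carries no credentials
        .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
        .antMatchers("/api/v0/info/version", "/api/google/**").permitAll()
        .antMatchers("/oauth/**").fullyAuthenticated()
        .antMatchers("/api/**").authenticated()
    ;
```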
......@@ -5394,3 +5394,15 @@ databaseChangeLog:
name: listid
indexName: FK_io2guhjvbw0d25hwmghg18ccu
tableName: accession_listitem
- changeSet:
id: 1548604678-1
author: mobreza
comment: Extend OAuthClient with origins field
changes:
- addColumn:
tableName: oauthclient
columns:
- column:
name: origins
type: varchar(200)
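Review bot: The new `origins` column carries no `remarks:` entry, so nothing in the changelog records what the field holds or how several origins are separated, and a 200-character `varchar` fits only a handful of full `scheme://host[:port]` values. I would add `remarks: Allowed CORS origins for this OAuth client (delimiter: TODO-confirm)` under the column and, if more than a few origins per client are expected, reconsider the length before this migration ships. The code that reads the field is not in the shown hunks, so the delimiter and intended cardinality are inferred here.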