2020-07-03 12:09:22 +02:00
|
|
|
package eu.dnetlib.organizations;
|
|
|
|
|
2020-11-04 12:18:25 +01:00
|
|
|
import java.util.HashSet;
|
|
|
|
import java.util.Set;
|
|
|
|
|
2020-11-04 14:18:41 +01:00
|
|
|
import org.apache.commons.lang3.StringUtils;
|
2020-11-04 15:06:34 +01:00
|
|
|
import org.slf4j.Logger;
|
|
|
|
import org.slf4j.LoggerFactory;
|
2020-11-04 12:18:25 +01:00
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
2020-09-29 11:34:31 +02:00
|
|
|
import org.springframework.beans.factory.annotation.Value;
|
2020-07-03 12:09:22 +02:00
|
|
|
import org.springframework.context.annotation.Configuration;
|
2020-11-23 12:02:33 +01:00
|
|
|
import org.springframework.context.annotation.Profile;
|
2020-07-03 12:09:22 +02:00
|
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
|
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
2020-11-04 15:06:34 +01:00
|
|
|
import org.springframework.security.core.Authentication;
|
2020-11-04 12:18:25 +01:00
|
|
|
import org.springframework.security.core.GrantedAuthority;
|
|
|
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
2020-11-04 15:06:34 +01:00
|
|
|
import org.springframework.security.core.context.SecurityContextHolder;
|
2020-11-04 12:18:25 +01:00
|
|
|
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
|
|
|
|
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
|
2020-11-04 15:06:34 +01:00
|
|
|
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
|
|
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
2020-11-04 12:18:25 +01:00
|
|
|
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
|
|
|
|
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
|
|
|
|
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
|
2020-11-04 14:18:41 +01:00
|
|
|
import org.springframework.security.web.access.AccessDeniedHandler;
|
2020-11-04 12:18:25 +01:00
|
|
|
|
2020-11-04 15:06:34 +01:00
|
|
|
import eu.dnetlib.organizations.controller.UserInfo;
|
2020-11-04 12:18:25 +01:00
|
|
|
import eu.dnetlib.organizations.controller.UserRole;
|
|
|
|
import eu.dnetlib.organizations.model.User;
|
2020-11-12 15:47:41 +01:00
|
|
|
import eu.dnetlib.organizations.utils.DatabaseUtils;
|
2020-11-23 12:02:33 +01:00
|
|
|
import eu.dnetlib.organizations.utils.OpenOrgsConstants;
|
2020-07-03 12:09:22 +02:00
|
|
|
|
2020-11-23 12:02:33 +01:00
|
|
|
@Profile("!dev")
|
2020-07-03 12:09:22 +02:00
|
|
|
@Configuration
|
|
|
|
@EnableWebSecurity
|
2020-11-23 12:02:33 +01:00
|
|
|
public class OAuth2WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
2020-07-03 12:09:22 +02:00
|
|
|
|
2020-11-04 12:18:25 +01:00
|
|
|
@Autowired
|
2020-11-12 15:47:41 +01:00
|
|
|
private DatabaseUtils databaseUtils;
|
2020-07-03 12:09:22 +02:00
|
|
|
|
2020-11-04 14:18:41 +01:00
|
|
|
@Autowired
|
2020-11-04 15:06:34 +01:00
|
|
|
private ClientRegistrationRepository clientRegistrationRepository;
|
2020-11-04 14:18:41 +01:00
|
|
|
|
2020-09-29 11:34:31 +02:00
|
|
|
@Value("${openaire.api.valid.subnet}")
|
|
|
|
private String openaireApiValidSubnet;
|
|
|
|
|
2020-12-02 16:10:23 +01:00
|
|
|
@Value("${openaire.override.logout.url}")
|
|
|
|
private String openaireLogoutUrl;
|
|
|
|
|
2020-11-23 12:02:33 +01:00
|
|
|
private static Logger logger = LoggerFactory.getLogger(OAuth2WebSecurityConfig.class);
|
2020-11-04 14:18:41 +01:00
|
|
|
|
2020-07-03 12:09:22 +02:00
|
|
|
@Override
|
|
|
|
protected void configure(final HttpSecurity http) throws Exception {
|
2020-11-04 14:18:41 +01:00
|
|
|
http.csrf()
|
|
|
|
.disable()
|
|
|
|
.authorizeRequests()
|
2020-11-04 15:06:34 +01:00
|
|
|
.antMatchers("/main", "/api/**")
|
2020-11-23 12:02:33 +01:00
|
|
|
.hasAnyRole(OpenOrgsConstants.VALID_ROLES)
|
2020-11-04 14:18:41 +01:00
|
|
|
.antMatchers("/registration_api/**")
|
2020-11-23 12:02:33 +01:00
|
|
|
.hasRole(OpenOrgsConstants.NOT_AUTORIZED_ROLE)
|
2021-04-26 11:32:17 +02:00
|
|
|
.antMatchers("/", "/resources/**", "/webjars/**", "/metrics", "/health", "/dbmodel/**")
|
2020-11-04 14:18:41 +01:00
|
|
|
.permitAll()
|
|
|
|
.antMatchers("/oa_api/**")
|
|
|
|
.hasIpAddress(openaireApiValidSubnet)
|
|
|
|
.anyRequest()
|
|
|
|
.authenticated()
|
|
|
|
.and()
|
|
|
|
.exceptionHandling()
|
2020-11-04 15:06:34 +01:00
|
|
|
.accessDeniedHandler(accessDeniedHandler())
|
|
|
|
.and()
|
|
|
|
.logout()
|
|
|
|
.logoutSuccessHandler(oidcLogoutSuccessHandler())
|
2020-12-02 16:10:23 +01:00
|
|
|
.invalidateHttpSession(true)
|
|
|
|
.clearAuthentication(true)
|
|
|
|
.deleteCookies("JSESSIONID")
|
2020-11-04 14:18:41 +01:00
|
|
|
.and()
|
|
|
|
.oauth2Login(oauth2 -> oauth2.userInfoEndpoint(userInfo -> userInfo.oidcUserService(this.oidcUserService())));
|
2020-11-04 15:06:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
private AccessDeniedHandler accessDeniedHandler() {
|
|
|
|
return (req, res, e) -> {
|
|
|
|
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
|
|
|
if (authentication != null) {
|
|
|
|
logger.warn(String
|
2020-11-23 12:02:33 +01:00
|
|
|
.format("User '%s' (%s) attempted to access the protected URL: %s", UserInfo.getEmail(authentication), req
|
2020-11-04 15:06:34 +01:00
|
|
|
.getRemoteAddr(), req.getRequestURI()));
|
|
|
|
}
|
|
|
|
|
|
|
|
if (UserInfo.isNotAuthorized(authentication)) {
|
|
|
|
res.sendRedirect(req.getContextPath() + "/authorizationRequest");
|
|
|
|
} else {
|
|
|
|
res.sendRedirect(req.getContextPath() + "/alreadyRegistered");
|
|
|
|
}
|
|
|
|
};
|
|
|
|
}
|
2020-11-04 14:18:41 +01:00
|
|
|
|
2020-11-04 15:06:34 +01:00
|
|
|
private OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {
|
2020-11-05 09:55:02 +01:00
|
|
|
final OidcClientInitiatedLogoutSuccessHandler handler = new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
|
|
|
|
// NB:
|
|
|
|
// The same URL must be configured server side:
|
|
|
|
// Manage Clients > Edit Client > Other > Post-Logout Redirect
|
2020-12-02 16:10:23 +01:00
|
|
|
|
2020-11-05 09:55:02 +01:00
|
|
|
handler.setPostLogoutRedirectUri("{baseUrl}");
|
2020-12-02 16:10:23 +01:00
|
|
|
handler.setRedirectStrategy((req, res, url) -> {
|
|
|
|
if (StringUtils.isNotBlank(openaireLogoutUrl)) {
|
|
|
|
logger.info("Performing remote logout: " + openaireLogoutUrl);
|
|
|
|
res.sendRedirect(openaireLogoutUrl);
|
|
|
|
} else {
|
|
|
|
logger.info("Performing remote logout: " + url);
|
|
|
|
res.sendRedirect(url);
|
|
|
|
}
|
|
|
|
});
|
2020-11-05 09:55:02 +01:00
|
|
|
return handler;
|
|
|
|
|
2020-07-03 12:09:22 +02:00
|
|
|
}
|
|
|
|
|
2020-11-04 12:18:25 +01:00
|
|
|
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
|
|
|
|
final OidcUserService delegate = new OidcUserService();
|
|
|
|
|
|
|
|
return (userRequest) -> {
|
|
|
|
final OidcUser oidcUser = delegate.loadUser(userRequest);
|
|
|
|
|
2020-11-23 12:02:33 +01:00
|
|
|
final String role = "ROLE_" + OpenOrgsConstants.OPENORGS_ROLE_PREFIX + databaseUtils.findUser(oidcUser.getEmail())
|
2020-11-04 14:18:41 +01:00
|
|
|
.map(User::getRole)
|
|
|
|
.filter(StringUtils::isNotBlank)
|
|
|
|
.orElse(UserRole.NOT_AUTHORIZED.toString());
|
2020-11-04 12:18:25 +01:00
|
|
|
|
|
|
|
final Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
|
2020-11-04 14:18:41 +01:00
|
|
|
mappedAuthorities.add(new SimpleGrantedAuthority(role));
|
2020-11-04 12:18:25 +01:00
|
|
|
|
|
|
|
return new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
|
|
|
|
};
|
|
|
|
}
|
2020-11-04 10:30:29 +01:00
|
|
|
|
|
|
|
// https://www.baeldung.com/spring-security-openid-connect
|
|
|
|
|
|
|
|
// https://github.com/mitreid-connect/
|
|
|
|
// https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/tree/master/openid-connect-client
|
|
|
|
// https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Client-configuration
|
|
|
|
|
|
|
|
// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-login-core/trunk/
|
|
|
|
// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-user-management/trunk/
|
|
|
|
// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-openaire-users/trunk/
|
|
|
|
// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-login/trunk/
|
|
|
|
|
|
|
|
// Aprire Ticket a GRNET con Argiro e Katerina come watchers
|
2020-07-03 12:09:22 +02:00
|
|
|
|
|
|
|
}
|