D-Net
/
dnet-applications
23
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
new_funders_api
flatten_index
new-is-app
newDirectIndex
old_wf_history_for_beta_and_prod
scholexplorer
openid-authentication
dnet-applications-3.5.3
dnet-applications-3.5.2
dnet-applications-3.5.1
dnet-applications-3.5.0
dnet-applications-3.4.4
dnet-applications-3.4.3
dnet-applications-3.4.2
dnet-applications-3.4.1
dnet-applications-3.4.0
dnet-applications-3.3.3
dnet-applications-3.3.2
dnet-applications-3.3.1
3.3.0
dnet-applications-3.2.8
dnet-applications-3.2.7
dnet-applications-3.2.6
dnet-applications-3.2.5
dnet-applications-3.2.4
dnet-applications-3.2.3
dnet-applications-3.2.2
dnet-applications-3.2.1
3.2.0
dnet-applications-3.1.8
dnet-applications-3.1.7
dnet-applications-3.1.6
dnet-applications-3.1.5
dnet-applications-3.1.4
dnet-applications-3.1.3
dnet-applications-3.1.2
dnet-applications-3.1.1
dnet-applications-3.1.0
dnet-applications-3.0.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'aba94db0c8'
${ noResults }
dnet-applications/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/OAuth2WebSecurityConfig.java

151 lines
5.9 KiB
Java
Raw Blame History

package eu.dnetlib.organizations;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.access.AccessDeniedHandler;
import eu.dnetlib.organizations.controller.UserInfo;
import eu.dnetlib.organizations.controller.UserRole;
import eu.dnetlib.organizations.model.User;
import eu.dnetlib.organizations.utils.DatabaseUtils;
import eu.dnetlib.organizations.utils.OpenOrgsConstants;
@Profile("!dev")
@Configuration
@EnableWebSecurity
public class OAuth2WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DatabaseUtils databaseUtils;
@Autowired
private ClientRegistrationRepository clientRegistrationRepository;
@Value("${openaire.api.valid.subnet}")
private String openaireApiValidSubnet;
@Value("${openaire.override.logout.url}")
private String openaireLogoutUrl;
private static Logger logger = LoggerFactory.getLogger(OAuth2WebSecurityConfig.class);
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/main", "/api/**")
.hasAnyRole(OpenOrgsConstants.VALID_ROLES)
.antMatchers("/registration_api/**")
.hasRole(OpenOrgsConstants.NOT_AUTORIZED_ROLE)
.antMatchers("/", "/resources/**", "/webjars/**")
.permitAll()
.antMatchers("/oa_api/**")
.hasIpAddress(openaireApiValidSubnet)
.anyRequest()
.authenticated()
.and()
.exceptionHandling()
.accessDeniedHandler(accessDeniedHandler())
.and()
.logout()
.logoutSuccessHandler(oidcLogoutSuccessHandler())
.invalidateHttpSession(true)
.clearAuthentication(true)
.deleteCookies("JSESSIONID")
.and()
.oauth2Login(oauth2 -> oauth2.userInfoEndpoint(userInfo -> userInfo.oidcUserService(this.oidcUserService())));
}
private AccessDeniedHandler accessDeniedHandler() {
return (req, res, e) -> {
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null) {
logger.warn(String
.format("User '%s' (%s) attempted to access the protected URL: %s", UserInfo.getEmail(authentication), req
.getRemoteAddr(), req.getRequestURI()));
}
if (UserInfo.isNotAuthorized(authentication)) {
res.sendRedirect(req.getContextPath() + "/authorizationRequest");
} else {
res.sendRedirect(req.getContextPath() + "/alreadyRegistered");
}
};
}
private OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {
final OidcClientInitiatedLogoutSuccessHandler handler = new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
// NB:
// The same URL must be configured server side:
// Manage Clients > Edit Client > Other > Post-Logout Redirect
handler.setPostLogoutRedirectUri("{baseUrl}");
handler.setRedirectStrategy((req, res, url) -> {
if (StringUtils.isNotBlank(openaireLogoutUrl)) {
logger.info("Performing remote logout: " + openaireLogoutUrl);
res.sendRedirect(openaireLogoutUrl);
} else {
logger.info("Performing remote logout: " + url);
res.sendRedirect(url);
}
});
return handler;
}
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
final OidcUserService delegate = new OidcUserService();
return (userRequest) -> {
final OidcUser oidcUser = delegate.loadUser(userRequest);
final String role = "ROLE_" + OpenOrgsConstants.OPENORGS_ROLE_PREFIX + databaseUtils.findUser(oidcUser.getEmail())
.map(User::getRole)
.filter(StringUtils::isNotBlank)
.orElse(UserRole.NOT_AUTHORIZED.toString());
final Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
mappedAuthorities.add(new SimpleGrantedAuthority(role));
return new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
};
}
// https://www.baeldung.com/spring-security-openid-connect
// https://github.com/mitreid-connect/
// https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/tree/master/openid-connect-client
// https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Client-configuration
// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-login-core/trunk/
// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-user-management/trunk/
// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-openaire-users/trunk/
// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-login/trunk/
// Aprire Ticket a GRNET con Argiro e Katerina come watchers
}
Reference in New Issue View Git Blame Copy Permalink