Go to file
Konstantinos Triantafyllou 8efabf06a8 Update spring boot parent 2024-09-13 11:30:14 +03:00
src/main Change Exception Handler for Exception to RuntimeException. 2024-09-10 10:28:18 +03:00
.gitignore [springboot3]: Refactor websecurity logic 2024-08-13 17:08:06 +03:00
README.md [springboot3]: Refactor websecurity logic 2024-08-13 17:08:06 +03:00
pom.xml Update spring boot parent 2024-09-13 11:30:14 +03:00

README.md

Authorization Library

Authorization library is a library that provides a Spring Security (6.x.x) process in order to authorize the endpoints of a service base on OpenAIRE Authorities. It can be used with two different session strategies, a stateless and a Redis http session. Also, it includes swagger configuration.

Stateless

In stateless strategy, there is not a session. A filter makes a request to an "userinfo" endpoint and creates an Authentication base on the response. The advantage of this method is that it doesn't need any storage to store user's session, but with a cost of an extra http request per request.

Usage

pom.xml

<dependency>
    <groupId>eu.dnetlib</groupId>
    <artifactId>uoa-authorization-library</artifactId>
    <version>3.0.1</version>
</dependency>

Spring Application/Configuration

import eu.dnetlib.uoaauthorizationlibrary.authorization.SecurityConfiguration;    

@PropertySources({@PropertySource("classpath:authorization.securityProperties")})
@Import(SecurityConfiguration.class)
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

Configuration

authorization.security.userInfoUrl = http://<domain>/login-service/userInfo # Required, default ""
authorization.security.session=<session-cookie-name> # Default openAIRESession
authorization.security.domain=<domain-suffix> # e.g openaire.eu Default: di.uoa.gr

Redis

In Redis strategy, session is stored to a Redis database when a user authenticates himself through a login service. The disadvantage of this strategy is that it needs access to the Redis database where session is stored.

Usage

pom.xml

<dependency>
    <groupId>eu.dnetlib</groupId>
    <artifactId>uoa-authorization-library</artifactId>
    <version>3.0.1</version>
    <classifier>redis</classifier>
</dependency>

Spring Application/Configuration

import eu.dnetlib.uoaauthorizationlibrary.authorization.SecurityConfiguration;    

@PropertySources({@PropertySource("classpath:authorization.securityProperties")})
@Import(SecurityConfiguration.class)
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

Configuration

authorization.secuirty.redis.host=<redis-ip> # Default localhost
authorization.secuirty.redis.port=<redis-port> # Default 6379
authorization.secuirty.redis.password=<redis-password> # Default ""
authorization.security.domain=<domain-suffix> # e.g openaire.eu Default: di.uoa.gr
authorization.security.session=<session-cookie-name> # Default openAIRESession

Custom WebSecurity

In case you want to create a custom WebSecurity Configuration you have to:

  1. @Import(AuthorizationConfiguration.class) instead of SecurityConfiguration.
  2. (Optional) On your WebSecurity Configuration inject WebSecurity component and use security method in order to pre-build HttpSecurity with the default security.

e.g

@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true, proxyTargetClass = true)
@Configuration
public class WebSecurityConfig {

    private final WebSecurity webSecurity;

    @Autowired
    public WebSecurityConfig(WebSecurity webSecurity) {
        this.webSecurity = webSecurity;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http = webSecurity.security(http);
        // Custom Security Configuration
        
        return http.build();
    }
}

Authorize Requests

Authorization Service

In order to simplify the format of the Authorities, you can use this spring component to authorize your endpoints. There is also methods to get user's information.

public final String PORTAL_ADMIN = "PORTAL_ADMINISTRATOR";
public final String ANONYMOUS_USER = "ROLE_ANONYMOUS";
public final String REGISTERED_USER = "REGISTERED_USER";

/**
 * Type = FUNDER | COMMUNITY | INSTITUTION | PROJECT
 */
public String curator(String type) {}

/**
 * Type = FUNDER | COMMUNITY | INSTITUTION | PROJECT
 * 
 * Id = EE, EGI, etc
 */
public String manager(String type, String id) { }

/**
 * Type = FUNDER | COMMUNITY | RI | INSTITUTION | PROJECT
 * 
 * Id = EE, EGI, etc
 */
public String member(String type, String id)

e.g

@PreAuthorize("hasAnyAuthority("
    + "@AuthorizationService.PORTAL_ADMIN, "
    + "@AuthorizationService.curator(#type), "
    + "@AuthorizationService.manager(#type, #id)) "
+ ")")
@RequestMapping(value = "{type}/{id}", method = RequestMethod.GET)
public Entity getEntity(@PathVariable("type") String type, @PathVariable("id") String id) {}

Exception Handling

This library provides exception handling if an error is occurred.

Know Http Exceptions

  • UnauthorizedException (401)
  • ForbiddenException (403)
  • NotFoundException (404)
  • ConflictException (409)
  • UnprocessableException (422)

Create your own Exception with HttpStatus by extending HttpException class. By default, any other Exception produces Http Status 400 (BAD REQUEST).

Swagger configuration

This library by default includes swagger configuration, which is accessible only by PORTAL ADMIN users. Optional set API info securityProperties in your project configuration file:

api.title = <Title>
api.description = <Description>
api.version = ${project.version}

Disable UI and/or API-docs

springdoc.swagger-ui.enabled=false
springdoc.api-docs.enabled=false