Make Security to work
This commit is contained in:
parent
1fe6200d94
commit
36892093bd
|
@ -32,6 +32,15 @@
|
|||
<artifactId>oidc-authn</artifactId>
|
||||
<version>2.1.0</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>gr.cite</groupId>
|
||||
<artifactId>cache</artifactId>
|
||||
<version>2.1.0</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-cache</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
<build>
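Review bot: The new `cache` dependency repeats the literal `<version>2.1.0</version>` already used by the `oidc-authn` entry just above it; if the two are meant to move in lock-step (they appear to come from the same artifact family, though the first `<groupId>` is outside the hunk), a single Maven property — e.g. a constructed `<gr-cite.version>2.1.0</gr-cite.version>` under `<properties>`, referenced as `${gr-cite.version}` in both — keeps them from drifting apart on the next bump. `spring-boot-starter-cache` is added without a version, which is correct only if the Boot parent or BOM manages it; worth confirming, since an unmanaged artifact with no version fails the build.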
|
||||
|
|
|
@ -5,7 +5,9 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
|
|||
|
||||
@SpringBootApplication(scanBasePackages = {
|
||||
"eu.eudat.deposit.*",
|
||||
"eu.eudat.depositinterface.*"
|
||||
"eu.eudat.depositinterface.*",
|
||||
"gr.cite.tools",
|
||||
"gr.cite.commons"
|
||||
})
|
||||
public class DepositApplication {
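Review bot: The two added scan roots `"gr.cite.tools"` and `"gr.cite.commons"` register every `@Component`/`@Configuration` in those libraries without saying why, which widens what ends up in the application context (filters included) with nothing in the file to justify it; a short comment above them, e.g. `// gr.cite.commons.web.oidc supplies ApiKeyFilter, WebSecurityProperties and the AuthenticationManagerResolver used by SecurityConfiguration`, would record the dependency. The new entries are bare package names while the existing ones end in `.*`; since Spring turns `scanBasePackages` values into classpath patterns, the `.*` form appears to cover only sub-packages and not the package itself, so the mixed forms are worth normalizing after checking which behaviour is intended (the package of `DepositApplication` is not visible here). The class body continues outside the hunk.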
|
||||
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
package eu.eudat.deposit.config;
|
||||
|
||||
import gr.cite.commons.web.oidc.configuration.WebSecurityProperties;
|
||||
import gr.cite.commons.web.oidc.configuration.filter.ApiKeyFilter;
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authentication.AuthenticationManagerResolver;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
|
||||
|
||||
import java.util.Set;
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
public class SecurityConfiguration {
|
||||
|
||||
private final ApiKeyFilter apiKeyFilter;
|
||||
private final WebSecurityProperties webSecurityProperties;
|
||||
private final AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;
|
||||
|
||||
@Autowired
|
||||
public SecurityConfiguration(ApiKeyFilter apiKeyFilter, WebSecurityProperties webSecurityProperties, AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) {
|
||||
this.apiKeyFilter = apiKeyFilter;
|
||||
this.webSecurityProperties = webSecurityProperties;
|
||||
this.authenticationManagerResolver = authenticationManagerResolver;
|
||||
}
|
||||
|
||||
@Bean
|
||||
protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
http.csrf(AbstractHttpConfigurer::disable)
|
||||
.cors(Customizer.withDefaults())
|
||||
.addFilterBefore(apiKeyFilter, AbstractPreAuthenticatedProcessingFilter.class)
|
||||
.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> authorizationManagerRequestMatcherRegistry
|
||||
.requestMatchers(buildAntPatterns(webSecurityProperties.getAuthorizedEndpoints())).authenticated()
|
||||
.requestMatchers(buildAntPatterns(webSecurityProperties.getAllowedEndpoints())).anonymous())
|
||||
.sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.NEVER))
|
||||
.oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver));
|
||||
return http.build();
|
||||
}
|
||||
|
||||
private String[] buildAntPatterns(Set<String> endpoints) {
|
||||
if (endpoints == null) {
|
||||
return new String[0];
|
||||
}
|
||||
return endpoints.stream()
|
||||
.filter(endpoint -> endpoint != null && !endpoint.isBlank())
|
||||
.map(endpoint -> "/" + stripUnnecessaryCharacters(endpoint) + "/**")
|
||||
.toArray(String[]::new);
|
||||
}
|
||||
|
||||
private String stripUnnecessaryCharacters(String endpoint) {
|
||||
endpoint = endpoint.strip();
|
||||
if (endpoint.startsWith("/")) {
|
||||
endpoint = endpoint.substring(1);
|
||||
}
|
||||
if (endpoint.endsWith("/")) {
|
||||
endpoint = endpoint.substring(0, endpoint.length() - 1);
|
||||
}
|
||||
return endpoint;
|
||||
}
|
||||
}
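Review bot: `.requestMatchers(buildAntPatterns(webSecurityProperties.getAllowedEndpoints())).anonymous()` in `filterChain` grants the allowed endpoints only to anonymous authentications, so a caller that presents a valid API key or bearer token on an allowed path would be denied rather than let through; `.permitAll()` is the usual intent for an allow-list. The registry also has no `anyRequest()` rule, so a path matching neither list falls back to Spring Security's default for unmatched requests (deny in 6.x, as far as I recall) — stating it as `.anyRequest().denyAll()` (or `.authenticated()`) removes the doubt. With CSRF disabled and a resource server in front, `SessionCreationPolicy.STATELESS` rather than `NEVER` would also stop an existing session from being picked up. `buildAntPatterns` returns an empty array for a null set, so an unset property silently registers no rule at all; a class Javadoc saying that both lists come from `WebSecurityProperties` and that each entry is expanded to `/<endpoint>/**` would make that behaviour visible to the next reader.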
|
|
@ -8,4 +8,5 @@ spring:
|
|||
optional:classpath:config/pid.yml[.yml], optional:classpath:config/pid-${spring.profiles.active}.yml[.yml], optional:file:../config/pid-${spring.profiles.active}.yml[.yml],
|
||||
optional:classpath:config/funder.yml[.yml], optional:classpath:config/funder-${spring.profiles.active}.yml[.yml], optional:file:../config/funder-${spring.profiles.active}.yml[.yml],
|
||||
optional:classpath:config/identifiers.yml[.yml], optional:classpath:config/identifiers-${spring.profiles.active}.yml[.yml], optional:file:../config/identifiers-${spring.profiles.active}.yml[.yml],
|
||||
optional:classpath:config/security.yml[.yml], optional:classpath:config/security-${spring.profiles.active}.yml[.yml], optional:file:../config/security-${spring.profiles.active}.yml[.yml]
|
||||
optional:classpath:config/security.yml[.yml], optional:classpath:config/security-${spring.profiles.active}.yml[.yml], optional:file:../config/security-${spring.profiles.active}.yml[.yml],
|
||||
optional:classpath:config/cache.yml[.yml], optional:classpath:config/cache-${spring.profiles.active}.yml[.yml], optional:file:../config/cache-${spring.profiles.active}.yml[.yml]
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
cache:
|
||||
manager:
|
||||
fallbackToNoOpCache: true
|
||||
caffeineCaches:
|
||||
- names: [ "apikey" ]
|
||||
allowNullValues: true
|
||||
initialCapacity: 100
|
||||
maximumSize: 500
|
||||
enableRecordStats: false
|
||||
expireAfterWriteMinutes: 10
|
||||
expireAfterAccessMinutes: 10
|
||||
refreshAfterWriteMinutes: 10
|
||||
mapCaches:
|
||||
apiKey:
|
||||
name: apikey
|
||||
keyPattern: resolve_$keyhash$:v0
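Review bot: The `apikey` cache carries no comment on what it stores or what its lifetimes mean; from the `keyPattern` `resolve_$keyhash$:v0` and the `ApiKeyFilter` wired in this commit it presumably holds API-key resolution results, in which case a revoked or rotated key keeps working until `expireAfterWriteMinutes` (10 minutes) elapses, and with `allowNullValues: true` a key created after a failed lookup stays unknown for the same window. A comment such as `# apikey: caches API-key resolution results (hits and misses); revocation takes effect only after the 10-minute write expiry` would make that trade-off explicit. `refreshAfterWriteMinutes` equals `expireAfterWriteMinutes`, so the refresh setting seems unable to fire before the entry is already gone — confirm against the gr.cite cache library's semantics before relying on it.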
|
|
@ -2,6 +2,7 @@ web:
|
|||
security:
|
||||
enabled: true
|
||||
authorized-endpoints: [ api ]
|
||||
allowed-endpoints: [ health ]
|
||||
idp:
|
||||
api-key:
|
||||
enabled: true
|
||||
|
|