2024-01-03 17:59:04 +00:00
|
|
|
package stirling.software.SPDF.config.security;
|
|
|
|
|
|
2024-05-03 20:43:48 +01:00
|
|
|
import java.util.*;
|
|
|
|
|
|
2024-01-03 17:59:04 +00:00
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
|
|
import org.springframework.beans.factory.annotation.Qualifier;
|
2024-04-29 15:01:22 -06:00
|
|
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
2024-01-03 17:59:04 +00:00
|
|
|
import org.springframework.context.annotation.Bean;
|
|
|
|
|
import org.springframework.context.annotation.Configuration;
|
|
|
|
|
import org.springframework.context.annotation.Lazy;
|
|
|
|
|
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
|
|
|
|
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
|
|
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
|
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
2024-02-18 15:47:19 +00:00
|
|
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
2024-05-02 14:52:50 -06:00
|
|
|
import org.springframework.security.core.GrantedAuthority;
|
|
|
|
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
|
|
|
|
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
|
2024-02-18 15:47:19 +00:00
|
|
|
import org.springframework.security.core.session.SessionRegistry;
|
|
|
|
|
import org.springframework.security.core.session.SessionRegistryImpl;
|
2024-01-03 17:59:04 +00:00
|
|
|
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
|
|
|
|
import org.springframework.security.crypto.password.PasswordEncoder;
|
2024-04-29 15:01:22 -06:00
|
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
2024-05-03 20:43:48 +01:00
|
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
|
|
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
|
2024-04-29 15:01:22 -06:00
|
|
|
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
|
2024-05-02 14:52:50 -06:00
|
|
|
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
|
2024-01-03 17:59:04 +00:00
|
|
|
import org.springframework.security.web.SecurityFilterChain;
|
|
|
|
|
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
|
|
|
|
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
|
|
|
|
|
import org.springframework.security.web.savedrequest.NullRequestCache;
|
|
|
|
|
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
|
|
|
|
|
2024-05-12 19:58:34 +02:00
|
|
|
import stirling.software.SPDF.config.security.oauth2.CustomOAuth2AuthenticationFailureHandler;
|
|
|
|
|
import stirling.software.SPDF.config.security.oauth2.CustomOAuth2AuthenticationSuccessHandler;
|
|
|
|
|
import stirling.software.SPDF.config.security.oauth2.CustomOAuth2LogoutSuccessHandler;
|
|
|
|
|
import stirling.software.SPDF.config.security.oauth2.CustomOAuth2UserService;
|
2024-04-29 15:01:22 -06:00
|
|
|
import stirling.software.SPDF.model.ApplicationProperties;
|
2024-05-12 19:58:34 +02:00
|
|
|
import stirling.software.SPDF.model.ApplicationProperties.Security.OAUTH2;
|
2024-05-02 14:52:50 -06:00
|
|
|
import stirling.software.SPDF.model.User;
|
2024-01-03 17:59:04 +00:00
|
|
|
import stirling.software.SPDF.repository.JPATokenRepositoryImpl;
|
|
|
|
|
|
|
|
|
|
@Configuration
|
|
|
|
|
@EnableWebSecurity()
|
|
|
|
|
@EnableMethodSecurity
|
|
|
|
|
public class SecurityConfiguration {
|
|
|
|
|
|
2024-05-12 19:58:34 +02:00
|
|
|
@Autowired private CustomUserDetailsService userDetailsService;
|
2024-01-03 17:59:04 +00:00
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public PasswordEncoder passwordEncoder() {
|
|
|
|
|
return new BCryptPasswordEncoder();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Autowired @Lazy private UserService userService;
|
|
|
|
|
|
|
|
|
|
@Autowired
|
|
|
|
|
@Qualifier("loginEnabled")
|
|
|
|
|
public boolean loginEnabledValue;
|
|
|
|
|
|
2024-04-29 15:01:22 -06:00
|
|
|
@Autowired ApplicationProperties applicationProperties;
|
|
|
|
|
|
2024-01-03 17:59:04 +00:00
|
|
|
@Autowired private UserAuthenticationFilter userAuthenticationFilter;
|
|
|
|
|
|
|
|
|
|
@Autowired private LoginAttemptService loginAttemptService;
|
|
|
|
|
|
|
|
|
|
@Autowired private FirstLoginFilter firstLoginFilter;
|
|
|
|
|
|
2024-02-18 15:47:19 +00:00
|
|
|
@Bean
|
|
|
|
|
public SessionRegistry sessionRegistry() {
|
|
|
|
|
return new SessionRegistryImpl();
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-03 17:59:04 +00:00
|
|
|
@Bean
|
|
|
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
|
|
|
http.addFilterBefore(userAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
|
|
|
|
|
|
|
|
|
|
if (loginEnabledValue) {
|
|
|
|
|
|
|
|
|
|
http.csrf(csrf -> csrf.disable());
|
|
|
|
|
http.addFilterBefore(rateLimitingFilter(), UsernamePasswordAuthenticationFilter.class);
|
|
|
|
|
http.addFilterAfter(firstLoginFilter, UsernamePasswordAuthenticationFilter.class);
|
2024-02-18 15:47:19 +00:00
|
|
|
http.sessionManagement(
|
|
|
|
|
sessionManagement ->
|
|
|
|
|
sessionManagement
|
|
|
|
|
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
|
2024-03-09 14:03:46 +00:00
|
|
|
.maximumSessions(10)
|
|
|
|
|
.maxSessionsPreventsLogin(false)
|
2024-02-18 15:47:19 +00:00
|
|
|
.sessionRegistry(sessionRegistry())
|
|
|
|
|
.expiredUrl("/login?logout=true"));
|
2024-03-09 14:03:46 +00:00
|
|
|
|
2024-01-03 17:59:04 +00:00
|
|
|
http.formLogin(
|
|
|
|
|
formLogin ->
|
|
|
|
|
formLogin
|
|
|
|
|
.loginPage("/login")
|
|
|
|
|
.successHandler(
|
|
|
|
|
new CustomAuthenticationSuccessHandler())
|
|
|
|
|
.defaultSuccessUrl("/")
|
|
|
|
|
.failureHandler(
|
|
|
|
|
new CustomAuthenticationFailureHandler(
|
2024-03-08 18:06:40 +00:00
|
|
|
loginAttemptService, userService))
|
2024-01-03 17:59:04 +00:00
|
|
|
.permitAll())
|
|
|
|
|
.requestCache(requestCache -> requestCache.requestCache(new NullRequestCache()))
|
|
|
|
|
.logout(
|
|
|
|
|
logout ->
|
|
|
|
|
logout.logoutRequestMatcher(
|
|
|
|
|
new AntPathRequestMatcher("/logout"))
|
2024-05-03 20:43:48 +01:00
|
|
|
.logoutSuccessHandler(new CustomLogoutSuccessHandler())
|
2024-01-03 17:59:04 +00:00
|
|
|
.invalidateHttpSession(true) // Invalidate session
|
2024-05-12 19:58:34 +02:00
|
|
|
.deleteCookies("JSESSIONID", "remember-me"))
|
2024-01-03 17:59:04 +00:00
|
|
|
.rememberMe(
|
|
|
|
|
rememberMeConfigurer ->
|
|
|
|
|
rememberMeConfigurer // Use the configurator directly
|
|
|
|
|
.key("uniqueAndSecret")
|
|
|
|
|
.tokenRepository(persistentTokenRepository())
|
|
|
|
|
.tokenValiditySeconds(1209600) // 2 weeks
|
|
|
|
|
)
|
|
|
|
|
.authorizeHttpRequests(
|
|
|
|
|
authz ->
|
|
|
|
|
authz.requestMatchers(
|
|
|
|
|
req -> {
|
|
|
|
|
String uri = req.getRequestURI();
|
|
|
|
|
String contextPath = req.getContextPath();
|
|
|
|
|
|
|
|
|
|
// Remove the context path from the URI
|
|
|
|
|
String trimmedUri =
|
|
|
|
|
uri.startsWith(contextPath)
|
|
|
|
|
? uri.substring(
|
|
|
|
|
contextPath
|
|
|
|
|
.length())
|
|
|
|
|
: uri;
|
|
|
|
|
|
|
|
|
|
return trimmedUri.startsWith("/login")
|
2024-04-29 15:01:22 -06:00
|
|
|
|| trimmedUri.startsWith("/oauth")
|
2024-01-03 17:59:04 +00:00
|
|
|
|| trimmedUri.endsWith(".svg")
|
|
|
|
|
|| trimmedUri.startsWith(
|
|
|
|
|
"/register")
|
|
|
|
|
|| trimmedUri.startsWith("/error")
|
|
|
|
|
|| trimmedUri.startsWith("/images/")
|
|
|
|
|
|| trimmedUri.startsWith("/public/")
|
|
|
|
|
|| trimmedUri.startsWith("/css/")
|
|
|
|
|
|| trimmedUri.startsWith("/js/")
|
|
|
|
|
|| trimmedUri.startsWith(
|
|
|
|
|
"/api/v1/info/status");
|
|
|
|
|
})
|
|
|
|
|
.permitAll()
|
|
|
|
|
.anyRequest()
|
|
|
|
|
.authenticated())
|
|
|
|
|
.userDetailsService(userDetailsService)
|
|
|
|
|
.authenticationProvider(authenticationProvider());
|
2024-04-29 15:01:22 -06:00
|
|
|
|
|
|
|
|
// Handle OAUTH2 Logins
|
|
|
|
|
if (applicationProperties.getSecurity().getOAUTH2().getEnabled()) {
|
|
|
|
|
|
2024-05-03 20:43:48 +01:00
|
|
|
http.oauth2Login(
|
2024-05-12 19:58:34 +02:00
|
|
|
oauth2 ->
|
|
|
|
|
oauth2.loginPage("/oauth2")
|
|
|
|
|
/*
|
|
|
|
|
This Custom handler is used to check if the OAUTH2 user trying to log in, already exists in the database.
|
|
|
|
|
If user exists, login proceeds as usual. If user does not exist, then it is autocreated but only if 'OAUTH2AutoCreateUser'
|
|
|
|
|
is set as true, else login fails with an error message advising the same.
|
|
|
|
|
*/
|
|
|
|
|
.successHandler(
|
|
|
|
|
new CustomOAuth2AuthenticationSuccessHandler(
|
|
|
|
|
applicationProperties, userService))
|
|
|
|
|
.failureHandler(
|
|
|
|
|
new CustomOAuth2AuthenticationFailureHandler())
|
|
|
|
|
// Add existing Authorities from the database
|
|
|
|
|
.userInfoEndpoint(
|
|
|
|
|
userInfoEndpoint ->
|
|
|
|
|
userInfoEndpoint
|
|
|
|
|
.oidcUserService(
|
|
|
|
|
new CustomOAuth2UserService(
|
|
|
|
|
applicationProperties))
|
|
|
|
|
.userAuthoritiesMapper(
|
|
|
|
|
userAuthoritiesMapper())))
|
|
|
|
|
.userDetailsService(userDetailsService)
|
|
|
|
|
.logout(
|
|
|
|
|
logout ->
|
|
|
|
|
logout.logoutSuccessHandler(
|
|
|
|
|
new CustomOAuth2LogoutSuccessHandler(
|
|
|
|
|
this.applicationProperties)));
|
2024-05-03 20:43:48 +01:00
|
|
|
}
|
2024-01-03 17:59:04 +00:00
|
|
|
} else {
|
|
|
|
|
http.csrf(csrf -> csrf.disable())
|
|
|
|
|
.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return http.build();
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-29 15:01:22 -06:00
|
|
|
// Client Registration Repository for OAUTH2 OIDC Login
|
|
|
|
|
@Bean
|
2024-05-03 20:43:48 +01:00
|
|
|
@ConditionalOnProperty(
|
|
|
|
|
value = "security.oauth2.enabled",
|
|
|
|
|
havingValue = "true",
|
|
|
|
|
matchIfMissing = false)
|
|
|
|
|
public ClientRegistrationRepository clientRegistrationRepository() {
|
|
|
|
|
return new InMemoryClientRegistrationRepository(this.oidcClientRegistration());
|
|
|
|
|
}
|
2024-04-29 15:01:22 -06:00
|
|
|
|
2024-05-03 20:43:48 +01:00
|
|
|
private ClientRegistration oidcClientRegistration() {
|
2024-05-12 19:58:34 +02:00
|
|
|
OAUTH2 oauth = applicationProperties.getSecurity().getOAUTH2();
|
|
|
|
|
return ClientRegistrations.fromIssuerLocation(oauth.getIssuer())
|
2024-05-03 20:43:48 +01:00
|
|
|
.registrationId("oidc")
|
2024-05-12 19:58:34 +02:00
|
|
|
.clientId(oauth.getClientId())
|
|
|
|
|
.clientSecret(oauth.getClientSecret())
|
|
|
|
|
.scope(oauth.getScopes())
|
|
|
|
|
.userNameAttributeName(oauth.getUseAsUsername())
|
2024-05-03 20:43:48 +01:00
|
|
|
.clientName("OIDC")
|
|
|
|
|
.build();
|
|
|
|
|
}
|
2024-04-29 15:01:22 -06:00
|
|
|
|
2024-05-02 14:52:50 -06:00
|
|
|
/*
|
|
|
|
|
This following function is to grant Authorities to the OAUTH2 user from the values stored in the database.
|
|
|
|
|
This is required for the internal; 'hasRole()' function to give out the correct role.
|
|
|
|
|
*/
|
|
|
|
|
@Bean
|
2024-05-03 20:43:48 +01:00
|
|
|
@ConditionalOnProperty(
|
|
|
|
|
value = "security.oauth2.enabled",
|
|
|
|
|
havingValue = "true",
|
|
|
|
|
matchIfMissing = false)
|
2024-05-02 14:52:50 -06:00
|
|
|
GrantedAuthoritiesMapper userAuthoritiesMapper() {
|
|
|
|
|
return (authorities) -> {
|
|
|
|
|
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
|
|
|
|
|
|
2024-05-03 20:43:48 +01:00
|
|
|
authorities.forEach(
|
|
|
|
|
authority -> {
|
|
|
|
|
// Add existing OAUTH2 Authorities
|
|
|
|
|
mappedAuthorities.add(new SimpleGrantedAuthority(authority.getAuthority()));
|
2024-05-02 14:52:50 -06:00
|
|
|
|
2024-05-03 20:43:48 +01:00
|
|
|
// Add Authorities from database for existing user, if user is present.
|
|
|
|
|
if (authority instanceof OAuth2UserAuthority oauth2Auth) {
|
2024-05-12 19:58:34 +02:00
|
|
|
String useAsUsername =
|
|
|
|
|
applicationProperties
|
|
|
|
|
.getSecurity()
|
|
|
|
|
.getOAUTH2()
|
|
|
|
|
.getUseAsUsername();
|
2024-05-03 20:43:48 +01:00
|
|
|
Optional<User> userOpt =
|
|
|
|
|
userService.findByUsernameIgnoreCase(
|
2024-05-12 19:58:34 +02:00
|
|
|
(String) oauth2Auth.getAttributes().get(useAsUsername));
|
2024-05-03 20:43:48 +01:00
|
|
|
if (userOpt.isPresent()) {
|
|
|
|
|
User user = userOpt.get();
|
|
|
|
|
if (user != null) {
|
|
|
|
|
mappedAuthorities.add(
|
|
|
|
|
new SimpleGrantedAuthority(
|
|
|
|
|
userService.findRole(user).getAuthority()));
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-05-02 14:52:50 -06:00
|
|
|
}
|
2024-05-03 20:43:48 +01:00
|
|
|
});
|
2024-05-02 14:52:50 -06:00
|
|
|
return mappedAuthorities;
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-03 17:59:04 +00:00
|
|
|
@Bean
|
|
|
|
|
public IPRateLimitingFilter rateLimitingFilter() {
|
|
|
|
|
int maxRequestsPerIp = 1000000; // Example limit TODO add config level
|
|
|
|
|
return new IPRateLimitingFilter(maxRequestsPerIp, maxRequestsPerIp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public DaoAuthenticationProvider authenticationProvider() {
|
|
|
|
|
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
|
|
|
|
|
authProvider.setUserDetailsService(userDetailsService);
|
|
|
|
|
authProvider.setPasswordEncoder(passwordEncoder());
|
|
|
|
|
return authProvider;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public PersistentTokenRepository persistentTokenRepository() {
|
|
|
|
|
return new JPATokenRepositoryImpl();
|
|
|
|
|
}
|
2024-04-21 22:16:39 +02:00
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public boolean activSecurity() {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2024-01-03 17:59:04 +00:00
|
|
|
}
|
