correcting security logic

2025-06-23 16:05:09 +00:00 · 2025-06-03 17:15:50 +01:00 · 2025-06-03 17:15:50 +01:00 · 8802d190e2
commit 8802d190e2
parent 1efd57a10c
11 changed files with 46 additions and 26 deletions
--- a/build.gradle
+++ b/build.gradle
@ -9,7 +9,7 @@ plugins {
    id "com.diffplug.spotless" version "7.0.4"
    id "com.github.jk1.dependency-license-report" version "2.9"
    //id "nebula.lint" version "19.0.3"
-    id("org.panteleyev.jpackageplugin") version "1.6.1"
+    id "org.panteleyev.jpackageplugin" version "1.6.1"
    id "org.sonarqube" version "6.2.0.5505"
 }

@ -51,9 +51,9 @@ licenseReport {
 sourceSets {
    main {
        java {
-            if (System.getenv('DOCKER_ENABLE_SECURITY') == 'false' || System.getenv('ADDITIONAL_FEATURES_OFF') == 'false'
+            if (System.getenv('DOCKER_ENABLE_SECURITY') == 'false' || System.getenv('ADDITIONAL_FEATURES_OFF') == 'true'
                || (project.hasProperty('ADDITIONAL_FEATURES_OFF')
-                && System.getProperty('ADDITIONAL_FEATURES_OFF'))) {
+                && System.getProperty('ADDITIONAL_FEATURES_OFF') == 'true')) {
                exclude 'stirling/software/proprietary/security/**'
            }

@ -66,9 +66,9 @@ sourceSets {

    test {
        java {
-            if (System.getenv('DOCKER_ENABLE_SECURITY') == 'false' || System.getenv('ADDITIONAL_FEATURES_OFF') == 'false'
+            if (System.getenv('DOCKER_ENABLE_SECURITY') == 'false' || System.getenv('ADDITIONAL_FEATURES_OFF') == 'true'
                || (project.hasProperty('ADDITIONAL_FEATURES_OFF')
-                && System.getProperty('ADDITIONAL_FEATURES_OFF'))) {
+                && System.getProperty('ADDITIONAL_FEATURES_OFF') == 'true')) {
                exclude 'stirling/software/proprietary/security/**'
            }

@ -285,18 +285,18 @@ tasks.register('downloadTempJre') {
            def jreArchive = new File(tmpDir, 'jre.tar.gz')
            def jreDir = new File(tmpDir, 'jre')

-            println "🔽 Downloading JRE to $jreArchive..."
+            println "Downloading JRE to $jreArchive..."
            jreArchive.withOutputStream { out ->
                new URI(jreUrl).toURL().withInputStream { from -> out << from }
            }

-            println "📦 Extracting JRE to $jreDir..."
+            println "Extracting JRE to $jreDir..."
            jreDir.mkdirs()
            providers.exec {
                commandLine 'tar', '-xzf', jreArchive.absolutePath, '-C', jreDir.absolutePath, '--strip-components=1'
            }.result.get()

-            println "✅ JRE ready at: $jreDir"
+            println "JRE ready at: $jreDir"
            ext.tempJrePath = jreDir.absolutePath
            project.ext.tempJrePath = jreDir.absolutePath
        } catch (Exception e) {
@ -431,7 +431,7 @@ dependencies {
    implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20240325.1'
    implementation 'org.snakeyaml:snakeyaml-engine:2.9'

-    if (System.getenv("DOCKER_ENABLE_SECURITY") != "false" || System.getenv("ADDITIONAL_FEATURES_OFF") == "false") {
+    if (System.getenv("DOCKER_ENABLE_SECURITY") != "false" && System.getenv("ADDITIONAL_FEATURES_OFF") != "true") {
        implementation project(':proprietary')
    }

--- a/common/src/main/java/stirling/software/common/configuration/AppConfig.java
+++ b/common/src/main/java/stirling/software/common/configuration/AppConfig.java
@ -148,10 +148,16 @@ public class AppConfig {
    }

    @Bean(name = "activeSecurity")
-    @ConditionalOnClass(
-            name = "stirling.software.proprietary.security.configuration.SecurityConfiguration")
    public boolean activeSecurity() {
-        return true;
+        String additionalFeaturesOff = env.getProperty("ADDITIONAL_FEATURES_OFF");
+
+        if (additionalFeaturesOff != null) {
+            // ADDITIONAL_FEATURES_OFF=true means security OFF, so return false
+            // ADDITIONAL_FEATURES_OFF=false means security ON, so return true
+            return !Boolean.parseBoolean(additionalFeaturesOff);
+        }
+
+        return env.getProperty("DOCKER_ENABLE_SECURITY", Boolean.class, true);
    }

    @Bean(name = "missingActiveSecurity")
--- a/proprietary/src/main/java/stirling/software/proprietary/security/configuration/MailConfig.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/configuration/MailConfig.java
@ -10,6 +10,7 @@ import org.springframework.mail.javamail.JavaMailSenderImpl;

 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+
 import stirling.software.common.model.ApplicationProperties;

 /**
--- a/proprietary/src/main/java/stirling/software/proprietary/security/model/User.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/model/User.java
@ -14,7 +14,6 @@ import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 import lombok.ToString;
-import stirling.software.common.model.enumeration.Role;

 import stirling.software.common.model.enumeration.Role;

--- a/proprietary/src/main/java/stirling/software/proprietary/security/oauth2/CustomOAuth2AuthenticationFailureHandler.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/oauth2/CustomOAuth2AuthenticationFailureHandler.java
@ -1,10 +1,7 @@
 package stirling.software.proprietary.security.oauth2;

-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import lombok.extern.slf4j.Slf4j;
+
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.DisabledException;
 import org.springframework.security.authentication.LockedException;
@ -13,6 +10,12 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import lombok.extern.slf4j.Slf4j;
+
@Slf4j
 public class CustomOAuth2AuthenticationFailureHandler
        extends SimpleUrlAuthenticationFailureHandler {
--- a/proprietary/src/main/java/stirling/software/proprietary/security/saml2/CertificateUtils.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/saml2/CertificateUtils.java
@ -6,6 +6,7 @@ import java.nio.charset.StandardCharsets;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
+
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
--- a/proprietary/src/main/java/stirling/software/proprietary/security/saml2/CustomSaml2AuthenticatedPrincipal.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/saml2/CustomSaml2AuthenticatedPrincipal.java
@ -3,6 +3,7 @@ package stirling.software.proprietary.security.saml2;
 import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
+
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;

--- a/proprietary/src/main/java/stirling/software/proprietary/security/saml2/CustomSaml2AuthenticationFailureHandler.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/saml2/CustomSaml2AuthenticationFailureHandler.java
@ -1,9 +1,7 @@
 package stirling.software.proprietary.security.saml2;

-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import lombok.extern.slf4j.Slf4j;
+
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.security.authentication.ProviderNotFoundException;
 import org.springframework.security.core.AuthenticationException;
@ -11,6 +9,11 @@ import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import lombok.extern.slf4j.Slf4j;
+
@Slf4j
@ConditionalOnProperty(name = "security.saml2.enabled", havingValue = "true")
 public class CustomSaml2AuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
--- a/proprietary/src/main/java/stirling/software/proprietary/security/saml2/SAML2Configuration.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/saml2/SAML2Configuration.java
@ -1,11 +1,9 @@
 package stirling.software.proprietary.security.saml2;

-import jakarta.servlet.http.HttpServletRequest;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.UUID;
-import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
+
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBooleanProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@ -21,6 +19,12 @@ import org.springframework.security.saml2.provider.service.registration.RelyingP
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.saml2.provider.service.web.HttpSessionSaml2AuthenticationRequestRepository;
 import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
 import stirling.software.common.model.ApplicationProperties;
 import stirling.software.common.model.ApplicationProperties.Security.SAML2;

--- a/proprietary/src/main/java/stirling/software/proprietary/security/session/SessionRegistryConfig.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/session/SessionRegistryConfig.java
@ -3,7 +3,6 @@ package stirling.software.proprietary.security.session;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.core.session.SessionRegistryImpl;
-import stirling.software.proprietary.security.database.repository.SessionRepository;

 import stirling.software.proprietary.security.database.repository.SessionRepository;

@ -16,7 +15,8 @@ public class SessionRegistryConfig {
    }

    @Bean
-    public SessionPersistentRegistry sessionPersistentRegistry(SessionRepository sessionRepository) {
+    public SessionPersistentRegistry sessionPersistentRegistry(
+            SessionRepository sessionRepository) {
        return new SessionPersistentRegistry(sessionRepository);
    }
 }
--- a/proprietary/src/main/java/stirling/software/proprietary/security/session/SessionScheduled.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/session/SessionScheduled.java
@ -4,11 +4,13 @@ import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Date;
 import java.util.List;
-import lombok.RequiredArgsConstructor;
+
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.stereotype.Component;

+import lombok.RequiredArgsConstructor;
+
@Component
@RequiredArgsConstructor
 public class SessionScheduled {