Loading gms/src/main/java/it/inaf/ia2/gms/GmsApplication.java +8 −58 Original line number Diff line number Diff line Loading @@ -2,15 +2,8 @@ package it.inaf.ia2.gms; import it.inaf.ia2.aa.AuthConfig; import it.inaf.ia2.aa.ServiceLocator; import it.inaf.ia2.aa.data.ServletCodeRequestData; import it.inaf.ia2.client.QueryStringBuilder; import it.inaf.ia2.client.UriCustomizer; import static it.inaf.ia2.gms.authn.ClientDbFilter.CLIENT_DB; import it.inaf.ia2.gms.exception.BadRequestException; import it.inaf.ia2.rap.client.RapClient; import java.net.URI; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; import it.inaf.ia2.aa.UserManager; import it.inaf.ia2.gms.authn.ServletRapClient; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.Bean; Loading 
@@ -32,55 +25,12 @@ public class GmsApplication { } @Bean public RapClient rapClient(AuthConfig authConfig) { URI defaultAuthorizationUri = URI.create(authConfig.getRapBaseUri()) .resolve(authConfig.getUserAuthorizationEndpoint()); URI defaultAccessTokenUri = URI.create(authConfig.getRapBaseUri()) .resolve(authConfig.getAccessTokenEndpoint()); RapClient rapClient = ServiceLocator.getInstance().getRapClient(); rapClient.setAuthorizationUriCustomizer(new UriCustomizer<HttpServletRequest>() { @Override public URI getBaseUri(HttpServletRequest req) { // for a better security we should check for allowed redirects String redirect = req.getParameter("redirect"); if (redirect != null) { return URI.create(redirect); } return defaultAuthorizationUri; public UserManager userManager() { return ServiceLocator.getInstance().getUserManager(); } @Override public void customizeQueryString(HttpServletRequest req, QueryStringBuilder queryStringBuilder) { String clientDb = req.getParameter(CLIENT_DB); if (clientDb == null) { HttpSession session = req.getSession(false); if (session != null) { clientDb = (String) session.getAttribute(CLIENT_DB); } } if (clientDb == null) { throw new BadRequestException("client_db not set"); } queryStringBuilder.param(CLIENT_DB, clientDb); } }); rapClient.setAccessTokenUriCustomizer(new UriCustomizer<ServletCodeRequestData>() { @Override public URI getBaseUri(ServletCodeRequestData req) { String redirect = req.getCodeRequest().getParameter("token_uri"); if (redirect != null) { return URI.create(redirect); } return defaultAccessTokenUri; } }); return rapClient; @Bean public ServletRapClient servletRapClient() { return (ServletRapClient) ServiceLocator.getInstance().getRapClient(); } } gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java +8 −10 Original line number Diff line number Diff line package it.inaf.ia2.gms.authn; import it.inaf.ia2.aa.UserManager; import it.inaf.ia2.aa.data.User; import it.inaf.ia2.gms.persistence.LoggingDAO; import 
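Review bot: The new `servletRapClient()` bean at the end of the hunk relies on an unchecked cast, `(ServletRapClient) ServiceLocator.getInstance().getRapClient()`, which fails with a bare ClassCastException at context startup if the locator is configured with a different RapClient implementation; a guarded cast with a descriptive message makes the misconfiguration obvious, e.g. `if (!(client instanceof ServletRapClient)) throw new IllegalStateException("ServiceLocator RapClient is not a ServletRapClient: " + client.getClass());`. The removed customizer carried the comment `for a better security we should check for allowed redirects` on the `redirect` parameter; where that allow-list check now lives is outside this diff, so a Javadoc line on `servletRapClient()` naming the component responsible for validating redirect targets would help the next reader. Both new bean methods are otherwise undocumented.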
it.inaf.ia2.rap.client.RapClient; import java.io.IOException; import java.security.Principal; import java.util.Map; Loading @@ -19,11 +19,11 @@ import javax.servlet.http.HttpSession; public class JWTFilter implements Filter { private final LoggingDAO loggingDAO; private final RapClient rapClient; private final UserManager userManager; public JWTFilter(LoggingDAO loggingDAO, RapClient rapClient) { public JWTFilter(LoggingDAO loggingDAO, UserManager userManager) { this.loggingDAO = loggingDAO; this.rapClient = rapClient; this.userManager = userManager; } @Override Loading @@ -40,7 +40,6 @@ public class JWTFilter implements Filter { HttpSession session = request.getSession(false); User user = (User) session.getAttribute("user_data"); if (user != null) { rapClient.setAccessToken(user.getAccessToken()); ServletRequestWithSessionPrincipal wrappedRequest = new ServletRequestWithSessionPrincipal(request, user); fc.doFilter(wrappedRequest, res); return; Loading @@ -53,8 +52,7 @@ public class JWTFilter implements Filter { String token = authHeader.replace("Bearer", "").trim(); rapClient.setAccessToken(token); Map<String, Object> claims = rapClient.parseIdTokenClaims(token); Map<String, Object> claims = userManager.parseIdTokenClaims(token); if (claims.get("sub") == null) { loggingDAO.logAction("Attempt to access WS with invalid token", request); Loading @@ -62,7 +60,7 @@ public class JWTFilter implements Filter { return; } ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, claims); ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims); loggingDAO.logAction("WS access from " + wrappedRequest.getUserPrincipal().getName(), request); fc.doFilter(wrappedRequest, res); Loading 
@@ -87,9 +85,9 @@ public class JWTFilter implements Filter { private final RapPrincipal principal; public ServletRequestWithJWTPrincipal(HttpServletRequest request, Map<String, Object> jwtClaims) { public ServletRequestWithJWTPrincipal(HttpServletRequest request, String token, Map<String, Object> jwtClaims) { super(request); this.principal = new RapPrincipal(jwtClaims); this.principal = new RapPrincipal(token, jwtClaims); } @Override Loading gms/src/main/java/it/inaf/ia2/gms/authn/RapClient.java 0 → 100644 +17 −0 Original line number Diff line number Diff line package it.inaf.ia2.gms.authn; import it.inaf.ia2.rap.client.BoundedRapClient; import javax.servlet.http.HttpServletRequest; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import org.springframework.web.context.annotation.RequestScope; @Component @RequestScope public class RapClient extends BoundedRapClient<HttpServletRequest> { @Autowired public RapClient(ServletRapClient servletRapClient, HttpServletRequest request) { super(servletRapClient, request); } } gms/src/main/java/it/inaf/ia2/gms/authn/RapPrincipal.java +7 −1 Original line number Diff line number Diff line Loading @@ -5,10 +5,12 @@ import java.util.Map; public class RapPrincipal implements Principal { private final String token; private final String sub; private final String altSub; public RapPrincipal(Map<String, Object> jwtClaims) { public RapPrincipal(String token, Map<String, Object> jwtClaims) { this.token = token; sub = (String) jwtClaims.get("sub"); altSub = (String) jwtClaims.get("alt_sub"); } Loading 
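Review bot: After `Map<String, Object> claims = userManager.parseIdTokenClaims(token);` the only validation visible in this filter is the `claims.get("sub") == null` check that follows it; whether `parseIdTokenClaims` verifies the token's signature, issuer and expiry is not visible here, and the filter's security depends entirely on that. A comment at that line would record the contract so a later change cannot weaken it silently: `// parseIdTokenClaims must reject unsigned/expired tokens; this filter only checks that a subject is present`. The raw `token` is now passed to `ServletRequestWithJWTPrincipal` and stored on the principal, so anything that logs or serializes the principal will carry the credential; the `loggingDAO.logAction` call that follows logs only the principal name, which is correct and should stay that way. doFilter starts and ends outside the visible hunks.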
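Review bot: The new request-scoped `RapClient` in `it.inaf.ia2.gms.authn` shares its simple name with `it.inaf.ia2.rap.client.RapClient`, which appears in the printed import lists of JWTFilter and SecurityConfig in this diff (whether as kept or removed lines is not recoverable from the rendering), so a reader cannot tell from the name alone which of the two a `RapClient` reference means; the class also has no Javadoc. A class comment such as `/** Request-scoped client bound to the current HttpServletRequest; distinct from the library-level it.inaf.ia2.rap.client.RapClient. */` would make the distinction explicit, and a more specific name (e.g. `RequestRapClient`) would remove the ambiguity entirely.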
@@ -24,4 +26,8 @@ public class RapPrincipal implements Principal { public String getAlternativeName() { return altSub; } public String getToken() { return token; } } gms/src/main/java/it/inaf/ia2/gms/authn/SecurityConfig.java +5 −5 Original line number Diff line number Diff line package it.inaf.ia2.gms.authn; import it.inaf.ia2.aa.AuthConfig; import it.inaf.ia2.aa.UserManager; import it.inaf.ia2.gms.persistence.LoggingDAO; import it.inaf.ia2.rap.client.RapClient; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; Loading Loading @@ -46,9 +46,9 @@ public class SecurityConfig { } @Bean public FilterRegistrationBean clientDbFilter(AuthConfig authConfig, RapClient rapClient) { public FilterRegistrationBean clientDbFilter(AuthConfig authConfig, UserManager userManager) { FilterRegistrationBean bean = new FilterRegistrationBean(); bean.setFilter(new ClientDbFilter(authConfig, rapClient)); bean.setFilter(new ClientDbFilter(authConfig, userManager)); bean.addUrlPatterns("/*"); bean.setOrder(Ordered.HIGHEST_PRECEDENCE); return bean; Loading @@ -58,9 +58,9 @@ public class SecurityConfig { * Checks JWT for web services. */ @Bean public FilterRegistrationBean serviceJWTFilter(LoggingDAO loggingDAO, RapClient rapClient) { public FilterRegistrationBean serviceJWTFilter(LoggingDAO loggingDAO, UserManager userManager) { FilterRegistrationBean bean = new FilterRegistrationBean(); bean.setFilter(new JWTFilter(loggingDAO, rapClient)); bean.setFilter(new JWTFilter(loggingDAO, userManager)); bean.addUrlPatterns("/*"); bean.setOrder(Ordered.HIGHEST_PRECEDENCE); return bean; Loading Loading
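Review bot: `getToken()` exposes the raw bearer token from a `Principal`, a type that is routinely handed to logging, auditing and view code, and nothing on the class marks it as a credential; the constructor also stores `token` with no null check. A Javadoc on the accessor should say so: `/** Raw bearer token this principal was authenticated with; it is a credential — never log it or include it in error messages or responses. */`. The rest of the class (the `getName` implementation and any `toString`) is outside the hunk, so whether the token can leak through `toString` cannot be checked here.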
gms/src/main/java/it/inaf/ia2/gms/GmsApplication.java +8 −58 Original line number Diff line number Diff line Loading @@ -2,15 +2,8 @@ package it.inaf.ia2.gms; import it.inaf.ia2.aa.AuthConfig; import it.inaf.ia2.aa.ServiceLocator; import it.inaf.ia2.aa.data.ServletCodeRequestData; import it.inaf.ia2.client.QueryStringBuilder; import it.inaf.ia2.client.UriCustomizer; import static it.inaf.ia2.gms.authn.ClientDbFilter.CLIENT_DB; import it.inaf.ia2.gms.exception.BadRequestException; import it.inaf.ia2.rap.client.RapClient; import java.net.URI; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; import it.inaf.ia2.aa.UserManager; import it.inaf.ia2.gms.authn.ServletRapClient; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.Bean; Loading 
@@ -32,55 +25,12 @@ public class GmsApplication { } @Bean public RapClient rapClient(AuthConfig authConfig) { URI defaultAuthorizationUri = URI.create(authConfig.getRapBaseUri()) .resolve(authConfig.getUserAuthorizationEndpoint()); URI defaultAccessTokenUri = URI.create(authConfig.getRapBaseUri()) .resolve(authConfig.getAccessTokenEndpoint()); RapClient rapClient = ServiceLocator.getInstance().getRapClient(); rapClient.setAuthorizationUriCustomizer(new UriCustomizer<HttpServletRequest>() { @Override public URI getBaseUri(HttpServletRequest req) { // for a better security we should check for allowed redirects String redirect = req.getParameter("redirect"); if (redirect != null) { return URI.create(redirect); } return defaultAuthorizationUri; public UserManager userManager() { return ServiceLocator.getInstance().getUserManager(); } @Override public void customizeQueryString(HttpServletRequest req, QueryStringBuilder queryStringBuilder) { String clientDb = req.getParameter(CLIENT_DB); if (clientDb == null) { HttpSession session = req.getSession(false); if (session != null) { clientDb = (String) session.getAttribute(CLIENT_DB); } } if (clientDb == null) { throw new BadRequestException("client_db not set"); } queryStringBuilder.param(CLIENT_DB, clientDb); } }); rapClient.setAccessTokenUriCustomizer(new UriCustomizer<ServletCodeRequestData>() { @Override public URI getBaseUri(ServletCodeRequestData req) { String redirect = req.getCodeRequest().getParameter("token_uri"); if (redirect != null) { return URI.create(redirect); } return defaultAccessTokenUri; } }); return rapClient; @Bean public ServletRapClient servletRapClient() { return (ServletRapClient) ServiceLocator.getInstance().getRapClient(); } }
gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java +8 −10 Original line number Diff line number Diff line package it.inaf.ia2.gms.authn; import it.inaf.ia2.aa.UserManager; import it.inaf.ia2.aa.data.User; import it.inaf.ia2.gms.persistence.LoggingDAO; import it.inaf.ia2.rap.client.RapClient; import java.io.IOException; import java.security.Principal; import java.util.Map; Loading @@ -19,11 +19,11 @@ import javax.servlet.http.HttpSession; public class JWTFilter implements Filter { private final LoggingDAO loggingDAO; private final RapClient rapClient; private final UserManager userManager; public JWTFilter(LoggingDAO loggingDAO, RapClient rapClient) { public JWTFilter(LoggingDAO loggingDAO, UserManager userManager) { this.loggingDAO = loggingDAO; this.rapClient = rapClient; this.userManager = userManager; } @Override Loading @@ -40,7 +40,6 @@ public class JWTFilter implements Filter { HttpSession session = request.getSession(false); User user = (User) session.getAttribute("user_data"); if (user != null) { rapClient.setAccessToken(user.getAccessToken()); ServletRequestWithSessionPrincipal wrappedRequest = new ServletRequestWithSessionPrincipal(request, user); fc.doFilter(wrappedRequest, res); return; Loading @@ -53,8 +52,7 @@ public class JWTFilter implements Filter { String token = authHeader.replace("Bearer", "").trim(); rapClient.setAccessToken(token); Map<String, Object> claims = rapClient.parseIdTokenClaims(token); Map<String, Object> claims = userManager.parseIdTokenClaims(token); if (claims.get("sub") == null) { loggingDAO.logAction("Attempt to access WS with invalid token", request); Loading 
@@ -62,7 +60,7 @@ public class JWTFilter implements Filter { return; } ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, claims); ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims); loggingDAO.logAction("WS access from " + wrappedRequest.getUserPrincipal().getName(), request); fc.doFilter(wrappedRequest, res); Loading @@ -87,9 +85,9 @@ public class JWTFilter implements Filter { private final RapPrincipal principal; public ServletRequestWithJWTPrincipal(HttpServletRequest request, Map<String, Object> jwtClaims) { public ServletRequestWithJWTPrincipal(HttpServletRequest request, String token, Map<String, Object> jwtClaims) { super(request); this.principal = new RapPrincipal(jwtClaims); this.principal = new RapPrincipal(token, jwtClaims); } @Override Loading
gms/src/main/java/it/inaf/ia2/gms/authn/RapClient.java 0 → 100644 +17 −0 Original line number Diff line number Diff line package it.inaf.ia2.gms.authn; import it.inaf.ia2.rap.client.BoundedRapClient; import javax.servlet.http.HttpServletRequest; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import org.springframework.web.context.annotation.RequestScope; @Component @RequestScope public class RapClient extends BoundedRapClient<HttpServletRequest> { @Autowired public RapClient(ServletRapClient servletRapClient, HttpServletRequest request) { super(servletRapClient, request); } }
gms/src/main/java/it/inaf/ia2/gms/authn/RapPrincipal.java +7 −1 Original line number Diff line number Diff line Loading @@ -5,10 +5,12 @@ import java.util.Map; public class RapPrincipal implements Principal { private final String token; private final String sub; private final String altSub; public RapPrincipal(Map<String, Object> jwtClaims) { public RapPrincipal(String token, Map<String, Object> jwtClaims) { this.token = token; sub = (String) jwtClaims.get("sub"); altSub = (String) jwtClaims.get("alt_sub"); } Loading @@ -24,4 +26,8 @@ public class RapPrincipal implements Principal { public String getAlternativeName() { return altSub; } public String getToken() { return token; } }
gms/src/main/java/it/inaf/ia2/gms/authn/SecurityConfig.java +5 −5 Original line number Diff line number Diff line package it.inaf.ia2.gms.authn; import it.inaf.ia2.aa.AuthConfig; import it.inaf.ia2.aa.UserManager; import it.inaf.ia2.gms.persistence.LoggingDAO; import it.inaf.ia2.rap.client.RapClient; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; Loading Loading @@ -46,9 +46,9 @@ public class SecurityConfig { } @Bean public FilterRegistrationBean clientDbFilter(AuthConfig authConfig, RapClient rapClient) { public FilterRegistrationBean clientDbFilter(AuthConfig authConfig, UserManager userManager) { FilterRegistrationBean bean = new FilterRegistrationBean(); bean.setFilter(new ClientDbFilter(authConfig, rapClient)); bean.setFilter(new ClientDbFilter(authConfig, userManager)); bean.addUrlPatterns("/*"); bean.setOrder(Ordered.HIGHEST_PRECEDENCE); return bean; Loading @@ -58,9 +58,9 @@ public class SecurityConfig { * Checks JWT for web services. */ @Bean public FilterRegistrationBean serviceJWTFilter(LoggingDAO loggingDAO, RapClient rapClient) { public FilterRegistrationBean serviceJWTFilter(LoggingDAO loggingDAO, UserManager userManager) { FilterRegistrationBean bean = new FilterRegistrationBean(); bean.setFilter(new JWTFilter(loggingDAO, rapClient)); bean.setFilter(new JWTFilter(loggingDAO, userManager)); bean.addUrlPatterns("/*"); bean.setOrder(Ordered.HIGHEST_PRECEDENCE); return bean; Loading