From 28765b168cc38115e98e02adc2465f301b6363af Mon Sep 17 00:00:00 2001
From: kaizimmerm
Date: Wed, 17 May 2017 17:46:07 +0200
Subject: [PATCH] Fix to many request filter URL configuration, order and added a config for the UI.
Signed-off-by: kaizimmerm
---
 .../SecurityManagedConfiguration.java | 64 ++++++++++++++-----
 .../main/resources/hawkbitdefaults.properties | 3 +
 .../eclipse/hawkbit/security/DosFilter.java | 6 +-
 .../security/HawkbitSecurityProperties.java | 8 ++-
 4 files changed, 61 insertions(+), 20 deletions(-)
diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
index e6d4ccc5f..ce1a43ea9 100644
--- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
@@ -9,6 +9,7 @@ package org.eclipse.hawkbit.autoconfigure.security;
 import java.io.IOException;
+import java.util.Arrays;
 import javax.annotation.PostConstruct;
 import javax.servlet.Filter;
@@ -49,8 +50,8 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
-import org.springframework.boot.context.embedded.FilterRegistrationBean;
-import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
 import org.springframework.context.annotation.AdviceMode;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -100,11 +101,13 @@ public class SecurityManagedConfiguration {
 private static final Logger LOG = LoggerFactory.getLogger(SecurityManagedConfiguration.class);
+ private static final int DOS_FILTER_ORDER = 1;
+
 @Autowired
 private AuthenticationConfiguration configuration;
 /**
- * @return the {@link UserAuthenticationFilter} to include into the SP
+ * @return the {@link UserAuthenticationFilter} to include into the hawkBit
 * security configuration.
 * @throws Exception
 * lazy bean exception maybe if the authentication manager
@@ -167,8 +170,11 @@ public class SecurityManagedConfiguration {
 @ConditionalOnClass(DdiApiConfiguration.class)
 public FilterRegistrationBean dosDDiFilter(final HawkbitSecurityProperties securityProperties) {
- final FilterRegistrationBean filterRegBean = dosFilter(securityProperties);
- filterRegBean.addUrlPatterns("/{tenant}/controller/v1/**");
+ final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getFilter(),
+ securityProperties.getClients());
+ filterRegBean.addUrlPatterns("/{tenant}/controller/v1/*");
+ filterRegBean.setOrder(DOS_FILTER_ORDER);
+ filterRegBean.setName("dosDDiFilter");
 return filterRegBean;
 }
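Review bot: The mapping `/{tenant}/controller/v1/*` in `dosDDiFilter` goes through `addUrlPatterns` into a servlet-container filter mapping, and servlet URL patterns have no placeholder syntax, so `{tenant}` is matched as the literal path segment `{tenant}` and a request under a real tenant prefix should, as far as I can tell, never pass through the DDI DoS filter; the commit fixes the `**` but keeps this. Servlet mappings cannot express a wildcard first segment, so either map this registration to `/*` and let `DosFilter` skip paths that are not a controller path (e.g. by overriding `shouldNotFilter`), or at least add an integration test that a request to a concrete tenant path is actually counted. Separately, this method still uses `addUrlPatterns` while `dosSystemFilter`, `dosMgmtFilter` and the new `dosMgmtUiFilter` were moved to `setUrlPatterns(Arrays.asList(...))`; pick one form for all four. `DOS_FILTER_ORDER = 1` only achieves its purpose together with `security.filter-order=5` in hawkbitdefaults.properties, which is worth a comment on the constant: `// must be smaller than security.filter-order so the DoS filters run before Spring Security`.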
@@ -253,23 +259,25 @@ public class SecurityManagedConfiguration {
 * service protection filter in the filter chain
 */
 @Bean
- @Order(52)
 public FilterRegistrationBean dosSystemFilter(final HawkbitSecurityProperties securityProperties) {
- final FilterRegistrationBean filterRegBean = dosFilter(securityProperties);
- filterRegBean.addUrlPatterns("/system/*");
+ final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getFilter(),
+ securityProperties.getClients());
+ filterRegBean.setUrlPatterns(Arrays.asList("/system/*"));
+ filterRegBean.setOrder(DOS_FILTER_ORDER);
+ filterRegBean.setName("dosSystemFilter");
 return filterRegBean;
 }
- private static FilterRegistrationBean dosFilter(final HawkbitSecurityProperties securityProperties) {
+ private static FilterRegistrationBean dosFilter(final HawkbitSecurityProperties.Dos.Filter filterProperties,
+ final HawkbitSecurityProperties.Clients clientProperties) {
 final FilterRegistrationBean filterRegBean = new FilterRegistrationBean();
- filterRegBean.setFilter(new DosFilter(securityProperties.getDos().getFilter().getMaxRead(),
- securityProperties.getDos().getFilter().getMaxWrite(),
- securityProperties.getDos().getFilter().getWhitelist(), securityProperties.getClients().getBlacklist(),
- securityProperties.getClients().getRemoteIpHeader()));
+ filterRegBean.setFilter(new DosFilter(filterProperties.getMaxRead(), filterProperties.getMaxWrite(),
+ filterProperties.getWhitelist(), clientProperties.getBlacklist(),
+ clientProperties.getRemoteIpHeader()));
 return filterRegBean;
 }
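Review bot: The reworked `dosFilter` helper has no Javadoc although it now defines the contract that all `dos*Filter` beans depend on; add `/** Creates a {@link FilterRegistrationBean} around a {@link DosFilter} built from the given request limits and client settings; name, order and URL patterns are left to the caller. */`. `filterProperties.getMaxRead()` and `getMaxWrite()` now feed the `int` constructor parameters introduced in DosFilter; if those getters return boxed `Integer` (not visible in this hunk) an unset property would fail with an NPE on unboxing at context startup, so please confirm they return primitives or have non-null defaults. `Arrays.asList("/system/*")` in `dosSystemFilter` can be `Collections.singletonList("/system/*")`. The Javadoc of `dosSystemFilter` begins before the hunk.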
@@ -330,8 +338,11 @@ public class SecurityManagedConfiguration {
 @Bean
 public FilterRegistrationBean dosMgmtFilter(final HawkbitSecurityProperties securityProperties) {
- final FilterRegistrationBean filterRegBean = dosFilter(securityProperties);
- filterRegBean.addUrlPatterns("/rest/**");
+ final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getFilter(),
+ securityProperties.getClients());
+ filterRegBean.setUrlPatterns(Arrays.asList("/rest/*", "/api/*"));
+ filterRegBean.setOrder(DOS_FILTER_ORDER);
+ filterRegBean.setName("dosMgmtFilter");
 return filterRegBean;
 }
@@ -383,12 +394,35 @@ public class SecurityManagedConfiguration {
 @EnableVaadinSecurity
 @ConditionalOnClass(MgmtUiConfiguration.class)
 public static class UISecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
+
 @Autowired
 private VaadinSecurityContext vaadinSecurityContext;
 @Autowired
 private SecurityProperties springSecurityProperties;
+ /**
+ * Filter to protect the hawkBit management UI against to many requests.
+ *
+ * @param securityProperties
+ * for filter configuration
+ *
+ * @return the spring filter registration bean for registering a denial
+ * of service protection filter in the filter chain
+ */
+ @Bean
+ public FilterRegistrationBean dosMgmtUiFilter(final HawkbitSecurityProperties securityProperties) {
+
+ final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getUiFilter(),
+ securityProperties.getClients());
+ // All URLs that can be called anonymous
+ filterRegBean.setUrlPatterns(Arrays.asList("/UI/login", "/UI/login/*", "/UI/logout", "/UI/logout/*"));
+ filterRegBean.setOrder(DOS_FILTER_ORDER);
+ filterRegBean.setName("dosMgmtUiFilter");
+
+ return filterRegBean;
+ }
+
 /**
 * post construct for setting the authentication success handler for the
 * vaadin security context.
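Review bot: The Javadoc of the new `dosMgmtUiFilter` reads `against to many requests`; it should be `against too many requests`, and the inline comment should read `// UI URLs that can be called anonymously`. Because the bean lives in the nested `UISecurityConfigurationAdapter`, which carries `@ConditionalOnClass(MgmtUiConfiguration.class)`, it is only registered when the management UI is present; a sentence in the Javadoc such as `Only registered together with the management UI, see the class-level condition.` saves the next reader that lookup. The nested class continues past the end of the hunk.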
diff --git a/hawkbit-autoconfigure/src/main/resources/hawkbitdefaults.properties b/hawkbit-autoconfigure/src/main/resources/hawkbitdefaults.properties
index cd97b7c49..fe951eda9 100644
--- a/hawkbit-autoconfigure/src/main/resources/hawkbitdefaults.properties
+++ b/hawkbit-autoconfigure/src/main/resources/hawkbitdefaults.properties
@@ -15,6 +15,9 @@ security.basic.realm=HawkBit
 security.user.name=admin
 security.user.password=admin
+# Ensure that DosFilter runs before Spring Security
+security.filter-order=5
+
 # Spring cloud bus and stream
 spring.cloud.bus.enabled=false
 # Disable Cloud Bus default events
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/DosFilter.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/DosFilter.java
index a5c1f39c9..f84c327c5 100644
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/DosFilter.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/DosFilter.java
@@ -48,8 +48,8 @@ public class DosFilter extends OncePerRequestFilter {
 private final Cache writeCountCache = CacheBuilder.newBuilder()
 .expireAfterAccess(1, TimeUnit.SECONDS).build();
- private final Integer maxRead;
- private final Integer maxWrite;
+ private final int maxRead;
+ private final int maxWrite;
 private final Pattern whitelist;
@@ -73,7 +73,7 @@ public class DosFilter extends OncePerRequestFilter {
 * the header containing the forwarded IP address e.g.
 * {@code x-forwarded-for}
 */
- public DosFilter(final Integer maxRead, final Integer maxWrite, final String ipDosWhiteListPattern,
+ public DosFilter(final int maxRead, final int maxWrite, final String ipDosWhiteListPattern,
 final String ipBlackListPattern, final String forwardHeader) {
 this.maxRead = maxRead;
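Review bot: `security.filter-order=5` is the only thing placing Spring Security behind the DoS filters (which register with `DOS_FILTER_ORDER = 1` in SecurityManagedConfiguration), and nothing enforces that relation: a deployment that overrides the property with a value of 1 or lower silently moves the throttling behind authentication, with no error at startup. Make the dependency visible in the comment, `# Ensure that DosFilter runs before Spring Security: must stay greater than DOS_FILTER_ORDER (1) in SecurityManagedConfiguration`. Deriving the DoS filter order from `SecurityProperties.getFilterOrder()` in the configuration class would remove the coupling altogether.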
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/HawkbitSecurityProperties.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/HawkbitSecurityProperties.java
index 47165a26b..f5fe893ad 100644
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/HawkbitSecurityProperties.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/HawkbitSecurityProperties.java
@@ -40,8 +40,7 @@ public class HawkbitSecurityProperties {
 private String blacklist = "";
 /**
- * Name of the http header from which the remote ip is extracted for DDI
- * connected clients.
+ * Name of the http header from which the remote ip is extracted.
 */
 private String remoteIpHeader = "X-Forwarded-For";
@@ -98,6 +97,11 @@ public class HawkbitSecurityProperties {
 private int maxRolloutGroupsPerRollout = 500;
 private final Filter filter = new Filter();
+ private final Filter uiFilter = new Filter();
+
+ public Filter getUiFilter() {
+ return uiFilter;
+ }
 public Filter getFilter() {
 return filter;
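Review bot: The new `uiFilter` field has no Javadoc while the neighbouring properties (see `remoteIpHeader` in the first hunk) carry one, and the only hint about its semantics is that it starts as `new Filter()` exactly like `filter`; add `/** DoS protection limits for the anonymous management UI endpoints (login/logout). Starts with the same defaults as {@link #filter}. */`. Without that, a reader cannot tell whether sharing the API limits with a browser login flow is intended or just the initial value. The enclosing nested class — presumably `Dos`, given `HawkbitSecurityProperties.Dos.Filter` elsewhere in the patch — starts and ends outside the hunk.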