Support for simultaneous base and OAuth authentication (#1785)

* Remove _OidcAuthenticationSuccessHandler_:
  * _OAuth2AuthenticationToken.setDetails_ is made by jwt authentication converter
  * get tenant data (with potentially creating tenant) is done via a filter added in filterChainREST
* _filterChainREST_ uses _Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>>_ as configuration for OAuth. Thus it is not bound with oauth client configuration
* _OidcUserManagementAutoConfiguration_ - now registers (if conditions are met) Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> which covers both - oauth legacy filter from filterChainREST and OidcBearerTokenAuthenticationFilter
* Since oauth clients are not related to hawkBit anymore (since removal of legacy UI) and the proper configuration would be via resource server or whatever, the _OidcUserManagementAutoConfiguration_ is DEPRECATED and for removal
* _UserAuthenticationFilter_ is removed
* Enabled simultaneous base and OAuth authentication. Still, by default, if OAuth is configured, http authentication is disabled. However, if OAuth is configured (via _Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>>_) and **hawkbit.server.security.allowHttpBasicOnOAuthEnabled** is set to **true**, then http auth would also be enabled
* _OidcUserManagementAutoConfiguration_ could be disabled with **hawkbit.server.security.oAuth2OnClientsConfig.enabled=false**

Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
Avgustin Marinov
2024-07-26 10:59:15 +03:00
committed by GitHub
parent 6b8917e229
commit 3a34ded4f6
5 changed files with 100 additions and 351 deletions


@@ -1,66 +0,0 @@
/**
* Copyright (c) 2015 Bosch Software Innovations GmbH and others
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.im.authentication;
import java.io.IOException;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
/**
* Filter to integrate into the SP security filter-chain. The filter is called
* in any remote call through HTTP except the SP login screen. E.g. using the SP
* REST-API. To authenticate user e.g. using Basic-Authentication implement the
* {@link #doFilter(jakarta.servlet.ServletRequest, jakarta.servlet.ServletResponse, jakarta.servlet.FilterChain)}
* method.
*
*
*
*/
public interface UserAuthenticationFilter {
/**
* @see Filter#init(FilterConfig)
*
* @param filterConfig
* the filter config
*/
void init(FilterConfig filterConfig) throws ServletException;
/**
* @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
*
* @param request
* the servlet request
* @param response
* the servlet response
* @param chain
* the filterchain
* @throws IOException
* cannot read from request
* @throws ServletException
* servlet exception
*/
// this declaration of multiple checked exception is necessary so it's
// aligned with the servlet API.
@SuppressWarnings("squid:S1160")
void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException;
/**
* @see Filter#destroy()
*/
void destroy();
}


@@ -49,6 +49,10 @@ public class HawkbitSecurityProperties {
* Basic authentication realm, see https://tools.ietf.org/html/rfc2617#page-3 .
*/
private String basicRealm = "hawkBit";
/**
* If to allow http authentication when there is OAuth2 authentication enabled.
*/
private boolean allowHttpBasicOnOAuthEnabled = false;
/**
* Security configuration related to CORS.
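Review bot: The Javadoc on the new `allowHttpBasicOnOAuthEnabled` field neither states what the default means nor that enabling it widens the set of credentials the REST API accepts; once both schemes are active, a leaked password grants the same access as a bearer token, so the property should read as a deliberate opt-in. Suggest replacing the comment with `Whether to keep HTTP Basic authentication enabled when OAuth2 (resource server) authentication is configured. Defaults to {@code false}, so Basic is switched off as soon as OAuth2 is active; set to {@code true} only when clients that cannot obtain tokens must still be supported.` The commit description ties the switch to a `Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>>` being registered; naming that condition here would spare readers a trip to the security configuration, though it cannot be confirmed from this hunk alone. The enclosing class `HawkbitSecurityProperties` starts and ends outside the hunk.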