Put back CORS config

+ minor formatting

Signed-off-by: Dominic Schabel <dominic.schabel@bosch-si.com>
This commit is contained in:
Dominic Schabel
2020-01-14 13:25:53 +01:00
parent 1bcced9838
commit 67ecd875a7

View File

@@ -94,6 +94,9 @@ import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.session.SessionManagementFilter; import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.vaadin.spring.security.VaadinSecurityContext; import org.vaadin.spring.security.VaadinSecurityContext;
import org.vaadin.spring.security.annotation.EnableVaadinSecurity; import org.vaadin.spring.security.annotation.EnableVaadinSecurity;
import org.vaadin.spring.security.web.VaadinRedirectStrategy; import org.vaadin.spring.security.web.VaadinRedirectStrategy;
@@ -460,6 +463,7 @@ public class SecurityManagedConfiguration {
*/ */
@Configuration @Configuration
@Order(350) @Order(350)
@EnableWebSecurity
@ConditionalOnClass(MgmtApiConfiguration.class) @ConditionalOnClass(MgmtApiConfiguration.class)
public static class RestSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { public static class RestSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@@ -508,34 +512,37 @@ public class SecurityManagedConfiguration {
protected void configure(final HttpSecurity http) throws Exception { protected void configure(final HttpSecurity http) throws Exception {
HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable(); HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable();
if (securityProperties.getCors().isEnabled()) {
httpSec = httpSec.cors().and();
}
if (securityProperties.isRequireSsl()) { if (securityProperties.isRequireSsl()) {
httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and(); httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
} }
httpSec httpSec.authorizeRequests().anyRequest().authenticated()
.authorizeRequests().anyRequest().authenticated()
.antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**") .antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
.hasAnyAuthority(SpPermission.SYSTEM_ADMIN); .hasAnyAuthority(SpPermission.SYSTEM_ADMIN);
if (oidcBearerTokenAuthenticationFilter != null) { if (oidcBearerTokenAuthenticationFilter != null) {
// Only get the first client registration. Testing against every client could increase the // Only get the first client registration. Testing against every
// client could increase the
// attack vector // attack vector
ClientRegistration clientRegistration = null; ClientRegistration clientRegistration = null;
for (ClientRegistration cr : clientRegistrationRepository) { for (final ClientRegistration cr : clientRegistrationRepository) {
clientRegistration = cr; clientRegistration = cr;
break; break;
} }
Assert.notNull(clientRegistration, "There must be a valid client registration"); Assert.notNull(clientRegistration, "There must be a valid client registration");
httpSec.oauth2ResourceServer() httpSec.oauth2ResourceServer().jwt().jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());
.jwt().jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());
oidcBearerTokenAuthenticationFilter.setClientRegistration(clientRegistration); oidcBearerTokenAuthenticationFilter.setClientRegistration(clientRegistration);
httpSec.addFilterAfter(oidcBearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class); httpSec.addFilterAfter(oidcBearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
} } else {
else {
final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint(); final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint();
basicAuthEntryPoint.setRealmName(securityProperties.getBasicRealm()); basicAuthEntryPoint.setRealmName(securityProperties.getBasicRealm());
@@ -547,7 +554,7 @@ public class SecurityManagedConfiguration {
@Override @Override
public void doFilter(final ServletRequest request, final ServletResponse response, public void doFilter(final ServletRequest request, final ServletResponse response,
final FilterChain chain) throws IOException, ServletException { final FilterChain chain) throws IOException, ServletException {
userAuthenticationFilter.doFilter(request, response, chain); userAuthenticationFilter.doFilter(request, response, chain);
} }
@@ -559,12 +566,29 @@ public class SecurityManagedConfiguration {
httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint); httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint);
} }
httpSec.addFilterAfter(new AuthenticationSuccessTenantMetadataCreationFilter(systemManagement, httpSec.addFilterAfter(
systemSecurityContext), SessionManagementFilter.class); new AuthenticationSuccessTenantMetadataCreationFilter(systemManagement, systemSecurityContext),
SessionManagementFilter.class);
httpSec.anonymous().disable(); httpSec.anonymous().disable();
httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
} }
@Bean
@ConditionalOnProperty(prefix = "hawkbit.server.security.cors", name = "enabled", matchIfMissing = false)
CorsConfigurationSource corsConfigurationSource() {
final CorsConfiguration restCorsConfiguration = new CorsConfiguration();
restCorsConfiguration.setAllowedOrigins(securityProperties.getCors().getAllowedOrigins());
restCorsConfiguration.setAllowCredentials(true);
restCorsConfiguration.setAllowedHeaders(securityProperties.getCors().getAllowedHeaders());
restCorsConfiguration.setAllowedMethods(securityProperties.getCors().getAllowedMethods());
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/rest/**", restCorsConfiguration);
return source;
}
} }
/** /**
@@ -661,7 +685,7 @@ public class SecurityManagedConfiguration {
@Override @Override
protected void configure(final HttpSecurity http) throws Exception { protected void configure(final HttpSecurity http) throws Exception {
boolean enableOidc = oidcUserService != null && oidcAuthenticationSuccessHandler != null final boolean enableOidc = oidcUserService != null && oidcAuthenticationSuccessHandler != null
&& oidcLogoutHandler != null; && oidcLogoutHandler != null;
// workaround regex: we need to exclude the URL /UI/HEARTBEAT here // workaround regex: we need to exclude the URL /UI/HEARTBEAT here