Put back CORS config
+ minor formatting Signed-off-by: Dominic Schabel <dominic.schabel@bosch-si.com>
This commit is contained in:
@@ -94,6 +94,9 @@ import org.springframework.security.web.session.HttpSessionEventPublisher;
|
|||||||
import org.springframework.security.web.session.SessionManagementFilter;
|
import org.springframework.security.web.session.SessionManagementFilter;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
|
import org.springframework.web.cors.CorsConfiguration;
|
||||||
|
import org.springframework.web.cors.CorsConfigurationSource;
|
||||||
|
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
|
||||||
import org.vaadin.spring.security.VaadinSecurityContext;
|
import org.vaadin.spring.security.VaadinSecurityContext;
|
||||||
import org.vaadin.spring.security.annotation.EnableVaadinSecurity;
|
import org.vaadin.spring.security.annotation.EnableVaadinSecurity;
|
||||||
import org.vaadin.spring.security.web.VaadinRedirectStrategy;
|
import org.vaadin.spring.security.web.VaadinRedirectStrategy;
|
||||||
@@ -460,6 +463,7 @@ public class SecurityManagedConfiguration {
|
|||||||
*/
|
*/
|
||||||
@Configuration
|
@Configuration
|
||||||
@Order(350)
|
@Order(350)
|
||||||
|
@EnableWebSecurity
|
||||||
@ConditionalOnClass(MgmtApiConfiguration.class)
|
@ConditionalOnClass(MgmtApiConfiguration.class)
|
||||||
public static class RestSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
|
public static class RestSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
@@ -508,34 +512,37 @@ public class SecurityManagedConfiguration {
|
|||||||
protected void configure(final HttpSecurity http) throws Exception {
|
protected void configure(final HttpSecurity http) throws Exception {
|
||||||
|
|
||||||
HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable();
|
HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable();
|
||||||
|
|
||||||
|
if (securityProperties.getCors().isEnabled()) {
|
||||||
|
httpSec = httpSec.cors().and();
|
||||||
|
}
|
||||||
|
|
||||||
if (securityProperties.isRequireSsl()) {
|
if (securityProperties.isRequireSsl()) {
|
||||||
httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
|
httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
|
||||||
}
|
}
|
||||||
|
|
||||||
httpSec
|
httpSec.authorizeRequests().anyRequest().authenticated()
|
||||||
.authorizeRequests().anyRequest().authenticated()
|
|
||||||
.antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
|
.antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
|
||||||
.hasAnyAuthority(SpPermission.SYSTEM_ADMIN);
|
.hasAnyAuthority(SpPermission.SYSTEM_ADMIN);
|
||||||
|
|
||||||
if (oidcBearerTokenAuthenticationFilter != null) {
|
if (oidcBearerTokenAuthenticationFilter != null) {
|
||||||
|
|
||||||
// Only get the first client registration. Testing against every client could increase the
|
// Only get the first client registration. Testing against every
|
||||||
|
// client could increase the
|
||||||
// attack vector
|
// attack vector
|
||||||
ClientRegistration clientRegistration = null;
|
ClientRegistration clientRegistration = null;
|
||||||
for (ClientRegistration cr : clientRegistrationRepository) {
|
for (final ClientRegistration cr : clientRegistrationRepository) {
|
||||||
clientRegistration = cr;
|
clientRegistration = cr;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
Assert.notNull(clientRegistration, "There must be a valid client registration");
|
Assert.notNull(clientRegistration, "There must be a valid client registration");
|
||||||
httpSec.oauth2ResourceServer()
|
httpSec.oauth2ResourceServer().jwt().jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());
|
||||||
.jwt().jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());
|
|
||||||
|
|
||||||
oidcBearerTokenAuthenticationFilter.setClientRegistration(clientRegistration);
|
oidcBearerTokenAuthenticationFilter.setClientRegistration(clientRegistration);
|
||||||
|
|
||||||
httpSec.addFilterAfter(oidcBearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
|
httpSec.addFilterAfter(oidcBearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
|
||||||
}
|
} else {
|
||||||
else {
|
|
||||||
final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint();
|
final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint();
|
||||||
basicAuthEntryPoint.setRealmName(securityProperties.getBasicRealm());
|
basicAuthEntryPoint.setRealmName(securityProperties.getBasicRealm());
|
||||||
|
|
||||||
@@ -547,7 +554,7 @@ public class SecurityManagedConfiguration {
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void doFilter(final ServletRequest request, final ServletResponse response,
|
public void doFilter(final ServletRequest request, final ServletResponse response,
|
||||||
final FilterChain chain) throws IOException, ServletException {
|
final FilterChain chain) throws IOException, ServletException {
|
||||||
userAuthenticationFilter.doFilter(request, response, chain);
|
userAuthenticationFilter.doFilter(request, response, chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -559,12 +566,29 @@ public class SecurityManagedConfiguration {
|
|||||||
httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint);
|
httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint);
|
||||||
}
|
}
|
||||||
|
|
||||||
httpSec.addFilterAfter(new AuthenticationSuccessTenantMetadataCreationFilter(systemManagement,
|
httpSec.addFilterAfter(
|
||||||
systemSecurityContext), SessionManagementFilter.class);
|
new AuthenticationSuccessTenantMetadataCreationFilter(systemManagement, systemSecurityContext),
|
||||||
|
SessionManagementFilter.class);
|
||||||
|
|
||||||
httpSec.anonymous().disable();
|
httpSec.anonymous().disable();
|
||||||
httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
|
httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
@ConditionalOnProperty(prefix = "hawkbit.server.security.cors", name = "enabled", matchIfMissing = false)
|
||||||
|
CorsConfigurationSource corsConfigurationSource() {
|
||||||
|
final CorsConfiguration restCorsConfiguration = new CorsConfiguration();
|
||||||
|
|
||||||
|
restCorsConfiguration.setAllowedOrigins(securityProperties.getCors().getAllowedOrigins());
|
||||||
|
restCorsConfiguration.setAllowCredentials(true);
|
||||||
|
restCorsConfiguration.setAllowedHeaders(securityProperties.getCors().getAllowedHeaders());
|
||||||
|
restCorsConfiguration.setAllowedMethods(securityProperties.getCors().getAllowedMethods());
|
||||||
|
|
||||||
|
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
|
||||||
|
source.registerCorsConfiguration("/rest/**", restCorsConfiguration);
|
||||||
|
|
||||||
|
return source;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -661,7 +685,7 @@ public class SecurityManagedConfiguration {
|
|||||||
@Override
|
@Override
|
||||||
protected void configure(final HttpSecurity http) throws Exception {
|
protected void configure(final HttpSecurity http) throws Exception {
|
||||||
|
|
||||||
boolean enableOidc = oidcUserService != null && oidcAuthenticationSuccessHandler != null
|
final boolean enableOidc = oidcUserService != null && oidcAuthenticationSuccessHandler != null
|
||||||
&& oidcLogoutHandler != null;
|
&& oidcLogoutHandler != null;
|
||||||
|
|
||||||
// workaround regex: we need to exclude the URL /UI/HEARTBEAT here
|
// workaround regex: we need to exclude the URL /UI/HEARTBEAT here
|
||||||
|
|||||||
Reference in New Issue
Block a user