From aef2e3450a6278f94ec087c3f1ae441c34c9c16b Mon Sep 17 00:00:00 2001 From: Michael Hirsch Date: Wed, 22 Jun 2016 15:46:43 +0200 Subject: [PATCH 1/3] remove special health security check because this can be made with spring security out-of-the box Signed-off-by: Michael Hirsch --- .../SecurityManagedConfiguration.java | 20 ++----------------- 1 file changed, 2 insertions(+), 18 deletions(-) diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java index 0b68246ff..1e4dbfb27 100644 --- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java +++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java @@ -271,20 +271,6 @@ public class SecurityManagedConfiguration { return filterRegBean; } - /** - * Security configuration for the REST management API of the health url. - */ - @Configuration - @Order(310) - public static class HealthSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(final HttpSecurity http) throws Exception { - http.regexMatcher("/system/health").csrf().disable().httpBasic().and().sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.STATELESS); - } - } - /** * Security configuration for the REST management API. */ 
@@ -310,7 +296,7 @@ public class SecurityManagedConfiguration { final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint(); basicAuthEntryPoint.setRealmName(springSecurityProperties.getBasic().getRealm()); - HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system.*").csrf().disable(); + HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable(); if (springSecurityProperties.isRequireSsl()) { httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and(); } @@ -337,9 +323,7 @@ public class SecurityManagedConfiguration { SessionManagementFilter.class) .authorizeRequests().anyRequest().authenticated() .antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**") - .hasAnyAuthority(SpPermission.SYSTEM_ADMIN) - .antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/**") - .hasAnyAuthority(SpPermission.SYSTEM_DIAG); + .hasAnyAuthority(SpPermission.SYSTEM_ADMIN); httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint); } From 11f2232247276409643e7c4ebedcb8f482cd5061 Mon Sep 17 00:00:00 2001 From: Michael Hirsch Date: Wed, 22 Jun 2016 15:47:38 +0200 Subject: [PATCH 2/3] add prefixed ROLE_ to granted authorities to work with out-of-the-box spring security Signed-off-by: Michael Hirsch --- .../org/eclipse/hawkbit/im/authentication/PermissionUtils.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/PermissionUtils.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/PermissionUtils.java index ae8b604bb..98cde9642 100644 --- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/PermissionUtils.java +++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/PermissionUtils.java 
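Review bot: Narrowing the matcher from `\\/system.*` to `\\/system/admin.*` drops every other `/system/...` path — the health URL whose dedicated adapter the first hunk removes, and anything else under `MgmtRestConstants.BASE_SYSTEM_MAPPING` — out of this stateless, CSRF-disabled, basic-auth chain, including the `requiresSecure()` channel rule that follows when `isRequireSsl()` is set. Those requests now fall through to whichever `WebSecurityConfigurerAdapter` is ordered after this one, which is not visible here; if that is the UI chain or a framework default, the effective authentication, CSRF and SSL requirements for `/system/health` change with this commit and the message "can be made with spring security out-of-the box" does not say which configuration now owns it. I would pin that down with a test that requests `/system/health` anonymously and with a basic-auth user, and record the decision in the adapter's Javadoc, e.g. `/system/health is intentionally not matched here; it is secured by the management/actuator security configuration`. The enclosing `configure` method starts outside the hunk.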
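Review bot: The surviving `.antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**").hasAnyAuthority(SpPermission.SYSTEM_ADMIN)` rule is registered after `.anyRequest().authenticated()`, and Spring Security evaluates `authorizeRequests()` entries in registration order with the first match winning, so the `anyRequest()` entry appears to shadow it and `/system/admin/**` would only require an authenticated user, not `SYSTEM_ADMIN` (newer Spring Security versions reject this ordering with an exception). The ordering is pre-existing, but with the `SYSTEM_DIAG` rule for `/system/**` removed here it is now the only URL-level authority check in this chain, so it is worth fixing in the same change: `.authorizeRequests().antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**").hasAnyAuthority(SpPermission.SYSTEM_ADMIN).anyRequest().authenticated()`. If the admin endpoints are additionally guarded by method-level `@PreAuthorize`, a one-line comment saying so would stop the next reader from relying on this rule alone. The enclosing `configure` method starts outside the hunk.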
@@ -36,6 +36,9 @@ public final class PermissionUtils { for (final String role : roles) { authorities.add(new SimpleGrantedAuthority(role)); + // add spring security ROLE authority which is indicated by the + // `ROLE_` prefix + authorities.add(new SimpleGrantedAuthority("ROLE_" + role)); } return authorities; From 27005b1ae74eab7e88ae116c5c24f9e0813022ad Mon Sep 17 00:00:00 2001 From: Michael Hirsch Date: Wed, 22 Jun 2016 17:33:09 +0200 Subject: [PATCH 3/3] fix test Signed-off-by: Michael Hirsch --- .../eclipse/hawkbit/im/authentication/PermissionTest.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hawkbit-security-core/src/test/java/org/eclipse/hawkbit/im/authentication/PermissionTest.java b/hawkbit-security-core/src/test/java/org/eclipse/hawkbit/im/authentication/PermissionTest.java index bca7fd1c1..2c948206e 100644 --- a/hawkbit-security-core/src/test/java/org/eclipse/hawkbit/im/authentication/PermissionTest.java +++ b/hawkbit-security-core/src/test/java/org/eclipse/hawkbit/im/authentication/PermissionTest.java @@ -36,7 +36,8 @@ public final class PermissionTest { final Collection allAuthorities = SpPermission.getAllAuthorities(); final List allAuthoritiesList = PermissionUtils.createAllAuthorityList(); assertThat(allAuthorities).hasSize(allPermission); - assertThat(allAuthoritiesList).hasSize(allPermission); + // times 2 because we add also all authorities as prefix 'ROLE_'; + assertThat(allAuthoritiesList).hasSize(allPermission * 2); assertThat(allAuthoritiesList.stream().map(authority -> authority.getAuthority()).collect(Collectors.toList())) .containsAll(allAuthorities); 
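Review bot: Adding `"ROLE_" + role` for every permission means each hawkBit permission now also satisfies `hasRole(...)`/`hasAnyRole(...)` checks, and any role name configured elsewhere that happens to equal a permission name is granted implicitly; nothing in this hunk limits which names receive the prefix, so that widening should be a deliberate, documented decision. If a role already carries the `ROLE_` prefix the loop also produces `ROLE_ROLE_…` next to a duplicate, so guard it: `if (!role.startsWith("ROLE_")) { authorities.add(new SimpleGrantedAuthority("ROLE_" + role)); }`. The method this loop belongs to starts outside the hunk; its Javadoc should state that the returned list holds both forms, e.g. `Each permission is returned twice: unchanged, for hasAuthority checks, and with the Spring Security ROLE_ prefix so plain hasRole checks accept it.`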
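Review bot: The updated assertion only checks the doubled size and that the un-prefixed names are contained, so the new `ROLE_` entries are never asserted and a list padded with any other per-permission value would still pass. Add a check on the prefixed form next to the existing `containsAll`, e.g. `assertThat(names).containsAll(allAuthorities.stream().map(a -> "ROLE_" + a).collect(Collectors.toList()));` with `names` being the mapped authority list already built on the preceding line, and `assertThat(names).doesNotHaveDuplicates();` so a double-prefixed or repeated entry is caught. The enclosing test method starts outside the hunk.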
@@ -46,7 +47,8 @@ public final class PermissionTest { .getAllAuthorities(SpPermission.SYSTEM_ADMIN, SpPermission.SYSTEM_DIAG, SpPermission.SYSTEM_MONITOR)); assertThat(authoritiesWithoutSystem).hasSize(permissionWithoutSystem); - assertThat(authoritiesListWithoutSystem).hasSize(permissionWithoutSystem); + // times 2 because we add also all authorities as prefix 'ROLE_'; + assertThat(authoritiesListWithoutSystem).hasSize(permissionWithoutSystem * 2); assertThat(authoritiesListWithoutSystem.stream().map(authority -> authority.getAuthority()) .collect(Collectors.toList())).containsAll(authoritiesWithoutSystem);