Revision c05f3fc5

IDc05f3fc567c3839ded9d89c6c0f81834fe11e1d2
Parent f70049c0
Child 61d32ca1

Added by Andreas Kohlbecker over 3 years ago

fix #6248 implementing global management users for machine clients


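--- a/cdmlib-remote/src/main/java/eu/etaxonomy/cdm/remote/config/MultiWebSecurityConfiguration.java
+++ b/cdmlib-remote/src/main/java/eu/etaxonomy/cdm/remote/config/MultiWebSecurityConfiguration.java
@@ -8,13 +8,25 @@
  */
 package eu.etaxonomy.cdm.remote.config;
 
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.util.Properties;
+
+import org.apache.commons.io.FileUtils;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.core.annotation.Order;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
+import eu.etaxonomy.cdm.common.CdmUtils;
+
 /**
  *
  * <b>NOTE</b> on nested @Configuration classes:
@@ -32,6 +44,12 @@
 @Import(OAuth2ServerConfiguration.class)
 public class MultiWebSecurityConfiguration {
 
+    public static final String MANAGE_CLIENT = "MANAGE_CLIENT";
+
+    public static final String ROLE_MANAGE_CLIENT = "ROLE_" + MANAGE_CLIENT;
+
+    private static final String MANAGING_USERS_PROPERTIES = "managing-users.properties";
+
     /**
      * Check for full authentication for remoting services
      * @author a.kohlbecker
@@ -92,6 +110,7 @@
      */
     @Configuration
     public static class DefaultWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
+
         @Override
         protected void configure(HttpSecurity http) throws Exception {
               // @formatter:off
@@ -104,4 +123,56 @@
         }
     }
 
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth, DaoAuthenticationProvider daoAuthenticationProvider) throws Exception {
+
+        // add the DaoAuthenticationProvider which is defined in
+        // /cdmlib-services/src/main/resources/eu/etaxonomy/cdm/services_security.xml
+        // if not added here it will not be added to the context as long as we are doing the
+        // configuration explicitly here.
+        auth.authenticationProvider(daoAuthenticationProvider);
+
+        // Add an inMemoryUserManager to  enable access to the global ROLE_MANAGE_CLIENTs.
+        // This is the casue for the need to do the configuration explicitly.
+        InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> inMemoryAuthConf = auth.inMemoryAuthentication();
+        File managingUsersFile = new File(CdmUtils.getCdmHomeDir(), MANAGING_USERS_PROPERTIES);
+        if(!managingUsersFile.exists()){
+            makeManagingUsersPropertiesFile(managingUsersFile);
+        }
+        Properties users = new Properties();
+        users.load(new FileInputStream(managingUsersFile));
+        for(Object userName : users.keySet()){
+            inMemoryAuthConf.withUser(userName.toString()).password(users.get(userName).toString()).roles(MANAGE_CLIENT);
+        }
+    }
+
+    /**
+     * @param globalManagementClients
+     * @throws IOException
+     */
+    private void makeManagingUsersPropertiesFile(File propertiesFile) throws IOException {
+        propertiesFile.createNewFile();
+        FileUtils.write(
+                propertiesFile,
+                "# Managing users properties file\n"
+                + "#\n"
+                + "# This file has been autogenerated by the cdmlib.\n"
+                + "# In case the file is deleted the cdmlib will re-create it during the next start up.\n"
+                + "#\n"
+                + "# This is a java properties file to populate the InMemoryUserDetailsManager in any of \n"
+                + "# the cdm-remote instances with special global management users which are granted to \n"
+                + "# access special web services. Among these are the /manage/ web services and those\n"
+                + "# triggering long running tasks. For more details please refer to\n"
+                + "# https://dev.e-taxonomy.eu/redmine/projects/edit/wiki/CdmAuthorisationAndAccessControl\n"
+                + "# \n"
+                + "# Global management users have the role " + ROLE_MANAGE_CLIENT + ".\n"
+                + "# and will be available in each of the cdm-remote instances.\n"
+                + "# Changes made to this file are applied after restarting a cdm instance.\n"
+                + "#\n"
+                + "# This properties file should contain entries in the form\n"
+                + "#    username=password\n"
+                + "# -------------------------------------------------------------------------------------------\n"
+                + "#\n"
+                );
+        }
 }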
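Review bot: `users.load(new FileInputStream(managingUsersFile))` in configureGlobal never closes the stream; wrap it as `try (FileInputStream in = new FileInputStream(managingUsersFile)) { users.load(in); }`. The bigger concern is that the file holds plaintext `username=password` pairs which are handed to `.password(...)` with no PasswordEncoder visible on the in-memory configurer, and makeManagingUsersPropertiesFile creates it with `createNewFile()` under whatever umask the JVM runs with, so anyone who can read the CDM home directory obtains credentials that carry ROLE_MANAGE_CLIENT on every cdm-remote instance; restrict the file to its owner on creation (`propertiesFile.setReadable(false, false); propertiesFile.setReadable(true, true);`), say in the generated header that passwords are stored in clear text, and consider storing encoded passwords if the encoder used by the DaoAuthenticationProvider can be shared. Both providers are registered on the same AuthenticationManagerBuilder, so a managing user whose name collides with a database user is presumably still authenticable with the file password when the database password differs — the exact fallthrough depends on the ProviderManager and is worth confirming and documenting on configureGlobal.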
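--- a/cdmlib-remote/src/main/java/eu/etaxonomy/cdm/remote/config/OAuth2ServerConfiguration.java
+++ b/cdmlib-remote/src/main/java/eu/etaxonomy/cdm/remote/config/OAuth2ServerConfiguration.java
@@ -8,6 +8,7 @@
  */
 package eu.etaxonomy.cdm.remote.config;
 
+import org.apache.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -17,6 +18,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.oauth2.config.annotation.builders.InMemoryClientDetailsServiceBuilder;
 import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
 import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
@@ -39,7 +41,6 @@
 
     private static final String CDM_RESOURCE_ID = "cdm";
 
-    // @Configuration
     @EnableResourceServer
     protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
 
@@ -58,7 +59,7 @@
             .and() // TODO do we need this?
                 .requestMatchers()
                     .antMatchers(
-                        //"/manage/**",
+                        "/manage/**",
                         "/user/**"
                         // "/oauth/users/**",
                         // "/oauth/clients/**")
@@ -71,7 +72,12 @@
                     //      or
                     //   org.springframework.security.access.expression.SecurityExpressionRoot
                     // - org.springframework.security.oauth2.provider.expression.OAuth2SecurityExpressionMethods
-                    //.antMatchers("/manage/**").access("#oauth2.clientHasRole('ROLE_CLIENT') or (!#oauth2.isOAuth() and hasRole('ROLE_ADMIN'))")
+                    .antMatchers("/manage/**").access(
+                              "#oauth2.clientHasRole('ROLE_CLIENT') "
+                            + "or (!#oauth2.isOAuth() and ( "
+                            + "      hasRole('ROLE_ADMIN') or hasRole('" + MultiWebSecurityConfiguration.ROLE_MANAGE_CLIENT + "')"
+                            + "   )"
+                            + ")")
                     .antMatchers("/user/me").access("isAuthenticated()")
                     .regexMatchers("/user/.*|/user\\..*").access("hasAnyRole('ROLE_ADMIN', 'ROLE_USER_MANAGER')")
 
@@ -106,6 +112,8 @@
 
         private static final String CLIENT_ID = "any-client";
 
+        public static final Logger logger = Logger.getLogger(AuthorizationServerConfiguration.class);
+
         @Autowired
         private UserApprovalHandler userApprovalHandler;
 
@@ -120,10 +128,14 @@
 
         @Override
         public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
+
+            InMemoryClientDetailsServiceBuilder builder = clients.inMemory();
+
             // @formatter:off
-            clients
-            .inMemory()
-            .withClient(CLIENT_ID)
+            /*
+             * Client for 'implicit grant'
+             */
+            builder.withClient(CLIENT_ID)
             //.resourceIds(RESOURCE_ID)
             .authorizedGrantTypes("authorization_code", "refresh_token", "implicit")
             .authorities("ROLE_CLIENT")
@@ -131,8 +143,10 @@
             .secret("secret") // secret for login of the client into /oauth/token
             .autoApprove("read");
             // @formatter:on
+
         }
 
+
         @Override
         public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
             endpoints.tokenStore(tokenStore()).userApprovalHandler(userApprovalHandler)
@@ -141,6 +155,7 @@
 
     }
 
+
    protected static class CommonBeans {
 
         @Autowired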
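Review bot: The newly activated rule for `/manage/**` passes on `#oauth2.clientHasRole('ROLE_CLIENT')` alone, and the only client registered in configure(ClientDetailsServiceConfigurer) is `any-client`, which carries `ROLE_CLIENT`, the literal secret `"secret"` and the implicit grant, so every bearer token issued through that client reaches the management endpoints regardless of the user's own roles — the ROLE_ADMIN / ROLE_MANAGE_CLIENT condition only guards the non-OAuth branch. If management is meant to be restricted to privileged principals on both paths, the OAuth branch should require a user role as well, e.g. replace the first expression line with `"(#oauth2.clientHasRole('ROLE_CLIENT') and hasRole('" + MultiWebSecurityConfiguration.ROLE_MANAGE_CLIENT + "')) "`. Which filter supplies the authentication for the `!#oauth2.isOAuth()` branch inside this resource-server chain is not visible in the hunk; a one-line comment on the `.access(` call naming it (session login vs. HTTP basic from the other chain) would spare the next reader the same question. The surrounding configure(HttpSecurity) method starts and ends outside the hunk.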
