Skip to content
Snippets Groups Projects
Normal view Permalink
SecurityConfiguration.java 6.24 KiB
Newer Older
  • Learn to ignore specific revisions
    • OZGCloud's avatar
    Pull request #24: Feature/BUP-1125 ozg cloud authentication for antragsraum backend
    OZGCloud committed
    1 
    /*
    OZGCloud's avatar
    updated to new package structure in info-manager interface  
    OZGCloud committed
    2 
     * Copyright (c) 2023-2024.
    OZGCloud's avatar
    Pull request #24: Feature/BUP-1125 ozg cloud authentication for antragsraum backend
    OZGCloud committed
    3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 
     * Lizenziert unter der EUPL, Version 1.2 oder - sobald
 * diese von der Europäischen Kommission genehmigt wurden -
 * Folgeversionen der EUPL ("Lizenz");
 * Sie dürfen dieses Werk ausschließlich gemäß
 * dieser Lizenz nutzen.
 * Eine Kopie der Lizenz finden Sie hier:
 *
 * https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
 *
 * Sofern nicht durch anwendbare Rechtsvorschriften
 * gefordert oder in schriftlicher Form vereinbart, wird
 * die unter der Lizenz verbreitete Software "so wie sie
 * ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
 * ausdrücklich oder stillschweigend - verbreitet.
 * Die sprachspezifischen Genehmigungen und Beschränkungen
 * unter der Lizenz sind dem Lizenztext zu entnehmen.
 */
    OZGCloud's avatar
    updated to new package structure in info-manager interface  
    OZGCloud committed
    21 
    package de.ozgcloud.antragsraum;
    OZGCloud's avatar
    Pull request #24: Feature/BUP-1125 ozg cloud authentication for antragsraum backend
    OZGCloud committed
    22 23 24 
    
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
    OZGCloud's avatar
    Added authentication for frontend  
    OZGCloud committed
    25 
    import org.springframework.security.config.Customizer;
    OZGCloud's avatar
    Pull request #24: Feature/BUP-1125 ozg cloud authentication for antragsraum backend
    OZGCloud committed
    26 27 
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    OZGCloud's avatar
    Added authentication for frontend  
    OZGCloud committed
    28 29 30 31 32 33 
    import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
    OZGCloud's avatar
    Pull request #24: Feature/BUP-1125 ozg cloud authentication for antragsraum backend
    OZGCloud committed
    34 
    import org.springframework.security.web.SecurityFilterChain;
    OZGCloud's avatar
    Added authentication for frontend  
    OZGCloud committed
    35 
    import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
    OZGCloud's avatar
    OZG-6306 CR Kommentare  
    OZGCloud committed
    36 
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
    OZGCloud's avatar
    OZG-6860 call logout service on logout  
    OZGCloud committed
    37 
    import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
    OZGCloud's avatar
    OZG-6896 Security Headers ergänzt  
    OZGCloud committed
    38 
    import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
    OZGCloud's avatar
    Added authentication for frontend  
    OZGCloud committed
    39 40 
    import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
    OZGCloud's avatar
    Pull request #24: Feature/BUP-1125 ozg cloud authentication for antragsraum backend
    OZGCloud committed
    41
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    42 43 44 
    import de.ozgcloud.antragsraum.security.AntragsraumLogoutSuccessHandler;
import de.ozgcloud.antragsraum.security.AntragsraumProperties;
import de.ozgcloud.antragsraum.security.BayernIdProperties;
    OZGCloud's avatar
    OZG-5393 Auflösung von Mergekonflikten  
    OZGCloud committed
    45 
    import de.ozgcloud.antragsraum.security.BayernIdSaml2Extension;
    OZGCloud's avatar
    OZG-6306 CR Kommentare  
    OZGCloud committed
    46 
    import de.ozgcloud.antragsraum.security.JwtTokenFilter;
    OZGCloud's avatar
    OZG-5393 Auflösung von Mergekonflikten  
    OZGCloud committed
    47 
    import de.ozgcloud.antragsraum.security.SamlUrlAuthenticationSuccessHandler;
    OZGCloud's avatar
    Bugfix BayernId SAML Auth Signaturalgorithmus  
    OZGCloud committed
    48 
    import de.ozgcloud.antragsraum.security.SecurityProvider;
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    49 50 51 
    import lombok.NonNull;
import lombok.RequiredArgsConstructor;
    OZGCloud's avatar
    Pull request #24: Feature/BUP-1125 ozg cloud authentication for antragsraum backend
    OZGCloud committed
    52 53 
    @Configuration
@EnableWebSecurity
    OZGCloud's avatar
    Added authentication for frontend  
    OZGCloud committed
    54 
    @RequiredArgsConstructor
    OZGCloud's avatar
    Pull request #24: Feature/BUP-1125 ozg cloud authentication for antragsraum backend
    OZGCloud committed
    55 
    public class SecurityConfiguration {
    OZGCloud's avatar
    OZG-6306 Refactoring + Auth Bugfix  
    OZGCloud committed
    56 57 
    	private static final String OPTIONS = "OPTIONS";
	private static final String GET = "GET";
    OZGCloud's avatar
    OZG-6896 Security Headers ergänzt  
    OZGCloud committed
    58 
    	private static final String POLICY_DIRECTIVES = "object-src 'none'; child-src 'self'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecure-requests; require-trusted-types-for 'script'";
    OZGCloud's avatar
    OZG-6306 Refactoring + Auth Bugfix  
    OZGCloud committed
    59
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    60 
    	@NonNull
    OZGCloud's avatar
    OZG-5393 Auflösung von Mergekonflikten  
    OZGCloud committed
    61 
    	private final BayernIdSaml2Extension bayernIdSaml2Extension;
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    62 63 64 65 66 
    	@NonNull
	private final BayernIdProperties bayernIdProperties;
	@NonNull
	private final UserDetailsService userDetailsService;
	@NonNull
    OZGCloud's avatar
    OZG-6306 CR Kommentare  
    OZGCloud committed
    67 68 
    	private final JwtTokenFilter tokenAuthenticationFilter;
	@NonNull
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    69 70 
    	private final AntragsraumProperties properties;
    OZGCloud's avatar
    Bugfix BayernId SAML Auth Signaturalgorithmus  
    OZGCloud committed
    71 72 73 74 75 
    	@Bean
	public SecurityProvider securityProvider() {
		return new SecurityProvider();
	}
    OZGCloud's avatar
    OZG-6860 call logout service on logout  
    OZGCloud committed
    76 77 78 79 80 
    	@Bean
	public SecurityContextLogoutHandler logoutHandler() {
		return new SecurityContextLogoutHandler();
	}
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    81 82 
    	@Bean
	Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) {
    OZGCloud's avatar
    OZG-6306 Refactoring + Auth Bugfix  
    OZGCloud committed
    83 84 
    		var registrationResolver = new DefaultRelyingPartyRegistrationResolver(registrations);
		var authenticationRequestResolver = new OpenSaml4AuthenticationRequestResolver(registrationResolver);
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    85 86 
    		authenticationRequestResolver.setAuthnRequestCustomizer(context -> {
			context.getAuthnRequest().setForceAuthn(true);
    OZGCloud's avatar
    OZG-5393 Auflösung von Mergekonflikten  
    OZGCloud committed
    87 
    			context.getAuthnRequest().setExtensions(bayernIdSaml2Extension.createAkdbExtension());
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    88 89 
    		});
    OZGCloud's avatar
    OZG-6306 Refactoring + Auth Bugfix  
    OZGCloud committed
    90 
    		return authenticationRequestResolver;
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    91 92 93 94 95 96 
    	}

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
		  .authorizeHttpRequests(authorize -> authorize
    OZGCloud's avatar
    OZG-6306 Refactoring + Auth Bugfix  
    OZGCloud committed
    97 98 
    			.requestMatchers("/", "/actuator/**", "/swagger-ui/**", "/v3/api-docs/**", "/error", "/favicon.ico", "/auth/**", "/login", "/api/e2e/**")
			.permitAll()
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    99 100 
    			.requestMatchers("/api/**").authenticated()
			.anyRequest().denyAll())
    OZGCloud's avatar
    OZG-6306 CR Kommentare  
    OZGCloud committed
    101 
    		  .addFilterBefore(tokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
    OZGCloud's avatar
    OZG-6896 Security Headers ergänzt  
    OZGCloud committed
    102 103 104 105 106 
    		  .csrf(AbstractHttpConfigurer::disable)
		  .headers(headers -> headers.contentSecurityPolicy(
			csp -> csp.policyDirectives(POLICY_DIRECTIVES)))
		  .headers(headers -> headers.referrerPolicy(
			referrerPolicyConfig -> referrerPolicyConfig.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER)));
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    107
    OZGCloud's avatar
    OZG-6306 Refactoring + Auth Bugfix  
    OZGCloud committed
    108 109 110 
    		http.saml2Login(samlLogin -> samlLogin.successHandler(getSamlUrlAuthenticationSuccessHandler()))
		  .saml2Logout(Customizer.withDefaults())
		  .logout(logoutConfigurer -> logoutConfigurer.logoutSuccessHandler(getLogoutSuccessHandler()));
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    111 112 113 114 
    
		return http.build();
	}
    OZGCloud's avatar
    OZG-5393 Auflösung von Mergekonflikten  
    OZGCloud committed
    115 116 117 118 
    	AuthenticationSuccessHandler getSamlUrlAuthenticationSuccessHandler() {
		return new SamlUrlAuthenticationSuccessHandler(bayernIdProperties.getRedirectUrl(), userDetailsService);
	}
    OZGCloud's avatar
    OZG-6306 Refactoring + Auth Bugfix  
    OZGCloud committed
    119 
    	AntragsraumLogoutSuccessHandler getLogoutSuccessHandler() {
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    120 121 
    		var handler = new AntragsraumLogoutSuccessHandler(userDetailsService);
		handler.setDefaultTargetUrl(properties.getLogoutSuccessUrl());
    OZGCloud's avatar
    OZG-6306 Refactoring + Auth Bugfix  
    OZGCloud committed
    122
    OZGCloud's avatar
    Fixed Sonar issues  
    OZGCloud committed
    123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 
    		return handler;
	}

	@Bean
	public WebMvcConfigurer corsConfigurer() {
		return new WebMvcConfigurer() {
			@Override
			public void addCorsMappings(@NonNull CorsRegistry registry) {
				registry.addMapping("/auth/**").allowedOrigins(properties.getAuthOrigins())
				  .allowedMethods(GET, OPTIONS, "POST").allowCredentials(true);
				registry.addMapping("/api/**").allowedOrigins(properties.getApiOrigins())
				  .allowedMethods(GET, OPTIONS, "PUT", "POST").allowCredentials(true);
				registry.addMapping("/**").allowedOrigins(properties.getOtherOrigins()).allowedMethods(GET, OPTIONS)
				  .allowCredentials(true);
			}
		};
	}
    OZGCloud's avatar
    Pull request #24: Feature/BUP-1125 ozg cloud authentication for antragsraum backend
    OZGCloud committed
    140 
    }

    Impressum - Datenschutz - Barrierefreiheit