Merge branch 'ibm-security-impl' into 'master'

IBM security config changes See merge request !42

Merge branch 'ibm-security-impl' into 'master'
00bcff59 · Anuj Gupta · 022a8a06 · f25b624e · 00bcff59
Commit 00bcff59 authored 4 years ago by Anuj Gupta
--- a/provider/crs-catalog-ibm/crs-catalog-ocp/src/main/java/org/opengroup/osdu/crs/security/SecurityConfig.java
+++ b/provider/crs-catalog-ibm/crs-catalog-ocp/src/main/java/org/opengroup/osdu/crs/security/SecurityConfig.java
@@ -3,39 +3,98 @@

 package org.opengroup.osdu.crs.security;

+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opengroup.osdu.crs.middleware.AuthenticationRequestFilter;
+import org.opengroup.osdu.crs.util.AppError;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.servlet.HandlerExceptionResolver;
+
+import com.fasterxml.jackson.databind.ObjectMapper;

 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
-public class SecurityConfig extends WebSecurityConfigurerAdapter  {
+public class SecurityConfig extends WebSecurityConfigurerAdapter implements AccessDeniedHandler, AuthenticationEntryPoint {

+	private AuthenticationRequestFilter authFilter;
+    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+
+    private static final String[] AUTH_WHITELIST = {
+        "/",
+        "/actuator/**",
+        "/_ah/*",
+        "/v2/api-docs",
+        "/configuration/ui",
+        "/swagger-resources/**",
+        "/configuration/security",
+        "/swagger-ui.html",
+        "/webjars/**",
+        "/csrf",
+        "/api/crs/catalog/actuator",
+        "/api/crs/catalog/actuator/**",
+        "/api/crs/catalog/actuator/health",
+    };
+    
+    public SecurityConfig(@Value("${osdu.entitlement.url}") String entitlementsUrl, HandlerExceptionResolver handlerExceptionResolver) {
+        authFilter = new AuthenticationRequestFilter(entitlementsUrl, handlerExceptionResolver);
+    }
   
    @Override
    protected void configure(HttpSecurity http) throws Exception {
-       
- http.csrf().disable()
-        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
-        .and()
-        .authorizeRequests()
-        //.antMatchers(ALLOWED_URLS).permitAll()
-        .antMatchers("/", "/index.html",
-                        "/v2/api-docs",
-                        "/configuration/ui",
-                        "/swagger-resources/**",
-                        "/configuration/security",
-                        "/swagger",
-                        "/swagger-ui.html",
-                        "/webjars/**").permitAll()
-        .anyRequest().authenticated()
-        .and()
-        .oauth2ResourceServer().jwt();      
-
-	 
+        http.csrf().disable()
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
+                .and()
+                .authorizeRequests()
+                .antMatchers(AUTH_WHITELIST).permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class);
    }
-
    
+    @Override
+    public void configure(WebSecurity web) {
+        web.ignoring().antMatchers(AUTH_WHITELIST);
+    }
+
+    @Override
+    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException {
+        writeUnauthorizedError(httpServletResponse);
+    }
+
+    @Override
+    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
+        writeUnauthorizedError(response);
+    }
+
+    private static void writeUnauthorizedError(HttpServletResponse response) throws IOException {
+        AppError appError = AppError.builder()
+                .code(HttpStatus.UNAUTHORIZED.value())
+                .message("The user is not authorized to perform this action")
+                .reason("Unauthorized")
+                .build();
+        String body = OBJECT_MAPPER.writeValueAsString(appError);
+
+        PrintWriter out = response.getWriter();
+        response.setStatus(HttpStatus.UNAUTHORIZED.value());
+        response.setContentType("application/json");
+        response.setCharacterEncoding("UTF-8");
+        out.print(body);
+        out.flush();
+    }
 }