Commit e6d4c2ae authored by Sherman Yang's avatar Sherman Yang

invoke authenticationRequestFilter from AKS SecurityConfig

parent 0377dcd7
......@@ -8,12 +8,10 @@ import org.opengroup.osdu.core.common.model.entitlements.EntitlementsException;
import org.opengroup.osdu.core.common.model.entitlements.Groups;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.crs.util.AppException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.lang.NonNull;
import org.springframework.lang.Nullable;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.util.CollectionUtils;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
......@@ -32,7 +30,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@Component
public class AuthenticationRequestFilter extends OncePerRequestFilter {
private static Logger logger = Logger.getLogger(AuthenticationRequestFilter.class.getName());
......@@ -40,7 +37,7 @@ public class AuthenticationRequestFilter extends OncePerRequestFilter {
private final String entitlementsUrl;
private final HandlerExceptionResolver handlerExceptionResolver;
public AuthenticationRequestFilter(@Value("${osdu.entitlement.url}") String entitlementsUrl,
public AuthenticationRequestFilter(String entitlementsUrl,
HandlerExceptionResolver handlerExceptionResolver) {
this.entitlementsUrl = entitlementsUrl;
this.handlerExceptionResolver = handlerExceptionResolver;
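Review bot: With `@Component` and the `@Value("${osdu.entitlement.url}")` injection removed, this filter is no longer a Spring bean and the property key it was bound to disappears from this class; any other configuration that still relied on component scanning or on `osdu.entitlement.url` would lose the filter silently rather than fail at startup, so that should be confirmed across the non-AKS profiles. The plain constructor now accepts whatever the caller passes, so a guard such as `this.entitlementsUrl = Objects.requireNonNull(entitlementsUrl, "entitlementsUrl");` keeps a missing URL from surfacing only on the first request. A Javadoc on the constructor, `/** Not a Spring bean: constructed explicitly by the provider SecurityConfig with the resolved entitlements URL. */`, would record the new ownership. The constructor body ends past this hunk.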
......@@ -38,7 +38,7 @@ spec:
- containerPort: 80
readinessProbe:
httpGet:
path: /api/crs/catalog/_ah/readiness_check
path: /api/crs/catalog/swagger-ui.html
port: 80
volumeMounts:
- name: azure-keyvault
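Review bot: If the new probe path is `/api/crs/catalog/swagger-ui.html` (print order suggests the `_ah/readiness_check` line is the one removed), readiness now depends on the Swagger UI being served without authentication in every environment: disabling or protecting Swagger in production would leave every pod NotReady, and keeping the probe forces the API documentation to stay publicly reachable. A dedicated health endpoint that is whitelisted in the security configuration but serves no documentation is the safer target; if `_ah/readiness_check` was dropped because the endpoint no longer exists, the commit message should say so. Until then, a comment above the probe, `# readiness depends on swagger-ui.html being reachable without auth — keep it whitelisted in SecurityConfig`, makes the coupling visible to whoever next hardens the Swagger routes.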
......@@ -61,6 +61,9 @@ stages:
testCoreMavenOptions: ''
skipDeploy: ${{ variables.SKIP_DEPLOY }}
skipTest: 'true'
runPythonTest: 'true'
testPythonFilePath: 'testing/catalog_test_azure'
testPythonFile: 'run-integration-tests.sh'
providers:
- name: Azure
environments: ['dev']
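Review bot: `skipTest: 'true'` stays in place while `runPythonTest: 'true'` is added, so — if the template honours these flags as named — the Maven unit tests for this provider remain skipped and `testing/catalog_test_azure/run-integration-tests.sh` becomes the only automated check on this stage. That script therefore has to fail the stage on any test failure (`set -euo pipefail` or an explicit non-zero exit), otherwise a broken authentication filter would still deploy green; its contents are not part of this diff. A short comment on the added lines, `# Azure-side integration suite; Maven unit tests are skipped for this provider`, would record that trade-off.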
package org.opengroup.osdu.crs.security;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.opengroup.osdu.core.common.model.http.AppError;
import org.opengroup.osdu.crs.middleware.AuthenticationRequestFilter;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.servlet.HandlerExceptionResolver;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public class SecurityConfig extends WebSecurityConfigurerAdapter implements AccessDeniedHandler, AuthenticationEntryPoint {
private AuthenticationRequestFilter authFilter;
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
private static final String[] AUTH_WHITELIST = {
"/",
......@@ -24,14 +46,54 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
"/csrf"
};
//AuthenticationRequestFilter is not a recognized bean, so construct it manually
public SecurityConfig(@Value("${ENTITLEMENT_URL}") String entitlementsUrl, HandlerExceptionResolver handlerExceptionResolver) {
authFilter = new AuthenticationRequestFilter(entitlementsUrl, handlerExceptionResolver);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().antMatchers(AUTH_WHITELIST).permitAll();
.cors()
.and()
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().antMatchers(AUTH_WHITELIST).permitAll()
.and()
.addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class);
}
@Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers(AUTH_WHITELIST);
}
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
writeUnauthorizedError(httpServletResponse);
}
@Override
public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {
writeUnauthorizedError(httpServletResponse);
}
private static void writeUnauthorizedError(HttpServletResponse response) throws IOException {
AppError appError = AppError.builder()
.code(HttpStatus.UNAUTHORIZED.value())
.message("The user is not authorized to perform this action")
.reason("Unauthorized")
.build();
String body = OBJECT_MAPPER.writeValueAsString(appError);
PrintWriter out = response.getWriter();
response.setStatus(HttpStatus.UNAUTHORIZED.value());
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
out.print(body);
out.flush();
}
}
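Review bot: `commence`, `handle` and `writeUnauthorizedError` are never invoked, because `configure(HttpSecurity)` registers neither the entry point nor the access-denied handler that this class now implements; Spring Security keeps its default handlers and the JSON 401 body is dead code until `.exceptionHandling().authenticationEntryPoint(this).accessDeniedHandler(this)` is added to the chain. The matcher chain also stops at `permitAll()` with no `.anyRequest().authenticated()`, so every path outside `AUTH_WHITELIST` that the manually constructed `authFilter` does not itself reject reaches the controllers with only method-level `@PreAuthorize` checks in the way — worth adding as a fail-closed default, provided the filter populates the `SecurityContext` (its body is not in this diff). In `writeUnauthorizedError`, `response.getWriter()` is obtained before `setContentType`/`setCharacterEncoding`, which the Servlet spec makes a no-op once the writer exists, so the writer should be taken after those calls. Separately, `handle` answers an `AccessDeniedException` (authenticated but not entitled) with 401/"Unauthorized" where 403 is the conventional status. The class declaration is in the preceding hunk.
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // … unchanged: cors(), csrf().disable(), STATELESS session policy …
        .and()
        .exceptionHandling()
            .authenticationEntryPoint(this)
            .accessDeniedHandler(this)
        .and()
        .authorizeRequests()
            .antMatchers(AUTH_WHITELIST).permitAll()
            .anyRequest().authenticated() // fail closed; requires authFilter to set the SecurityContext
        .and()
        .addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class);
}

// … unchanged: configure(WebSecurity), commence, handle …

private static void writeUnauthorizedError(HttpServletResponse response) throws IOException {
    // … unchanged: AppError construction and serialization into body …
    response.setStatus(HttpStatus.UNAUTHORIZED.value());
    response.setContentType("application/json");
    response.setCharacterEncoding("UTF-8");
    PrintWriter out = response.getWriter(); // only after the encoding is set, or UTF-8 is ignored
    out.print(body);
    out.flush();
}
```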