2018-11-15 11:24:18 +01:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
|
|
|
|
|
*
|
|
|
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package ch.ethz.seb.sebserver;
|
|
|
|
|
|
2019-02-27 12:44:03 +01:00
|
|
|
import java.io.File;
|
2019-01-31 22:45:37 +01:00
|
|
|
import java.io.FileNotFoundException;
|
2019-01-28 16:58:06 +01:00
|
|
|
import java.io.IOException;
|
2019-01-31 22:45:37 +01:00
|
|
|
import java.net.HttpURLConnection;
|
|
|
|
|
import java.security.KeyManagementException;
|
|
|
|
|
import java.security.KeyStoreException;
|
|
|
|
|
import java.security.NoSuchAlgorithmException;
|
|
|
|
|
import java.security.cert.CertificateException;
|
2019-01-28 16:58:06 +01:00
|
|
|
|
2019-01-31 22:45:37 +01:00
|
|
|
import javax.net.ssl.SSLContext;
|
2019-01-28 16:58:06 +01:00
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
|
2019-01-31 22:45:37 +01:00
|
|
|
import org.apache.http.client.HttpClient;
|
|
|
|
|
import org.apache.http.impl.client.HttpClients;
|
|
|
|
|
import org.apache.http.ssl.SSLContextBuilder;
|
2019-02-27 12:44:03 +01:00
|
|
|
import org.slf4j.Logger;
|
|
|
|
|
import org.slf4j.LoggerFactory;
|
2019-01-28 16:58:06 +01:00
|
|
|
import org.springframework.beans.factory.annotation.Value;
|
2019-03-12 11:34:01 +01:00
|
|
|
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
2019-01-28 16:58:06 +01:00
|
|
|
import org.springframework.boot.web.servlet.error.ErrorController;
|
2018-11-15 11:24:18 +01:00
|
|
|
import org.springframework.context.annotation.Bean;
|
|
|
|
|
import org.springframework.context.annotation.Configuration;
|
2019-01-28 16:58:06 +01:00
|
|
|
import org.springframework.core.annotation.Order;
|
2019-01-31 22:45:37 +01:00
|
|
|
import org.springframework.core.env.Environment;
|
2019-05-09 11:26:11 +02:00
|
|
|
import org.springframework.http.HttpHeaders;
|
2019-01-31 22:45:37 +01:00
|
|
|
import org.springframework.http.client.ClientHttpRequestFactory;
|
|
|
|
|
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
|
|
|
|
|
import org.springframework.http.client.SimpleClientHttpRequestFactory;
|
2019-01-28 16:58:06 +01:00
|
|
|
import org.springframework.security.config.annotation.web.builders.WebSecurity;
|
|
|
|
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
2018-11-15 11:24:18 +01:00
|
|
|
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
|
|
|
|
import org.springframework.security.crypto.password.PasswordEncoder;
|
2019-01-31 22:45:37 +01:00
|
|
|
import org.springframework.util.ResourceUtils;
|
2019-01-28 16:58:06 +01:00
|
|
|
import org.springframework.web.bind.annotation.RequestMapping;
|
|
|
|
|
import org.springframework.web.bind.annotation.RestController;
|
2019-03-12 11:34:01 +01:00
|
|
|
import org.springframework.web.filter.CharacterEncodingFilter;
|
2018-11-15 11:24:18 +01:00
|
|
|
|
2019-01-31 22:45:37 +01:00
|
|
|
import ch.ethz.seb.sebserver.gbl.profile.DevGuiProfile;
|
|
|
|
|
import ch.ethz.seb.sebserver.gbl.profile.DevWebServiceProfile;
|
2018-11-15 11:24:18 +01:00
|
|
|
import ch.ethz.seb.sebserver.gbl.profile.GuiProfile;
|
2019-01-31 22:45:37 +01:00
|
|
|
import ch.ethz.seb.sebserver.gbl.profile.ProdGuiProfile;
|
|
|
|
|
import ch.ethz.seb.sebserver.gbl.profile.ProdWebServiceProfile;
|
2018-11-15 11:24:18 +01:00
|
|
|
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
|
|
|
|
|
|
|
|
|
/** This is the overall seb-server Spring web-configuration that is loaded for all profiles.
|
|
|
|
|
* Defines some overall web-security beans needed on both -- web-service and web-gui -- profiles */
|
|
|
|
|
@Configuration
|
|
|
|
|
@WebServiceProfile
|
|
|
|
|
@GuiProfile
|
2019-01-28 16:58:06 +01:00
|
|
|
@RestController
|
2019-05-09 11:26:11 +02:00
|
|
|
@Order(7)
|
2019-01-28 16:58:06 +01:00
|
|
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements ErrorController {
|
|
|
|
|
|
2019-02-27 12:44:03 +01:00
|
|
|
private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
|
|
|
|
|
|
2019-05-09 11:26:11 +02:00
|
|
|
// @Value("${sebserver.webservice.api.admin.endpoint}")
|
|
|
|
|
// private String adminEndpoint;
|
2019-01-28 16:58:06 +01:00
|
|
|
@Value("${sebserver.webservice.api.redirect.unauthorized}")
|
|
|
|
|
private String unauthorizedRedirect;
|
2019-06-03 11:44:55 +02:00
|
|
|
@Value("${sebserver.webservice.api.exam.endpoint.discovery}")
|
|
|
|
|
private String examAPIDiscoveryEndpoint;
|
2018-11-15 11:24:18 +01:00
|
|
|
|
|
|
|
|
/** Spring bean name of user password encoder */
|
|
|
|
|
public static final String USER_PASSWORD_ENCODER_BEAN_NAME = "userPasswordEncoder";
|
|
|
|
|
/** Spring bean name of client (application) password encoder */
|
|
|
|
|
public static final String CLIENT_PASSWORD_ENCODER_BEAN_NAME = "clientPasswordEncoder";
|
|
|
|
|
|
2019-03-12 11:34:01 +01:00
|
|
|
@Bean
|
|
|
|
|
public FilterRegistrationBean<CharacterEncodingFilter> filterRegistrationBean() {
|
|
|
|
|
final FilterRegistrationBean<CharacterEncodingFilter> registrationBean = new FilterRegistrationBean<>();
|
|
|
|
|
final CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
|
|
|
|
|
characterEncodingFilter.setForceEncoding(true);
|
|
|
|
|
characterEncodingFilter.setEncoding("UTF-8");
|
|
|
|
|
registrationBean.setFilter(characterEncodingFilter);
|
|
|
|
|
return registrationBean;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-15 11:24:18 +01:00
|
|
|
/** Password encoder used for user passwords (stronger protection) */
|
|
|
|
|
@Bean(USER_PASSWORD_ENCODER_BEAN_NAME)
|
|
|
|
|
public PasswordEncoder userPasswordEncoder() {
|
|
|
|
|
return new BCryptPasswordEncoder(8);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** Password encode used for client (application) passwords */
|
|
|
|
|
@Bean(CLIENT_PASSWORD_ENCODER_BEAN_NAME)
|
|
|
|
|
public PasswordEncoder clientPasswordEncoder() {
|
|
|
|
|
return new BCryptPasswordEncoder(4);
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-28 16:58:06 +01:00
|
|
|
@Override
|
|
|
|
|
public void configure(final WebSecurity web) {
|
|
|
|
|
web
|
|
|
|
|
.ignoring()
|
2019-02-10 21:07:15 +01:00
|
|
|
.antMatchers("/error")
|
2019-06-03 11:44:55 +02:00
|
|
|
.antMatchers(this.examAPIDiscoveryEndpoint);
|
2019-01-28 16:58:06 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@RequestMapping("/error")
|
|
|
|
|
public void handleError(final HttpServletResponse response) throws IOException {
|
2019-05-09 11:26:11 +02:00
|
|
|
response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
|
|
|
|
|
response.setHeader(HttpHeaders.LOCATION, this.unauthorizedRedirect);
|
|
|
|
|
response.flushBuffer();
|
2019-01-28 16:58:06 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public String getErrorPath() {
|
|
|
|
|
return "/error";
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-31 22:45:37 +01:00
|
|
|
/** A ClientHttpRequestFactory for development profile with no TSL SSL protocol and
|
|
|
|
|
* not following redirects on redirect responses.
|
|
|
|
|
*
|
|
|
|
|
* @return ClientHttpRequestFactory bean for development profiles */
|
|
|
|
|
@Bean
|
|
|
|
|
@DevGuiProfile
|
|
|
|
|
@DevWebServiceProfile
|
|
|
|
|
public ClientHttpRequestFactory clientHttpRequestFactory() {
|
2019-05-09 11:26:11 +02:00
|
|
|
|
2019-02-27 12:44:03 +01:00
|
|
|
log.info("Initialize with insecure ClientHttpRequestFactory for development");
|
2019-05-09 11:26:11 +02:00
|
|
|
|
2019-02-27 12:44:03 +01:00
|
|
|
return new DevClientHttpRequestFactory();
|
2019-01-31 22:45:37 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** A ClientHttpRequestFactory used in production with TSL SSL configuration.
|
|
|
|
|
*
|
|
|
|
|
* NOTE:
|
|
|
|
|
* environment property: sebserver.gui.truststore.pwd is expected to have the correct truststore password set
|
|
|
|
|
* environment property: sebserver.gui.truststore.type is expected to set to the correct type of truststore
|
|
|
|
|
* truststore.jks is expected to be on the classpath containing all trusted certificates for request
|
|
|
|
|
* to SSL secured SEB Server webservice
|
|
|
|
|
*
|
|
|
|
|
* @return ClientHttpRequestFactory with TLS / SSL configuration
|
|
|
|
|
* @throws IOException
|
|
|
|
|
* @throws FileNotFoundException
|
|
|
|
|
* @throws CertificateException
|
|
|
|
|
* @throws KeyStoreException
|
|
|
|
|
* @throws NoSuchAlgorithmException
|
|
|
|
|
* @throws KeyManagementException */
|
|
|
|
|
@Bean
|
|
|
|
|
@ProdGuiProfile
|
|
|
|
|
@ProdWebServiceProfile
|
|
|
|
|
public ClientHttpRequestFactory clientHttpRequestFactoryTLS(final Environment env) throws KeyManagementException,
|
|
|
|
|
NoSuchAlgorithmException, KeyStoreException, CertificateException, FileNotFoundException, IOException {
|
|
|
|
|
|
2019-02-27 12:44:03 +01:00
|
|
|
log.info("Initialize with secure ClientHttpRequestFactory for production");
|
|
|
|
|
|
2019-01-31 22:45:37 +01:00
|
|
|
final char[] password = env
|
2019-02-27 12:44:03 +01:00
|
|
|
.getProperty("sebserver.gui.truststore.pwd", "")
|
2019-01-31 22:45:37 +01:00
|
|
|
.toCharArray();
|
|
|
|
|
|
2019-02-27 12:44:03 +01:00
|
|
|
if (password.length < 3) {
|
|
|
|
|
log.error("Missing or incorrect trust-store password: " + String.valueOf(password));
|
|
|
|
|
throw new IllegalArgumentException("Missing or incorrect trust-store password");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
final File trustStoreFile = ResourceUtils.getFile("classpath:truststore.jks");
|
|
|
|
|
|
2019-01-31 22:45:37 +01:00
|
|
|
final SSLContext sslContext = SSLContextBuilder
|
|
|
|
|
.create()
|
2019-02-27 12:44:03 +01:00
|
|
|
.loadTrustMaterial(trustStoreFile, password)
|
2019-01-31 22:45:37 +01:00
|
|
|
.build();
|
|
|
|
|
|
|
|
|
|
final HttpClient client = HttpClients.custom()
|
|
|
|
|
.setSSLContext(sslContext)
|
|
|
|
|
.build();
|
|
|
|
|
|
|
|
|
|
// TODO set connection and read timeout!? configurable!?
|
|
|
|
|
return new HttpComponentsClientHttpRequestFactory(client);
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-27 12:44:03 +01:00
|
|
|
// TODO set connection and read timeout!? configurable!?
|
|
|
|
|
private static class DevClientHttpRequestFactory extends SimpleClientHttpRequestFactory {
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
protected void prepareConnection(
|
|
|
|
|
final HttpURLConnection connection,
|
|
|
|
|
final String httpMethod) throws IOException {
|
|
|
|
|
|
|
|
|
|
super.prepareConnection(connection, httpMethod);
|
|
|
|
|
connection.setInstanceFollowRedirects(false);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-15 11:24:18 +01:00
|
|
|
}
|
