Fixed some Spring security related warnings and converted http.ignore paths to http...permitAll configs where possible
This commit is contained in:
anhefti
parent
9e82fac386
commit
d20883c2fd
4 changed files with 41 additions and 27 deletions
|
|
@ -40,9 +40,6 @@ import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
|||
@Order(7)
|
||||
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements ErrorController {
|
||||
|
||||
private static final String ERROR_PATH = "/sebserver/error";
|
||||
private static final String CHECK_PATH = "/sebserver/check";
|
||||
|
||||
@Value("${sebserver.webservice.http.redirect.gui}")
|
||||
private String guiRedirect;
|
||||
@Value("${sebserver.webservice.api.exam.endpoint.discovery}")
|
||||
|
|
@ -77,23 +74,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements E
|
|||
return new BCryptPasswordEncoder(4);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void configure(final WebSecurity web) {
|
||||
web
|
||||
.ignoring()
|
||||
.antMatchers(ERROR_PATH)
|
||||
.antMatchers(CHECK_PATH)
|
||||
.antMatchers(this.examAPIDiscoveryEndpoint)
|
||||
.antMatchers(this.adminAPIEndpoint + API.INFO_ENDPOINT + API.LOGO_PATH_SEGMENT + "/**")
|
||||
.antMatchers(this.adminAPIEndpoint + API.INFO_ENDPOINT + API.INFO_INST_PATH_SEGMENT + "/**")
|
||||
.antMatchers(this.adminAPIEndpoint + API.REGISTER_ENDPOINT);
|
||||
}
|
||||
|
||||
@RequestMapping(CHECK_PATH)
|
||||
@RequestMapping(API.CHECK_PATH)
|
||||
public void check() throws IOException {
|
||||
}
|
||||
|
||||
@RequestMapping(ERROR_PATH)
|
||||
@RequestMapping(API.ERROR_PATH)
|
||||
public void handleError(final HttpServletResponse response) throws IOException {
|
||||
response.getOutputStream().print(response.getStatus());
|
||||
response.setHeader(HttpHeaders.LOCATION, this.guiRedirect);
|
||||
|
|
|
|||
|
|
@ -42,6 +42,10 @@ public class GuiWebsecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
private String remoteProctoringViewServletEndpoint;
|
||||
@Value("${springdoc.api-docs.enabled:false}")
|
||||
private boolean springDocsAPIEnabled;
|
||||
@Value("${sebserver.webservice.api.exam.endpoint.discovery}")
|
||||
private String examAPIDiscoveryEndpoint;
|
||||
@Value("${sebserver.webservice.api.admin.endpoint}")
|
||||
private String adminAPIEndpoint;
|
||||
|
||||
/** Gui-service related public URLS from spring web security perspective */
|
||||
public static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
|
||||
|
|
@ -52,28 +56,40 @@ public class GuiWebsecurityConfig extends WebSecurityConfigurerAdapter {
|
|||
// project specific static resources
|
||||
new AntPathRequestMatcher("/images/**"),
|
||||
|
||||
new AntPathRequestMatcher("/favicon.ico"));
|
||||
new AntPathRequestMatcher("/favicon.ico")
|
||||
);
|
||||
|
||||
@Override
|
||||
public void configure(final WebSecurity web) {
|
||||
web
|
||||
.ignoring()
|
||||
.requestMatchers(PUBLIC_URLS)
|
||||
.antMatchers(this.guiEntryPoint)
|
||||
.antMatchers(this.remoteProctoringEndpoint)
|
||||
.antMatchers(this.remoteProctoringEndpoint + this.remoteProctoringViewServletEndpoint + "/*");
|
||||
.ignoring()
|
||||
.antMatchers(this.guiEntryPoint)
|
||||
;
|
||||
|
||||
if (this.springDocsAPIEnabled) {
|
||||
web.ignoring().antMatchers("/swagger-ui.html", "/swagger-ui/**", "/v3/api-docs/**");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
@Override
|
||||
public void configure(final HttpSecurity http) throws Exception {
|
||||
http
|
||||
.sessionManagement()
|
||||
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.antMatchers(this.remoteProctoringEndpoint).permitAll()
|
||||
.antMatchers(this.remoteProctoringEndpoint + this.remoteProctoringViewServletEndpoint + "/*").permitAll()
|
||||
.requestMatchers(PUBLIC_URLS).permitAll()
|
||||
.antMatchers(API.ERROR_PATH).permitAll()
|
||||
.antMatchers(API.CHECK_PATH).permitAll()
|
||||
.antMatchers(this.examAPIDiscoveryEndpoint).permitAll()
|
||||
.antMatchers(adminAPIEndpoint + API.INFO_ENDPOINT + API.LOGO_PATH_SEGMENT + "/**").permitAll()
|
||||
.antMatchers(adminAPIEndpoint + API.INFO_ENDPOINT + API.INFO_INST_PATH_SEGMENT + "/**").permitAll()
|
||||
.antMatchers(adminAPIEndpoint + API.REGISTER_ENDPOINT).permitAll()
|
||||
.and()
|
||||
.antMatcher("/**")
|
||||
.authorizeRequests()
|
||||
.anyRequest()
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ import java.io.IOException;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import ch.ethz.seb.sebserver.gbl.api.API;
|
||||
import org.apache.catalina.filters.RemoteIpFilter;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
|
@ -50,18 +51,18 @@ import ch.ethz.seb.sebserver.webservice.weblayer.oauth.WebClientDetailsService;
|
|||
import ch.ethz.seb.sebserver.webservice.weblayer.oauth.WebserviceResourceConfiguration;
|
||||
|
||||
/** This is the main web-security Spring configuration for SEB-Server webservice API
|
||||
*
|
||||
* <p>
|
||||
* Currently two separated Rest API's are implemented, one for administration and maintenance
|
||||
* of the SEB-Server (AdminAPI) and one for SEB-Client connection on running exams and eventually
|
||||
* also for LMS communication), if needed (ExamAPI). The AdministrationAPI uses OAuth 2 password
|
||||
* grant with refresh-token, same as in the prototype and the ExamAPI uses the client_credential grant.
|
||||
*
|
||||
* <p>
|
||||
* There is a Spring Authorization-Server defining this two clients (AdminAPIClient and ExamAPIClient) as well as
|
||||
* two Spring Resource-Server for the separation of the different API's
|
||||
*
|
||||
* <p>
|
||||
* The endpoint of the AdministrationAPI can be configured within the key; sebserver.webservice.api.admin.endpoint
|
||||
* and is by default set to "/admin-api/**"
|
||||
*
|
||||
* <p>
|
||||
* The endpoint of the ExamAPI can be configured within the key; sebserver.webservice.api.exam.endpoint
|
||||
* and is by default set to "/exam-api/**" */
|
||||
@WebServiceProfile
|
||||
|
|
|
|||
|
|
@ -11,6 +11,8 @@ package ch.ethz.seb.sebserver.webservice.weblayer.oauth;
|
|||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import ch.ethz.seb.sebserver.gbl.api.API;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||
|
|
@ -30,6 +32,8 @@ public abstract class WebserviceResourceConfiguration extends ResourceServerConf
|
|||
public static final String ADMIN_API_RESOURCE_ID = "seb-server-administration-api";
|
||||
/** The resource identifier of the Exam API resources */
|
||||
public static final String EXAM_API_RESOURCE_ID = "seb-server-exam-api";
|
||||
@Value("${sebserver.webservice.api.exam.endpoint.discovery}")
|
||||
private String examAPIDiscoveryEndpoint;
|
||||
|
||||
public WebserviceResourceConfiguration(
|
||||
final TokenStore tokenStore,
|
||||
|
|
@ -74,6 +78,14 @@ public abstract class WebserviceResourceConfiguration extends ResourceServerConf
|
|||
.sessionManagement()
|
||||
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.antMatchers(API.ERROR_PATH).permitAll()
|
||||
.antMatchers(API.CHECK_PATH).permitAll()
|
||||
.antMatchers(this.examAPIDiscoveryEndpoint).permitAll()
|
||||
.antMatchers(configurerAdapter.apiEndpoint + API.INFO_ENDPOINT + API.LOGO_PATH_SEGMENT + "/**").permitAll()
|
||||
.antMatchers(configurerAdapter.apiEndpoint + API.INFO_ENDPOINT + API.INFO_INST_PATH_SEGMENT + "/**").permitAll()
|
||||
.antMatchers(configurerAdapter.apiEndpoint + API.REGISTER_ENDPOINT).permitAll()
|
||||
.and()
|
||||
.antMatcher(configurerAdapter.apiEndpoint + "/**")
|
||||
.authorizeRequests()
|
||||
.anyRequest()
|
||||
|
|
|
|||
Loading…
Reference in a new issue