Fixed some Spring security related warnings and converted http.ignore paths to http...permitAll configs where possible
This commit is contained in:
anhefti
parent
9e82fac386
commit
d20883c2fd
4 changed files with 41 additions and 27 deletions
|
|
@ -40,9 +40,6 @@ import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
||||||
@Order(7)
|
@Order(7)
|
||||||
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements ErrorController {
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements ErrorController {
|
||||||
|
|
||||||
private static final String ERROR_PATH = "/sebserver/error";
|
|
||||||
private static final String CHECK_PATH = "/sebserver/check";
|
|
||||||
|
|
||||||
@Value("${sebserver.webservice.http.redirect.gui}")
|
@Value("${sebserver.webservice.http.redirect.gui}")
|
||||||
private String guiRedirect;
|
private String guiRedirect;
|
||||||
@Value("${sebserver.webservice.api.exam.endpoint.discovery}")
|
@Value("${sebserver.webservice.api.exam.endpoint.discovery}")
|
||||||
|
|
@ -77,23 +74,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements E
|
||||||
return new BCryptPasswordEncoder(4);
|
return new BCryptPasswordEncoder(4);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@RequestMapping(API.CHECK_PATH)
|
||||||
public void configure(final WebSecurity web) {
|
|
||||||
web
|
|
||||||
.ignoring()
|
|
||||||
.antMatchers(ERROR_PATH)
|
|
||||||
.antMatchers(CHECK_PATH)
|
|
||||||
.antMatchers(this.examAPIDiscoveryEndpoint)
|
|
||||||
.antMatchers(this.adminAPIEndpoint + API.INFO_ENDPOINT + API.LOGO_PATH_SEGMENT + "/**")
|
|
||||||
.antMatchers(this.adminAPIEndpoint + API.INFO_ENDPOINT + API.INFO_INST_PATH_SEGMENT + "/**")
|
|
||||||
.antMatchers(this.adminAPIEndpoint + API.REGISTER_ENDPOINT);
|
|
||||||
}
|
|
||||||
|
|
||||||
@RequestMapping(CHECK_PATH)
|
|
||||||
public void check() throws IOException {
|
public void check() throws IOException {
|
||||||
}
|
}
|
||||||
|
|
||||||
@RequestMapping(ERROR_PATH)
|
@RequestMapping(API.ERROR_PATH)
|
||||||
public void handleError(final HttpServletResponse response) throws IOException {
|
public void handleError(final HttpServletResponse response) throws IOException {
|
||||||
response.getOutputStream().print(response.getStatus());
|
response.getOutputStream().print(response.getStatus());
|
||||||
response.setHeader(HttpHeaders.LOCATION, this.guiRedirect);
|
response.setHeader(HttpHeaders.LOCATION, this.guiRedirect);
|
||||||
|
|
|
||||||
|
|
@ -42,6 +42,10 @@ public class GuiWebsecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
private String remoteProctoringViewServletEndpoint;
|
private String remoteProctoringViewServletEndpoint;
|
||||||
@Value("${springdoc.api-docs.enabled:false}")
|
@Value("${springdoc.api-docs.enabled:false}")
|
||||||
private boolean springDocsAPIEnabled;
|
private boolean springDocsAPIEnabled;
|
||||||
|
@Value("${sebserver.webservice.api.exam.endpoint.discovery}")
|
||||||
|
private String examAPIDiscoveryEndpoint;
|
||||||
|
@Value("${sebserver.webservice.api.admin.endpoint}")
|
||||||
|
private String adminAPIEndpoint;
|
||||||
|
|
||||||
/** Gui-service related public URLS from spring web security perspective */
|
/** Gui-service related public URLS from spring web security perspective */
|
||||||
public static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
|
public static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
|
||||||
|
|
@ -52,28 +56,40 @@ public class GuiWebsecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
// project specific static resources
|
// project specific static resources
|
||||||
new AntPathRequestMatcher("/images/**"),
|
new AntPathRequestMatcher("/images/**"),
|
||||||
|
|
||||||
new AntPathRequestMatcher("/favicon.ico"));
|
new AntPathRequestMatcher("/favicon.ico")
|
||||||
|
);
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void configure(final WebSecurity web) {
|
public void configure(final WebSecurity web) {
|
||||||
web
|
web
|
||||||
.ignoring()
|
.ignoring()
|
||||||
.requestMatchers(PUBLIC_URLS)
|
.antMatchers(this.guiEntryPoint)
|
||||||
.antMatchers(this.guiEntryPoint)
|
;
|
||||||
.antMatchers(this.remoteProctoringEndpoint)
|
|
||||||
.antMatchers(this.remoteProctoringEndpoint + this.remoteProctoringViewServletEndpoint + "/*");
|
|
||||||
|
|
||||||
if (this.springDocsAPIEnabled) {
|
if (this.springDocsAPIEnabled) {
|
||||||
web.ignoring().antMatchers("/swagger-ui.html", "/swagger-ui/**", "/v3/api-docs/**");
|
web.ignoring().antMatchers("/swagger-ui.html", "/swagger-ui/**", "/v3/api-docs/**");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void configure(final HttpSecurity http) throws Exception {
|
public void configure(final HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.sessionManagement()
|
.sessionManagement()
|
||||||
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
|
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
|
||||||
.and()
|
.and()
|
||||||
|
.authorizeRequests()
|
||||||
|
.antMatchers(this.remoteProctoringEndpoint).permitAll()
|
||||||
|
.antMatchers(this.remoteProctoringEndpoint + this.remoteProctoringViewServletEndpoint + "/*").permitAll()
|
||||||
|
.requestMatchers(PUBLIC_URLS).permitAll()
|
||||||
|
.antMatchers(API.ERROR_PATH).permitAll()
|
||||||
|
.antMatchers(API.CHECK_PATH).permitAll()
|
||||||
|
.antMatchers(this.examAPIDiscoveryEndpoint).permitAll()
|
||||||
|
.antMatchers(adminAPIEndpoint + API.INFO_ENDPOINT + API.LOGO_PATH_SEGMENT + "/**").permitAll()
|
||||||
|
.antMatchers(adminAPIEndpoint + API.INFO_ENDPOINT + API.INFO_INST_PATH_SEGMENT + "/**").permitAll()
|
||||||
|
.antMatchers(adminAPIEndpoint + API.REGISTER_ENDPOINT).permitAll()
|
||||||
|
.and()
|
||||||
.antMatcher("/**")
|
.antMatcher("/**")
|
||||||
.authorizeRequests()
|
.authorizeRequests()
|
||||||
.anyRequest()
|
.anyRequest()
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,7 @@ import java.io.IOException;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import ch.ethz.seb.sebserver.gbl.api.API;
|
||||||
import org.apache.catalina.filters.RemoteIpFilter;
|
import org.apache.catalina.filters.RemoteIpFilter;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
@ -50,18 +51,18 @@ import ch.ethz.seb.sebserver.webservice.weblayer.oauth.WebClientDetailsService;
|
||||||
import ch.ethz.seb.sebserver.webservice.weblayer.oauth.WebserviceResourceConfiguration;
|
import ch.ethz.seb.sebserver.webservice.weblayer.oauth.WebserviceResourceConfiguration;
|
||||||
|
|
||||||
/** This is the main web-security Spring configuration for SEB-Server webservice API
|
/** This is the main web-security Spring configuration for SEB-Server webservice API
|
||||||
*
|
* <p>
|
||||||
* Currently two separated Rest API's are implemented, one for administration and maintenance
|
* Currently two separated Rest API's are implemented, one for administration and maintenance
|
||||||
* of the SEB-Server (AdminAPI) and one for SEB-Client connection on running exams and eventually
|
* of the SEB-Server (AdminAPI) and one for SEB-Client connection on running exams and eventually
|
||||||
* also for LMS communication), if needed (ExamAPI). The AdministrationAPI uses OAuth 2 password
|
* also for LMS communication), if needed (ExamAPI). The AdministrationAPI uses OAuth 2 password
|
||||||
* grant with refresh-token, same as in the prototype and the ExamAPI uses the client_credential grant.
|
* grant with refresh-token, same as in the prototype and the ExamAPI uses the client_credential grant.
|
||||||
*
|
* <p>
|
||||||
* There is a Spring Authorization-Server defining this two clients (AdminAPIClient and ExamAPIClient) as well as
|
* There is a Spring Authorization-Server defining this two clients (AdminAPIClient and ExamAPIClient) as well as
|
||||||
* two Spring Resource-Server for the separation of the different API's
|
* two Spring Resource-Server for the separation of the different API's
|
||||||
*
|
* <p>
|
||||||
* The endpoint of the AdministrationAPI can be configured within the key; sebserver.webservice.api.admin.endpoint
|
* The endpoint of the AdministrationAPI can be configured within the key; sebserver.webservice.api.admin.endpoint
|
||||||
* and is by default set to "/admin-api/**"
|
* and is by default set to "/admin-api/**"
|
||||||
*
|
* <p>
|
||||||
* The endpoint of the ExamAPI can be configured within the key; sebserver.webservice.api.exam.endpoint
|
* The endpoint of the ExamAPI can be configured within the key; sebserver.webservice.api.exam.endpoint
|
||||||
* and is by default set to "/exam-api/**" */
|
* and is by default set to "/exam-api/**" */
|
||||||
@WebServiceProfile
|
@WebServiceProfile
|
||||||
|
|
|
||||||
|
|
@ -11,6 +11,8 @@ package ch.ethz.seb.sebserver.webservice.weblayer.oauth;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
import ch.ethz.seb.sebserver.gbl.api.API;
|
||||||
|
import org.springframework.beans.factory.annotation.Value;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||||
|
|
@ -30,6 +32,8 @@ public abstract class WebserviceResourceConfiguration extends ResourceServerConf
|
||||||
public static final String ADMIN_API_RESOURCE_ID = "seb-server-administration-api";
|
public static final String ADMIN_API_RESOURCE_ID = "seb-server-administration-api";
|
||||||
/** The resource identifier of the Exam API resources */
|
/** The resource identifier of the Exam API resources */
|
||||||
public static final String EXAM_API_RESOURCE_ID = "seb-server-exam-api";
|
public static final String EXAM_API_RESOURCE_ID = "seb-server-exam-api";
|
||||||
|
@Value("${sebserver.webservice.api.exam.endpoint.discovery}")
|
||||||
|
private String examAPIDiscoveryEndpoint;
|
||||||
|
|
||||||
public WebserviceResourceConfiguration(
|
public WebserviceResourceConfiguration(
|
||||||
final TokenStore tokenStore,
|
final TokenStore tokenStore,
|
||||||
|
|
@ -74,6 +78,14 @@ public abstract class WebserviceResourceConfiguration extends ResourceServerConf
|
||||||
.sessionManagement()
|
.sessionManagement()
|
||||||
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
|
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
|
||||||
.and()
|
.and()
|
||||||
|
.authorizeRequests()
|
||||||
|
.antMatchers(API.ERROR_PATH).permitAll()
|
||||||
|
.antMatchers(API.CHECK_PATH).permitAll()
|
||||||
|
.antMatchers(this.examAPIDiscoveryEndpoint).permitAll()
|
||||||
|
.antMatchers(configurerAdapter.apiEndpoint + API.INFO_ENDPOINT + API.LOGO_PATH_SEGMENT + "/**").permitAll()
|
||||||
|
.antMatchers(configurerAdapter.apiEndpoint + API.INFO_ENDPOINT + API.INFO_INST_PATH_SEGMENT + "/**").permitAll()
|
||||||
|
.antMatchers(configurerAdapter.apiEndpoint + API.REGISTER_ENDPOINT).permitAll()
|
||||||
|
.and()
|
||||||
.antMatcher(configurerAdapter.apiEndpoint + "/**")
|
.antMatcher(configurerAdapter.apiEndpoint + "/**")
|
||||||
.authorizeRequests()
|
.authorizeRequests()
|
||||||
.anyRequest()
|
.anyRequest()
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue