Improve doc for Portal API configuration

[portal/ric-dashboard.git] / webapp-backend / src / main / java / org / oransc / ric / portal / dashboard / config / WebSecurityConfiguration.java
diff --git a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java

index 4429701..edb80c8 100644 (file)
--- a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
+++ b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
@@ -21,12 +21,12 @@ package org.oransc.ric.portal.dashboard.config;
  
  import java.io.IOException;
  import java.lang.invoke.MethodHandles;
+import java.lang.reflect.InvocationTargetException;
  
-import org.onap.portalsdk.core.onboarding.crossapi.PortalRestAPIProxy;
  import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
  import org.oransc.ric.portal.dashboard.DashboardConstants;
  import org.oransc.ric.portal.dashboard.LoginServlet;
-import org.oransc.ric.portal.dashboard.controller.AcXappController;
+import org.oransc.ric.portal.dashboard.controller.A1MediatorController;
  import org.oransc.ric.portal.dashboard.controller.AdminController;
  import org.oransc.ric.portal.dashboard.controller.AnrXappController;
  import org.oransc.ric.portal.dashboard.controller.AppManagerController;
@@ -48,6 +48,7 @@ import org.springframework.security.config.annotation.web.builders.WebSecurity;
  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
  
  @Configuration
  @EnableWebSecurity
@@ -59,8 +60,8 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
  
         // Although constructor arguments are recommended over field injection,
         // this results in fewer lines of code.
-       @Value("${userfile}")
-       private String userFilePath;
+       @Value("${portalapi.security}")
+       private Boolean portalapiSecurity;
         @Value("${portalapi.appname}")
         private String appName;
         @Value("${portalapi.username}")
@@ -71,12 +72,15 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
         private String decryptor;
         @Value("${portalapi.usercookie}")
         private String userCookie;
+       @Value("${userfile}")
+       private String userFilePath;
  
         protected void configure(HttpSecurity http) throws Exception {
                 logger.debug("configure: portalapi.username {}", userName);
                 // A chain of ".and()" always baffles me
                 http.authorizeRequests().anyRequest().authenticated();
-               // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+               http.headers().frameOptions().disable();
+               http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
                 http.addFilterBefore(portalAuthenticationFilterBean(), BasicAuthenticationFilter.class);
         }
  
@@ -90,7 +94,7 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
                         "/swagger-ui.html", //
                         "/webjars/**", //
                         PortalApiConstants.API_PREFIX + "/**", //
-                       AcXappController.CONTROLLER_PATH + "/" + AcXappController.VERSION_METHOD, //
+                       A1MediatorController.CONTROLLER_PATH + "/" + A1MediatorController.VERSION_METHOD, //
                         AdminController.CONTROLLER_PATH + "/" + AdminController.HEALTH_METHOD, //
                         AdminController.CONTROLLER_PATH + "/" + AdminController.VERSION_METHOD, //
                         AnrXappController.CONTROLLER_PATH + "/" + AnrXappController.HEALTH_ALIVE_METHOD, //
@@ -101,8 +105,9 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
                         AppManagerController.CONTROLLER_PATH + "/" + AppManagerController.VERSION_METHOD, //
                         E2ManagerController.CONTROLLER_PATH + "/" + E2ManagerController.HEALTH_METHOD, //
                         E2ManagerController.CONTROLLER_PATH + "/" + E2ManagerController.VERSION_METHOD, //
-                       DashboardConstants.LOGIN_PAGE, //
-                       SimpleErrorController.ERROR_PATH };
+                       SimpleErrorController.ERROR_PATH, //
+                       DashboardConstants.LOGIN_PAGE //
+       };
  
         @Override
         public void configure(WebSecurity web) throws Exception {
@@ -112,7 +117,8 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
  
         @Bean
         public PortalAuthManager portalAuthManagerBean()
-                       throws IOException, ClassNotFoundException, InstantiationException, IllegalAccessException {
+                       throws IOException, ClassNotFoundException, InstantiationException, IllegalAccessException,
+                       IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException {
                 return new PortalAuthManager(appName, userName, password, decryptor, userCookie);
         }
  
@@ -131,28 +137,13 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
          * correctly.
          */
         public PortalAuthenticationFilter portalAuthenticationFilterBean()
-                       throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException {
-               PortalAuthenticationFilter portalAuthenticationFilter = new PortalAuthenticationFilter(portalAuthManagerBean(),
-                               dashboardUserManagerBean());
+                       throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException,
+                       IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException {
+               PortalAuthenticationFilter portalAuthenticationFilter = new PortalAuthenticationFilter(portalapiSecurity,
+                               portalAuthManagerBean(), dashboardUserManagerBean());
                 return portalAuthenticationFilter;
         }
  
-       /**
-        * Instantiates the EPSDK-FW servlet. Needed because this app is not configured
-        * to scan the EPSDK-FW packages; there's also a chance that Spring-Boot does
-        * not automatically process @WebServlet annotations.
-        * 
-        * @return Servlet registration bean for the Portal Rest API proxy servlet.
-        */
-       @Bean
-       public ServletRegistrationBean<PortalRestAPIProxy> portalApiProxyServletBean() {
-               PortalRestAPIProxy servlet = new PortalRestAPIProxy();
-               final ServletRegistrationBean<PortalRestAPIProxy> servletBean = new ServletRegistrationBean<>(servlet,
-                               PortalApiConstants.API_PREFIX + "/*");
-               servletBean.setName("PortalRestApiProxyServlet");
-               return servletBean;
-       }
-
         /**
          * Instantiates a trivial login servlet that serves a basic page with a link to
          * authenticate at Portal. The login filter redirects to this page instead of