X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=dashboard%2Fwebapp-backend%2Fsrc%2Fmain%2Fjava%2Forg%2Foransc%2Fric%2Fportal%2Fdashboard%2Fconfig%2FWebSecurityConfiguration.java;h=e70b6122976c76a6beb1eeea4410f0fc9a7d7809;hb=8f1c85c3604a0d10675cacd16a7b67dca346d478;hp=b912500a8c1e612b82926a92e508f35786ec97c4;hpb=a2bc79c5f0027e953815d6e98814a748b36827aa;p=nonrtric.git
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
index b912500a..e70b6122 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2019 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -22,9 +23,10 @@ package org.oransc.ric.portal.dashboard.config;
 import java.io.IOException;
 import java.lang.invoke.MethodHandles;
 import java.lang.reflect.InvocationTargetException;
+
 import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
 import org.oransc.ric.portal.dashboard.DashboardUserManager;
-import org.oransc.ric.portal.dashboard.controller.A1Controller;
+import org.oransc.ric.portal.dashboard.controller.PolicyController;
 import org.oransc.ric.portal.dashboard.controller.SimpleErrorController;
 import org.oransc.ric.portal.dashboard.portalapi.PortalAuthManager;
 import org.oransc.ric.portal.dashboard.portalapi.PortalAuthenticationFilter;
@@ -49,77 +51,74 @@ import org.springframework.security.web.csrf.CookieCsrfTokenRepository; @Profile("!test") public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { - private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); + private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); - // Although constructor arguments are recommended over field injection, - // this results in fewer lines of code. - @Value("${portalapi.security}") - private Boolean portalapiSecurity; - @Value("${portalapi.appname}") - private String appName; - @Value("${portalapi.username}") - private String userName; - @Value("${portalapi.password}") - private String password; - @Value("${portalapi.decryptor}") - private String decryptor; - @Value("${portalapi.usercookie}") - private String userCookie; + // Although constructor arguments are recommended over field injection, + // this results in fewer lines of code. 
+ @Value("${portalapi.security}") + private Boolean portalapiSecurity; + @Value("${portalapi.appname}") + private String appName; + @Value("${portalapi.username}") + private String userName; + @Value("${portalapi.password}") + private String password; + @Value("${portalapi.decryptor}") + private String decryptor; + @Value("${portalapi.usercookie}") + private String userCookie; - @Autowired - DashboardUserManager userManager; + @Autowired + DashboardUserManager userManager; - @Override + @Override protected void configure(HttpSecurity http) throws Exception { - logger.debug("configure: portalapi.username {}", userName); - // A chain of ".and()" always baffles me - http.authorizeRequests().anyRequest().authenticated(); - http.headers().frameOptions().disable(); - http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); - http.addFilterBefore(portalAuthenticationFilterBean(), BasicAuthenticationFilter.class); - } + logger.debug("configure: portalapi.username {}", userName); + // A chain of ".and()" always baffles me + http.authorizeRequests().anyRequest().authenticated(); + http.headers().frameOptions().disable(); + http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); + http.addFilterBefore(portalAuthenticationFilterBean(), BasicAuthenticationFilter.class); + } - /** - * Resource paths that do not require authentication, especially including - * Swagger-generated documentation. - */ - public static final String[] OPEN_PATHS = { // - "/v2/api-docs", // - "/swagger-resources/**", // - "/swagger-ui.html", // - "/webjars/**", // - PortalApiConstants.API_PREFIX + "/**", // - A1Controller.CONTROLLER_PATH + "/" + A1Controller.VERSION_METHOD, // - SimpleErrorController.ERROR_PATH }; + /** + * Resource paths that do not require authentication, especially including + * Swagger-generated documentation. 
+ */ + @SuppressWarnings("squid:S1075") + protected static final String[] OPEN_PATHS = { // + "/v2/api-docs", // + "/swagger-resources/**", // + "/swagger-ui.html", // + "/webjars/**", // + PortalApiConstants.API_PREFIX + "/**", // + PolicyController.CONTROLLER_PATH + "/" + PolicyController.VERSION_METHOD, // + SimpleErrorController.ERROR_PATH}; - @Override - public void configure(WebSecurity web) throws Exception { - // This disables Spring security, but not the app's filter. - web.ignoring().antMatchers(OPEN_PATHS); - } + @Override + public void configure(WebSecurity web) throws Exception { + // This disables Spring security, but not the app's filter. + web.ignoring().antMatchers(OPEN_PATHS); + } - @Bean - public PortalAuthManager portalAuthManagerBean() - throws IOException, ClassNotFoundException, InstantiationException, IllegalAccessException, - IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException { - return new PortalAuthManager(appName, userName, password, decryptor, userCookie); - } + @Bean + public PortalAuthManager portalAuthManagerBean() throws ClassNotFoundException, InstantiationException, + IllegalAccessException, InvocationTargetException, NoSuchMethodException { + return new PortalAuthManager(appName, userName, password, decryptor, userCookie); + } - /* - * If this is annotated with @Bean, it is created automatically AND REGISTERED, - * and Spring processes annotations in the source of the class. However, the - * filter is added in the chain apparently in the wrong order. Alternately, with - * no @Bean and added to the chain up in the configure() method in the desired - * order, the ignoring() matcher pattern configured above causes Spring to - * bypass this filter, which seems to me means the filter participates - * correctly. 
- */ - public PortalAuthenticationFilter portalAuthenticationFilterBean() - throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException, - IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException { - PortalAuthenticationFilter portalAuthenticationFilter = new PortalAuthenticationFilter(portalapiSecurity, - portalAuthManagerBean(), this.userManager); - return portalAuthenticationFilter; - } + /* + * If this is annotated with @Bean, it is created automatically AND REGISTERED, + * and Spring processes annotations in the source of the class. However, the + * filter is added in the chain apparently in the wrong order. Alternately, with + * no @Bean and added to the chain up in the configure() method in the desired + * order, the ignoring() matcher pattern configured above causes Spring to + * bypass this filter, which seems to me means the filter participates + * correctly. + */ + public PortalAuthenticationFilter portalAuthenticationFilterBean() throws ClassNotFoundException, + InstantiationException, IllegalAccessException, IOException, InvocationTargetException, NoSuchMethodException { + return new PortalAuthenticationFilter(portalapiSecurity, portalAuthManagerBean(), this.userManager); + } }
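Review bot: `http.headers().frameOptions().disable();` in `configure(HttpSecurity)` drops the X-Frame-Options header from every response, so the authenticated dashboard can be framed by any origin; this commit only re-indents the line and leaves that exposure in place. If the dashboard must be embedded by the portal, keep the header off but limit who may frame it with `http.headers().contentSecurityPolicy("frame-ancestors 'self' <portal-origin>");` (placeholder origin), otherwise switch to `http.headers().frameOptions().sameOrigin();`. The two comments on filter behaviour also contradict each other: the one in `configure(WebSecurity)` says ignoring() does not disable the app's filter, while the one above `portalAuthenticationFilterBean()` says ignoring() bypasses it. Because the filter is attached through `http.addFilterBefore(...)`, requests matching `OPEN_PATHS` (including `PortalApiConstants.API_PREFIX + "/**"`) presumably never reach it, so the first comment should read something like `// ignoring() skips the whole security chain, including PortalAuthenticationFilter; these paths are unauthenticated here`.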