X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=webapp-backend%2Fsrc%2Fmain%2Fjava%2Forg%2Foransc%2Fric%2Fportal%2Fdashboard%2Fconfig%2FWebSecurityConfiguration.java;h=33458badaf3d2d1eefd034586c6c0f6460d61911;hb=50fb3b40ec45a65ba7c687e290a3d7f491484b49;hp=44297016ce99289b9508a5c0ca444403995721ba;hpb=c0dbfbc9c6268d8a8bea989daffb3a5065e820aa;p=portal%2Fric-dashboard.git diff --git a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java index 44297016..33458bad 100644 --- a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java +++ b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java @@ -2,7 +2,7 @@ * ========================LICENSE_START================================= * O-RAN-SC * %% - * Copyright (C) 2019 AT&T Intellectual Property and Nokia + * Copyright (C) 2019 AT&T Intellectual Property * %% * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,24 +21,22 @@ package org.oransc.ric.portal.dashboard.config; import java.io.IOException; import java.lang.invoke.MethodHandles; +import java.lang.reflect.InvocationTargetException; -import org.onap.portalsdk.core.onboarding.crossapi.PortalRestAPIProxy; import org.onap.portalsdk.core.onboarding.util.PortalApiConstants; -import org.oransc.ric.portal.dashboard.DashboardConstants; -import org.oransc.ric.portal.dashboard.LoginServlet; -import org.oransc.ric.portal.dashboard.controller.AcXappController; +import org.oransc.ric.portal.dashboard.DashboardUserManager; +import org.oransc.ric.portal.dashboard.controller.A1MediatorController; import org.oransc.ric.portal.dashboard.controller.AdminController; import org.oransc.ric.portal.dashboard.controller.AnrXappController; import org.oransc.ric.portal.dashboard.controller.AppManagerController; import org.oransc.ric.portal.dashboard.controller.E2ManagerController; import org.oransc.ric.portal.dashboard.controller.SimpleErrorController; -import org.oransc.ric.portal.dashboard.portalapi.DashboardUserManager; import org.oransc.ric.portal.dashboard.portalapi.PortalAuthManager; import org.oransc.ric.portal.dashboard.portalapi.PortalAuthenticationFilter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; -import org.springframework.boot.web.servlet.ServletRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Profile; @@ -48,6 +46,7 @@ import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; +import org.springframework.security.web.csrf.CookieCsrfTokenRepository; @Configuration @EnableWebSecurity @@ -59,8 +58,8 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { // Although constructor arguments are recommended over field injection, // this results in fewer lines of code. - @Value("${userfile}") - private String userFilePath; + @Value("${portalapi.security}") + private Boolean portalapiSecurity; @Value("${portalapi.appname}") private String appName; @Value("${portalapi.username}") @@ -72,11 +71,15 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Value("${portalapi.usercookie}") private String userCookie; + @Autowired + DashboardUserManager userManager; + protected void configure(HttpSecurity http) throws Exception { logger.debug("configure: portalapi.username {}", userName); // A chain of ".and()" always baffles me http.authorizeRequests().anyRequest().authenticated(); - // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); + http.headers().frameOptions().disable(); + http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); http.addFilterBefore(portalAuthenticationFilterBean(), BasicAuthenticationFilter.class); } @@ -90,7 +93,7 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { "/swagger-ui.html", // "/webjars/**", // PortalApiConstants.API_PREFIX + "/**", // - AcXappController.CONTROLLER_PATH + "/" + AcXappController.VERSION_METHOD, // + A1MediatorController.CONTROLLER_PATH + "/" + A1MediatorController.VERSION_METHOD, // AdminController.CONTROLLER_PATH + "/" + AdminController.HEALTH_METHOD, // AdminController.CONTROLLER_PATH + "/" + AdminController.VERSION_METHOD, // AnrXappController.CONTROLLER_PATH + "/" + AnrXappController.HEALTH_ALIVE_METHOD, // @@ -101,7 +104,6 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { AppManagerController.CONTROLLER_PATH + "/" + AppManagerController.VERSION_METHOD, // E2ManagerController.CONTROLLER_PATH + "/" + E2ManagerController.HEALTH_METHOD, // E2ManagerController.CONTROLLER_PATH + "/" + E2ManagerController.VERSION_METHOD, // - DashboardConstants.LOGIN_PAGE, // SimpleErrorController.ERROR_PATH }; @Override @@ -112,15 +114,11 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Bean public PortalAuthManager portalAuthManagerBean() - throws IOException, ClassNotFoundException, InstantiationException, IllegalAccessException { + throws IOException, ClassNotFoundException, InstantiationException, IllegalAccessException, + IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException { return new PortalAuthManager(appName, userName, password, decryptor, userCookie); } - @Bean - public DashboardUserManager dashboardUserManagerBean() throws IOException { - return new DashboardUserManager(userFilePath); - } - /* * If this is annotated with @Bean, it is created automatically AND REGISTERED, * and Spring processes annotations in the source of the class. However, the @@ -131,42 +129,11 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { * correctly. */ public PortalAuthenticationFilter portalAuthenticationFilterBean() - throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException { - PortalAuthenticationFilter portalAuthenticationFilter = new PortalAuthenticationFilter(portalAuthManagerBean(), - dashboardUserManagerBean()); + throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException, + IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException { + PortalAuthenticationFilter portalAuthenticationFilter = new PortalAuthenticationFilter(portalapiSecurity, + portalAuthManagerBean(), this.userManager); return portalAuthenticationFilter; } - /** - * Instantiates the EPSDK-FW servlet. Needed because this app is not configured - * to scan the EPSDK-FW packages; there's also a chance that Spring-Boot does - * not automatically process @WebServlet annotations. - * - * @return Servlet registration bean for the Portal Rest API proxy servlet. - */ - @Bean - public ServletRegistrationBean portalApiProxyServletBean() { - PortalRestAPIProxy servlet = new PortalRestAPIProxy(); - final ServletRegistrationBean servletBean = new ServletRegistrationBean<>(servlet, - PortalApiConstants.API_PREFIX + "/*"); - servletBean.setName("PortalRestApiProxyServlet"); - return servletBean; - } - - /** - * Instantiates a trivial login servlet that serves a basic page with a link to - * authenticate at Portal. The login filter redirects to this page instead of - * Portal. - * - * @return Servlet registration bean for the Dashboard login servlet. - */ - @Bean - public ServletRegistrationBean loginServletBean() { - LoginServlet servlet = new LoginServlet(); - final ServletRegistrationBean servletBean = new ServletRegistrationBean<>(servlet, - DashboardConstants.LOGIN_PAGE); - servletBean.setName("LoginServlet"); - return servletBean; - } - }