X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=webapp-backend%2Fsrc%2Fmain%2Fjava%2Forg%2Foransc%2Fric%2Fportal%2Fdashboard%2Fconfig%2FWebSecurityConfiguration.java;h=5fde5c28f598bf9a446ea052d4e64751557553e8;hb=55472d9367cf229b2b87a625a8aa1dfb822cbaad;hp=44297016ce99289b9508a5c0ca444403995721ba;hpb=c0dbfbc9c6268d8a8bea989daffb3a5065e820aa;p=portal%2Fric-dashboard.git

diff --git a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
index 44297016..5fde5c28 100644
--- a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
+++ b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
@@ -21,12 +21,10 @@ package org.oransc.ric.portal.dashboard.config;
 
 import java.io.IOException;
 import java.lang.invoke.MethodHandles;
+import java.lang.reflect.InvocationTargetException;
 
-import org.onap.portalsdk.core.onboarding.crossapi.PortalRestAPIProxy;
 import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
-import org.oransc.ric.portal.dashboard.DashboardConstants;
-import org.oransc.ric.portal.dashboard.LoginServlet;
-import org.oransc.ric.portal.dashboard.controller.AcXappController;
+import org.oransc.ric.portal.dashboard.controller.A1MediatorController;
 import org.oransc.ric.portal.dashboard.controller.AdminController;
 import org.oransc.ric.portal.dashboard.controller.AnrXappController;
 import org.oransc.ric.portal.dashboard.controller.AppManagerController;
@@ -38,7 +36,6 @@ import org.oransc.ric.portal.dashboard.portalapi.PortalAuthenticationFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.web.servlet.ServletRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
@@ -48,6 +45,7 @@ import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableWebSecurity
@@ -59,8 +57,8 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 
 	// Although constructor arguments are recommended over field injection,
 	// this results in fewer lines of code.
-	@Value("${userfile}")
-	private String userFilePath;
+	@Value("${portalapi.security}")
+	private Boolean portalapiSecurity;
 	@Value("${portalapi.appname}")
 	private String appName;
 	@Value("${portalapi.username}")
@@ -71,12 +69,15 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 	private String decryptor;
 	@Value("${portalapi.usercookie}")
 	private String userCookie;
+	@Value("${userfile}")
+	private String userFilePath;
 
 	protected void configure(HttpSecurity http) throws Exception {
 		logger.debug("configure: portalapi.username {}", userName);
 		// A chain of ".and()" always baffles me
 		http.authorizeRequests().anyRequest().authenticated();
-		// http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+		http.headers().frameOptions().disable();
+		http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
 		http.addFilterBefore(portalAuthenticationFilterBean(), BasicAuthenticationFilter.class);
 	}
 
@@ -90,7 +91,7 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 			"/swagger-ui.html", //
 			"/webjars/**", //
 			PortalApiConstants.API_PREFIX + "/**", //
-			AcXappController.CONTROLLER_PATH + "/" + AcXappController.VERSION_METHOD, //
+			A1MediatorController.CONTROLLER_PATH + "/" + A1MediatorController.VERSION_METHOD, //
 			AdminController.CONTROLLER_PATH + "/" + AdminController.HEALTH_METHOD, //
 			AdminController.CONTROLLER_PATH + "/" + AdminController.VERSION_METHOD, //
 			AnrXappController.CONTROLLER_PATH + "/" + AnrXappController.HEALTH_ALIVE_METHOD, //
@@ -101,7 +102,6 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 			AppManagerController.CONTROLLER_PATH + "/" + AppManagerController.VERSION_METHOD, //
 			E2ManagerController.CONTROLLER_PATH + "/" + E2ManagerController.HEALTH_METHOD, //
 			E2ManagerController.CONTROLLER_PATH + "/" + E2ManagerController.VERSION_METHOD, //
-			DashboardConstants.LOGIN_PAGE, //
 			SimpleErrorController.ERROR_PATH };
 
 	@Override
@@ -112,7 +112,8 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 
 	@Bean
 	public PortalAuthManager portalAuthManagerBean()
-			throws IOException, ClassNotFoundException, InstantiationException, IllegalAccessException {
+			throws IOException, ClassNotFoundException, InstantiationException, IllegalAccessException,
+			IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException {
 		return new PortalAuthManager(appName, userName, password, decryptor, userCookie);
 	}
 
@@ -131,42 +132,11 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 	 * correctly.
 	 */
 	public PortalAuthenticationFilter portalAuthenticationFilterBean()
-			throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException {
-		PortalAuthenticationFilter portalAuthenticationFilter = new PortalAuthenticationFilter(portalAuthManagerBean(),
-				dashboardUserManagerBean());
+			throws ClassNotFoundException, InstantiationException, IllegalAccessException, IOException,
+			IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException {
+		PortalAuthenticationFilter portalAuthenticationFilter = new PortalAuthenticationFilter(portalapiSecurity,
+				portalAuthManagerBean(), dashboardUserManagerBean());
 		return portalAuthenticationFilter;
 	}
 
-	/**
-	 * Instantiates the EPSDK-FW servlet. Needed because this app is not configured
-	 * to scan the EPSDK-FW packages; there's also a chance that Spring-Boot does
-	 * not automatically process @WebServlet annotations.
-	 * 
-	 * @return Servlet registration bean for the Portal Rest API proxy servlet.
-	 */
-	@Bean
-	public ServletRegistrationBean<PortalRestAPIProxy> portalApiProxyServletBean() {
-		PortalRestAPIProxy servlet = new PortalRestAPIProxy();
-		final ServletRegistrationBean<PortalRestAPIProxy> servletBean = new ServletRegistrationBean<>(servlet,
-				PortalApiConstants.API_PREFIX + "/*");
-		servletBean.setName("PortalRestApiProxyServlet");
-		return servletBean;
-	}
-
-	/**
-	 * Instantiates a trivial login servlet that serves a basic page with a link to
-	 * authenticate at Portal. The login filter redirects to this page instead of
-	 * Portal.
-	 * 
-	 * @return Servlet registration bean for the Dashboard login servlet.
-	 */
-	@Bean
-	public ServletRegistrationBean<LoginServlet> loginServletBean() {
-		LoginServlet servlet = new LoginServlet();
-		final ServletRegistrationBean<LoginServlet> servletBean = new ServletRegistrationBean<>(servlet,
-				DashboardConstants.LOGIN_PAGE);
-		servletBean.setName("LoginServlet");
-		return servletBean;
-	}
-
 }