/**
 * Assembles the SAML endpoints into a single {@link FilterChainProxy}.
 *
 * <p>Every URL pattern below gets its own chain holding exactly one filter, so no other
 * Spring Security filter runs for these paths as part of this proxy.
 *
 * @return proxy holding the seven SAML chains in registration order
 * @throws Exception if one of the filter factory methods fails
 */
@Bean
public FilterChainProxy samlFilter() throws Exception {
    // Order is kept as declared; the proxy uses the first chain whose matcher accepts the request.
    final SecurityFilterChain[] orderedChains = {
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"), samlWebSSOHoKProcessingFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"), samlIDPDiscovery())
    };

    final List<SecurityFilterChain> samlChains = new ArrayList<SecurityFilterChain>(orderedChains.length);
    for (final SecurityFilterChain samlChain : orderedChains) {
        samlChains.add(samlChain);
    }
    return new FilterChainProxy(samlChains);
}
/**
 * Builds the {@code springSecurityFilterChain} bean from an explicit, ordered list of chains.
 *
 * <p>The first ten patterns are registered with an empty chain, so requests to them pass
 * through without any Spring Security filter. Only the final pattern carries filters.
 *
 * @return proxy holding the chains in the order registered below
 * @throws ServletException declared by the signature; not thrown directly in this method
 * @throws Exception if one of the filter factory methods fails
 */
@Bean(name = "springSecurityFilterChain")
public FilterChainProxy springSecurityFilterChain() throws ServletException, Exception {
    // Patterns that get a chain with no filters at all.
    // NOTE(review): "/api/cors" and "/api/dump" are exempt along with the API-documentation
    // paths; confirm that nothing sensitive is served from them without authentication.
    final String[] unfilteredPatterns = {
        "/api/cors",
        "/api/dump",
        "/api/validatorUrl",
        "/api/swagger-resources",
        "/api/configuration/ui",
        "/api/configuration/security",
        "/api/v2/api-docs",
        "/api/swagger-ui.html",
        "/api/webjars/**",
        "/webjars/**"
    };

    final List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
    for (final String pattern : unfilteredPatterns) {
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher(pattern)));
    }

    // NOTE(review): "/api/*" matches a single path segment only. A deeper path such as
    // /api/a/b matches no chain in this proxy and therefore gets no security filter.
    // Confirm whether "/api/**" was intended.
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/api/*"),
            securityContextPersistenceFilterWithASCFalse(),
            usernamePasswordAuthenticationFilter(),
            sessionManagementFilter(),
            exceptionTranslationFilter(),
            filterSecurityInterceptor()));

    return new FilterChainProxy(chains);
}
/**
 * Builds the {@code springSecurityFilterChain} bean from an explicit, ordered list of chains.
 *
 * <p>Eight documentation and static-resource patterns are registered with an empty chain, so
 * they are served without any Spring Security filter. Everything else under {@code /api/}
 * goes through the three filters of the last chain.
 *
 * @return proxy holding the chains in the order registered below
 * @throws ServletException declared by the signature; not thrown directly in this method
 * @throws Exception if one of the filter factory methods fails
 */
@Bean(name = "springSecurityFilterChain")
public FilterChainProxy springSecurityFilterChain() throws ServletException, Exception {
    // The dedicated "/api/login" chain (NoSecurityFilter) was disabled in the original and
    // stays disabled, so /api/login is handled by the "/api/**" chain below.
    final String[] unfilteredPatterns = {
        "/api/validatorUrl",
        "/api/swagger-resources",
        "/api/configuration/ui",
        "/api/configuration/security",
        "/api/v2/api-docs",
        "/api/swagger-ui.html",
        "/api/webjars/**",
        "/webjars/**"
    };

    final List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
    for (final String pattern : unfilteredPatterns) {
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher(pattern)));
    }

    // NOTE(review): this chain has no authentication filter of its own. Presumably the
    // security context is populated elsewhere before filterSecurityInterceptor() decides;
    // confirm.
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/api/**"),
            securityContextPersistenceFilterWithASCFalse(),
            exceptionTranslationFilter(),
            filterSecurityInterceptor()));

    return new FilterChainProxy(chains);
}
/** Checks that modifyLink passes the chain's one filter of the requested type to the modifier. */
@Test
public void Can_modify_a_filter() {

    // Given: a chain of three filters where only the middle one is a FilterTwo
    final FilterOne leading = mock(FilterOne.class);
    final FilterTwo target = mock(FilterTwo.class);
    final FilterThree trailing = mock(FilterThree.class);
    final SecurityFilterChain chain = mock(SecurityFilterChain.class);
    @SuppressWarnings("unchecked")
    final Modifier<FilterTwo> modifier = mock(Modifier.class);
    given(chain.getFilters()).willReturn(asList(leading, target, trailing));

    // When
    configurer.modifyLink(chain, FilterTwo.class, modifier);

    // Then
    verify(modifier).modify(target);
}
/**
 * Checks that addBefore inserts the new filter ahead of the first filter of the anchor type
 * only, leaving a later filter of the same type where it was.
 */
@Test
public void Can_add_a_filter_before_another() {

    // Given: the anchor type (FilterThree) occurs twice in the chain
    final FilterOne leading = mock(FilterOne.class);
    final FilterTwo inserted = mock(FilterTwo.class);
    final FilterThree anchor = mock(FilterThree.class);
    final FilterFour between = mock(FilterFour.class);
    final List<Filter> chainFilters = new ArrayList<>(asList(leading, anchor, between, anchor));
    final SecurityFilterChain chain = mock(SecurityFilterChain.class);
    given(chain.getFilters()).willReturn(chainFilters);

    // When
    configurer.addBefore(chain, FilterThree.class, inserted);

    // Then
    assertThat(chainFilters, contains(leading, inserted, anchor, between, anchor));
}
/**
 * Checks that addBefore leaves the chain untouched when it holds no filter of the anchor type.
 * The new filter is dropped without any error being raised.
 */
@Test
public void Can_not_add_a_filter_before_a_filter_that_does_not_exist() {

    // Given: a chain without any FilterThree
    final FilterOne leading = mock(FilterOne.class);
    final FilterTwo rejected = mock(FilterTwo.class);
    final FilterThree absentAnchor = mock(FilterThree.class); // created but never placed in the chain
    final FilterFour trailing = mock(FilterFour.class);
    final List<Filter> chainFilters = new ArrayList<>(asList(leading, trailing));
    final SecurityFilterChain chain = mock(SecurityFilterChain.class);
    given(chain.getFilters()).willReturn(chainFilters);

    // When
    configurer.addBefore(chain, FilterThree.class, rejected);

    // Then
    assertThat(chainFilters, contains(leading, trailing));
}
/** Checks that the proxy weaver hands every chain of the proxy to the chain weaver, and nothing else. */
@Test
public void Can_weave_a_filter_chain_proxy() {

    // Given: a proxy exposing three chains
    final SecurityFilterChain first = mock(SecurityFilterChain.class);
    final SecurityFilterChain second = mock(SecurityFilterChain.class);
    final SecurityFilterChain third = mock(SecurityFilterChain.class);
    given(filterChainProxy.getFilterChains()).willReturn(asList(first, second, third));

    // When
    proxyWeaver.weave();

    // Then: each chain was woven, with no further calls on the chain weaver
    verify(chainWeaver).weave(first);
    verify(chainWeaver).weave(second);
    verify(chainWeaver).weave(third);
    verifyNoMoreInteractions(chainWeaver);
}
/**
 * Assembles the SAML login, logout, SSO, holder-of-key SSO and single-logout endpoints into
 * one {@link FilterChainProxy}, one single-filter chain per URL pattern.
 *
 * <p>This variant registers no chain for SAML metadata or IdP discovery.
 *
 * @return proxy holding the five SAML chains in registration order
 * @throws Exception if one of the filter factory methods fails
 */
@Bean
public FilterChainProxy samlFilter() throws Exception {
    final SecurityFilterChain[] orderedChains = {
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"), samlWebSSOHoKProcessingFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter())
    };

    final List<SecurityFilterChain> samlChains = new ArrayList<>(orderedChains.length);
    for (final SecurityFilterChain samlChain : orderedChains) {
        samlChains.add(samlChain);
    }
    return new FilterChainProxy(samlChains);
}
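/**
 * Builds the SAML {@link FilterChainProxy} with login, metadata, SSO and discovery chains,
 * in that order.
 *
 * @param samlEntryPoint filter registered for "/saml/login/**"
 * @param contextProvider context provider passed to the SSO processing filter and to the
 *        discovery filter
 * @return proxy holding the four SAML chains
 * @throws IllegalStateException if the SSO processing filter cannot be created
 */
private FilterChainProxy samlFilter(SAMLEntryPoint samlEntryPoint, SAMLContextProvider contextProvider) {
    List<SecurityFilterChain> chains = new ArrayList<>();
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
            new MetadataDisplayFilter()));

    try {
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
                samlWebSSOProcessingFilter(samlAuthenticationProvider, contextProvider, samlProcessor)));
    } catch (Exception e) {
        // Fail fast. The previous printStackTrace() let start-up continue with the
        // "/saml/SSO/**" chain missing, so SAML responses would have reached the application
        // with no processing filter in front of them and only a stderr trace to show for it.
        throw new IllegalStateException(
                "Could not create the SAML SSO processing filter for /saml/SSO/**", e);
    }

    // The discovery filter uses the same metadata manager and context provider as the rest.
    SAMLDiscovery samlDiscovery = new SAMLDiscovery();
    samlDiscovery.setMetadata(cachingMetadataManager);
    samlDiscovery.setContextProvider(contextProvider);
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"), samlDiscovery));

    return new FilterChainProxy(chains);
}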
/**
 * Rebuilds the filter chain proxy from the given
 * {@link org.motechproject.security.domain.MotechURLSecurityRule} list.
 *
 * <p>Rules that are inactive or marked deleted are skipped. Every remaining rule contributes
 * one chain per required HTTP method. If no rule qualifies, the new proxy holds no chains at
 * all, and requests then pass through it without any security filter.
 *
 * @param securityRules list that contains the new security rules
 */
private void updateSecurityChain(List<MotechURLSecurityRule> securityRules) {
    LOGGER.debug("Updating security chain");

    // Ordering comes from SecurityRuleComparator (the original comment says: priority, descending).
    // NOTE(review): a TreeSet keeps only one of any two rules its comparator reports as equal.
    // Confirm the comparator never returns 0 for distinct rules, or a rule is silently dropped.
    TreeSet<MotechURLSecurityRule> orderedRules = new TreeSet<>(new SecurityRuleComparator());
    orderedRules.addAll(securityRules);

    List<SecurityFilterChain> rebuiltChains = new ArrayList<>();
    for (MotechURLSecurityRule rule : orderedRules) {
        if (!rule.isActive() || rule.isDeleted()) {
            continue;
        }

        LOGGER.debug("Creating SecurityFilterChain for: {}", rule.getPattern());
        for (HTTPMethod requiredMethod : rule.getMethodsRequired()) {
            rebuiltChains.add(securityRuleBuilder.buildSecurityChain(rule, requiredMethod));
        }
        LOGGER.debug("Created SecurityFilterChain for: {}", rule.getPattern());
    }

    // The proxy is replaced only after every chain has been built.
    proxy = new FilterChainProxy(rebuiltChains);
    LOGGER.debug("Updated security chain.");
}
/**
 * Defines the filter chains that support SSO authentication with SAML 2.0.
 *
 * <p>Each URL pattern is bound to a chain holding a single filter.
 *
 * @return proxy holding the seven SAML chains in registration order
 * @throws Exception if one of the filter factory methods fails
 */
@Bean
public FilterChainProxy samlFilter() throws Exception {
    final SecurityFilterChain login =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint());
    final SecurityFilterChain logout =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter());
    final SecurityFilterChain metadata =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter());
    final SecurityFilterChain sso =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter());
    final SecurityFilterChain ssoHolderOfKey =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"), samlWebSSOHoKProcessingFilter());
    final SecurityFilterChain singleLogout =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter());
    final SecurityFilterChain discovery =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"), samlIDPDiscovery());

    // Registration order is the order in which the proxy tries the matchers.
    final List<SecurityFilterChain> samlChains = new ArrayList<SecurityFilterChain>();
    samlChains.add(login);
    samlChains.add(logout);
    samlChains.add(metadata);
    samlChains.add(sso);
    samlChains.add(ssoHolderOfKey);
    samlChains.add(singleLogout);
    samlChains.add(discovery);
    return new FilterChainProxy(samlChains);
}
/**
 * Defines the filter chains that support SSO authentication with SAML 2.0.
 *
 * <p>The login and logout chains each run a fresh {@code TargetStoringFilter} ahead of the
 * SAML filter. The other three chains hold a single filter.
 *
 * @return proxy holding the five SAML chains in registration order
 * @throws Exception if one of the filter factory methods fails
 */
@Bean
public FilterChainProxy samlFilter() throws Exception {
    // NOTE(review): TargetStoringFilter is not visible here. If it records a redirect target
    // taken from the request, confirm that the target is validated before it is used.
    final SecurityFilterChain[] orderedChains = {
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
                new TargetStoringFilter(), samlEntryPoint()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
                new TargetStoringFilter(), samlLogoutFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter())
    };

    final List<SecurityFilterChain> samlChains = new ArrayList<SecurityFilterChain>(orderedChains.length);
    for (final SecurityFilterChain samlChain : orderedChains) {
        samlChains.add(samlChain);
    }
    return new FilterChainProxy(samlChains);
}
/**
 * Installs an {@code OAuth2AuthenticationSuccessHandler} on every
 * {@code OAuth2ClientAuthenticationProcessingFilter} found in a {@link FilterChainProxy} bean.
 *
 * <p>Beans of any other type are returned untouched. Each matching filter receives its own
 * new handler instance, replacing whatever success handler it had before.
 *
 * @param bean the initialized bean
 * @param beanName the bean's name (not used)
 * @return the same bean instance that was passed in
 * @throws BeansException declared by the overridden method; not thrown directly here
 */
@Override
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
    if (!(bean instanceof FilterChainProxy)) {
        return bean;
    }

    final FilterChainProxy proxy = (FilterChainProxy) bean;
    for (SecurityFilterChain chain : proxy.getFilterChains()) {
        for (Filter candidate : chain.getFilters()) {
            if (!(candidate instanceof OAuth2ClientAuthenticationProcessingFilter)) {
                continue;
            }
            ((OAuth2ClientAuthenticationProcessingFilter) candidate)
                    .setAuthenticationSuccessHandler(new OAuth2AuthenticationSuccessHandler());
        }
    }
    return bean;
}
/**
 * Assembles the SAML login, metadata, SSO and discovery endpoints into one
 * {@link FilterChainProxy}, one single-filter chain per URL pattern.
 *
 * <p>This variant registers no chain for logout or single logout.
 *
 * @return proxy holding the four SAML chains in registration order
 * @throws Exception if one of the filter factory methods fails
 */
@Bean
public FilterChainProxy samlFilter() throws Exception {
    final SecurityFilterChain login =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint());
    final SecurityFilterChain metadata =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter());
    final SecurityFilterChain sso =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter());
    final SecurityFilterChain discovery =
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"), samlIDPDiscovery());

    final List<SecurityFilterChain> samlChains = new ArrayList<>();
    samlChains.add(login);
    samlChains.add(metadata);
    samlChains.add(sso);
    samlChains.add(discovery);
    return new FilterChainProxy(samlChains);
}
/**
 * Applies the modifier to every filter in the chain whose class is {@code filterType} or a
 * subtype of it.
 *
 * <p>Nothing happens, and nothing is reported, when the chain holds no filter of that type.
 *
 * @param filterChain chain whose filters are inspected
 * @param filterType type of filter to modify
 * @param modifier callback invoked once per matching filter
 * @param <F> the filter type
 */
@Override
@SuppressWarnings("unchecked")
public <F extends Filter> void modifyLink(SecurityFilterChain filterChain, Class<F> filterType, Modifier<F> modifier) {
    for (final Filter candidate : filterChain.getFilters()) {
        final boolean matchesType = filterType.isAssignableFrom(candidate.getClass());
        if (!matchesType) {
            continue;
        }
        // The cast is safe: the class check above established that candidate is an F.
        final F typed = (F) candidate;
        modifier.modify(typed);
    }
}
/**
 * Inserts {@code filter} into the chain at the index that {@code findFirstIndexOf} reports
 * for {@code filterClass}.
 *
 * <p>When that index is negative the chain is left unchanged and the caller gets no signal
 * that the filter was not installed. Callers that rely on the filter for authentication
 * should check that the anchor type is present in the chain.
 *
 * @param filterChain chain to modify; assumes getFilters() returns its live, mutable list
 *        (TODO confirm)
 * @param filterClass type of the filter to insert in front of
 * @param filter filter to insert
 */
@Override
public void addBefore(SecurityFilterChain filterChain, Class<? extends Filter> filterClass, Filter filter) {
    final List<Filter> chainFilters = filterChain.getFilters();
    final int anchorIndex = findFirstIndexOf(filterClass, chainFilters);
    if (anchorIndex < 0) {
        // No anchor found: nothing is inserted.
        return;
    }
    chainFilters.add(anchorIndex, filter);
}
/**
 * Provides the default {@link ChainWeaver} for security filter chains. It is registered only
 * when the context holds no other {@code ChainWeaver} bean.
 *
 * @param logoutHandlerAdder passed through to the weaver
 * @param successHandlerWrapper passed through to the weaver
 * @param modifier passed through to the weaver
 * @param authenticationFilter passed through to the weaver
 * @return a new {@code SecurityFilterChainWeaver} built from the four collaborators
 */
@Bean
@ConditionalOnMissingBean(ChainWeaver.class)
public ChainWeaver<SecurityFilterChain> securityFilterChainWeaver(
    LogoutHandlerAdder logoutHandlerAdder,
    SuccessHandlerWrapper successHandlerWrapper,
    ChainModifier<SecurityFilterChain, Filter> modifier,
    JwtAuthenticationFilter authenticationFilter
) {
    final ChainWeaver<SecurityFilterChain> defaultWeaver = new SecurityFilterChainWeaver(
        logoutHandlerAdder,
        successHandlerWrapper,
        modifier,
        authenticationFilter
    );
    return defaultWeaver;
}
/**
 * Creates a weaver from its four collaborators. The arguments are stored as given, with no
 * null checks.
 *
 * @param logoutHandlerAdder stored in the field of the same name
 * @param successHandlerWrapper stored in the field of the same name
 * @param modifier stored in the field of the same name
 * @param authenticationFilter stored in the field of the same name
 */
public SecurityFilterChainWeaver(
    LogoutHandlerAdder logoutHandlerAdder,
    SuccessHandlerWrapper successHandlerWrapper,
    ChainModifier<SecurityFilterChain, Filter> modifier,
    JwtAuthenticationFilter authenticationFilter
) {
    // The chain-editing helper and the filter it inserts.
    this.modifier = modifier;
    this.authenticationFilter = authenticationFilter;
    // Callbacks applied to filters already present in a chain.
    this.logoutHandlerAdder = logoutHandlerAdder;
    this.successHandlerWrapper = successHandlerWrapper;
}
/**
 * Checks that weaving a chain makes the three expected modifier calls: the logout handler
 * adder on LogoutFilter, the authentication filter before UsernamePasswordAuthenticationFilter,
 * and the success handler wrapper on UsernamePasswordAuthenticationFilter.
 */
@Test
public void Can_weave_a_security_filter_chain() {

    // Given
    final SecurityFilterChain chain = mock(SecurityFilterChain.class);

    // When
    chainWeaver.weave(chain);

    // Then
    verify(modifier).modifyLink(chain, LogoutFilter.class, logoutHandlerAdder);
    verify(modifier).addBefore(chain, UsernamePasswordAuthenticationFilter.class, authenticationFilter);
    verify(modifier).modifyLink(chain, UsernamePasswordAuthenticationFilter.class, successHandlerWrapper);
}
/**
 * Assembles the SAML endpoints into one {@link FilterChainProxy} backed by an immutable list,
 * one single-filter chain per URL pattern.
 *
 * @return proxy holding the seven SAML chains in the order listed
 * @throws Exception if one of the filter factory methods fails
 */
@Bean
public FilterChainProxy filterChainProxy() throws Exception {
    //@formatter:off
    final ImmutableList<SecurityFilterChain> samlChains = ImmutableList.<SecurityFilterChain>of(
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlProcessingFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"), samlWebSSOHoKProcessingFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter()),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"), samlIDPDiscovery())
    );
    //@formatter:on
    return new FilterChainProxy(samlChains);
}
/**
 * Builds the single catch-all chain for this application.
 *
 * <p>The filter order is significant and is kept exactly as declared.
 *
 * @return a list holding one chain that matches every request path
 */
private List<SecurityFilterChain> filterChain() {
    final RequestMatcher everyRequest = new AntPathRequestMatcher("/**");
    final SecurityFilterChain catchAll = new DefaultSecurityFilterChain(
            everyRequest,
            new SecurityContextPersistenceFilter(),
            logoutFilter(),
            cojAuthenticationProcessingFilter(),
            new SecurityContextHolderAwareRequestFilter(),
            rememberMeAuthenticationFilter(),
            anonymousAuthenticationFilter(),
            exceptionTranslationFilter(),
            filterInvocationInterceptor());

    // The initial capacity of 12 is kept from the original; only one chain is ever added.
    final List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>(12);
    chains.add(catchAll);
    return chains;
}
/**
 * Boots a web application context with the security auto-configuration and checks that an
 * {@code AuthenticationManagerBuilder} bean exists and that the proxy exposes five chains.
 */
@Test
public void testWebConfiguration() throws Exception {
    context = new AnnotationConfigWebApplicationContext();
    context.setServletContext(new MockServletContext());
    context.register(
            SecurityAutoConfiguration.class,
            ServerPropertiesAutoConfiguration.class,
            PropertyPlaceholderAutoConfiguration.class);
    context.refresh();

    assertNotNull(context.getBean(AuthenticationManagerBuilder.class));

    // NOTE(review): the original comment read "5 for static resources and one for the rest",
    // which adds up to six, while the assertion expects five chains in total. Confirm which
    // of the two is intended.
    final FilterChainProxy proxy = context.getBean(FilterChainProxy.class);
    final List<SecurityFilterChain> chains = proxy.getFilterChains();
    assertEquals(5, chains.size());
}
/**
 * Creates the filter chain proxy: a single chain that matches every request.
 *
 * <p>The filter list is rebuilt on every {@code getFilters()} call, so the HTTP-header
 * authentication switch is read from configuration each time and the two stateless filters
 * are created anew.
 *
 * <p>NOTE(review): the chain holds no authorization filter, and the trailing anonymous filter
 * gives otherwise unauthenticated requests an anonymous identity. Presumably access control
 * is enforced elsewhere (for example at method level); confirm.
 *
 * @param trustedUserAuthenticationFilter the trusted user authentication filter.
 * @param httpHeaderAuthenticationFilter the HTTP header authentication filter.
 *
 * @return the filter chain proxy.
 */
@Bean
public FilterChainProxy filterChainProxy(final TrustedUserAuthenticationFilter trustedUserAuthenticationFilter,
    final HttpHeaderAuthenticationFilter httpHeaderAuthenticationFilter)
{
    final SecurityFilterChain matchEverything = new SecurityFilterChain()
    {
        @Override
        public boolean matches(HttpServletRequest request)
        {
            // Every URL is handled by this chain.
            return true;
        }

        @Override
        public List<Filter> getFilters()
        {
            final List<Filter> ordered = new ArrayList<>();

            // Restores and stores the security context between HTTP requests.
            ordered.add(new SecurityContextPersistenceFilter());

            // Trusted-user filter: per the original comment it bypasses security depending on
            // a SpEL expression environment property, so that property is security-sensitive.
            ordered.add(trustedUserAuthenticationFilter);

            // Header-based authentication is optional and controlled by configuration.
            final boolean headerAuthEnabled =
                Boolean.valueOf(configurationHelper.getProperty(ConfigurationValue.SECURITY_HTTP_HEADER_ENABLED));
            if (headerAuthEnabled)
            {
                ordered.add(httpHeaderAuthenticationFilter);
            }

            // Anonymous authentication comes last.
            ordered.add(new AnonymousAuthenticationFilter("AnonymousFilterKey"));

            return ordered;
        }
    };

    return new FilterChainProxy(matchEverything);
}
/**
 * Creates the filter chain proxy: one chain that applies to every request path.
 *
 * <p>The filters run in the order they are passed: security context persistence,
 * pre-authenticated processing, logout, exception translation, then the security interceptor.
 *
 * @return the filter chain proxy
 */
@Bean(name = "filterChainProxy")
public FilterChainProxy getFilterChainProxy() {
    final AntPathRequestMatcher everyRequest = new AntPathRequestMatcher("/**");
    final SecurityFilterChain catchAll = new DefaultSecurityFilterChain(
            everyRequest,
            getSecurityContextPersistenceFilter(),
            getJ2eePreAuthenticatedProcessingFilter(),
            getLogoutFilter(),
            getExceptionTranslationFilter(),
            getFilterSecurityInterceptor());
    return new FilterChainProxy(catchAll);
}
/** Checks that the proxy obtained from the proxy manager holds at least one security chain. */
@Test
public void testProxyHasDefaultSecurityChains() {
    final List<SecurityFilterChain> chains = proxyManager.getFilterChainProxy().getFilterChains();

    // A proxy without chains would let every request through unfiltered.
    assertTrue(!chains.isEmpty());
}
/**
 * Builds a chain from a rule that sets only pattern, protocol, supported schemes and required
 * methods, and checks that the resulting chain holds ten filters.
 */
@Test
public void testMinimalRequirements() {
    final MotechURLSecurityRule minimalRule = new MotechURLSecurityRule();
    minimalRule.setPattern("pattern");
    minimalRule.setProtocol(HTTP);
    minimalRule.setSupportedSchemes(Arrays.asList(USERNAME_PASSWORD));
    minimalRule.setMethodsRequired(Arrays.asList(ANY));

    final SecurityFilterChain builtChain = securityBuilder.buildSecurityChain(minimalRule, GET);

    assertNotNull(builtChain);
    final int filterCount = builtChain.getFilters().size();
    assertEquals(10, filterCount);
}
/**
 * Provides the default {@link Weaver}. It is registered only when the context holds no other
 * {@code Weaver} bean.
 *
 * @param filterChainProxy proxy whose chains are to be woven
 * @param chainWeaver weaver applied to each chain of the proxy
 * @return a new {@code FilterChainProxyWeaver} over the given proxy
 */
@Bean
@ConditionalOnMissingBean(Weaver.class)
public Weaver weaver(FilterChainProxy filterChainProxy, ChainWeaver<SecurityFilterChain> chainWeaver) {
    final Weaver proxyWeaver = new FilterChainProxyWeaver(filterChainProxy, chainWeaver);
    return proxyWeaver;
}
/**
 * Provides the default {@link ChainModifier} for security filter chains. It is registered
 * only when the context holds no other {@code ChainModifier} bean.
 *
 * @return a new {@code SecurityFilterChainModifier}
 */
@Bean
@ConditionalOnMissingBean(ChainModifier.class)
public ChainModifier<SecurityFilterChain, Filter> modifier() {
    final ChainModifier<SecurityFilterChain, Filter> defaultModifier = new SecurityFilterChainModifier();
    return defaultModifier;
}
/**
 * Weaves the JWT authentication pieces into one filter chain, in three steps: apply the
 * logout handler adder to the chain's LogoutFilter, insert the authentication filter before
 * UsernamePasswordAuthenticationFilter, then apply the success handler wrapper to
 * UsernamePasswordAuthenticationFilter.
 *
 * <p>NOTE(review): all three steps are delegated to the modifier, which gives no result back.
 * If it skips chains that lack the anchor filter type, such a chain stays without the
 * authentication filter and nothing reports it; confirm against the modifier in use.
 *
 * @param filterChain chain to modify in place
 */
@Override
public void weave(SecurityFilterChain filterChain) {
    final Class<UsernamePasswordAuthenticationFilter> loginFilterType = UsernamePasswordAuthenticationFilter.class;

    modifier.modifyLink(filterChain, LogoutFilter.class, logoutHandlerAdder);
    modifier.addBefore(filterChain, loginFilterType, authenticationFilter);
    modifier.modifyLink(filterChain, loginFilterType, successHandlerWrapper);
}
/**
 * Creates a weaver over the given proxy. Both arguments are stored as given, with no null
 * checks.
 *
 * @param filterChainProxy proxy whose chains {@code weave()} iterates
 * @param chainWeaver weaver that {@code weave()} applies to each chain
 */
public FilterChainProxyWeaver(FilterChainProxy filterChainProxy, ChainWeaver<SecurityFilterChain> chainWeaver) {
    this.chainWeaver = chainWeaver;
    this.filterChainProxy = filterChainProxy;
}
/**
 * Applies the chain weaver to every chain of the proxy, in the order the proxy returns them.
 */
@Override
public void weave() {
    // A lambda rather than a bound method reference, so chainWeaver is dereferenced only
    // when there is a chain to weave, exactly as in a plain loop.
    filterChainProxy.getFilterChains().forEach(chain -> chainWeaver.weave(chain));
}
/**
 * Registers every filter of the context's {@code SecurityFilterChain} bean with the
 * environment under the URL pattern {@code "/*"}.
 *
 * <p>The chain's own {@code matches()} is never consulted here, so each filter is registered
 * for all paths whatever request matcher the chain was built with.
 *
 * @param environment environment that receives the filters
 */
protected void registerSpringSecurityFilters(Environment environment) {
    final SecurityFilterChain securityChain = context.getBean(SecurityFilterChain.class);
    // Filters are registered in chain order.
    for (final Filter securityFilter : securityChain.getFilters()) {
        environment.addFilter(securityFilter, "/*");
    }
}