1 parent
0b12ab0
commit b8ced09
Showing
51 changed files
with
3,486 additions
and
0 deletions.
@@ -0,0 +1,24 @@ | ||
package com.example.authorizationserver | ||
|
||
import com.example.authorizationserver.props.SecurityProperties | ||
import com.example.authorizationserver.props.ServerProperties | ||
import com.example.authorizationserver.props.SpringDataProperties | ||
import com.example.authorizationserver.props.SpringSessionProperties | ||
import org.springframework.boot.autoconfigure.SpringBootApplication | ||
import org.springframework.boot.context.properties.EnableConfigurationProperties | ||
import org.springframework.boot.runApplication | ||
|
||
@SpringBootApplication | ||
@EnableConfigurationProperties( | ||
ServerProperties::class, | ||
SecurityProperties::class, | ||
SpringDataProperties::class, | ||
SpringSessionProperties::class | ||
) | ||
internal class AuthorizationServerApplication | ||
|
||
fun main(args: Array<String>) { | ||
// run SpringBoot application | ||
runApplication<AuthorizationServerApplication>(*args) | ||
|
||
} |
@@ -0,0 +1,101 @@ | ||
# Custom properties to ease configuration overrides | ||
# on command-line or IDE launch configurations | ||
|
||
#**********************************************************************************************************************# | ||
#***************************************************** VARIABLES ******************************************************# | ||
#**********************************************************************************************************************# | ||
|
||
# server settings | ||
dse-servers.scheme: http | ||
dse-servers.hostname: localhost | ||
|
||
# reverse proxy server | ||
dse-servers.reverse-proxy-port: 7080 | ||
|
||
# bff server | ||
dse-servers.bff-prefix: /bff | ||
|
||
# authorization server | ||
dse-servers.authorization-server-port: 6060 | ||
dse-servers.authorization-server-prefix: /auth | ||
dse-servers.in-house-auth-registration-id: in-house-auth-server | ||
|
||
#**********************************************************************************************************************# | ||
#************************************************** SPRING SETTINGS ***************************************************# | ||
#**********************************************************************************************************************# | ||
|
||
# spring settings | ||
spring: | ||
# profile settings | ||
profiles: | ||
active: ssl | ||
# session redis configurations | ||
session: | ||
redis: | ||
namespace: spring:session:in-house-auth-server | ||
repository-type: indexed | ||
flush-mode: on-save | ||
timeout: 30 | ||
|
||
#**********************************************************************************************************************# | ||
#************************************************** SERVER SETTINGS ***************************************************# | ||
#**********************************************************************************************************************# | ||
|
||
# current server settings | ||
server: | ||
port: ${dse-servers.authorization-server-port} | ||
ssl: | ||
enabled: false | ||
|
||
#**********************************************************************************************************************# | ||
#************************************************* PROFILE SETTINGS ***************************************************# | ||
#**********************************************************************************************************************# | ||
|
||
# spring profile settings | ||
--- | ||
spring: | ||
config: | ||
activate: | ||
on-profile: ssl | ||
server: | ||
ssl: | ||
# This has been disabled! | ||
enabled: false | ||
|
||
#**********************************************************************************************************************# | ||
#*********************************************** MANAGEMENT SETTINGS **************************************************# | ||
#**********************************************************************************************************************# | ||
|
||
# endpoint settings | ||
management: | ||
endpoint: | ||
health: | ||
probes: | ||
enabled: true | ||
endpoints: | ||
web: | ||
exposure: | ||
include: health,info | ||
health: | ||
livenessstate: | ||
enabled: true | ||
readinessstate: | ||
enabled: true | ||
|
||
#**********************************************************************************************************************# | ||
#************************************************ LOGGING SETTINGS ****************************************************# | ||
#**********************************************************************************************************************# | ||
|
||
# logging configurations | ||
logging: | ||
level: | ||
root: INFO | ||
org: | ||
springframework: | ||
boot: INFO | ||
security: TRACE | ||
web: INFO | ||
|
||
#**********************************************************************************************************************# | ||
#************************************************** END OF YAML *******************************************************# | ||
#**********************************************************************************************************************# |
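Review bot: `security: TRACE` under `logging.level.org.springframework` ships as the unconditional default for this server, and at TRACE Spring Security logs per-request filter decisions and authentication objects, which can include principal names, remote addresses and session ids in the log stream. Since the file already uses profile-specific documents, keep the base value at `security: INFO` and put the TRACE level under a dev-only profile document. The `ssl` profile document (activated by `spring.profiles.active: ssl`) is also a no-op as written: it sets `server.ssl.enabled: false`, the same value the base document already has, so the profile named `ssl` never enables TLS while `dse-servers.scheme: http` keeps the server on plain HTTP; either configure the keystore under that profile or remove the profile and its `# This has been disabled!` comment so the name stops promising something the config does not do.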
@@ -0,0 +1,70 @@ | ||
package com.example.authorizationserver.auth | ||
|
||
import com.example.authorizationserver.props.ServerProperties | ||
import org.springframework.context.annotation.Bean | ||
import org.springframework.context.annotation.Configuration | ||
import org.springframework.core.annotation.Order | ||
import org.springframework.http.MediaType | ||
import org.springframework.security.config.Customizer.withDefaults | ||
import org.springframework.security.config.annotation.web.builders.HttpSecurity | ||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity | ||
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration | ||
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer | ||
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings | ||
import org.springframework.security.oauth2.server.authorization.token.* | ||
import org.springframework.security.web.SecurityFilterChain | ||
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint | ||
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher | ||
import java.util.* | ||
|
||
/**********************************************************************************************************************/ | ||
/********************************************* AUTHORIZATION SERVER CONFIGURATION *************************************/ | ||
/**********************************************************************************************************************/ | ||
|
||
@Configuration | ||
@EnableWebSecurity | ||
internal class AuthServerConfig ( | ||
private val serverProperties: ServerProperties, | ||
) { | ||
|
||
@Bean | ||
@Order(1) | ||
@Throws(Exception::class) | ||
/* security filter chain for protocol endpoints */ | ||
fun authorizationServerSecurityFilterChain(http: HttpSecurity): SecurityFilterChain { | ||
|
||
// disable csrf | ||
http.csrf { csrf -> csrf.disable() } | ||
|
||
// apply default http security settings to oauth 2.0 (e.g. default endpoints) | ||
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http) | ||
|
||
// enable OpenID Connect 1.0 | ||
http.getConfigurer(OAuth2AuthorizationServerConfigurer::class.java) | ||
.oidc(withDefaults()) | ||
|
||
// redirect to the login page when not authenticated | ||
// handlers for any exceptions not handled elsewhere | ||
http.exceptionHandling { | ||
it.defaultAuthenticationEntryPointFor( | ||
LoginUrlAuthenticationEntryPoint("/login"), | ||
MediaTypeRequestMatcher(MediaType.TEXT_HTML) | ||
) | ||
} | ||
|
||
return http.build() | ||
} | ||
|
||
@Bean | ||
// for configuring Spring Authorization Server (e.g. customising URLs for exposed endpoints) | ||
fun authorizationServerSettings(): AuthorizationServerSettings { | ||
return AuthorizationServerSettings.builder() | ||
.issuer(serverProperties.inHouseIssuerUri) | ||
.build() | ||
} | ||
|
||
} | ||
|
||
/**********************************************************************************************************************/ | ||
/**************************************************** END OF KOTLIN ***************************************************/ | ||
/**********************************************************************************************************************/ |
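Review bot: The `http.csrf { csrf -> csrf.disable() }` line at the top of `authorizationServerSecurityFilterChain` is very likely overridden by the `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http)` call right after it: in the Spring Authorization Server releases I know, `applyDefaultSecurity` itself calls `http.csrf(...)` with `ignoringRequestMatchers(endpointsMatcher)`, which re-registers a fresh `CsrfConfigurer` after `disable()` removed it, so the `// disable csrf` comment does not describe the chain that is actually built (the library version is not on the page, so confirm against the dependency). Either delete those two lines and rely on the endpoint-scoped CSRF exemption that `applyDefaultSecurity` installs, or, if the protocol endpoints genuinely need CSRF off beyond that, move the `csrf` customizer after `applyDefaultSecurity` and state the reason in the comment. In the same file, `import java.util.*` and `import ...authorization.token.*` bring in nothing the class references; drop both wildcard imports.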
@@ -0,0 +1,165 @@ | ||
package com.example.authorizationserver.auth | ||
|
||
import com.example.authorizationserver.auth.filters.DocDbAuthenticationFilter | ||
import com.example.authorizationserver.auth.handlers.DefaultAccessDeniedHandler | ||
import com.example.authorizationserver.auth.handlers.SocialLoginSuccessHandler | ||
import com.example.authorizationserver.auth.repositories.tokens.CustomServletCsrfTokenRepository | ||
import com.example.authorizationserver.auth.repositories.tokens.RedisRememberMeTokenRepository | ||
import com.example.authorizationserver.auth.requestcache.CustomRequestCache | ||
import com.example.authorizationserver.auth.csrf.CustomCsrfAuthenticationStrategy | ||
import com.example.authorizationserver.auth.sessions.CustomInvalidSessionStrategy | ||
import com.example.authorizationserver.auth.sessions.CustomSessionAuthenticationStrategy | ||
import com.example.authorizationserver.props.SecurityProperties | ||
import org.springframework.beans.factory.annotation.Autowired | ||
import org.springframework.context.annotation.Bean | ||
import org.springframework.context.annotation.Configuration | ||
import org.springframework.core.annotation.Order | ||
import org.springframework.security.config.annotation.web.builders.HttpSecurity | ||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity | ||
import org.springframework.security.config.http.SessionCreationPolicy | ||
import org.springframework.security.oauth2.client.* | ||
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository | ||
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository | ||
import org.springframework.security.web.SecurityFilterChain | ||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter | ||
import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler | ||
import org.springframework.security.web.context.SecurityContextRepository | ||
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter | ||
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.COOKIES | ||
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession | ||
import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices | ||
|
||
/**********************************************************************************************************************/ | ||
/*********************************************** DEFAULT SECURITY CONFIGURATION ***************************************/ | ||
/**********************************************************************************************************************/ | ||
|
||
@Configuration | ||
@EnableWebSecurity | ||
@EnableRedisHttpSession( ) | ||
internal class DefaultSecurityConfig ( | ||
private val securityProperties: SecurityProperties | ||
) { | ||
|
||
@Autowired | ||
private lateinit var servletClientRegistrationRepository: ClientRegistrationRepository | ||
|
||
@Autowired | ||
private lateinit var servletAuthorizedClientRepository: OAuth2AuthorizedClientRepository | ||
|
||
@Autowired | ||
private lateinit var servletAuthorizedClientService: OAuth2AuthorizedClientService | ||
|
||
@Bean | ||
@Order(2) | ||
@Throws(Exception::class) | ||
/* security filter chain for authentication & authorization */ | ||
fun defaultSecurityFilterChain( | ||
http: HttpSecurity, | ||
customServletCsrfTokenRepository : CustomServletCsrfTokenRepository, | ||
customCsrfAuthenticationStrategy: CustomCsrfAuthenticationStrategy, | ||
sessionRememberMeServices: SpringSessionRememberMeServices, | ||
socialLoginSuccessHandler: SocialLoginSuccessHandler, | ||
docDbAuthenticationFilter: DocDbAuthenticationFilter, | ||
customRequestCache: CustomRequestCache, | ||
customSecurityContextRepository: SecurityContextRepository, | ||
customInvalidSessionStrategy: CustomInvalidSessionStrategy, | ||
customSessionAuthenticationStrategy: CustomSessionAuthenticationStrategy, | ||
redisRememberMeTokenRepository: RedisRememberMeTokenRepository, | ||
accessDeniedHandler: DefaultAccessDeniedHandler, | ||
): SecurityFilterChain { | ||
|
||
// enable csrf | ||
http.csrf { csrf -> | ||
csrf.csrfTokenRepository(customServletCsrfTokenRepository) | ||
csrf.sessionAuthenticationStrategy(customCsrfAuthenticationStrategy) | ||
csrf.requireCsrfProtectionMatcher { request -> | ||
!request.method.equals("GET", ignoreCase = true) | ||
} | ||
} | ||
|
||
// setup session management - use stateless, and set other configurations | ||
http.sessionManagement { session -> | ||
// not truly stateless since HttpSessionSecurityContextRepository is used | ||
session.sessionCreationPolicy(SessionCreationPolicy.STATELESS) | ||
session.enableSessionUrlRewriting(false) | ||
session.invalidSessionStrategy(customInvalidSessionStrategy) | ||
session.sessionAuthenticationStrategy(customSessionAuthenticationStrategy) | ||
} | ||
|
||
// creates a more persistent rememberMe token, that isn't lost when browser closes | ||
// (unlike a session cookie, that will be lost) | ||
// http.rememberMe { rememberMe -> | ||
// rememberMe.rememberMeServices(sessionRememberMeServices) | ||
// rememberMe.useSecureCookie(false) // scope is not just on secure connections | ||
// rememberMe.key(securityProperties.rememberMeKey) | ||
// rememberMe.rememberMeCookieName("REMEMBER-ME-SESSIONID") | ||
// rememberMe.tokenRepository(redisRememberMeTokenRepository) | ||
// // rememberMe.userDetailsService() - NEED TO IMPLEMENT | ||
// } | ||
|
||
// apply security context repository | ||
http.securityContext { context -> | ||
context.securityContextRepository(customSecurityContextRepository) | ||
} | ||
|
||
// configure request cache | ||
http.requestCache { requestCache -> | ||
requestCache.requestCache(customRequestCache) | ||
} | ||
|
||
// form login handles the redirect to the login page from earlier filter chain | ||
http.formLogin { formLogin -> | ||
formLogin | ||
.permitAll() | ||
} | ||
|
||
// oauth2.0 client login (google) | ||
http.oauth2Login { oauth -> | ||
oauth | ||
.clientRegistrationRepository(servletClientRegistrationRepository) | ||
.authorizedClientRepository(servletAuthorizedClientRepository) | ||
.authorizedClientService(servletAuthorizedClientService) | ||
.successHandler(socialLoginSuccessHandler) | ||
} | ||
|
||
// apply DocDb authentication filter | ||
http.addFilterBefore( | ||
docDbAuthenticationFilter, | ||
UsernamePasswordAuthenticationFilter::class.java | ||
) | ||
|
||
// authorizations (lock all endpoints apart from) | ||
http.authorizeHttpRequests { authorize -> | ||
authorize | ||
.requestMatchers("/login/**").permitAll() | ||
.requestMatchers("/logout/**").permitAll() | ||
.requestMatchers("/oauth2/**").permitAll() | ||
.requestMatchers("/userinfo").permitAll() | ||
.requestMatchers("/connect/logout").permitAll() | ||
.anyRequest().authenticated() | ||
} | ||
|
||
// perform cleanup operations on logout (invalidate session, remove cookies & authentication object) | ||
// (note: this does not invalidate access or refresh tokens - they expire whenever they expire) | ||
http.logout { logout -> | ||
logout.logoutUrl("/logout") | ||
logout.invalidateHttpSession(true) | ||
logout.clearAuthentication(true) | ||
logout.deleteCookies("AUTH-SESSIONID") | ||
logout.addLogoutHandler(HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter(COOKIES))) | ||
logout.permitAll() | ||
} | ||
|
||
// handlers for any exceptions not handled elsewhere | ||
http.exceptionHandling { exceptionHandling -> | ||
exceptionHandling.accessDeniedHandler(accessDeniedHandler) | ||
} | ||
|
||
return http.build() | ||
} | ||
|
||
} | ||
|
||
/**********************************************************************************************************************/ | ||
/**************************************************** END OF KOTLIN ***************************************************/ | ||
/**********************************************************************************************************************/ |
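Review bot: `defaultSecurityFilterChain` injects `sessionRememberMeServices` and `redisRememberMeTokenRepository` but the only code that referenced them is the commented-out `http.rememberMe { ... }` block, and the constructor's `securityProperties` is never read in this file either; that block is also the only place `useSecureCookie(false)` appears, so if it is ever restored it belongs under a dev profile rather than in the default chain. Remove the dead block and the two unused parameters (or track the remember-me work in an issue) and drop `securityProperties` from the constructor until something reads it. The three `@Autowired lateinit var` fields sit next to constructor injection, which is a style inconsistency; passing them through the primary constructor keeps the config immutable and easier to test. Finally, `SessionCreationPolicy.STATELESS` is combined with `@EnableRedisHttpSession`, an `invalidSessionStrategy`, a `sessionAuthenticationStrategy` and `logout.invalidateHttpSession(true)`; the `// not truly stateless` comment admits the mismatch, but a comment on the policy line saying which of those are expected to take effect with an explicit `securityContextRepository` and `requestCache` set would spare the next reader from re-deriving it.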