library/src/main/java/org/apache/fineract/cn/anubis/config/FinKeycloakSecurityConfigurerAdapter.java - fineract-cn-anubis - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.fineract.cn.anubis.config;

 import com.fasterxml.jackson.annotation.JsonProperty;
 import org.apache.fineract.cn.anubis.filter.IsisAuthenticatedProcessingFilter;
 import org.apache.fineract.cn.anubis.security.FinKeycloakAuthenticationProvider;
 import org.apache.fineract.cn.anubis.security.UrlPermissionChecker;
 import org.apache.fineract.cn.lang.ApplicationName;
 import org.keycloak.KeycloakPrincipal;
 import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
 import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
 import org.keycloak.adapters.springsecurity.account.KeycloakRole;
 import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
 import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
 import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
 import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
 import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
 import org.keycloak.representations.AccessToken;
 import org.slf4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.vote.UnanimousBased;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
 import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

 import javax.servlet.Filter;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;

 /**
  * @author manoj
  */
 @Configuration
 @EnableWebSecurity
 @ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
 @ConditionalOnProperty({"authentication.service.keycloak"})
 public class FinKeycloakSecurityConfigurerAdapter extends KeycloakWebSecurityConfigurerAdapter {
  final private Logger logger;
  final private ApplicationName applicationName;

  public FinKeycloakSecurityConfigurerAdapter(final @Qualifier(AnubisConstants.LOGGER_NAME) Logger logger,
                                              final ApplicationName applicationName) {
   this.logger = logger;
   this.applicationName = applicationName;
  }

  static class CustomKeycloakAccessToken extends AccessToken {
   @JsonProperty("roles")
   protected Set<String> roles;

   public Set<String> getRoles() {
    return roles;
   }

   public void setRoles(Set<String> roles) {
    this.roles = roles;
   }
  }

  @Override
  protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
   return new KeycloakAuthenticationProvider() {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
     KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
     List<GrantedAuthority> grantedAuthorities = new ArrayList<>();

     for (String role : ((CustomKeycloakAccessToken)((KeycloakPrincipal<KeycloakSecurityContext>)token.getPrincipal()).getKeycloakSecurityContext().getToken()).getRoles()) {
      grantedAuthorities.add(new KeycloakRole(role));
     }

     return new KeycloakAuthenticationToken(token.getAccount(), token.isInteractive(), new SimpleAuthorityMapper().mapAuthorities(grantedAuthorities));
    }

   };
  }

  @Autowired
  public void configureGlobal(
          final AuthenticationManagerBuilder auth,
          @SuppressWarnings("SpringJavaAutowiringInspection") final FinKeycloakAuthenticationProvider provider)
          throws Exception {
   auth.authenticationProvider(provider);
  }

  @Bean
  @Override
  protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
   return new NullAuthenticatedSessionStrategy();
  }
  @Bean
  public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
   return new KeycloakSpringBootConfigResolver();
  }

  @Bean
  public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
          KeycloakAuthenticationProcessingFilter filter) {
   FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
   registrationBean.setEnabled(false);
   return registrationBean;
  }

  @Bean
  public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(KeycloakPreAuthActionsFilter filter) {
   FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
   registrationBean.setEnabled(false);
   return registrationBean;
  }

  private AccessDecisionManager defaultAccessDecisionManager() {
   final List<AccessDecisionVoter<?>> voters = new ArrayList<>();
   voters.add(new UrlPermissionChecker(logger, applicationName));return new UnanimousBased(voters);
  }

  protected void configure(HttpSecurity http) throws Exception {
   Filter filter = new IsisAuthenticatedProcessingFilter(super.authenticationManager());
   ((HttpSecurity)((HttpSecurity)((HttpSecurity)((HttpSecurity)((UrlAuthorizationConfigurer.StandardInterceptUrlRegistry)((UrlAuthorizationConfigurer.AuthorizedUrl)((UrlAuthorizationConfigurer)((HttpSecurity)((HttpSecurity)http.httpBasic().disable()).csrf().disable()).apply(new UrlAuthorizationConfigurer(this.getApplicationContext()))).getRegistry().anyRequest()).hasAuthority("maats_feather").accessDecisionManager(this.defaultAccessDecisionManager())).and()).formLogin().disable()).logout().disable()).addFilter(filter).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()).exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> {
    response.setStatus(404);
   });
  }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.fineract.cn.anubis.config;

	import com.fasterxml.jackson.annotation.JsonProperty;
	import org.apache.fineract.cn.anubis.filter.IsisAuthenticatedProcessingFilter;
	import org.apache.fineract.cn.anubis.security.FinKeycloakAuthenticationProvider;
	import org.apache.fineract.cn.anubis.security.UrlPermissionChecker;
	import org.apache.fineract.cn.lang.ApplicationName;
	import org.keycloak.KeycloakPrincipal;
	import org.keycloak.KeycloakSecurityContext;
	import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
	import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
	import org.keycloak.adapters.springsecurity.account.KeycloakRole;
	import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
	import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
	import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
	import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
	import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
	import org.keycloak.representations.AccessToken;
	import org.slf4j.Logger;
	import org.springframework.beans.factory.annotation.Autowired;
	import org.springframework.beans.factory.annotation.Qualifier;
	import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
	import org.springframework.boot.web.servlet.FilterRegistrationBean;
	import org.springframework.context.annotation.Bean;
	import org.springframework.context.annotation.ComponentScan;
	import org.springframework.context.annotation.Configuration;
	import org.springframework.security.access.AccessDecisionManager;
	import org.springframework.security.access.AccessDecisionVoter;
	import org.springframework.security.access.vote.UnanimousBased;
	import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
	import org.springframework.security.config.annotation.web.builders.HttpSecurity;
	import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
	import org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer;
	import org.springframework.security.config.http.SessionCreationPolicy;
	import org.springframework.security.core.Authentication;
	import org.springframework.security.core.AuthenticationException;
	import org.springframework.security.core.GrantedAuthority;
	import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
	import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
	import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

	import javax.servlet.Filter;
	import java.util.ArrayList;
	import java.util.List;
	import java.util.Set;

	/**
	* @author manoj
	*/
	@Configuration
	@EnableWebSecurity
	@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
	@ConditionalOnProperty({"authentication.service.keycloak"})
	public class FinKeycloakSecurityConfigurerAdapter extends KeycloakWebSecurityConfigurerAdapter {
	final private Logger logger;
	final private ApplicationName applicationName;

	public FinKeycloakSecurityConfigurerAdapter(final @Qualifier(AnubisConstants.LOGGER_NAME) Logger logger,
	final ApplicationName applicationName) {
	this.logger = logger;
	this.applicationName = applicationName;
	}

	static class CustomKeycloakAccessToken extends AccessToken {
	@JsonProperty("roles")
	protected Set<String> roles;

	public Set<String> getRoles() {
	return roles;
	}

	public void setRoles(Set<String> roles) {
	this.roles = roles;
	}
	}

	@Override
	protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
	return new KeycloakAuthenticationProvider() {

	@Override
	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
	KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
	List<GrantedAuthority> grantedAuthorities = new ArrayList<>();

	for (String role : ((CustomKeycloakAccessToken)((KeycloakPrincipal<KeycloakSecurityContext>)token.getPrincipal()).getKeycloakSecurityContext().getToken()).getRoles()) {
	grantedAuthorities.add(new KeycloakRole(role));
	}

	return new KeycloakAuthenticationToken(token.getAccount(), token.isInteractive(), new SimpleAuthorityMapper().mapAuthorities(grantedAuthorities));
	}

	};
	}

	@Autowired
	public void configureGlobal(
	final AuthenticationManagerBuilder auth,
	@SuppressWarnings("SpringJavaAutowiringInspection") final FinKeycloakAuthenticationProvider provider)
	throws Exception {
	auth.authenticationProvider(provider);
	}

	@Bean
	@Override
	protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
	return new NullAuthenticatedSessionStrategy();
	}
	@Bean
	public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
	return new KeycloakSpringBootConfigResolver();
	}

	@Bean
	public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
	KeycloakAuthenticationProcessingFilter filter) {
	FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
	registrationBean.setEnabled(false);
	return registrationBean;
	}

	@Bean
	public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(KeycloakPreAuthActionsFilter filter) {
	FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
	registrationBean.setEnabled(false);
	return registrationBean;
	}

	private AccessDecisionManager defaultAccessDecisionManager() {
	final List<AccessDecisionVoter<?>> voters = new ArrayList<>();
	voters.add(new UrlPermissionChecker(logger, applicationName));return new UnanimousBased(voters);
	}

	protected void configure(HttpSecurity http) throws Exception {
	Filter filter = new IsisAuthenticatedProcessingFilter(super.authenticationManager());
	((HttpSecurity)((HttpSecurity)((HttpSecurity)((HttpSecurity)((UrlAuthorizationConfigurer.StandardInterceptUrlRegistry)((UrlAuthorizationConfigurer.AuthorizedUrl)((UrlAuthorizationConfigurer)((HttpSecurity)((HttpSecurity)http.httpBasic().disable()).csrf().disable()).apply(new UrlAuthorizationConfigurer(this.getApplicationContext()))).getRegistry().anyRequest()).hasAuthority("maats_feather").accessDecisionManager(this.defaultAccessDecisionManager())).and()).formLogin().disable()).logout().disable()).addFilter(filter).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()).exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> {
	response.setStatus(404);
	});
	}

	}