webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java - incubator-atlas - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  * <p>
  * http://www.apache.org/licenses/LICENSE-2.0
  * <p>
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.atlas.web.security;

 import org.apache.atlas.web.filters.ActiveServerFilter;
 import org.apache.atlas.web.filters.AtlasAuthenticationEntryPoint;
 import org.apache.atlas.web.filters.AtlasAuthenticationFilter;
 import org.apache.atlas.web.filters.AtlasAuthorizationFilter;
 import org.apache.atlas.web.filters.AtlasCSRFPreventionFilter;
 import org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter;
 import org.apache.atlas.web.filters.StaleTransactionCleanupFilter;
 import org.apache.commons.configuration.Configuration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
 import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;

 import javax.inject.Inject;
 import java.util.LinkedHashMap;

 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
     private static final Logger LOG = LoggerFactory.getLogger(AtlasSecurityConfig.class);

     private final AtlasAuthenticationProvider authenticationProvider;
     private final AtlasAuthenticationSuccessHandler successHandler;
     private final AtlasAuthenticationFailureHandler failureHandler;
     private final AtlasAuthorizationFilter atlasAuthorizationFilter;
     private final AtlasKnoxSSOAuthenticationFilter ssoAuthenticationFilter;
     private final AtlasAuthenticationFilter atlasAuthenticationFilter;
     private final AtlasCSRFPreventionFilter csrfPreventionFilter;
     private final AtlasAuthenticationEntryPoint atlasAuthenticationEntryPoint;

     // Our own Atlas filters need to be registered as well
     private final Configuration configuration;
     private final StaleTransactionCleanupFilter staleTransactionCleanupFilter;
     private final ActiveServerFilter activeServerFilter;

     @Inject
     public AtlasSecurityConfig(AtlasKnoxSSOAuthenticationFilter ssoAuthenticationFilter,
                                AtlasCSRFPreventionFilter atlasCSRFPreventionFilter,
                                AtlasAuthenticationFilter atlasAuthenticationFilter,
                                AtlasAuthenticationProvider authenticationProvider,
                                AtlasAuthenticationSuccessHandler successHandler,
                                AtlasAuthenticationFailureHandler failureHandler,
                                AtlasAuthorizationFilter atlasAuthorizationFilter,
                                AtlasAuthenticationEntryPoint atlasAuthenticationEntryPoint,
                                Configuration configuration,
                                StaleTransactionCleanupFilter staleTransactionCleanupFilter,
                                ActiveServerFilter activeServerFilter) {
         this.ssoAuthenticationFilter = ssoAuthenticationFilter;
         this.csrfPreventionFilter = atlasCSRFPreventionFilter;
         this.atlasAuthenticationFilter = atlasAuthenticationFilter;
         this.authenticationProvider = authenticationProvider;
         this.successHandler = successHandler;
         this.failureHandler = failureHandler;
         this.atlasAuthorizationFilter = atlasAuthorizationFilter;
         this.atlasAuthenticationEntryPoint = atlasAuthenticationEntryPoint;
         this.configuration = configuration;
         this.staleTransactionCleanupFilter = staleTransactionCleanupFilter;
         this.activeServerFilter = activeServerFilter;
     }

     public BasicAuthenticationEntryPoint getAuthenticationEntryPoint() {
         BasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new BasicAuthenticationEntryPoint();
         basicAuthenticationEntryPoint.setRealmName("atlas.com");
         return basicAuthenticationEntryPoint;
     }

     public DelegatingAuthenticationEntryPoint getDelegatingAuthenticationEntryPoint() {
         LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPointMap = new LinkedHashMap<>();
         entryPointMap.put(new RequestHeaderRequestMatcher("User-Agent", "Mozilla"), atlasAuthenticationEntryPoint);
         DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPointMap);
         entryPoint.setDefaultEntryPoint(getAuthenticationEntryPoint());
         return entryPoint;
     }

     @Inject
     protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
         authenticationManagerBuilder.authenticationProvider(authenticationProvider);
     }

     @Override
     public void configure(WebSecurity web) throws Exception {
         web.ignoring()
                 .antMatchers("/login.jsp",
                         "/css/**",
                         "/img/**",
                         "/libs/**",
                         "/js/**",
                         "/ieerror.html",
                         "/api/atlas/admin/status",
                         "/api/atlas/admin/metrics");
     }

     protected void configure(HttpSecurity httpSecurity) throws Exception {

         //@formatter:off
         httpSecurity
                 .authorizeRequests().anyRequest().authenticated()
                 .and()
                     .headers().disable()
                     .servletApi()
                 .and()
                     .csrf().disable()
                     .sessionManagement()
                     .enableSessionUrlRewriting(false)
                     .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
                     .sessionFixation()
                     .newSession()
                 .and()
                     .formLogin()
                         .loginPage("/login.jsp")
                         .loginProcessingUrl("/j_spring_security_check")
                         .successHandler(successHandler)
                         .failureHandler(failureHandler)
                         .usernameParameter("j_username")
                         .passwordParameter("j_password")
                 .and()
                     .logout()
                         .logoutSuccessUrl("/login.jsp")
                         .deleteCookies("ATLASSESSIONID")
                         .logoutUrl("/logout.html")
                 .and()
                     .httpBasic()
                     .authenticationEntryPoint(getDelegatingAuthenticationEntryPoint());
         //@formatter:on

         if (configuration.getBoolean("atlas.server.ha.enabled", false)) {
             LOG.info("Atlas is in HA Mode, enabling ActiveServerFilter");
             httpSecurity.addFilterAfter(activeServerFilter, BasicAuthenticationFilter.class);
         }
         httpSecurity
                 .addFilterAfter(staleTransactionCleanupFilter, BasicAuthenticationFilter.class)
                 .addFilterAfter(ssoAuthenticationFilter, BasicAuthenticationFilter.class)
                 .addFilterAfter(atlasAuthenticationFilter, SecurityContextHolderAwareRequestFilter.class)
                 .addFilterAfter(csrfPreventionFilter, AtlasAuthenticationFilter.class)
                 .addFilterAfter(atlasAuthorizationFilter, FilterSecurityInterceptor.class);
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	* <p>
	* http://www.apache.org/licenses/LICENSE-2.0
	* <p>
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.atlas.web.security;

	import org.apache.atlas.web.filters.ActiveServerFilter;
	import org.apache.atlas.web.filters.AtlasAuthenticationEntryPoint;
	import org.apache.atlas.web.filters.AtlasAuthenticationFilter;
	import org.apache.atlas.web.filters.AtlasAuthorizationFilter;
	import org.apache.atlas.web.filters.AtlasCSRFPreventionFilter;
	import org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter;
	import org.apache.atlas.web.filters.StaleTransactionCleanupFilter;
	import org.apache.commons.configuration.Configuration;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;
	import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
	import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
	import org.springframework.security.config.annotation.web.builders.HttpSecurity;
	import org.springframework.security.config.annotation.web.builders.WebSecurity;
	import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
	import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
	import org.springframework.security.config.http.SessionCreationPolicy;
	import org.springframework.security.web.AuthenticationEntryPoint;
	import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
	import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
	import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
	import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
	import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
	import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
	import org.springframework.security.web.util.matcher.RequestMatcher;

	import javax.inject.Inject;
	import java.util.LinkedHashMap;

	@EnableWebSecurity
	@EnableGlobalMethodSecurity(prePostEnabled = true)
	public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
	private static final Logger LOG = LoggerFactory.getLogger(AtlasSecurityConfig.class);

	private final AtlasAuthenticationProvider authenticationProvider;
	private final AtlasAuthenticationSuccessHandler successHandler;
	private final AtlasAuthenticationFailureHandler failureHandler;
	private final AtlasAuthorizationFilter atlasAuthorizationFilter;
	private final AtlasKnoxSSOAuthenticationFilter ssoAuthenticationFilter;
	private final AtlasAuthenticationFilter atlasAuthenticationFilter;
	private final AtlasCSRFPreventionFilter csrfPreventionFilter;
	private final AtlasAuthenticationEntryPoint atlasAuthenticationEntryPoint;

	// Our own Atlas filters need to be registered as well
	private final Configuration configuration;
	private final StaleTransactionCleanupFilter staleTransactionCleanupFilter;
	private final ActiveServerFilter activeServerFilter;

	@Inject
	public AtlasSecurityConfig(AtlasKnoxSSOAuthenticationFilter ssoAuthenticationFilter,
	AtlasCSRFPreventionFilter atlasCSRFPreventionFilter,
	AtlasAuthenticationFilter atlasAuthenticationFilter,
	AtlasAuthenticationProvider authenticationProvider,
	AtlasAuthenticationSuccessHandler successHandler,
	AtlasAuthenticationFailureHandler failureHandler,
	AtlasAuthorizationFilter atlasAuthorizationFilter,
	AtlasAuthenticationEntryPoint atlasAuthenticationEntryPoint,
	Configuration configuration,
	StaleTransactionCleanupFilter staleTransactionCleanupFilter,
	ActiveServerFilter activeServerFilter) {
	this.ssoAuthenticationFilter = ssoAuthenticationFilter;
	this.csrfPreventionFilter = atlasCSRFPreventionFilter;
	this.atlasAuthenticationFilter = atlasAuthenticationFilter;
	this.authenticationProvider = authenticationProvider;
	this.successHandler = successHandler;
	this.failureHandler = failureHandler;
	this.atlasAuthorizationFilter = atlasAuthorizationFilter;
	this.atlasAuthenticationEntryPoint = atlasAuthenticationEntryPoint;
	this.configuration = configuration;
	this.staleTransactionCleanupFilter = staleTransactionCleanupFilter;
	this.activeServerFilter = activeServerFilter;
	}

	public BasicAuthenticationEntryPoint getAuthenticationEntryPoint() {
	BasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new BasicAuthenticationEntryPoint();
	basicAuthenticationEntryPoint.setRealmName("atlas.com");
	return basicAuthenticationEntryPoint;
	}

	public DelegatingAuthenticationEntryPoint getDelegatingAuthenticationEntryPoint() {
	LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPointMap = new LinkedHashMap<>();
	entryPointMap.put(new RequestHeaderRequestMatcher("User-Agent", "Mozilla"), atlasAuthenticationEntryPoint);
	DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPointMap);
	entryPoint.setDefaultEntryPoint(getAuthenticationEntryPoint());
	return entryPoint;
	}

	@Inject
	protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
	authenticationManagerBuilder.authenticationProvider(authenticationProvider);
	}

	@Override
	public void configure(WebSecurity web) throws Exception {
	web.ignoring()
	.antMatchers("/login.jsp",
	"/css/**",
	"/img/**",
	"/libs/**",
	"/js/**",
	"/ieerror.html",
	"/api/atlas/admin/status",
	"/api/atlas/admin/metrics");
	}

	protected void configure(HttpSecurity httpSecurity) throws Exception {

	//@formatter:off
	httpSecurity
	.authorizeRequests().anyRequest().authenticated()
	.and()
	.headers().disable()
	.servletApi()
	.and()
	.csrf().disable()
	.sessionManagement()
	.enableSessionUrlRewriting(false)
	.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
	.sessionFixation()
	.newSession()
	.and()
	.formLogin()
	.loginPage("/login.jsp")
	.loginProcessingUrl("/j_spring_security_check")
	.successHandler(successHandler)
	.failureHandler(failureHandler)
	.usernameParameter("j_username")
	.passwordParameter("j_password")
	.and()
	.logout()
	.logoutSuccessUrl("/login.jsp")
	.deleteCookies("ATLASSESSIONID")
	.logoutUrl("/logout.html")
	.and()
	.httpBasic()
	.authenticationEntryPoint(getDelegatingAuthenticationEntryPoint());
	//@formatter:on

	if (configuration.getBoolean("atlas.server.ha.enabled", false)) {
	LOG.info("Atlas is in HA Mode, enabling ActiveServerFilter");
	httpSecurity.addFilterAfter(activeServerFilter, BasicAuthenticationFilter.class);
	}
	httpSecurity
	.addFilterAfter(staleTransactionCleanupFilter, BasicAuthenticationFilter.class)
	.addFilterAfter(ssoAuthenticationFilter, BasicAuthenticationFilter.class)
	.addFilterAfter(atlasAuthenticationFilter, SecurityContextHolderAwareRequestFilter.class)
	.addFilterAfter(csrfPreventionFilter, AtlasAuthenticationFilter.class)
	.addFilterAfter(atlasAuthorizationFilter, FilterSecurityInterceptor.class);
	}
	}