OPHYK-302 add a separate security filter chain for Oauth2 authenticat…

…ion that does not create a session and enable resource server in all environments
Opetushallitus · Nov 19, 2024 · dbaa079 · dbaa079
1 parent e0c260b
commit dbaa079
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 18 deletions.
diff --git a/...-service/src/main/java/fi/vm/sade/kayttooikeus/config/security/SecurityConfigDefault.java b/...-service/src/main/java/fi/vm/sade/kayttooikeus/config/security/SecurityConfigDefault.java
@@ -3,6 +3,7 @@
 import fi.vm.sade.java_utils.security.OpintopolkuCasAuthenticationFilter;
 import fi.vm.sade.kayttooikeus.config.properties.CasProperties;
 import fi.vm.sade.properties.OphProperties;
+import jakarta.servlet.http.HttpServletRequest;
 
 import java.util.List;
 import java.util.Map;
@@ -12,7 +13,6 @@
 import org.apereo.cas.client.session.SingleSignOutFilter;
 import org.apereo.cas.client.validation.Cas30ProxyTicketValidator;
 import org.apereo.cas.client.validation.TicketValidator;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
@@ -26,6 +26,7 @@
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
@@ -36,6 +37,7 @@
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 
 @Configuration
 @EnableMethodSecurity(jsr250Enabled = false, prePostEnabled = true, securedEnabled = true)
@@ -47,9 +49,6 @@ public class SecurityConfigDefault {
 
     public static final String SPRING_CAS_SECURITY_CHECK_PATH = "/j_spring_cas_security_check";
 
-    @Value("${kayttooikeus.oauth2.enabled:false}")
-    private boolean oauth2Enabled;
-
     public SecurityConfigDefault(CasProperties casProperties, OphProperties ophProperties,
                                  SessionMappingStorage sessionMappingStorage) {
         this.casProperties = casProperties;
@@ -169,16 +168,61 @@ private List<GrantedAuthority> extractRoles(Jwt jwt) {
         };
     }
 
+    private boolean isOauth2Request(HttpServletRequest request) {
+        return request.getHeader("Authorization") != null
+            && request.getHeader("Authorization").startsWith("Bearer ");
+    }
+
     @Bean
     @Order(4)
-    SecurityFilterChain restApiFilterChain(HttpSecurity http, CasAuthenticationFilter casAuthenticationFilter,
+    SecurityFilterChain oauth2RestApiFilterChain(HttpSecurity http) throws Exception {
+        return http
+            .headers(headers -> headers.disable())
+            .csrf(csrf -> csrf.disable())
+            .securityMatcher(new RequestMatcher() {
+                @Override
+                public boolean matches(HttpServletRequest request) {
+                    return isOauth2Request(request);
+                }
+            })
+            .authorizeHttpRequests(authz -> authz
+                    .requestMatchers("/buildversion.txt").permitAll()
+                    .requestMatchers("/actuator/health").permitAll()
+                    .requestMatchers("/kutsu/token/*").permitAll()
+                    .requestMatchers("/cas/uudelleenrekisterointi").permitAll()
+                    .requestMatchers("/cas/henkilo/loginToken/*").permitAll()
+                    .requestMatchers("/cas/emailverification/*").permitAll()
+                    .requestMatchers("/cas/emailverification/loginTokenValidation/*").permitAll()
+                    .requestMatchers("/cas/emailverification/redirectByLoginToken/*").permitAll()
+                    .requestMatchers("/cas/salasananvaihto").permitAll()
+                    .requestMatchers("/cas/loginparams").permitAll()
+                    .requestMatchers("/cas/tunnistus").permitAll()
+                    .requestMatchers("/userDetails", "/userDetails/*").permitAll()
+                    .requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()
+                    .requestMatchers("/oauth2", "/oauth2/*", "/oauth2/**").permitAll()
+                    .requestMatchers("/.well-known/**").permitAll()
+                    .requestMatchers("/error").permitAll()
+                    .anyRequest().authenticated())
+            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(oauth2JwtConverter())))
+            .build();
+    }
+
+    @Bean
+    @Order(5)
+    SecurityFilterChain casRestApiFilterChain(HttpSecurity http, CasAuthenticationFilter casAuthenticationFilter,
             AuthenticationEntryPoint authenticationEntryPoint, SecurityContextRepository securityContextRepository) throws Exception {
         HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
         requestCache.setMatchingRequestParameterName(null);
         http
             .headers(headers -> headers.disable())
             .csrf(csrf -> csrf.disable())
-            .securityMatcher("/**")
+            .securityMatcher(new RequestMatcher() {
+                @Override
+                public boolean matches(HttpServletRequest request) {
+                    return !isOauth2Request(request);
+                }
+            })
             .authorizeHttpRequests(authz -> authz
                     .requestMatchers("/buildversion.txt").permitAll()
                     .requestMatchers("/actuator/health").permitAll()
@@ -192,8 +236,7 @@ SecurityFilterChain restApiFilterChain(HttpSecurity http, CasAuthenticationFilte
                     .requestMatchers("/cas/loginparams").permitAll()
                     .requestMatchers("/cas/tunnistus").permitAll()
                     .requestMatchers("/userDetails", "/userDetails/*").permitAll()
-                    .requestMatchers("/swagger-ui.html", "/swagger-ui/", "/swagger-ui/**", "/swagger-resources/**").permitAll()
-                    .requestMatchers("/v3/api-docs/**", "/v3/api-docs.yaml").permitAll()
+                    .requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()
                     .requestMatchers("/oauth2", "/oauth2/*", "/oauth2/**").permitAll()
                     .requestMatchers("/.well-known/**").permitAll()
                     .requestMatchers("/error").permitAll()
@@ -205,11 +248,6 @@ SecurityFilterChain restApiFilterChain(HttpSecurity http, CasAuthenticationFilte
                     .securityContextRepository(securityContextRepository))
             .requestCache(cache -> cache.requestCache(requestCache))
             .exceptionHandling(handling -> handling.authenticationEntryPoint(authenticationEntryPoint));
-
-        if (oauth2Enabled) {
-            http.oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(oauth2JwtConverter())));
-        }
-
         return http.build();
     }
 }
diff --git a/kayttooikeus-service/src/main/resources/application.yml b/kayttooikeus-service/src/main/resources/application.yml
@@ -89,7 +89,6 @@ kayttooikeus:
       lampi-bucket-name: none
       lampi-role-arn: none
       lampi-external-id: none
-kayttooikeus.oauth2.enabled: false
 kayttooikeus.kutsu.allowlist-oids: 1.2.3.4.6
 
 auth:

diff --git a/kayttooikeus-service/src/main/resources/config/dev.yml b/kayttooikeus-service/src/main/resources/config/dev.yml
@@ -38,7 +38,6 @@ kayttooikeus.uses-ssl-proxy: true
 kayttooikeus.disable-same-site-cookie: true
 kayttooikeus.scheduling.enabled: true
 kayttooikeus.kutsu.allowlist-oids: ${ssm_kayttooikeus_kutsu_allowlist}
-kayttooikeus.oauth2.enabled: true
 kayttooikeus.oauth2.publickey: ${ssm_kayttooikeus_oauth2_publickey}
 kayttooikeus.oauth2.privatekey: ${ssm_kayttooikeus_oauth2_privatekey}
 

diff --git a/kayttooikeus-service/src/main/resources/config/hahtuva.yml b/kayttooikeus-service/src/main/resources/config/hahtuva.yml
@@ -38,7 +38,6 @@ kayttooikeus.uses-ssl-proxy: true
 kayttooikeus.disable-same-site-cookie: true
 kayttooikeus.scheduling.enabled: true
 kayttooikeus.kutsu.allowlist-oids: ${ssm_kayttooikeus_kutsu_allowlist}
-kayttooikeus.oauth2.enabled: true
 kayttooikeus.oauth2.publickey: ${ssm_kayttooikeus_oauth2_publickey}
 kayttooikeus.oauth2.privatekey: ${ssm_kayttooikeus_oauth2_privatekey}
 

diff --git a/kayttooikeus-service/src/main/resources/config/local.yml b/kayttooikeus-service/src/main/resources/config/local.yml
@@ -1,5 +1,4 @@
 server.port: 8101
 
-kayttooikeus.oauth2.enabled: true
 kayttooikeus.oauth2.publickey: classpath:public_key.pem
 kayttooikeus.oauth2.privatekey: classpath:private_key.pem
diff --git a/kayttooikeus-service/src/main/resources/config/qa.yml b/kayttooikeus-service/src/main/resources/config/qa.yml
@@ -38,7 +38,6 @@ kayttooikeus.uses-ssl-proxy: true
 kayttooikeus.disable-same-site-cookie: false
 kayttooikeus.scheduling.enabled: true
 kayttooikeus.kutsu.allowlist-oids: ${ssm_kayttooikeus_kutsu_allowlist}
-kayttooikeus.oauth2.enabled: true
 kayttooikeus.oauth2.publickey: ${ssm_kayttooikeus_oauth2_publickey}
 kayttooikeus.oauth2.privatekey: ${ssm_kayttooikeus_oauth2_privatekey}