diff --git a/fda-authentication-service/rest-service/src/main/java/at/tuwien/config/SamlConfig.java b/fda-authentication-service/rest-service/src/main/java/at/tuwien/config/SamlConfig.java
index c63acc6812b876eff7d10459adccd567b555b9e5..06910b2d0a4c50bb2a7f386180d2c06222e49295 100644
--- a/fda-authentication-service/rest-service/src/main/java/at/tuwien/config/SamlConfig.java
+++ b/fda-authentication-service/rest-service/src/main/java/at/tuwien/config/SamlConfig.java
@@ -14,6 +14,7 @@ import org.springframework.core.io.DefaultResourceLoader;
 import org.springframework.core.io.Resource;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.saml.*;
@@ -33,7 +34,10 @@ import org.springframework.security.saml.processor.SAMLProcessorImpl;
 import org.springframework.security.saml.util.VelocityFactory;
 import org.springframework.security.saml.websso.*;
 import org.springframework.security.web.*;
+import org.springframework.security.web.access.channel.ChannelProcessingFilter;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import java.util.*;
@@ -133,6 +137,9 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
 @Bean
 public SAMLEntryPoint samlEntryPoint() {
 final SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
+ samlEntryPoint.setSamlLogger(samlLogger());
+ samlEntryPoint.setContextProvider(samlContextProvider());
+ samlEntryPoint.setWebSSOprofile(webSSOprofile());
 samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
 return samlEntryPoint;
 }
@@ -220,11 +227,44 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
 return new SAMLProcessorImpl(bindings);
 }
+ @Bean
+ public FilterChainProxy samlFilter() throws Exception {
+ final List<SecurityFilterChain> chains = new ArrayList<>();
+ chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
+ samlEntryPoint()));
+ chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
+ metadataDisplayFilter()));
+ chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
+ samlWebSSOProcessingFilter()));
+ chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
+ samlIDPDiscovery()));
+ return new FilterChainProxy(chains);
+ }
+
 @Bean
 public SAMLLogger samlLogger() {
 return new SAMLDefaultLogger();
 }
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.requiresChannel()
+ .anyRequest()
+ .requiresSecure();
+ http.httpBasic()
+ .authenticationEntryPoint(samlEntryPoint());
+ http.csrf()
+ .disable();
+ http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
+ .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
+ /* allow metadata and saml stuff */
+ http.authorizeRequests()
+ .antMatchers("/saml/**").permitAll()
+ .antMatchers("/health").permitAll()
+ .antMatchers("/error").permitAll()
+ .anyRequest().authenticated();
+ }
+
 @Bean
 public MetadataProvider metadataProvider() throws MetadataProviderException {
 final HTTPMetadataProvider provider = new HTTPMetadataProvider(timer(), httpClient(), idpProviderMetadata);
diff --git a/fda-authentication-service/rest-service/src/main/resources/securityContext.xml b/fda-authentication-service/rest-service/src/main/resources/securityContext.xml
deleted file mode 100644
index 0232b163178846c74cce40c68b70bb73a3346a65..0000000000000000000000000000000000000000
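Review bot: `http.csrf().disable()` in configure() switches CSRF protection off for every endpoint, although only the IdP-initiated POST to the SAML endpoints needs the exemption; scoping it with `http.csrf().ignoringAntMatchers("/saml/**");` keeps the token check on the routes that end in `.anyRequest().authenticated()`. The `httpBasic()` call does more than attach an entry point: it activates BasicAuthenticationFilter for all requests, so a request carrying an `Authorization: Basic` header is authenticated through whatever providers the AuthenticationManager holds (configured outside this hunk); if Basic credentials are not meant to be accepted here, `http.exceptionHandling().authenticationEntryPoint(samlEntryPoint());` expresses the redirect-to-IdP intent without enabling that filter. samlFilter() is both a `@Bean` of type FilterChainProxy and added to the security chain via addFilterAfter(); if this service runs under Spring Boot, which registers every Filter bean with the servlet container, the SAML filters would presumably execute twice per request — worth confirming, and a FilterRegistrationBean for samlFilter() with setEnabled(false) is the usual way to suppress the automatic registration. The comment `/* allow metadata and saml stuff */` would read better as `/* SAML endpoints are protected by the filters in samlFilter(), not by URL authorization */`.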
--- a/fda-authentication-service/rest-service/src/main/resources/securityContext.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:security="http://www.springframework.org/schema/security"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:context="http://www.springframework.org/schema/context"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
-
- <!-- Enable auto-wiring -->
- <context:annotation-config/>
- <context:component-scan base-package="org.springframework.security.saml"/>
- <context:component-scan base-package="at.tuwien.config"/>
-
- <!-- Unsecured pages -->
- <security:http security="none" pattern="/saml/web/**"/>
- <security:http security="none" pattern="/logout.jsp"/>
- <security:http security="none" pattern="/favicon.ico"/>
-
- <!-- Secured pages -->
- <security:http entry-point-ref="samlEntryPoint">
- <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
- <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
- <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
- </security:http>
-
-</beans>
\ No newline at end of file