Use xml

fda-authentication-service/rest-service/src/main/java/at/tuwien/config/SamlConfig.java

@@ -14,11 +14,11 @@ import org.springframework.core.io.DefaultResourceLoader;
 import org.springframework.core.io.Resource;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.saml.*;
 import org.springframework.security.saml.context.SAMLContextProvider;
+import org.springframework.security.saml.context.SAMLContextProviderImpl;
 import org.springframework.security.saml.context.SAMLContextProviderLB;
 import org.springframework.security.saml.key.JKSKeyManager;
 import org.springframework.security.saml.key.KeyManager;
@@ -33,10 +33,7 @@ import org.springframework.security.saml.processor.SAMLProcessorImpl;
 import org.springframework.security.saml.util.VelocityFactory;
 import org.springframework.security.saml.websso.*;
 import org.springframework.security.web.*;
-import org.springframework.security.web.access.channel.ChannelProcessingFilter;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import java.util.*;
 
@@ -140,6 +137,11 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
         return samlEntryPoint;
     }
 
+    @Bean
+    public SAMLContextProvider samlContextProvider() {
+        return new SAMLContextProviderImpl();
+    }
+
     @Bean
     public ExtendedMetadata extendedMetadata() {
         final ExtendedMetadata extendedMetadata = new ExtendedMetadata();
@@ -218,43 +220,11 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
         return new SAMLProcessorImpl(bindings);
     }
 
-    @Bean
-    public FilterChainProxy samlFilter() throws Exception {
-        final List<SecurityFilterChain> chains = new ArrayList<>();
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
-                samlEntryPoint()));
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
-                metadataDisplayFilter()));
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
-                samlWebSSOProcessingFilter()));
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
-                samlIDPDiscovery()));
-        return new FilterChainProxy(chains);
-    }
-
     @Bean
     public SAMLLogger samlLogger() {
         return new SAMLDefaultLogger();
     }
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        http.requiresChannel()
-                .anyRequest().requiresSecure();
-        http.httpBasic()
-                .authenticationEntryPoint(samlEntryPoint());
-        http.csrf()
-                .disable();
-        http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
-                .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
-        /* allow metadata and saml stuff */
-        http.authorizeRequests()
-                .antMatchers("/saml/**").permitAll()
-                .antMatchers("/health").permitAll()
-                .antMatchers("/error").permitAll()
-                .anyRequest().authenticated();
-    }
-
     @Bean
     public MetadataProvider metadataProvider() throws MetadataProviderException {
         final HTTPMetadataProvider provider = new HTTPMetadataProvider(timer(), httpClient(), idpProviderMetadata);

fda-authentication-service/rest-service/src/main/resources/application-sandbox.yml

@@ -15,17 +15,6 @@ spring:
     name: fda-authentication-service
   cloud:
     loadbalancer.ribbon.enabled: false
-#  security:
-#    saml2:
-#      relyingparty:
-#        registration:
-#          tu-saml:
-#            identityprovider:
-#              entity-id: at:tuwien
-#              verification.credentials:
-#                - certificate-location: classpath:ssl/tu.cer
-#              singlesignon.url: https://idp.zid.tuwien.ac.at/simplesaml/saml2/idp/SSOService.php
-#              singlesignon.sign-request: true
 server:
   port: 9097
   ssl:

fda-authentication-service/rest-service/src/main/resources/securityContext.xml

+<?xml version="1.0" encoding="UTF-8" ?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:security="http://www.springframework.org/schema/security"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
+
+    <!-- Enable auto-wiring -->
+    <context:annotation-config/>
+    <context:component-scan base-package="org.springframework.security.saml"/>
+    <context:component-scan base-package="at.tuwien.config"/>
+
+    <!-- Unsecured pages -->
+    <security:http security="none" pattern="/saml/web/**"/>
+    <security:http security="none" pattern="/logout.jsp"/>
+    <security:http security="none" pattern="/favicon.ico"/>
+
+    <!-- Secured pages -->
+    <security:http entry-point-ref="samlEntryPoint">
+        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
+        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
+        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
+    </security:http>
+
+</beans>
\ No newline at end of file