Skip to content
Snippets Groups Projects
Commit e16ee87b authored by Martin Weise's avatar Martin Weise
Browse files

still not working

Former-commit-id: 6a593b69
parent 43726963
Branches
Tags
1 merge request!42Fixed the query service tests
Showing
with 269 additions and 197 deletions
......@@ -6,7 +6,7 @@ target/
### Generated ###
ready
*.jks
*.pem
### STS ###
.apt_generated
......
......@@ -9,4 +9,4 @@ use TU Wien SSO
## Development
Context metadata for IdP: `http://localhost:9097/context/saml/metadata`
\ No newline at end of file
Context metadata for IdP: `http://localhost:9097/saml/metadata`
\ No newline at end of file
......@@ -33,19 +33,6 @@
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
<version>${spring-saml.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
......@@ -60,6 +47,16 @@
<artifactId>javax.ws.rs-api</artifactId>
<version>${javax-rs.version}</version>
</dependency>
<!-- SAML -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
<version>${spring-saml.version}</version>
</dependency>
<!-- Entity and API -->
<dependency>
<groupId>at.tuwien</groupId>
......@@ -74,6 +71,11 @@
<scope>compile</scope>
</dependency>
<!-- Testing -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
......
......@@ -5,11 +5,11 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
import org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration;
import org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import springfox.documentation.oas.annotations.EnableOpenApi;
@EnableWebMvc
@EnableOpenApi
@EnableWebSecurity
@SpringBootApplication(exclude = {DataSourceAutoConfiguration.class,
DataSourceTransactionManagerAutoConfiguration.class, HibernateJpaAutoConfiguration.class})
public class FdaAuthenticationServiceApplication {
......
package at.tuwien.endpoints;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import lombok.extern.log4j.Log4j2;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.util.Set;
/**
* https://www.baeldung.com/spring-security-saml
*/
@Log4j2
@RestController
@CrossOrigin(origins = "*")
@ControllerAdvice
@RequestMapping("/api/auth")
@RestController("/api/auth")
public class AuthenticationEndpoint {
private final MetadataManager metadataManager;
@Autowired
public AuthenticationEndpoint(MetadataManager metadataManager) {
this.metadataManager = metadataManager;
@RequestMapping("/")
public String index() {
return "index";
}
// @GetMapping
// @ApiOperation(value = "Check user authentication", notes = "Check if the user is authenticated")
// @ApiResponses({
// @ApiResponse(code = 202, message = "User is authenticated."),
// @ApiResponse(code = 401, message = "The user is not authenticated"),
// })
// public ResponseEntity<?> status() {
// final Authentication auth = SecurityContextHolder.getContext()
// .getAuthentication();
// if (auth.isAuthenticated()) {
// return ResponseEntity.status(HttpStatus.ACCEPTED)
// .build();
// }
// return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
// .build();
// }
//
@RequestMapping(value = "/discovery", method = RequestMethod.GET)
public String idpSelection(HttpServletRequest request) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth == null) {
log.debug("Current authentication instance from security context is null");
} else {
log.debug("Current authentication instance from security context: {}", this.getClass().getSimpleName());
}
if (auth == null || (auth instanceof AnonymousAuthenticationToken)) {
final Set<String> idps = metadataManager.getIDPEntityNames();
for (String idp : idps) {
log.debug("Configured Identity Provider for SSO: {}", idp);
}
return "pages/discovery";
} else {
log.warn("The current user is already logged.");
return "redirect:/landing";
}
@RequestMapping("/hello")
public String hello() {
return "hello";
}
}
\ No newline at end of file
......@@ -16,9 +16,6 @@ eureka:
fda:
ready.path: /ready
identity.provider:
discovery:
url: http://localhost:9097/context/saml/discovery
response: http://localhost:9097/context/saml/login
metadata: https://idp.zid.tuwien.ac.at/saml2
issuer:
cert: /okta.crt
......
......@@ -6,6 +6,7 @@ spring:
loadbalancer.ribbon.enabled: false
security:
saml2:
metadata: ./rest-service/src/main/resources/saml/metadata.xml
relyingparty:
registration:
okta-saml:
......@@ -15,7 +16,14 @@ spring:
- certificate-location: "classpath:x509/okta.crt"
singlesignon.url: https://dev-13953915.okta.com/app/dev-13953915_testtusaml_1/exk26nye6eBAomvJW5d7/sso/saml
singlesignon.sign-request: false
server.port: 9097
server:
port: 9097
ssl.enabled: true
ssl:
key-alias: dbrepo
key-store: classpath:saml/dbrepo.p12
key-store-password: dbrepo
key-store-type: pkcs12
logging:
pattern.console: "%d %highlight(%-5level) %msg%n"
level:
......@@ -26,13 +34,3 @@ eureka:
client.serviceUrl.defaultZone: http://localhost:9090/eureka/
fda:
ready.path: ./ready
\ No newline at end of file
identity.provider:
metadata: ./rest-service/src/main/resources/idp_metadata.xml
discovery:
url: http://localhost:9097/context/saml/discovery
response: http://localhost:9097/context/saml/login
saml:
keystore:
location: ./dbrepo.jks
alias: dbrepo
password: dbrepo
\ No newline at end of file
File added
File added
......@@ -34,4 +34,24 @@
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://dev-13953915.okta.com/app/dev-13953915_testtusaml_1/exk26nye6eBAomvJW5d7/sso/saml"/>
</md:IDPSSODescriptor>
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://dbrepo.ossdip.at/api/auth"
index="1" />
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en-US">Technische Universität Wien</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en-US">TU Wien</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en-US">https://tuwien.ac.at</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>Martin Weise</md:GivenName>
<md:EmailAddress>martin.weise@tuwien.ac.at</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support">
<md:GivenName>Andreas Rauber</md:GivenName>
<md:EmailAddress>andreas.rauber@tuwien.ac.at</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://www.okta.com/exk26nye6eBAomvJW5d7"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAXxuFWkiMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi0xMzk1MzkxNTEcMBoGCSqGSIb3DQEJ
ARYNaW5mb0Bva3RhLmNvbTAeFw0yMTEwMTEwNjQwMDlaFw0zMTEwMTEwNjQxMDlaMIGUMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG
A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi0xMzk1MzkxNTEc
MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAIZny5u9B0ooc5OigsxXv9MisZZzvXdoiIUtkF3Lvd2wEsdEcl8JPeZ0Id9xskaxkVhvvVeW
W+R0yADi4mmDkqrKfOkSKqBSFlaHAlH1OZyfWLTLmMwxTuVNCu200ok33p/iyJ5dff914YEuQRVw
1u+t9UVwtSrNoDaJG8vxh1JsZ1zXceGRENvD/NdzV/PherPNmKnnr2r10uKTDrc03NJt22AOGxY0
s0NDHU2hqm8xNiGnztZxlcrjTKtUljOQnAsaqY+AugH1Ov40VABotgg+r69uz+lYpbDiDtpZbPfK
gwCcQwWeX0VaYDeK+ESXxo55eM8qxeMbC6CrKIALLw0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
WgUI3wswTBZa7zkF90KTnlb7+qnks4rdV8c6Guxpj5TIqsAZjDYv573Dqqpsp5QJBSfUwO1iRdXf
ueO6r8haLY2ukk5vjZd31GboH+e+py6nVATUZ5xL2JxMhDgG8Hh9Gg/rl04O4Uk12f9YJF1k5Qko
ZQ3Kaxf/5nKw3mJL4wzmJz3ezeEn4M5VyC6BfhIcIC+asScsEgjRNQQ/SrgG7ywl0C3i+P41Nw9x
cWXQ6pepnLVR9q1aaLv2cyZ7RiN0JyKxruWdZPAluPODEp65TpfKbfCBXM00Bikm4MW76rXH2sjI
uUmMDfGSFmR+urDPJdc8kL26X0kwUrbEXXsT3g==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://dev-13953915.okta.com/app/dev-13953915_testtusaml_1/exk26nye6eBAomvJW5d7/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://dev-13953915.okta.com/app/dev-13953915_testtusaml_1/exk26nye6eBAomvJW5d7/sso/saml"/>
</md:IDPSSODescriptor>
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://localhost:9097/api/auth"
index="1" />
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en-US">Technische Universität Wien</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en-US">TU Wien</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en-US">https://tuwien.ac.at</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>Martin Weise</md:GivenName>
<md:EmailAddress>martin.weise@tuwien.ac.at</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support">
<md:GivenName>Andreas Rauber</md:GivenName>
<md:EmailAddress>andreas.rauber@tuwien.ac.at</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
\ No newline at end of file
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2021-10-13T10:33:48Z"
validUntil="2021-10-13T15:46:10Z"
cacheDuration="PT604800S"
entityID="at:tuwien:dbrepo:auth">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://localhost:9097/api/auth"
Location="https://dbrepo.ossdip.at/api/auth"
index="1" />
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en-US">Technische Universität Wien</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en-US">TU Wien</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en-US">https://tuwien.ac.at</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>Martin Weise</md:GivenName>
<md:EmailAddress>martin.weise@tuwien.ac.at</md:EmailAddress>
......
-----BEGIN CERTIFICATE-----
MIIFITCCBAmgAwIBAgISBEh169kOMeYh+SgBdP8KFL2fMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEwMTIwNzA4NTVaFw0yMjAxMTAwNzA4NTRaMBgxFjAUBgNVBAMT
DWRldi5vc3NkaXAuYXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm
vl9NZd4qV53j8U1irMwR0RXR2tl0i3FqXUxGYUHabIADLciAzl83vFnPMmJFeubn
DBGfkP2Z7Q+96fgwuxhXVVovT4uCwNcUGW66LzwemYJKnauy6muPooyllLO/mHAe
hhtdber7H9dwj8gdTjIDGRgw/owElsMGYOt1XxXRpnmh6QzvprT38Lt7OTfRlvlz
//p0PoYzfeI295fSGuIAl2rVAOQJq/n/Nl3dbTQ4KdLn0raf5am1ah+S904br34J
FyDfziswLGNRQ4SuYxFUXmfyV8TsxmJeRRfBa6JFofbAsuvzJ/TcJDiaLcsWjbWz
KQTz8tWhTA1U5McU0sLTAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
BBYEFIDkQgQxxpq9cTecpFYY97S7ClRyMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz
Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv
MBgGA1UdEQQRMA+CDWRldi5vc3NkaXAuYXQwTAYDVR0gBEUwQzAIBgZngQwBAgEw
NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j
cnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdgBByMqx3yJGShDGoToJ
QodeTjGLGwPr60vHaPCQYpYG9gAAAXxzjB5xAAAEAwBHMEUCIQCYOtWFJnGtJ2kC
E+De2h/eWKrQPf6guJq/tCWz3XdCPQIgdPKdERwSqECytmCG2jPXLMSxL+LrIPtY
Zl/cZSePFzkAdwBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXxz
jCKvAAAEAwBIMEYCIQCb1vdGOZx4MU72UABM5WOdUNKLZyuqmRYY8MWCiEnuMgIh
AL1Q3SAtogxxJh61qIk9/9R+0n1xQ+xxPkq81uid+l8cMA0GCSqGSIb3DQEBCwUA
A4IBAQADxwr9oAA5hCyqqzcmqgk0fk6wv3r/hzki+mZ/CjiIN9HdcOP5rP+B29Xu
WvN+8j/nIOuwGg1vI/vQn3XUg/ICsaVDTqnN6FiK6+08Vp1A90j0hhExFMWWNIbA
OIE/KYHnqpu0jFBKRA7XhRAXCyl1JGbfhxdHJHt2oZ9RKB85b9NogUB4II9A2rE2
BUyS4fpUAFWJOWrkvc6uV2gWfMfr85L6rnpBl6xBuEr/9zOK87jjiqyq86MBTvPu
6Pyd0m0OA9fiP/8XzrdOtmUX0yXxCpUzT7VzW/85oFU8HG1dbfu0QqGmYgYKEgwe
r8US8fgeAoSkCQJmQC6z8/PRtkI0
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
\ No newline at end of file
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCmvl9NZd4qV53j
8U1irMwR0RXR2tl0i3FqXUxGYUHabIADLciAzl83vFnPMmJFeubnDBGfkP2Z7Q+9
6fgwuxhXVVovT4uCwNcUGW66LzwemYJKnauy6muPooyllLO/mHAehhtdber7H9dw
j8gdTjIDGRgw/owElsMGYOt1XxXRpnmh6QzvprT38Lt7OTfRlvlz//p0PoYzfeI2
95fSGuIAl2rVAOQJq/n/Nl3dbTQ4KdLn0raf5am1ah+S904br34JFyDfziswLGNR
Q4SuYxFUXmfyV8TsxmJeRRfBa6JFofbAsuvzJ/TcJDiaLcsWjbWzKQTz8tWhTA1U
5McU0sLTAgMBAAECggEALFYeXSQjCLs3Xm7BFuW/dVVVKfG5NIYHaDLanzQpIH0N
JMs9rxIwu083yiIpgzQExZat8PHKnO0t7F+UANEezcoCKuZJwECqb8u7Z4I7yB8l
R9XY27/9Tbn5D+YUTXOpDFS4XgVmH9P9ow54NWKfZbd8eTqV3HqB7OZEdXcNBCuD
1RPpEB+UJx+7HMfqRfyjSF0fKOEPjq2aBw3DfYuwiU2O/L9n5KftU05AQA8FTGe+
gOnnGjEIPvwykspB8pgKri9TB3RAs22mrho1L7j3ThEBa+sauvUWsKG72WjHjzKJ
07WGa28uW2qhXxGZD5aAbOmLHHV2d9F81OpeRnM7kQKBgQDZO9cBdO2lvGVsnAVi
O0G1gSficX/jFUEKb15EzvyEuEElCFcIOWZgvmn+9Zr4TAJLzgSUgGTlREvLM4Zf
mh2RR2fXRMbmPiI+37+E/841Aa5b/pfJj4kolz2Y3FmlrztPTlPkx8kFckdW4HSH
WHM3VlIfWSWdGQye8EuPC5+mXQKBgQDEf+4M8q16q4SxnX2Yci46cZbnS98n7QG/
HnuVElmnodxV7OOc773x7/nyoW8j3hhD9GWQkPjQMbT5c8pMix5+/AG2vvjtzhJW
klnYz7iw2k6+OY1oMSPu+f/wBpXOhJCniAFjPJCXwpSA+h0KuaxfOhxxOZl++E8c
gEmbc1Ua7wKBgQChBt6F0esnY9O7ApxrCInYxXiPPpsR9XtVBODYGKbOqtZ/YQNC
sWnWZM+lkuHhFFbPYlO60MH5wPp+Eh+VVmR8gHXU+MKHgZ9ZA/qv1/8/A5P/1WUm
oCOH1zRtz0kUrCRG0UUW3ZGBXAjNuWwnt8UQTAhr/GUJYrwcRPt9eZxKcQKBgQDE
P3RTUCd8RULQVRczoo2S5xEsTbVA3c8Jvnr0hhAugFRbKKymdzXAJMj/zsT+EHkx
nSu2d2NYIty46jDXw3WgozVe+1oHvvDHr4C2LbcqQc205CvbLIDT0rEPWrRRPkpu
V0Hzh3BtcPL54VIR/SAvNw1i84Des0XnlCRvcX9E1wKBgQC8DgYnsMEGFpVBp1xT
0ER0XSq5njl6vAoUCkw3jN+dkWxYjI9sWQtP5pyrE0kWDG8h9/mbRG5rTFK7PzK6
Vilqp7hws3NuKec3uRBtoeZI2wIBVfBihTLM7AhUROsrbf2ocP1jfEvl7yd49UYI
i/dStaqfpozr864eytU8Pzct3g==
-----END PRIVATE KEY-----
\ No newline at end of file
package at.tuwien.config;
import at.tuwien.service.UserService;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.saml2.metadata.provider.*;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
......@@ -48,42 +48,26 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import java.io.File;
import java.util.*;
/**
*
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SamlConfig extends WebSecurityConfigurerAdapter implements InitializingBean, DisposableBean {
private final UserService userService;
private Timer backgroundTaskTimer;
private MultiThreadedHttpConnectionManager multiThreadedHttpConnectionManager;
@Autowired
public SamlConfig(UserService userService) {
this.userService = userService;
}
@Value("${spring.security.saml2.metadata}")
private String serviceMetadataPath;
@Value("${fda.saml.keystore.location}")
@Value("${server.ssl.key-store}")
private String samlKeystoreLocation;
@Value("${fda.saml.keystore.alias}")
@Value("${server.ssl.key-alias}")
private String samlKeystoreAlias;
@Value("${fda.saml.keystore.password}")
@Value("${server.ssl.key-store-password}")
private String samlKeystorePassword;
@Value("${fda.identity.provider.metadata}")
private String identityProviderMetadataPath;
@Value("${fda.identity.provider.discovery.url}")
private String identityProviderDiscoveryUrl;
@Value("${fda.identity.provider.discovery.response}")
private String identityProviderDiscoveryResponseUrl;
/* The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there */
@Bean
public MetadataDisplayFilter metadataDisplayFilter() {
......@@ -121,7 +105,7 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
/* Processing filter for WebSSO profile messages */
@Bean
public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
final SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
......@@ -151,8 +135,7 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
return logoutHandler;
}
/* Filter processing incoming logout messages. First argument determines URL user will be redirected to after
successful global logout */
/* Filter processing incoming logout messages */
@Bean
public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
return new SAMLLogoutProcessingFilter(successLogoutHandler(),
......@@ -217,39 +200,24 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
return new SAMLProcessorImpl(bindings);
}
/**
* Define the security filter chain in order to support SSO Auth by using SAML 2.0
*
* @return Filter chain proxy
* @throws Exception
*/
/* Define the security filter chain in order to support SSO Auth by using SAML 2.0 */
@Bean
public FilterChainProxy samlFilter() throws Exception {
List<SecurityFilterChain> chains = new ArrayList<>();
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/login/**"),
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
samlWebSSOProcessingFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
samlDiscovery()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
samlEntryPoint()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/logout/**"),
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
samlLogoutFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/metadata/**"),
metadataDisplayFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/SSO/**"),
samlWebSSOProcessingFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/SSOHoK/**"),
samlWebSSOHoKProcessingFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/SingleLogout/**"),
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
samlLogoutProcessingFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/discovery/**"),
samlDiscovery()));
return new FilterChainProxy(chains);
}
/**
* Returns the authentication manager currently used by Spring.
* It represents a bean definition with the aim allow wiring from
* other classes performing the Inversion of Control (IoC).
*
* @throws Exception
*/
/* Returns the authentication manager currently used by Spring. */
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
......@@ -258,9 +226,6 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
/**
* Defines the web based security configuration.
*
* @param http It allows configuring web based security for specific http requests.
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
......@@ -282,9 +247,6 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
/**
* Sets a custom authentication provider.
*
* @param auth SecurityBuilder used to create an AuthenticationManager.
* @throws Exception
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
......@@ -326,7 +288,7 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
@Qualifier("idp-ssocircle")
public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider() throws MetadataProviderException {
final FilesystemMetadataProvider filesystemMetadataProvider = new FilesystemMetadataProvider(
new File(identityProviderMetadataPath));
new File(serviceMetadataPath));
filesystemMetadataProvider.setParserPool(parserPool());
final ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(filesystemMetadataProvider,
extendedMetadata());
......@@ -338,10 +300,8 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
/* IDP Discovery Service */
@Bean
public SAMLDiscovery samlDiscovery() {
SAMLDiscovery idpDiscovery = new SAMLDiscovery();
idpDiscovery.setIdpSelectionPath("/api/auth/discovery");
return idpDiscovery;
public SAMLDiscovery samlDiscovery() throws MetadataProviderException {
return new SAMLDiscovery();
}
/* Setup advanced info about metadata */
......@@ -350,8 +310,6 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
ExtendedMetadata extendedMetadata = new ExtendedMetadata();
extendedMetadata.setLocal(true);
extendedMetadata.setIdpDiscoveryEnabled(true);
extendedMetadata.setIdpDiscoveryURL(identityProviderDiscoveryUrl);
extendedMetadata.setIdpDiscoveryResponseURL(identityProviderDiscoveryResponseUrl);
extendedMetadata.setSignMetadata(true);
extendedMetadata.setEcpEnabled(true);
return extendedMetadata;
......@@ -360,23 +318,23 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
/* Entry point to initialize authentication, default values taken from properties file */
@Bean
public SAMLEntryPoint samlEntryPoint() {
SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
final SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
return samlEntryPoint;
}
@Bean
public WebSSOProfileOptions defaultWebSSOProfileOptions() {
WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
final WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
webSSOProfileOptions.setIncludeScoping(false);
return webSSOProfileOptions;
}
@Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader.getResource(samlKeystoreLocation);
Map<String, String> passwords = new HashMap<>();
final DefaultResourceLoader loader = new DefaultResourceLoader();
final Resource storeFile = loader.getResource(samlKeystoreLocation);
final Map<String, String> passwords = new HashMap<>();
passwords.put(samlKeystoreAlias, samlKeystorePassword);
return new JKSKeyManager(storeFile, samlKeystorePassword, passwords, samlKeystoreAlias);
}
......@@ -429,8 +387,8 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
/* SAML Authentication Provider responsible for validating of received SAML messages */
@Bean
public SAMLAuthenticationProvider samlAuthenticationProvider() {
SAMLAuthenticationProvider samlAuthenticationProvider = new SAMLAuthenticationProvider();
samlAuthenticationProvider.setUserDetails(userService);
final SAMLAuthenticationProvider samlAuthenticationProvider = new SAMLAuthenticationProvider();
// samlAuthenticationProvider.setUserDetails(userService);
samlAuthenticationProvider.setForcePrincipalAsString(false);
return samlAuthenticationProvider;
}
......
package at.tuwien.service;
import lombok.extern.log4j.Log4j2;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.List;
@Log4j2
@Service
public class UserService implements SAMLUserDetailsService {
@Override
public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
final String userID = credential.getNameID().getValue();
log.debug("Logged in user {}", userID);
List<GrantedAuthority> authorities = new ArrayList<>();
GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_USER");
authorities.add(authority);
return new User(userID, "<abc123>", true, true, true, true, authorities);
}
}
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment