Samlconfig

Former-commit-id: 13cb1df2

fda-authentication-service/rest-service/src/main/java/at/tuwien/config/SamlConfig.java

@@ -14,6 +14,7 @@ import org.springframework.core.io.DefaultResourceLoader;
 import org.springframework.core.io.Resource;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.saml.*;
@@ -33,7 +34,10 @@ import org.springframework.security.saml.processor.SAMLProcessorImpl;
 import org.springframework.security.saml.util.VelocityFactory;
 import org.springframework.security.saml.websso.*;
 import org.springframework.security.web.*;
+import org.springframework.security.web.access.channel.ChannelProcessingFilter;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import java.util.*;
 
@@ -133,6 +137,9 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
     @Bean
     public SAMLEntryPoint samlEntryPoint() {
         final SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
+        samlEntryPoint.setSamlLogger(samlLogger());
+        samlEntryPoint.setContextProvider(samlContextProvider());
+        samlEntryPoint.setWebSSOprofile(webSSOprofile());
         samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
         return samlEntryPoint;
     }
@@ -220,11 +227,44 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
         return new SAMLProcessorImpl(bindings);
     }
 
+    @Bean
+    public FilterChainProxy samlFilter() throws Exception {
+        final List<SecurityFilterChain> chains = new ArrayList<>();
+        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
+                samlEntryPoint()));
+        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
+                metadataDisplayFilter()));
+        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
+                samlWebSSOProcessingFilter()));
+        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
+                samlIDPDiscovery()));
+        return new FilterChainProxy(chains);
+    }
+
     @Bean
     public SAMLLogger samlLogger() {
         return new SAMLDefaultLogger();
     }
 
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.requiresChannel()
+                .anyRequest()
+                .requiresSecure();
+        http.httpBasic()
+                .authenticationEntryPoint(samlEntryPoint());
+        http.csrf()
+                .disable();
+        http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
+                .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
+        /* allow metadata and saml stuff */
+        http.authorizeRequests()
+                .antMatchers("/saml/**").permitAll()
+                .antMatchers("/health").permitAll()
+                .antMatchers("/error").permitAll()
+                .anyRequest().authenticated();
+    }
+
     @Bean
     public MetadataProvider metadataProvider() throws MetadataProviderException {
         final HTTPMetadataProvider provider = new HTTPMetadataProvider(timer(), httpClient(), idpProviderMetadata);

fda-authentication-service/rest-service/src/main/resources/securityContext.xml

-<?xml version="1.0" encoding="UTF-8" ?>
-<beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:security="http://www.springframework.org/schema/security"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xmlns:context="http://www.springframework.org/schema/context"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
-
-    <!-- Enable auto-wiring -->
-    <context:annotation-config/>
-    <context:component-scan base-package="org.springframework.security.saml"/>
-    <context:component-scan base-package="at.tuwien.config"/>
-
-    <!-- Unsecured pages -->
-    <security:http security="none" pattern="/saml/web/**"/>
-    <security:http security="none" pattern="/logout.jsp"/>
-    <security:http security="none" pattern="/favicon.ico"/>
-
-    <!-- Secured pages -->
-    <security:http entry-point-ref="samlEntryPoint">
-        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
-        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
-        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
-    </security:http>
-
-</beans>
\ No newline at end of file