AuthResolver

debug
Websocket test
2024-05-17 14:57:54 +02:00 · 2024-05-17 11:37:21 +02:00 · 2024-05-17 11:15:46 +02:00 · 2024-05-16 14:54:27 +02:00
3 changed files with 59 additions and 4 deletions
--- a/src/main/java/com/knecon/fforesight/keycloakcommons/security/SecuredKeyCloakConfiguration.java
+++ b/src/main/java/com/knecon/fforesight/keycloakcommons/security/SecuredKeyCloakConfiguration.java
@ -59,7 +59,11 @@ public class SecuredKeyCloakConfiguration {

        http.anonymous().disable();
        http.httpBasic().disable();
-        http.csrf().disable();
+        http.csrf(csrf -> csrf.ignoringRequestMatchers("/redaction-gateway-v1/websocket/**"));
+        http.headers(headers -> headers
+                // allow same origin to frame our site to support iframe SockJS
+                .frameOptions(frameOptions -> frameOptions
+                                .sameOrigin()));

        http.oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(tenantAuthenticationManagerResolver));
        http.authorizeHttpRequests().anyRequest().authenticated();
@ -73,7 +77,7 @@ public class SecuredKeyCloakConfiguration {
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer(CommonsKeyCloakProperties commonsKeyCloakProperties) {

-        return (web) -> web.debug(false)
+        return (web) -> web.debug(true)
                .ignoring()
                .requestMatchers(commonsKeyCloakProperties.getIgnoredEndpoints().toArray(new String[0]))
                .requestMatchers(HttpMethod.OPTIONS, "/**");
--- a/src/main/java/com/knecon/fforesight/keycloakcommons/security/TenantAuthenticationManagerResolver.java
+++ b/src/main/java/com/knecon/fforesight/keycloakcommons/security/TenantAuthenticationManagerResolver.java
@ -1,6 +1,5 @@
 package com.knecon.fforesight.keycloakcommons.security;

-import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
@ -8,7 +7,6 @@ import java.util.concurrent.ConcurrentHashMap;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
-import org.springframework.security.oauth2.jwt.JwtDecoders;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
--- a/src/main/java/com/knecon/fforesight/keycloakcommons/security/WebsocketTenantAuthenticationManagerResolver.java
+++ b/src/main/java/com/knecon/fforesight/keycloakcommons/security/WebsocketTenantAuthenticationManagerResolver.java
@ -0,0 +1,53 @@
+package com.knecon.fforesight.keycloakcommons.security;
+
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationManagerResolver;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
+import org.springframework.stereotype.Component;
+
+import com.knecon.fforesight.tenantcommons.TenantProvider;
+
+import lombok.RequiredArgsConstructor;
+
+@Component
+@RequiredArgsConstructor
+public class WebsocketTenantAuthenticationManagerResolver implements AuthenticationManagerResolver<String> {
+
+    private final TenantProvider tenantProvider;
+    private final JwtDecoder jwtDecoder;
+    private final Map<String, AuthenticationManager> authenticationManagers = new ConcurrentHashMap<>();
+
+
+    @Override
+    public AuthenticationManager resolve(String token) {
+
+        return this.authenticationManagers.computeIfAbsent(toTenant(token), this::fromTenant);
+    }
+
+
+    private String toTenant(String token) {
+
+        return TokenUtils.toTenant(token);
+    }
+
+
+    private AuthenticationManager fromTenant(String tenant) {
+
+        return Optional.ofNullable(this.tenantProvider.getTenant(tenant)).map(tt ->
+
+        {
+            var provider = new JwtAuthenticationProvider(jwtDecoder);
+            var converter = new JwtAuthenticationConverter();
+            converter.setJwtGrantedAuthoritiesConverter(new CustomJwtAuthoritiesConverter(tt.getAuthDetails()));
+            provider.setJwtAuthenticationConverter(converter);
+            return provider;
+        }).orElseThrow(() -> new IllegalArgumentException("unknown tenant"))::authenticate;
+    }
+
+}
Author	SHA1	Message	Date
Dominique Eifländer	576f1f8159	AuthResolver	2024-05-17 14:57:54 +02:00
Dominique Eifländer	6894f0f61c	debug	2024-05-17 11:37:21 +02:00
Dominique Eifländer	04807ab9eb	Websocket test	2024-05-17 11:15:46 +02:00
Dominique Eifländer	e11cb8149e	Webso	2024-05-16 14:54:27 +02:00