AuthResolver

.gitignore

@@ -39,4 +39,3 @@ gradle/
 
 **/.gradle
 **/build
-.DS_Store

build.gradle.kts

@@ -1,6 +1,7 @@
 plugins {
     `java-library`
     `maven-publish`
+    `kotlin-dsl`
     pmd
     checkstyle
     jacoco
@@ -11,11 +12,12 @@ plugins {
 val springVersion = "3.2.2";
 
 dependencies {
-    api("com.knecon.fforesight:tenant-commons:0.31.0")
+    api("com.knecon.fforesight:tenant-commons:0.24.0")
     api("org.springframework.boot:spring-boot-starter-oauth2-resource-server:${springVersion}")
     api("org.springframework.boot:spring-boot-starter-security:${springVersion}")
     api("org.springframework.boot:spring-boot-starter-web:${springVersion}")
     api("org.springframework.boot:spring-boot-configuration-processor:${springVersion}")
+    api("org.projectlombok:lombok:1.18.30")
     testImplementation("org.springframework.boot:spring-boot-starter-test:${springVersion}")
 }
 
@@ -79,7 +81,7 @@ tasks.named<Test>("test") {
 
 sonarqube {
     properties {
-        providers.gradleProperty("sonarToken").getOrNull()?.let { property("sonar.login", it) }
+        property("sonar.login", providers.gradleProperty("sonarToken").getOrNull())
         property("sonar.host.url", "https://sonarqube.knecon.com")
     }
 }
@@ -99,4 +101,4 @@ tasks.jacocoTestReport {
 
 java {
     withJavadocJar()
-}
+}

src/main/java/com/knecon/fforesight/keycloakcommons/security/SecuredKeyCloakConfiguration.java

@@ -59,7 +59,11 @@ public class SecuredKeyCloakConfiguration {
 
         http.anonymous().disable();
         http.httpBasic().disable();
-        http.csrf().disable();
+        http.csrf(csrf -> csrf.ignoringRequestMatchers("/redaction-gateway-v1/websocket/**"));
+        http.headers(headers -> headers
+                // allow same origin to frame our site to support iframe SockJS
+                .frameOptions(frameOptions -> frameOptions
+                                .sameOrigin()));
 
         http.oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(tenantAuthenticationManagerResolver));
         http.authorizeHttpRequests().anyRequest().authenticated();
@@ -73,7 +77,7 @@ public class SecuredKeyCloakConfiguration {
     @Bean
     public WebSecurityCustomizer webSecurityCustomizer(CommonsKeyCloakProperties commonsKeyCloakProperties) {
 
-        return (web) -> web.debug(false)
+        return (web) -> web.debug(true)
                 .ignoring()
                 .requestMatchers(commonsKeyCloakProperties.getIgnoredEndpoints().toArray(new String[0]))
                 .requestMatchers(HttpMethod.OPTIONS, "/**");

src/main/java/com/knecon/fforesight/keycloakcommons/security/TenantAuthenticationManagerResolver.java

@@ -35,18 +35,6 @@ public class TenantAuthenticationManagerResolver implements AuthenticationManage
     }
 
 
-    public AuthenticationManager resolve(String token) {
-
-        return this.authenticationManagers.computeIfAbsent(toTenant(token), this::fromTenant);
-    }
-
-
-    private String toTenant(String token) {
-
-        return TokenUtils.toTenant(token);
-    }
-
-
     private String toTenant(HttpServletRequest request) {
 
         return TokenUtils.toTenant(this.resolver.resolve(request));

src/main/java/com/knecon/fforesight/keycloakcommons/security/WebsocketTenantAuthenticationManagerResolver.java

@@ -0,0 +1,53 @@
+package com.knecon.fforesight.keycloakcommons.security;
+
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationManagerResolver;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
+import org.springframework.stereotype.Component;
+
+import com.knecon.fforesight.tenantcommons.TenantProvider;
+
+import lombok.RequiredArgsConstructor;
+
+@Component
+@RequiredArgsConstructor
+public class WebsocketTenantAuthenticationManagerResolver implements AuthenticationManagerResolver<String> {
+
+    private final TenantProvider tenantProvider;
+    private final JwtDecoder jwtDecoder;
+    private final Map<String, AuthenticationManager> authenticationManagers = new ConcurrentHashMap<>();
+
+
+    @Override
+    public AuthenticationManager resolve(String token) {
+
+        return this.authenticationManagers.computeIfAbsent(toTenant(token), this::fromTenant);
+    }
+
+
+    private String toTenant(String token) {
+
+        return TokenUtils.toTenant(token);
+    }
+
+
+    private AuthenticationManager fromTenant(String tenant) {
+
+        return Optional.ofNullable(this.tenantProvider.getTenant(tenant)).map(tt ->
+
+        {
+            var provider = new JwtAuthenticationProvider(jwtDecoder);
+            var converter = new JwtAuthenticationConverter();
+            converter.setJwtGrantedAuthoritiesConverter(new CustomJwtAuthoritiesConverter(tt.getAuthDetails()));
+            provider.setJwtAuthenticationConverter(converter);
+            return provider;
+        }).orElseThrow(() -> new IllegalArgumentException("unknown tenant"))::authenticate;
+    }
+
+}