Fix granting default user role to authenticated user in internal secu…

…rity provider In SecurityConfig: - fix configurable role prefix not set using GrantedAuthorityDefaults - fix http authorization rules are defined with roles without prefix In MainUserDetailsService - Add default user role to authenticated user if security provider is "internal"
kbss-cvut · Oct 22, 2024 · 840a69b · 840a69b
1 parent e8b6fae
commit 840a69b
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 6 deletions.
diff --git a/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/analysis/config/SecurityConfig.java
@@ -20,6 +20,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
@@ -38,7 +39,7 @@
 import java.util.*;
 
 
-@ConditionalOnProperty(prefix = "security", name = "provider", havingValue = "internal")
+@ConditionalOnProperty(prefix = "security", name = "provider", havingValue = SecurityConstants.SEC_PROVIDER_INTERNAL)
 @Configuration
 @EnableWebSecurity
 @Slf4j
@@ -53,20 +54,26 @@ public class SecurityConfig {
 
     private final LogoutSuccessHandler logoutSuccessHandler;
 
+    private final SecurityConf securityConf;
 
     private static final String[] COOKIES_TO_DESTROY = {
             SecurityConstants.SESSION_COOKIE_NAME,
             SecurityConstants.REMEMBER_ME_COOKIE_NAME,
             SecurityConstants.CSRF_COOKIE_NAME
     };
 
-
     @Autowired
-    public SecurityConfig(AuthenticationProvider ontologyAuthenticationProvider, AuthenticationSuccessHandler authenticationSuccessHandler, AuthenticationFailureHandler authenticationFailureHandler, LogoutSuccessHandler logoutSuccessHandler) {
+    public SecurityConfig(AuthenticationProvider ontologyAuthenticationProvider, AuthenticationSuccessHandler authenticationSuccessHandler, AuthenticationFailureHandler authenticationFailureHandler, LogoutSuccessHandler logoutSuccessHandler, SecurityConf securityConf) {
         this.ontologyAuthenticationProvider = ontologyAuthenticationProvider;
         this.authenticationSuccessHandler = authenticationSuccessHandler;
         this.authenticationFailureHandler = authenticationFailureHandler;
         this.logoutSuccessHandler = logoutSuccessHandler;
+        this.securityConf = securityConf;
+    }
+
+    @Bean
+    public GrantedAuthorityDefaults grantedAuthorityDefaults(){
+        return new GrantedAuthorityDefaults(securityConf.getRolePrefix());
     }
 
     @Bean
@@ -87,10 +94,10 @@ public SecurityFilterChain filterChain(HttpSecurity http, SecurityConf config, U
         final AuthenticationManager authManager = buildAuthenticationManager(http);
         http.authorizeHttpRequests(auth ->
                         auth.requestMatchers("/rest/users/impersonate").
-                                hasAuthority(SecurityConstants.ROLE_ADMIN)
+                                hasAuthority(config.getRolePrefix() + SecurityConstants.ROLE_ADMIN)
                             .requestMatchers("/auth/*").permitAll()
                             .requestMatchers("/").permitAll()
-                            .requestMatchers("/**").hasAuthority(SecurityConstants.ROLE_USER)
+                            .requestMatchers("/**").hasAuthority(config.getRolePrefix() + SecurityConstants.ROLE_USER)
                 )
                 .cors(auth -> auth.configurationSource(corsConfigurationSource(config)))
                 .csrf(AbstractHttpConfigurer::disable)

diff --git a/src/main/java/cz/cvut/kbss/analysis/config/conf/SecurityConf.java b/src/main/java/cz/cvut/kbss/analysis/config/conf/SecurityConf.java
@@ -19,6 +19,8 @@ public class SecurityConf {
 
     private String appContext;
 
+    private String provider;
+
     private String rolePrefix;
 
     private String roleClaim;

diff --git a/src/main/java/cz/cvut/kbss/analysis/model/User.java b/src/main/java/cz/cvut/kbss/analysis/model/User.java
@@ -1,7 +1,6 @@
 package cz.cvut.kbss.analysis.model;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import cz.cvut.kbss.analysis.security.SecurityConstants;
 import cz.cvut.kbss.analysis.util.Vocabulary;
 import cz.cvut.kbss.jopa.model.annotations.OWLClass;
 import cz.cvut.kbss.jopa.model.annotations.OWLDataProperty;

diff --git a/src/main/java/cz/cvut/kbss/analysis/service/MainUserDetailsService.java b/src/main/java/cz/cvut/kbss/analysis/service/MainUserDetailsService.java
@@ -1,23 +1,51 @@
 package cz.cvut.kbss.analysis.service;
 
+import cz.cvut.kbss.analysis.config.conf.SecurityConf;
 import cz.cvut.kbss.analysis.model.User;
+import cz.cvut.kbss.analysis.security.SecurityConstants;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Component;
 
+import java.util.ArrayList;
+import java.util.Optional;
+
 @Component
 @RequiredArgsConstructor(onConstructor = @__(@Autowired))
 @Slf4j
 public class MainUserDetailsService implements UserDetailsService {
 
     private final UserRepositoryService userRepositoryService;
 
+    private final SecurityConf securityConf;
+
     @Override
     public User loadUserByUsername(String username) throws UsernameNotFoundException {
         return userRepositoryService.findByUsername(username)
+                .map(this::setDefaultRoles)
                 .orElseThrow(() -> new UsernameNotFoundException("Username: " + username + " not found"));
     }
+
+    /**
+     * Adds default roles to user based on security provider. Should be applied to authenticated users.
+     *
+     * <p>Default roles based on security provider:</p>
+     * <ul>
+     * <li> internal - add default role "user"</li>
+     * <li> oidc - no default roles are added.</li>
+     * </ul>
+     * @param user should be authenticated user
+     * @return input user with default roles
+     */
+    private User setDefaultRoles(User user){
+        if(user == null || Optional.ofNullable(securityConf.getProvider())
+                .filter(p -> p.equals(SecurityConstants.SEC_PROVIDER_INTERNAL)).isEmpty())
+            return user;
+        user.setRoles(user.getRoles() != null ? new ArrayList<>(user.getRoles()) : new ArrayList<>());
+        user.getRoles().add(securityConf.getRolePrefix()+SecurityConstants.ROLE_USER);
+        return user;
+    }
 }