Remove cors filter configuration

iam-login-service/src/main/java/it/infn/mw/iam/IamLoginService.java

@@ -16,6 +16,7 @@
 package it.infn.mw.iam;
 
 import org.mitre.discovery.web.DiscoveryEndpoint;
+import org.mitre.oauth2.web.CorsFilter;
 import org.mitre.openid.connect.web.JWKSetPublishingEndpoint;
 import org.mitre.openid.connect.web.RootController;
 import org.mitre.openid.connect.web.UserInfoEndpoint;
@@ -67,7 +68,9 @@
     @ComponentScan.Filter(type=FilterType.ASSIGNABLE_TYPE,
         value=HealthEndpoint.class),
     @ComponentScan.Filter(type=FilterType.ASSIGNABLE_TYPE,
-        value=JWKSetPublishingEndpoint.class)
+        value=JWKSetPublishingEndpoint.class),
+    @ComponentScan.Filter(type=FilterType.ASSIGNABLE_TYPE,
+    value=CorsFilter.class)
 })
 // @formatter:on
 

iam-login-service/src/main/java/it/infn/mw/iam/config/IamConfig.java

@@ -23,6 +23,7 @@
 import java.util.Arrays;
 import java.util.Map;
 
+import org.apache.velocity.app.VelocityEngine;
 import org.h2.server.web.WebServlet;
 import org.mitre.oauth2.service.IntrospectionResultAssembler;
 import org.mitre.oauth2.service.impl.DefaultIntrospectionResultAssembler;
@@ -260,4 +261,10 @@ ServletRegistrationBean h2Console() {
     WebServlet h2Servlet = new WebServlet();
     return new ServletRegistrationBean(h2Servlet, "/h2-console/*");
   }
+
+  @Bean
+  @Profile("saml")
+  VelocityEngine velocityEngine() {
+    return new VelocityEngine();
+  }
 }

iam-login-service/src/main/java/it/infn/mw/iam/config/MitreServicesConfig.java

@@ -32,7 +32,6 @@
 import org.mitre.oauth2.service.impl.DefaultDeviceCodeService;
 import org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService;
 import org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService;
-import org.mitre.oauth2.web.CorsFilter;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.openid.connect.config.UIConfiguration;
 import org.mitre.openid.connect.filter.AuthorizationRequestFilter;
@@ -70,7 +69,6 @@
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Primary;
 import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
 import org.springframework.security.oauth2.provider.OAuth2RequestValidator;
 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
@@ -228,20 +226,22 @@ public Http403ForbiddenEntryPoint http403ForbiddenEntryPoint() {
     return new Http403ForbiddenEntryPoint();
   }
 
-  @Bean
-  public FilterRegistrationBean disabledCorsFilterRegistration(CorsFilter c) {
-
-    FilterRegistrationBean b = new FilterRegistrationBean(c);
-    b.setEnabled(false);
-    return b;
-  }
-
-  @Primary
-  @Bean
-  public CorsFilter corsFilter() {
-
-    return new CorsFilter();
-  }
+  // @Bean
+  // public FilterRegistrationBean disabledCorsFilterRegistration(CorsFilter c) {
+  //
+  // FilterRegistrationBean b = new FilterRegistrationBean(c);
+  // b.setEnabled(false);
+  // return b;
+  // }
+
+  // @Primary
+  // @Bean
+  // public CorsFilter corsFilter() {
+  //
+  //
+  // CorsFilter filter = new CorsFilter()
+  // return new CorsFilter();
+  // }
 
   @Bean
   public OAuth2AuthenticationEntryPoint oauth2AuthenticationEntryPoint() {

iam-login-service/src/main/java/it/infn/mw/iam/config/security/IamApiSecurityConfig.java

@@ -18,7 +18,6 @@
 import static org.springframework.http.HttpMethod.GET;
 import static org.springframework.http.HttpMethod.POST;
 
-import org.mitre.oauth2.web.CorsFilter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
@@ -34,7 +33,6 @@
 import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
-import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 
 import it.infn.mw.iam.api.proxy.ProxyCertificatesApiController;
 import it.infn.mw.iam.config.CustomAuthenticationEntryPoint;
@@ -59,9 +57,6 @@ public static class IamProxyCertificateApiConfig extends WebSecurityConfigurerAd
     @Autowired
     private OAuth2AuthenticationEntryPoint authenticationEntryPoint;
 
-    @Autowired
-    private CorsFilter corsFilter;
-
     @Override
     protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
       auth.userDetailsService(userDetailsService);
@@ -84,7 +79,8 @@ protected void configure(final HttpSecurity http) throws Exception {
         .and()
           .addFilterBefore(ccFilter, SecurityContextPersistenceFilter.class)
           .addFilterAfter(resourceFilter, SecurityContextPersistenceFilter.class)
-          .addFilterBefore(corsFilter, WebAsyncManagerIntegrationFilter.class)
+        .cors()
+        .and()
         .sessionManagement()
           .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
         .and()
@@ -108,9 +104,6 @@ public static class IamApiConfig extends WebSecurityConfigurerAdapter {
     @Autowired
     private OAuth2AuthenticationEntryPoint authenticationEntryPoint;
 
-    @Autowired
-    private CorsFilter corsFilter;
-
     @Override
     protected void configure(final HttpSecurity http) throws Exception {
       // @formatter:off
@@ -124,7 +117,8 @@ protected void configure(final HttpSecurity http) throws Exception {
             .accessDeniedHandler(new OAuth2AccessDeniedHandler())
         .and()
           .addFilterAfter(resourceFilter, SecurityContextPersistenceFilter.class)
-          .addFilterBefore(corsFilter, WebAsyncManagerIntegrationFilter.class)
+        .cors()
+        .and()
         .sessionManagement()
           .sessionCreationPolicy(SessionCreationPolicy.NEVER)
         .and()

iam-login-service/src/main/java/it/infn/mw/iam/config/security/IamTokenEndointSecurityConfig.java

@@ -21,7 +21,6 @@
 import java.time.Clock;
 
 import org.mitre.jwt.signer.service.impl.ClientKeyCacheService;
-import org.mitre.oauth2.web.CorsFilter;
 import org.mitre.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -38,7 +37,6 @@
 import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import it.infn.mw.iam.config.IamProperties;
@@ -51,9 +49,6 @@ public class IamTokenEndointSecurityConfig extends WebSecurityConfigurerAdapter
 
   public static final String TOKEN_ENDPOINT = "/token";
 
-  @Autowired
-  private CorsFilter corsFilter;
-
   @Autowired
   private OAuth2AuthenticationEntryPoint authenticationEntryPoint;
 
@@ -113,14 +108,15 @@ protected void configure(HttpSecurity http) throws Exception {
             .antMatchers(TOKEN_ENDPOINT).authenticated()
             .and()
             .addFilterBefore(jwtBearerFilter(), AbstractPreAuthenticatedProcessingFilter.class)
-            .addFilterBefore(ccFilter(), BasicAuthenticationFilter.class)   
-        .addFilterBefore(corsFilter, SecurityContextPersistenceFilter.class)
+            .addFilterBefore(ccFilter(), BasicAuthenticationFilter.class)
         .exceptionHandling()
             .authenticationEntryPoint(authenticationEntryPoint)
             .accessDeniedHandler(new OAuth2AccessDeniedHandler())
             .and()
         .sessionManagement()
             .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+        .and()
+          .cors()
         .and()
           .csrf()
             .disable();

iam-login-service/src/main/java/it/infn/mw/iam/config/security/MitreSecurityConfig.java

@@ -18,7 +18,6 @@
 import static org.springframework.security.config.http.SessionCreationPolicy.NEVER;
 import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
 
-import org.mitre.oauth2.web.CorsFilter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Configuration;
@@ -34,7 +33,6 @@
 import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
-import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 
 import it.infn.mw.iam.config.client_registration.ClientRegistrationProperties;
 
@@ -52,16 +50,12 @@ public static class MitreApisEndpointAuthorizationConfig extends WebSecurityConf
     @Autowired
     private OAuth2AuthenticationEntryPoint authenticationEntryPoint;
 
-    @Autowired
-    private CorsFilter corsFilter;
-
     @Override
     public void configure(final HttpSecurity http) throws Exception {
 
       // @formatter:off
       http.antMatcher("/api/**")
           .addFilterAfter(resourceFilter, SecurityContextPersistenceFilter.class)
-          .addFilterBefore(corsFilter, WebAsyncManagerIntegrationFilter.class)
           .exceptionHandling()
             .authenticationEntryPoint(authenticationEntryPoint)
           .and()
@@ -84,26 +78,22 @@ public static class ResourceEndpointAuthorizationConfig extends WebSecurityConfi
     @Autowired
     private OAuth2AuthenticationEntryPoint authenticationEntryPoint;
 
-    @Autowired
-    private CorsFilter corsFilter;
-
     @Override
-
     public void configure(final HttpSecurity http) throws Exception {
 
       // @formatter:off
       http.antMatcher("/resource/**")
         .exceptionHandling()
           .authenticationEntryPoint(authenticationEntryPoint).and()
         .addFilterAfter(resourceFilter, SecurityContextPersistenceFilter.class)
-        .addFilterBefore(corsFilter, WebAsyncManagerIntegrationFilter.class)
         .sessionManagement()
           .sessionCreationPolicy(STATELESS)
         .and()
           .authorizeRequests()
             .antMatchers("/resource/**").permitAll()
         .and()
-          .csrf().disable();
+          .csrf().disable()
+        .cors();
       // @formatter:on
     }
   }
@@ -120,9 +110,6 @@ public static class RegisterEndpointAuthorizationConfig extends WebSecurityConfi
     @Autowired
     private OAuth2AuthenticationEntryPoint authenticationEntryPoint;
 
-    @Autowired
-    private CorsFilter corsFilter;
-
     @Autowired
     private ClientRegistrationProperties clientRegProps;
 
@@ -135,7 +122,6 @@ public void configure(final HttpSecurity http) throws Exception {
         .authenticationEntryPoint(authenticationEntryPoint)
         .and()
         .addFilterAfter(resourceFilter, SecurityContextPersistenceFilter.class)
-        .addFilterBefore(corsFilter, WebAsyncManagerIntegrationFilter.class)
         .sessionManagement()
         .sessionCreationPolicy(STATELESS);
 
@@ -162,9 +148,6 @@ public static class UserInfoEndpointAuthorizationConfig extends WebSecurityConfi
     @Autowired
     private OAuth2AuthenticationEntryPoint authenticationEntryPoint;
 
-    @Autowired
-    private CorsFilter corsFilter;
-
     @Override
     public void configure(final HttpSecurity http) throws Exception {
 
@@ -174,7 +157,6 @@ public void configure(final HttpSecurity http) throws Exception {
           .authenticationEntryPoint(authenticationEntryPoint)
         .and()
           .addFilterAfter(resourceFilter, SecurityContextPersistenceFilter.class)
-          .addFilterBefore(corsFilter, WebAsyncManagerIntegrationFilter.class)
         .sessionManagement()
           .sessionCreationPolicy(STATELESS)
         .and()
@@ -194,9 +176,6 @@ public static class IntrospectEndpointAuthorizationConfig extends WebSecurityCon
     @Qualifier("clientUserDetailsService")
     private UserDetailsService userDetailsService;
 
-    @Autowired
-    private CorsFilter corsFilter;
-
     @Override
     protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
 
@@ -211,7 +190,6 @@ protected void configure(final HttpSecurity http) throws Exception {
         .httpBasic()
           .authenticationEntryPoint(authenticationEntryPoint)
         .and()
-          .addFilterBefore(corsFilter, SecurityContextPersistenceFilter.class)
             .exceptionHandling()
           .authenticationEntryPoint(authenticationEntryPoint)
         .and()
@@ -237,9 +215,6 @@ public static class RevokeEndpointAuthorizationConfig extends WebSecurityConfigu
     @Qualifier("clientUserDetailsService")
     private UserDetailsService userDetailsService;
 
-    @Autowired
-    private CorsFilter corsFilter;
-
     @Override
     protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
 
@@ -263,7 +238,6 @@ protected void configure(final HttpSecurity http) throws Exception {
         .httpBasic()
           .authenticationEntryPoint(authenticationEntryPoint)
         .and()
-          .addFilterBefore(corsFilter, SecurityContextPersistenceFilter.class)
           .addFilterBefore(clientCredentialsEndpointFilter(), BasicAuthenticationFilter.class)
         .exceptionHandling()
           .authenticationEntryPoint(authenticationEntryPoint)