You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@isis.apache.org by da...@apache.org on 2021/04/09 10:20:57 UTC

[isis-app-helloworld] 01/01: adds demo of spring security with userdetails

This is an automated email from the ASF dual-hosted git repository.

danhaywood pushed a commit to branch jdo-spring-security-userdetails
in repository https://gitbox.apache.org/repos/asf/isis-app-helloworld.git

commit 6dd2e96d5cc7a6f7c0132270c98bcf4de05503ca
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Fri Apr 9 11:19:57 2021 +0100

    adds demo of spring security with userdetails
---
 pom.xml                                            |  5 ++
 src/main/java/domainapp/webapp/AppManifest.java    | 14 ++++-
 src/main/java/domainapp/webapp/SecurityConfig.java | 32 +++++++++++
 .../spring/webmodule/SpringSecurityFilter.java     | 67 ++++++++++++++++++++++
 src/main/resources/static/index.html               | 62 ++++----------------
 5 files changed, 127 insertions(+), 53 deletions(-)

diff --git a/pom.xml b/pom.xml
index 6fdb43c..75ce11f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -61,6 +61,11 @@
         </dependency>
 
         <dependency>
+            <groupId>org.apache.isis.security</groupId>
+            <artifactId>isis-security-spring</artifactId>
+        </dependency>
+
+        <dependency>
             <groupId>org.apache.isis.mavendeps</groupId>
             <artifactId>isis-mavendeps-jdo</artifactId>
             <type>pom</type>
diff --git a/src/main/java/domainapp/webapp/AppManifest.java b/src/main/java/domainapp/webapp/AppManifest.java
index 86995b9..7701a8e 100644
--- a/src/main/java/domainapp/webapp/AppManifest.java
+++ b/src/main/java/domainapp/webapp/AppManifest.java
@@ -4,11 +4,18 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.PropertySource;
 import org.springframework.context.annotation.PropertySources;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 
 import org.apache.isis.core.config.presets.IsisPresets;
 import org.apache.isis.core.runtimeservices.IsisModuleCoreRuntimeServices;
 import org.apache.isis.persistence.jdo.datanucleus.IsisModuleJdoDatanucleus;
+import org.apache.isis.security.bypass.authorization.AuthorizorBypass;
 import org.apache.isis.security.shiro.IsisModuleSecurityShiro;
+import org.apache.isis.security.spring.IsisModuleSecuritySpring;
 import org.apache.isis.testing.h2console.ui.IsisModuleTestingH2ConsoleUi;
 import org.apache.isis.viewer.restfulobjects.jaxrsresteasy4.IsisModuleViewerRestfulObjectsJaxrsResteasy4;
 import org.apache.isis.viewer.wicket.viewer.IsisModuleViewerWicketViewer;
@@ -18,11 +25,15 @@ import domainapp.modules.hello.HelloWorldModule;
 @Configuration
 @Import({
         IsisModuleCoreRuntimeServices.class,
-        IsisModuleSecurityShiro.class,
+        IsisModuleSecuritySpring.class,
         IsisModuleJdoDatanucleus.class,
         IsisModuleViewerRestfulObjectsJaxrsResteasy4.class,
         IsisModuleViewerWicketViewer.class,
 
+//        LoginController.class,
+        SecurityConfig.class,
+        AuthorizorBypass.class,
+
         IsisModuleTestingH2ConsoleUi.class,
         HelloWorldModule.class
 })
@@ -30,4 +41,5 @@ import domainapp.modules.hello.HelloWorldModule;
     @PropertySource(IsisPresets.NoTranslations),
 })
 public class AppManifest {
+
 }
diff --git a/src/main/java/domainapp/webapp/SecurityConfig.java b/src/main/java/domainapp/webapp/SecurityConfig.java
new file mode 100644
index 0000000..3f01080
--- /dev/null
+++ b/src/main/java/domainapp/webapp/SecurityConfig.java
@@ -0,0 +1,32 @@
+package domainapp.webapp;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig extends WebSecurityConfigurerAdapter
+{
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.inMemoryAuthentication()
+                .withUser("sven")
+                .password(passwordEncoder().encode("pass"))
+                .roles("USER");
+                ;
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+}
diff --git a/src/main/java/org/apache/isis/security/spring/webmodule/SpringSecurityFilter.java b/src/main/java/org/apache/isis/security/spring/webmodule/SpringSecurityFilter.java
new file mode 100644
index 0000000..fa4a12a
--- /dev/null
+++ b/src/main/java/org/apache/isis/security/spring/webmodule/SpringSecurityFilter.java
@@ -0,0 +1,67 @@
+package org.apache.isis.security.spring.webmodule;
+
+import java.io.IOException;
+import java.util.stream.Stream;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import org.apache.isis.applib.services.user.UserMemento;
+import org.apache.isis.core.interaction.session.InteractionFactory;
+import org.apache.isis.core.security.authentication.Authentication;
+import org.apache.isis.core.security.authentication.standard.SimpleAuthentication;
+
+/**
+ * This is a patch to replace the version provided in 2.0.0-M5
+ */
+public class SpringSecurityFilter implements Filter {
+
+    @Autowired
+    private InteractionFactory isisInteractionFactory;
+
+    @Override
+    public void doFilter(
+            final ServletRequest servletRequest,
+            final ServletResponse servletResponse,
+            final FilterChain filterChain) throws IOException, ServletException {
+
+        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
+
+        org.springframework.security.core.Authentication springAuthentication = SecurityContextHolder.getContext().getAuthentication();
+        if(springAuthentication==null
+                || !springAuthentication.isAuthenticated()) {
+            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            return; // not authenticated
+        }
+
+        String principalIdentity;
+        Object principal = springAuthentication.getPrincipal();
+        if (principal instanceof UserDetails) {
+            final UserDetails user = (UserDetails) principal;
+            principalIdentity = user.getUsername();
+        } else {
+            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            return; // unknown principal type, not handled
+        }
+
+
+        UserMemento user = UserMemento.ofNameAndRoleNames(principalIdentity,
+                Stream.of("org.apache.isis.viewer.wicket.roles.USER"));
+        SimpleAuthentication authentication = SimpleAuthentication.validOf(user);
+        authentication.setType(Authentication.Type.EXTERNAL);
+
+        isisInteractionFactory.runAuthenticated(
+                authentication,
+                ()->{
+                    filterChain.doFilter(servletRequest, servletResponse);
+                });
+    }
+}
diff --git a/src/main/resources/static/index.html b/src/main/resources/static/index.html
index ec5144e..97d0f7d 100644
--- a/src/main/resources/static/index.html
+++ b/src/main/resources/static/index.html
@@ -1,54 +1,12 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-    <head>
-        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-        <title>Apache Isis&trade; HelloWorld</title>
-
-        <link rel="stylesheet" type="text/css" href="css/page.css">
-    </head>
-    <body>
-        <div id="wrapper">
-            <img alt="Isis Logo" src="images/apache-isis/logo.png" />
-
-            <p>
-                This is a minimal <a href="https://isis.apache.org">Apache Isis</a> application, intended as a starting
-                point to learn what the framework is all about.
-                <br/>
-            </p>
-
-            <p>To access the app:</p>
-            <ul>
-                <li>
-                    <p>
-                        <b><a href="wicket/">Generic UI (Wicket)</a></b>
-                    </p>
-                    <p>
-                        provides access to a generic UI for end-users.  This
-                        viewer is built with <a href="http://wicket.apache.org" target="_blank">Apache Wicket</a>&trade;.
-                    </p>
-                </li>
-                <li>
-                    <p>
-                        <b>
-                            <a href="swagger-ui/index.thtml">RESTful API (Swagger)</a>
-                        </b>
-                    </p>
-                    <p>
-                        provides access to a Swagger UI for convenient access
-                        to (a subset of) the automatically generated REST API.
-                    </p>
-                    <p>
-                        The full backend API (at <a href="restful/">restful/</a>) renders both simple and also richer
-                        hypermedia representations of domain objects, the latter conforming to the
-                        <a href="http://restfulobjects.org"  target="_blank">Restful Objects</a> spec.
-                    </p>
-                </li>
-            </ul>
-
-            <p>
-            The default user/password is <b><i>sven/pass</i></b>.
-            </p>
-
-        </div>
-    </body>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <meta http-equiv="refresh" content="0;url=/wicket/" />
+</head>
+<body>
+<div id="wrapper">
+    <!-- we just redirect immediately, because swagger/restful API not configured to use spring security -->
+</div>
+</body>
 </html>