Posted to dev@syncope.apache.org by GitBox <gi...@apache.org> on 2022/07/15 15:45:39 UTC

[GitHub] [syncope] ilgrosso opened a new pull request, #362: Upgrading Spring Boot to 2.7 and CAS to 6.6

ilgrosso opened a new pull request, #362:
URL: https://github.com/apache/syncope/pull/362

   This PR:
   
   - upgrades Spring Boot to latest 2.7 currently available (2.7.1)
   - upgrades CAS to latest 6.6 currently available (6.6.0-RC4) and matching Pac4j (5.4.3)
   
   Some work has been performed in order to upgrade the Spring Security configuration to match the latest deprecations.
   
   All seems to work except for a breaking error with CAS templates; in order to reproduce, it is enough to run the test cases
   
   * `org.apache.syncope.wa.starter.BasicTest#loginLogout`
   * `org.apache.syncope.wa.starter.BasicTest#loginError`
   
   under `/wa/starter`.
   
   The error message is
   
   ```
   org.thymeleaf.exceptions.TemplateProcessingException: Error during execution of processor 'nz.net.ultraq.thymeleaf.layoutdialect.decorators.DecorateProcessor' (template: "login/casLoginView" - line 2, col 64)
           at org.thymeleaf.processor.element.AbstractAttributeModelProcessor.doProcess(AbstractAttributeModelProcessor.java:134) ~[thymeleaf-3.0.15.RELEASE.jar:3.0.15.RELEASE]
   [...]
   Caused by: groovy.lang.MissingMethodException: No signature of method: nz.net.ultraq.thymeleaf.layoutdialect.decorators.xml.XmlDocumentDecorator.decorate() is applicable for argument types: (org.thymeleaf.engine.Model, org.thymeleaf.engine.Model)
   [...]
   Possible solutions: decorate(org.thymeleaf.model.IModel, org.thymeleaf.model.IModel)
           at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:72) ~[groovy-4.0.3.jar:4.0.3]
           at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:148) ~[groovy-4.0.3.jar:4.0.3]
           at nz.net.ultraq.thymeleaf.layoutdialect.decorators.html.HtmlDocumentDecorator.decorate(HtmlDocumentDecorator.groovy:115) ~[thymeleaf-layout-dialect-3.0.0.jar:?]
           at nz.net.ultraq.thymeleaf.layoutdialect.decorators.Decorator$decorate.call(Unknown Source) ~[?:?]
           at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:45) ~[groovy-4.0.3.jar:4.0.3]
           at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125) ~[groovy-4.0.3.jar:4.0.3]
           at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:148) ~[groovy-4.0.3.jar:4.0.3]
           at nz.net.ultraq.thymeleaf.layoutdialect.decorators.DecorateProcessor.doProcess(DecorateProcessor.groovy:134) ~[thymeleaf-layout-dialect-3.0.0.jar:?]
           at org.thymeleaf.processor.element.AbstractAttributeModelProcessor.doProcess(AbstractAttributeModelProcessor.java:77) ~[thymeleaf-3.0.15.RELEASE.jar:3.0.15.RELEASE]
           ... 186 more
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@syncope.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [syncope] github-code-scanning[bot] commented on a diff in pull request #362: Upgrading Spring Boot to 2.7 and CAS to 6.6

Posted by GitBox <gi...@apache.org>.
github-code-scanning[bot] commented on code in PR #362:
URL: https://github.com/apache/syncope/pull/362#discussion_r930879619


##########
core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCJWKSDataBinderImpl.java:
##########
@@ -51,22 +58,66 @@
     }
 
     @Override
-    public OIDCJWKS create(final int size, final JWSAlgorithm algorithm) {
+    public OIDCJWKS create(final String jwksKeyId, final String jwksType, final int jwksKeySize) {
+        JWK jwk;
         try {
-            OIDCJWKS jwks = entityFactory.newEntity(OIDCJWKS.class);
-            RSAKey jwk = new RSAKeyGenerator(size).
-                    keyUse(KeyUse.SIGNATURE).
-                    keyID(SecureRandomUtils.generateRandomUUID().toString()).
-                    algorithm(new com.nimbusds.jose.JWSAlgorithm(algorithm.name())).
-                    generate();
-            jwks.setJson(JSONObjectUtils.toJSONString(new JWKSet(jwk).toJSONObject(false)));
-            return jwks;
-        } catch (JOSEException e) {
+            switch (jwksType.trim().toLowerCase()) {
+                case "ec":
+                    KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
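Review bot: `jwksType.trim().toLowerCase()` in the new `switch` has no null or blank guard and calls the default-locale `toLowerCase()`; a `null` type surfaces as a NullPointerException rather than a validation error (it is not a `JOSEException`, so the surrounding `try` does not help), and under a Turkish default locale `"EC"` would not lower-case to `"ec"`. Suggest `Objects.requireNonNull(jwksType, "jwksType")` (or a blank check that falls back to a documented default) and `toLowerCase(Locale.ROOT)`. The scanner's "EC may not be secure" finding is triggered by the algorithm name `"EC"` alone; what actually determines strength is the curve the `KeyPairGenerator` is initialized with, which lies outside the visible lines, so the dismissal rationale should name that curve. Also note that the new signature drops the `JWSAlgorithm` parameter the removed code used to set `keyUse(KeyUse.SIGNATURE)` and `algorithm(...)` on the generated JWK; make sure the EC and RSA branches still populate `use` and `alg`, otherwise relying parties cannot tell signing keys apart when reading the published JWKS.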

Review Comment:
   ## Use of a potentially broken or risky cryptographic algorithm
   
   Cryptographic algorithm [EC](1) may not be secure, consider using a different algorithm.
   
   [Show more details](https://github.com/apache/syncope/security/code-scanning/1120)





[GitHub] [syncope] ilgrosso commented on pull request #362: Upgrading Spring Boot to 2.7 and CAS to 6.6

Posted by GitBox <gi...@apache.org>.
ilgrosso commented on PR #362:
URL: https://github.com/apache/syncope/pull/362#issuecomment-1193262218

   @mmoayyed after your suggestion I did some investigations and found that version `3.0.0` for `nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect` comes from Spring Boot itself: see https://docs.spring.io/spring-boot/docs/2.7.2/reference//html/dependency-versions.html 
   
   Waiting to understand if it is possible to downgrade CAS 6.6 to `3.0.0` to align with Spring Boot 2.7, I went ahead and explicitly set
   
   ```xml
    <dependency>
         <groupId>nz.net.ultraq.thymeleaf</groupId>
         <artifactId>thymeleaf-layout-dialect</artifactId>
         <version>3.1.0</version>
    </dependency>
   ```
   
   for WA (unfortunately a bare override of `thymeleaf-layout-dialect.version` did not do the job).
   
   With such setting, only `BasicTest#loginError` is failing, with the following stacktrace:
   
   ```
   2022-07-24 09:06:35.506 ERROR 128227 --- [o-auto-1-exec-2] o.a.c.c.C.[.[.[.[dispatcherServlet]      : Servlet.service() for servlet [dispatcherServlet] in context with path [/syncope-wa] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.actions.DelegatedAuthenticationGenerateClientsAction@f5f6bb1 in state 'viewLoginForm' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause
   
   org.apereo.cas.authentication.adaptive.UnauthorizedAuthenticationException: Authentication is not authorized: 401
   	at org.apereo.cas.web.flow.actions.DelegatedAuthenticationGenerateClientsAction.produceDelegatedAuthenticationClientsForContext(DelegatedAuthenticationGenerateClientsAction.java:47) ~[cas-server-support-pac4j-webflow-6.6.0-RC4.jar:6.6.0-RC4]
   	at org.apereo.cas.web.flow.actions.DelegatedAuthenticationGenerateClientsAction.doExecute(DelegatedAuthenticationGenerateClientsAction.java:31) ~[cas-server-support-pac4j-webflow-6.6.0-RC4.jar:6.6.0-RC4]
   	at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.ViewState.render(ViewState.java:291) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.ViewState.doEnter(ViewState.java:185) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.ViewState.handleEvent(ViewState.java:231) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.ViewState.resume(ViewState.java:195) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.Flow.resume(Flow.java:537) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:259) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:254) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
   	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1070) ~[spring-webmvc-5.3.22.jar:5.3.22]
   	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.22.jar:5.3.22]
   	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.22.jar:5.3.22]
   	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.3.22.jar:5.3.22]
   	at javax.servlet.http.HttpServlet.service(HttpServlet.java:665) ~[javax.servlet-api-4.0.1.jar:4.0.1]
   ```
   
   i.e. instead of returning 401, 500 is returned, but the page text says it was because of 401: anything obvious I am missing here?




[GitHub] [syncope] mmoayyed commented on pull request #362: Upgrading Spring Boot to 2.7 and CAS to 6.6

Posted by GitBox <gi...@apache.org>.
mmoayyed commented on PR #362:
URL: https://github.com/apache/syncope/pull/362#issuecomment-1193363891

   I don't think downgrading is a good or practical option. First, it's possible that we might break someone else, and also something in CAS UI that might depend on this, but the bigger concern is that downgrading is only a stop-gap that sooner or later would break. The strategy should be that if a CAS module decides to switch a dependency, and for whatever reason SB does not, then we ought to be able to receive that update immediately and easily without a lot of gymnastics. This quickly becomes important when security patches to external libs that might affect CAS but not SB would be needed.
   
   Short of declaring a dependency on the dialect (or even declaring an override version), both of which I think are uncomfortable, I would think the more ideal solution would be putting this into wa or wa/starter:
   
   ```xml
   <dependencyManagement>
       <dependencies>
         <dependency>
           <groupId>org.apereo.cas</groupId>
           <artifactId>cas-server-support-bom</artifactId>
           <version>${cas.version}</version>
           <type>pom</type>
           <scope>import</scope>
         </dependency>
       </dependencies>
     </dependencyManagement>
   ```
   
   We should let CAS manage CAS, and then we only override what we want, and only when we want it. Not because we have to. 
   
   As for the 401 vs 500 error, I don't think you're missing anything. The scenario is that generally, the external provider returns back a 401, and CAS translates that, *correctly* I think, into a 401. One could debate whether the end result should be a 401 or 500, and in my opinion, 500 makes more sense, though I don't recall if this was ever an intentional change. That said, as far as the particular test here goes, it should be safe to assume that the response status returned from the test is either a 4xx or a 5xx. Both should be appropriate. You should care about the fact that the operation failed in the general sense.




[GitHub] [syncope] ilgrosso merged pull request #362: Upgrading Spring Boot to 2.7 and CAS to 6.6

Posted by GitBox <gi...@apache.org>.
ilgrosso merged PR #362:
URL: https://github.com/apache/syncope/pull/362




[GitHub] [syncope] ilgrosso commented on pull request #362: Upgrading Spring Boot to 2.7 and CAS to 6.6

Posted by GitBox <gi...@apache.org>.
ilgrosso commented on PR #362:
URL: https://github.com/apache/syncope/pull/362#issuecomment-1193704311

   @mmoayyed I have pushed changes to import CAS BOM under `wa/pom.xml`
   The only inconvenience I could find is the conflict about Spring versions: 2.7.2 from Syncope root pom, 2.7.0 from CAS 6.6.0-RC4; for the moment I've switched to CAS 6.6.0-SNAPSHOT which has 2.7.2 as well, but if we take this approach we'll hopefully need to find a way to override versions if needed.
   
   About the failing test, I think the current behavior is not correct: when the log reports the message as above, the response body returned to the caller is as follows:
   
   ```
   --- !<java.util.LinkedHashMap>
   timestamp: "2022-07-25T07:39:48.333+00:00"
   status: 500
   error: "Internal Server Error"
   path: "/syncope-wa/login"
   ```
   
   I can easily switch the test assertion but I don't think this behavioral change (compared to 6.5.x) is expected.




[GitHub] [syncope] github-code-scanning[bot] commented on a diff in pull request #362: Upgrading Spring Boot to 2.7 and CAS to 6.6

Posted by GitBox <gi...@apache.org>.
github-code-scanning[bot] commented on code in PR #362:
URL: https://github.com/apache/syncope/pull/362#discussion_r922311353


##########
core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java:
##########
@@ -74,66 +75,65 @@
     }
 
     @Bean
-    public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter(
-            final ApplicationContext ctx,
+    public WebSecurityCustomizer webSecurityCustomizer(final HttpFirewall allowUrlEncodedSlashHttpFirewall) {
+        return web -> web.httpFirewall(allowUrlEncodedSlashHttpFirewall);
+    }
+
+    @Bean
+    public SecurityFilterChain filterChain(
+            final HttpSecurity http,
+            final UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider,
+            final JWTAuthenticationProvider jwtAuthenticationProvider,
             final SecurityProperties securityProperties,
-            final HttpFirewall allowUrlEncodedSlashHttpFirewall) {
-
-        return new WebSecurityConfigurerAdapter(true) {
-
-            @Override
-            public void configure(final WebSecurity web) {
-                web.httpFirewall(allowUrlEncodedSlashHttpFirewall);
-            }
-
-            @Override
-            protected void configure(final HttpSecurity http) throws Exception {
-                SyncopeAuthenticationDetailsSource authenticationDetailsSource =
-                        new SyncopeAuthenticationDetailsSource();
-
-                AnonymousAuthenticationProvider anonymousAuthenticationProvider =
-                        new AnonymousAuthenticationProvider(ANONYMOUS_BEAN_KEY);
-                AnonymousAuthenticationFilter anonymousAuthenticationFilter =
-                        new AnonymousAuthenticationFilter(
-                                ANONYMOUS_BEAN_KEY,
-                                securityProperties.getAnonymousUser(),
-                                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
-                anonymousAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
-
-                SyncopeBasicAuthenticationEntryPoint basicAuthenticationEntryPoint =
-                        new SyncopeBasicAuthenticationEntryPoint();
-                basicAuthenticationEntryPoint.setRealmName("Apache Syncope authentication");
-
-                JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter(
-                        authenticationManager(),
-                        basicAuthenticationEntryPoint,
-                        authenticationDetailsSource,
-                        ctx.getBean(AuthDataAccessor.class),
-                        ctx.getBean(DefaultCredentialChecker.class));
-
-                http.authorizeRequests().
-                        antMatchers("/**").permitAll().and().
-                        sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
-                        securityContext().securityContextRepository(new NullSecurityContextRepository()).and().
-                        anonymous().
-                        authenticationProvider(anonymousAuthenticationProvider).
-                        authenticationFilter(anonymousAuthenticationFilter).and().
-                        httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
-                        authenticationDetailsSource(authenticationDetailsSource).and().
-                        exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
-                        addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class).
-                        addFilterBefore(new MustChangePasswordFilter(), FilterSecurityInterceptor.class).
-                        headers().disable().
-                        csrf().disable();
-            }
-
-            @Override
-            protected void configure(final AuthenticationManagerBuilder builder) throws Exception {
-                builder.
-                        authenticationProvider(ctx.getBean(UsernamePasswordAuthenticationProvider.class)).
-                        authenticationProvider(ctx.getBean(JWTAuthenticationProvider.class));
-            }
-        };
+            final ApplicationContext ctx) throws Exception {
+
+        AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManagerBuilder.class).
+                authenticationProvider(usernamePasswordAuthenticationProvider).
+                authenticationProvider(jwtAuthenticationProvider).
+                build();
+
+        SyncopeAuthenticationDetailsSource authenticationDetailsSource =
+                new SyncopeAuthenticationDetailsSource();
+
+        AnonymousAuthenticationProvider anonymousAuthenticationProvider =
+                new AnonymousAuthenticationProvider(ANONYMOUS_BEAN_KEY);
+        AnonymousAuthenticationFilter anonymousAuthenticationFilter =
+                new AnonymousAuthenticationFilter(
+                        ANONYMOUS_BEAN_KEY,
+                        securityProperties.getAnonymousUser(),
+                        AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+        anonymousAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
+
+        SyncopeBasicAuthenticationEntryPoint basicAuthenticationEntryPoint =
+                new SyncopeBasicAuthenticationEntryPoint();
+        basicAuthenticationEntryPoint.setRealmName("Apache Syncope authentication");
+
+        JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter(
+                authenticationManager,
+                basicAuthenticationEntryPoint,
+                authenticationDetailsSource,
+                ctx.getBean(AuthDataAccessor.class),
+                ctx.getBean(DefaultCredentialChecker.class));
+
+        MustChangePasswordFilter mustChangePasswordFilter = new MustChangePasswordFilter();
+
+        http.authenticationManager(authenticationManager).
+                authorizeRequests().
+                antMatchers("/**").permitAll().and().
+                sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
+                securityContext().securityContextRepository(new NullSecurityContextRepository()).and().
+                anonymous().
+                authenticationProvider(anonymousAuthenticationProvider).
+                authenticationFilter(anonymousAuthenticationFilter).and().
+                httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
+                authenticationDetailsSource(authenticationDetailsSource).and().
+                exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
+                addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class).
+                addFilterBefore(mustChangePasswordFilter, FilterSecurityInterceptor.class).
+                headers().disable().
+                csrf().disable();
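Review bot: `csrf().disable()` and `headers().disable()` are carried over verbatim from the removed `WebSecurityConfigurerAdapter`, so the scanner finding on the last line is not introduced by this change, but it still deserves a recorded rationale: this chain is stateless (`SessionCreationPolicy.STATELESS` plus `NullSecurityContextRepository`, with credentials arriving per request via HTTP Basic or the JWT filter), so there is no session cookie for a cross-site request to ride on. Put exactly that in a one-line comment above `csrf().disable()` so the alert can be dismissed with justification instead of silently. `headers().disable()` is broader than it looks, since it removes every default header writer (cache-control, content-type-options, frame-options, HSTS); that is acceptable only if something in front of the core sets them, and the same comment should say so. Minor: `AuthDataAccessor` and `DefaultCredentialChecker` are still fetched with `ctx.getBean(...)` while the two providers are now constructor-injected; inject them the same way and the `ApplicationContext ctx` parameter can be dropped.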

Review Comment:
   ## Disabled Spring CSRF protection
   
   CSRF vulnerability due to protection being disabled.
   
   [Show more details](https://github.com/apache/syncope/security/code-scanning/1119)





[GitHub] [syncope] mmoayyed commented on pull request #362: Upgrading Spring Boot to 2.7 and CAS to 6.6

Posted by GitBox <gi...@apache.org>.
mmoayyed commented on PR #362:
URL: https://github.com/apache/syncope/pull/362#issuecomment-1193759544

   I think the CAS BOM also, similar to SB, provides the ability for you to override version numbers, but I think this part might be Maven-specific such that it might get confused between what the parent says vs what the BOM says vs what the local project property says. Presumably, if the parent says use X, and the BOM says use Y, we should be able to override the BOM version using a property that would match it against X. But we'll need to test this.
   
   As for the error, I realize the mismatch between the log and the reported error code is confusing, but they don't have to be the same. In fact they should not be. The error code the provider returns is entirely separate from how CAS wants to process that error code; maybe it's the same, maybe it's different, maybe it's ignored. In other words, this is not a "behavior" or a feature; you're testing something that is uncharted, accidental, undocumented, and could change at any moment. What the test should care about is that something, (at least for now), went wrong. The specific error code is not a contract or a standard feature in any way, and if your test passed in 6.5, it was only because you were lucky.


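Maven's precedence rules settle the question left open in the last message (and explain both the earlier BOM proposal and why the bare `thymeleaf-layout-dialect.version` property override had no effect): an artifact declared directly in a project's `dependencyManagement` wins over the same artifact coming from any imported BOM, and where two imported BOMs manage the same artifact the first import wins; a version property only overrides a BOM when that BOM is inherited as the parent POM, not when it is imported with `scope=import`, because an imported BOM is interpolated with its own properties. The fragment below is an added illustration of that layering and not Syncope's actual `wa/pom.xml`: it assumes the root POM imports `spring-boot-dependencies` rather than inheriting from `spring-boot-starter-parent`, the property names `spring-boot.version` and `cas.version` are made up for the example, and the pinned versions are the ones mentioned in this thread.

```xml
<!-- Added illustration of Maven dependencyManagement precedence; not Syncope's own wa/pom.xml.
     Property names spring-boot.version and cas.version are assumptions for this example. -->
<properties>
  <spring-boot.version>2.7.2</spring-boot.version>
  <cas.version>6.6.0-RC4</cas.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- 1. Direct declarations always beat anything an imported BOM says, whatever their position,
            so keep this list to the few artifacts that must be pinned on purpose. Here it is the
            layout dialect that CAS 6.6 needs at 3.1.0 while spring-boot-dependencies 2.7.x manages 3.0.0. -->
    <dependency>
      <groupId>nz.net.ultraq.thymeleaf</groupId>
      <artifactId>thymeleaf-layout-dialect</artifactId>
      <version>3.1.0</version>
    </dependency>

    <!-- 2. Imported BOMs: for an artifact managed by both, the first import wins.
            Importing spring-boot-dependencies first keeps Spring Boot at 2.7.2 even though the
            CAS BOM manages 2.7.0; every artifact only the CAS BOM manages still comes from CAS. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>${spring-boot.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-bom</artifactId>
      <version>${cas.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Reversing the two imports makes the CAS BOM win for everything it manages, which is the "let CAS manage CAS" arrangement; the 2.7.0 vs 2.7.2 conflict reported above is the cost of that ordering, and the direct declaration in step 1 is the only way to pin a single artifact against both BOMs at once. Whichever order is chosen, `mvn help:effective-pom` under `wa` shows the merged `dependencyManagement` in the order Maven will apply it, and `mvn dependency:tree -Dincludes=nz.net.ultraq.thymeleaf,org.springframework.boot` shows which version each artifact actually resolved to.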