Posted to commits@isis.apache.org by da...@apache.org on 2021/04/09 11:18:57 UTC
[isis] 04/04: ISIS-2484: minor tweaks
This is an automated email from the ASF dual-hosted git repository.
danhaywood pushed a commit to branch 2.0.0-M5
in repository https://gitbox.apache.org/repos/asf/isis.git
commit 4c16248d2b8381aea098cb23bac1581c90c7a230
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Fri Apr 9 12:18:38 2021 +0100
ISIS-2484: minor tweaks
---
.../src/main/adoc/modules/spring/pages/about.adoc | 94 ++++++++++++----------
1 file changed, 53 insertions(+), 41 deletions(-)
diff --git a/security/spring/src/main/adoc/modules/spring/pages/about.adoc b/security/spring/src/main/adoc/modules/spring/pages/about.adoc
index e6cae18..1d174e7 100644
--- a/security/spring/src/main/adoc/modules/spring/pages/about.adoc
+++ b/security/spring/src/main/adoc/modules/spring/pages/about.adoc
@@ -31,7 +31,10 @@ In the webapp module of your application, add the following dependency:
[[_update-appmanifest]]
== Update AppManifest
-In your application's `AppManifest` (top-level Spring `@Configuration` used to bootstrap the app), import the
+In your application's `AppManifest` (top-level Spring `@Configuration` used to bootstrap the app), import the `IsisModuleSecuritySpring` module and remove any other `IsisModuleSecurityXxx` modules.
+
+Also, as this module provides no implementation of the xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, instead you will need some an alternative implementation, such as the xref:bypass:about.adoc[Bypass] implementation.
+(Note: this will in effect disable authorisation checks).
[source,java]
.AppManifest.java
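Review bot: the note "(Note: this will in effect disable authorisation checks)" in the added paragraph is the security-relevant consequence of choosing Bypass and is easy to miss as a trailing parenthesis; consider making it a WARNING admonition placed directly under the sentence that recommends Bypass. The sentence before it also needs a wording fix: "instead you will need some an alternative implementation" has a stray "some an" and a redundant "instead".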
@@ -39,14 +42,15 @@ In your application's `AppManifest` (top-level Spring `@Configuration` used to b
@Configuration
@Import({
...
- IsisModuleSecuritySpring.class,
+ IsisModuleSecuritySpring.class, // <.>
+ AuthorizorBypass.class, // <.>
...
})
public class AppManifest {
}
----
-
-Make sure that no other `IsisModuleSecurityXxx` module is imported.
+<.> make sure that no other `IsisModuleSecurityXxx` module is imported.
+<.> or some other implementation of `Authorizor`.
== Design
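Review bot: the callout for `AuthorizorBypass.class` says only "or some other implementation of `Authorizor`", so a reader who copies the listing without reading the paragraph above gets no hint that this import turns authorisation checks off. Suggest extending that callout to say so, for example "disables authorisation checks; replace with a real `Authorizor` implementation as needed". Minor style point: both callout texts start in lower case ("make sure ...", "or some other ...") while the other callouts are full sentences.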
@@ -87,11 +91,13 @@ For an authenticated user the `org.apache.isis.viewer.wicket.roles.USER` role --
-== Walk-through : Simple Authentication
+== Walk-through : In-memory
Using Spring Security we can configure your app with various authentication providers.
In this section we describe how to modify the xref:docs:starters:helloworld.adoc[HelloWorld] starter app to use an in-memory authenticator.
+TIP: These changes have been applied to the `origin/jdo-spring-security-inmemory` branch.
+
=== Code Changes
First, we need an implementation of `WebSecurityConfigurerAdapter` to setup the inmemory authenticator:
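Review bot: renaming the heading from "Walk-through : Simple Authentication" to "Walk-through : In-memory" changes the auto-generated section id unless an explicit anchor is set, as `[[_update-appmanifest]]` is for the earlier section, so any xref or external link to the old id will break. Suggest adding an explicit anchor above the heading, or checking for inbound references before merging.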
@@ -120,7 +126,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter
<.> at least one role must be assigned to each user.
Next, we configure the necessary components (including `SecurityConfig`, above).
-As Apache Isis' Spring security module does not provide an implementation of the xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, we use an alternative implementation from the xref:bypass:about.adoc[Bypass] implementation (this will in effect disable authorisation checks):
+As discussed <<_update-appmanifest,above>>, we need to reference Apache Isis' Spring security module and also an implementation of xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, eg the xref:bypass:about.adoc[Bypass] implementation:
[source,java]
.AppManifest.java
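Review bot: the replacement sentence drops the clause "(this will in effect disable authorisation checks)" that the removed line carried, so this walk-through now relies entirely on the `<<_update-appmanifest,above>>` cross-reference for that warning. Readers who land directly on the walk-through will not see it; suggest keeping a short reminder next to the mention of Bypass. Also "eg" should be "e.g.".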
@@ -130,18 +136,17 @@ As Apache Isis' Spring security module does not provide an implementation of the
...
IsisModuleSecuritySpring.class,
AuthorizorBypass.class,
- SecurityConfig.class, // <.>
+ SecurityConfig.class,
...
})
public class AppManifest {
}
----
-<.> as above
=== Code Patch
-In the current release of Apache Isis ({page-rel}), there is an issue with its `SpringSecurityFilter`; it does not recognise `UserDetails` as a valid authenticated principal.
+In the current release of Apache Isis ({page-isisrel}), there is an issue with its `SpringSecurityFilter`; it does not recognise `UserDetails` as a valid authenticated principal.
We therefore (for now) need to patch in our own replacement.
[source,java]
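Review bot: the switch from `{page-rel}` to `{page-isisrel}` in the "Code Patch" paragraph needs a matching attribute definition, and none is visible in this diff. Please confirm `page-isisrel` is defined for this page or component, otherwise the sentence will render with the unresolved attribute reference. The phrase "In the current release" would also benefit from a pointer to the tracking ticket so readers can tell when the patch is no longer needed.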
@@ -195,7 +200,9 @@ public class SpringSecurityFilter implements Filter {
}
----
-Finally, (and optionally), the swagger/REST API is not configured for oauth2, so we replace the `index.html` page with one to redirect straight to the xref:vw::about.adoc[Wicket Viewer]:
+=== Tidying up
+
+Finally, (and optionally), the swagger/REST API is not configured for spring security, so we replace the `index.html` page with one to redirect straight to the xref:vw::about.adoc[Wicket Viewer]:
[source,html]
.static/index.html
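Review bot: the sentence under "=== Tidying up" says the swagger/REST API is not configured for spring security and then only replaces `index.html` with a redirect, which removes the link but does not say whether the REST endpoints themselves are still reachable without authentication. Suggest stating that explicitly, and if they are reachable, describing how to disable or protect them rather than presenting the redirect as "optional" tidying.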
@@ -227,12 +234,12 @@ Using Spring Security we can configure your app with various authentication prov
In this section we describe how to modify the xref:docs:starters:helloworld.adoc[HelloWorld] starter app to use github as an OAuth2 provider.
The steps here are based on link:https://spring.io/guides/tutorials/spring-boot-oauth2/[this Spring tutorial].
+TIP: These changes have been applied to the `origin/jdo-spring-security-oauth2` branch.
+
=== Code Changes
-First, we configure the necessary components:
+First, we add in the OAuth2 client dependency:
-* add in OAuth2 client dependency:
-+
[source,xml]
.pom.xml
----
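Review bot: the TIP "These changes have been applied to the `origin/jdo-spring-security-oauth2` branch" does not say which repository the branch belongs to, and `origin/` is only meaningful relative to the reader's own clone. Suggest naming the repository (presumably the HelloWorld starter) and linking to the branch; the same applies to the in-memory TIP earlier in the page. "github" in the surrounding text should be capitalised as "GitHub".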
@@ -249,24 +256,7 @@ First, we configure the necessary components:
----
<.> excluded to avoid log4j2 <--> slf4j bidirectional dependency
-* in `AppManifest` (as described <<_update-appmanifest,above>>), import the `IsisModuleSecuritySpring` module and remove any other `IsisModuleSecurityXxx` modules
-
-* as this module provides no implementation of the xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, instead configure an alternative implementation from the xref:bypass:about.adoc[Bypass] implementation (this will in effect disable authorisation checks):
-+
-[source,java]
-.AppManifest.java
-----
-@Configuration
-@Import({
- ...
- AuthorizorBypass.class,
- ...
-})
-public class AppManifest {
-}
-----
-
-The OAuth2 integration provided by Spring (seemingly) forwards onto an "/login" endpoint immediately after the user has logged into github, but with an authenticated principal.
+Next: the OAuth2 integration provided by Spring (seemingly) forwards onto an "/login" endpoint immediately after the user has logged into github, but with an authenticated principal.
We therefore use a controller to simply forward directly onto the xref:vw::about.adoc[Wicket Viewer]:
* create this page to redirect:
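Review bot: in the rewritten sentence "Next: the OAuth2 integration provided by Spring (seemingly) forwards onto an "/login" endpoint", the hedge "(seemingly)" leaves the reader unsure whether the behaviour has been verified; either confirm it against the Spring documentation or say it is observed behaviour. It should also read "a `/login` endpoint". With the other bullets converted to prose, the remaining "* create this page to redirect:" is now a one-item list and could become prose too, and "Next" is used for two consecutive steps.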
@@ -305,14 +295,17 @@ public class LoginController {
}
----
-* register in `AppManifest`:
-+
+Next, we configure the necessary components (including `LoginController`, above).
+As discussed <<_update-appmanifest,above>>, we need to reference Apache Isis' Spring security module and also an implementation of xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, eg the xref:bypass:about.adoc[Bypass] implementation:
+
[source,java]
.AppManifest.java
----
@Configuration
@Import({
...
+ IsisModuleSecuritySpring.class,
+ AuthorizorBypass.class,
LoginController.class,
...
})
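Review bot: this listing adds `AuthorizorBypass.class` in the OAuth2 walk-through without the warning that the removed bullet carried ("this will in effect disable authorisation checks"). With GitHub as the identity provider, the text should say what limits access once a user has signed in, since Bypass applies no authorisation of its own. The introductory sentence is also a verbatim copy of the one in the in-memory section; a shared partial or include would keep the two from drifting.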
@@ -323,7 +316,7 @@ public class AppManifest {
=== Code Patch
-In the current release of Apache Isis ({page-rel}), there is an issue with its `SpringSecurityFilter`.
+In the current release of Apache Isis ({page-isisrel}), there is an issue with its `SpringSecurityFilter`.
We therefore (for now) need to patch in our own replacement.
[source,java]
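Review bot: the sentence "there is an issue with its `SpringSecurityFilter`." does not say what the issue is, whereas the in-memory section states that it does not recognise `UserDetails` as a valid authenticated principal. Suggest stating the OAuth2-specific problem here too, so readers can judge whether the replacement filter is still needed in a later release.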
@@ -377,8 +370,27 @@ public class SpringSecurityFilter implements Filter {
}
----
+
+=== Tidying up
+
Finally, (and optionally), the swagger/REST API is not configured for oauth2, so we replace the `index.html` page with one to redirect straight to the xref:vw::about.adoc[Wicket Viewer]:
+[source,html]
+.static/index.html
+----
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+ <meta http-equiv="refresh" content="0;url=/wicket/" />
+</head>
+<body>
+<div id="wrapper">
+ <!-- we just redirect immediately, because swagger/restful API not configured to use spring security -->
+</div>
+</body>
+</html>
+----
=== Configuration
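Review bot: the unchanged sentence above the new listing still says the swagger/REST API "is not configured for oauth2", while the HTML comment in the added `index.html` says "not configured to use spring security" and the in-memory section was changed to "spring security" in this same commit; pick one wording. In the listing itself, the `xmlns:th="http://www.thymeleaf.org"` namespace is declared but no `th:` attribute is used, and the self-closing `<meta ... />` does not match the HTML 4.01 doctype. As in the in-memory section, it would help to say whether the REST endpoints remain reachable after the redirect is in place.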
@@ -387,16 +399,16 @@ As described in the link:https://spring.io/guides/tutorials/spring-boot-oauth2/[
* register the app on github:
+
-image::register-github-oauth-app.png[]
+image::register-github-oauth-app.png[width=500px]
* obtain the clientId and create a new client secret:
+
-image::github-client-id.png[]
+image::github-client-id.png[width=600px]
* update the configuration:
+
[source,properties]
-.application-github-example.properties
+.config/application-github-example.properties
----
spring.security.oauth2.client.registration.github.clientId=XXXX
spring.security.oauth2.client.registration.github.clientSecret=XXXXXXXX
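Review bot: the listing puts `clientSecret` into `config/application-github-example.properties` with no guidance on keeping that file out of version control. Suggest a sentence telling readers to exclude the file from the repository or to supply the secret through an environment variable or externalised configuration instead. The new title `config/...` should also say what the `config/` directory is relative to (the classpath or the working directory).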
@@ -404,17 +416,17 @@ spring.security.oauth2.client.registration.github.clientSecret=XXXXXXXX
=== Run the application
-You should now be able to run the application, selecting the "github-example" profile using this JVM argument:
+You should now be able to run the application, setting the "github-example" profile using this JVM argument:
-Dspring.profiles.active=github-example
If you are already signed into github:
-image::github-already-signed-in.png[width=200px]
+image::github-already-signed-in.png[width=300px]
then you should be logged in directly; the app will show your user name:
-image::helloworld-shows-username.png[width=250px]
+image::helloworld-shows-username.png[width=300px]
On the other hand, if you are not signed in then you will be redirected to the github login page:
@@ -430,4 +442,4 @@ image::helloworld-shows-username.png[width=250px]
Finally, if you log out then Spring will show a page to allow you to trigger the login process:
-image::github-sign-in-again.png[width=500px]
+image::github-sign-in-again.png[width=600px]