Posted to commits@isis.apache.org by da...@apache.org on 2021/04/09 11:18:53 UTC

[isis] branch 2.0.0-M5 updated (0eeac40 -> 4c16248)

This is an automated email from the ASF dual-hosted git repository.

danhaywood pushed a change to branch 2.0.0-M5
in repository https://gitbox.apache.org/repos/asf/isis.git.


    from 0eeac40  ISIS-2484: adds some docs for spring sec
     new 5dcec80  ISIS-2484: fixes REVISION
     new c611745  ISIS-2484: adds docs on how to set up spring oauth2
     new b7ad0db  ISIS-2484: adds docs on security spring config walkthroughs
     new 4c16248  ISIS-2484: minor tweaks

The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../setupguide/modules/intellij/pages/about.adoc   |  17 +-
 .../jpa/adoc/modules/ROOT/pages/weaving.adoc       |   2 +-
 preview.sh                                         |   4 +
 .../main/adoc/modules/spring/images/github-2fa.png | Bin 0 -> 72571 bytes
 .../spring/images/github-already-signed-in.png     | Bin 0 -> 56943 bytes
 .../modules/spring/images/github-client-id.png     | Bin 0 -> 508338 bytes
 .../modules/spring/images/github-login-page.png    | Bin 0 -> 163287 bytes
 .../modules/spring/images/github-sign-in-again.png | Bin 0 -> 47166 bytes
 .../spring/images/helloworld-shows-username.png    | Bin 0 -> 13449 bytes
 .../spring/images/register-github-oauth-app.png    | Bin 0 -> 308822 bytes
 .../spring/images/spring-security-login.png        | Bin 0 -> 32133 bytes
 .../src/main/adoc/modules/spring/pages/about.adoc  | 391 ++++++++++++++++++++-
 12 files changed, 401 insertions(+), 13 deletions(-)
 create mode 100644 security/spring/src/main/adoc/modules/spring/images/github-2fa.png
 create mode 100644 security/spring/src/main/adoc/modules/spring/images/github-already-signed-in.png
 create mode 100644 security/spring/src/main/adoc/modules/spring/images/github-client-id.png
 create mode 100644 security/spring/src/main/adoc/modules/spring/images/github-login-page.png
 create mode 100644 security/spring/src/main/adoc/modules/spring/images/github-sign-in-again.png
 create mode 100644 security/spring/src/main/adoc/modules/spring/images/helloworld-shows-username.png
 create mode 100644 security/spring/src/main/adoc/modules/spring/images/register-github-oauth-app.png
 create mode 100644 security/spring/src/main/adoc/modules/spring/images/spring-security-login.png

[isis] 01/04: ISIS-2484: fixes REVISION


danhaywood pushed a commit to branch 2.0.0-M5
in repository https://gitbox.apache.org/repos/asf/isis.git

commit 5dcec8012f4432cf3e8ecf43202b6e9e100d77be
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Thu Apr 8 22:23:55 2021 +0100

    ISIS-2484: fixes REVISION
---
 preview.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/preview.sh b/preview.sh
index 0d78c24..a9d66a7 100644
--- a/preview.sh
+++ b/preview.sh
@@ -12,6 +12,10 @@ export ANTORA_TARGET_SITE=antora/target/site
 #
 PLAYBOOK_FILE=antora/playbooks/site.yml
 
+BRANCH=$(git branch --show-current)
+DATE=$(date +%Y%m%d-%H%M)
+export REVISION="${BRANCH}.${DATE}"
+
 while getopts 'ECDAKSLecdaksxylhf:' opt
 do
   case $opt in
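Review bot: the new `BRANCH=$(git branch --show-current)` line needs git 2.22 or later and a non-detached checkout; on a detached HEAD (the usual state on a CI runner or after checking out a tag) it prints nothing and `REVISION` becomes `.20210409-1118`. A fallback such as `BRANCH=${BRANCH:-$(git rev-parse --short HEAD)}` on the following line would keep the revision string meaningful in both cases.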

[isis] 03/04: ISIS-2484: adds docs on security spring config walkthroughs


danhaywood pushed a commit to branch 2.0.0-M5
in repository https://gitbox.apache.org/repos/asf/isis.git

commit b7ad0db1092af7675fa0924d300718574351b40a
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Fri Apr 9 11:42:13 2021 +0100

    ISIS-2484: adds docs on security spring config walkthroughs
---
 .../setupguide/modules/intellij/pages/about.adoc   |  17 +-
 .../jpa/adoc/modules/ROOT/pages/weaving.adoc       |   2 +-
 .../main/adoc/modules/spring/images/github-2fa.png | Bin 0 -> 72571 bytes
 .../spring/images/github-already-signed-in.png     | Bin 0 -> 56943 bytes
 .../modules/spring/images/github-login-page.png    | Bin 0 -> 163287 bytes
 .../modules/spring/images/github-sign-in-again.png | Bin 0 -> 47166 bytes
 .../spring/images/helloworld-shows-username.png    | Bin 0 -> 13449 bytes
 .../spring/images/spring-security-login.png        | Bin 0 -> 32133 bytes
 .../src/main/adoc/modules/spring/pages/about.adoc  | 174 +++++++++++++++++++--
 9 files changed, 177 insertions(+), 16 deletions(-)

diff --git a/antora/components/setupguide/modules/intellij/pages/about.adoc b/antora/components/setupguide/modules/intellij/pages/about.adoc
index 0a3f96d..0ddb2dc 100644
--- a/antora/components/setupguide/modules/intellij/pages/about.adoc
+++ b/antora/components/setupguide/modules/intellij/pages/about.adoc
@@ -66,7 +66,9 @@ On the *Annotation Processors* page, confirm that these are enabled for all of t
 .IntelliJ Annotation Processor Settings
 image::040-other-settings-compiler/020-annotation-processor.png[width="700px"]
 
-This setting enables the generation of the `Q*` classes for DataNucleus type-safe queries, as well as being required for frameworks such as xref:setupguide:ROOT:hints-and-tips.adoc#project-lombok[Project Lombok].
+If using xref:pjdo:ROOT:about.adoc[JDO/DataNucleus], this setting enables the generation of the `Q*` classes for DataNucleus type-safe queries.
+
+It is also required for frameworks such as link:https://projectlombok.org[Lombok].
 
 
 === Maven Settings
@@ -129,7 +131,18 @@ If the app uses xref:pjdo:ROOT:about.adoc[JDO], then Datanucleus enhancer should
 
 === Running the App (JPA)
 
-CAUTION: TODO - to document
+With JPA, the classes need to be "weaved" in order to support lazy loading and (more performant) dirty object tracking.
+This is typically done dynamically at runtime, using a Java agent.
+The xref:docs:starters:simpleapp.adoc[SimpleApp] and xref:docs:starters:helloworld.adoc[HelloWorld] starter apps demonstrate this, bundling the `spring-instrument-5.3.5.jar` file.
+To run, use:
+
+[source,bash]
+----
+-javaagent:lib/spring-instrument-5.3.5.jar
+----
+
+as a JVM argument (where the system properties also are located.)
+
 
 === Running the App (JDO)
 
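Review bot: the `-javaagent:lib/spring-instrument-5.3.5.jar` snippet hard-codes a Spring version that will go stale, and the surrounding paragraph is a near-verbatim copy of the text in `weaving.adoc` touched by the next hunk of this commit; an `include::` partial or an `xref:` to the weaving page would keep the two from drifting. The closing `as a JVM argument (where the system properties also are located.)` also reads oddly; `as a JVM argument (alongside any system properties).` says the same thing.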
diff --git a/persistence/jpa/adoc/modules/ROOT/pages/weaving.adoc b/persistence/jpa/adoc/modules/ROOT/pages/weaving.adoc
index 846bb2d..62edc90 100644
--- a/persistence/jpa/adoc/modules/ROOT/pages/weaving.adoc
+++ b/persistence/jpa/adoc/modules/ROOT/pages/weaving.adoc
@@ -5,7 +5,7 @@
 
 A responsibility of all ORMs is lazy loading of related objects (so as not to load all the data in one go), and tracking of objects as they are modified (to flush back to the database).
 
-With JPA, this is typically accomplished dynamically at runtime, using a Java agent.
+With JPA, this is typically done dynamically at runtime, using a Java agent.
 The xref:docs:starters:simpleapp.adoc[SimpleApp] and xref:docs:starters:helloworld.adoc[HelloWorld] starter apps demonstrate this, bundling the `spring-instrument-5.3.5.jar` file.
 To run, use:
 
diff --git a/security/spring/src/main/adoc/modules/spring/images/github-2fa.png b/security/spring/src/main/adoc/modules/spring/images/github-2fa.png
new file mode 100644
index 0000000..063696a
Binary files /dev/null and b/security/spring/src/main/adoc/modules/spring/images/github-2fa.png differ
diff --git a/security/spring/src/main/adoc/modules/spring/images/github-already-signed-in.png b/security/spring/src/main/adoc/modules/spring/images/github-already-signed-in.png
new file mode 100644
index 0000000..77eb6f2
Binary files /dev/null and b/security/spring/src/main/adoc/modules/spring/images/github-already-signed-in.png differ
diff --git a/security/spring/src/main/adoc/modules/spring/images/github-login-page.png b/security/spring/src/main/adoc/modules/spring/images/github-login-page.png
new file mode 100644
index 0000000..ea5e2d3
Binary files /dev/null and b/security/spring/src/main/adoc/modules/spring/images/github-login-page.png differ
diff --git a/security/spring/src/main/adoc/modules/spring/images/github-sign-in-again.png b/security/spring/src/main/adoc/modules/spring/images/github-sign-in-again.png
new file mode 100644
index 0000000..8020855
Binary files /dev/null and b/security/spring/src/main/adoc/modules/spring/images/github-sign-in-again.png differ
diff --git a/security/spring/src/main/adoc/modules/spring/images/helloworld-shows-username.png b/security/spring/src/main/adoc/modules/spring/images/helloworld-shows-username.png
new file mode 100644
index 0000000..cd09db4
Binary files /dev/null and b/security/spring/src/main/adoc/modules/spring/images/helloworld-shows-username.png differ
diff --git a/security/spring/src/main/adoc/modules/spring/images/spring-security-login.png b/security/spring/src/main/adoc/modules/spring/images/spring-security-login.png
new file mode 100644
index 0000000..9148996
Binary files /dev/null and b/security/spring/src/main/adoc/modules/spring/images/spring-security-login.png differ
diff --git a/security/spring/src/main/adoc/modules/spring/pages/about.adoc b/security/spring/src/main/adoc/modules/spring/pages/about.adoc
index faeb3d5..e6cae18 100644
--- a/security/spring/src/main/adoc/modules/spring/pages/about.adoc
+++ b/security/spring/src/main/adoc/modules/spring/pages/about.adoc
@@ -86,6 +86,141 @@ if(springAuthentication==null
 For an authenticated user the `org.apache.isis.viewer.wicket.roles.USER` role -- as required by xref:vw::about.adoc[Web UI (Wicket viewer)]  -- is automatically added to the list of roles.
 
 
+
+== Walk-through : Simple Authentication
+
+Using Spring Security we can configure your app with various authentication providers.
+In this section we describe how to modify the xref:docs:starters:helloworld.adoc[HelloWorld] starter app to use an in-memory authenticator.
+
+=== Code Changes
+
+First, we need an implementation of `WebSecurityConfigurerAdapter` to setup the inmemory authenticator:
+
+[source,java]
+----
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig extends WebSecurityConfigurerAdapter
+{
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.inMemoryAuthentication()
+                .withUser("sven")
+                .password(passwordEncoder().encode("pass"))
+                .roles("USER");   // <.>
+                ;
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+}
+----
+<.> at least one role must be assigned to each user.
+
+Next, we configure the necessary components (including `SecurityConfig`, above).
+As Apache Isis' Spring security module does not provide an implementation of the xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, we use an alternative implementation from the xref:bypass:about.adoc[Bypass] implementation (this will in effect disable authorisation checks):
+
+[source,java]
+.AppManifest.java
+----
+@Configuration
+@Import({
+        ...
+        IsisModuleSecuritySpring.class,
+        AuthorizorBypass.class,
+        SecurityConfig.class,           // <.>
+        ...
+})
+public class AppManifest {
+}
+----
+<.> as above
+
+
+=== Code Patch
+
+In the current release of Apache Isis ({page-rel}), there is an issue with its `SpringSecurityFilter`; it does not recognise `UserDetails` as a valid authenticated principal.
+We therefore (for now) need to patch in our own replacement.
+
+[source,java]
+.org/apache/isis/security/spring/webmodule/SpringSecurityFilter.java
+----
+package org.apache.isis.security.spring.webmodule;
+
+//...
+
+public class SpringSecurityFilter implements Filter {
+
+    @Autowired
+    private InteractionFactory isisInteractionFactory;
+
+    @Override
+    public void doFilter(
+            final ServletRequest servletRequest,
+            final ServletResponse servletResponse,
+            final FilterChain filterChain) throws IOException, ServletException {
+
+        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
+
+        org.springframework.security.core.Authentication springAuthentication = SecurityContextHolder.getContext().getAuthentication();
+        if(springAuthentication==null
+                || !springAuthentication.isAuthenticated()) {
+            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            return; // not authenticated
+        }
+
+        String principalIdentity;
+        Object principal = springAuthentication.getPrincipal();
+        if (principal instanceof UserDetails) {
+            final UserDetails user = (UserDetails) principal;
+            principalIdentity = user.getUsername();
+        } else {
+            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            return; // unknown principal type, not handled
+        }
+
+        UserMemento user = UserMemento.ofNameAndRoleNames(principalIdentity,
+                Stream.of("org.apache.isis.viewer.wicket.roles.USER"));
+        SimpleAuthentication authentication = SimpleAuthentication.validOf(user);
+        authentication.setType(Authentication.Type.EXTERNAL);
+
+        isisInteractionFactory.runAuthenticated(
+                authentication,
+                ()->{
+                    filterChain.doFilter(servletRequest, servletResponse);
+                });
+    }
+}
+----
+
+Finally, (and optionally), the swagger/REST API is not configured for oauth2, so we replace the `index.html` page with one to redirect straight to the xref:vw::about.adoc[Wicket Viewer]:
+
+[source,html]
+.static/index.html
+----
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <meta http-equiv="refresh" content="0;url=/wicket/" />
+</head>
+<body>
+<div id="wrapper">
+    <!-- we just redirect immediately, because swagger/restful API not configured to use spring security -->
+</div>
+</body>
+</html>
+----
+
+=== Run the application
+
+You should now be able to run the application.
+You will see that the usual login page is replaced by one provided by Spring:
+
+image::spring-security-login.png[width=300px]
+
 == Walk-through : OAuth2
 
 Using Spring Security we can configure your app with various authentication providers.
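Review bot: `SecurityConfig.configure()` ends the builder chain with `.roles("USER");   // <.>` and then a line containing only `;`, which Java accepts as an empty statement but which looks like an unfinished chain; drop the bare `;` line (or move the `;` and the callout onto it and remove the one after `.roles("USER")`). Two smaller points in the same hunk: the `.static/index.html` paragraph says the REST API is not configured for oauth2, but this is the in-memory walkthrough, so it should say Spring Security; and the replacement `SpringSecurityFilter` hands every `UserDetails` principal only `org.apache.isis.viewer.wicket.roles.USER` via `UserMemento.ofNameAndRoleNames(...)`, ignoring the authorities set by `inMemoryAuthentication().roles(...)`, which is worth stating next to the `<.> at least one role must be assigned` callout so readers do not expect those roles to flow through.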
@@ -114,7 +249,7 @@ First, we configure the necessary components:
 ----
 <.> excluded to avoid log4j2 <--> slf4j bidirectional dependency
 
-* in `AppManifest` (as described <<_update-appmanifest,above>>), import the `IsisModuleSecuritySpring` module
+* in `AppManifest` (as described <<_update-appmanifest,above>>), import the `IsisModuleSecuritySpring` module and remove any other `IsisModuleSecurityXxx` modules
 
 * as this module provides no implementation of the xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, instead configure  an alternative implementation from the xref:bypass:about.adoc[Bypass] implementation (this will in effect disable authorisation checks):
 +
@@ -218,27 +353,16 @@ public class SpringSecurityFilter implements Filter {
             return; // not authenticated
         }
 
-        String principalIdentity;
-
-        Object principal = springAuthentication.getPrincipal();
+         Object principal = springAuthentication.getPrincipal();
         if (principal instanceof OAuth2User) {
             OAuth2User oAuth2User = (OAuth2User) principal;
             final Object login = oAuth2User.getAttributes().get("login");
             principalIdentity = login instanceof String ? (String)login : oAuth2User.getName();
-        } else if (principal instanceof AuthenticatedPrincipal) {
-            AuthenticatedPrincipal authenticatedPrincipal = (AuthenticatedPrincipal) principal;
-            principalIdentity = authenticatedPrincipal.getName();
-        } else if (principal instanceof AbstractAuthenticationToken) {
-            final AbstractAuthenticationToken abstractAuthenticationToken = (AbstractAuthenticationToken) principal;
-            principalIdentity = abstractAuthenticationToken.getName();
-        } else if (principal instanceof String) {
-            principalIdentity = (String) principal;
         } else {
             httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
             return; // unknown principal type, not handled
         }
 
-
         UserMemento user = UserMemento.ofNameAndRoleNames(principalIdentity,
                 Stream.of("org.apache.isis.viewer.wicket.roles.USER"));
         SimpleAuthentication authentication = SimpleAuthentication.validOf(user);
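Review bot: this hunk deletes the `String principalIdentity;` declaration, but `principalIdentity = login instanceof String ? (String)login : oAuth2User.getName();` and the later `UserMemento.ofNameAndRoleNames(principalIdentity, ...)` still reference it, so the OAuth2 walkthrough's `SpringSecurityFilter` no longer compiles as shown; keep the declaration (it is assigned in only one branch, so it cannot simply be folded into the assignment). The replacement `Object principal = springAuthentication.getPrincipal();` line has also picked up an extra leading space relative to the surrounding statements.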
@@ -283,3 +407,27 @@ spring.security.oauth2.client.registration.github.clientSecret=XXXXXXXX
 You should now be able to run the application, selecting the "github-example" profile using this JVM argument:
 
     -Dspring.profiles.active=github-example
+
+If you are already signed into github:
+
+image::github-already-signed-in.png[width=200px]
+
+then you should be logged in directly; the app will show your user name:
+
+image::helloworld-shows-username.png[width=250px]
+
+On the other hand, if you are not signed in then you will be redirected to the github login page:
+
+image::github-login-page.png[width=300px]
+
+If you have 2FA enabled, then this also works:
+
+image::github-2fa.png[width=300px]
+
+and then, once again, you will be redirected to the app and it will show your user name:
+
+image::helloworld-shows-username.png[width=250px]
+
+Finally, if you log out then Spring will show a page to allow you to trigger the login process:
+
+image::github-sign-in-again.png[width=500px]

[isis] 04/04: ISIS-2484: minor tweaks


danhaywood pushed a commit to branch 2.0.0-M5
in repository https://gitbox.apache.org/repos/asf/isis.git

commit 4c16248d2b8381aea098cb23bac1581c90c7a230
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Fri Apr 9 12:18:38 2021 +0100

    ISIS-2484: minor tweaks
---
 .../src/main/adoc/modules/spring/pages/about.adoc  | 94 ++++++++++++----------
 1 file changed, 53 insertions(+), 41 deletions(-)

diff --git a/security/spring/src/main/adoc/modules/spring/pages/about.adoc b/security/spring/src/main/adoc/modules/spring/pages/about.adoc
index e6cae18..1d174e7 100644
--- a/security/spring/src/main/adoc/modules/spring/pages/about.adoc
+++ b/security/spring/src/main/adoc/modules/spring/pages/about.adoc
@@ -31,7 +31,10 @@ In the webapp module of your application, add the following dependency:
 [[_update-appmanifest]]
 == Update AppManifest
 
-In your application's `AppManifest` (top-level Spring `@Configuration` used to bootstrap the app), import the
+In your application's `AppManifest` (top-level Spring `@Configuration` used to bootstrap the app), import the `IsisModuleSecuritySpring` module and remove any other `IsisModuleSecurityXxx` modules.
+
+Also, as this module provides no implementation of the xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, instead you will need some an alternative implementation, such as the xref:bypass:about.adoc[Bypass] implementation.
+(Note: this will in effect disable authorisation checks).
 
 [source,java]
 .AppManifest.java
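Review bot: the new sentence reads `you will need some an alternative implementation`; drop `some`. The trailing `(Note: this will in effect disable authorisation checks).` applies only to the Bypass option named just before it, so attach it to that clause (e.g. `such as the Bypass implementation, which disables authorisation checks altogether`) rather than leaving a stand-alone parenthetical that reads as though every alternative disables authorisation.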
@@ -39,14 +42,15 @@ In your application's `AppManifest` (top-level Spring `@Configuration` used to b
 @Configuration
 @Import({
         ...
-        IsisModuleSecuritySpring.class,
+        IsisModuleSecuritySpring.class,     // <.>
+        AuthorizorBypass.class,             // <.>
         ...
 })
 public class AppManifest {
 }
 ----
-
-Make sure that no other `IsisModuleSecurityXxx` module is imported.
+<.> make sure that no other `IsisModuleSecurityXxx` module is imported.
+<.> or some other implementation of `Authorizor`.
 
 
 == Design
@@ -87,11 +91,13 @@ For an authenticated user the `org.apache.isis.viewer.wicket.roles.USER` role --
 
 
 
-== Walk-through : Simple Authentication
+== Walk-through : In-memory
 
 Using Spring Security we can configure your app with various authentication providers.
 In this section we describe how to modify the xref:docs:starters:helloworld.adoc[HelloWorld] starter app to use an in-memory authenticator.
 
+TIP: These changes have been applied to the `origin/jdo-spring-security-inmemory` branch.
+
 === Code Changes
 
 First, we need an implementation of `WebSecurityConfigurerAdapter` to setup the inmemory authenticator:
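Review bot: the added `TIP: These changes have been applied to the origin/jdo-spring-security-inmemory branch.` names a remote-relative ref without saying which repository it lives in; `origin` means nothing to a reader of the published docs, so name the repository (presumably the HelloWorld starter app) and drop the `origin/` prefix. In the unchanged context line, `setup` as a verb should be `set up` and `inmemory` should be `in-memory`, matching the new heading `Walk-through : In-memory`.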
@@ -120,7 +126,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter
 <.> at least one role must be assigned to each user.
 
 Next, we configure the necessary components (including `SecurityConfig`, above).
-As Apache Isis' Spring security module does not provide an implementation of the xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, we use an alternative implementation from the xref:bypass:about.adoc[Bypass] implementation (this will in effect disable authorisation checks):
+As discussed <<_update-appmanifest,above>>, we need to reference Apache Isis' Spring security module and also an implementation of xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, eg the xref:bypass:about.adoc[Bypass] implementation:
 
 [source,java]
 .AppManifest.java
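Review bot: in the rewritten sentence, `an implementation of xref:...[Authorizor] SPI` needs `the` before the xref, and `eg` should be `e.g.`; the same sentence is repeated verbatim in the OAuth2 walkthrough later in this commit, so a shared partial or a plain `<<_update-appmanifest,see above>>` would avoid maintaining two copies.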
@@ -130,18 +136,17 @@ As Apache Isis' Spring security module does not provide an implementation of the
         ...
         IsisModuleSecuritySpring.class,
         AuthorizorBypass.class,
-        SecurityConfig.class,           // <.>
+        SecurityConfig.class,
         ...
 })
 public class AppManifest {
 }
 ----
-<.> as above
 
 
 === Code Patch
 
-In the current release of Apache Isis ({page-rel}), there is an issue with its `SpringSecurityFilter`; it does not recognise `UserDetails` as a valid authenticated principal.
+In the current release of Apache Isis ({page-isisrel}), there is an issue with its `SpringSecurityFilter`; it does not recognise `UserDetails` as a valid authenticated principal.
 We therefore (for now) need to patch in our own replacement.
 
 [source,java]
@@ -195,7 +200,9 @@ public class SpringSecurityFilter implements Filter {
 }
 ----
 
-Finally, (and optionally), the swagger/REST API is not configured for oauth2, so we replace the `index.html` page with one to redirect straight to the xref:vw::about.adoc[Wicket Viewer]:
+=== Tidying up
+
+Finally, (and optionally), the swagger/REST API is not configured for spring security, so we replace the `index.html` page with one to redirect straight to the xref:vw::about.adoc[Wicket Viewer]:
 
 [source,html]
 .static/index.html
@@ -227,12 +234,12 @@ Using Spring Security we can configure your app with various authentication prov
 In this section we describe how to modify the xref:docs:starters:helloworld.adoc[HelloWorld] starter app to use github as an OAuth2 provider.
 The steps here are based on link:https://spring.io/guides/tutorials/spring-boot-oauth2/[this Spring tutorial].
 
+TIP: These changes have been applied to the `origin/jdo-spring-security-oauth2` branch.
+
 === Code Changes
 
-First, we configure the necessary components:
+First, we add in the OAuth2 client dependency:
 
-* add in OAuth2 client dependency:
-+
 [source,xml]
 .pom.xml
 ----
@@ -249,24 +256,7 @@ First, we configure the necessary components:
 ----
 <.> excluded to avoid log4j2 <--> slf4j bidirectional dependency
 
-* in `AppManifest` (as described <<_update-appmanifest,above>>), import the `IsisModuleSecuritySpring` module and remove any other `IsisModuleSecurityXxx` modules
-
-* as this module provides no implementation of the xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, instead configure  an alternative implementation from the xref:bypass:about.adoc[Bypass] implementation (this will in effect disable authorisation checks):
-+
-[source,java]
-.AppManifest.java
-----
-@Configuration
-@Import({
-        ...
-        AuthorizorBypass.class,
-        ...
-})
-public class AppManifest {
-}
-----
-
-The OAuth2 integration provided by Spring (seemingly) forwards onto an "/login" endpoint immediately after the user has logged into github, but with an authenticated principal.
+Next: the OAuth2 integration provided by Spring (seemingly) forwards onto an "/login" endpoint immediately after the user has logged into github, but with an authenticated principal.
 We therefore use a controller to simply forward directly onto the xref:vw::about.adoc[Wicket Viewer]:
 
 * create this page to redirect:
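Review bot: `Next: the OAuth2 integration provided by Spring (seemingly) forwards onto an "/login" endpoint` carries a hedge (`seemingly`) into reference documentation; either confirm the redirect target against Spring Security's OAuth2 login flow and state it plainly, or phrase it as an observation about this starter app. The `AppManifest` bullets removed here reappear consolidated later in this commit, so nothing is lost by the deletion.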
@@ -305,14 +295,17 @@ public class LoginController {
 }
 ----
 
-* register in `AppManifest`:
-+
+Next, we configure the necessary components (including `LoginController`, above).
+As discussed <<_update-appmanifest,above>>, we need to reference Apache Isis' Spring security module and also an implementation of xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, eg the xref:bypass:about.adoc[Bypass] implementation:
+
 [source,java]
 .AppManifest.java
 ----
 @Configuration
 @Import({
         ...
+        IsisModuleSecuritySpring.class,
+        AuthorizorBypass.class,
         LoginController.class,
         ...
 })
@@ -323,7 +316,7 @@ public class AppManifest {
 
 === Code Patch
 
-In the current release of Apache Isis ({page-rel}), there is an issue with its `SpringSecurityFilter`.
+In the current release of Apache Isis ({page-isisrel}), there is an issue with its `SpringSecurityFilter`.
 We therefore (for now) need to patch in our own replacement.
 
 [source,java]
@@ -377,8 +370,27 @@ public class SpringSecurityFilter implements Filter {
 }
 ----
 
+
+=== Tidying up
+
 Finally, (and optionally), the swagger/REST API is not configured for oauth2, so we replace the `index.html` page with one to redirect straight to the xref:vw::about.adoc[Wicket Viewer]:
 
+[source,html]
+.static/index.html
+----
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <meta http-equiv="refresh" content="0;url=/wicket/" />
+</head>
+<body>
+<div id="wrapper">
+    <!-- we just redirect immediately, because swagger/restful API not configured to use spring security -->
+</div>
+</body>
+</html>
+----
 
 === Configuration
 
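Review bot: the `.static/index.html` block added here is identical to the one in the In-memory walkthrough above; maintain it once as an `include::` partial rather than in two places. The page itself declares `xmlns:th="http://www.thymeleaf.org"` without using any `th:` attributes and pairs an HTML 4.01 doctype with an `ISO-8859-1` charset; a plain `<!DOCTYPE html>`, `<meta charset="UTF-8">` and the `refresh` meta would do the same job with less to explain.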
@@ -387,16 +399,16 @@ As described in the link:https://spring.io/guides/tutorials/spring-boot-oauth2/[
 
 * register the app on github:
 +
-image::register-github-oauth-app.png[]
+image::register-github-oauth-app.png[width=500px]
 
 * obtain the clientId and create a new client secret:
 +
-image::github-client-id.png[]
+image::github-client-id.png[width=600px]
 
 * update the configuration:
 +
 [source,properties]
-.application-github-example.properties
+.config/application-github-example.properties
 ----
 spring.security.oauth2.client.registration.github.clientId=XXXX
 spring.security.oauth2.client.registration.github.clientSecret=XXXXXXXX
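Review bot: moving the file to `config/application-github-example.properties` is sensible, but the walkthrough should say how the real `clientSecret` stays out of version control: either keep `config/*.properties` out of the repository, or leave the `XXXXXXXX` placeholder in the file and supply the value at runtime through Spring Boot's relaxed binding (for example the environment variable `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITHUB_CLIENTSECRET`). A one-line admonition beside the properties block would cover it.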
@@ -404,17 +416,17 @@ spring.security.oauth2.client.registration.github.clientSecret=XXXXXXXX
 
 === Run the application
 
-You should now be able to run the application, selecting the "github-example" profile using this JVM argument:
+You should now be able to run the application, setting the "github-example" profile using this JVM argument:
 
     -Dspring.profiles.active=github-example
 
 If you are already signed into github:
 
-image::github-already-signed-in.png[width=200px]
+image::github-already-signed-in.png[width=300px]
 
 then you should be logged in directly; the app will show your user name:
 
-image::helloworld-shows-username.png[width=250px]
+image::helloworld-shows-username.png[width=300px]
 
 On the other hand, if you are not signed in then you will be redirected to the github login page:
 
@@ -430,4 +442,4 @@ image::helloworld-shows-username.png[width=250px]
 
 Finally, if you log out then Spring will show a page to allow you to trigger the login process:
 
-image::github-sign-in-again.png[width=500px]
+image::github-sign-in-again.png[width=600px]

[isis] 02/04: ISIS-2484: adds docs on how to set up spring oauth2


danhaywood pushed a commit to branch 2.0.0-M5
in repository https://gitbox.apache.org/repos/asf/isis.git

commit c6117454ea311051c30dba3b2eaf9cf6ad056058
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Fri Apr 9 10:42:54 2021 +0100

    ISIS-2484: adds docs on how to set up spring oauth2
---
 .../modules/spring/images/github-client-id.png     | Bin 0 -> 508338 bytes
 .../spring/images/register-github-oauth-app.png    | Bin 0 -> 308822 bytes
 .../src/main/adoc/modules/spring/pages/about.adoc  | 223 ++++++++++++++++++++-
 3 files changed, 217 insertions(+), 6 deletions(-)

diff --git a/security/spring/src/main/adoc/modules/spring/images/github-client-id.png b/security/spring/src/main/adoc/modules/spring/images/github-client-id.png
new file mode 100644
index 0000000..cc95a52
Binary files /dev/null and b/security/spring/src/main/adoc/modules/spring/images/github-client-id.png differ
diff --git a/security/spring/src/main/adoc/modules/spring/images/register-github-oauth-app.png b/security/spring/src/main/adoc/modules/spring/images/register-github-oauth-app.png
new file mode 100644
index 0000000..0a00075
Binary files /dev/null and b/security/spring/src/main/adoc/modules/spring/images/register-github-oauth-app.png differ
diff --git a/security/spring/src/main/adoc/modules/spring/pages/about.adoc b/security/spring/src/main/adoc/modules/spring/pages/about.adoc
index 66fa230..faeb3d5 100644
--- a/security/spring/src/main/adoc/modules/spring/pages/about.adoc
+++ b/security/spring/src/main/adoc/modules/spring/pages/about.adoc
@@ -1,16 +1,34 @@
-= Sring Security
+= Spring Security
 
 :Notice: Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at. http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or ag [...]
 :page-partial:
 
-WARNING: TODO: this content has not yet been reviewed/updated for v2.0
 
-This guide describes the configuration of the Spring implementation of Apache Isis' `Authenticator and `Authorizor` APIs.
+This guide describes the configuration of the Spring implementation of Apache Isis' xref:refguide:core:index/security/authentication/Authenticator.adoc[Authenticator] SPI.
 
+It does _not_ however provide any implementation of xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI.
+You will therefore need to configure an alternative implementation, eg the xref:bypass:about.adoc[Bypass] implementation (to disable authorisation checks completely), or use the xref:secman:about.adoc[SecMan] implementation.
 
-include::docs:mavendeps:partial$setup-and-configure-mavendeps-webapp.adoc[leveloffset=+1]
 
+include::docs:mavendeps:partial$setup-and-configure-dependencyManagement.adoc[leveloffset=+1]
 
+
+== Dependency
+
+In the webapp module of your application, add the following dependency:
+
+[source,xml]
+.pom.xml
+----
+<dependencies>
+    <dependency>
+        <groupId>org.apache.isis.security</groupId>
+        <artifactId>isis-security-spring</artifactId>
+    </dependency>
+</dependencies>
+----
+
+[[_update-appmanifest]]
 == Update AppManifest
 
 In your application's `AppManifest` (top-level Spring `@Configuration` used to bootstrap the app), import the
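Review bot: dropping the `WARNING: TODO: this content has not yet been reviewed/updated for v2.0` admonition is fine now that the page has been rewritten, but the same page goes on to document a defect in `SpringSecurityFilter` that readers must work around by patching in their own copy; a `NOTE:` near the top saying so would set expectations. Style: `eg` in the new Authorizor sentence should be `e.g.`.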
@@ -68,7 +86,200 @@ if(springAuthentication==null
 For an authenticated user the `org.apache.isis.viewer.wicket.roles.USER` role -- as required by xref:vw::about.adoc[Web UI (Wicket viewer)]  -- is automatically added to the list of roles.
 
 
-== Walk-through
+== Walk-through : OAuth2
+
+Using Spring Security we can configure your app with various authentication providers.
+In this section we describe how to modify the xref:docs:starters:helloworld.adoc[HelloWorld] starter app to use github as an OAuth2 provider.
+The steps here are based on link:https://spring.io/guides/tutorials/spring-boot-oauth2/[this Spring tutorial].
+
+=== Code Changes
+
+First, we configure the necessary components:
+
+* add in OAuth2 client dependency:
++
+[source,xml]
+.pom.xml
+----
+<dependency>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-oauth2-client</artifactId>
+    <exclusions>
+        <exclusion>
+            <groupId>org.springframework.boot</groupId>           <!--.-->
+            <artifactId>spring-boot-starter-logging</artifactId>
+        </exclusion>
+    </exclusions>
+</dependency>
+----
+<.> excluded to avoid log4j2 <--> slf4j bidirectional dependency
+
+* in `AppManifest` (as described <<_update-appmanifest,above>>), import the `IsisModuleSecuritySpring` module
+
+* as this module provides no implementation of the xref:refguide:core:index/security/authorization/Authorizor.adoc[Authorizor] SPI, instead configure  an alternative implementation from the xref:bypass:about.adoc[Bypass] implementation (this will in effect disable authorisation checks):
++
+[source,java]
+.AppManifest.java
+----
+@Configuration
+@Import({
+        ...
+        AuthorizorBypass.class,
+        ...
+})
+public class AppManifest {
+}
+----
+
+The OAuth2 integration provided by Spring (seemingly) forwards onto an "/login" endpoint immediately after the user has logged into github, but with an authenticated principal.
+We therefore use a controller to simply forward directly onto the xref:vw::about.adoc[Wicket Viewer]:
+
+* create this page to redirect:
++
+[source,html]
+.templates/redirect-immediately.html
+----
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+        <meta http-equiv="refresh" content="0;url=/wicket/" />
+    </head>
+    <body>
+        <div id="wrapper">
+        </div>
+    </body>
+</html>
+----
+
+* define this controller for `/login`:
++
+[source,java]
+.LoginController.java
+----
+@Controller
+@RequestMapping({"/login"})
+public class LoginController {
+
+    @RequestMapping(
+        produces = {"text/html"}
+    )
+    public String login(HttpServletRequest request, HttpServletResponse response) {
+        return "redirect-immediately";
+    }
+}
+----
+
+* register in `AppManifest`:
++
+[source,java]
+.AppManifest.java
+----
+@Configuration
+@Import({
+        ...
+        LoginController.class,
+        ...
+})
+public class AppManifest {
+}
+----
+
+
+=== Code Patch
+
+In the current release of Apache Isis ({page-rel}), there is an issue with its `SpringSecurityFilter`.
+We therefore (for now) need to patch in our own replacement.
+
+[source,java]
+.org/apache/isis/security/spring/webmodule/SpringSecurityFilter.java
+----
+package org.apache.isis.security.spring.webmodule;
+
+//...
+
+public class SpringSecurityFilter implements Filter {
+
+    @Autowired
+    private InteractionFactory isisInteractionFactory;
+
+    @Override
+    public void doFilter(
+            final ServletRequest servletRequest,
+            final ServletResponse servletResponse,
+            final FilterChain filterChain) throws IOException, ServletException {
+
+        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
+
+        org.springframework.security.core.Authentication springAuthentication = SecurityContextHolder.getContext().getAuthentication();
+        if(springAuthentication==null
+                || !springAuthentication.isAuthenticated()) {
+            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            return; // not authenticated
+        }
+
+        String principalIdentity;
+
+        Object principal = springAuthentication.getPrincipal();
+        if (principal instanceof OAuth2User) {
+            OAuth2User oAuth2User = (OAuth2User) principal;
+            final Object login = oAuth2User.getAttributes().get("login");
+            principalIdentity = login instanceof String ? (String)login : oAuth2User.getName();
+        } else if (principal instanceof AuthenticatedPrincipal) {
+            AuthenticatedPrincipal authenticatedPrincipal = (AuthenticatedPrincipal) principal;
+            principalIdentity = authenticatedPrincipal.getName();
+        } else if (principal instanceof AbstractAuthenticationToken) {
+            final AbstractAuthenticationToken abstractAuthenticationToken = (AbstractAuthenticationToken) principal;
+            principalIdentity = abstractAuthenticationToken.getName();
+        } else if (principal instanceof String) {
+            principalIdentity = (String) principal;
+        } else {
+            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            return; // unknown principal type, not handled
+        }
+
+
+        UserMemento user = UserMemento.ofNameAndRoleNames(principalIdentity,
+                Stream.of("org.apache.isis.viewer.wicket.roles.USER"));
+        SimpleAuthentication authentication = SimpleAuthentication.validOf(user);
+        authentication.setType(Authentication.Type.EXTERNAL);
+
+        isisInteractionFactory.runAuthenticated(
+                authentication,
+                ()->{
+                    filterChain.doFilter(servletRequest, servletResponse);
+                });
+    }
+}
+----
+
+Finally, (and optionally), the swagger/REST API is not configured for oauth2, so we replace the `index.html` page with one to redirect straight to the xref:vw::about.adoc[Wicket Viewer]:
+
+
+=== Configuration
+
+We are now ready to configure the app.
+As described in the link:https://spring.io/guides/tutorials/spring-boot-oauth2/[this Spring tutorial]:
+
+* register the app on github:
++
+image::register-github-oauth-app.png[]
+
+* obtain the clientId and create a new client secret:
++
+image::github-client-id.png[]
+
+* update the configuration:
++
+[source,properties]
+.application-github-example.properties
+----
+spring.security.oauth2.client.registration.github.clientId=XXXX
+spring.security.oauth2.client.registration.github.clientSecret=XXXXXXXX
+----
+
+=== Run the application
 
-WARNING: TODO - show how this fits together.
+You should now be able to run the application, selecting the "github-example" profile using this JVM argument:
 
+    -Dspring.profiles.active=github-example
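Review bot: in the replacement `SpringSecurityFilter`, the guard `springAuthentication==null || !springAuthentication.isAuthenticated()` does not reject Spring Security's `AnonymousAuthenticationToken`, which reports `isAuthenticated()` as true and carries a `String` principal (by default "anonymousUser"); with anonymous access enabled, that token would fall through to the `principal instanceof String` branch and be turned into an Isis user named "anonymousUser" holding the `org.apache.isis.viewer.wicket.roles.USER` role. Add an explicit check (for example `springAuthentication instanceof AnonymousAuthenticationToken`, or `AuthenticationTrustResolver.isAnonymous(...)`) that returns `SC_UNAUTHORIZED` before the principal is inspected. Related: the `OAuth2User` branch keys the Isis identity on the GitHub `login` attribute, which a user can rename; either use the stable numeric `id` attribute or document why the mutable login name is acceptable here. Two documentation gaps in the same hunk: the sentence "Finally, (and optionally), the swagger/REST API is not configured for oauth2, so we replace the `index.html` page ..." ends in a colon but the replacement page never follows, and "As described in the link:...[this Spring tutorial]:" should drop the leading "the".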