This is an automated email from the ASF dual-hosted git repository.
ahuber pushed a commit to branch spring6
in repository https://gitbox.apache.org/repos/asf/isis.git
The following commit(s) were added to refs/heads/spring6 by this push:
new 29ed9746ee ISIS-3275: keycloak WebSecurityConfigurerAdapter was removed
29ed9746ee is described below
commit 29ed9746ee1d21624f49dafa7c82097680810e13
Author: Andi Huber <[email protected]>
AuthorDate: Mon Dec 5 11:48:33 2022 +0100
ISIS-3275: keycloak WebSecurityConfigurerAdapter was removed
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
---
.../keycloak/CausewayModuleSecurityKeycloak.java | 126 ++++++++++-----------
1 file changed, 58 insertions(+), 68 deletions(-)
diff --git
a/security/keycloak/src/main/java/org/apache/causeway/security/keycloak/CausewayModuleSecurityKeycloak.java
b/security/keycloak/src/main/java/org/apache/causeway/security/keycloak/CausewayModuleSecurityKeycloak.java
index ee28149955..9092784cfc 100644
---
a/security/keycloak/src/main/java/org/apache/causeway/security/keycloak/CausewayModuleSecurityKeycloak.java
+++
b/security/keycloak/src/main/java/org/apache/causeway/security/keycloak/CausewayModuleSecurityKeycloak.java
@@ -19,6 +19,7 @@
package org.apache.causeway.security.keycloak;
import java.util.Collections;
+import java.util.List;
import java.util.Map;
import
org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
@@ -26,8 +27,11 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.convert.converter.Converter;
+import
org.springframework.security.config.annotation.web.builders.HttpSecurity;
import
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
import
org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import
org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
@@ -35,10 +39,15 @@ import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.web.SecurityFilterChain;
+import
org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert;
import org.apache.causeway.core.config.CausewayConfiguration;
import
org.apache.causeway.core.runtimeservices.CausewayModuleCoreRuntimeServices;
+import
org.apache.causeway.core.security.authentication.login.LoginSuccessHandlerUNUSED;
import org.apache.causeway.core.webapp.CausewayModuleCoreWebapp;
import org.apache.causeway.security.keycloak.handler.LogoutHandlerForKeycloak;
import
org.apache.causeway.security.keycloak.services.KeycloakOauth2UserService;
@@ -67,20 +76,56 @@ import lombok.val;
@EnableWebSecurity
public class CausewayModuleSecurityKeycloak {
- //TODO[ISIS-3275] WebSecurityConfigurerAdapter was removed
- // see
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
-// @Bean
-// public WebSecurityConfigurerAdapter webSecurityConfigurer(
-// final CausewayConfiguration causewayConfiguration,
-// final KeycloakOauth2UserService keycloakOidcUserService,
-// final List<LoginSuccessHandlerUNUSED> loginSuccessHandlersUNUSED,
-// final List<LogoutHandler> logoutHandlers
-// ) {
-// //val realm =
causewayConfiguration.getSecurity().getKeycloak().getRealm();
-// return new
KeycloakWebSecurityConfigurerAdapter(keycloakOidcUserService, logoutHandlers,
causewayConfiguration
-// );
-// }
+ @Bean
+ public SecurityFilterChain filterChain(
+ final HttpSecurity http,
+ final CausewayConfiguration causewayConfiguration,
+ final KeycloakOauth2UserService keycloakOidcUserService,
+ final List<LoginSuccessHandlerUNUSED> loginSuccessHandlersUNUSED,
+ final List<LogoutHandler> logoutHandlers) throws Exception {
+
+
+ val successUrl =
causewayConfiguration.getSecurity().getKeycloak().getLoginSuccessUrl();
+ val realm =
causewayConfiguration.getSecurity().getKeycloak().getRealm();
+ val loginPage =
OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI
+ + "/" + realm;
+
+ val httpSecurityLogoutConfigurer =
+ http
+ .sessionManagement()
+ .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
+ .and()
+
+ .authorizeHttpRequests()
+ .anyRequest().authenticated()
+ .and()
+
+ // responsibility to propagate logout to Keycloak is performed
by
+ // LogoutHandlerForKeycloak (called by Causeway' LogoutMenu,
not by Spring)
+ // this is to ensure that Causeway can invalidate the http
session eagerly and not preserve it in
+ // the SecurityContextPersistenceFilter (which uses http
session to do its work)
+ .logout()
+ .logoutRequestMatcher(new
AntPathRequestMatcher("/logout"));
+
+ logoutHandlers.forEach(httpSecurityLogoutConfigurer::addLogoutHandler);
+
+ httpSecurityLogoutConfigurer
+ .and()
+
+ // This is the point where OAuth2 login of Spring 5 gets
enabled
+ .oauth2Login()
+ .defaultSuccessUrl(successUrl, true)
+// .successHandler(new
AuthSuccessHandler(loginSuccessHandlers))
+ .successHandler(new
SavedRequestAwareAuthenticationSuccessHandler())
+ .userInfoEndpoint()
+ .oidcUserService(keycloakOidcUserService)
+ .and()
+
+ .loginPage(loginPage);
+
+ return http.build();
+ }
@Bean
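Review bot: In the new `filterChain` bean the `.successHandler(new SavedRequestAwareAuthenticationSuccessHandler())` call right after `.defaultSuccessUrl(successUrl, true)` appears to replace the handler that `defaultSuccessUrl` installs, so the configured Keycloak `loginSuccessUrl` (and the always-use flag) is silently discarded and the redirect falls back to the saved request or the root URL; if the intent is to honour the configured URL, drop that `.successHandler(...)` line, or build the handler explicitly with `setDefaultTargetUrl(successUrl)` and `setAlwaysUseDefaultTargetUrl(true)` before passing it. The `loginSuccessHandlersUNUSED` parameter is injected but never read, and the commented-out `// .successHandler(new AuthSuccessHandler(loginSuccessHandlers))` line is carried over from the removed adapter; either wire it or remove both, since an unused injected `List` still forces bean resolution. `new AntPathRequestMatcher("/logout")` matches every HTTP method, so a plain GET triggers Spring's logout handlers while CSRF protection is left at its default; if the Causeway `LogoutMenu` does not depend on GET, `new AntPathRequestMatcher("/logout", "POST")` keeps logout under CSRF protection. A short Javadoc on the bean noting that logout propagation to Keycloak is done by `LogoutHandlerForKeycloak` rather than by this chain would make the inline comment's intent visible to callers.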
@@ -96,61 +141,6 @@ public class CausewayModuleSecurityKeycloak {
return new KeycloakOauth2UserService(jwtDecoder, authoritiesMapper,
causewayConfiguration);
}
-/*
- //TODO[ISIS-3275] WebSecurityConfigurerAdapter was removed
- // see
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
-
- @RequiredArgsConstructor
- public static class KeycloakWebSecurityConfigurerAdapter extends
WebSecurityConfigurerAdapter {
-
- private final KeycloakOauth2UserService keycloakOidcUserService;
- private final List<LogoutHandler> logoutHandlers;
- private final CausewayConfiguration causewayConfiguration;
-
- @Override
- public void configure(final HttpSecurity http) throws Exception {
-
- val successUrl =
causewayConfiguration.getSecurity().getKeycloak().getLoginSuccessUrl();
- val realm =
causewayConfiguration.getSecurity().getKeycloak().getRealm();
- val loginPage =
OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI
- + "/" + realm;
-
- val httpSecurityLogoutConfigurer =
- http
- .sessionManagement()
-
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
- .and()
-
- .authorizeRequests()
- .anyRequest().authenticated()
- .and()
-
- // responsibility to propagate logout to Keycloak is
performed by
- // LogoutHandlerForKeycloak (called by Causeway'
LogoutMenu, not by Spring)
- // this is to ensure that Causeway can invalidate the http
session eagerly and not preserve it in
- // the SecurityContextPersistenceFilter (which uses http
session to do its work)
- .logout()
- .logoutRequestMatcher(new
AntPathRequestMatcher("/logout"));
-
-
logoutHandlers.forEach(httpSecurityLogoutConfigurer::addLogoutHandler);
-
- httpSecurityLogoutConfigurer
- .and()
-
- // This is the point where OAuth2 login of Spring 5 gets
enabled
- .oauth2Login()
- .defaultSuccessUrl(successUrl, true)
-// .successHandler(new
AuthSuccessHandler(loginSuccessHandlers))
- .successHandler(new
SavedRequestAwareAuthenticationSuccessHandler())
- .userInfoEndpoint()
- .oidcUserService(keycloakOidcUserService)
- .and()
-
- .loginPage(loginPage);
- }
- }
-*/
-
// -- HELPER
private static NimbusJwtDecoder createNimbusJwtDecoder(final String
jwkSetUrl, final String jwsAlgorithms) {