
Commit 53adfbb3 authored by Joze RIHTARSIC

Pull request #184: Add SSLClientCertificate authentication

Merge in EDELIVERY/smp from feature/EDELIVERY-9011-implement-sslclientcert-authentication to development

* commit 'cebad14509ff3cb08a385b6ed69463fa2b8f1a97':
  add SSLClientCertificate authentication
parents 596a43a9 a14f7e6f
Showing with 241 additions and 213 deletions
Domibus 4.2 eDelivery SMP 4.2
- added new properties: - added new properties:
smp.ui.authentication.types: Set list of '|' separated UI authentication types. Currently supported PASSWORD, SSO: ex. PASSWORD|SSO
smp.automation.authentication.types: Set list of '|' separated automation authentication types (Web-Service integration). Currently supported PASSWORD, CERT: ex. PASSWORD|CERT
smp.http.forwarded.headers.enabled to control usage of Forwarded parameters RP/LoadBalancer. smp.http.forwarded.headers.enabled to control usage of Forwarded parameters RP/LoadBalancer.
smp.ui.session.secure: Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks. smp.ui.session.secure: Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
smp.ui.session.max-age: Number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. Empty value will not set parameter smp.ui.session.max-age: Number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. Empty value will not set parameter
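Review bot: The smp.automation.authentication.types entry lists the supported values as "PASSWORD, CERT: ex. PASSWORD|CERT", but the enum this commit introduces (SMPAutomationAuthenticationTypes) has the constant CERTIFICATE and the property default is PASSWORD|CERTIFICATE. An administrator following these notes would configure CERT and not get certificate authentication; please align the changelog with the enum spelling.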
...@@ -7,7 +9,6 @@ Domibus 4.2 ...@@ -7,7 +9,6 @@ Domibus 4.2
smp.ui.session.path: A path that must exist in the requested URL, or the browser won't send the Cookie header. Null/Empty value sets the authentication requests context by default. The forward slash (/) character is interpreted as a directory separator, and subdirectories will be matched as well: for Path=/docs, /docs, /docs/Web/, and /docs/Web/HTTP will all match. smp.ui.session.path: A path that must exist in the requested URL, or the browser won't send the Cookie header. Null/Empty value sets the authentication requests context by default. The forward slash (/) character is interpreted as a directory separator, and subdirectories will be matched as well: for Path=/docs, /docs, /docs/Web/, and /docs/Web/HTTP will all match.
smp.ui.session.idle_timeout.admin: Specifies the time, in seconds, between client requests before the SMP will invalidate session for ADMIN users (System)! smp.ui.session.idle_timeout.admin: Specifies the time, in seconds, between client requests before the SMP will invalidate session for ADMIN users (System)!
smp.ui.session.idle_timeout.user: Specifies the time, in seconds, between client requests before the SMP will invalidate session for users (Service group, SMP Admin) smp.ui.session.idle_timeout.user: Specifies the time, in seconds, between client requests before the SMP will invalidate session for users (Service group, SMP Admin)
smp.sso.cas.enabled: Enable/disable CAS authentication.
smp.sso.cas.ui.label: The SSO service provider label. smp.sso.cas.ui.label: The SSO service provider label.
smp.sso.cas.url: The SSO CAS URL enpoint smp.sso.cas.url: The SSO CAS URL enpoint
smp.sso.cas.urlpath.login: The CAS URL path for login. Complete URL is composed from parameters: ${smp.sso.cas.url}/${smp.sso.cas.urlpath.login}. smp.sso.cas.urlpath.login: The CAS URL path for login. Complete URL is composed from parameters: ${smp.sso.cas.url}/${smp.sso.cas.urlpath.login}.
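Review bot: Typo in the smp.sso.cas.url description, "enpoint" should read "endpoint"; it is unchanged context here, but the same string is the property description in SMPPropertyEnum, so it is worth fixing while the file is touched. Dropping smp.sso.cas.enabled from the notes matches the removal of SSO_CAS_ENABLED, but a line telling administrators that SSO is now switched on by listing SSO in smp.ui.authentication.types would save anyone migrating from the old flag a surprise.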
...@@ -22,10 +22,9 @@ ...@@ -22,10 +22,9 @@
<version>4.2-SNAPSHOT</version> <version>4.2-SNAPSHOT</version>
<modules> <modules>
<!-- module>smp-parent-pom</module -->
<module>smp-api</module> <module>smp-api</module>
<module>smp-angular</module>
<module>smp-server-library</module> <module>smp-server-library</module>
<module>smp-angular</module>
<module>smp-webapp</module> <module>smp-webapp</module>
</modules> </modules>
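Review bot: Moving smp-angular ahead of smp-server-library changes the reactor order without a word in the commit message; if it is required by the coverage-path changes below, please say so. The commented-out `<!-- module>smp-parent-pom</module -->` line is dead configuration and could be deleted at the same time.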
...@@ -35,7 +34,7 @@ ...@@ -35,7 +34,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<!-- Only selected modules are deployed --> <!-- Only selected modules are deployed -->
<maven.deploy.skip>true</maven.deploy.skip> <maven.deploy.skip>true</maven.deploy.skip>
<edelivery.ssl-auth.version>1.9</edelivery.ssl-auth.version> <edelivery.ssl-auth.version>1.10-SNAPSHOT</edelivery.ssl-auth.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<ant-commons-net.version>1.6.5</ant-commons-net.version> <ant-commons-net.version>1.6.5</ant-commons-net.version>
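Review bot: `edelivery.ssl-auth.version` moves from the released 1.9 to `1.10-SNAPSHOT`. This library carries the SSL client-certificate authentication that this pull request enables, so a snapshot dependency makes the build non-reproducible and lets the authentication code change underneath the SMP without any version bump; pin a released version before this reaches a release branch and keep the snapshot repository reachable only for development builds. Minor: `<project.build.sourceEncoding>` is declared twice in this properties block (unchanged context), the second declaration can go.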
...@@ -83,7 +82,7 @@ ...@@ -83,7 +82,7 @@
<!-- jacoco, sonar code coverage settings start --> <!-- jacoco, sonar code coverage settings start -->
<sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin> <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
<sonar.jacoco.codeCoveragePath>${maven.multiModuleProjectDirectory}/code-coverage</sonar.jacoco.codeCoveragePath> <sonar.jacoco.codeCoveragePath>${basedir}/target/code-coverage</sonar.jacoco.codeCoveragePath>
<sonar.jacoco.reportPath>${sonar.jacoco.codeCoveragePath}/jacoco-ut.exec</sonar.jacoco.reportPath> <sonar.jacoco.reportPath>${sonar.jacoco.codeCoveragePath}/jacoco-ut.exec</sonar.jacoco.reportPath>
<sonar.jacoco.itReportPath>${sonar.jacoco.codeCoveragePath}/jacoco-it.exec</sonar.jacoco.itReportPath> <sonar.jacoco.itReportPath>${sonar.jacoco.codeCoveragePath}/jacoco-it.exec</sonar.jacoco.itReportPath>
<sonar.language>java</sonar.language> <sonar.language>java</sonar.language>
...@@ -604,8 +603,7 @@ ...@@ -604,8 +603,7 @@
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId> <artifactId>maven-surefire-plugin</artifactId>
<configuration> <configuration>
<reportsDirectory>${maven.multiModuleProjectDirectory}/code-coverage/surefire-reports <reportsDirectory>${basedir}/target/code-coverage/surefire-reports</reportsDirectory>
</reportsDirectory>
</configuration> </configuration>
<executions> <executions>
<execution> <execution>
...@@ -630,8 +628,7 @@ ...@@ -630,8 +628,7 @@
<artifactId>maven-failsafe-plugin</artifactId> <artifactId>maven-failsafe-plugin</artifactId>
<version>2.19.1</version> <version>2.19.1</version>
<configuration> <configuration>
<reportsDirectory>${maven.multiModuleProjectDirectory}/code-coverage/failsafe-reports <reportsDirectory>${basedir}/target/code-coverage/failsafe-reports</reportsDirectory>
</reportsDirectory>
</configuration> </configuration>
<executions> <executions>
<execution> <execution>
...@@ -727,11 +724,11 @@ ...@@ -727,11 +724,11 @@
<outputFolder>${sonar.jacoco.codeCoveragePath}/surefire-reports</outputFolder> <outputFolder>${sonar.jacoco.codeCoveragePath}/surefire-reports</outputFolder>
<junitReport>true</junitReport> <junitReport>true</junitReport>
<printReport>true</printReport> <printReport>true</printReport>
<settingsFile>${maven.multiModuleProjectDirectory}/smp-soapui-tests/soapui/soapui-settings.xml</settingsFile> <settingsFile>${basedir}/soapui/soapui-settings.xml</settingsFile>
<soapuiProperties> <soapuiProperties>
<property> <property>
<name>soapui.scripting.library</name> <name>soapui.scripting.library</name>
<value>${maven.multiModuleProjectDirectory}/smp-soapui-tests/groovy</value> <value>${basedir}/groovy</value>
</property> </property>
<property> <property>
<name>soapui.logroot</name> <name>soapui.logroot</name>
...@@ -743,7 +740,7 @@ ...@@ -743,7 +740,7 @@
</property> </property>
</soapuiProperties> </soapuiProperties>
<testFailIgnore>true</testFailIgnore> <testFailIgnore>true</testFailIgnore>
<projectFile>${maven.multiModuleProjectDirectory}/smp-soapui-tests/soapui/SMP4.0-Generic-soapui-project.xml</projectFile> <projectFile>${basedir}/soapui/SMP4.0-Generic-soapui-project.xml</projectFile>
<testSuite>PASSING_AUTO_BAMBOO</testSuite> <testSuite>PASSING_AUTO_BAMBOO</testSuite>
<!--If you want to execute single test case <testCase>SMP001-Create ServiceGroup-Basic Flow-Admin Service Group specified</testCase>--> <!--If you want to execute single test case <testCase>SMP001-Create ServiceGroup-Basic Flow-Admin Service Group specified</testCase>-->
<projectProperties> <projectProperties>
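Review bot: The SoapUI paths now resolve relative to `${basedir}` (`${basedir}/soapui/soapui-settings.xml`, `${basedir}/groovy`, `${basedir}/soapui/SMP4.0-Generic-soapui-project.xml`) instead of `${maven.multiModuleProjectDirectory}/smp-soapui-tests/...`. That only works when this plugin configuration is executed from inside the smp-soapui-tests module; if it is inherited and run from the root, `${basedir}` is the root directory and the settings file, project file and scripting library will not be found. Please confirm the execution is bound only in that module.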
...@@ -3,7 +3,6 @@ export interface SmpInfo { ...@@ -3,7 +3,6 @@ export interface SmpInfo {
smlIntegrationOn?: boolean; smlIntegrationOn?: boolean;
contextPath?: string; contextPath?: string;
smlParticipantMultiDomainOn?: boolean smlParticipantMultiDomainOn?: boolean
ssoAuthentication?: boolean; authTypes?: string[];
ssoAuthenticationLabel?: string; ssoAuthenticationLabel?: string;
} }
<div id="page" class="login-page" [style]="'justify-content:center; align-items:center; height:100%'"> <div id="page" class="login-page" [style]="'justify-content:center; align-items:center; height:100%'">
<div fxLayout="row" [style]="'justify-content:center; align-items:center; height:100%'"> <div fxLayout="row" [style]="'justify-content:center; align-items:center; height:100%'">
<mat-card *ngIf="lookups.cachedApplicationInfo.ssoAuthentication" fxFlex="400px" [style]="'width:400px;height:300px;margin:10px'"> <mat-card *ngIf="isUserAuthSSOEnabled() == true" fxFlex="400px" [style]="'width:400px;height:300px;margin:10px'">
<mat-card-title>SSO Login: {{lookups.cachedApplicationInfo.ssoAuthenticationLabel}}</mat-card-title> <mat-card-title>SSO Login: {{lookups.cachedApplicationInfo.ssoAuthenticationLabel}}</mat-card-title>
<mat-card-content style="align-items: center;justify-content: center;display: flex;height: 200px;"> <mat-card-content style="align-items: center;justify-content: center;display: flex;height: 200px;">
<a mat-raised-button color="primary" href="/smp/ui/rest/security/cas" [style]="'width=150px'"> <a mat-raised-button color="primary" href="/smp/ui/rest/security/cas" [style]="'width=150px'">
<mat-icon>input</mat-icon> <mat-icon>input</mat-icon>
<span> SSO Login</span> <span> SSO Login</span>
</a> </a>
</mat-card-content> </mat-card-content>
</mat-card> </mat-card>
<mat-card fxFlex="400px" [style]="'width:400px;height:300px;margin:10px'"> <mat-card *ngIf="isUserAuthPasswdEnabled() == true" fxFlex="400px" [style]="'width:400px;height:300px;margin:10px'">
<mat-card-title>SMP Login</mat-card-title> <mat-card-title>SMP Login</mat-card-title>
<mat-card-content style="align-items: center;justify-content: center;display: flex;height: 200px;"> <mat-card-content style="align-items: center;justify-content: center;display: flex;height: 200px;">
<form name="loginForm" #loginForm="ngForm" (ngSubmit)="login()"> <form name="loginForm" #loginForm="ngForm" (ngSubmit)="login()">
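Review bot: `*ngIf="isUserAuthSSOEnabled() == true"` and `*ngIf="isUserAuthPasswdEnabled() == true"` compare a boolean to `true`; `*ngIf="isUserAuthSSOEnabled()"` is the idiomatic form. The SSO link also still hard-codes `href="/smp/ui/rest/security/cas"` while this commit fixes `REST_SECURITY_CAS_AUTHENTICATION` to `rest/security/cas` in SmpConstants and SmpInfo already carries `contextPath`; building the link from those keeps SSO login working when the application is deployed under a different context path.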
...@@ -36,7 +33,8 @@ ...@@ -36,7 +33,8 @@
</tr> </tr>
<tr> <tr>
<td> <td>
<button mat-raised-button color="primary" [disabled]="!loginForm.form.valid" id="loginbutton_id" [style]="'width=150px'"> <button mat-raised-button color="primary" [disabled]="!loginForm.form.valid" id="loginbutton_id"
[style]="'width=150px'">
<mat-icon>input</mat-icon> <mat-icon>input</mat-icon>
<span> Login</span> <span> Login</span>
</button> </button>
...@@ -100,4 +100,12 @@ export class LoginComponent implements OnInit, OnDestroy { ...@@ -100,4 +100,12 @@ export class LoginComponent implements OnInit, OnDestroy {
ngOnDestroy(): void { ngOnDestroy(): void {
this.sub.unsubscribe(); this.sub.unsubscribe();
} }
isUserAuthSSOEnabled(): boolean {
return this.lookups.cachedApplicationInfo.authTypes.includes('SSO');
}
isUserAuthPasswdEnabled():boolean {
return this.lookups.cachedApplicationInfo.authTypes.includes('PASSWORD');
}
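Review bot: `authTypes` is declared optional (`authTypes?: string[]`) in SmpInfo, but `isUserAuthSSOEnabled()` and `isUserAuthPasswdEnabled()` call `.includes()` on it unguarded, and both are evaluated from the login template on every change-detection cycle. If `rest/application/info` has not answered yet or omits the field, the login page throws and shows neither card. A guard such as `return (this.lookups.cachedApplicationInfo.authTypes || []).includes('SSO');` lets the page degrade to "no login options" instead of breaking.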
} }
...@@ -6,7 +6,8 @@ export class SmpConstants { ...@@ -6,7 +6,8 @@ export class SmpConstants {
public static readonly REST_EDIT = 'rest/servicegroup'; public static readonly REST_EDIT = 'rest/servicegroup';
public static readonly REST_METADATA = 'rest/servicemetadata'; public static readonly REST_METADATA = 'rest/servicemetadata';
public static readonly REST_SECURITY_AUTHENTICATION = 'rest/security/authentication'; public static readonly REST_SECURITY_AUTHENTICATION = 'rest/security/authentication';
public static readonly REST_SECURITY_CAS_AUTHENTICATION = 'rest/security/saml'; public static readonly REST_SECURITY_CAS_AUTHENTICATION = 'rest/security/cas';
public static readonly REST_SECURITY_USER = 'rest/security/user'; public static readonly REST_SECURITY_USER = 'rest/security/user';
public static readonly REST_APPLICATION = 'rest/application/info'; public static readonly REST_APPLICATION = 'rest/application/info';
public static readonly REST_CONFIG = 'rest/application/config'; public static readonly REST_CONFIG = 'rest/application/config';
...@@ -88,33 +88,6 @@ ...@@ -88,33 +88,6 @@
</plugins> </plugins>
</configuration> </configuration>
</plugin> </plugin>
<!-- just clean code coverage folder before collecting any information.
placed in this module as is the first in maven reactor order to collect info
about code coverage.
do not move this to parent pom or root pom!
-->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-clean-plugin</artifactId>
<version>3.0.0</version>
<executions>
<execution>
<id>default-clean</id>
<phase>clean</phase>
<goals>
<goal>clean</goal>
</goals>
</execution>
</executions>
<configuration>
<filesets>
<fileset>
<directory>${maven.multiModuleProjectDirectory}/code-coverage</directory>
</fileset>
</filesets>
</configuration>
</plugin>
</plugins> </plugins>
</build> </build>
</project> </project>
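Review bot: Dropping the custom maven-clean-plugin execution is consistent with the rest of the commit: the coverage, surefire and failsafe directories now live under `${basedir}/target/code-coverage`, which the default clean lifecycle already removes, so the shared `${maven.multiModuleProjectDirectory}/code-coverage` folder this plugin existed to wipe no longer exists. Please check that the Sonar/Bamboo job that aggregated `jacoco-ut.exec` and `jacoco-it.exec` from that single folder is updated to pick up the per-module files, otherwise coverage silently drops to zero.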
package eu.europa.ec.edelivery.smp.auth.enums;
/**
* Authentication types for application accounts supporting automated application functionalities. The application accounts
* are used for SMP web-service integrations.
*
* Supported authentication types
* - PASSWORD: the application username/password (Note:automation-user authentication is different than ui-user
* password and it can be used only for web-services!).
* - CERTIFICATE: certificate authentication username/password.,
*
* @author Joze Rihtarsic
* @since 4.2
*/
public enum SMPAutomationAuthenticationTypes {
PASSWORD,
CERTIFICATE;
}
\ No newline at end of file
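Review bot: The Javadoc for `CERTIFICATE` reads "certificate authentication username/password.," which is wrong for an X.509 client-certificate credential and ends in a stray ".,"; describe it as authentication by SSL client certificate. The `PASSWORD` note is hard to parse ("automation-user authentication is different than ui-user password"); say plainly that automation-account passwords are accepted only on the web-service endpoints, never on the UI login. Add the missing newline at end of file.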
package eu.europa.ec.edelivery.smp.auth.enums;
/**
* Authentication types for application accounts supporting automated application functionalities. The application accounts
* are used for SMP web-service integrations.
*
* Supported authentication types
* - PASSWORD: the user password authentication (Note:automation-user authentication is different than ui-user
* password and it can be used only for the UI!).
* - SSO: Single sign-on authentication using CAS server. ,
*
* @author Joze Rihtarsic
* @since 4.2
*/
public enum SMPUserAuthenticationTypes {
PASSWORD,
SSO;
}
\ No newline at end of file
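Review bot: The class Javadoc is copied from SMPAutomationAuthenticationTypes and still describes "application accounts ... used for SMP web-service integrations", which is the opposite of what this enum is for (UI user login). The `PASSWORD` note is inverted in the same way ("automation-user authentication is different than ui-user password and it can be used only for the UI!"); it should say that UI user passwords are accepted only by the UI login and not by the web services. The `SSO` line ends in a stray " ,", and the file lacks a trailing newline.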
package eu.europa.ec.edelivery.smp.data.ui; package eu.europa.ec.edelivery.smp.data.ui;
import java.io.Serializable; import java.io.Serializable;
import java.util.List;
public class SmpInfoRO implements Serializable { public class SmpInfoRO implements Serializable {
private static final long serialVersionUID = -49712226560325302L; private static final long serialVersionUID = -49712226560325302L;
String version; String version;
boolean smlIntegrationOn; boolean smlIntegrationOn;
boolean smlParticipantMultiDomainOn; boolean smlParticipantMultiDomainOn;
boolean ssoAuthentication;
String ssoAuthenticationLabel; String ssoAuthenticationLabel;
String contextPath; String contextPath;
List<String> authTypes;
public String getVersion() { public String getVersion() {
return version; return version;
...@@ -43,14 +44,6 @@ public class SmpInfoRO implements Serializable { ...@@ -43,14 +44,6 @@ public class SmpInfoRO implements Serializable {
this.smlParticipantMultiDomainOn = smlParticipantMultidomainOn; this.smlParticipantMultiDomainOn = smlParticipantMultidomainOn;
} }
public boolean isSsoAuthentication() {
return ssoAuthentication;
}
public void setSsoAuthentication(boolean ssoAuthentication) {
this.ssoAuthentication = ssoAuthentication;
}
public String getSsoAuthenticationLabel() { public String getSsoAuthenticationLabel() {
return ssoAuthenticationLabel; return ssoAuthenticationLabel;
} }
...@@ -58,4 +51,12 @@ public class SmpInfoRO implements Serializable { ...@@ -58,4 +51,12 @@ public class SmpInfoRO implements Serializable {
public void setSsoAuthenticationLabel(String ssoAuthenticationLabel) { public void setSsoAuthenticationLabel(String ssoAuthenticationLabel) {
this.ssoAuthenticationLabel = ssoAuthenticationLabel; this.ssoAuthenticationLabel = ssoAuthenticationLabel;
} }
public List<String> getAuthTypes() {
return authTypes;
}
public void setAuthTypes(List<String> authTypes) {
this.authTypes = authTypes;
}
} }
...@@ -13,7 +13,7 @@ public enum SMPPropertyEnum { ...@@ -13,7 +13,7 @@ public enum SMPPropertyEnum {
OUTPUT_CONTEXT_PATH("contextPath.output", "true", "This property controls pattern of URLs produced by SMP in GET ServiceGroup responses.", true, false, true, SMPPropertyTypeEnum.BOOLEAN), OUTPUT_CONTEXT_PATH("contextPath.output", "true", "This property controls pattern of URLs produced by SMP in GET ServiceGroup responses.", true, false, true, SMPPropertyTypeEnum.BOOLEAN),
HTTP_FORWARDED_HEADERS_ENABLED("smp.http.forwarded.headers.enabled", "false", "Use (value true) or remove (value false) forwarded headers! There are security considerations for forwarded headers since an application cannot know if the headers were added by a proxy, as intended, or by a malicious client.", false, false, false, SMPPropertyTypeEnum.BOOLEAN), HTTP_FORWARDED_HEADERS_ENABLED("smp.http.forwarded.headers.enabled", "false", "Use (value true) or remove (value false) forwarded headers! There are security considerations for forwarded headers since an application cannot know if the headers were added by a proxy, as intended, or by a malicious client.", false, false, false, SMPPropertyTypeEnum.BOOLEAN),
HTTP_HSTS_MAX_AGE("smp.http.httpStrictTransportSecurity.maxAge", "31536000", "How long(in seconds) HSTS should last in the browser's cache(default one year)", false, false, true, SMPPropertyTypeEnum.INTEGER), HTTP_HSTS_MAX_AGE("smp.http.httpStrictTransportSecurity.maxAge", "31536000", "How long(in seconds) HSTS should last in the browser's cache(default one year)", false, false, true, SMPPropertyTypeEnum.INTEGER),
// http proxy configuration
HTTP_PROXY_HOST("smp.proxy.host", "", "The http proxy host", false, false, false, SMPPropertyTypeEnum.STRING), HTTP_PROXY_HOST("smp.proxy.host", "", "The http proxy host", false, false, false, SMPPropertyTypeEnum.STRING),
HTTP_NO_PROXY_HOSTS("smp.noproxy.hosts", "localhost|127.0.0.1", "list of nor proxy hosts. Ex.: localhost|127.0.0.1", false, false, false, SMPPropertyTypeEnum.STRING), HTTP_NO_PROXY_HOSTS("smp.noproxy.hosts", "localhost|127.0.0.1", "list of nor proxy hosts. Ex.: localhost|127.0.0.1", false, false, false, SMPPropertyTypeEnum.STRING),
HTTP_PROXY_PASSWORD("smp.proxy.password", "", "Base64 encrypted password for Proxy.", false, true, false, SMPPropertyTypeEnum.STRING), HTTP_PROXY_PASSWORD("smp.proxy.password", "", "Base64 encrypted password for Proxy.", false, true, false, SMPPropertyTypeEnum.STRING),
...@@ -23,40 +23,28 @@ public enum SMPPropertyEnum { ...@@ -23,40 +23,28 @@ public enum SMPPropertyEnum {
PARTC_SCH_REGEXP("identifiersBehaviour.ParticipantIdentifierScheme.validationRegex", "^((?!^.{26})([a-z0-9]+-[a-z0-9]+-[a-z0-9]+)|urn:oasis:names:tc:ebcore:partyid-type:(iso6523|unregistered)(:.+)?$)", "Participant Identifier Schema of each PUT ServiceGroup request is validated against this schema.", false, false, false, SMPPropertyTypeEnum.REGEXP), PARTC_SCH_REGEXP("identifiersBehaviour.ParticipantIdentifierScheme.validationRegex", "^((?!^.{26})([a-z0-9]+-[a-z0-9]+-[a-z0-9]+)|urn:oasis:names:tc:ebcore:partyid-type:(iso6523|unregistered)(:.+)?$)", "Participant Identifier Schema of each PUT ServiceGroup request is validated against this schema.", false, false, false, SMPPropertyTypeEnum.REGEXP),
PARTC_SCH_REGEXP_MSG("identifiersBehaviour.ParticipantIdentifierScheme.validationRegexMessage", PARTC_SCH_REGEXP_MSG("identifiersBehaviour.ParticipantIdentifierScheme.validationRegexMessage",
"Participant scheme must start with:urn:oasis:names:tc:ebcore:partyid-type:(iso6523:|unregistered:) OR must be up to 25 characters long with form [domain]-[identifierArea]-[identifierType] (ex.: 'busdox-actorid-upis') and may only contain the following characters: [a-z0-9].", "Error message for UI", false, false, false, SMPPropertyTypeEnum.STRING), "Participant scheme must start with:urn:oasis:names:tc:ebcore:partyid-type:(iso6523:|unregistered:) OR must be up to 25 characters long with form [domain]-[identifierArea]-[identifierType] (ex.: 'busdox-actorid-upis') and may only contain the following characters: [a-z0-9].", "Error message for UI", false, false, false, SMPPropertyTypeEnum.STRING),
CS_PARTICIPANTS("identifiersBehaviour.caseSensitive.ParticipantIdentifierSchemes", "sensitive-participant-sc1|sensitive-participant-sc2", "Specifies schemes of participant identifiers that must be considered CASE-SENSITIVE.", false, false, false, SMPPropertyTypeEnum.LIST_STRING), CS_PARTICIPANTS("identifiersBehaviour.caseSensitive.ParticipantIdentifierSchemes", "sensitive-participant-sc1|sensitive-participant-sc2", "Specifies schemes of participant identifiers that must be considered CASE-SENSITIVE.", false, false, false, SMPPropertyTypeEnum.LIST_STRING),
CS_DOCUMENTS("identifiersBehaviour.caseSensitive.DocumentIdentifierSchemes", "casesensitive-doc-scheme1|casesensitive-doc-scheme2", "Specifies schemes of document identifiers that must be considered CASE-SENSITIVE.", false, false, false, SMPPropertyTypeEnum.LIST_STRING), CS_DOCUMENTS("identifiersBehaviour.caseSensitive.DocumentIdentifierSchemes", "casesensitive-doc-scheme1|casesensitive-doc-scheme2", "Specifies schemes of document identifiers that must be considered CASE-SENSITIVE.", false, false, false, SMPPropertyTypeEnum.LIST_STRING),
// SML integration!
SML_ENABLED("bdmsl.integration.enabled", "false", "BDMSL (SML) integration ON/OFF switch", false, false, false, SMPPropertyTypeEnum.BOOLEAN), SML_ENABLED("bdmsl.integration.enabled", "false", "BDMSL (SML) integration ON/OFF switch", false, false, false, SMPPropertyTypeEnum.BOOLEAN),
SML_PARTICIPANT_MULTIDOMAIN("bdmsl.participant.multidomain.enabled", "false", "Set to true if SML support participant on multidomain", false, false, true, SMPPropertyTypeEnum.BOOLEAN), SML_PARTICIPANT_MULTIDOMAIN("bdmsl.participant.multidomain.enabled", "false", "Set to true if SML support participant on multidomain", false, false, true, SMPPropertyTypeEnum.BOOLEAN),
SML_URL("bdmsl.integration.url", "http://localhost:8080/edelivery-sml", "BDMSL (SML) endpoint", false, false, false, SMPPropertyTypeEnum.URL), SML_URL("bdmsl.integration.url", "http://localhost:8080/edelivery-sml", "BDMSL (SML) endpoint", false, false, false, SMPPropertyTypeEnum.URL),
SML_TLS_DISABLE_CN_CHECK("bdmsl.integration.tls.disableCNCheck", "false", "If SML Url is HTTPs - Disable CN check if needed.", false, false, false, SMPPropertyTypeEnum.BOOLEAN), SML_TLS_DISABLE_CN_CHECK("bdmsl.integration.tls.disableCNCheck", "false", "If SML Url is HTTPs - Disable CN check if needed.", false, false, false, SMPPropertyTypeEnum.BOOLEAN),
SML_TLS_SERVER_CERT_SUBJECT_REGEXP("bdmsl.integration.tls.serverSubjectRegex", ".*", "Regular expression for server TLS certificate subject verification CertEx. .*CN=acc.edelivery.tech.ec.europa.eu.*.", false, false, false, SMPPropertyTypeEnum.REGEXP), SML_TLS_SERVER_CERT_SUBJECT_REGEXP("bdmsl.integration.tls.serverSubjectRegex", ".*", "Regular expression for server TLS certificate subject verification CertEx. .*CN=acc.edelivery.tech.ec.europa.eu.*.", false, false, false, SMPPropertyTypeEnum.REGEXP),
SML_LOGICAL_ADDRESS("bdmsl.integration.logical.address", "http://localhost:8080/smp/", "Logical SMP endpoint which will be registered on SML when registering new domain", false, false, false, SMPPropertyTypeEnum.URL), SML_LOGICAL_ADDRESS("bdmsl.integration.logical.address", "http://localhost:8080/smp/", "Logical SMP endpoint which will be registered on SML when registering new domain", false, false, false, SMPPropertyTypeEnum.URL),
SML_PHYSICAL_ADDRESS("bdmsl.integration.physical.address", "0.0.0.0", "Physical SMP endpoint which will be registered on SML when registering new domain.", false, false, false, SMPPropertyTypeEnum.STRING), SML_PHYSICAL_ADDRESS("bdmsl.integration.physical.address", "0.0.0.0", "Physical SMP endpoint which will be registered on SML when registering new domain.", false, false, false, SMPPropertyTypeEnum.STRING),
// keystore truststore
KEYSTORE_PASSWORD("smp.keystore.password", "", "Encrypted keystore (and keys) password ", false, true, false, SMPPropertyTypeEnum.STRING), KEYSTORE_PASSWORD("smp.keystore.password", "", "Encrypted keystore (and keys) password ", false, true, false, SMPPropertyTypeEnum.STRING),
KEYSTORE_FILENAME("smp.keystore.filename", "smp-keystore.jks", "Keystore filename ", true, false, false, SMPPropertyTypeEnum.FILENAME), KEYSTORE_FILENAME("smp.keystore.filename", "smp-keystore.jks", "Keystore filename ", true, false, false, SMPPropertyTypeEnum.FILENAME),
TRUSTSTORE_PASSWORD("smp.truststore.password", "", "Encrypted truststore password ", false, true, false, SMPPropertyTypeEnum.STRING), TRUSTSTORE_PASSWORD("smp.truststore.password", "", "Encrypted truststore password ", false, true, false, SMPPropertyTypeEnum.STRING),
TRUSTSTORE_FILENAME("smp.truststore.filename", "", "Truststore filename ", false, false, false, SMPPropertyTypeEnum.FILENAME), TRUSTSTORE_FILENAME("smp.truststore.filename", "", "Truststore filename ", false, false, false, SMPPropertyTypeEnum.FILENAME),
CERTIFICATE_CRL_FORCE("smp.certificate.crl.force", "false", "If false then if CRL is not reachable ignore CRL validation", false, false, false, SMPPropertyTypeEnum.BOOLEAN), CERTIFICATE_CRL_FORCE("smp.certificate.crl.force", "false", "If false then if CRL is not reachable ignore CRL validation", false, false, false, SMPPropertyTypeEnum.BOOLEAN),
CERTIFICATE_ALLOWED_CERTIFICATEPOLICY_OIDS("smp.certificate.validation.allowedCertificatePolicyOIDs","","List of certificate policy OIDs separated by comma where at least one must be in the CertifictePolicy extension", false, false,false, SMPPropertyTypeEnum.STRING),
CERTIFICATE_SUBJECT_REGULAR_EXPRESSION("smp.certificate.validation.subjectRegex",".*","Regular expression to validate subject of the certificate", false, false,false, SMPPropertyTypeEnum.REGEXP),
CONFIGURATION_DIR("configuration.dir", "smp", "Path to the folder containing all the configuration files (keystore and encryption key)", true, false, true, SMPPropertyTypeEnum.PATH), CONFIGURATION_DIR("configuration.dir", "smp", "Path to the folder containing all the configuration files (keystore and encryption key)", true, false, true, SMPPropertyTypeEnum.PATH),
ENCRYPTION_FILENAME("encryption.key.filename", "encryptionPrivateKey.private", "Key filename to encrypt passwords", false, false, true, SMPPropertyTypeEnum.FILENAME), ENCRYPTION_FILENAME("encryption.key.filename", "encryptionPrivateKey.private", "Key filename to encrypt passwords", false, false, true, SMPPropertyTypeEnum.FILENAME),
KEYSTORE_PASSWORD_DECRYPTED("smp.keystore.password.decrypted", "", "Only for backup purposes when password is automatically created. Store password somewhere save and delete this entry!", false, false, false, SMPPropertyTypeEnum.STRING), KEYSTORE_PASSWORD_DECRYPTED("smp.keystore.password.decrypted", "", "Only for backup purposes when password is automatically created. Store password somewhere save and delete this entry!", false, false, false, SMPPropertyTypeEnum.STRING),
TRUSTSTORE_PASSWORD_DECRYPTED("smp.truststore.password.decrypted", "", "Only for backup purposes when password is automatically created. Store password somewhere save and delete this entry!", false, false, false, SMPPropertyTypeEnum.STRING), TRUSTSTORE_PASSWORD_DECRYPTED("smp.truststore.password.decrypted", "", "Only for backup purposes when password is automatically created. Store password somewhere save and delete this entry!", false, false, false, SMPPropertyTypeEnum.STRING),
CERTIFICATE_ALLOWED_CERTIFICATEPOLICY_OIDS("smp.certificate.validation.allowedCertificatePolicyOIDs","","List of certificate policy OIDs separated by comma where at least one must be in the CertifictePolicy extension", false, false,false, SMPPropertyTypeEnum.STRING),
SML_KEYSTORE_PASSWORD("bdmsl.integration.keystore.password","","Deprecated", false, false,false, SMPPropertyTypeEnum.STRING), CERTIFICATE_SUBJECT_REGULAR_EXPRESSION("smp.certificate.validation.subjectRegex",".*","Regular expression to validate subject of the certificate", false, false,false, SMPPropertyTypeEnum.REGEXP),
SML_KEYSTORE_PATH("bdmsl.integration.keystore.path","","Deprecated", false, false,false, SMPPropertyTypeEnum.STRING),
SIGNATURE_KEYSTORE_PASSWORD("xmldsig.keystore.password","","Deprecated", false, false,false, SMPPropertyTypeEnum.STRING),
SIGNATURE_KEYSTORE_PATH("xmldsig.keystore.classpath","","Deprecated", false, false,false, SMPPropertyTypeEnum.STRING),
SML_PROXY_HOST("bdmsl.integration.proxy.server","","Deprecated", false, false,false, SMPPropertyTypeEnum.STRING),
SML_PROXY_PORT("bdmsl.integration.proxy.port","","Deprecated", false, false,false, SMPPropertyTypeEnum.INTEGER),
SML_PROXY_USER("bdmsl.integration.proxy.user","","Deprecated", false, false,false, SMPPropertyTypeEnum.STRING),
SML_PROXY_PASSWORD("bdmsl.integration.proxy.password","","Deprecated", false, false,false, SMPPropertyTypeEnum.STRING),
SMP_PROPERTY_REFRESH_CRON("smp.property.refresh.cronJobExpression", "0 48 */1 * * *", "Property refresh cron expression (def 12 minutes to each hour). Property change is refreshed at restart!", false, false, true, SMPPropertyTypeEnum.STRING), SMP_PROPERTY_REFRESH_CRON("smp.property.refresh.cronJobExpression", "0 48 */1 * * *", "Property refresh cron expression (def 12 minutes to each hour). Property change is refreshed at restart!", false, false, true, SMPPropertyTypeEnum.STRING),
// UI COOKIE configuration // UI COOKIE configuration
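Review bot: Removing the deprecated `bdmsl.integration.*` and `xmldsig.keystore.*` entries from the enum is safe only if the property loader tolerates keys that still exist in the configuration table of upgraded installations; if unknown keys are rejected at startup, a migration script should delete them first. Since this commit makes CERTIFICATE an automation authentication type, the defaults of the two entries moved here deserve a second look: `smp.certificate.validation.subjectRegex` defaults to `.*` and `smp.certificate.validation.allowedCertificatePolicyOIDs` to an empty list, so out of the box no subject restriction applies and, unless an empty list is treated as "require a policy", no policy check either; the descriptions should tell administrators to tighten both when enabling certificate authentication. Typo in the OIDs description: "CertifictePolicy".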
...@@ -64,11 +52,12 @@ public enum SMPPropertyEnum { ...@@ -64,11 +52,12 @@ public enum SMPPropertyEnum {
UI_COOKIE_SESSION_MAX_AGE("smp.ui.session.max-age", "", "Number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. Empty value will not set parameter", false, false, false, SMPPropertyTypeEnum.INTEGER), UI_COOKIE_SESSION_MAX_AGE("smp.ui.session.max-age", "", "Number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. Empty value will not set parameter", false, false, false, SMPPropertyTypeEnum.INTEGER),
UI_COOKIE_SESSION_SITE("smp.ui.session.strict", "Lax", "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. Possible values are: Strict, None, Lax. (Cookies with SameSite=None require a secure context/HTTPS)!!)", false, false, false, SMPPropertyTypeEnum.STRING), UI_COOKIE_SESSION_SITE("smp.ui.session.strict", "Lax", "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. Possible values are: Strict, None, Lax. (Cookies with SameSite=None require a secure context/HTTPS)!!)", false, false, false, SMPPropertyTypeEnum.STRING),
UI_COOKIE_SESSION_PATH("smp.ui.session.path", "", "A path that must exist in the requested URL, or the browser won't send the Cookie header. Null/Empty value sets the authentication requests context by default. The forward slash (/) character is interpreted as a directory separator, and subdirectories will be matched as well: for Path=/docs, /docs, /docs/Web/, and /docs/Web/HTTP will all match", false, false, false, SMPPropertyTypeEnum.STRING), UI_COOKIE_SESSION_PATH("smp.ui.session.path", "", "A path that must exist in the requested URL, or the browser won't send the Cookie header. Null/Empty value sets the authentication requests context by default. The forward slash (/) character is interpreted as a directory separator, and subdirectories will be matched as well: for Path=/docs, /docs, /docs/Web/, and /docs/Web/HTTP will all match", false, false, false, SMPPropertyTypeEnum.STRING),
UI_COOKIE_SESSION_IDLE_TIMEOUT_ADMIN("smp.ui.session.idle_timeout.admin", "300", "Specifies the time, in seconds, between client requests before the SMP will invalidate session for ADMIN users (System)!", false, false, false, SMPPropertyTypeEnum.INTEGER),
UI_COOKIE_SESSION_IDLE_TIMEOUT_ADMIN("smp.ui.session.idle_timeout.admin","300","Specifies the time, in seconds, between client requests before the SMP will invalidate session for ADMIN users (System and SMP Admin)!", false, false,false, SMPPropertyTypeEnum.INTEGER), UI_COOKIE_SESSION_IDLE_TIMEOUT_USER("smp.ui.session.idle_timeout.user", "1800", "Specifies the time, in seconds, between client requests before the SMP will invalidate session for users (Service group, SMP Admin)", false, false, false, SMPPropertyTypeEnum.INTEGER),
UI_COOKIE_SESSION_IDLE_TIMEOUT_USER("smp.ui.session.idle_timeout.user","1800","Specifies the time, in seconds, between client requests before the SMP will invalidate session for users (Service group)", false, false,false, SMPPropertyTypeEnum.INTEGER), // authentication
UI_AUTHENTICATION_TYPES("smp.ui.authentication.types", "PASSWORD", "Set list of '|' separated authentication types: PASSWORD|SSO.", false, false, false, SMPPropertyTypeEnum.LIST_STRING),
AUTOMATION_AUTHENTICATION_TYPES("smp.automation.authentication.types", "PASSWORD|CERTIFICATE", "Set list of '|' separated application-automation authentication types (Web-Service integration). Currently supported PASSWORD, CERT: ex. PASSWORD|CERT", false, false, false, SMPPropertyTypeEnum.LIST_STRING),
// SSO configuration // SSO configuration
SSO_CAS_ENABLED("smp.sso.cas.enabled","false","Enable/disable CAS authentication.", false, false,true, SMPPropertyTypeEnum.BOOLEAN),
SSO_CAS_UI_LABEL("smp.sso.cas.ui.label", "EU Login", "The SSO service provider label.", false, false, true, SMPPropertyTypeEnum.STRING), SSO_CAS_UI_LABEL("smp.sso.cas.ui.label", "EU Login", "The SSO service provider label.", false, false, true, SMPPropertyTypeEnum.STRING),
SSO_CAS_URL("smp.sso.cas.url", "http://localhost:8080/cas/", "The SSO CAS URL enpoint", false, false, true, SMPPropertyTypeEnum.URL), SSO_CAS_URL("smp.sso.cas.url", "http://localhost:8080/cas/", "The SSO CAS URL enpoint", false, false, true, SMPPropertyTypeEnum.URL),
SSO_CAS_URLPATH_LOGIN("smp.sso.cas.urlpath.login", "login", "The CAS URL path for login. Complete URL is composed from parameters: ${smp.sso.cas.url}/${smp.sso.cas.urlpath.login}.", false, false, true, SMPPropertyTypeEnum.STRING), SSO_CAS_URLPATH_LOGIN("smp.sso.cas.urlpath.login", "login", "The CAS URL path for login. Complete URL is composed from parameters: ${smp.sso.cas.url}/${smp.sso.cas.urlpath.login}.", false, false, true, SMPPropertyTypeEnum.STRING),
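Review bot: the default of AUTOMATION_AUTHENTICATION_TYPES is `PASSWORD|CERTIFICATE` while its own description (and the changelog) documents the supported tokens as `PASSWORD, CERT: ex. PASSWORD|CERT`; settle on one token name, otherwise whatever string the enforcement code compares against can never match the other spelling. Two more points in this hunk: the idle-timeout descriptions move "SMP Admin" from the 300 s admin timeout to the 1800 s user timeout, which relaxes session lifetime for SMP Admin accounts, so confirm the role-to-timeout selection code was changed to match and that the relaxation is intended; and SSO_CAS_ENABLED (`smp.sso.cas.enabled`) is deleted outright, with no deprecated placeholder of the kind added below for the SML and xmldsig keys, so a deployment that still sets it will silently fall back to PASSWORD-only unless the changelog tells operators to set `smp.ui.authentication.types=PASSWORD|SSO`.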
...@@ -76,6 +65,16 @@ public enum SMPPropertyEnum { ...@@ -76,6 +65,16 @@ public enum SMPPropertyEnum {
SSO_CAS_TOKEN_VALIDATION_URLPATH("smp.sso.cas.token.validation.urlpath", "http://localhost:8080/cas/", "The CAS URL path for login. Complete URL is composed from parameters: ${smp.sso.cas.url}/${smp.sso.cas.urlpath.token.validation}.", false, false, true, SMPPropertyTypeEnum.STRING), SSO_CAS_TOKEN_VALIDATION_URLPATH("smp.sso.cas.token.validation.urlpath", "http://localhost:8080/cas/", "The CAS URL path for login. Complete URL is composed from parameters: ${smp.sso.cas.url}/${smp.sso.cas.urlpath.token.validation}.", false, false, true, SMPPropertyTypeEnum.STRING),
SSO_CAS_TOKEN_VALIDATION_PARAMS("smp.sso.cas.token.validation.params", "acceptStrengths:BASIC,CLIENT_CERT|assuranceLevel:TOP", "The CAS token validation key:value properties separated with '|'.Ex: 'acceptStrengths:BASIC,CLIENT_CERT|assuranceLevel:TOP'", false, false, true, SMPPropertyTypeEnum.MAP_STRING), SSO_CAS_TOKEN_VALIDATION_PARAMS("smp.sso.cas.token.validation.params", "acceptStrengths:BASIC,CLIENT_CERT|assuranceLevel:TOP", "The CAS token validation key:value properties separated with '|'.Ex: 'acceptStrengths:BASIC,CLIENT_CERT|assuranceLevel:TOP'", false, false, true, SMPPropertyTypeEnum.MAP_STRING),
SSO_CAS_TOKEN_VALIDATION_GROUPS("smp.sso.cas.token.validation.groups", "DIGIT_SMP|DIGIT_ADMIN", "'|' separated CAS groups user must belong to.", false, false, true, SMPPropertyTypeEnum.LIST_STRING), SSO_CAS_TOKEN_VALIDATION_GROUPS("smp.sso.cas.token.validation.groups", "DIGIT_SMP|DIGIT_ADMIN", "'|' separated CAS groups user must belong to.", false, false, true, SMPPropertyTypeEnum.LIST_STRING),
//deprecated properties
SML_KEYSTORE_PASSWORD("bdmsl.integration.keystore.password", "", "Deprecated", false, false, false, SMPPropertyTypeEnum.STRING),
SML_KEYSTORE_PATH("bdmsl.integration.keystore.path", "", "Deprecated", false, false, false, SMPPropertyTypeEnum.STRING),
SIGNATURE_KEYSTORE_PASSWORD("xmldsig.keystore.password", "", "Deprecated", false, false, false, SMPPropertyTypeEnum.STRING),
SIGNATURE_KEYSTORE_PATH("xmldsig.keystore.classpath", "", "Deprecated", false, false, false, SMPPropertyTypeEnum.STRING),
SML_PROXY_HOST("bdmsl.integration.proxy.server", "", "Deprecated", false, false, false, SMPPropertyTypeEnum.STRING),
SML_PROXY_PORT("bdmsl.integration.proxy.port", "", "Deprecated", false, false, false, SMPPropertyTypeEnum.INTEGER),
SML_PROXY_USER("bdmsl.integration.proxy.user", "", "Deprecated", false, false, false, SMPPropertyTypeEnum.STRING),
SML_PROXY_PASSWORD("bdmsl.integration.proxy.password", "", "Deprecated", false, false, false, SMPPropertyTypeEnum.STRING),
; ;
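Review bot: the eight entries added under `//deprecated properties` carry only the description "Deprecated", which tells an administrator neither why nor what replaces them; name the successor key in each description. Three of them (`bdmsl.integration.keystore.password`, `xmldsig.keystore.password`, `bdmsl.integration.proxy.password`) are secrets, yet they are registered with the same three `false` flags and STRING type as a plain URL path; check that whichever flag marks a property as encrypted or masked in the UI is set for them, or that their stored values are cleared on migration, because a deprecated secret displayed in clear text in the admin UI is worse than an unknown property.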
......
package eu.europa.ec.edelivery.smp.services; package eu.europa.ec.edelivery.smp.services;
import eu.europa.ec.edelivery.smp.auth.enums.SMPUserAuthenticationTypes;
import eu.europa.ec.edelivery.smp.data.dao.ConfigurationDao; import eu.europa.ec.edelivery.smp.data.dao.ConfigurationDao;
import eu.europa.ec.edelivery.smp.data.model.DBConfiguration; import eu.europa.ec.edelivery.smp.data.model.DBConfiguration;
import eu.europa.ec.edelivery.smp.data.ui.enums.SMPPropertyEnum; import eu.europa.ec.edelivery.smp.data.ui.enums.SMPPropertyEnum;
...@@ -137,7 +138,13 @@ public class ConfigurationService { ...@@ -137,7 +138,13 @@ public class ConfigurationService {
public boolean forceCRLValidation() { public boolean forceCRLValidation() {
Boolean value = (Boolean) configurationDAO.getCachedPropertyValue(CERTIFICATE_CRL_FORCE); Boolean value = (Boolean) configurationDAO.getCachedPropertyValue(CERTIFICATE_CRL_FORCE);
// by default is not forced // by default is not forced -> if missing is false!
return value != null && value;
}
public boolean isAuthenticationWithClientCertHeaderEnabled() {
Boolean value = (Boolean) configurationDAO.getCachedPropertyValue(SMPPropertyEnum.BLUE_COAT_ENABLED);
// by default is not forced -> if missing is false!
return value != null && value; return value != null && value;
} }
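Review bot: the comment copied into isAuthenticationWithClientCertHeaderEnabled(), "by default is not forced -> if missing is false!", describes CRL forcing, not the Client-Cert header; change it to say header-based authentication is disabled when the property is missing. Also `SMPPropertyEnum.BLUE_COAT_ENABLED` is the only fully qualified constant in this class while CERTIFICATE_CRL_FORCE is statically imported, and the property key still says BlueCoat although the method is now named for the generic Client-Cert header; either rename the enum constant as well or document the mapping so operators know which key drives this method.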
...@@ -205,9 +212,9 @@ public class ConfigurationService { ...@@ -205,9 +212,9 @@ public class ConfigurationService {
return (Integer) configurationDAO.getCachedPropertyValue(UI_COOKIE_SESSION_IDLE_TIMEOUT_USER); return (Integer) configurationDAO.getCachedPropertyValue(UI_COOKIE_SESSION_IDLE_TIMEOUT_USER);
} }
public boolean isCasEnabled() { public boolean isSSOEnabledForUserAuthentication() {
Boolean value = (Boolean) configurationDAO.getCachedPropertyValue(SSO_CAS_ENABLED); List<String> userAuthenticationTypes = getUIAuthenticationTypes();
return value != null && value; return userAuthenticationTypes != null && userAuthenticationTypes.contains(SMPUserAuthenticationTypes.SSO.name());
} }
public String getCasUILabel() { public String getCasUILabel() {
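Review bot: isSSOEnabledForUserAuthentication() replaces the boolean `smp.sso.cas.enabled` with `getUIAuthenticationTypes().contains(SMPUserAuthenticationTypes.SSO.name())`, an exact, case-sensitive match on the raw list entries; a value such as `PASSWORD| SSO` or `password|sso` in the database silently disables SSO. Normalize (trim, upper-case) when the LIST_STRING property is parsed, or validate the entries against the enum at property-update time and reject unknown tokens, so a misconfiguration fails loudly instead of quietly changing which login methods are offered.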
...@@ -237,4 +244,12 @@ public class ConfigurationService { ...@@ -237,4 +244,12 @@ public class ConfigurationService {
public List<String> getCasURLTokenValidationGroups() { public List<String> getCasURLTokenValidationGroups() {
return (List<String>) configurationDAO.getCachedPropertyValue(SSO_CAS_TOKEN_VALIDATION_GROUPS); return (List<String>) configurationDAO.getCachedPropertyValue(SSO_CAS_TOKEN_VALIDATION_GROUPS);
} }
public List<String> getUIAuthenticationTypes() {
return (List<String>) configurationDAO.getCachedPropertyValue(UI_AUTHENTICATION_TYPES);
}
public List<String> getAutomationAuthenticationTypes() {
return (List<String>) configurationDAO.getCachedPropertyValue(AUTOMATION_AUTHENTICATION_TYPES);
}
} }
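Review bot: getAutomationAuthenticationTypes() is added here but nothing in this commit reads it: the Client-Cert header filter is still switched from BLUE_COAT_ENABLED in SMPSecurityPropertyUpdateListener and the X509 filter is registered unconditionally in SpringSecurityConfig, so setting `smp.automation.authentication.types=PASSWORD` does not actually disable certificate authentication. Either wire the property into the filters or SMPAuthenticationProvider, or document it as informational until it is enforced. Both new getters also return null when the property is absent and hand out an unchecked `List<String>` cast; returning `Collections.emptyList()` would spare every caller the null check that isSSOEnabledForUserAuthentication() has to carry.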
...@@ -66,6 +66,7 @@ public class UITruststoreService { ...@@ -66,6 +66,7 @@ public class UITruststoreService {
long lastUpdateTrustoreFileTime = 0; long lastUpdateTrustoreFileTime = 0;
File lastUpdateTrustStoreFile = null; File lastUpdateTrustStoreFile = null;
TrustManager[] trustManagers; TrustManager[] trustManagers;
KeyStore trustStore = null;
@PostConstruct @PostConstruct
...@@ -81,7 +82,7 @@ public class UITruststoreService { ...@@ -81,7 +82,7 @@ public class UITruststoreService {
} }
} }
private boolean useTrustStore() { public boolean useTrustStore() {
File truststoreFile = configurationService.getTruststoreFile(); File truststoreFile = configurationService.getTruststoreFile();
return truststoreFile != null; return truststoreFile != null;
} }
...@@ -99,7 +100,7 @@ public class UITruststoreService { ...@@ -99,7 +100,7 @@ public class UITruststoreService {
// load keystore // load keystore
File truststoreFile = getTruststoreFile(); File truststoreFile = getTruststoreFile();
KeyStore trustStore = loadTruststore(truststoreFile); trustStore = loadTruststore(truststoreFile);
if (trustStore == null) { if (trustStore == null) {
LOG.error("Keystore: '" + truststoreFile.getAbsolutePath() + "' is not loaded! Check the truststore filename" + LOG.error("Keystore: '" + truststoreFile.getAbsolutePath() + "' is not loaded! Check the truststore filename" +
" and the configuration!"); " and the configuration!");
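Review bot: the reload path now writes `trustStore = loadTruststore(truststoreFile)` into the shared instance field before the null check, so a failed reload (corrupt file, wrong password) replaces a previously good truststore with null, and SMPAuthenticationProvider then skips CertificateValidator entirely because it tests `truststore != null`; the service fails open on reload errors. Load into a local variable, keep the old store when loading fails, and assign the field only on success. The field is also read from other threads through getTrustStore() while this method writes it, so mark it volatile (or swap an immutable holder) so readers do not observe a stale reference.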
...@@ -131,7 +132,6 @@ public class UITruststoreService { ...@@ -131,7 +132,6 @@ public class UITruststoreService {
X509Certificate x509Certificate = (X509Certificate) cert; X509Certificate x509Certificate = (X509Certificate) cert;
String subject = x509Certificate.getSubjectX500Principal().getName(); String subject = x509Certificate.getSubjectX500Principal().getName();
subject = DistinguishedNamesCodingUtil.normalizeDN(subject, subject = DistinguishedNamesCodingUtil.normalizeDN(subject,
DistinguishedNamesCodingUtil.getCommonAttributesDN()); DistinguishedNamesCodingUtil.getCommonAttributesDN());
tmpList.add(subject); tmpList.add(subject);
...@@ -193,7 +193,7 @@ public class UITruststoreService { ...@@ -193,7 +193,7 @@ public class UITruststoreService {
// test if certificate is valid // test if certificate is valid
cert.checkValidity(); cert.checkValidity();
// check if certificate or its issuer is on trusted list // check if certificate or its issuer is on trusted list
// check only issuer because using bluecoat Client-cert we do not have whole chain. // check only issuer because using Client-cert header we do not have whole chain.
// if the truststore is empty then truststore validation is ignored // if the truststore is empty then truststore validation is ignored
// backward compatibility // backward compatibility
if (!normalizedTrustedList.isEmpty() && !(isSubjectOnTrustedList(cert.getSubjectX500Principal().getName()) if (!normalizedTrustedList.isEmpty() && !(isSubjectOnTrustedList(cert.getSubjectX500Principal().getName())
...@@ -359,6 +359,10 @@ public class UITruststoreService { ...@@ -359,6 +359,10 @@ public class UITruststoreService {
return null; return null;
} }
public KeyStore getTrustStore() {
return trustStore;
}
public String createAliasFromCert(X509Certificate x509cert, KeyStore truststore) { public String createAliasFromCert(X509Certificate x509cert, KeyStore truststore) {
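Review bot: getTrustStore() returns the live java.security.KeyStore, which is mutable (setCertificateEntry/deleteEntry), so any caller can add or remove trust anchors for the whole application; if callers only need to validate chains, expose the TrustManager[] this class already holds, or a defensive copy, instead. Since useTrustStore() was made public in the same change, also consider that getTrustStore() returns null both when no truststore is configured and when loading failed, which leaves SMPAuthenticationProvider unable to tell the two cases apart.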
......
#
# Copyright 2017 European Commission | CEF eDelivery
#
# Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European Commission - subsequent versions of the EUPL (the "Licence");
# You may not use this work except in compliance with the Licence.
#
# You may obtain a copy of the Licence attached in file: LICENCE-EUPL-v1.2.pdf
#
# Unless required by applicable law or agreed to in writing, software distributed under the Licence is distributed on an "AS IS" basis,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the Licence for the specific language governing permissions and limitations under the Licence.
#
log4j.rootLogger=DEBUG, stdout
# A1 is set to be a ConsoleAppender.
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
# A1 uses PatternLayout.
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d [%p] %c %x - %m%n
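Review bot: this log4j.properties (root logger at DEBUG writing to a ConsoleAppender) has nothing to do with client-certificate authentication; if it is a new test resource, make sure it lives under the test source tree so the DEBUG root level cannot reach a deployed artifact, otherwise move it to a separate commit so the security change stays reviewable on its own.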
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
<property name="consolePattern" value="%d{ISO8601} [%X{d_user}] [%X{d_domain}] [%X{d_messageId}] [%thread] %5p %c{1}:%L - %m%n" scope="global"/> <property name="consolePattern" value="%d{ISO8601} [%X{d_user}] [%X{d_domain}] [%X{d_messageId}] [%thread] %5p %c{1}:%L - %m%n" scope="global"/>
<appender name="file" class="ch.qos.logback.core.rolling.RollingFileAppender"> <appender name="file" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${log.folder:-logs}/edelivery-smp.log</file> <file>${project.build.directory}/logs/edelivery-smp.log</file>
<filter class="ch.qos.logback.core.filter.EvaluatorFilter"> <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
<evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator"> <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator">
<marker>SECURITY</marker> <marker>SECURITY</marker>
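Review bot: the file appender path changes from `${log.folder:-logs}/edelivery-smp.log` to `${project.build.directory}/logs/edelivery-smp.log`; `project.build.directory` is a Maven property that only exists if this file goes through resource filtering. If this logback configuration is ever loaded unfiltered, logback leaves the placeholder unresolved and logs into a `project.build.directory_IS_UNDEFINED` directory, and the operator-facing `log.folder` override is lost. Confirm this is the test configuration and keep the runtime one on `${log.folder:-logs}`.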
...@@ -37,7 +37,8 @@ ...@@ -37,7 +37,8 @@
</encoder> </encoder>
</appender> </appender>
<logger name="eu.europa.ec.edelivery.smp" level="INFO" /> <logger name="eu.europa.ec.edelivery" level="DEBUG" />
<logger name="org.springframework.security.cas" level="DEBUG" />
<root level="WARN"> <root level="WARN">
<appender-ref ref="file"/> <appender-ref ref="file"/>
<appender-ref ref="stdout"/> <appender-ref ref="stdout"/>
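Review bot: raising `eu.europa.ec.edelivery` from INFO to DEBUG and adding `org.springframework.security.cas` at DEBUG belongs in a test-only logback file; DEBUG output from the CAS client and from the new certificate-authentication path is the kind of logging that can carry ticket values and certificate details, so in a shipped configuration these two lines would put authentication material into the log. Confirm the scope of this file and, if it is the runtime configuration, keep the smp package at INFO.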
......
package eu.europa.ec.edelivery.smp.auth; package eu.europa.ec.edelivery.smp.auth;
import eu.europa.ec.edelivery.security.PreAuthenticatedCertificatePrincipal; import eu.europa.ec.edelivery.security.PreAuthenticatedCertificatePrincipal;
import eu.europa.ec.edelivery.security.cert.CertificateValidator;
import eu.europa.ec.edelivery.smp.config.SmpAppConfig; import eu.europa.ec.edelivery.smp.config.SmpAppConfig;
import eu.europa.ec.edelivery.smp.data.dao.UserDao; import eu.europa.ec.edelivery.smp.data.dao.UserDao;
import eu.europa.ec.edelivery.smp.data.model.DBCertificate; import eu.europa.ec.edelivery.smp.data.model.DBCertificate;
...@@ -10,6 +11,7 @@ import eu.europa.ec.edelivery.smp.logging.SMPLogger; ...@@ -10,6 +11,7 @@ import eu.europa.ec.edelivery.smp.logging.SMPLogger;
import eu.europa.ec.edelivery.smp.logging.SMPLoggerFactory; import eu.europa.ec.edelivery.smp.logging.SMPLoggerFactory;
import eu.europa.ec.edelivery.smp.logging.SMPMessageCode; import eu.europa.ec.edelivery.smp.logging.SMPMessageCode;
import eu.europa.ec.edelivery.smp.services.CRLVerifierService; import eu.europa.ec.edelivery.smp.services.CRLVerifierService;
import eu.europa.ec.edelivery.smp.services.ConfigurationService;
import eu.europa.ec.edelivery.smp.services.ui.UITruststoreService; import eu.europa.ec.edelivery.smp.services.ui.UITruststoreService;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils; import org.apache.commons.lang3.exception.ExceptionUtils;
...@@ -22,7 +24,10 @@ import org.springframework.security.crypto.bcrypt.BCrypt; ...@@ -22,7 +24,10 @@ import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateRevokedException; import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.*; import java.util.*;
...@@ -45,18 +50,19 @@ public class SMPAuthenticationProvider implements AuthenticationProvider { ...@@ -45,18 +50,19 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
private final String dummyPasswordHash; private final String dummyPasswordHash;
private final String dummyPassword; private final String dummyPassword;
UserDao mUserDao; final UserDao mUserDao;
CRLVerifierService crlVerifierService; final CRLVerifierService crlVerifierService;
UITruststoreService truststoreService; final UITruststoreService truststoreService;
final ConfigurationService configurationService;
@Autowired @Autowired
public SMPAuthenticationProvider(UserDao mUserDao, CRLVerifierService crlVerifierService, UITruststoreService truststoreService) { public SMPAuthenticationProvider(UserDao mUserDao, CRLVerifierService crlVerifierService, UITruststoreService truststoreService, ConfigurationService configurationService) {
this.dummyPassword = UUID.randomUUID().toString(); this.dummyPassword = UUID.randomUUID().toString();
this.dummyPasswordHash = BCrypt.hashpw(dummyPassword, BCrypt.gensalt()); this.dummyPasswordHash = BCrypt.hashpw(dummyPassword, BCrypt.gensalt());
this.mUserDao = mUserDao; this.mUserDao = mUserDao;
this.crlVerifierService = crlVerifierService; this.crlVerifierService = crlVerifierService;
this.truststoreService = truststoreService; this.truststoreService = truststoreService;
this.configurationService = configurationService;
} }
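Review bot: `configurationService` is added to the constructor and stored in a final field, but nothing in this hunk or in the new body of authenticateByCertificateToken() reads it; either use it to gate the header-certificate path (for instance on isAuthenticationWithClientCertHeaderEnabled() or getAutomationAuthenticationTypes(), both added in this commit) or leave it out until it is needed. Making the three existing fields final is a good change.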
@Override @Override
...@@ -88,15 +94,30 @@ public class SMPAuthenticationProvider implements AuthenticationProvider { ...@@ -88,15 +94,30 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
/** /**
* Authenticate by certificate token got by BlueCoat or X509Certificate authentication) * Authenticated using the X509Certificate or ClientCert header certificate)
* *
* @param principal - certificate principal * @param principal - certificate principal
* @return authentication value. * @return authentication value.
*/ */
public Authentication authenticateByCertificateToken(PreAuthenticatedCertificatePrincipal principal) { public Authentication authenticateByCertificateToken(PreAuthenticatedCertificatePrincipal principal) {
LOG.info("authenticateByCertificateToken:" + principal.getName()); LOG.info("authenticateByCertificateToken:" + principal.getName());
KeyStore truststore = truststoreService.getTrustStore();
DBUser user; DBUser user;
X509Certificate x509Certificate = principal.getCertificate();
String userToken = principal.getName(); String userToken = principal.getName();
if (truststore != null && x509Certificate != null) {
CertificateValidator certificateValidator = new CertificateValidator(
null, truststore, null);
try {
certificateValidator.validateCertificate(x509Certificate);
} catch (CertificateException e) {
throw new BadCredentialsException("Certificate is not trusted!");
}
}
try { try {
Optional<DBUser> oUsr = mUserDao.findUserByCertificateId(userToken, true); Optional<DBUser> oUsr = mUserDao.findUserByCertificateId(userToken, true);
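Review bot: the new truststore check in authenticateByCertificateToken() is skipped, without a log line, whenever `truststore == null` or `principal.getCertificate() == null`. The first case covers both "no truststore configured" and "truststore failed to load"; the second is the Client-Cert header path if the principal built from the header carries no X509Certificate object (the comment in UITruststoreService notes that the header does not supply the whole chain). In every one of these cases the method proceeds to `mUserDao.findUserByCertificateId(userToken, true)` exactly as before, so the added validation is fail-open for precisely the inputs a forged header would produce. Make the decision explicit: when truststoreService.useTrustStore() is true and the store is null, reject; when the certificate object is absent, say so at WARN and rely on the existing issuer/subject trusted-list check. Two smaller points: `catch (CertificateException e)` drops the exception, so the thrown BadCredentialsException("Certificate is not trusted!") has no cause and nothing records why (expired, untrusted issuer, revoked); log the subject and e.getMessage() before throwing. And the Javadoc "Authenticated using the X509Certificate or ClientCert header certificate)" has a stray closing parenthesis.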
...@@ -113,7 +134,6 @@ public class SMPAuthenticationProvider implements AuthenticationProvider { ...@@ -113,7 +134,6 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
} catch (RuntimeException ex) { } catch (RuntimeException ex) {
LOG.error("Database connection error", ex); LOG.error("Database connection error", ex);
throw new AuthenticationServiceException("Internal server error occurred while user authentication!"); throw new AuthenticationServiceException("Internal server error occurred while user authentication!");
} }
DBCertificate certificate = user.getCertificate(); DBCertificate certificate = user.getCertificate();
......
...@@ -70,7 +70,7 @@ public class SMPCasConfigurer { ...@@ -70,7 +70,7 @@ public class SMPCasConfigurer {
@Bean @Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint(@Nullable @Qualifier(SMP_CAS_PROPERTIES_BEAN) ServiceProperties serviceProperties, ConfigurationService configService) { public CasAuthenticationEntryPoint casAuthenticationEntryPoint(@Nullable @Qualifier(SMP_CAS_PROPERTIES_BEAN) ServiceProperties serviceProperties, ConfigurationService configService) {
if (!configService.isCasEnabled()) { if (!configService.isSSOEnabledForUserAuthentication()) {
LOG.debug("Bean CasAuthenticationEntryPoint is not configured because SSO CAS authentication is not enabled!", SMP_CAS_PROPERTIES_BEAN); LOG.debug("Bean CasAuthenticationEntryPoint is not configured because SSO CAS authentication is not enabled!", SMP_CAS_PROPERTIES_BEAN);
return null; return null;
} }
...@@ -88,7 +88,7 @@ public class SMPCasConfigurer { ...@@ -88,7 +88,7 @@ public class SMPCasConfigurer {
@Bean @Bean
public SMPCas20ServiceTicketValidator ecasServiceTicketValidator(ConfigurationService configService) { public SMPCas20ServiceTicketValidator ecasServiceTicketValidator(ConfigurationService configService) {
if (!configService.isCasEnabled()) { if (!configService.isSSOEnabledForUserAuthentication()) {
LOG.debug("Bean SMPCas20ServiceTicketValidator is not configured because SSO CAS authentication is not enabled!", SMP_CAS_PROPERTIES_BEAN); LOG.debug("Bean SMPCas20ServiceTicketValidator is not configured because SSO CAS authentication is not enabled!", SMP_CAS_PROPERTIES_BEAN);
return null; return null;
} }
...@@ -135,7 +135,7 @@ public class SMPCasConfigurer { ...@@ -135,7 +135,7 @@ public class SMPCasConfigurer {
@Nullable SMPCasUserService smpCasUserService, @Nullable SMPCasUserService smpCasUserService,
ConfigurationService configService) { ConfigurationService configService) {
if (!configService.isCasEnabled()) { if (!configService.isSSOEnabledForUserAuthentication()) {
LOG.debug("Bean [CasAuthenticationProvider:{}] is not configured because SSO CAS authentication is not enabled!", SMP_CAS_PROPERTIES_BEAN); LOG.debug("Bean [CasAuthenticationProvider:{}] is not configured because SSO CAS authentication is not enabled!", SMP_CAS_PROPERTIES_BEAN);
return null; return null;
} }
......
package eu.europa.ec.edelivery.smp.config; package eu.europa.ec.edelivery.smp.config;
import eu.europa.ec.edelivery.security.BlueCoatAuthenticationFilter; import eu.europa.ec.edelivery.security.ClientCertAuthenticationFilter;
import eu.europa.ec.edelivery.smp.data.dao.ConfigurationDao; import eu.europa.ec.edelivery.smp.data.dao.ConfigurationDao;
import eu.europa.ec.edelivery.smp.data.ui.enums.SMPPropertyEnum; import eu.europa.ec.edelivery.smp.data.ui.enums.SMPPropertyEnum;
import eu.europa.ec.edelivery.smp.logging.SMPLogger; import eu.europa.ec.edelivery.smp.logging.SMPLogger;
...@@ -11,8 +11,6 @@ import org.springframework.web.server.adapter.ForwardedHeaderTransformer; ...@@ -11,8 +11,6 @@ import org.springframework.web.server.adapter.ForwardedHeaderTransformer;
import javax.annotation.PostConstruct; import javax.annotation.PostConstruct;
import static eu.europa.ec.edelivery.smp.config.SMPSecurityConstants.SMP_FORWARDED_HEADER_TRANSFORMER_BEAN;
/** /**
* Class update security configuration on property update event * Class update security configuration on property update event
...@@ -24,14 +22,14 @@ import static eu.europa.ec.edelivery.smp.config.SMPSecurityConstants.SMP_FORWARD ...@@ -24,14 +22,14 @@ import static eu.europa.ec.edelivery.smp.config.SMPSecurityConstants.SMP_FORWARD
public class SMPSecurityPropertyUpdateListener implements PropertyUpdateListener { public class SMPSecurityPropertyUpdateListener implements PropertyUpdateListener {
private static final SMPLogger LOG = SMPLoggerFactory.getLogger(SMPSecurityPropertyUpdateListener.class); private static final SMPLogger LOG = SMPLoggerFactory.getLogger(SMPSecurityPropertyUpdateListener.class);
final BlueCoatAuthenticationFilter blueCoatAuthenticationFilter; final ClientCertAuthenticationFilter ClientCertAuthenticationFilter;
final ConfigurationDao configurationDao; final ConfigurationDao configurationDao;
final ForwardedHeaderTransformer forwardedHeaderTransformer; final ForwardedHeaderTransformer forwardedHeaderTransformer;
public SMPSecurityPropertyUpdateListener(BlueCoatAuthenticationFilter blueCoatAuthenticationFilter, public SMPSecurityPropertyUpdateListener(ClientCertAuthenticationFilter ClientCertAuthenticationFilter,
ConfigurationDao configurationDao, ConfigurationDao configurationDao,
ForwardedHeaderTransformer forwardedHeaderTransformer) { ForwardedHeaderTransformer forwardedHeaderTransformer) {
this.blueCoatAuthenticationFilter = blueCoatAuthenticationFilter; this.ClientCertAuthenticationFilter = ClientCertAuthenticationFilter;
this.configurationDao = configurationDao; this.configurationDao = configurationDao;
this.forwardedHeaderTransformer = forwardedHeaderTransformer; this.forwardedHeaderTransformer = forwardedHeaderTransformer;
} }
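Review bot: the field and constructor parameter are named `ClientCertAuthenticationFilter`, identical to the type; `this.ClientCertAuthenticationFilter = ClientCertAuthenticationFilter;` compiles but reads as a static reference and breaks the lowerCamelCase convention every other field here follows (`blueCoatAuthenticationFilter` before the rename, `configurationDao`, `forwardedHeaderTransformer`). Rename to `clientCertAuthenticationFilter` here and in SpringSecurityConfig, where the same identifier is used.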
...@@ -47,9 +45,9 @@ public class SMPSecurityPropertyUpdateListener implements PropertyUpdateListener ...@@ -47,9 +45,9 @@ public class SMPSecurityPropertyUpdateListener implements PropertyUpdateListener
boolean setForwardHeadersEnabled = BooleanUtils.toBoolean((Boolean) configurationDao.getCachedPropertyValue(SMPPropertyEnum.HTTP_FORWARDED_HEADERS_ENABLED)); boolean setForwardHeadersEnabled = BooleanUtils.toBoolean((Boolean) configurationDao.getCachedPropertyValue(SMPPropertyEnum.HTTP_FORWARDED_HEADERS_ENABLED));
if (setBlueCoatEnabled) { if (setBlueCoatEnabled) {
LOG.warn("Set blue coat enabled: [true]. Do not enable this option when using SMP without reverse-proxy and HTTP header protection!"); LOG.warn("Set Client-Cert HTTP header enabled: [true]. Do not enable this option when using SMP without reverse-proxy and HTTP header protection!");
} }
blueCoatAuthenticationFilter.setBlueCoatEnabled(setBlueCoatEnabled); ClientCertAuthenticationFilter.setClientCertAuthenticationEnabled(setBlueCoatEnabled);
LOG.info("Set http forward headers enabled: [{}]." + setForwardHeadersEnabled); LOG.info("Set http forward headers enabled: [{}]." + setForwardHeadersEnabled);
if (setForwardHeadersEnabled) { if (setForwardHeadersEnabled) {
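Review bot: the log text now says "Client-Cert HTTP header" but the switch is still `setBlueCoatEnabled`, read from `SMPPropertyEnum.BLUE_COAT_ENABLED`, and the new `smp.automation.authentication.types` list is not consulted, so the CERT token documented in that property has no effect on whether the header filter is active. Decide which property owns this switch and, if BLUE_COAT_ENABLED stays, mention it in the changelog next to the new property so the two are not read as synonyms. Separately, the pre-existing `LOG.info("Set http forward headers enabled: [{}]." + setForwardHeadersEnabled)` concatenates the value after an unfilled `{}` placeholder; pass it as a logger argument instead.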
......
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
package eu.europa.ec.edelivery.smp.config; package eu.europa.ec.edelivery.smp.config;
import eu.europa.ec.edelivery.security.BlueCoatAuthenticationFilter; import eu.europa.ec.edelivery.security.ClientCertAuthenticationFilter;
import eu.europa.ec.edelivery.security.EDeliveryX509AuthenticationFilter; import eu.europa.ec.edelivery.security.EDeliveryX509AuthenticationFilter;
import eu.europa.ec.edelivery.smp.auth.SMPAuthenticationProvider; import eu.europa.ec.edelivery.smp.auth.SMPAuthenticationProvider;
import eu.europa.ec.edelivery.smp.auth.URLCsrfMatcher; import eu.europa.ec.edelivery.smp.auth.URLCsrfMatcher;
...@@ -30,7 +30,6 @@ import org.springframework.context.annotation.Bean; ...@@ -30,7 +30,6 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Lazy; import org.springframework.context.annotation.Lazy;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.cas.authentication.CasAuthenticationProvider; import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint; import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
...@@ -68,7 +67,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { ...@@ -68,7 +67,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
SMPAuthenticationProvider smpAuthenticationProvider; SMPAuthenticationProvider smpAuthenticationProvider;
CasAuthenticationProvider casAuthenticationProvider; CasAuthenticationProvider casAuthenticationProvider;
BlueCoatAuthenticationFilter blueCoatAuthenticationFilter; ClientCertAuthenticationFilter ClientCertAuthenticationFilter;
EDeliveryX509AuthenticationFilter x509AuthenticationFilter; EDeliveryX509AuthenticationFilter x509AuthenticationFilter;
CasAuthenticationFilter casAuthenticationFilter; CasAuthenticationFilter casAuthenticationFilter;
CasAuthenticationEntryPoint casAuthenticationEntryPoint; CasAuthenticationEntryPoint casAuthenticationEntryPoint;
...@@ -86,13 +85,13 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { ...@@ -86,13 +85,13 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
* Initialize beans. Use lazy initialization for filter to avoid circular dependencies * Initialize beans. Use lazy initialization for filter to avoid circular dependencies
* *
* @param smpAuthenticationProvider * @param smpAuthenticationProvider
* @param blueCoatAuthenticationFilter * @param ClientCertAuthenticationFilter
* @param x509AuthenticationFilter * @param x509AuthenticationFilter
*/ */
@Autowired @Autowired
public SpringSecurityConfig(SMPAuthenticationProvider smpAuthenticationProvider, public SpringSecurityConfig(SMPAuthenticationProvider smpAuthenticationProvider,
ConfigurationService configurationService, ConfigurationService configurationService,
@Lazy BlueCoatAuthenticationFilter blueCoatAuthenticationFilter, @Lazy ClientCertAuthenticationFilter ClientCertAuthenticationFilter,
@Lazy EDeliveryX509AuthenticationFilter x509AuthenticationFilter, @Lazy EDeliveryX509AuthenticationFilter x509AuthenticationFilter,
@Lazy CsrfTokenRepository csrfTokenRepository, @Lazy CsrfTokenRepository csrfTokenRepository,
@Lazy RequestMatcher csrfURLMatcher, @Lazy RequestMatcher csrfURLMatcher,
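Review bot: same naming issue as in SMPSecurityPropertyUpdateListener: `@Lazy ClientCertAuthenticationFilter ClientCertAuthenticationFilter` and the `@param ClientCertAuthenticationFilter` Javadoc use the type name as the identifier; rename to `clientCertAuthenticationFilter` in the field declaration above, the assignment below and the `httpSecurity.addFilter(...)` call further down, so the filter field is not mistaken for a static reference.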
...@@ -106,7 +105,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { ...@@ -106,7 +105,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
this.configurationService = configurationService; this.configurationService = configurationService;
this.smpAuthenticationProvider = smpAuthenticationProvider; this.smpAuthenticationProvider = smpAuthenticationProvider;
this.casAuthenticationProvider = casAuthenticationProvider; this.casAuthenticationProvider = casAuthenticationProvider;
this.blueCoatAuthenticationFilter = blueCoatAuthenticationFilter; this.ClientCertAuthenticationFilter = ClientCertAuthenticationFilter;
this.x509AuthenticationFilter = x509AuthenticationFilter; this.x509AuthenticationFilter = x509AuthenticationFilter;
this.casAuthenticationFilter = casAuthenticationFilter; this.casAuthenticationFilter = casAuthenticationFilter;
this.casAuthenticationEntryPoint = casAuthenticationEntryPoint; this.casAuthenticationEntryPoint = casAuthenticationEntryPoint;
...@@ -128,7 +127,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { ...@@ -128,7 +127,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
.and(); .and();
ExceptionHandlingConfigurer<HttpSecurity> exceptionHandlingConfigurer = httpSecurity.exceptionHandling(); ExceptionHandlingConfigurer<HttpSecurity> exceptionHandlingConfigurer = httpSecurity.exceptionHandling();
if (configurationService.isCasEnabled()) { if (configurationService.isSSOEnabledForUserAuthentication()) {
LOG.debug("The CAS authentication is enabled. Set casAuthenticationEntryPoint!"); LOG.debug("The CAS authentication is enabled. Set casAuthenticationEntryPoint!");
exceptionHandlingConfigurer = exceptionHandlingConfigurer.defaultAuthenticationEntryPointFor(casAuthenticationEntryPoint, new AntPathRequestMatcher(SMP_SECURITY_PATH_CAS_AUTHENTICATE)); exceptionHandlingConfigurer = exceptionHandlingConfigurer.defaultAuthenticationEntryPointFor(casAuthenticationEntryPoint, new AntPathRequestMatcher(SMP_SECURITY_PATH_CAS_AUTHENTICATE));
} }
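Review bot: `isCasEnabled()` becomes `isSSOEnabledForUserAuthentication()`, but the debug message on the following line still reads "The CAS authentication is enabled. Set casAuthenticationEntryPoint!", so the log describes the old flag rather than the setting that now controls the branch. Either update the message to name the SSO setting or add a short comment that SSO here is realised by CAS; the same applies to the other call sites of this method in the file.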
...@@ -142,7 +141,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { ...@@ -142,7 +141,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
.xssProtection().xssProtectionEnabled(true).and() .xssProtection().xssProtectionEnabled(true).and()
.and(); .and();
if (configurationService.isCasEnabled()) { if (configurationService.isSSOEnabledForUserAuthentication()) {
LOG.debug("The CAS authentication is enabled. Add CAS filter!"); LOG.debug("The CAS authentication is enabled. Add CAS filter!");
httpSecurity = httpSecurity.addFilter(casAuthenticationFilter); httpSecurity = httpSecurity.addFilter(casAuthenticationFilter);
} }
...@@ -168,7 +167,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { ...@@ -168,7 +167,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
.requestMatcher(AnyRequestMatcher.INSTANCE).and().and(); .requestMatcher(AnyRequestMatcher.INSTANCE).and().and();
} }
httpSecurity.addFilter(blueCoatAuthenticationFilter) httpSecurity.addFilter(ClientCertAuthenticationFilter)
.addFilter(x509AuthenticationFilter) .addFilter(x509AuthenticationFilter)
.httpBasic().authenticationEntryPoint(new SpringSecurityExceptionHandler()).and() // username .httpBasic().authenticationEntryPoint(new SpringSecurityExceptionHandler()).and() // username
.anonymous().authorities(SMPAuthority.S_AUTHORITY_ANONYMOUS.getAuthority()).and() .anonymous().authorities(SMPAuthority.S_AUTHORITY_ANONYMOUS.getAuthority()).and()
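Review bot: `httpSecurity.addFilter(ClientCertAuthenticationFilter)` registers the client-certificate filter unconditionally, whereas the CAS filter above is only added when SSO is enabled; the new filter instead depends on the enabled flag that the bean sets on it. That is workable, but a comment here would stop a reader assuming client-certificate authentication is always active, and the disabled path should be covered by a test confirming the filter neither authenticates nor rejects a request when the flag is off.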
...@@ -204,7 +203,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { ...@@ -204,7 +203,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Override @Override
protected void configure(AuthenticationManagerBuilder auth) { protected void configure(AuthenticationManagerBuilder auth) {
LOG.info("configureAuthenticationManagerBuilder, set SMP provider "); LOG.info("configureAuthenticationManagerBuilder, set SMP provider ");
if (configurationService.isCasEnabled()) { if (configurationService.isSSOEnabledForUserAuthentication()) {
LOG.info("[CAS] Authentication Provider enabled"); LOG.info("[CAS] Authentication Provider enabled");
auth.authenticationProvider(casAuthenticationProvider); auth.authenticationProvider(casAuthenticationProvider);
} }
...@@ -225,11 +224,11 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { ...@@ -225,11 +224,11 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
} }
@Bean @Bean
public BlueCoatAuthenticationFilter getClientCertAuthenticationFilter(@Qualifier(SMP_AUTHENTICATION_MANAGER_BEAN) AuthenticationManager authenticationManager) { public ClientCertAuthenticationFilter getClientCertAuthenticationFilter(@Qualifier(SMP_AUTHENTICATION_MANAGER_BEAN) AuthenticationManager authenticationManager) {
BlueCoatAuthenticationFilter blueCoatAuthenticationFilter = new BlueCoatAuthenticationFilter(); ClientCertAuthenticationFilter ClientCertAuthenticationFilter = new ClientCertAuthenticationFilter();
blueCoatAuthenticationFilter.setAuthenticationManager(authenticationManager); ClientCertAuthenticationFilter.setAuthenticationManager(authenticationManager);
blueCoatAuthenticationFilter.setBlueCoatEnabled(clientCertEnabled); ClientCertAuthenticationFilter.setClientCertAuthenticationEnabled(clientCertEnabled);
return blueCoatAuthenticationFilter; return ClientCertAuthenticationFilter;
} }
@Bean @Bean
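Review bot: `ClientCertAuthenticationFilter ClientCertAuthenticationFilter = new ClientCertAuthenticationFilter();` declares a local with the same name as its type; Java lets the variable obscure the type so it compiles, but the next line `ClientCertAuthenticationFilter.setAuthenticationManager(authenticationManager);` then reads like a static call. Rename the local to `clientCertAuthenticationFilter`. Also confirm that the `clientCertEnabled` value passed to `setClientCertAuthenticationEnabled` is sourced from the setting that now controls client-certificate authentication, since only the setter name changed in this hunk.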
...@@ -135,5 +135,4 @@ public class ServiceGroupController { ...@@ -135,5 +135,4 @@ public class ServiceGroupController {
String host = httpReq.getHeader("X-Forwarded-For"); String host = httpReq.getHeader("X-Forwarded-For");
return StringUtils.isBlank(host) ? httpReq.getRemoteHost() : host; return StringUtils.isBlank(host) ? httpReq.getRemoteHost() : host;
} }
} }
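Review bot: `httpReq.getHeader("X-Forwarded-For")` is used as the client host whenever the header is present. That header is written by whatever sits in front of the application and can be supplied by the caller itself when no trusted reverse proxy strips or overwrites it, and it may carry a comma-separated chain of addresses rather than one value. Wherever this host value is consumed, fall back to `httpReq.getRemoteHost()` unless the request arrived from a trusted proxy, and select the appropriate element of the list instead of using the raw header string.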