diff options
author | Rodrigo Lima <rodrigo.lima@yoppworks.com> | 2020-09-03 11:54:27 -0400 |
---|---|---|
committer | Rodrigo Lima <rodrigo.lima@yoppworks.com> | 2020-09-08 11:25:04 -0400 |
commit | 696ebd9e433f2b6f890c6032a4febdb9d3ec8eb7 (patch) | |
tree | 427d1b6980fac114b4503407d434fa7ae979e743 /aai-resources | |
parent | 4714ea1e5f45fe286a25adbcad8e553c6250a821 (diff) |
Add keycloak integration
- The feature can be enabled by adding keycloak spring profile in application properties.
- Add keycloak springboot and spring security adapter to pom
- Exclude keycloak and spring security autoconfiguration in application properties
- Add keycloak application properties that is activated when keycloak profile used
- Add WebSecurityConfig to config authorization
Issue-ID: AAI-3129
Signed-off-by: Rodrigo Lima <rodrigo.lima@yoppworks.com>
Change-Id: Iaa086b4075c03237388a997274d01bf8b8114b4d
Diffstat (limited to 'aai-resources')
5 files changed, 139 insertions, 3 deletions
diff --git a/aai-resources/pom.xml b/aai-resources/pom.xml index 828b91a..a54f79d 100644 --- a/aai-resources/pom.xml +++ b/aai-resources/pom.xml @@ -77,7 +77,7 @@ <schema.ingest.file>${project.basedir}/src/main/resources/application.properties</schema.ingest.file> <!-- End of Default ONAP Schema Properties --> - + <keycloak.version>11.0.2</keycloak.version> <!-- Setting some default value to not complain by editor but it will be overridden by gmaven plugin --> </properties> <profiles> @@ -607,7 +607,26 @@ <groupId>org.apache.tinkerpop</groupId> <artifactId>gremlin-groovy</artifactId> </dependency> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-security</artifactId> + </dependency> + <dependency> + <groupId>org.keycloak</groupId> + <artifactId>keycloak-spring-boot-starter</artifactId> + </dependency> </dependencies> + <dependencyManagement> + <dependencies> + <dependency> + <groupId>org.keycloak.bom</groupId> + <artifactId>keycloak-adapter-bom</artifactId> + <version>${keycloak.version}</version> + <type>pom</type> + <scope>import</scope> + </dependency> + </dependencies> + </dependencyManagement> <build> <resources> <resource> @@ -859,6 +878,15 @@ </execution> </executions> </plugin> + <plugin> + <groupId>org.jacoco</groupId> + <artifactId>jacoco-maven-plugin</artifactId> + <configuration combine.children="append"> + <excludes> + <exclude>**/*WebSecurityConfig.*</exclude> + </excludes> + </configuration> + </plugin> </plugins> </build> <reporting> diff --git a/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java b/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java new file mode 100644 index 0000000..2b67c40 --- /dev/null +++ b/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java @@ -0,0 +1,86 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright (C) 2019 Nordix Foundation. + * Modifications Copyright (C) 2019 AT&T Intellectual Property. + * Modifications Copyright (C) 2020 Bell Canada. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ +package org.onap.aai.rest.security; + +import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver; +import org.keycloak.adapters.springsecurity.KeycloakConfiguration; +import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider; +import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.web.servlet.ServletListenerRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Import; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; +import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; +import org.springframework.security.core.session.SessionRegistryImpl; +import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; +import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; +import org.springframework.security.web.session.HttpSessionEventPublisher; + +@Profile("keycloak") +@KeycloakConfiguration +@Import({KeycloakSpringBootConfigResolver.class}) +public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter { + + @Autowired + public void configureGlobal(AuthenticationManagerBuilder auth) { + KeycloakAuthenticationProvider keycloakAuthenticationProvider + = keycloakAuthenticationProvider(); + keycloakAuthenticationProvider.setGrantedAuthoritiesMapper( + new SimpleAuthorityMapper()); + auth.authenticationProvider(keycloakAuthenticationProvider); + } + + @Bean + public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() { + return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher()); + } + + @Bean + @Override + protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { + return new RegisterSessionAuthenticationStrategy( + new SessionRegistryImpl()); + } + + @Override + protected void configure(HttpSecurity http) throws Exception { + super.configure(http); + http.authorizeRequests() + .antMatchers("/**") + .hasAnyRole("admin") + .anyRequest() + .permitAll().and().csrf().disable(); + } + + @Override + public void configure(WebSecurity web) throws Exception { + web.ignoring().regexMatchers("^.*/util/echo$"); + } + + +} diff --git a/aai-resources/src/main/resources/application-keycloak.properties b/aai-resources/src/main/resources/application-keycloak.properties new file mode 100644 index 0000000..538abfc --- /dev/null +++ b/aai-resources/src/main/resources/application-keycloak.properties @@ -0,0 +1,16 @@ + +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + + +keycloak.auth-server-url=http://localhost:8180/auth +keycloak.realm=aai-resources +keycloak.resource=aai-resources-app +keycloak.public-client=true +keycloak.principal-attribute=preferred_username + +keycloak.ssl-required=external +#keycloak.use-resource-role-mappings=true +#keycloak.credentials.secret=cd18afc8-9c96-4723-b9b3-0017ad615500 +keycloak.bearer-only=true
\ No newline at end of file diff --git a/aai-resources/src/main/resources/application.properties b/aai-resources/src/main/resources/application.properties index 0366e33..86bc0d5 100644 --- a/aai-resources/src/main/resources/application.properties +++ b/aai-resources/src/main/resources/application.properties @@ -11,7 +11,9 @@ spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ spring.autoconfigure.exclude=\ org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ - org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\ + org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\ + org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration spring.jersey.application-path=${schema.uri.base.path} diff --git a/aai-resources/src/test/resources/application-test.properties b/aai-resources/src/test/resources/application-test.properties index e8a4703..b96b9ce 100644 --- a/aai-resources/src/test/resources/application-test.properties +++ b/aai-resources/src/test/resources/application-test.properties @@ -11,7 +11,11 @@ server.servlet.context-path=/ spring.jersey.application-path=${schema.uri.base.path} -spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\ + org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\ + org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration spring.profiles.active=production #The max number of active threads in this pool |