diff options
author | Sam Huang <sam.huang@yoppworks.com> | 2021-03-23 10:16:47 -0600 |
---|---|---|
committer | Sam Huang <sam.huang@yoppworks.com> | 2021-03-31 12:42:42 -0600 |
commit | 41bbec0fa7d767536d892c4ad76dadcb54aa796f (patch) | |
tree | 04765df7a92e325acb8bcbcc99433918bd3e9ce1 | |
parent | 7e39a251880314af510a1a746fe28493403f1bc2 (diff) |
Add keycloak integration
Issue-ID: AAI-3298
Signed-off-by: Sam Huang <sam.huang@yoppworks.com>
Change-Id: I2d99769ab8d189d61de610ec020b15a8fe0aa652
5 files changed, 132 insertions, 3 deletions
diff --git a/aai-traversal/pom.xml b/aai-traversal/pom.xml index f07ead8..f887e86 100644 --- a/aai-traversal/pom.xml +++ b/aai-traversal/pom.xml @@ -95,6 +95,7 @@ <schema.version.api.default>v23</schema.version.api.default> <schema.version.list>v10,v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23</schema.version.list> <schema.uri.base.path>/aai</schema.uri.base.path> + <keycloak.version>11.0.2</keycloak.version> <!-- End of Default ONAP Schema Properties --> </properties> <profiles> @@ -688,7 +689,26 @@ <groupId>org.codehaus.plexus</groupId> <artifactId>plexus-utils</artifactId> </dependency> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-security</artifactId> + </dependency> + <dependency> + <groupId>org.keycloak</groupId> + <artifactId>keycloak-spring-boot-starter</artifactId> + </dependency> </dependencies> + <dependencyManagement> + <dependencies> + <dependency> + <groupId>org.keycloak.bom</groupId> + <artifactId>keycloak-adapter-bom</artifactId> + <version>${keycloak.version}</version> + <type>pom</type> + <scope>import</scope> + </dependency> + </dependencies> + </dependencyManagement> <build> <resources> <resource> @@ -821,6 +841,15 @@ </pluginManagement> <plugins> <plugin> + <groupId>org.jacoco</groupId> + <artifactId>jacoco-maven-plugin</artifactId> + <configuration combine.children="append"> + <excludes> + <exclude>**/*WebSecurityConfig.*</exclude> + </excludes> + </configuration> + </plugin> + <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-clean-plugin</artifactId> <version>2.4.1</version> diff --git a/aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java b/aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java new file mode 100644 index 0000000..c92d818 --- /dev/null +++ b/aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java @@ -0,0 +1,76 @@ + +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright (C) 2019 Nordix Foundation. + * Modifications Copyright (C) 2019 AT&T Intellectual Property. + * Modifications Copyright (C) 2020 Bell Canada. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ +package org.onap.aai.rest.security; +import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver; +import org.keycloak.adapters.springsecurity.KeycloakConfiguration; +import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider; +import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.web.servlet.ServletListenerRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Import; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; +import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; +import org.springframework.security.core.session.SessionRegistryImpl; +import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; +import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; +import org.springframework.security.web.session.HttpSessionEventPublisher; +@Profile("keycloak") +@KeycloakConfiguration +@Import({KeycloakSpringBootConfigResolver.class}) +public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter { + @Autowired + public void configureGlobal(AuthenticationManagerBuilder auth) { + KeycloakAuthenticationProvider keycloakAuthenticationProvider + = keycloakAuthenticationProvider(); + keycloakAuthenticationProvider.setGrantedAuthoritiesMapper( + new SimpleAuthorityMapper()); + auth.authenticationProvider(keycloakAuthenticationProvider); + } + @Bean + public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() { + return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher()); + } + @Bean + @Override + protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { + return new RegisterSessionAuthenticationStrategy( + new SessionRegistryImpl()); + } + @Override + protected void configure(HttpSecurity http) throws Exception { + super.configure(http); + http.authorizeRequests() + .antMatchers("/**") + .permitAll().and().csrf().disable(); + } + @Override + public void configure(WebSecurity web) throws Exception { + web.ignoring().regexMatchers("^.*/util/echo$"); + } +} diff --git a/aai-traversal/src/main/resources/application-keycloak.properties b/aai-traversal/src/main/resources/application-keycloak.properties new file mode 100644 index 0000000..86adb59 --- /dev/null +++ b/aai-traversal/src/main/resources/application-keycloak.properties @@ -0,0 +1,13 @@ +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + +multi.tenancy.enabled=true +keycloak.auth-server-url=http://localhost:8180/auth +keycloak.realm=aai-traversal +keycloak.resource=aai-traversal-app +keycloak.public-client=false +keycloak.principal-attribute=preferred_username + +keycloak.ssl-required=external +keycloak.bearer-only=true diff --git a/aai-traversal/src/main/resources/application.properties b/aai-traversal/src/main/resources/application.properties index 14d6b64..a22f708 100644 --- a/aai-traversal/src/main/resources/application.properties +++ b/aai-traversal/src/main/resources/application.properties @@ -9,7 +9,11 @@ spring.jersey.type=filter spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ -spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\ + org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\ + org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration spring.jersey.application-path=${schema.uri.base.path} @@ -27,7 +31,7 @@ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8446 server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 - +server.compression.excluded-user-agents= # By default spring boot jetty will exclude the following ciphers # We need to specifically add this to support tls v1.1 server.ssl.ciphers=^.*_(MD5|SHA|SHA1)$ @@ -35,7 +39,10 @@ server.ssl.client-auth=want server.ssl.key-store-type=JKS # Start of Internal Specific Properties +# Switch to one-way-ssl spring.profiles.active=production,one-way-ssl +# Switch to keycloak +#spring.profiles.active=production, keycloak ### server.certs.location=${server.local.startpath}etc/auth/ server.keystore.name.pkcs12=aai_keystore diff --git a/aai-traversal/src/test/resources/application-test.properties b/aai-traversal/src/test/resources/application-test.properties index a433ab7..8994c2e 100644 --- a/aai-traversal/src/test/resources/application-test.properties +++ b/aai-traversal/src/test/resources/application-test.properties @@ -8,7 +8,11 @@ spring.application.name=aai-traversal spring.jersey.type=filter server.contextPath=/ -spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\ + org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\ + org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration spring.jersey.application-path=${schema.uri.base.path} |