From 41bbec0fa7d767536d892c4ad76dadcb54aa796f Mon Sep 17 00:00:00 2001 From: Sam Huang Date: Tue, 23 Mar 2021 10:16:47 -0600 Subject: Add keycloak integration Issue-ID: AAI-3298 Signed-off-by: Sam Huang Change-Id: I2d99769ab8d189d61de610ec020b15a8fe0aa652 --- aai-traversal/pom.xml | 29 +++++++++ .../onap/aai/rest/security/WebSecurityConfig.java | 76 ++++++++++++++++++++++ .../main/resources/application-keycloak.properties | 13 ++++ .../src/main/resources/application.properties | 11 +++- .../src/test/resources/application-test.properties | 6 +- 5 files changed, 132 insertions(+), 3 deletions(-) create mode 100644 aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java create mode 100644 aai-traversal/src/main/resources/application-keycloak.properties diff --git a/aai-traversal/pom.xml b/aai-traversal/pom.xml index f07ead8..f887e86 100644 --- a/aai-traversal/pom.xml +++ b/aai-traversal/pom.xml @@ -95,6 +95,7 @@ v23 v10,v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23 /aai + 11.0.2 @@ -688,7 +689,26 @@ org.codehaus.plexus plexus-utils + + org.springframework.boot + spring-boot-starter-security + + + org.keycloak + keycloak-spring-boot-starter + + + + + org.keycloak.bom + keycloak-adapter-bom + ${keycloak.version} + pom + import + + + @@ -820,6 +840,15 @@ + + org.jacoco + jacoco-maven-plugin + + + **/*WebSecurityConfig.* + + + org.apache.maven.plugins maven-clean-plugin diff --git a/aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java b/aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java new file mode 100644 index 0000000..c92d818 --- /dev/null +++ b/aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java @@ -0,0 +1,76 @@ + +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright (C) 2019 Nordix Foundation. + * Modifications Copyright (C) 2019 AT&T Intellectual Property. + * Modifications Copyright (C) 2020 Bell Canada. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ +package org.onap.aai.rest.security; +import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver; +import org.keycloak.adapters.springsecurity.KeycloakConfiguration; +import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider; +import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.web.servlet.ServletListenerRegistrationBean; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Import; +import org.springframework.context.annotation.Profile; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; +import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; +import org.springframework.security.core.session.SessionRegistryImpl; +import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; +import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; +import org.springframework.security.web.session.HttpSessionEventPublisher; +@Profile("keycloak") +@KeycloakConfiguration +@Import({KeycloakSpringBootConfigResolver.class}) +public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter { + @Autowired + public void configureGlobal(AuthenticationManagerBuilder auth) { + KeycloakAuthenticationProvider keycloakAuthenticationProvider + = keycloakAuthenticationProvider(); + keycloakAuthenticationProvider.setGrantedAuthoritiesMapper( + new SimpleAuthorityMapper()); + auth.authenticationProvider(keycloakAuthenticationProvider); + } + @Bean + public ServletListenerRegistrationBean httpSessionEventPublisher() { + return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher()); + } + @Bean + @Override + protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { + return new RegisterSessionAuthenticationStrategy( + new SessionRegistryImpl()); + } + @Override + protected void configure(HttpSecurity http) throws Exception { + super.configure(http); + http.authorizeRequests() + .antMatchers("/**") + .permitAll().and().csrf().disable(); + } + @Override + public void configure(WebSecurity web) throws Exception { + web.ignoring().regexMatchers("^.*/util/echo$"); + } +} diff --git a/aai-traversal/src/main/resources/application-keycloak.properties b/aai-traversal/src/main/resources/application-keycloak.properties new file mode 100644 index 0000000..86adb59 --- /dev/null +++ b/aai-traversal/src/main/resources/application-keycloak.properties @@ -0,0 +1,13 @@ +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + +multi.tenancy.enabled=true +keycloak.auth-server-url=http://localhost:8180/auth +keycloak.realm=aai-traversal +keycloak.resource=aai-traversal-app +keycloak.public-client=false +keycloak.principal-attribute=preferred_username + +keycloak.ssl-required=external +keycloak.bearer-only=true diff --git a/aai-traversal/src/main/resources/application.properties b/aai-traversal/src/main/resources/application.properties index 14d6b64..a22f708 100644 --- a/aai-traversal/src/main/resources/application.properties +++ b/aai-traversal/src/main/resources/application.properties @@ -9,7 +9,11 @@ spring.jersey.type=filter spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ -spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\ + org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\ + org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration spring.jersey.application-path=${schema.uri.base.path} @@ -27,7 +31,7 @@ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8446 server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 - +server.compression.excluded-user-agents= # By default spring boot jetty will exclude the following ciphers # We need to specifically add this to support tls v1.1 server.ssl.ciphers=^.*_(MD5|SHA|SHA1)$ @@ -35,7 +39,10 @@ server.ssl.client-auth=want server.ssl.key-store-type=JKS # Start of Internal Specific Properties +# Switch to one-way-ssl spring.profiles.active=production,one-way-ssl +# Switch to keycloak +#spring.profiles.active=production, keycloak ### server.certs.location=${server.local.startpath}etc/auth/ server.keystore.name.pkcs12=aai_keystore diff --git a/aai-traversal/src/test/resources/application-test.properties b/aai-traversal/src/test/resources/application-test.properties index a433ab7..8994c2e 100644 --- a/aai-traversal/src/test/resources/application-test.properties +++ b/aai-traversal/src/test/resources/application-test.properties @@ -8,7 +8,11 @@ spring.application.name=aai-traversal spring.jersey.type=filter server.contextPath=/ -spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\ + org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\ + org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration spring.jersey.application-path=${schema.uri.base.path} -- cgit 1.2.3-korg