use CSRF filter after authentication for remote auth modules

Evolveum · Aug 28, 2023 · 11c2f42 · 11c2f42
1 parent c9a3935
commit 11c2f42
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 1 deletion.
diff --git a/...hentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthUtil.java b/...hentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthUtil.java
@@ -101,6 +101,20 @@ public static boolean isPostAuthenticationEnabled(TaskManager taskManager, Model
         return false;
     }
 
+    /**
+     * Convenient method to return instance of MidpointAuthentication if exists
+     * If not present, exception is thrown.
+     *
+     * TODO: maybe we wll need to change exception to return null
+     */
+    public static MidpointAuthentication getMidpointAuthentication() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (!(authentication instanceof MidpointAuthentication)) {
+            throw new AuthenticationServiceException("web.security.flexAuth.auth.wrong.type");
+        }
+        return (MidpointAuthentication) authentication;
+    }
+
     public static ModuleAuthentication getAuthenticatedModule() {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
 

diff --git a/...volveum/midpoint/authentication/impl/filter/UseCsrfFilterOnlyForAuthenticatedRequest.java b/...volveum/midpoint/authentication/impl/filter/UseCsrfFilterOnlyForAuthenticatedRequest.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2023 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+
+package com.evolveum.midpoint.authentication.impl.filter;
+
+import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
+import com.evolveum.midpoint.authentication.api.util.AuthUtil;
+
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+public class UseCsrfFilterOnlyForAuthenticatedRequest implements RequestMatcher {
+
+    private final RequestMatcher requireCsrfProtectionMatcher = CsrfFilter.DEFAULT_CSRF_MATCHER;
+
+    @Override
+    public boolean matches(HttpServletRequest request) {
+        MidpointAuthentication mPAuthentication = AuthUtil.getMidpointAuthentication();
+        if (mPAuthentication != null && mPAuthentication.isAuthenticated()) {
+            return requireCsrfProtectionMatcher.matches(request);
+        }
+        return false;
+    }
+
+    @Override
+    public MatchResult matcher(HttpServletRequest request) {
+        return requireCsrfProtectionMatcher.matcher(request);
+    }
+}
diff --git a/...nt/authentication/impl/module/configuration/OidcClientModuleWebSecurityConfiguration.java b/...nt/authentication/impl/module/configuration/OidcClientModuleWebSecurityConfiguration.java
@@ -217,6 +217,7 @@ private static void initializeProofKey(AbstractKeyStoreKeyType key, OidcAddition
             pkey = getPrivateKey(key, protector);
         } catch (KeyStoreException | IOException | EncryptionException | CertificateException |
                 NoSuchAlgorithmException | UnrecoverableKeyException e) {
+            LOGGER.error("Unable get key from " + key, e);
             throw new OAuth2AuthenticationException(new OAuth2Error("missing_key"), "Unable get key from " + key, e);
         }
         if (!(pkey instanceof RSAPrivateKey)) {

diff --git a/...eum/midpoint/authentication/impl/module/configurer/RemoteModuleWebSecurityConfigurer.java b/...eum/midpoint/authentication/impl/module/configurer/RemoteModuleWebSecurityConfigurer.java
@@ -12,6 +12,7 @@
 import javax.servlet.http.HttpServletRequest;
 
 import com.evolveum.midpoint.authentication.impl.entry.point.RemoteAuthenticationEntryPoint;
+import com.evolveum.midpoint.authentication.impl.filter.UseCsrfFilterOnlyForAuthenticatedRequest;
 import com.evolveum.midpoint.authentication.impl.module.configuration.RemoteModuleWebSecurityConfiguration;
 
 import org.springframework.beans.factory.annotation.Autowired;
@@ -66,7 +67,7 @@ protected void configure(HttpSecurity http) throws Exception {
         super.configure(http);
 
         http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
-        http.csrf().disable();
+        http.csrf().requireCsrfProtectionMatcher(new UseCsrfFilterOnlyForAuthenticatedRequest());
 
         MidpointExceptionHandlingConfigurer exceptionConfigurer = new MidpointExceptionHandlingConfigurer() {
             @Override