fix for csrf exection redirect

Evolveum · Jan 31, 2020 · 2748424 · 2748424
1 parent 4ed18bf
commit 2748424
Show file tree

Hide file tree

Showing 6 changed files with 125 additions and 31 deletions.
diff --git a/...security/MidPointAccessDeniedHandler.java → .../security/AuditedAccessDeniedHandler.java b/...security/MidPointAccessDeniedHandler.java → .../security/AuditedAccessDeniedHandler.java
@@ -38,39 +38,26 @@
 /**
  * Created by Viliam Repan (lazyman).
  */
-public class MidPointAccessDeniedHandler<SecurityHelper> implements AccessDeniedHandler {
-
-    private AccessDeniedHandler defaultHandler = new AccessDeniedHandlerImpl();
+public class AuditedAccessDeniedHandler<SecurityHelper> extends MidpointAccessDeniedHandler {
 
     @Autowired
     private TaskManager taskManager;
     @Autowired
     private AuditService auditService;
 
     @Override
-    public void handle(HttpServletRequest request, HttpServletResponse response,
+    protected boolean handleInternal(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
-        if (response.isCommitted()) {
-            return;
-        }
 
-        if (accessDeniedException instanceof CsrfException) {
-            // handle invalid csrf token exception gracefully when user tries to log in/out with expired exception
-            // handle session timeout for ajax cases -> redirect to base context (login)
-            if (WicketRedirectStrategy.isWicketAjaxRequest(request)) {
-                WicketRedirectStrategy redirect = new WicketRedirectStrategy();
-                redirect.sendRedirect(request, response, request.getContextPath());
-            } else {
-                response.sendRedirect(request.getContextPath());
-            }
-
-            return;
+        boolean ended = super.handleInternal(request, response, accessDeniedException);
+        if (ended) {
+            return ended;
         }
 
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
         auditEvent(request, authentication, accessDeniedException);
 
-        defaultHandler.handle(request, response, accessDeniedException);
+        return false;
     }
 
     private void auditEvent(HttpServletRequest request, Authentication authentication, AccessDeniedException accessDeniedException) {

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java
@@ -130,8 +130,8 @@ public AuditedLogoutHandler logoutHandler() {
     }
 
     @Bean
-    public MidPointAccessDeniedHandler accessDeniedHandler() {
-        return objectObjectPostProcessor.postProcess(new MidPointAccessDeniedHandler());
+    public AuditedAccessDeniedHandler accessDeniedHandler() {
+        return objectObjectPostProcessor.postProcess(new AuditedAccessDeniedHandler());
     }
 
     @Profile("!cas")

diff --git a/...min-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointAccessDeniedHandler.java b/...min-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointAccessDeniedHandler.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2010-2017 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+
+package com.evolveum.midpoint.web.security;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.csrf.CsrfException;
+
+import com.evolveum.midpoint.audit.api.AuditEventRecord;
+import com.evolveum.midpoint.audit.api.AuditEventStage;
+import com.evolveum.midpoint.audit.api.AuditEventType;
+import com.evolveum.midpoint.audit.api.AuditService;
+import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
+import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.result.OperationResultStatus;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.web.security.util.SecurityUtils;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+
+/**
+ * Created by Viliam Repan (lazyman).
+ */
+public class MidpointAccessDeniedHandler<SecurityHelper> implements AccessDeniedHandler {
+
+    private AccessDeniedHandler defaultHandler = new AccessDeniedHandlerImpl();
+
+    @Autowired
+    private TaskManager taskManager;
+    @Autowired
+    private AuditService auditService;
+
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response,
+                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        boolean ended = handleInternal(request, response, accessDeniedException);
+        if (ended) {
+            return;
+        }
+
+        defaultHandler.handle(request, response, accessDeniedException);
+    }
+
+    protected boolean handleInternal(HttpServletRequest request, HttpServletResponse response,
+            AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        if (response.isCommitted()) {
+            return true;
+        }
+
+        if (accessDeniedException instanceof CsrfException) {
+            // handle invalid csrf token exception gracefully when user tries to log in/out with expired exception
+            // handle session timeout for ajax cases -> redirect to base context (login)
+            if (WicketRedirectStrategy.isWicketAjaxRequest(request)) {
+                WicketRedirectStrategy redirect = new WicketRedirectStrategy();
+                redirect.sendRedirect(request, response, request.getContextPath());
+            } else {
+                response.sendRedirect(request.getContextPath());
+            }
+
+            return true;
+        }
+        return false;
+    }
+}
diff --git a/...admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointBeanPostProcessor.java b/...admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointBeanPostProcessor.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security;
+
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.config.BeanPostProcessor;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author skublik
+ */
+
+@Component
+class MidpointBeanPostProcessor implements BeanPostProcessor {
+
+    @Override
+    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
+        if (bean instanceof CsrfFilter) {
+            CsrfFilter csrfFilter = (CsrfFilter) bean;
+            csrfFilter.setAccessDeniedHandler(new MidpointAccessDeniedHandler());
+        }
+        return bean;
+    }
+
+    @Override
+    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
+        return bean;
+    }
+}
diff --git a/...ui/src/main/java/com/evolveum/midpoint/web/security/module/HttpHeaderModuleWebConfig.java b/...ui/src/main/java/com/evolveum/midpoint/web/security/module/HttpHeaderModuleWebConfig.java
@@ -6,12 +6,9 @@
  */
 package com.evolveum.midpoint.web.security.module;
 
-import com.evolveum.midpoint.web.security.MidPointAccessDeniedHandler;
 import com.evolveum.midpoint.web.security.MidpointAuthenticationFauileHandler;
 import com.evolveum.midpoint.web.security.MidpointProviderManager;
-import com.evolveum.midpoint.web.security.WicketLoginUrlAuthenticationEntryPoint;
 import com.evolveum.midpoint.web.security.filter.MidpointRequestHeaderAuthenticationFilter;
-import com.evolveum.midpoint.web.security.filter.configurers.MidpointExceptionHandlingConfigurer;
 import com.evolveum.midpoint.web.security.module.configuration.HttpHeaderModuleWebSecurityConfiguration;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

diff --git a/...-gui/src/main/java/com/evolveum/midpoint/web/security/module/ModuleWebSecurityConfig.java b/...-gui/src/main/java/com/evolveum/midpoint/web/security/module/ModuleWebSecurityConfig.java
@@ -7,20 +7,15 @@
 package com.evolveum.midpoint.web.security.module;
 
 import com.evolveum.midpoint.model.api.authentication.ModuleWebSecurityConfiguration;
-import com.evolveum.midpoint.security.api.SecurityContextManager;
-import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
-import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.web.security.*;
 import com.evolveum.midpoint.web.security.factory.channel.AuthChannelRegistryImpl;
 import com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter;
-import com.evolveum.midpoint.web.security.filter.PreLogoutFilter;
 import com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter;
 import com.evolveum.midpoint.web.security.filter.configurers.MidpointExceptionHandlingConfigurer;
 import com.evolveum.midpoint.web.security.factory.module.AuthModuleRegistryImpl;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
@@ -36,7 +31,6 @@
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.security.web.csrf.CsrfFilter;
-import org.springframework.security.web.header.HeaderWriterFilter;
 
 import java.util.UUID;
 
@@ -47,7 +41,7 @@
 public class ModuleWebSecurityConfig<C extends ModuleWebSecurityConfiguration> extends WebSecurityConfigurerAdapter {
 
     @Autowired
-    private MidPointAccessDeniedHandler accessDeniedHandler;
+    private AuditedAccessDeniedHandler accessDeniedHandler;
 
     @Autowired
     private SessionRegistry sessionRegistry;