diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AbstractCredentialModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AbstractCredentialModuleFactory.java index 195e2a0a672..609c0d27cb1 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AbstractCredentialModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AbstractCredentialModuleFactory.java @@ -12,29 +12,21 @@ import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication; -import com.evolveum.midpoint.authentication.impl.filter.RefuseUnauthenticatedRequestFilter; - import jakarta.servlet.ServletRequest; import com.evolveum.midpoint.authentication.impl.module.configurer.ModuleWebSecurityConfigurer; -import com.evolveum.midpoint.authentication.impl.util.AuthModuleImpl; import com.evolveum.midpoint.authentication.api.AuthModule; import com.evolveum.midpoint.authentication.api.AuthenticationChannel; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration; import org.apache.commons.lang3.StringUtils; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.web.SecurityFilterChain; import com.evolveum.midpoint.util.logging.Trace; import com.evolveum.midpoint.util.logging.TraceManager; import com.evolveum.midpoint.xml.ns._public.common.common_3.*; -import org.springframework.security.web.authentication.switchuser.SwitchUserFilter; - /** * @author skublik */ 
@@ -43,7 +35,7 @@ public abstract class AbstractCredentialModuleFactory< CA extends ModuleWebSecurityConfigurer, MT extends AbstractAuthenticationModuleType, MA extends ModuleAuthentication> - extends AbstractModuleFactory { + extends AbstractModuleFactory { private static final Trace LOGGER = TraceManager.getTrace(AbstractCredentialModuleFactory.class); @@ -76,20 +68,21 @@ public AuthModule createModuleFilter( // getProvider((AbstractCredentialAuthenticationModuleType) moduleType, credentialPolicy)); - CA moduleConfigurer = getObjectObjectPostProcessor() - .postProcess(createModuleConfigurer(moduleType, sequenceSuffix, authenticationChannel, getObjectObjectPostProcessor())); - - HttpSecurity http = moduleConfigurer.getNewHttpSecurity(); - http.addFilterAfter(new RefuseUnauthenticatedRequestFilter(), SwitchUserFilter.class); - setSharedObjects(http, sharedObjects); - - SecurityFilterChain filter = http.build(); - +// CA moduleConfigurer = getObjectObjectPostProcessor() +// .postProcess(createModuleConfigurer(moduleType, sequenceSuffix, authenticationChannel, getObjectObjectPostProcessor())); - MA moduleAuthentication = createEmptyModuleAuthentication(moduleType, moduleConfigurer.getConfiguration(), necessity); - moduleAuthentication.setFocusType(moduleType.getFocusType()); +// HttpSecurity http = moduleConfigurer.getNewHttpSecurity(); +// http.addFilterAfter(new RefuseUnauthenticatedRequestFilter(), SwitchUserFilter.class); +// setSharedObjects(http, sharedObjects); +// +// SecurityFilterChain filter = http.build(); +// +// +// MA moduleAuthentication = createEmptyModuleAuthentication(moduleType, moduleConfigurer.getConfiguration(), necessity); +// moduleAuthentication.setFocusType(moduleType.getFocusType()); - return AuthModuleImpl.build(filter, moduleConfigurer.getConfiguration(), moduleAuthentication); +// return AuthModuleImpl.build(filter, moduleConfigurer.getConfiguration(), moduleAuthentication); + return null; } 
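Review bot: `createModuleFilter` now returns `null` with its entire body commented out, so any caller that still resolves a credential module through this method (the abstract declaration survives on `AbstractModuleFactory`, and `HttpClusterModuleFactory` still implements it in this same diff) receives a null `AuthModule` and will either NPE or silently lose that module from the authentication sequence. If the method is dead, fail loudly instead of returning null — `throw new UnsupportedOperationException("createModuleFilter is superseded by createAuthModule");` — or delegate: `return createAuthModule(moduleType, sequenceSuffix, request, sharedObjects, authenticationsPolicy, credentialPolicy, authenticationChannel, sequenceModule);`. The commented-out block should be deleted rather than kept; it also references a `necessity` variable that no longer matches the `sequenceModule` parameter the new path uses. The method's signature lies outside the hunk.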
@@ -157,13 +150,13 @@ private String getCredentialAuthModuleIdentifier(AbstractCredentialAuthenticatio } protected abstract MA createEmptyModuleAuthentication( - MT moduleType, C configuration, AuthenticationSequenceModuleType sequenceModule); + MT moduleType, C configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request); protected abstract CA createModuleConfigurer(MT moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, - ObjectPostProcessor objectPostProcessor); + ObjectPostProcessor objectPostProcessor, ServletRequest request); protected abstract AuthenticationProvider createProvider(CredentialPolicyType usedPolicy); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AbstractModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AbstractModuleFactory.java index 6240c0e4f54..13a1a8e21db 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AbstractModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AbstractModuleFactory.java @@ -8,8 +8,14 @@ import java.util.Map; +import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration; import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication; +import com.evolveum.midpoint.authentication.impl.util.AuthModuleImpl; + +import com.evolveum.midpoint.util.logging.Trace; +import com.evolveum.midpoint.util.logging.TraceManager; + import jakarta.annotation.PostConstruct; import jakarta.servlet.ServletRequest; 
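Review bot: The two abstract methods rewritten here, `createEmptyModuleAuthentication(..., ServletRequest request)` and `createModuleConfigurer(..., ObjectPostProcessor objectPostProcessor, ServletRequest request)`, are declared with the same shape on the new generic `AbstractModuleFactory` elsewhere in this diff, which `AbstractCredentialModuleFactory` now extends, so the redeclaration appears redundant. Dropping them keeps a single definition to maintain and avoids the two drifting apart; if they are kept deliberately, a one-line Javadoc saying what `request` is expected to provide to the configurer would help, since nothing in this file reads it.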
@@ -28,13 +34,20 @@ import com.evolveum.midpoint.schema.constants.SchemaConstants; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.switchuser.SwitchUserFilter; /** * @author skublik */ -public abstract class AbstractModuleFactory { +public abstract class AbstractModuleFactory< + C extends ModuleWebSecurityConfiguration, + CA extends ModuleWebSecurityConfigurer, + MT extends AbstractAuthenticationModuleType, + MA extends ModuleAuthentication> implements ModuleFactory { + + private static final Trace LOGGER = TraceManager.getTrace(AbstractModuleFactory.class); @PostConstruct public void register() { 
@@ -62,7 +75,72 @@ public abstract AuthModule createModuleFilter(MT moduleType, String sequence AuthenticationModulesType authenticationsPolicy, CredentialsPolicyType credentialPolicy, AuthenticationChannel authenticationChannel, AuthenticationSequenceModuleType sequenceModule) throws Exception; - protected Integer getOrder(){ + @Override + public AuthModule createAuthModule(MT moduleType, String sequenceSuffix, + ServletRequest request, Map, Object> sharedObjects, + AuthenticationModulesType authenticationsPolicy, CredentialsPolicyType credentialPolicy, + AuthenticationChannel authenticationChannel, AuthenticationSequenceModuleType sequenceModule) throws Exception { + + validateChanelAndModule(authenticationChannel, moduleType); + + + //TODO PROVIDERS +// configuration.addAuthenticationProvider( +// getProvider((AbstractCredentialAuthenticationModuleType) moduleType, credentialPolicy)); + + + CA moduleConfigurer = getObjectObjectPostProcessor() + .postProcess(createModuleConfigurer(moduleType, sequenceSuffix, authenticationChannel, getObjectObjectPostProcessor(), request)); + + HttpSecurity http = moduleConfigurer.getNewHttpSecurity(); + http.addFilterAfter(new RefuseUnauthenticatedRequestFilter(), SwitchUserFilter.class); + setSharedObjects(http, sharedObjects); + + SecurityFilterChain filter = http.build(); + postProcessFilter(filter, moduleConfigurer); + + + MA moduleAuthentication = createEmptyModuleAuthentication(moduleType, moduleConfigurer.getConfiguration(), sequenceModule, request); + moduleAuthentication.setFocusType(moduleType.getFocusType()); + + return AuthModuleImpl.build(filter, moduleConfigurer.getConfiguration(), moduleAuthentication); + } + + protected void postProcessFilter(SecurityFilterChain filter, CA configurer) { + // Nothing to do here. Subclasses may override. 
+ } + + protected void validateChanelAndModule(AuthenticationChannel authenticationChannel, MT moduleType) { + if (!(moduleType instanceof AbstractCredentialAuthenticationModuleType)) { + LOGGER.error("This factory supports only AbstractCredentialAuthenticationModuleType, but moduleType is " + moduleType); + throw new IllegalArgumentException("Unsupported factory " + this.getClass().getSimpleName() + + " for module " + moduleType); + } + + + if (authenticationChannel == null) { + return; + } + + //TODO chanel + if (SchemaConstants.CHANNEL_SELF_REGISTRATION_URI.equals(authenticationChannel.getChannelId())) { + throw new IllegalArgumentException("Unsupported factory " + this.getClass().getSimpleName() + + " for channel " + authenticationChannel.getChannelId()); + } + } + + protected abstract CA createModuleConfigurer(MT moduleType, + String sequenceSuffix, + AuthenticationChannel authenticationChannel, + ObjectPostProcessor objectPostProcessor, ServletRequest request); + + protected abstract MA createEmptyModuleAuthentication( + MT moduleType, C configuration, + AuthenticationSequenceModuleType sequenceModule, + ServletRequest request); + + + public Integer getOrder() { return 0; } @@ -82,11 +160,11 @@ protected void isSupportedChannel(AuthenticationChannel authenticationChannel) { } } - HttpSecurity getNewHttpSecurity(ModuleWebSecurityConfigurer module) throws Exception { -// module.setObjectPostProcessor(getObjectObjectPostProcessor()); - HttpSecurity httpSecurity = module.getNewHttpSecurity(); - httpSecurity.addFilterAfter(new RefuseUnauthenticatedRequestFilter(), SwitchUserFilter.class); - return httpSecurity; - } +// HttpSecurity getNewHttpSecurity(ModuleWebSecurityConfigurer module) throws Exception { +//// module.setObjectPostProcessor(getObjectObjectPostProcessor()); +// HttpSecurity httpSecurity = module.getNewHttpSecurity(); +// httpSecurity.addFilterAfter(new RefuseUnauthenticatedRequestFilter(), SwitchUserFilter.class); +// return httpSecurity; +// } } 
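Review bot: `createAuthModule` builds and returns a filter chain while the provider wiring is still a `//TODO PROVIDERS` comment, so unless `createModuleConfigurer` registers the `AuthenticationProvider` itself, the chain produced here has no provider for the credential module and every authentication attempt through it will fail in the provider lookup (fail-closed, but the module is unusable); the TODO should be resolved, or `createAuthModule` should refuse to build a chain without a provider. `validateChanelAndModule` (typo for "Channel") also embeds the whole `moduleType` bean in the log line and the exception message; module configurations may carry secrets, so prefer the type name: `LOGGER.error("Unsupported module type {} for factory {}", moduleType.getClass().getSimpleName(), getClass().getSimpleName());`. The channel test duplicates the existing `isSupportedChannel` visible further down and is itself marked `//TODO chanel`; calling that helper instead of re-implementing the self-registration check would keep one place to maintain.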
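Review bot: Commenting out `getNewHttpSecurity(module)` removes the only helper that appended `RefuseUnauthenticatedRequestFilter` after `SwitchUserFilter` for factories that do not go through `createAuthModule`; in this same diff `HttpClusterModuleFactory.createModuleFilter` switches to `module.getNewHttpSecurity()` directly, so the cluster chain no longer receives that fail-closed filter unless its configurer adds it. If the filter is meant to stay on every module chain, keep this helper or add `http.addFilterAfter(new RefuseUnauthenticatedRequestFilter(), SwitchUserFilter.class);` in the cluster factory rather than relying on the configurer; if the removal is intentional, delete the dead block instead of leaving it commented out.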
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/ArchetypeSelectionModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/ArchetypeSelectionModuleFactory.java index c7ee50eae6c..3fe4c3332ad 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/ArchetypeSelectionModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/ArchetypeSelectionModuleFactory.java @@ -9,7 +9,6 @@ import com.evolveum.midpoint.authentication.api.AuthenticationChannel; import com.evolveum.midpoint.authentication.impl.module.authentication.ArchetypeSelectionModuleAuthentication; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration; import com.evolveum.midpoint.authentication.impl.module.configurer.ArchetypeSelectionModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.provider.ArchetypeSelectionAuthenticationProvider; @@ -17,6 +16,7 @@ import com.evolveum.midpoint.util.logging.TraceManager; import com.evolveum.midpoint.xml.ns._public.common.common_3.*; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; 
@@ -37,7 +37,7 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication @Override protected ArchetypeSelectionModuleAuthentication createEmptyModuleAuthentication(ArchetypeSelectionModuleType moduleType, - LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule) { + LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { ArchetypeSelectionModuleAuthentication moduleAuthentication = new ArchetypeSelectionModuleAuthentication(sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setCredentialName(moduleType.getCredentialName()); @@ -51,8 +51,8 @@ protected ArchetypeSelectionModuleWebSecurityConfigurer objectPostProcessor) { - return new ArchetypeSelectionModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new ArchetypeSelectionModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); // return null; } diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AttributeVerificationModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AttributeVerificationModuleFactory.java index fca4c0b2063..3e14a23f72b 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AttributeVerificationModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AttributeVerificationModuleFactory.java 
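Review bot: `createModuleConfigurer` keeps a stale `// return null;` after the real return statement, and the new `request` parameter is threaded through to the configurer while `createEmptyModuleAuthentication` in the hunk above ignores it; delete the dead comment, and if the authentication object is genuinely not meant to use the request, a short comment saying so stops the unused parameter from reading as missing wiring.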
@@ -8,13 +8,12 @@ import com.evolveum.midpoint.authentication.api.AuthenticationChannel; import com.evolveum.midpoint.authentication.impl.module.authentication.AttributeVerificationModuleAuthentication; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration; -import com.evolveum.midpoint.authentication.impl.module.configurer.ArchetypeSelectionModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.module.configurer.AttributeVerificationModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.provider.AttributeVerificationProvider; import com.evolveum.midpoint.xml.ns._public.common.common_3.*; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; @@ -36,8 +35,8 @@ protected AttributeVerificationModuleWebSecurityConfigurer objectPostProcessor) { - return new AttributeVerificationModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new AttributeVerificationModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); // return null; } 
@@ -53,7 +52,7 @@ protected Class supportedClass() { @Override protected AttributeVerificationModuleAuthentication createEmptyModuleAuthentication(AttributeVerificationAuthenticationModuleType moduleType, - LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule) { + LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { AttributeVerificationModuleAuthentication moduleAuthentication = new AttributeVerificationModuleAuthentication(sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setCredentialName(moduleType.getCredentialName()); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AuthModuleRegistryImpl.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AuthModuleRegistryImpl.java index bf454aca0de..fdca9de86e1 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AuthModuleRegistryImpl.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AuthModuleRegistryImpl.java @@ -13,6 +13,8 @@ import com.evolveum.midpoint.authentication.api.AuthenticationChannel; +import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication; + import org.springframework.stereotype.Component; import com.evolveum.midpoint.util.logging.Trace; 
@@ -27,12 +29,12 @@ public class AuthModuleRegistryImpl { private static final Trace LOGGER = TraceManager.getTrace(AuthModuleRegistryImpl.class); - List moduleFactories = new ArrayList<>(); + List moduleFactories = new ArrayList<>(); - public void addToRegistry(AbstractModuleFactory factory) { + public void addToRegistry(ModuleFactory factory) { moduleFactories.add(factory); - Comparator comparator = + Comparator comparator = (f1,f2) -> { Integer f1Order = f1.getOrder(); 
@@ -57,26 +59,30 @@ public void addToRegistry(AbstractModuleFactory factory) { } - public AbstractModuleFactory findModuleFactory(AbstractAuthenticationModuleType configuration, AuthenticationChannel authenticationChannel) { + public ModuleFactory findModuleFactory( + AbstractAuthenticationModuleType configuration, AuthenticationChannel authenticationChannel) { - Optional opt = moduleFactories.stream().filter(f -> f.match(configuration, authenticationChannel)).findFirst(); + Optional opt = moduleFactories.stream().filter(f -> f.match(configuration, authenticationChannel)).findFirst(); if (opt.isEmpty()) { LOGGER.trace("No factory found for {}", configuration); return null; } - AbstractModuleFactory factory = opt.get(); + ModuleFactory factory = opt.get(); LOGGER.trace("Found component factory {} for {}", factory, configuration); return factory; } - public T findModelFactoryByClass(Class clazz) { - - Optional opt = (Optional) moduleFactories.stream().filter(f -> f.getClass().equals(clazz)).findFirst(); - if (opt.isEmpty()) { - LOGGER.trace("No factory found for class {}", clazz); - return null; - } - T factory = opt.get(); + public T findModuleFactoryByClass(Class clazz) { + + T factory = (T) moduleFactories.stream() + .filter(f -> f.getClass().equals(clazz)) + .findFirst() + .orElse(null); +// if (opt.isEmpty()) { +// LOGGER.trace("No factory found for class {}", clazz); +// return null; +// } +// T factory = opt.get(); LOGGER.trace("Found component factory {} for class {}", factory, clazz); return factory; } diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/CorrelationModuleFactoryImpl.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/CorrelationModuleFactoryImpl.java index 141b7075062..bc104af2567 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/CorrelationModuleFactoryImpl.java 
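Review bot: `findModuleFactoryByClass` now logs `Found component factory {} for class {}` even when nothing matched, because the empty check was commented out and `orElse(null)` falls straight through to the trace line; restore the branch ahead of it, `if (factory == null) { LOGGER.trace("No factory found for class {}", clazz); return null; }`, and drop the commented-out lines. The unchecked `(T)` cast deserves a narrowly scoped `@SuppressWarnings("unchecked")` with a note that the exact-class filter is what makes it safe. The rename from `findModelFactoryByClass` will need its callers updated, which this hunk cannot show.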
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/CorrelationModuleFactoryImpl.java @@ -12,12 +12,12 @@ import com.evolveum.midpoint.authentication.impl.provider.CorrelationProvider; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; import com.evolveum.midpoint.authentication.api.AuthenticationChannel; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration; import com.evolveum.midpoint.xml.ns._public.common.common_3.*; @@ -37,8 +37,8 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication } @Override - protected CorrelationModuleWebSecurityConfigurer createModuleConfigurer(CorrelationAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor) { - return new CorrelationModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + protected CorrelationModuleWebSecurityConfigurer createModuleConfigurer(CorrelationAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new CorrelationModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
@@ -53,7 +53,7 @@ protected Class supportedClass() { @Override protected CorrelationModuleAuthentication createEmptyModuleAuthentication(CorrelationAuthenticationModuleType moduleType, - LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule) { + LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { CorrelationModuleAuthenticationImpl moduleAuthentication = new CorrelationModuleAuthenticationImpl(sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier()); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/FocusIdentificationModuleFactoryImpl.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/FocusIdentificationModuleFactoryImpl.java index 64c2e776eee..945cbc21c22 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/FocusIdentificationModuleFactoryImpl.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/FocusIdentificationModuleFactoryImpl.java 
@@ -6,13 +6,13 @@ */ package com.evolveum.midpoint.authentication.impl.factory.module; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; import com.evolveum.midpoint.authentication.api.AuthenticationChannel; import com.evolveum.midpoint.authentication.impl.module.authentication.FocusIdentificationModuleAuthentication; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration; import com.evolveum.midpoint.authentication.impl.module.configurer.FocusIdentificationModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.provider.FocusIdentificationProvider; @@ -34,8 +34,8 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication } @Override - protected FocusIdentificationModuleWebSecurityConfigurer createModuleConfigurer(FocusIdentificationAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor) { - return new FocusIdentificationModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + protected FocusIdentificationModuleWebSecurityConfigurer createModuleConfigurer(FocusIdentificationAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new FocusIdentificationModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
@@ -50,14 +50,14 @@ protected Class supportedClass() { @Override protected FocusIdentificationModuleAuthentication createEmptyModuleAuthentication(FocusIdentificationAuthenticationModuleType moduleType, - LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule) { + LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { FocusIdentificationModuleAuthentication moduleAuthentication = new FocusIdentificationModuleAuthentication(sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); - moduleAuthentication.setCredentialName(((AbstractCredentialAuthenticationModuleType)moduleType).getCredentialName()); + moduleAuthentication.setCredentialName(moduleType.getCredentialName()); moduleAuthentication.setCredentialType(supportedClass()); moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier()); if (moduleType instanceof FocusIdentificationAuthenticationModuleType) { - moduleAuthentication.setModuleConfiguration(((FocusIdentificationAuthenticationModuleType) moduleType).getItem()); + moduleAuthentication.setModuleConfiguration(moduleType.getItem()); } return moduleAuthentication; } diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HintAuthenticationModuleFactoryImpl.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HintAuthenticationModuleFactoryImpl.java index 84768927a57..e8672c17761 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HintAuthenticationModuleFactoryImpl.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HintAuthenticationModuleFactoryImpl.java 
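Review bot: In `createEmptyModuleAuthentication` the `if (moduleType instanceof FocusIdentificationAuthenticationModuleType)` guard is now always true — the parameter is already declared with that type, and `moduleType.getCredentialName()` dereferences it two lines earlier, so the check cannot even serve as a null guard; replace it with the unconditional `moduleAuthentication.setModuleConfiguration(moduleType.getItem());`. The `request` argument added to the signature is unused in this body; if that is intended, a brief comment saying so would prevent it being read as missing wiring.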
@@ -6,13 +6,13 @@ */ package com.evolveum.midpoint.authentication.impl.factory.module; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; import com.evolveum.midpoint.authentication.api.AuthenticationChannel; import com.evolveum.midpoint.authentication.impl.module.authentication.HintAuthenticationModuleAuthentication; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration; import com.evolveum.midpoint.authentication.impl.module.configurer.HintModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.provider.HintAuthenticationProvider; @@ -31,8 +31,8 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication } @Override - protected HintModuleWebSecurityConfigurer createModuleConfigurer(HintAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor) { - return new HintModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + protected HintModuleWebSecurityConfigurer createModuleConfigurer(HintAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new HintModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
@@ -47,7 +47,7 @@ protected Class supportedClass() { @Override protected HintAuthenticationModuleAuthentication createEmptyModuleAuthentication(HintAuthenticationModuleType moduleType, - LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule) { + LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { HintAuthenticationModuleAuthentication moduleAuthentication = new HintAuthenticationModuleAuthentication(sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setCredentialName(moduleType.getCredentialName()); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpBasicModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpBasicModuleFactory.java index 2cc5eb92aa1..f28a78ce969 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpBasicModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpBasicModuleFactory.java 
@@ -10,11 +10,11 @@ import com.evolveum.midpoint.authentication.api.AuthenticationChannel; import com.evolveum.midpoint.authentication.api.util.AuthenticationModuleNameConstants; import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; -import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration; import com.evolveum.midpoint.authentication.impl.module.configurer.HttpBasicModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.module.authentication.HttpModuleAuthentication; import com.evolveum.midpoint.authentication.impl.module.configuration.ModuleWebSecurityConfigurationImpl; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; @@ -37,8 +37,8 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication } @Override - protected HttpBasicModuleWebSecurityConfigurer createModuleConfigurer(HttpBasicAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor) { - return new HttpBasicModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + protected HttpBasicModuleWebSecurityConfigurer createModuleConfigurer(HttpBasicAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new HttpBasicModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
@@ -53,7 +53,7 @@ protected Class supportedClass() { @Override protected ModuleAuthenticationImpl createEmptyModuleAuthentication(HttpBasicAuthenticationModuleType moduleType, - ModuleWebSecurityConfigurationImpl configuration, AuthenticationSequenceModuleType sequenceModule) { + ModuleWebSecurityConfigurationImpl configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { HttpModuleAuthentication moduleAuthentication = new HttpModuleAuthentication(AuthenticationModuleNameConstants.HTTP_BASIC, sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setCredentialName(moduleType.getCredentialName()); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpClusterModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpClusterModuleFactory.java index 368a9d55f77..306a90eac2d 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpClusterModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpClusterModuleFactory.java @@ -22,6 +22,7 @@ import com.evolveum.midpoint.xml.ns._public.common.common_3.*; import org.springframework.security.authentication.AuthenticationProvider; +import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; import org.springframework.stereotype.Component; 
@@ -30,25 +31,42 @@ * @author skublik */ @Component -public class HttpClusterModuleFactory extends AbstractModuleFactory { +public class HttpClusterModuleFactory extends AbstractModuleFactory< + ModuleWebSecurityConfigurationImpl, + HttpClusterModuleWebSecurityConfigurer, + AbstractAuthenticationModuleType, + ModuleAuthenticationImpl> { @Override public boolean match(AbstractAuthenticationModuleType moduleType, AuthenticationChannel authenticationChannel) { return false; } + @Override + protected HttpClusterModuleWebSecurityConfigurer createModuleConfigurer(AbstractAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new HttpClusterModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); + } + + @Override + protected ModuleAuthenticationImpl createEmptyModuleAuthentication(AbstractAuthenticationModuleType moduleType, ModuleWebSecurityConfigurationImpl configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { + ModuleAuthenticationImpl moduleAuthentication = new ModuleAuthenticationImpl(AuthenticationModuleNameConstants.CLUSTER, sequenceModule); + moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); + moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier()); + return moduleAuthentication; + } + @Override public AuthModule createModuleFilter(AbstractAuthenticationModuleType moduleType, String sequenceSuffix, ServletRequest request, Map, Object> sharedObjects, AuthenticationModulesType authenticationsPolicy, CredentialsPolicyType credentialPolicy, AuthenticationChannel authenticationChannel, AuthenticationSequenceModuleType sequenceModule) throws Exception { - ModuleWebSecurityConfiguration configuration = createConfiguration(moduleType, sequenceSuffix); + ModuleWebSecurityConfigurationImpl configuration = 
createConfiguration(moduleType, sequenceSuffix); configuration.addAuthenticationProvider(createProvider()); - HttpClusterModuleWebSecurityConfigurer module = createModule(configuration); - HttpSecurity http = getNewHttpSecurity(module); + HttpClusterModuleWebSecurityConfigurer module = createModule(configuration); + HttpSecurity http = module.getNewHttpSecurity(); //getNewHttpSecurity(module); setSharedObjects(http, sharedObjects); ModuleAuthenticationImpl moduleAuthentication = createEmptyModuleAuthentication(configuration, sequenceModule); 
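Review bot: `HttpClusterModuleFactory` now carries two builders for the same `ModuleAuthenticationImpl`: the new `createEmptyModuleAuthentication(moduleType, configuration, sequenceModule, request)` override added here, and the private two-argument `createEmptyModuleAuthentication(configuration, sequenceModule)` that `createModuleFilter` still calls on the hunk's last line, both setting the same prefix and module identifier. Switch that call to `createEmptyModuleAuthentication(moduleType, configuration, sequenceModule, request)` and delete the private copy so the two cannot drift. `HttpSecurity http = module.getNewHttpSecurity(); //getNewHttpSecurity(module);` keeps the replaced call as a trailing comment — remove it, and since the base-class helper it replaced is not shown, confirm that the configurer's `getNewHttpSecurity()` installs the same filter set on the cluster chain. `createModuleFilter` continues past the hunk.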
@@ -56,21 +74,21 @@ public AuthModule createModuleFilter(AbstractAuthentic return AuthModuleImpl.build(filter, configuration, moduleAuthentication); } - private ModuleWebSecurityConfiguration createConfiguration(AbstractAuthenticationModuleType moduleType, String prefixOfSequence) { + private ModuleWebSecurityConfigurationImpl createConfiguration(AbstractAuthenticationModuleType moduleType, String prefixOfSequence) { ModuleWebSecurityConfigurationImpl configuration = ModuleWebSecurityConfigurationImpl.build(moduleType,prefixOfSequence); configuration.setSequenceSuffix(prefixOfSequence); return configuration; } - private HttpClusterModuleWebSecurityConfigurer createModule(ModuleWebSecurityConfiguration configuration) { - return getObjectObjectPostProcessor().postProcess(new HttpClusterModuleWebSecurityConfigurer<>(configuration)); + private HttpClusterModuleWebSecurityConfigurer createModule(ModuleWebSecurityConfigurationImpl configuration) { + return getObjectObjectPostProcessor().postProcess(new HttpClusterModuleWebSecurityConfigurer(configuration)); } private AuthenticationProvider createProvider() { return getObjectObjectPostProcessor().postProcess(new ClusterProvider()); } - private ModuleAuthenticationImpl createEmptyModuleAuthentication(ModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule) { + private ModuleAuthenticationImpl createEmptyModuleAuthentication(ModuleWebSecurityConfigurationImpl configuration, AuthenticationSequenceModuleType sequenceModule) { ModuleAuthenticationImpl moduleAuthentication = new ModuleAuthenticationImpl(AuthenticationModuleNameConstants.CLUSTER, sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier()); 
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpHeaderModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpHeaderModuleFactory.java index a74f56d20ee..03017a6cbf1 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpHeaderModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpHeaderModuleFactory.java @@ -22,6 +22,7 @@ import com.evolveum.midpoint.xml.ns._public.common.common_3.*; +import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; import org.springframework.stereotype.Component; @@ -33,7 +34,11 @@ * @author skublik */ @Component -public class HttpHeaderModuleFactory extends AbstractModuleFactory { +public class HttpHeaderModuleFactory extends AbstractModuleFactory< + HttpHeaderModuleWebSecurityConfiguration, + HttpHeaderModuleWebSecurityConfigurer, + HttpHeaderAuthenticationModuleType, + ModuleAuthenticationImpl> { private static final Trace LOGGER = TraceManager.getTrace(HttpHeaderModuleFactory.class); 
@@ -42,6 +47,19 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication return moduleType instanceof HttpHeaderAuthenticationModuleType; } + @Override + protected HttpHeaderModuleWebSecurityConfigurer createModuleConfigurer(HttpHeaderAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new HttpHeaderModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); + } + + @Override + protected ModuleAuthenticationImpl createEmptyModuleAuthentication(HttpHeaderAuthenticationModuleType moduleType, HttpHeaderModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { + HttpHeaderModuleAuthentication moduleAuthentication = new HttpHeaderModuleAuthentication(sequenceModule); + moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); + moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier()); + return moduleAuthentication; + } + @Override public AuthModule createModuleFilter(HttpHeaderAuthenticationModuleType httpModuleType, String sequenceSuffix, ServletRequest request, Map, Object> sharedObjects, AuthenticationModulesType authenticationsPolicy, 
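Review bot: The `createEmptyModuleAuthentication(moduleType, configuration, sequenceModule, request)` override added here builds a `HttpHeaderModuleAuthentication` with the same prefix and module identifier as the private two-argument `createEmptyModuleAuthentication(configuration, sequenceModule)` that `createModuleFilter` still invokes in the next hunk; two copies of this setup will diverge. Replace that call with `createEmptyModuleAuthentication(httpModuleType, configuration, sequenceModule, request)` and remove the private overload. The override ignores both `moduleType` and `request`; a one-line comment such as `// header module derives nothing from the request or module type` would make that deliberate rather than accidental. The `HttpHeaderModuleFactory` class continues beyond the hunk.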
@@ -53,9 +71,9 @@ public AuthModule createModuleFilter(HttpHeaderAuthent HttpHeaderModuleWebSecurityConfiguration configuration = HttpHeaderModuleWebSecurityConfiguration.build(httpModuleType, sequenceSuffix); configuration.addAuthenticationProvider(getObjectObjectPostProcessor().postProcess(new PasswordProvider())); - HttpHeaderModuleWebSecurityConfigurer module = - getObjectObjectPostProcessor().postProcess(new HttpHeaderModuleWebSecurityConfigurer<>(configuration)); - HttpSecurity http = getNewHttpSecurity(module); + HttpHeaderModuleWebSecurityConfigurer module = + getObjectObjectPostProcessor().postProcess(new HttpHeaderModuleWebSecurityConfigurer(configuration)); + HttpSecurity http = module.getNewHttpSecurity();//getNewHttpSecurity(module); setSharedObjects(http, sharedObjects); ModuleAuthenticationImpl moduleAuthentication = createEmptyModuleAuthentication(configuration, sequenceModule); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpSecurityQuestionModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpSecurityQuestionModuleFactory.java index 0e528c49c80..3d8cf10fca6 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpSecurityQuestionModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/HttpSecurityQuestionModuleFactory.java 
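Review bot: `HttpSecurity http = module.getNewHttpSecurity();//getNewHttpSecurity(module);` leaves the replaced call as a trailing comment on the new line; delete it rather than keep both forms. The header-authentication chain is now assembled by the configurer's own `getNewHttpSecurity()` instead of the base-class helper, and the hunk does not show what that method applies, so confirm it registers the same matchers and shared configuration as before — this module presumably trusts a header set upstream, so a chain that matches more requests than it used to would be a security regression. `createModuleFilter` starts and ends outside the hunk.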
@@ -9,12 +9,11 @@ import com.evolveum.midpoint.authentication.impl.provider.SecurityQuestionProvider; import com.evolveum.midpoint.authentication.api.AuthenticationChannel; import com.evolveum.midpoint.authentication.api.util.AuthenticationModuleNameConstants; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; -import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration; import com.evolveum.midpoint.authentication.impl.module.configurer.HttpSecurityQuestionsModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.module.authentication.HttpModuleAuthentication; import com.evolveum.midpoint.authentication.impl.module.configuration.ModuleWebSecurityConfigurationImpl; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; @@ -37,8 +36,8 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication } @Override - protected HttpSecurityQuestionsModuleWebSecurityConfigurer createModuleConfigurer(HttpSecQAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor) { - return new HttpSecurityQuestionsModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + protected HttpSecurityQuestionsModuleWebSecurityConfigurer createModuleConfigurer(HttpSecQAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new HttpSecurityQuestionsModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
@@ -53,7 +52,7 @@ protected Class supportedClass() { @Override protected HttpModuleAuthentication createEmptyModuleAuthentication(HttpSecQAuthenticationModuleType moduleType, - ModuleWebSecurityConfigurationImpl configuration, AuthenticationSequenceModuleType sequenceModule) { + ModuleWebSecurityConfigurationImpl configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { HttpModuleAuthentication moduleAuthentication = new HttpModuleAuthentication(AuthenticationModuleNameConstants.SECURITY_QUESTIONS, sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setCredentialName(moduleType.getCredentialName()); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/LdapModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/LdapModuleFactory.java index bda408dc863..b50ec29ffb0 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/LdapModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/LdapModuleFactory.java @@ -27,6 +27,7 @@ import org.apache.commons.lang3.StringUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.AuthenticationProvider; +import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.ldap.DefaultSpringSecurityContextSource; import org.springframework.security.ldap.authentication.BindAuthenticator; 
@@ -43,9 +44,13 @@ * @author skublik */ @Component -public class LdapModuleFactory extends AbstractModuleFactory { +public class LdapModuleFactory extends AbstractModuleFactory< + LdapModuleWebSecurityConfiguration, + LdapWebSecurityConfigurer, + LdapAuthenticationModuleType, + ModuleAuthenticationImpl> { - private static final Trace LOGGER = TraceManager.getTrace(AbstractCredentialModuleFactory.class); + private static final Trace LOGGER = TraceManager.getTrace(LdapModuleFactory.class); @Autowired private Protector protector; @@ -55,6 +60,22 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication return moduleType instanceof LdapAuthenticationModuleType; } + @Override + protected LdapWebSecurityConfigurer createModuleConfigurer(LdapAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new LdapWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); + } + + @Override + protected ModuleAuthenticationImpl createEmptyModuleAuthentication(LdapAuthenticationModuleType moduleType, LdapModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { + LdapModuleAuthentication moduleAuthentication = new LdapModuleAuthentication(sequenceModule); + moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); + if (moduleType.getSearch() != null) { + moduleAuthentication.setNamingAttribute(moduleType.getSearch().getNamingAttr()); + } + moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier()); + return moduleAuthentication; + } + @Override public AuthModule createModuleFilter(LdapAuthenticationModuleType moduleType, String sequenceSuffix, ServletRequest request, Map, Object> sharedObjects, AuthenticationModulesType authenticationsPolicy, 
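Review bot: The `createEmptyModuleAuthentication(moduleType, configuration, sequenceModule, request)` override added here duplicates the existing `protected ModuleAuthenticationImpl createEmptyModuleAuthentication(LdapAuthenticationModuleType moduleType, ...)` that the last context line of the next hunk shows is still in the class (its body lies outside the diff); the `moduleType.getSearch() != null` guard now lives in one copy and may or may not be in the other. Have the older overload delegate to the new one, or delete it once `createModuleFilter` is moved to the template path, so the naming-attribute handling is defined once. The `LdapModuleFactory` class continues beyond the hunk.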
@@ -72,8 +93,9 @@ public AuthModule createModuleFilter(LdapAuthenticatio configuration.addAuthenticationProvider(getProvider(moduleType)); - LdapWebSecurityConfigurer module = createModule(configuration); - HttpSecurity http = getNewHttpSecurity(module); + LdapWebSecurityConfigurer module = createModule(configuration); +// HttpSecurity http = getNewHttpSecurity(module); + HttpSecurity http = module.getNewHttpSecurity(); setSharedObjects(http, sharedObjects); ModuleAuthenticationImpl moduleAuthentication = createEmptyModuleAuthentication( @@ -115,8 +137,8 @@ private AuthenticationProvider getProvider(LdapAuthenticationModuleType moduleTy return provider; } - private LdapWebSecurityConfigurer createModule(LdapModuleWebSecurityConfiguration configuration) { - return getObjectObjectPostProcessor().postProcess(new LdapWebSecurityConfigurer<>(configuration)); + private LdapWebSecurityConfigurer createModule(LdapModuleWebSecurityConfiguration configuration) { + return getObjectObjectPostProcessor().postProcess(new LdapWebSecurityConfigurer(configuration)); } protected ModuleAuthenticationImpl createEmptyModuleAuthentication(LdapAuthenticationModuleType moduleType, diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/LoginFormModuleFactoryImpl.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/LoginFormModuleFactoryImpl.java index 07995c0491d..09bd74853b1 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/LoginFormModuleFactoryImpl.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/LoginFormModuleFactoryImpl.java 
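Review bot: `// HttpSecurity http = getNewHttpSecurity(module);` is commented-out code kept beside its replacement on the following line; delete it. The LDAP chain is now built from `module.getNewHttpSecurity()` and the base helper it replaces is not visible here, so confirm the configurer method applies the same shared objects and request matchers, otherwise the bind-authenticating chain could cover a different URL set than before. `createModuleFilter` starts and ends outside the hunk.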
@@ -8,11 +8,11 @@ import com.evolveum.midpoint.authentication.impl.provider.PasswordProvider; import com.evolveum.midpoint.authentication.api.AuthenticationChannel; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.impl.module.configurer.LoginFormModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.module.authentication.LoginFormModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; @@ -35,8 +35,8 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication } @Override - protected LoginFormModuleWebSecurityConfigurer createModuleConfigurer(LoginFormAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor) { - return new LoginFormModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + protected LoginFormModuleWebSecurityConfigurer createModuleConfigurer(LoginFormAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new LoginFormModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
@@ -51,7 +51,7 @@ protected Class supportedClass() { @Override protected LoginFormModuleAuthenticationImpl createEmptyModuleAuthentication(LoginFormAuthenticationModuleType moduleType, - LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule) { + LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { LoginFormModuleAuthenticationImpl moduleAuthentication = new LoginFormModuleAuthenticationImpl(sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setCredentialName(moduleType.getCredentialName()); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/MailNonceModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/MailNonceModuleFactory.java index e2d77f1c2bc..8205736d811 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/MailNonceModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/MailNonceModuleFactory.java 
@@ -8,12 +8,11 @@ import com.evolveum.midpoint.authentication.impl.provider.MailNonceProvider; import com.evolveum.midpoint.authentication.api.AuthenticationChannel; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; -import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration; import com.evolveum.midpoint.authentication.impl.module.configurer.MailNonceFormModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.module.authentication.MailNonceModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.impl.module.configuration.ModuleWebSecurityConfigurationImpl; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; @@ -36,8 +35,8 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication } @Override - protected MailNonceFormModuleWebSecurityConfigurer createModuleConfigurer(MailNonceAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor) { - return new MailNonceFormModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + protected MailNonceFormModuleWebSecurityConfigurer createModuleConfigurer(MailNonceAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new MailNonceFormModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } //TODO 
@@ -53,7 +52,7 @@ protected Class supportedClass() { @Override protected MailNonceModuleAuthenticationImpl createEmptyModuleAuthentication(MailNonceAuthenticationModuleType moduleType, - ModuleWebSecurityConfigurationImpl configuration, AuthenticationSequenceModuleType sequenceModule) { + ModuleWebSecurityConfigurationImpl configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { MailNonceModuleAuthenticationImpl moduleAuthentication = new MailNonceModuleAuthenticationImpl(sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setCredentialName(moduleType.getCredentialName()); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/ModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/ModuleFactory.java new file mode 100644 index 00000000000..639ad1f0224 --- /dev/null +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/ModuleFactory.java 
@@ -0,0 +1,25 @@
+package com.evolveum.midpoint.authentication.impl.factory.module;
+
+import com.evolveum.midpoint.authentication.api.AuthModule;
+import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
+import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModulesType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceModuleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
+
+import jakarta.servlet.ServletRequest;
+
+import java.util.Map;
+
+public interface ModuleFactory {
+
+ AuthModule createAuthModule(MT moduleType, String sequenceSuffix,
+ ServletRequest request, Map, Object> sharedObjects,
+ AuthenticationModulesType authenticationsPolicy, CredentialsPolicyType credentialPolicy,
+ AuthenticationChannel authenticationChannel, AuthenticationSequenceModuleType sequenceModule) throws Exception;
+
+ boolean match(AbstractAuthenticationModuleType module, AuthenticationChannel authenticationChannel);
+
+ Integer getOrder();
+}
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OidcClientModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OidcClientModuleFactory.java
index 1f51b957c57..d8f22d4da44 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OidcClientModuleFactory.java
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OidcClientModuleFactory.java
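Review bot: The new `ModuleFactory` interface has no Javadoc, and `createAuthModule` declares `throws Exception`, which forces every caller into a catch-all and hides which failures are configuration errors versus bugs; narrow it to the checked types the implementations actually raise (not visible in this diff) or an unchecked wrapper. `Integer getOrder()` can return null — if it is a plain precedence value, return `int`. Add a type-level comment along the lines of `/** Builds an {@link AuthModule} for one authentication-module definition; {@link #match} decides whether this factory handles a module type and channel, {@link #getOrder} presumably ranks competing factories — TODO confirm against the registry */`. The rendering has dropped the interface's type parameter, but `MT` in `createAuthModule` shows it is generic, so also state what `MT` is bound to.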
@@ -20,7 +20,9 @@ import com.evolveum.midpoint.util.logging.TraceManager; import com.evolveum.midpoint.xml.ns._public.common.common_3.*; +import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.web.SecurityFilterChain; import org.springframework.stereotype.Component; @@ -33,7 +35,11 @@ * @author skublik */ @Component -public class OidcClientModuleFactory extends RemoteModuleFactory { +public class OidcClientModuleFactory extends RemoteModuleFactory< + OidcClientModuleWebSecurityConfiguration, + OidcClientModuleWebSecurityConfigurer, + OidcAuthenticationModuleType, + ModuleAuthenticationImpl> { private static final Trace LOGGER = TraceManager.getTrace(OidcClientModuleFactory.class); @@ -42,6 +48,11 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication return moduleType instanceof OidcAuthenticationModuleType && !(authenticationChannel instanceof RestAuthenticationChannel); } + @Override + protected OidcClientModuleWebSecurityConfigurer createModuleConfigurer(OidcAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new OidcClientModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); + } + @Override public AuthModule createModuleFilter(OidcAuthenticationModuleType moduleType, String sequenceSuffix, ServletRequest request, Map, Object> sharedObjects, AuthenticationModulesType authenticationsPolicy, 
@@ -64,19 +75,47 @@ public AuthModule createModuleFilter(OidcAuthenticatio configuration.addAuthenticationProvider(getObjectObjectPostProcessor().postProcess( new OidcClientProvider(configuration.getAdditionalConfiguration()))); - OidcClientModuleWebSecurityConfigurer module = getObjectObjectPostProcessor().postProcess( - new OidcClientModuleWebSecurityConfigurer<>(configuration)); + OidcClientModuleWebSecurityConfigurer module = getObjectObjectPostProcessor().postProcess( + new OidcClientModuleWebSecurityConfigurer(configuration)); module.setObjectPostProcessor(getObjectObjectPostProcessor()); module.setPublicUrlPrefix(getPublicUrlPrefix(request)); + + HttpSecurity http = module.getNewHttpSecurity(); setSharedObjects(http, sharedObjects); + SecurityFilterChain filter = http.build(); ModuleAuthenticationImpl moduleAuthentication = createEmptyModuleAuthentication(configuration, sequenceModule, request); moduleAuthentication.setFocusType(moduleType.getFocusType()); - SecurityFilterChain filter = http.build(); + return AuthModuleImpl.build(filter, configuration, moduleAuthentication); } + @Override + protected ModuleAuthenticationImpl createEmptyModuleAuthentication(OidcAuthenticationModuleType moduleType, OidcClientModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { + OidcClientModuleAuthenticationImpl moduleAuthentication = new OidcClientModuleAuthenticationImpl(sequenceModule); + List providers = new ArrayList<>(); + configuration.getClientRegistrationRepository().forEach( + client -> { + IdentityProvider provider = createIdentityProvider(client, request, configuration); + providers.add(provider); + } + ); + moduleAuthentication.setClientsRepository(configuration.getClientRegistrationRepository()); + moduleAuthentication.setProviders(providers); + moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier()); + moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); + return 
moduleAuthentication; + } + + private IdentityProvider createIdentityProvider(ClientRegistration client, ServletRequest request, OidcClientModuleWebSecurityConfiguration configuration) { + String authRequestPrefixUrl = request.getServletContext().getContextPath() + configuration.getPrefixOfModule() + + OidcClientModuleAuthenticationImpl.AUTHORIZATION_REQUEST_PROCESSING_URL_SUFFIX_WITH_REG_ID; + return new IdentityProvider() + .setLinkText(client.getClientName()) + .setRedirectLink(authRequestPrefixUrl.replace("{registrationId}", client.getRegistrationId())); + } + public ModuleAuthenticationImpl createEmptyModuleAuthentication( OidcClientModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { OidcClientModuleAuthenticationImpl moduleAuthentication = new OidcClientModuleAuthenticationImpl(sequenceModule); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OidcResourceServerModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OidcResourceServerModuleFactory.java index f145f99f473..42be3c53354 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OidcResourceServerModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OidcResourceServerModuleFactory.java @@ -22,6 +22,7 @@ import com.evolveum.midpoint.util.logging.TraceManager; import com.evolveum.midpoint.xml.ns._public.common.common_3.*; +import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter; import org.springframework.security.web.SecurityFilterChain; 
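Review bot: The `createEmptyModuleAuthentication(moduleType, configuration, sequenceModule, request)` override added here assembles the `IdentityProvider` list and sets repository, providers, name and prefix, while the public `createEmptyModuleAuthentication(configuration, sequenceModule, request)` whose first line closes the hunk still exists and is what `createModuleFilter` calls; two copies of the provider assembly will drift. Let the public one delegate — `return createEmptyModuleAuthentication(null, configuration, sequenceModule, request);` is safe because the override never reads `moduleType` — or switch `createModuleFilter` to the override and remove the public overload if nothing else calls it. `createIdentityProvider` splices `client.getRegistrationId()` into a path via `String.replace` with no encoding; registration ids presumably come from administrator configuration, but a reserved character would still yield a broken or misrouted login link, so encode it as a path segment. The body of the public overload lies outside the hunk.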
@@ -34,7 +35,11 @@ * @author skublik */ @Component -public class OidcResourceServerModuleFactory extends RemoteModuleFactory { +public class OidcResourceServerModuleFactory extends RemoteModuleFactory< + C, + OidcResourceServerModuleWebSecurityConfigurer, + OidcAuthenticationModuleType, + ModuleAuthenticationImpl> { private static final Trace LOGGER = TraceManager.getTrace(OidcResourceServerModuleFactory.class); @@ -43,6 +48,20 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication return moduleType instanceof OidcAuthenticationModuleType && authenticationChannel instanceof RestAuthenticationChannel; } + @Override + protected OidcResourceServerModuleWebSecurityConfigurer createModuleConfigurer(OidcAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new OidcResourceServerModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); + } + + @Override + protected ModuleAuthenticationImpl createEmptyModuleAuthentication(OidcAuthenticationModuleType moduleType, C configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { + OidcResourceServerModuleAuthentication moduleAuthentication = new OidcResourceServerModuleAuthentication(sequenceModule); + moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); + moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier()); + moduleAuthentication.setRealm(getRealm(moduleType.getResourceServer())); + return moduleAuthentication; + } + @Override public AuthModule createModuleFilter(OidcAuthenticationModuleType moduleType, String sequenceSuffix, ServletRequest request, Map, Object> sharedObjects, AuthenticationModulesType authenticationsPolicy, 
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OtherModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OtherModuleFactory.java index 8c002f5d76b..16f02b1494e 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OtherModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/OtherModuleFactory.java @@ -2,8 +2,11 @@ import java.util.Map; +import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration; import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication; +import com.evolveum.midpoint.authentication.impl.module.configurer.ModuleWebSecurityConfigurer; + import jakarta.servlet.ServletRequest; import com.evolveum.midpoint.authentication.api.AuthModule; @@ -25,20 +28,26 @@ */ @Component @Experimental -public class OtherModuleFactory extends AbstractModuleFactory { +public class OtherModuleFactory implements ModuleFactory { private static final Trace LOGGER = TraceManager.getTrace(OtherModuleFactory.class); @Autowired private ApplicationContext applicationContext; - @Override +// @Override public boolean match(AbstractAuthenticationModuleType module, AuthenticationChannel authenticationChannel) { return module instanceof OtherAuthenticationModuleType; } @Override - public AuthModule createModuleFilter(MT module, String sequenceSuffix, ServletRequest request, + public Integer getOrder() { + return 0; + } + + // @Override + public AuthModule createAuthModule(MT module, String sequenceSuffix, ServletRequest request, Map, Object> sharedObjects, AuthenticationModulesType authenticationsPolicy, CredentialsPolicyType credentialPolicy, AuthenticationChannel authenticationChannel, AuthenticationSequenceModuleType sequenceModule) throws Exception { 
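Review bot: `// @Override` on `match` and `// @Override` on `createAuthModule` are commented out even though both methods are declared by the `ModuleFactory` interface this class now implements (added in this same diff), so a later signature change would silently turn either into an overload instead of an implementation; restore `@Override` on both. `implements ModuleFactory` is raw where the interface uses a type variable for the module type, and `getOrder()` returns a fixed `0` with no comment on how that ranks against the other factories (their orders are not visible here) — a one-liner such as `// 0: consulted before the concrete factories it dispatches to — TODO confirm` would help. `createAuthModule`'s body continues past the hunk.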
@@ -54,7 +63,7 @@ public AuthModule createModuleFilter(MT module, String sequenceSuffix, Servl Class factoryClazz = (Class) Class.forName(factoryClass); AbstractModuleFactory factory = applicationContext.getBean(factoryClazz); - return factory.createModuleFilter(module, sequenceSuffix, request, sharedObjects, + return factory.createAuthModule(module, sequenceSuffix, request, sharedObjects, authenticationsPolicy, credentialPolicy, authenticationChannel, sequenceModule); } } diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/RemoteModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/RemoteModuleFactory.java index b65ead0aa7b..05a488cc464 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/RemoteModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/RemoteModuleFactory.java @@ -6,7 +6,10 @@ */ package com.evolveum.midpoint.authentication.impl.factory.module; +import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration; +import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication; import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; +import com.evolveum.midpoint.authentication.impl.module.configurer.ModuleWebSecurityConfigurer; import com.evolveum.midpoint.repo.common.SystemObjectCache; import com.evolveum.midpoint.prism.PrismObject; import com.evolveum.midpoint.schema.result.OperationResult; 
@@ -23,7 +26,11 @@ /** * @author skublik */ -public abstract class RemoteModuleFactory extends AbstractModuleFactory { +public abstract class RemoteModuleFactory< + C extends ModuleWebSecurityConfiguration, + CA extends ModuleWebSecurityConfigurer, + MT extends AbstractAuthenticationModuleType, + MA extends ModuleAuthentication> extends AbstractModuleFactory { private static final Trace LOGGER = TraceManager.getTrace(RemoteModuleFactory.class); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/Saml2ModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/Saml2ModuleFactory.java index b64cdca8f21..23f8da8ae42 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/Saml2ModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/Saml2ModuleFactory.java @@ -27,8 +27,9 @@ import com.evolveum.midpoint.authentication.impl.module.configuration.SamlAdditionalConfiguration; import com.evolveum.midpoint.authentication.impl.module.configuration.SamlModuleWebSecurityConfiguration; +import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter; +import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.stereotype.Component; 
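Review bot: The class declaration now carries four type parameters but the Javadoc above it is still only `@author skublik`; add `@param <C>`, `@param <CA>`, `@param <MT>` and `@param <MA>` tags stating which configuration, configurer, module type and module-authentication class each binds, so subclasses such as `Saml2ModuleFactory` and `OidcResourceServerModuleFactory` choose them consistently. The generic bounds on `extends AbstractModuleFactory` are not visible in this rendering, so I cannot tell whether they are passed through.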
@@ -41,7 +42,7 @@ * @author skublik */ @Component -public class Saml2ModuleFactory extends RemoteModuleFactory { +public class Saml2ModuleFactory extends RemoteModuleFactory { private static final Trace LOGGER = TraceManager.getTrace(Saml2ModuleFactory.class); @@ -50,6 +51,12 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication return moduleType instanceof Saml2AuthenticationModuleType; } + @Override + protected SamlModuleWebSecurityConfigurer createModuleConfigurer(Saml2AuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new SamlModuleWebSecurityConfigurer(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); + + } + @Override public AuthModule createModuleFilter(Saml2AuthenticationModuleType moduleType, String sequenceSuffix, ServletRequest request, Map, Object> sharedObjects, AuthenticationModulesType authenticationsPolicy, 
@@ -61,18 +68,20 @@ public AuthModule createModuleFilter(Saml2Authenticati isSupportedChannel(authenticationChannel); - SamlModuleWebSecurityConfiguration configuration = SamlModuleWebSecurityConfiguration.build((Saml2AuthenticationModuleType)moduleType, sequenceSuffix, getPublicUrlPrefix(request), request); + SamlModuleWebSecurityConfiguration configuration = SamlModuleWebSecurityConfiguration.build(moduleType, sequenceSuffix, getPublicUrlPrefix(request), request); configuration.setSequenceSuffix(sequenceSuffix); configuration.addAuthenticationProvider(getObjectObjectPostProcessor().postProcess(new Saml2Provider())); - SamlModuleWebSecurityConfigurer module = getObjectObjectPostProcessor().postProcess( - new SamlModuleWebSecurityConfigurer<>(configuration)); - HttpSecurity http = getNewHttpSecurity(module); + SamlModuleWebSecurityConfigurer module = getObjectObjectPostProcessor().postProcess( + new SamlModuleWebSecurityConfigurer(configuration)); + HttpSecurity http = null;//getNewHttpSecurity(module); setSharedObjects(http, sharedObjects); ModuleAuthenticationImpl moduleAuthentication = createEmptyModuleAuthentication(configuration, sequenceModule, request); moduleAuthentication.setFocusType(moduleType.getFocusType()); SecurityFilterChain filter = http.build(); + + //TODO filterimg for (Filter f : filter.getFilters()){ if (f instanceof MidpointSaml2WebSsoAuthenticationRequestFilter) { ((MidpointSaml2WebSsoAuthenticationRequestFilter) f).getAuthenticationRequestResolver().setRequestMatcher( 
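Review bot: `HttpSecurity http = null;//getNewHttpSecurity(module);` followed by `setSharedObjects(http, sharedObjects);` and `SecurityFilterChain filter = http.build();` guarantees a NullPointerException the first time this `createModuleFilter` runs, so the SAML2 module cannot be built through this path and every sequence that includes it will fail at initialization. Either restore `HttpSecurity http = getNewHttpSecurity(module);` or remove this override entirely so the base factory's template path (with the `postProcessFilter` added in the next hunk) is the only builder. The new comment `//TODO filterimg` should read `//TODO filtering`, and the filter loop it marks is the same one the next hunk moves into `postProcessFilter`. The method body continues outside the hunk.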
@@ -84,6 +93,46 @@ public AuthModule createModuleFilter(Saml2Authenticati return AuthModuleImpl.build(filter, configuration, moduleAuthentication); } + @Override + protected void postProcessFilter(SecurityFilterChain filter, SamlModuleWebSecurityConfigurer configurer) { + for (Filter f : filter.getFilters()){ + if (f instanceof MidpointSaml2WebSsoAuthenticationRequestFilter samlFilter) { + samlFilter.getAuthenticationRequestResolver().setRequestMatcher( + new AntPathRequestMatcher(configurer.getPrefix() + + RemoteModuleAuthenticationImpl.AUTHENTICATION_REQUEST_PROCESSING_URL_SUFFIX_WITH_REG_ID)); + break; + } + } + } + + @Override + protected ModuleAuthenticationImpl createEmptyModuleAuthentication(Saml2AuthenticationModuleType moduleType, + SamlModuleWebSecurityConfiguration configuration, + AuthenticationSequenceModuleType sequenceModule, + ServletRequest request) { + + Saml2ModuleAuthenticationImpl moduleAuthentication = new Saml2ModuleAuthenticationImpl(sequenceModule); + List providers = new ArrayList<>(); + for (RelyingPartyRegistration p : configuration.getRelyingPartyRegistrationRepository()) { + IdentityProvider provider = createIdentityProvider(p, request, configuration); + providers.add(provider); + } + moduleAuthentication.setProviders(providers); + moduleAuthentication.setAdditionalConfiguration(configuration.getAdditionalConfiguration()); + moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier()); + moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); + return moduleAuthentication; + } + + private IdentityProvider createIdentityProvider(RelyingPartyRegistration relyingParty, ServletRequest request, SamlModuleWebSecurityConfiguration configuration) { + String authRequestPrefixUrl = request.getServletContext().getContextPath() + configuration.getPrefixOfModule() + + RemoteModuleAuthenticationImpl.AUTHENTICATION_REQUEST_PROCESSING_URL_SUFFIX_WITH_REG_ID; + SamlAdditionalConfiguration config = 
configuration.getAdditionalConfiguration().get(relyingParty.getRegistrationId()); + return new IdentityProvider() + .setLinkText(config.getLinkText()) + .setRedirectLink(authRequestPrefixUrl.replace("{registrationId}", relyingParty.getRegistrationId())); + } + public ModuleAuthenticationImpl createEmptyModuleAuthentication( SamlModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { Saml2ModuleAuthenticationImpl moduleAuthentication = new Saml2ModuleAuthenticationImpl(sequenceModule); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/SecurityQuestionFormModuleFactory.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/SecurityQuestionFormModuleFactory.java index f894336c7bc..2967a3e425a 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/SecurityQuestionFormModuleFactory.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/SecurityQuestionFormModuleFactory.java 
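Review bot: In `createIdentityProvider`, `configuration.getAdditionalConfiguration().get(relyingParty.getRegistrationId())` can yield null when no additional configuration exists for that registration id (assuming it is a map lookup), and the following `config.getLinkText()` would then throw a NullPointerException during module creation; guard it, e.g. `if (config == null) { throw new IllegalStateException("Missing SAML additional configuration for registrationId " + relyingParty.getRegistrationId()); }`. The new four-argument `createEmptyModuleAuthentication` duplicates the body of the three-argument one that begins at the end of this hunk and continues outside it, and `postProcessFilter` repeats the filter loop still present in `createModuleFilter`; once the base factory path is adopted, the older copies should be removed so provider links are produced in exactly one place. A short Javadoc on `postProcessFilter` explaining that it rewrites the SAML authentication-request matcher to the module prefix would also help.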
@@ -8,11 +8,11 @@ import com.evolveum.midpoint.authentication.impl.provider.SecurityQuestionProvider; import com.evolveum.midpoint.authentication.api.AuthenticationChannel; -import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl; import com.evolveum.midpoint.authentication.impl.module.configurer.SecurityQuestionsFormModuleWebSecurityConfigurer; import com.evolveum.midpoint.authentication.impl.module.authentication.SecurityQuestionFormModuleAuthentication; import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration; +import jakarta.servlet.ServletRequest; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.stereotype.Component; @@ -35,8 +35,8 @@ public boolean match(AbstractAuthenticationModuleType moduleType, Authentication } @Override - protected SecurityQuestionsFormModuleWebSecurityConfigurer createModuleConfigurer(SecurityQuestionsFormAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor) { - return new SecurityQuestionsFormModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + protected SecurityQuestionsFormModuleWebSecurityConfigurer createModuleConfigurer(SecurityQuestionsFormAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor, ServletRequest request) { + return new SecurityQuestionsFormModuleWebSecurityConfigurer<>(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
@@ -51,7 +51,7 @@ protected Class supportedClass() { @Override protected SecurityQuestionFormModuleAuthentication createEmptyModuleAuthentication(SecurityQuestionsFormAuthenticationModuleType moduleType, - LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule) { + LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule, ServletRequest request) { SecurityQuestionFormModuleAuthentication moduleAuthentication = new SecurityQuestionFormModuleAuthentication(sequenceModule); moduleAuthentication.setPrefix(configuration.getPrefixOfModule()); moduleAuthentication.setCredentialName(moduleType.getCredentialName()); diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/ArchetypeSelectionModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/ArchetypeSelectionModuleWebSecurityConfigurer.java index 6fc056cad15..3adca35be7f 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/ArchetypeSelectionModuleWebSecurityConfigurer.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/ArchetypeSelectionModuleWebSecurityConfigurer.java @@ -20,6 +20,7 @@ import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeSelectionModuleType; +import jakarta.servlet.ServletRequest; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; 
@@ -34,8 +35,9 @@ public ArchetypeSelectionModuleWebSecurityConfigurer(C configuration) { public ArchetypeSelectionModuleWebSecurityConfigurer(ArchetypeSelectionModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, - ObjectPostProcessor objectPostProcessor) { - super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + ObjectPostProcessor objectPostProcessor, + ServletRequest request) { + super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/AttributeVerificationModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/AttributeVerificationModuleWebSecurityConfigurer.java index 0075d71f04c..50cee659906 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/AttributeVerificationModuleWebSecurityConfigurer.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/AttributeVerificationModuleWebSecurityConfigurer.java @@ -7,10 +7,10 @@ package com.evolveum.midpoint.authentication.impl.module.configurer; import com.evolveum.midpoint.authentication.api.AuthenticationChannel; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeSelectionModuleType; import com.evolveum.midpoint.xml.ns._public.common.common_3.AttributeVerificationAuthenticationModuleType; +import jakarta.servlet.ServletRequest; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; 
@@ -33,8 +33,9 @@ public AttributeVerificationModuleWebSecurityConfigurer(C configuration) { public AttributeVerificationModuleWebSecurityConfigurer(AttributeVerificationAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, - ObjectPostProcessor objectPostProcessor) { - super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + ObjectPostProcessor objectPostProcessor, + ServletRequest request) { + super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/CorrelationModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/CorrelationModuleWebSecurityConfigurer.java index 378493ec0e9..b016cb38f83 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/CorrelationModuleWebSecurityConfigurer.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/CorrelationModuleWebSecurityConfigurer.java 
@@ -10,17 +10,15 @@ import com.evolveum.midpoint.authentication.api.util.AuthUtil; import com.evolveum.midpoint.authentication.impl.entry.point.WicketLoginUrlAuthenticationEntryPoint; import com.evolveum.midpoint.authentication.impl.filter.CorrelationAuthenticationFilter; -import com.evolveum.midpoint.authentication.impl.filter.FocusIdentificationAuthenticationFilter; import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointAttributeConfigurer; import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointExceptionHandlingConfigurer; import com.evolveum.midpoint.authentication.impl.handler.MidPointAuthenticationSuccessHandler; import com.evolveum.midpoint.authentication.impl.handler.MidpointAuthenticationFailureHandler; import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeSelectionModuleType; - import com.evolveum.midpoint.xml.ns._public.common.common_3.CorrelationAuthenticationModuleType; +import jakarta.servlet.ServletRequest; import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.ObjectPostProcessor; @@ -37,8 +35,9 @@ public CorrelationModuleWebSecurityConfigurer(C configuration) { public CorrelationModuleWebSecurityConfigurer(CorrelationAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, - ObjectPostProcessor objectPostProcessor) { - super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + ObjectPostProcessor objectPostProcessor, + ServletRequest request) { + super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/FocusIdentificationModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/FocusIdentificationModuleWebSecurityConfigurer.java index b3d8ab29023..30b0079f749 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/FocusIdentificationModuleWebSecurityConfigurer.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/FocusIdentificationModuleWebSecurityConfigurer.java @@ -9,6 +9,7 @@ import com.evolveum.midpoint.authentication.api.AuthenticationChannel; import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusIdentificationAuthenticationModuleType; +import jakarta.servlet.ServletRequest; import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.ObjectPostProcessor; @@ -32,8 +33,11 @@ public FocusIdentificationModuleWebSecurityConfigurer(C configuration) { super(configuration); } - public FocusIdentificationModuleWebSecurityConfigurer(FocusIdentificationAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ObjectPostProcessor objectPostProcessor) { - super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + public FocusIdentificationModuleWebSecurityConfigurer(FocusIdentificationAuthenticationModuleType moduleType, String sequenceSuffix, + AuthenticationChannel authenticationChannel, + ObjectPostProcessor objectPostProcessor, + ServletRequest request) { + super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HintModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HintModuleWebSecurityConfigurer.java index 4b6e152fadc..0912eb406bc 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HintModuleWebSecurityConfigurer.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HintModuleWebSecurityConfigurer.java 
@@ -9,17 +9,16 @@ import com.evolveum.midpoint.authentication.api.AuthenticationChannel; import com.evolveum.midpoint.authentication.api.util.AuthUtil; import com.evolveum.midpoint.authentication.impl.entry.point.WicketLoginUrlAuthenticationEntryPoint; -import com.evolveum.midpoint.authentication.impl.filter.AttributeVerificationAuthenticationFilter; import com.evolveum.midpoint.authentication.impl.filter.HintAuthenticationFilter; import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointAttributeConfigurer; import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointExceptionHandlingConfigurer; -import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointFormLoginConfigurer; import com.evolveum.midpoint.authentication.impl.handler.MidPointAuthenticationSuccessHandler; import com.evolveum.midpoint.authentication.impl.handler.MidpointAuthenticationFailureHandler; import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration; import com.evolveum.midpoint.xml.ns._public.common.common_3.HintAuthenticationModuleType; +import jakarta.servlet.ServletRequest; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; @@ -33,8 +32,9 @@ public HintModuleWebSecurityConfigurer(C configuration) { public HintModuleWebSecurityConfigurer(HintAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, - ObjectPostProcessor objectPostProcessor) { - super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor); + ObjectPostProcessor objectPostProcessor, + ServletRequest request) { + super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request); } @Override 
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpBasicModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpBasicModuleWebSecurityConfigurer.java index e2fe7c5cbbe..1ffdb843da0 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpBasicModuleWebSecurityConfigurer.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpBasicModuleWebSecurityConfigurer.java @@ -18,6 +18,7 @@ import com.evolveum.midpoint.authentication.impl.module.configuration.ModuleWebSecurityConfigurationImpl; import com.evolveum.midpoint.xml.ns._public.common.common_3.HttpBasicAuthenticationModuleType; +import jakarta.servlet.ServletRequest; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
@@ -54,13 +55,14 @@ public HttpBasicModuleWebSecurityConfigurer(ModuleWebSecurityConfigurationImpl c public HttpBasicModuleWebSecurityConfigurer(HttpBasicAuthenticationModuleType module, String sequenceSuffix, AuthenticationChannel authenticationChannel, - ObjectPostProcessor postProcessor) { - super(module, sequenceSuffix, authenticationChannel, postProcessor); + ObjectPostProcessor postProcessor, + ServletRequest request) { + super(module, sequenceSuffix, authenticationChannel, postProcessor, request); } @Override - protected ModuleWebSecurityConfigurationImpl buildConfiguration(HttpBasicAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel) { + protected ModuleWebSecurityConfigurationImpl buildConfiguration(HttpBasicAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ServletRequest request) { ModuleWebSecurityConfigurationImpl configuration = ModuleWebSecurityConfigurationImpl.build(moduleType, sequenceSuffix); configuration.setSequenceSuffix(sequenceSuffix); return configuration; diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpClusterModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpClusterModuleWebSecurityConfigurer.java index 8e3b2e3a7fb..9367dbbba57 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpClusterModuleWebSecurityConfigurer.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpClusterModuleWebSecurityConfigurer.java 
@@ -6,6 +6,7 @@ */ package com.evolveum.midpoint.authentication.impl.module.configurer; +import com.evolveum.midpoint.authentication.api.AuthenticationChannel; import com.evolveum.midpoint.authentication.impl.authorization.evaluator.MidpointAllowAllAuthorizationEvaluator; import com.evolveum.midpoint.authentication.impl.entry.point.HttpAuthenticationEntryPoint; import com.evolveum.midpoint.authentication.impl.MidpointAuthenticationTrustResolverImpl; @@ -14,9 +15,12 @@ import com.evolveum.midpoint.authentication.api.util.AuthUtil; import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration; +import com.evolveum.midpoint.authentication.impl.module.configuration.ModuleWebSecurityConfigurationImpl; import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType; +import jakarta.servlet.ServletRequest; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; @@ -29,7 +33,7 @@ * @author skublik */ -public class HttpClusterModuleWebSecurityConfigurer extends ModuleWebSecurityConfigurer { +public class HttpClusterModuleWebSecurityConfigurer extends ModuleWebSecurityConfigurer { @Autowired private SecurityEnforcer securityEnforcer; 
@@ -40,10 +44,25 @@ public class HttpClusterModuleWebSecurityConfigurer postProcessor, + ServletRequest request) { + super(moduleType, sequeneSuffix, authenticationChannel, postProcessor, request); + } + + @Override + protected ModuleWebSecurityConfigurationImpl buildConfiguration(AbstractAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ServletRequest request) { + ModuleWebSecurityConfigurationImpl configuration = ModuleWebSecurityConfigurationImpl.build(moduleType, sequenceSuffix); + configuration.setSequenceSuffix(sequenceSuffix); + return configuration; + } + @Override protected void configure(HttpSecurity http) throws Exception { diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpHeaderModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpHeaderModuleWebSecurityConfigurer.java index d4522afac29..6f4c152604f 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpHeaderModuleWebSecurityConfigurer.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpHeaderModuleWebSecurityConfigurer.java @@ -11,6 +11,7 @@ import com.evolveum.midpoint.xml.ns._public.common.common_3.HttpHeaderAuthenticationModuleType; import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; 
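Review bot: The new constructor passes `sequeneSuffix` to `super(...)`, so its parameter is presumably declared with the same misspelling (the declaration is lost in this rendering); rename it to `sequenceSuffix` to match the `buildConfiguration` parameter directly below and the other configurers in this commit. The added `buildConfiguration` is identical to the ones added to `HttpBasicModuleWebSecurityConfigurer` and `HttpSecurityQuestionsModuleWebSecurityConfigurer`; a shared default implementation in `ModuleWebSecurityConfigurer` would remove the triplication. The class header continues above the hunk.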
@@ -34,18 +35,24 @@ * @author skublik */ -public class HttpHeaderModuleWebSecurityConfigurer extends LoginFormModuleWebSecurityConfigurer { +public class HttpHeaderModuleWebSecurityConfigurer extends LoginFormModuleWebSecurityConfigurer { @Autowired private MidpointProviderManager authenticationManager; - public HttpHeaderModuleWebSecurityConfigurer(C configuration) { + public HttpHeaderModuleWebSecurityConfigurer(HttpHeaderModuleWebSecurityConfiguration configuration) { super(configuration); } public HttpHeaderModuleWebSecurityConfigurer(HttpHeaderAuthenticationModuleType httpHeaderAuthenticationModuleType, String prefixOfSequence, AuthenticationChannel authenticationChannel, - ObjectPostProcessor postProcessor) { - super(httpHeaderAuthenticationModuleType, prefixOfSequence, authenticationChannel, postProcessor); + ObjectPostProcessor postProcessor, + ServletRequest request) { + super(httpHeaderAuthenticationModuleType, prefixOfSequence, authenticationChannel, postProcessor, request); + } + + @Override + protected HttpHeaderModuleWebSecurityConfiguration buildConfiguration(HttpHeaderAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ServletRequest request) { + return HttpHeaderModuleWebSecurityConfiguration.build(moduleType, sequenceSuffix); } @Override diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpSecurityQuestionsModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpSecurityQuestionsModuleWebSecurityConfigurer.java index 88d6699371d..ab31b12ea7a 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpSecurityQuestionsModuleWebSecurityConfigurer.java 
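Review bot: The new `buildConfiguration` returns `HttpHeaderModuleWebSecurityConfiguration.build(moduleType, sequenceSuffix)` without the `configuration.setSequenceSuffix(sequenceSuffix);` call that the sibling overrides in `HttpBasicModuleWebSecurityConfigurer`, `HttpClusterModuleWebSecurityConfigurer` and `HttpSecurityQuestionsModuleWebSecurityConfigurer` make after their `build(...)`. Unless `HttpHeaderModuleWebSecurityConfiguration.build` already stores the suffix (not visible here), the header module's configuration will lack it and its URL prefix may be derived differently from the other modules; either add the call or note in a comment why it is unnecessary. The constructor change from `C configuration` to the concrete `HttpHeaderModuleWebSecurityConfiguration` is fine but deserves a Javadoc line since it narrows what callers may pass.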
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpSecurityQuestionsModuleWebSecurityConfigurer.java @@ -19,6 +19,7 @@ import com.evolveum.midpoint.authentication.impl.module.configuration.ModuleWebSecurityConfigurationImpl; import com.evolveum.midpoint.xml.ns._public.common.common_3.HttpSecQAuthenticationModuleType; +import jakarta.servlet.ServletRequest; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; @@ -55,12 +56,13 @@ public HttpSecurityQuestionsModuleWebSecurityConfigurer(ModuleWebSecurityConfigu public HttpSecurityQuestionsModuleWebSecurityConfigurer(HttpSecQAuthenticationModuleType moduleType, String suffix, AuthenticationChannel authenticationChannel, - ObjectPostProcessor postProcessor) { - super(moduleType, suffix, authenticationChannel, postProcessor); + ObjectPostProcessor postProcessor, + ServletRequest request) { + super(moduleType, suffix, authenticationChannel, postProcessor, request); } @Override - protected ModuleWebSecurityConfigurationImpl buildConfiguration(HttpSecQAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel) { + protected ModuleWebSecurityConfigurationImpl buildConfiguration(HttpSecQAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ServletRequest request) { ModuleWebSecurityConfigurationImpl configuration = ModuleWebSecurityConfigurationImpl.build(moduleType, sequenceSuffix); configuration.setSequenceSuffix(sequenceSuffix); return configuration; 
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/LdapWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/LdapWebSecurityConfigurer.java index a894a6c5502..69cee4c15c0 100644 --- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/LdapWebSecurityConfigurer.java +++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/LdapWebSecurityConfigurer.java @@ -13,23 +13,25 @@ import com.evolveum.midpoint.authentication.impl.module.configuration.LdapModuleWebSecurityConfiguration; import com.evolveum.midpoint.xml.ns._public.common.common_3.LdapAuthenticationModuleType; +import jakarta.servlet.ServletRequest; import org.springframework.security.config.annotation.ObjectPostProcessor; /** * @author lskublik */ -public class LdapWebSecurityConfigurer extends LoginFormModuleWebSecurityConfigurer { +public class LdapWebSecurityConfigurer extends LoginFormModuleWebSecurityConfigurer { - public LdapWebSecurityConfigurer(C configuration) { + public LdapWebSecurityConfigurer(LdapModuleWebSecurityConfiguration configuration) { super(configuration); } - public LdapWebSecurityConfigurer(LdapAuthenticationModuleType moduleType, - String prefixOfSequence, + public LdapWebSecurityConfigurer(LdapAuthenticationModuleType module, + String sequenceSuffix, AuthenticationChannel authenticationChannel, - ObjectPostProcessor postProcessor) { - super(moduleType, prefixOfSequence, authenticationChannel, postProcessor); + ObjectPostProcessor postProcessor, + ServletRequest request) { + super(module, sequenceSuffix, authenticationChannel, postProcessor, request); } protected MidpointFormLoginConfigurer getMidpointFormLoginConfigurer() { 
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/LoginFormModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/LoginFormModuleWebSecurityConfigurer.java
index 81de740864d..655e8d971c7 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/LoginFormModuleWebSecurityConfigurer.java
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/LoginFormModuleWebSecurityConfigurer.java
@@ -20,6 +20,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType;
+import jakarta.servlet.ServletRequest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.env.Environment;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
@@ -49,19 +50,20 @@ public class LoginFormModuleWebSecurityConfigurer postProcessor) {
- super(moduleType, prefixOfSequence, authenticationChannel, postProcessor);
- this.configuration = (C) getConfiguration();
+ ObjectPostProcessor postProcessor,
+ ServletRequest request) {
+ super(moduleType, prefixOfSequence, authenticationChannel, postProcessor, request);
+// this.configuration = getConfiguration();
 }
 @Override
@@ -88,10 +90,10 @@ protected MidpointFormLoginConfigurer getMidpointFormLoginConfigurer() {
 return new MidpointFormLoginConfigurer<>(new MidpointUsernamePasswordAuthenticationFilter());
 }
- @Override
- public C getConfiguration() {
- return configuration;
- }
+// @Override
+// public C getConfiguration() {
+// return configuration;
+// }
 protected SessionRegistry getSessionRegistry() {
 return sessionRegistry;
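Review bot: Both hunks of LoginFormModuleWebSecurityConfigurer replace code with commented-out code (`// this.configuration = getConfiguration();` in the constructor and the whole `getConfiguration()` override) instead of deleting it; version control already keeps the history, so the dead lines should go. If the typed accessor is still wanted by subclasses, restore it with a real body rather than leaving it behind a comment, and check whether the `configuration` field the removed override returned is still read anywhere — its declaration is outside the hunk, so I can't tell from here. The constructor's header line is also outside this hunk's visible start.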
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/MailNonceFormModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/MailNonceFormModuleWebSecurityConfigurer.java
index 1414ca4bc9d..bfdd171d59f 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/MailNonceFormModuleWebSecurityConfigurer.java
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/MailNonceFormModuleWebSecurityConfigurer.java
@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.MailNonceAuthenticationModuleType;
+import jakarta.servlet.ServletRequest;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -40,12 +41,13 @@ public MailNonceFormModuleWebSecurityConfigurer(ModuleWebSecurityConfigurationIm
 public MailNonceFormModuleWebSecurityConfigurer(MailNonceAuthenticationModuleType moduleType,
 String prefixOfSequence,
 AuthenticationChannel authenticationChannel,
- ObjectPostProcessor postProcessor) {
- super(moduleType, prefixOfSequence, authenticationChannel, postProcessor);
+ ObjectPostProcessor postProcessor,
+ ServletRequest request) {
+ super(moduleType, prefixOfSequence, authenticationChannel, postProcessor, request);
 }
 @Override
- protected ModuleWebSecurityConfigurationImpl buildConfiguration(MailNonceAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel) {
+ protected ModuleWebSecurityConfigurationImpl buildConfiguration(MailNonceAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ServletRequest request) {
 ModuleWebSecurityConfigurationImpl configuration = ModuleWebSecurityConfigurationImpl.build(moduleType, sequenceSuffix);
 configuration.setSequenceSuffix(sequenceSuffix);
 configuration.setSpecificLoginUrl(authenticationChannel.getSpecificLoginUrl());
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/ModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/ModuleWebSecurityConfigurer.java
index 31b23cd79ca..d0fba84d205 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/ModuleWebSecurityConfigurer.java
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/ModuleWebSecurityConfigurer.java
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType;
+import jakarta.servlet.ServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -82,13 +83,12 @@ public ModuleWebSecurityConfigurer(C configuration){
 public ModuleWebSecurityConfigurer(MT moduleType,
 String sequenceSuffix,
 AuthenticationChannel authenticationChannel,
- ObjectPostProcessor objectPostProcessor) {
- this.configuration = buildConfiguration(moduleType, sequenceSuffix, authenticationChannel);
+ ObjectPostProcessor objectPostProcessor, ServletRequest request) {
 this.objectPostProcessor = objectPostProcessor;
-
+ this.configuration = buildConfiguration(moduleType, sequenceSuffix, authenticationChannel, request);
 }
- protected C buildConfiguration(MT moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel) {
+ protected C buildConfiguration(MT moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ServletRequest request) {
 LoginFormModuleWebSecurityConfiguration config = new LoginFormModuleWebSecurityConfiguration();
 config.setSequenceSuffix(sequenceSuffix);
 config.setModuleIdentifier(moduleType.getIdentifier() != null ? moduleType.getIdentifier() : moduleType.getName());
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcClientModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcClientModuleWebSecurityConfigurer.java
index 2a389f48a93..8c21bbcffc1 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcClientModuleWebSecurityConfigurer.java
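Review bot: The constructor still invokes the overridable `buildConfiguration(...)` while the object is being constructed, and the new overrides in OidcClientModuleWebSecurityConfigurer and SamlModuleWebSecurityConfigurer call `getPublicUrlPrefix(request)`, which reads the `@Autowired SystemObjectCache systemObjectCache` field of RemoteModuleWebSecurityConfigurer; field injection cannot have happened before `super(...)` returns, so unless that cache is populated some other way the OIDC and SAML configurers will hit a NullPointerException on their first request, and that exception is not covered by the `catch (SchemaException e)` in `getPublicUrlPrefix`. Moving `this.objectPostProcessor = objectPostProcessor;` ahead of the call fixes only the OIDC resource-server override, which uses `getObjectPostProcessor()`. Either build the configuration in a separate init step invoked after `postProcess(...)` has run, or pass the public URL prefix (or the cache) into the constructor explicitly so nothing injected is needed during construction. A one-line comment on the constructor such as `// buildConfiguration() runs before autowiring: overrides must not touch injected fields` would at least make the constraint visible.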
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcClientModuleWebSecurityConfigurer.java
@@ -7,6 +7,7 @@
 package com.evolveum.midpoint.authentication.impl.module.configurer;
+import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
 import com.evolveum.midpoint.authentication.api.util.AuthUtil;
 import com.evolveum.midpoint.authentication.impl.handler.MidPointAuthenticationSuccessHandler;
 import com.evolveum.midpoint.authentication.impl.handler.MidpointAuthenticationFailureHandler;
@@ -20,8 +21,10 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcAuthenticationModuleType;
+import jakarta.servlet.ServletRequest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
@@ -34,7 +37,7 @@
 * @author skublik
 */
-public class OidcClientModuleWebSecurityConfigurer extends RemoteModuleWebSecurityConfigurer {
+public class OidcClientModuleWebSecurityConfigurer extends RemoteModuleWebSecurityConfigurer {
 private static final Trace LOGGER = TraceManager.getTrace(OidcClientModuleWebSecurityConfigurer.class);
 public static final String OIDC_LOGIN_PATH = "/oidc/select";
@@ -44,10 +47,24 @@ public class OidcClientModuleWebSecurityConfigurer postProcessor, ServletRequest request) {
+ super(moduleType, prefix, authenticationChannel, postProcessor, request);
+ }
+
+ @Override
+ protected OidcClientModuleWebSecurityConfiguration buildConfiguration(OidcAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ServletRequest request) {
+ OidcClientModuleWebSecurityConfiguration configuration = OidcClientModuleWebSecurityConfiguration.build(
+ moduleType, sequenceSuffix, getPublicUrlPrefix(request), request);
+ configuration.setSequenceSuffix(sequenceSuffix);
+ return configuration;
+ }
+
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 super.configure(http);
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcResourceServerModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcResourceServerModuleWebSecurityConfigurer.java
index a4b22ddfdca..479ae63ee05 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcResourceServerModuleWebSecurityConfigurer.java
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcResourceServerModuleWebSecurityConfigurer.java
@@ -7,24 +7,32 @@
 package com.evolveum.midpoint.authentication.impl.module.configurer;
+import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
 import com.evolveum.midpoint.authentication.api.util.AuthUtil;
 import com.evolveum.midpoint.authentication.impl.MidpointAuthenticationTrustResolverImpl;
 import com.evolveum.midpoint.authentication.impl.authorization.evaluator.MidpointHttpAuthorizationEvaluator;
 import com.evolveum.midpoint.authentication.impl.entry.point.HttpAuthenticationEntryPoint;
 import com.evolveum.midpoint.authentication.impl.filter.SequenceAuditFilter;
 import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointExceptionHandlingConfigurer;
+import com.evolveum.midpoint.authentication.impl.module.configuration.JwtOidcResourceServerConfiguration;
+import com.evolveum.midpoint.authentication.impl.module.configuration.OpaqueTokenOidcResourceServerConfiguration;
 import com.evolveum.midpoint.authentication.impl.module.configuration.RemoteModuleWebSecurityConfiguration;
 import com.evolveum.midpoint.authentication.impl.oidc.OidcBearerTokenAuthenticationFilter;
+import com.evolveum.midpoint.authentication.impl.provider.OidcResourceServerProvider;
 import com.evolveum.midpoint.model.api.ModelService;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcAuthenticationModuleType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcResourceServerAuthenticationModuleType;
+import jakarta.servlet.ServletRequest;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -35,20 +43,71 @@ public class OidcResourceServerModuleWebSecurityConfigurer extends ModuleWebSecurityConfigurer {
- @Autowired
- private ModelService model;
+ @Autowired private ModelService model;
+ @Autowired private SecurityEnforcer securityEnforcer;
+ @Autowired private SecurityContextManager securityContextManager;
+ @Autowired TaskManager taskManager;
- @Autowired
- private SecurityEnforcer securityEnforcer;
+ public OidcResourceServerModuleWebSecurityConfigurer(C configuration) {
+ super(configuration);
+ }
+
+ public OidcResourceServerModuleWebSecurityConfigurer(OidcAuthenticationModuleType moduleType,
+ String sequenceSuffix,
+ AuthenticationChannel authenticationChannel,
+ ObjectPostProcessor objectPostProcessor,
+ ServletRequest request) {
+ super(moduleType, sequenceSuffix, authenticationChannel, objectPostProcessor, request);
+ }
+
+ @Override
+ protected C buildConfiguration(OidcAuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ServletRequest request) {
+ OidcResourceServerAuthenticationModuleType resourceServer = moduleType.getResourceServer();
+ if (resourceServer.getJwt() != null) {
+ return createJwtResourceServerConfiguration(moduleType, resourceServer, sequenceSuffix);
+ }
+ if (resourceServer.getOpaqueToken() != null) {
+ return createOpaqueTokenResourceServerConfiguration(moduleType, resourceServer, sequenceSuffix);
+ }
- @Autowired
- private SecurityContextManager securityContextManager;
+ return createJwtResourceServerConfiguration(moduleType, resourceServer, sequenceSuffix);
+ }
- @Autowired
- private TaskManager taskManager;
+ private C createJwtResourceServerConfiguration(
+ AbstractAuthenticationModuleType moduleType,
+ OidcResourceServerAuthenticationModuleType resourceServer,
+ String sequenceSuffix) {
+
+ JwtOidcResourceServerConfiguration configuration =
+ JwtOidcResourceServerConfiguration.build(
+ (OidcAuthenticationModuleType)moduleType,
+ sequenceSuffix);
+
configuration.setSequenceSuffix(sequenceSuffix);
+
+ JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
+ if (resourceServer.getJwt() != null && resourceServer.getJwt().getNameOfUsernameClaim() != null) {
+ jwtAuthenticationConverter.setPrincipalClaimName(resourceServer.getJwt().getNameOfUsernameClaim());
+ } else if (resourceServer.getNameOfUsernameClaim() != null) {
+ jwtAuthenticationConverter.setPrincipalClaimName(resourceServer.getNameOfUsernameClaim());
+ }
+ configuration.addAuthenticationProvider(getObjectPostProcessor().postProcess(
+ new OidcResourceServerProvider(configuration.getDecoder(), jwtAuthenticationConverter)));
+ return (C) configuration;
+ }
- public OidcResourceServerModuleWebSecurityConfigurer(C configuration) {
- super(configuration);
+ private C createOpaqueTokenResourceServerConfiguration(
+ AbstractAuthenticationModuleType moduleType,
+ OidcResourceServerAuthenticationModuleType resourceServer,
+ String sequenceSuffix) {
+ OpaqueTokenOidcResourceServerConfiguration configuration =
+ OpaqueTokenOidcResourceServerConfiguration.build(
+ (OidcAuthenticationModuleType)moduleType,
+ sequenceSuffix);
+ configuration.setSequenceSuffix(sequenceSuffix);
+
+ configuration.addAuthenticationProvider(getObjectPostProcessor().postProcess(
+ new OidcResourceServerProvider(configuration.getIntrospector())));
+ return (C) configuration;
 }
 @Override
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/RemoteModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/RemoteModuleWebSecurityConfigurer.java
index 1fa86911ebf..71527433e9b 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/RemoteModuleWebSecurityConfigurer.java
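Review bot: `buildConfiguration` in OidcResourceServerModuleWebSecurityConfigurer silently falls back to a JWT resource server when the module declares neither `jwt` nor `opaqueToken`, and dereferences `moduleType.getResourceServer()` without a null check; for a token-validation module a misconfiguration should fail the module build rather than quietly pick a validator, so replace the trailing `return createJwtResourceServerConfiguration(...)` with `throw new IllegalArgumentException("OIDC resource server module " + moduleType.getIdentifier() + " must configure either jwt or opaqueToken");` and guard `resourceServer == null` the same way. The redundant `resourceServer.getJwt() != null` test inside `createJwtResourceServerConfiguration` exists only to serve that fallback and can go with it. As a point of style, `@Autowired TaskManager taskManager;` is package-private while its three siblings are `private` (the same applies to `systemObjectCache` in RemoteModuleWebSecurityConfigurer), and the two `return (C) configuration;` casts are unchecked and deserve a `@SuppressWarnings("unchecked")` with a comment explaining why `C` is known to be a RemoteModuleWebSecurityConfiguration here.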
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/RemoteModuleWebSecurityConfigurer.java
@@ -9,9 +9,20 @@
 import java.util.UUID;
+import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
+import com.evolveum.midpoint.authentication.impl.factory.module.LdapModuleFactory;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.repo.common.SystemObjectCache;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.SystemConfigurationTypeUtil;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
+
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.http.HttpServletRequest;
@@ -21,11 +32,11 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
@@ -48,19 +59,23 @@ public abstract class RemoteModuleWebSecurityConfigurer extends ModuleWebSecurityConfigurer {
- @Autowired
- private ModelAuditRecorder auditProvider;
-
- @Autowired
- private AuthModuleRegistryImpl authRegistry;
+ private static final Trace LOGGER = TraceManager.getTrace(RemoteModuleWebSecurityConfigurer.class);
- @Autowired
- private AuthChannelRegistryImpl authChannelRegistry;
+ @Autowired private ModelAuditRecorder auditProvider;
+ @Autowired private AuthModuleRegistryImpl authRegistry;
+ @Autowired private AuthChannelRegistryImpl authChannelRegistry;
+ @Autowired SystemObjectCache systemObjectCache;
 public RemoteModuleWebSecurityConfigurer(C configuration) {
 super(configuration);
 }
+ public RemoteModuleWebSecurityConfigurer(MT moduleType, String prefix, AuthenticationChannel authenticationChannel,
+ ObjectPostProcessor postProcessor,
+ ServletRequest request) {
+ super(moduleType, prefix, authenticationChannel, postProcessor, request);
+ }
+
 protected ModelAuditRecorder getAuditProvider() {
 return auditProvider;
 }
@@ -146,4 +161,14 @@ public Object buildDetails(HttpServletRequest context) {
 return detailsSource.buildDetails(context);
 }
 }
+
+ protected String getPublicUrlPrefix(ServletRequest request) {
+ try {
+ PrismObject systemConfig = systemObjectCache.getSystemConfiguration(new OperationResult("load system configuration"));
+ return SystemConfigurationTypeUtil.getPublicHttpUrlPattern(systemConfig.asObjectable(), request.getServerName());
+ } catch (SchemaException e) {
+ LOGGER.error("Couldn't load system configuration", e);
+ return null;
+ }
+ }
 }
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/SamlModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/SamlModuleWebSecurityConfigurer.java
index d2100cd60cc..183b7067bb1 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/SamlModuleWebSecurityConfigurer.java
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/SamlModuleWebSecurityConfigurer.java
@@ -9,6 +9,7 @@
 import java.util.Collections;
+import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
 import com.evolveum.midpoint.authentication.impl.handler.MidPointAuthenticationSuccessHandler;
 import com.evolveum.midpoint.authentication.impl.handler.MidpointAuthenticationFailureHandler;
 import com.evolveum.midpoint.authentication.impl.saml.MidpointMetadataRelyingPartyRegistrationResolver;
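Review bot: `getPublicUrlPrefix` feeds `request.getServerName()` into the public URL that the OIDC client and SAML configurers build their configuration from; the server name comes from the request's Host header (or forwarded headers, depending on the container setup), which is client-controlled unless the deployment pins it, so `getPublicHttpUrlPattern` must only ever select among patterns already present in the system configuration and never echo the supplied name back — I can't see its body here, so please confirm, and add the comment `// serverName is client-supplied; only used to select a configured pattern, never returned verbatim` once it is. The `catch (SchemaException e)` does not cover `systemConfig` being null, so if `getSystemConfiguration` can return null (it does in a fresh repository, as far as I know) the `.asObjectable()` call throws a NullPointerException out of the constructor path. Returning `null` after logging means the caller proceeds to build an OIDC/SAML configuration with no public URL, which is likely a worse failure than refusing the module; consider throwing an IllegalStateException instead. The `OperationResult` created here is never completed or recorded, and the `LdapModuleFactory` import added in the first hunk of this file is not used by any visible line.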
@@ -19,8 +20,10 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.Saml2AuthenticationModuleType;
+import jakarta.servlet.ServletRequest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
@@ -44,7 +47,7 @@
 * @author skublik
 */
-public class SamlModuleWebSecurityConfigurer extends RemoteModuleWebSecurityConfigurer {
+public class SamlModuleWebSecurityConfigurer extends RemoteModuleWebSecurityConfigurer {
 private static final Trace LOGGER = TraceManager.getTrace(SamlModuleWebSecurityConfigurer.class);
 public static final String SAML_LOGIN_PATH = "/saml2/select";
@@ -52,10 +55,24 @@ public class SamlModuleWebSecurityConfigurer postProcessor,
+ ServletRequest request) {
+ super(moduleType, sequenceSuffix, channel, postProcessor, request);
+ }
+
+ @Override
+ protected SamlModuleWebSecurityConfiguration buildConfiguration(Saml2AuthenticationModuleType moduleType, String sequenceSuffix, AuthenticationChannel authenticationChannel, ServletRequest request) {
+ SamlModuleWebSecurityConfiguration configuration = SamlModuleWebSecurityConfiguration.build(moduleType, sequenceSuffix, getPublicUrlPrefix(request), request);
+ configuration.setSequenceSuffix(sequenceSuffix);
+ return configuration;
+ }
+
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 super.configure(http);
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/SecurityQuestionsFormModuleWebSecurityConfigurer.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/SecurityQuestionsFormModuleWebSecurityConfigurer.java
index 5d65543f6ab..717f1fbf027 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/SecurityQuestionsFormModuleWebSecurityConfigurer.java
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/SecurityQuestionsFormModuleWebSecurityConfigurer.java
@@ -19,6 +19,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsFormAuthenticationModuleType;
+import jakarta.servlet.ServletRequest;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -35,8 +36,9 @@ public SecurityQuestionsFormModuleWebSecurityConfigurer(C configuration) {
 public SecurityQuestionsFormModuleWebSecurityConfigurer(SecurityQuestionsFormAuthenticationModuleType moduleType,
 String prefixOfSequence,
 AuthenticationChannel authenticationChannel,
- ObjectPostProcessor postProcessor) {
- super(moduleType, prefixOfSequence, authenticationChannel, postProcessor);
+ ObjectPostProcessor postProcessor,
+ ServletRequest request) {
+ super(moduleType, prefixOfSequence, authenticationChannel, postProcessor, request);
 }
 @Override
diff --git a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/util/AuthenticationSequenceModuleCreator.java b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/util/AuthenticationSequenceModuleCreator.java
index 9fb7b8d25f6..742d2c12f0b 100644
--- a/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/util/AuthenticationSequenceModuleCreator.java
+++ b/model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/util/AuthenticationSequenceModuleCreator.java
@@ -13,6 +13,7 @@
 import java.util.Objects;
 import java.util.stream.Collectors;
+import com.evolveum.midpoint.authentication.impl.factory.module.ModuleFactory;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
@@ -91,9 +92,9 @@ private AuthModule createAuthModule(AuthenticationSequenceModuleType sequenc
 String sequenceModuleIdentifier = StringUtils.isNotEmpty(sequenceModule.getIdentifier()) ? sequenceModule.getIdentifier() : sequenceModule.getName();
 AbstractAuthenticationModuleType module = getModuleByIdentifier(sequenceModuleIdentifier, authenticationModulesType);
- AbstractModuleFactory moduleFactory = authRegistry.findModuleFactory(module, authenticationChannel);
+ ModuleFactory moduleFactory = authRegistry.findModuleFactory(module, authenticationChannel);
- return moduleFactory.createModuleFilter(module, sequence.getChannel().getUrlSuffix(), request,
+ return moduleFactory.createAuthModule(module, sequence.getChannel().getUrlSuffix(), request,
 sharedObjects, authenticationModulesType, credentialPolicy, authenticationChannel, sequenceModule);
 } catch (Exception e) {
@@ -114,13 +115,13 @@ private List> getSpecificModuleFilter(AuthModuleRegistryImpl auth
 String type = header.split(" ")[0];
 if (AuthenticationModuleNameConstants.CLUSTER.equalsIgnoreCase(type)) {
 List> authModules = new ArrayList<>();
- HttpClusterModuleFactory factory = authRegistry.findModelFactoryByClass(HttpClusterModuleFactory.class);
+ HttpClusterModuleFactory factory = authRegistry.findModuleFactoryByClass(HttpClusterModuleFactory.class);
 AbstractAuthenticationModuleType module = new AbstractAuthenticationModuleType() {
 };
 module.setIdentifier(AuthenticationModuleNameConstants.CLUSTER.toLowerCase() + "-module");
 try {
 //noinspection unchecked
- authModules.add((AuthModule) factory.createModuleFilter(module, urlSuffix, httpRequest,
+ authModules.add((AuthModule) factory.createAuthModule(module, urlSuffix, httpRequest,
 sharedObjects, authenticationModulesType, credentialPolicy, null,
 new AuthenticationSequenceModuleType()
 .necessity(AuthenticationSequenceModuleNecessityType.SUFFICIENT)