Merge branch 'master' into feature/mid-6303

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/MidpointResponse.java

@@ -20,6 +20,9 @@
 import org.apache.catalina.connector.Response;
 import org.apache.commons.lang3.StringUtils;
 
+import java.util.Arrays;
+import java.util.List;
+
 /**
  * @author skublik
  */
@@ -48,7 +51,12 @@ public void setHeader(String name, String value) {
             String publicUrlPrefix = getPublicUrlPrefix();
             if (publicUrlPrefix != null && StringUtils.isNotBlank(value)) {
                 if (value.startsWith(".")) {
-                    value = publicUrlPrefix + value.substring(1);
+                    List<String> segments = Arrays.asList(getRequest().getServletPath().substring(1).split("/"));
+                    if (segments.size() <= 1) {
+                        value = publicUrlPrefix + value.substring(1);
+                    } else {
+                        value = publicUrlPrefix + getRequest().getServletPath().substring(0, getRequest().getServletPath().lastIndexOf("/")) + value.substring(1);
+                    }
                 } else if (StringUtils.isBlank(contextPath)) {
                     if (value.startsWith("/")) {
                         value = publicUrlPrefix + value;

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/forgetpassword/PageResetPasswordConfirmation.java

@@ -11,7 +11,6 @@
 import com.evolveum.midpoint.model.api.authentication.*;
 import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
 import com.evolveum.midpoint.web.security.factory.channel.ResetPasswordChannelFactory;
-import com.evolveum.midpoint.web.security.factory.module.AbstractModuleFactory;
 import com.evolveum.midpoint.web.security.factory.module.LoginFormModuleFactory;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 
@@ -22,7 +21,6 @@
 import org.apache.wicket.request.mapper.parameter.PageParameters;
 import org.apache.wicket.spring.injection.annot.SpringBean;
 import org.apache.wicket.util.string.StringValue;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -127,7 +125,7 @@ private void init(final PageParameters pageParameters) {
             authorizationType.getAction().add(AuthorizationConstants.AUTZ_UI_SELF_CREDENTIALS_URL);
             Authorization selfServiceCredentialsAuthz = new Authorization(authorizationType);
             authz.add(selfServiceCredentialsAuthz);
-            AuthenticationSequenceType sequence = SecurityPolicyUtil.createPaswordResetSequence();
+            AuthenticationSequenceType sequence = SecurityPolicyUtil.createPasswordResetSequence();
             Map<Class<? extends Object>, Object> sharedObjects = new HashMap<>();
             AuthenticationModulesType modules = new AuthenticationModulesType();
             AuthenticationModuleLoginFormType loginForm = new AuthenticationModuleLoginFormType();

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java

@@ -10,11 +10,15 @@
 import java.util.List;
 import java.util.UUID;
 
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.schema.SchemaRegistry;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Scope;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
@@ -39,6 +43,8 @@
 import com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter;
 import com.evolveum.midpoint.web.security.filter.configurers.AuthFilterConfigurer;
 
+import org.springframework.web.context.annotation.SessionScope;
+
 /**
  * @author skublik
  */
@@ -56,6 +62,9 @@ public class BasicWebSecurityConfig extends WebSecurityConfigurerAdapter {
     @Autowired
     private SessionRegistry sessionRegistry;
 
+    @Autowired
+    PrismContext prismContext;
+
     private ObjectPostProcessor<Object> objectObjectPostProcessor;
 
     public BasicWebSecurityConfig() {
@@ -127,7 +136,8 @@ public void configure(WebSecurity web) throws Exception {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-        AnonymousAuthenticationFilter anonymousFilter = new MidpointAnonymousAuthenticationFilter(authRegistry, authChannelRegistry, UUID.randomUUID().toString(), "anonymousUser",
+        AnonymousAuthenticationFilter anonymousFilter = new MidpointAnonymousAuthenticationFilter(authRegistry, authChannelRegistry, prismContext,
+                UUID.randomUUID().toString(), "anonymousUser",
                 AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
 
         http.setSharedObject(AuthenticationTrustResolverImpl.class, new MidpointAuthenticationTrustResolverImpl());
@@ -143,8 +153,9 @@ protected void configure(HttpSecurity http) throws Exception {
     }
 
     @Bean
+    @SessionScope
     @Override
-    protected AuthenticationManager authenticationManager() throws Exception {
+    protected MidpointAuthenticationManager authenticationManager() throws Exception {
         List<AuthenticationProvider> providers = new ArrayList<AuthenticationProvider>();
         return new MidpointProviderManager(providers);
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointAuthenticationFauileHandler.java → gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointAuthenticationFailureHandler.java

@@ -30,7 +30,7 @@
  * @author skublik
  */
 
-public class MidpointAuthenticationFauileHandler extends SimpleUrlAuthenticationFailureHandler {
+public class MidpointAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
 
     private RequestCache requestCache = new HttpSessionRequestCache();
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointAuthenticationManager.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+
+import java.util.List;
+
+/**
+ * @author skublik
+ */
+
+public interface MidpointAuthenticationManager extends AuthenticationManager {
+    public List<AuthenticationProvider> getProviders();
+}

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointProviderManager.java

@@ -17,7 +17,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
-public class MidpointProviderManager implements AuthenticationManager {
+public class MidpointProviderManager implements MidpointAuthenticationManager {
 
     private static final Trace LOGGER = TraceManager.getTrace(MidpointProviderManager.class);
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointWebSecurityConfiguration.java

@@ -15,6 +15,7 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.firewall.HttpFirewall;
 
 import javax.servlet.Filter;
 import java.util.ArrayList;
@@ -33,6 +34,9 @@ public class MidpointWebSecurityConfiguration extends WebSecurityConfiguration {
     @Autowired
     ApplicationContext context;
 
+    @Autowired(required = false)
+    private HttpFirewall firewall;
+
     @Override
     public Filter springSecurityFilterChain() throws Exception {
         Filter filter = super.springSecurityFilterChain();
@@ -46,6 +50,9 @@ public Filter springSecurityFilterChain() throws Exception {
                 filters = ((FilterChainProxy) filter).getFilterChains();
             }
             MidpointFilterChainProxy mpFilter = objectObjectPostProcessor.postProcess(new MidpointFilterChainProxy(filters));
+            if (firewall != null) {
+                mpFilter.setFirewall(firewall);
+            }
             mpFilter.afterPropertiesSet();
             return mpFilter;
         }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/factory/module/OtherModuleFactory.java

@@ -0,0 +1,61 @@
+package com.evolveum.midpoint.web.security.factory.module;
+
+import com.evolveum.midpoint.model.api.authentication.AuthModule;
+import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractAuthenticationModuleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModuleOtherType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModulesType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.ServletRequest;
+import java.util.Map;
+
+/**
+ * Created by Viliam Repan (lazyman).
+ */
+@Component
+public class OtherModuleFactory extends AbstractModuleFactory {
+
+    private static final Trace LOGGER = TraceManager.getTrace(OtherModuleFactory.class);
+
+    @Autowired
+    private ApplicationContext applicationContext;
+
+    @Override
+    public boolean match(AbstractAuthenticationModuleType module) {
+        if (module instanceof AuthenticationModuleOtherType) {
+            return true;
+        }
+
+        return false;
+    }
+
+    @Override
+    public AuthModule createModuleFilter(AbstractAuthenticationModuleType module, String prefixOfSequence, ServletRequest request,
+            Map<Class<?>, Object> sharedObjects, AuthenticationModulesType authenticationsPolicy,
+            CredentialsPolicyType credentialPolicy, AuthenticationChannel authenticationChannel) throws Exception {
+
+        if (!(module instanceof AuthenticationModuleOtherType)) {
+            LOGGER.error("This factory support only AuthenticationModuleOtherType, but module is " + module);
+            return null;
+        }
+
+        AuthenticationModuleOtherType other = (AuthenticationModuleOtherType) module;
+
+        String factoryClass = other.getFactoryClass();
+
+        Class<AbstractModuleFactory> factoryClazz = (Class) Class.forName(factoryClass);
+        AbstractModuleFactory factory = applicationContext.getBean(factoryClazz);
+
+        AuthModule authModule = factory.createModuleFilter(module, prefixOfSequence, request, sharedObjects,
+                authenticationsPolicy, credentialPolicy, authenticationChannel);
+
+        return authModule;
+    }
+}

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointAnonymousAuthenticationFilter.java

@@ -8,7 +8,11 @@
 
 import com.evolveum.midpoint.model.api.authentication.AuthModule;
 import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
+import com.evolveum.midpoint.prism.PrismContainer;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.schema.SchemaRegistry;
 import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
+import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
@@ -49,14 +53,18 @@ public class MidpointAnonymousAuthenticationFilter extends AnonymousAuthenticati
 
     private AuthChannelRegistryImpl authChannelRegistry;
 
+    private PrismContext prismContext;
+
     private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
     private String key;
 
-    public MidpointAnonymousAuthenticationFilter(AuthModuleRegistryImpl authRegistry, AuthChannelRegistryImpl authChannelRegistry,
+    public MidpointAnonymousAuthenticationFilter(AuthModuleRegistryImpl authRegistry, AuthChannelRegistryImpl authChannelRegistry, PrismContext prismContext,
                                                  String key, Object principal, List<GrantedAuthority> authorities) {
         super(key, principal, authorities);
         this.key = key;
         this.authRegistry = authRegistry;
+        this.authChannelRegistry = authChannelRegistry;
+        this.prismContext = prismContext;
     }
 
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
@@ -94,7 +102,13 @@ protected Authentication createAuthentication(HttpServletRequest request) {
         Authentication auth = createBasicAuthentication(request);
 
         MidpointAuthentication authentication = new MidpointAuthentication(SecurityPolicyUtil.createDefaultSequence());
-        AuthenticationsPolicyType authenticationsPolicy = SecurityPolicyUtil.createDefaultAuthenticationPolicy();
+        AuthenticationsPolicyType authenticationsPolicy = null;
+        try {
+            authenticationsPolicy = SecurityPolicyUtil.createDefaultAuthenticationPolicy(prismContext.getSchemaRegistry());
+        } catch (SchemaException e) {
+            LOGGER.error("Couldn't get default authentication policy");
+            throw new IllegalArgumentException("Couldn't get default authentication policy", e);
+        }
         AuthenticationSequenceType sequence = SecurityPolicyUtil.createDefaultSequence();
         AuthenticationChannel authenticationChannel = SecurityUtils.buildAuthChannel(authChannelRegistry, sequence);
         List<AuthModule> authModules = SecurityUtils.buildModuleFilters(authRegistry, sequence, request, authenticationsPolicy.getModules(),

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointAuthFilter.java

@@ -8,12 +8,15 @@
 
 import com.evolveum.midpoint.model.api.authentication.*;
 import com.evolveum.midpoint.model.common.SystemObjectCache;
+import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.schema.SchemaRegistry;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.web.security.MidpointAuthenticationManager;
 import com.evolveum.midpoint.web.security.MidpointProviderManager;
 import com.evolveum.midpoint.web.security.factory.channel.AuthChannelRegistryImpl;
 import com.evolveum.midpoint.web.security.module.ModuleWebSecurityConfig;
@@ -60,7 +63,10 @@ public class MidpointAuthFilter extends GenericFilterBean {
     private AuthChannelRegistryImpl authChannelRegistry;
 
     @Autowired
-    private AuthenticationManager authenticationManager;
+    private MidpointAuthenticationManager authenticationManager;
+
+    @Autowired
+    private PrismContext prismContext;
 
 //    private SecurityFilterChain authenticatedFilter;
     private AuthenticationsPolicyType authenticationPolicy;
@@ -85,9 +91,9 @@ public void createFilterForAuthenticatedRequest() {
 //        }
     }
 
-    public AuthenticationsPolicyType getDefaultAuthenticationPolicy() {
+    public AuthenticationsPolicyType getDefaultAuthenticationPolicy() throws SchemaException {
         if (authenticationPolicy == null) {
-            authenticationPolicy = SecurityPolicyUtil.createDefaultAuthenticationPolicy();
+            authenticationPolicy = SecurityPolicyUtil.createDefaultAuthenticationPolicy(prismContext.getSchemaRegistry());
         }
         return authenticationPolicy;
     }
@@ -130,7 +136,12 @@ private void doFilterInternal(ServletRequest request, ServletResponse response,
 
         } catch (SchemaException e) {
             LOGGER.error("Couldn't load Authentication policy", e);
-            authenticationsPolicy = getDefaultAuthenticationPolicy();
+            try {
+                authenticationsPolicy = getDefaultAuthenticationPolicy();
+            } catch (SchemaException schemaException) {
+                LOGGER.error("Couldn't get default authentication policy");
+                throw new IllegalArgumentException("Couldn't get default authentication policy", e);
+            }
         }
 
         if (SecurityUtils.isIgnoredLocalPath(authenticationsPolicy, httpRequest)) {
@@ -171,7 +182,7 @@ private void doFilterInternal(ServletRequest request, ServletResponse response,
         //change sequence of authentication during another sequence
         if (mpAuthentication == null || !sequence.equals(mpAuthentication.getSequence())) {
             SecurityContextHolder.getContext().setAuthentication(null);
-            ((MidpointProviderManager)authenticationManager).getProviders().clear();
+            authenticationManager.getProviders().clear();
             authModules = SecurityUtils.buildModuleFilters(authModuleRegistry, sequence, httpRequest, authenticationsPolicy.getModules(),
                     credentialsPolicy, sharedObjects, authenticationChannel);
         } else {

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/HttpHeaderModuleWebSecurityConfig.java

@@ -6,7 +6,7 @@
  */
 package com.evolveum.midpoint.web.security.module;
 
-import com.evolveum.midpoint.web.security.MidpointAuthenticationFauileHandler;
+import com.evolveum.midpoint.web.security.MidpointAuthenticationFailureHandler;
 import com.evolveum.midpoint.web.security.MidpointProviderManager;
 import com.evolveum.midpoint.web.security.filter.MidpointRequestHeaderAuthenticationFilter;
 import com.evolveum.midpoint.web.security.module.configuration.HttpHeaderModuleWebSecurityConfiguration;
@@ -41,7 +41,7 @@ private RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() {
         filter.setPrincipalRequestHeader(getConfiguration().getPrincipalRequestHeader());
         filter.setExceptionIfHeaderMissing(false);
         filter.setAuthenticationManager(authenticationManager);
-        filter.setAuthenticationFailureHandler(new MidpointAuthenticationFauileHandler());
+        filter.setAuthenticationFailureHandler(new MidpointAuthenticationFailureHandler());
 
         return filter;
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/LoginFormModuleWebSecurityConfig.java

@@ -6,7 +6,7 @@
  */
 package com.evolveum.midpoint.web.security.module;
 
-import com.evolveum.midpoint.web.security.MidpointAuthenticationFauileHandler;
+import com.evolveum.midpoint.web.security.MidpointAuthenticationFailureHandler;
 import com.evolveum.midpoint.web.security.filter.MidpointUsernamePasswordAuthenticationFilter;
 import com.evolveum.midpoint.web.security.filter.configurers.MidpointExceptionHandlingConfigurer;
 import com.evolveum.midpoint.web.security.filter.configurers.MidpointFormLoginConfigurer;
@@ -69,7 +69,7 @@ protected void configure(HttpSecurity http) throws Exception {
         getOrApply(http, getMidpointFormLoginConfiguration())
                 .loginPage("/login")
                 .loginProcessingUrl(stripEndingSlases(getPrefix()) + "/spring_security_login")
-                .failureHandler(new MidpointAuthenticationFauileHandler())
+                .failureHandler(new MidpointAuthenticationFailureHandler())
                 .successHandler(getObjectPostProcessor().postProcess(
                         new MidPointAuthenticationSuccessHandler().setPrefix(configuration.getPrefix()))).permitAll();
         getOrApply(http, new MidpointExceptionHandlingConfigurer())

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/MailNonceFormModuleWebSecurityConfig.java

@@ -8,7 +8,7 @@
 
 import com.evolveum.midpoint.model.api.authentication.ModuleWebSecurityConfiguration;
 import com.evolveum.midpoint.web.security.MidPointAuthenticationSuccessHandler;
-import com.evolveum.midpoint.web.security.MidpointAuthenticationFauileHandler;
+import com.evolveum.midpoint.web.security.MidpointAuthenticationFailureHandler;
 import com.evolveum.midpoint.web.security.WicketLoginUrlAuthenticationEntryPoint;
 import com.evolveum.midpoint.web.security.filter.MailNonceAuthenticationFilter;
 import com.evolveum.midpoint.web.security.filter.configurers.MidpointExceptionHandlingConfigurer;
@@ -41,7 +41,7 @@ protected void configure(HttpSecurity http) throws Exception {
         http.antMatcher(stripEndingSlases(getPrefix()) + "/**");
         getOrApply(http, new MidpointFormLoginConfigurer(new MailNonceAuthenticationFilter()))
                 .loginPage(getConfiguration().getSpecificLoginUrl() == null ? "/emailNonce" : getConfiguration().getSpecificLoginUrl())
-                .failureHandler(new MidpointAuthenticationFauileHandler())
+                .failureHandler(new MidpointAuthenticationFailureHandler())
                 .successHandler(getObjectPostProcessor().postProcess(
                         new MidPointAuthenticationSuccessHandler().setPrefix(configuration.getPrefix()))).permitAll();
         getOrApply(http, new MidpointExceptionHandlingConfigurer())