Spring 6.0 Update - fix spring security upgrade

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/configuration/MidpointWebSecurityConfigurerAdapter.java

@@ -24,20 +24,22 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
+import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.DependsOn;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
@@ -48,32 +50,48 @@
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.authentication.impl.factory.channel.AuthChannelRegistryImpl;
 
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.web.accept.ContentNegotiationStrategy;
+import org.springframework.web.accept.HeaderContentNegotiationStrategy;
+
+import java.util.HashMap;
+import java.util.Map;
+
 /**
  * @author skublik
  */
 @Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
 @Configuration
 @EnableWebSecurity
 @DependsOn("initialSecurityConfiguration")
-public class MidpointWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
+public class MidpointWebSecurityConfigurerAdapter {//extends WebSecurityConfigurerAdapter {
 
     @Autowired
     private AuthChannelRegistryImpl authChannelRegistry;
 
     @Autowired
     private SessionRegistry sessionRegistry;
 
+    @Autowired
+    private ApplicationContext context;
+
     private ObjectPostProcessor<Object> objectObjectPostProcessor;
+    private ContentNegotiationStrategy contentNegotiationStrategy = new HeaderContentNegotiationStrategy();
 
-    public MidpointWebSecurityConfigurerAdapter() {
-        super(true);
+//    public MidpointWebSecurityConfigurerAdapter() {
+//        super(true);
+//    }
+
+    @Autowired(required = false)
+    void setContentNegotiationStrategy(ContentNegotiationStrategy contentNegotiationStrategy) {
+        this.contentNegotiationStrategy = contentNegotiationStrategy;
     }
 
+//    @Override
     @Autowired
-    @Override
     public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
         this.objectObjectPostProcessor = objectPostProcessor;
-        super.setObjectPostProcessor(objectPostProcessor);
+//        super.setObjectPostProcessor(objectPostProcessor);
     }
 
     @Bean
@@ -110,38 +128,63 @@ public AuthenticationEntryPoint authenticationEntryPoint() {
         return new WicketLoginUrlAuthenticationEntryPoint("/login");
     }
 
+
+//    @Override
     @Bean
     @SessionAndRequestScope
-    @Override
     protected MidpointProviderManager authenticationManager() throws Exception {
         return new MidpointProviderManager();
     }
 
-    @Override
-    public void configure(WebSecurity web) throws Exception {
-        super.configure(web);
-        // Web (SOAP) services
-        web.ignoring().antMatchers("/model/**");
+    @Bean
+    public WebSecurityCustomizer webSecurityCustomizer() {
+        return (web) -> {
+            // Web (SOAP) services
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/model/**"));
 
-        // Special intra-cluster service to download and delete report outputs
-        web.ignoring().antMatchers("/report");
+            // Special intra-cluster service to download and delete report outputs
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/report"));
 
-        web.ignoring().antMatchers("/js/**");
-        web.ignoring().antMatchers("/css/**");
-        web.ignoring().antMatchers("/img/**");
-        web.ignoring().antMatchers("/fonts/**");
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/js/**"));
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/css/**"));
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/img/**"));
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/fonts/**"));
 
-        web.ignoring().antMatchers("/static/**");
-        web.ignoring().antMatchers("/static-web/**");
-        web.ignoring().antMatchers("/less/**");
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/static/**"));
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/static-web/**"));
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/less/**"));
 
-        web.ignoring().antMatchers("/wicket/resource/**");
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/wicket/resource/**"));
 
-        web.ignoring().antMatchers("/favicon.ico");
+            web.ignoring().requestMatchers(new AntPathRequestMatcher("/favicon.ico"));
+        };
     }
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
+//    @Override
+//    public void configure(WebSecurity web) throws Exception {
+//        super.configure(web);
+//        // Web (SOAP) services
+//        web.ignoring().antMatchers("/model/**");
+//
+//        // Special intra-cluster service to download and delete report outputs
+//        web.ignoring().antMatchers("/report");
+//
+//        web.ignoring().antMatchers("/js/**");
+//        web.ignoring().antMatchers("/css/**");
+//        web.ignoring().antMatchers("/img/**");
+//        web.ignoring().antMatchers("/fonts/**");
+//
+//        web.ignoring().antMatchers("/static/**");
+//        web.ignoring().antMatchers("/static-web/**");
+//        web.ignoring().antMatchers("/less/**");
+//
+//        web.ignoring().antMatchers("/wicket/resource/**");
+//
+//        web.ignoring().antMatchers("/favicon.ico");
+//    }
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.setSharedObject(AuthenticationTrustResolverImpl.class, new MidpointAuthenticationTrustResolverImpl());
         http.addFilter(new WebAsyncManagerIntegrationFilter())
                 .sessionManagement().and()
@@ -154,8 +197,40 @@ protected void configure(HttpSecurity http) throws Exception {
                 .maximumSessions(-1)
                 .sessionRegistry(sessionRegistry)
                 .maxSessionsPreventsLogin(true);
+        return http.build();
+    }
+
+    @Bean
+    public HttpSecurity httpSecurity() throws Exception {
+        AuthenticationManagerBuilder authenticationBuilder = new AuthenticationManagerBuilder(this.objectObjectPostProcessor);
+        authenticationBuilder.parentAuthenticationManager(authenticationManager());
+        HttpSecurity http = new HttpSecurity(this.objectObjectPostProcessor, authenticationBuilder, createSharedObjects());
+        return http;
+    }
+
+    private Map<Class<?>, Object> createSharedObjects() {
+        Map<Class<?>, Object> sharedObjects = new HashMap<>();
+        sharedObjects.put(ApplicationContext.class, this.context);
+        sharedObjects.put(ContentNegotiationStrategy.class, this.contentNegotiationStrategy);
+        return sharedObjects;
     }
 
+//    @Override
+//    protected void configure(HttpSecurity http) throws Exception {
+//        http.setSharedObject(AuthenticationTrustResolverImpl.class, new MidpointAuthenticationTrustResolverImpl());
+//        http.addFilter(new WebAsyncManagerIntegrationFilter())
+//                .sessionManagement().and()
+//                .securityContext();
+//        http.apply(new AuthFilterConfigurer());
+//
+//        createSessionContextRepository(http);
+//
+//        http.sessionManagement()
+//                .maximumSessions(-1)
+//                .sessionRegistry(sessionRegistry)
+//                .maxSessionsPreventsLogin(true);
+//    }
+
     private void createSessionContextRepository(HttpSecurity http) {
         HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository() {
             @Override

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/Saml2ModuleFactory.java

@@ -9,6 +9,9 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+
+import com.evolveum.midpoint.authentication.impl.saml.MidpointSaml2WebSsoAuthenticationRequestFilter;
+
 import jakarta.servlet.Filter;
 import jakarta.servlet.ServletRequest;
 
@@ -25,7 +28,7 @@
 import com.evolveum.midpoint.authentication.impl.module.configuration.SamlModuleWebSecurityConfiguration;
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;
+import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.stereotype.Component;
@@ -71,9 +74,10 @@ public AuthModule createModuleFilter(AbstractAuthenticationModuleType moduleType
         moduleAuthentication.setFocusType(moduleType.getFocusType());
         SecurityFilterChain filter = http.build();
         for (Filter f : filter.getFilters()){
-            if (f instanceof Saml2WebSsoAuthenticationRequestFilter) {
-                ((Saml2WebSsoAuthenticationRequestFilter) f).setRedirectMatcher(new AntPathRequestMatcher(module.getPrefix()
-                        + RemoteModuleAuthenticationImpl.AUTHENTICATION_REQUEST_PROCESSING_URL_SUFFIX_WITH_REG_ID));
+            if (f instanceof MidpointSaml2WebSsoAuthenticationRequestFilter) {
+                ((MidpointSaml2WebSsoAuthenticationRequestFilter) f).getAuthenticationRequestResolver().setRequestMatcher(
+                        new AntPathRequestMatcher(module.getPrefix()
+                                + RemoteModuleAuthenticationImpl.AUTHENTICATION_REQUEST_PROCESSING_URL_SUFFIX_WITH_REG_ID));
                 break;
             }
         }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/AttributeVerificationModuleWebSecurityConfigurer.java

@@ -28,7 +28,7 @@ public AttributeVerificationModuleWebSecurityConfigurer(C configuration) {
     protected void configure(HttpSecurity http) throws Exception {
         super.configure(http);
         AttributeVerificationAuthenticationFilter verificationFilter = new AttributeVerificationAuthenticationFilter();
-        http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
+        http.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
         getOrApply(http, new MidpointAttributeConfigurer<>(verificationFilter))
                 .loginPage("/attributeVerification")
                 .loginProcessingUrl(AuthUtil.stripEndingSlashes(getPrefix()) + "/spring_security_login")

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/FocusIdentificationModuleWebSecurityConfigurer.java

@@ -34,7 +34,7 @@ protected void configure(HttpSecurity http) throws Exception {
         super.configure(http);
         FocusIdentificationAuthenticationFilter identificationFilter = new FocusIdentificationAuthenticationFilter();
 
-        http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
+        http.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
         getOrApply(http, new MidpointAttributeConfigurer<>(identificationFilter))
                 .loginPage("/focusIdentification")
                 .loginProcessingUrl(AuthUtil.stripEndingSlashes(getPrefix()) + "/spring_security_login")

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HintModuleWebSecurityConfigurer.java

@@ -30,7 +30,7 @@ public HintModuleWebSecurityConfigurer(C configuration) {
     protected void configure(HttpSecurity http) throws Exception {
         super.configure(http);
         HintAuthenticationFilter hintFilter = new HintAuthenticationFilter();
-        http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
+        http.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
         getOrApply(http, new MidpointAttributeConfigurer<>(hintFilter))
                 .loginPage("/hint")
                 .loginProcessingUrl(AuthUtil.stripEndingSlashes(getPrefix()) + "/spring_security_login")

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpBasicModuleWebSecurityConfigurer.java

@@ -52,7 +52,7 @@ protected void configure(HttpSecurity http) throws Exception {
 
         super.configure(http);
         HttpAuthenticationEntryPoint entryPoint = getObjectPostProcessor().postProcess(new HttpAuthenticationEntryPoint());
-        http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
+        http.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
 
         HttpBasicAuthenticationFilter filter = getObjectPostProcessor().postProcess(new HttpBasicAuthenticationFilter(authenticationManager(), entryPoint));
         RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpClusterModuleWebSecurityConfigurer.java

@@ -47,7 +47,7 @@ protected void configure(HttpSecurity http) throws Exception {
 
         super.configure(http);
         HttpAuthenticationEntryPoint entryPoint = getObjectPostProcessor().postProcess(new HttpAuthenticationEntryPoint());
-        http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
+        http.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
 
         HttpClusterAuthenticationFilter filter = getObjectPostProcessor().postProcess(new HttpClusterAuthenticationFilter(authenticationManager(), entryPoint));
         RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpSecurityQuestionsModuleWebSecurityConfigurer.java

@@ -53,7 +53,7 @@ protected void configure(HttpSecurity http) throws Exception {
 
         super.configure(http);
         HttpAuthenticationEntryPoint entryPoint = getObjectPostProcessor().postProcess(new HttpSecurityQuestionsAuthenticationEntryPoint());
-        http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
+        http.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
 
         http.authorizeRequests().accessDecisionManager(new MidpointHttpAuthorizationEvaluator(securityEnforcer, securityContextManager, taskManager, model));
 

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/LoginFormModuleWebSecurityConfigurer.java

@@ -6,8 +6,6 @@
  */
 package com.evolveum.midpoint.authentication.impl.module.configurer;
 
-import java.util.Arrays;
-
 import com.evolveum.midpoint.authentication.impl.handler.AuditedLogoutHandler;
 import com.evolveum.midpoint.authentication.impl.handler.MidPointAuthenticationSuccessHandler;
 import com.evolveum.midpoint.authentication.impl.handler.MidpointAuthenticationFailureHandler;
@@ -21,7 +19,6 @@
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.env.Environment;
-import org.springframework.security.cas.web.CasAuthenticationFilter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
@@ -45,9 +42,6 @@ public class LoginFormModuleWebSecurityConfigurer<C extends LoginFormModuleWebSe
     @Autowired(required = false)
     private RequestAttributeAuthenticationFilter requestAttributeAuthenticationFilter;
 
-    @Autowired(required = false)
-    private CasAuthenticationFilter casFilter;
-
     @Autowired(required = false)
     private LogoutFilter requestSingleLogoutFilter;
 
@@ -61,7 +55,7 @@ public LoginFormModuleWebSecurityConfigurer(C configuration) {
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         super.configure(http);
-        http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
+        http.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
         getOrApply(http, getMidpointFormLoginConfigurer())
                 .loginPage("/login")
                 .loginProcessingUrl(AuthUtil.stripEndingSlashes(getPrefix()) + "/spring_security_login")
@@ -76,15 +70,6 @@ protected void configure(HttpSecurity http) throws Exception {
                 .invalidateHttpSession(true)
                 .deleteCookies("JSESSIONID")
                 .logoutSuccessHandler(createLogoutHandler());
-
-        if (Arrays.stream(environment.getActiveProfiles()).anyMatch(p -> p.equalsIgnoreCase("cas"))) {
-            http.addFilterAt(casFilter, CasAuthenticationFilter.class);
-            http.addFilterBefore(requestSingleLogoutFilter, LogoutFilter.class);
-        }
-
-        if (Arrays.stream(environment.getActiveProfiles()).anyMatch(p -> p.equalsIgnoreCase("ssoenv"))) {
-            http.addFilterBefore(requestAttributeAuthenticationFilter, LogoutFilter.class);
-        }
     }
 
     protected MidpointFormLoginConfigurer getMidpointFormLoginConfigurer() {

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/MailNonceFormModuleWebSecurityConfigurer.java

@@ -30,7 +30,7 @@ public MailNonceFormModuleWebSecurityConfigurer(C configuration) {
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         super.configure(http);
-        http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
+        http.securityMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
         getOrApply(http, new MidpointFormLoginConfigurer<>(new MailNonceAuthenticationFilter()))
                 .loginPage(getConfiguration().getSpecificLoginUrl() == null ? "/emailNonce" : getConfiguration().getSpecificLoginUrl())
                 .failureHandler(new MidpointAuthenticationFailureHandler())