resolving error with rest and from customer email

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/GuiConstants.java

@@ -13,4 +13,6 @@ public class GuiConstants {
     public static final String NS_UI_PREFIX = SchemaConstants.NS_MIDPOINT_PUBLIC_PREFIX + "ui/";
     public static final String NS_UI_FEATURE = NS_UI_PREFIX + "feature";
 
+    public static final String DEFAULT_PATH_AFTER_LOGIN = "/self/dashboard";
+    public static final String DEFAULT_PATH_AFTER_LOGOUT = "/";
 }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/actuator/ActuatorWebSecurityConfig.java

@@ -51,7 +51,7 @@ protected void configure(HttpSecurity http) throws Exception {
         .and()
         .formLogin().disable()
         .csrf().disable()
-        .exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint())
+        .exceptionHandling().authenticationEntryPoint(new HttpAuthenticationEntryPoint())
         .and()
         .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/forgetpassword/PageShowPassword.java

@@ -13,6 +13,8 @@
 @PageDescriptor(url = "/resetpasswordsuccess", permitAll = true)
 public class PageShowPassword extends PageBase {
 
+    public final static String URL = "/resetpasswordsuccess";
+
     public PageShowPassword() {
         add(new Label("pass", getSession().getAttribute("pwdReset")));
         getSession().removeAttribute("pwdReset");

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageSecurityQuestions.java

@@ -63,6 +63,7 @@
 import org.apache.wicket.protocol.http.servlet.ServletWebRequest;
 import org.apache.wicket.request.cycle.RequestCycle;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.WebAttributes;
 
@@ -192,7 +193,20 @@ protected void onUpdate(AjaxRequestTarget target) {
         questionsView.setOutputMarkupId(true);
         questionsContainer.add(questionsView);
 
-        questionsContainer.add(createBackButton(ID_BACK_2_BUTTON));
+        AjaxButton back = new AjaxButton(ID_BACK_2_BUTTON) {
+
+            private static final long serialVersionUID = 1L;
+
+            @Override
+            public void onClick(AjaxRequestTarget target) {
+                showedQuestions = false;
+                questionsModel.setObject(new ArrayList<SecurityQuestionDto>());
+                getHiddenUsername().getModel().setObject(null);
+                getHiddenAnswer().getModel().setObject(null);
+                target.add(getMainForm());
+            }
+        };
+        questionsContainer.add(back);
     }
 
     private String generateAnswer() {
@@ -332,15 +346,16 @@ private void showQuestions(AjaxRequestTarget target) {
 
     private List<SecurityQuestionDto> createUsersSecurityQuestionsList(PrismObject<UserType> user) {
 
-//        SecurityQuestionsCredentialsType credentialsPolicyType = user.asObjectable().getCredentials()
-//                .getSecurityQuestions();
-//        if (credentialsPolicyType == null) {
-//            String key = "web.security.flexAuth.unsupported.auth.type";
-//            error(getString(key));
-//            throw new RestartResponseException(PageError.class);
-//            return null;
-//        }
-//        List<SecurityQuestionAnswerType> secQuestAnsList = credentialsPolicyType.getQuestionAnswer();
+        SecurityQuestionsCredentialsType credentialsPolicyType = user.asObjectable().getCredentials()
+                .getSecurityQuestions();
+        if (credentialsPolicyType == null || credentialsPolicyType.getQuestionAnswer() == null
+                || credentialsPolicyType.getQuestionAnswer().isEmpty()) {
+            String key = "web.security.flexAuth.any.security.questions";
+            error(getString(key));
+            LOGGER.error(key);
+            throw new RestartResponseException(PageSecurityQuestions.class);
+        }
+        List<SecurityQuestionAnswerType> secQuestAnsList = credentialsPolicyType.getQuestionAnswer();
 
         SecurityPolicyType securityPolicy = resolveSecurityPolicy(user);
         LOGGER.trace("Found security policy: {}", securityPolicy);
@@ -363,12 +378,27 @@ private List<SecurityQuestionDto> createUsersSecurityQuestionsList(PrismObject<U
         List<SecurityQuestionDefinitionType> questionList = secQuestionsPolicy != null ? secQuestionsPolicy.getQuestion() : new ArrayList<SecurityQuestionDefinitionType>();
 
         List<SecurityQuestionDto> questionsDto = new ArrayList<SecurityQuestionDto>();
+        int questionNumber = secQuestionsPolicy != null ? secQuestionsPolicy.getQuestionNumber() : 1;
         for (SecurityQuestionDefinitionType question : questionList) {
             if (Boolean.TRUE.equals(question.isEnabled())) {
-                SecurityQuestionDto questionDto = new SecurityQuestionDto(question.getIdentifier());
-                questionDto.setQuestionText(question.getQuestionText());
-                questionsDto.add(questionDto);
+                for (SecurityQuestionAnswerType userAnswer : secQuestAnsList) {
+                    if (question.getIdentifier().equals(userAnswer.getQuestionIdentifier())) {
+                        SecurityQuestionDto questionDto = new SecurityQuestionDto(question.getIdentifier());
+                        questionDto.setQuestionText(question.getQuestionText());
+                        questionsDto.add(questionDto);
+                        break;
+                    }
+                }
             }
+            if (questionNumber == questionsDto.size()) {
+                break;
+            }
+        }
+        if (questionsDto.size() < questionNumber) {
+            String key = "pageForgetPassword.message.ContactAdminQuestionsNotSetEnough";
+            error(getString(key));
+            LOGGER.error(key);
+            throw new RestartResponseException(PageSecurityQuestions.class);
         }
 
         return questionsDto;

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/AuditedLogoutHandler.java

@@ -11,15 +11,23 @@
 import com.evolveum.midpoint.audit.api.AuditEventStage;
 import com.evolveum.midpoint.audit.api.AuditEventType;
 import com.evolveum.midpoint.audit.api.AuditService;
+import com.evolveum.midpoint.gui.api.GuiConstants;
 import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
+import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
+import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
+import com.evolveum.midpoint.model.api.authentication.StateOfModule;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.web.security.filter.MidpointAuthFilter;
 import com.evolveum.midpoint.web.security.util.SecurityUtils;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
@@ -34,16 +42,49 @@
  */
 public class AuditedLogoutHandler extends SimpleUrlLogoutSuccessHandler {
 
+    private static final transient Trace LOGGER = TraceManager.getTrace(AuditedLogoutHandler.class);
+
     @Autowired
     private TaskManager taskManager;
     @Autowired
     private AuditService auditService;
 
+    boolean useDefaultUrl = false;
+
+    private boolean useDefaultUrl() {
+        return useDefaultUrl;
+    }
+
+    @Override
+    public void setDefaultTargetUrl(String defaultTargetUrl) {
+        super.setDefaultTargetUrl(defaultTargetUrl);
+        this.useDefaultUrl = true;
+    }
+
     @Override
     public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
             throws IOException, ServletException {
 
-        super.onLogoutSuccess(request, response, authentication);
+        String targetUrl;
+        if (useDefaultUrl()) {
+            targetUrl = getDefaultTargetUrl();
+        } else {
+            targetUrl = GuiConstants.DEFAULT_PATH_AFTER_LOGOUT;
+        }
+
+        if (authentication instanceof MidpointAuthentication) {
+            MidpointAuthentication mpAuthentication = (MidpointAuthentication) authentication;
+            ModuleAuthentication moduleAuthentication = mpAuthentication.getProcessingModuleAuthentication();
+            if (mpAuthentication.getAuthenticationChannel() != null) {
+                targetUrl = mpAuthentication.getAuthenticationChannel().getPathDuringProccessing();
+            }
+        }
+
+        if (response.isCommitted()) {
+            LOGGER.debug("Response has already been committed. Unable to redirect to " + targetUrl);
+        } else {
+            getRedirectStrategy().sendRedirect(request, response, targetUrl);
+        }
 
         auditEvent(request, authentication);
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java

@@ -6,9 +6,15 @@
  */
 package com.evolveum.midpoint.web.security;
 
+import com.evolveum.midpoint.model.common.SystemObjectCache;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.SystemConfigurationTypeUtil;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter;
 import com.evolveum.midpoint.web.security.filter.MidpointRequestAttributeAuthenticationFilter;
 import com.evolveum.midpoint.web.security.filter.configurers.AuthFilterConfigurer;
@@ -40,7 +46,10 @@
 import org.springframework.security.web.authentication.preauth.RequestAttributeAuthenticationFilter;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.AntPathMatcher;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.UUID;
@@ -54,12 +63,17 @@
 @EnableWebSecurity
 public class BasicWebSecurityConfig extends WebSecurityConfigurerAdapter {
 
+    private static final Trace LOGGER = TraceManager.getTrace(BasicWebSecurityConfig.class);
+
     @Autowired
     private AuthModuleRegistryImpl authRegistry;
 
     @Autowired
     private AuthenticationManager authenticationManager;
 
+    @Autowired
+    private SystemObjectCache systemObjectCache;
+
 //    @Autowired
 //    private AuthenticationProvider midPointAuthenticationProvider;
 
@@ -135,7 +149,27 @@ public void configure(WebSecurity web) throws Exception {
         super.configure(web);
         // Web (SOAP) services
         web.ignoring().antMatchers("/model/**");
-        web.ignoring().antMatchers("/ws/**");
+        web.ignoring().requestMatchers(new RequestMatcher() {
+            @Override
+            public boolean matches(HttpServletRequest httpServletRequest) {
+                AntPathMatcher mather = new AntPathMatcher();
+                boolean isExperimentalEnabled = false;
+                try {
+                    isExperimentalEnabled = SystemConfigurationTypeUtil.isExperimentalCodeEnabled(
+                            systemObjectCache.getSystemConfiguration(new OperationResult("Load System Config")).asObjectable());
+                } catch (SchemaException e) {
+                    LOGGER.error("Coulnd't load system configuration", e);
+                }
+                if (isExperimentalEnabled
+                        && mather.match("/ws/rest/**", httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length()))) {
+                    return false;
+                }
+                if (mather.match("/ws/**", httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length()))) {
+                    return true;
+                }
+                return false;
+            }
+        });
 
         // REST service
         web.ignoring().antMatchers("/rest/**");
@@ -166,19 +200,15 @@ protected void configure(HttpSecurity http) throws Exception {
 
         AnonymousAuthenticationFilter anonymousFilter = new MidpointAnonymousAuthenticationFilter(authRegistry, UUID.randomUUID().toString(), "anonymousUser",
                 AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
-//        http.anonymous().authenticationFilter(anonymousFilter);
 
         http.setSharedObject(AuthenticationTrustResolverImpl.class, new MidpointAuthenticationTrustResolverImpl());
-        http
-                .addFilter(new WebAsyncManagerIntegrationFilter())
+        http.addFilter(new WebAsyncManagerIntegrationFilter())
                 .sessionManagement().and()
-                .securityContext();//.and()
+                .securityContext();
         http.apply(new AuthFilterConfigurer());
 
-//        http.csrf();
 
         http.sessionManagement()
-//                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                 .maximumSessions(-1)
                 .sessionRegistry(sessionRegistry)
                 .maxSessionsPreventsLogin(true);

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/RestAuthenticationEntryPoint.java → gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/HttpAuthenticationEntryPoint.java

@@ -23,7 +23,7 @@
  * @author skublik
  */
 
-public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint{
+public class HttpAuthenticationEntryPoint implements AuthenticationEntryPoint{
 
     @Override
     public void commence(
@@ -52,5 +52,8 @@ public void commence(
             }
         }
         response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+        response.getWriter().write(" test error ");
+        response.getWriter().flush();
+        response.getWriter().close();
     }
 }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SecurityQuestionsAuthenticationEntryPoint.java → gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/HttpSecurityQuestionsAuthenticationEntryPoint.java

@@ -9,17 +9,12 @@
 import com.evolveum.midpoint.model.api.ModelInteractionService;
 import com.evolveum.midpoint.model.api.ModelService;
 import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
-import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
 import com.evolveum.midpoint.model.api.authentication.NameOfModuleType;
-import com.evolveum.midpoint.model.api.context.SecurityQuestionsAuthenticationContext;
-import com.evolveum.midpoint.prism.PrismContainer;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.schema.SearchResultList;
-import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
-import com.evolveum.midpoint.security.api.RestAuthenticationMethod;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
@@ -30,39 +25,28 @@
 import com.evolveum.midpoint.web.security.filter.HttpSecurityQuestionsAuthenticationFilter;
 import com.evolveum.midpoint.web.security.filter.MidpointAuthFilter;
 import com.evolveum.midpoint.web.security.filter.SecurityQuestionsAuthenticationFilter;
-import com.evolveum.midpoint.web.security.util.SecurityQuestionDto;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionAnswerType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionDefinitionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
-import com.fasterxml.jackson.core.JsonFactory;
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.node.ArrayNode;
-import com.fasterxml.jackson.databind.node.MissingNode;
 import com.github.openjson.JSONArray;
 import com.github.openjson.JSONObject;
-import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.AuthenticationEntryPoint;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.core.Response;
 import java.io.IOException;
 import java.util.*;
 
 /**
  * @author skublik
  */
 
-public class SecurityQuestionsAuthenticationEntryPoint extends RestAuthenticationEntryPoint{
+public class HttpSecurityQuestionsAuthenticationEntryPoint extends HttpAuthenticationEntryPoint {
 
     private static final transient Trace LOGGER = TraceManager.getTrace(MidpointAuthFilter.class);
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java

@@ -223,9 +223,12 @@ public void decide(Authentication authentication, Object object, Collection<Conf
         }
         MidPointPrincipal principal = (MidPointPrincipal)principalObject;
 
-
         Task task = taskManager.createTaskInstance(MidPointGuiAuthorizationEvaluator.class.getName() + ".decide");
 
+        decideInternal(principal, requiredActions, authentication, object, task);
+    }
+
+    protected void decideInternal(MidPointPrincipal principal, List<String> requiredActions, Authentication authentication, Object object, Task task) {
 
         AccessDecision decision;
         try {