From 8439d30754eb4d22d2327ffed8b76be5db4d04f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Francesco=20Chicchiricc=C3=B2?=
Date: Mon, 24 Apr 2023 14:00:26 +0200
Subject: [PATCH] Fixing Spring Security 7 deprecations
---
 .../client/console/SecurityConfig.java | 14 +++---
 .../client/enduser/SecurityConfig.java | 14 +++---
 .../spring/security/WebSecurityContext.java | 36 +++++++--------
 .../apache/syncope/sra/SecurityConfig.java | 44 ++++++++++++-------
 .../security/cas/CASSecurityConfigUtils.java | 4 +-
 .../oauth2/OAuth2SecurityConfigUtils.java | 8 ++--
 .../saml2/SAML2SecurityConfigUtils.java | 6 +--
 7 files changed, 72 insertions(+), 54 deletions(-)
diff --git a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SecurityConfig.java b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SecurityConfig.java
index d8c3e59d9d8..73850f58880 100644
--- a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SecurityConfig.java
+++ b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SecurityConfig.java
@@ -22,8 +22,10 @@
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -38,13 +40,13 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
 EndpointRequest.EndpointRequestMatcher actuatorEndpoints = EndpointRequest.toAnyEndpoint();
-
- http.csrf().disable().
- authorizeHttpRequests().
+ http.authorizeHttpRequests(customizer -> customizer.
 requestMatchers(new NegatedRequestMatcher(actuatorEndpoints)).permitAll().
- requestMatchers(actuatorEndpoints).authenticated().
- and().
- httpBasic();
+ requestMatchers(actuatorEndpoints).authenticated());
+
+ http.httpBasic(Customizer.withDefaults());
+ http.csrf(AbstractHttpConfigurer::disable);
+
 return http.build();
 }
diff --git a/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SecurityConfig.java b/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SecurityConfig.java
index ee0cda36807..327ced58c9f 100644
--- a/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SecurityConfig.java
+++ b/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SecurityConfig.java
@@ -22,8 +22,10 @@
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
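Review bot: `http.csrf(AbstractHttpConfigurer::disable);` now stands as its own statement in filterChain, which makes it the natural place for a one-line reason why CSRF protection is off for a chain that also serves HTTP-Basic-protected actuator endpoints; neither the new form nor the old `csrf().disable()` says why. Suggested comment above that line: `// CSRF protection is intentionally not done by Spring Security here; confirm the web framework covers the non-actuator paths and that actuator endpoints are only called by non-browser clients`, adjusted to whatever the actual reason is. The same hunk, with the same omission, appears in the enduser SecurityConfig in the next file section, so the comment belongs in both places.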
@@ -38,13 +40,13 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
 EndpointRequest.EndpointRequestMatcher actuatorEndpoints = EndpointRequest.toAnyEndpoint();
-
- http.csrf().disable().
- authorizeHttpRequests().
+ http.authorizeHttpRequests(customizer -> customizer.
 requestMatchers(new NegatedRequestMatcher(actuatorEndpoints)).permitAll().
- requestMatchers(actuatorEndpoints).authenticated().
- and().
- httpBasic();
+ requestMatchers(actuatorEndpoints).authenticated());
+
+ http.httpBasic(Customizer.withDefaults());
+ http.csrf(AbstractHttpConfigurer::disable);
+
 return http.build();
 }
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java
index 71693cd944d..df004da7ef6 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java
@@ -42,14 +42,13 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
-import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.firewall.DefaultHttpFirewall;
 import org.springframework.security.web.firewall.HttpFirewall;
@@ -76,6 +75,7 @@ public WebSecurityCustomizer webSecurityCustomizer(final HttpFirewall allowUrlEn
 public SecurityFilterChain filterChain(
 final HttpSecurity http,
 final UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider,
+ final AccessDeniedHandler accessDeniedHandler,
 final AuthDataAccessor authDataAccessor,
 final DefaultCredentialChecker defaultCredentialChecker,
 final SecurityProperties securityProperties) throws Exception {
@@ -84,6 +84,7 @@ public SecurityFilterChain filterChain(
 parentAuthenticationManager(null).
 authenticationProvider(usernamePasswordAuthenticationProvider).
 build();
+ http.authenticationManager(authenticationManager);
 SyncopeAuthenticationDetailsSource authenticationDetailsSource = new SyncopeAuthenticationDetailsSource();
@@ -96,10 +97,16 @@ public SecurityFilterChain filterChain(
 securityProperties.getAnonymousUser(),
 AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
 anonymousAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
+ http.anonymous(customizer -> customizer.
+ authenticationProvider(anonymousAuthenticationProvider).
+ authenticationFilter(anonymousAuthenticationFilter));
 SyncopeBasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new SyncopeBasicAuthenticationEntryPoint();
 basicAuthenticationEntryPoint.setRealmName("Apache Syncope authentication");
+ http.httpBasic(customizer -> customizer.
+ authenticationEntryPoint(basicAuthenticationEntryPoint).
+ authenticationDetailsSource(authenticationDetailsSource));
 JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter(
 authenticationManager,
@@ -107,24 +114,17 @@ public SecurityFilterChain filterChain(
 authenticationDetailsSource,
 authDataAccessor,
 defaultCredentialChecker);
+ http.addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class);
 MustChangePasswordFilter mustChangePasswordFilter = new MustChangePasswordFilter();
-
- http.authenticationManager(authenticationManager).
- authorizeHttpRequests().
- requestMatchers("/**").permitAll().and().
- sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
- securityContext().securityContextRepository(new NullSecurityContextRepository()).and().
- anonymous().
- authenticationProvider(anonymousAuthenticationProvider).
- authenticationFilter(anonymousAuthenticationFilter).and().
- httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
- authenticationDetailsSource(authenticationDetailsSource).and().
- exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
- addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class).
- addFilterBefore(mustChangePasswordFilter, AuthorizationFilter.class).
- headers().disable().
- csrf().disable();
+ http.addFilterBefore(mustChangePasswordFilter, AuthorizationFilter.class);
+
+ http.authorizeHttpRequests(customizer -> customizer.requestMatchers("/**").permitAll());
+ http.securityContext(AbstractHttpConfigurer::disable);
+ http.sessionManagement(AbstractHttpConfigurer::disable);
+ http.headers(AbstractHttpConfigurer::disable);
+ http.csrf(AbstractHttpConfigurer::disable);
+ http.exceptionHandling(customizer -> customizer.accessDeniedHandler(accessDeniedHandler));
 return http.build();
 }
diff --git a/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java b/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java
index 878ed14660d..3590bcc0cd0 100644
--- a/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java
+++ b/sra/src/main/java/org/apache/syncope/sra/SecurityConfig.java
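Review bot: `http.securityContext(AbstractHttpConfigurer::disable);` and `http.sessionManagement(AbstractHttpConfigurer::disable);` are not the lambda-DSL spelling of the removed `sessionCreationPolicy(SessionCreationPolicy.STATELESS)` and `securityContextRepository(new NullSecurityContextRepository())` lines: they switch the two configurers off entirely instead of configuring a no-session policy, so this hunk changes runtime behaviour in a commit described as a deprecation fix. Whether BasicAuthenticationFilter, the anonymous filter or JWTAuthenticationFilter then fall back to a context repository that can write to the HTTP session is not visible from the hunk, so it is worth a test asserting that an authenticated request creates no session and leaves no stored SecurityContext behind. If the intent is unchanged, the equivalent is `http.sessionManagement(customizer -> customizer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));` and `http.securityContext(customizer -> customizer.securityContextRepository(new NullSecurityContextRepository()));`, keeping the two imports that the first hunk of this file drops. Either way, a comment stating the chosen semantics, e.g. `// stateless: no HTTP session and no persisted SecurityContext`, would document the decision where the next maintainer will look. filterChain's signature and the start of its body lie in the earlier hunks of this file.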
@@ -54,6 +54,7 @@
 import org.springframework.core.io.FileUrlResource;
 import org.springframework.core.io.support.ResourcePatternResolver;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
@@ -88,21 +89,30 @@ public class SecurityConfig {
 public SecurityWebFilterChain saml2SecurityFilterChain(final ServerHttpSecurity http) {
 ServerWebExchangeMatcher metadataMatcher = ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, SAML2MetadataEndpoint.METADATA_URL);
- return http.securityMatcher(metadataMatcher).
- authorizeExchange().anyExchange().permitAll().
- and().csrf().requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(metadataMatcher)).
- and().build();
+ http.securityMatcher(metadataMatcher);
+
+ http.authorizeExchange(customizer -> customizer.anyExchange().permitAll());
+
+ http.csrf(customizer -> customizer.
+ requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(metadataMatcher)));
+
+ return http.build();
 }
 @Bean
 @Order(1)
 public SecurityWebFilterChain actuatorSecurityFilterChain(final ServerHttpSecurity http) {
 ServerWebExchangeMatcher actuatorMatcher = EndpointRequest.toAnyEndpoint();
- return http.securityMatcher(actuatorMatcher).
- authorizeExchange().anyExchange().authenticated().
- and().httpBasic().
- and().csrf().requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(actuatorMatcher)).
- and().build();
+ http.securityMatcher(actuatorMatcher);
+
+ http.authorizeExchange(customizer -> customizer.anyExchange().authenticated());
+
+ http.httpBasic(Customizer.withDefaults());
+
+ http.csrf(customizer -> customizer.
+ requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(actuatorMatcher)));
+
+ return http.build();
 }
 @Bean
@@ -298,21 +308,22 @@ public SecurityWebFilterChain routesSecurityFilterChain(
 final CsrfRouteMatcher csrfRouteMatcher,
 final ConfigurableApplicationContext ctx) {
- ServerHttpSecurity.AuthorizeExchangeSpec builder = http.authorizeExchange().
+ http.authorizeExchange(customizer -> customizer.
 matchers(publicRouteMatcher).permitAll().
- anyExchange().authenticated();
+ anyExchange().authenticated());
 switch (props.getAmType()) {
 case OIDC, OAUTH2 -> {
 OAuth2SecurityConfigUtils.forLogin(http, props.getAmType(), ctx);
- OAuth2SecurityConfigUtils.forLogout(builder, props.getAmType(), cacheManager, logoutRouteMatcher, ctx);
- http.oauth2ResourceServer().jwt().jwtDecoder(ctx.getBean(ReactiveJwtDecoder.class));
+ OAuth2SecurityConfigUtils.forLogout(http, props.getAmType(), cacheManager, logoutRouteMatcher, ctx);
+ http.oauth2ResourceServer(customizer -> customizer.jwt(
+ c -> c.jwtDecoder(ctx.getBean(ReactiveJwtDecoder.class))));
 }
 case SAML2 -> saml2Client.ifAvailable(client -> {
 SAML2SecurityConfigUtils.forLogin(http, client, publicRouteMatcher);
- SAML2SecurityConfigUtils.forLogout(builder, client, cacheManager, logoutRouteMatcher, ctx);
+ SAML2SecurityConfigUtils.forLogout(http, client, cacheManager, logoutRouteMatcher, ctx);
 });
 case CAS -> {
@@ -322,7 +333,7 @@ public SecurityWebFilterChain routesSecurityFilterChain(
 props.getCas().getServerPrefix(),
 publicRouteMatcher);
 CASSecurityConfigUtils.forLogout(
- builder,
+ http,
 cacheManager,
 props.getCas().getServerPrefix(),
 logoutRouteMatcher,
@@ -333,6 +344,7 @@ public SecurityWebFilterChain routesSecurityFilterChain(
 }
 }
- return builder.and().csrf().requireCsrfProtectionMatcher(csrfRouteMatcher).and().build();
+ http.csrf(customizer -> customizer.requireCsrfProtectionMatcher(csrfRouteMatcher));
+ return http.build();
 }
 }
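Review bot: the inner lambda in `http.oauth2ResourceServer(customizer -> customizer.jwt(c -> c.jwtDecoder(ctx.getBean(ReactiveJwtDecoder.class))));` names its parameter `c` while every other customizer lambda in this patch is named `customizer`; naming it after the spec it configures, `jwt -> jwt.jwtDecoder(ctx.getBean(ReactiveJwtDecoder.class))`, keeps the convention and reads better than a one-letter name nested inside `customizer`. The earlier parameters of routesSecurityFilterChain and the remainder of the switch (between the CAS case and the closing braces) lie outside these hunks, so the remark covers only the visible cases.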
diff --git a/sra/src/main/java/org/apache/syncope/sra/security/cas/CASSecurityConfigUtils.java b/sra/src/main/java/org/apache/syncope/sra/security/cas/CASSecurityConfigUtils.java
index 6a478764359..7d47e60c442 100644
--- a/sra/src/main/java/org/apache/syncope/sra/security/cas/CASSecurityConfigUtils.java
+++ b/sra/src/main/java/org/apache/syncope/sra/security/cas/CASSecurityConfigUtils.java
@@ -67,7 +67,7 @@ public static void forLogin(
 }
 public static void forLogout(
- final ServerHttpSecurity.AuthorizeExchangeSpec builder,
+ final ServerHttpSecurity http,
 final CacheManager cacheManager,
 final String casServerUrlPrefix,
 final LogoutRouteMatcher logoutRouteMatcher,
@@ -87,7 +87,7 @@ public static void forLogout(
 LOG.error("While creating instance of {}", CASServerLogoutSuccessHandler.class.getName(), e);
 }
- builder.and().addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
+ http.addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
 }
 private CASSecurityConfigUtils() {
diff --git a/sra/src/main/java/org/apache/syncope/sra/security/oauth2/OAuth2SecurityConfigUtils.java b/sra/src/main/java/org/apache/syncope/sra/security/oauth2/OAuth2SecurityConfigUtils.java
index 8a9c78890a2..d31d8a9edd2 100644
--- a/sra/src/main/java/org/apache/syncope/sra/security/oauth2/OAuth2SecurityConfigUtils.java
+++ b/sra/src/main/java/org/apache/syncope/sra/security/oauth2/OAuth2SecurityConfigUtils.java
@@ -107,11 +107,12 @@ public static void forLogin(
 htmlMatcher.setIgnoredMediaTypes(Set.of(MediaType.ALL));
 ServerAuthenticationEntryPoint entrypoint = new RedirectServerAuthenticationEntryPoint("/oauth2/authorization/" + amType.name());
- http.exceptionHandling().authenticationEntryPoint(new DelegateEntry(htmlMatcher, entrypoint).getEntryPoint());
+ http.exceptionHandling(customizer -> customizer.authenticationEntryPoint(
+ new DelegateEntry(htmlMatcher, entrypoint).getEntryPoint()));
 }
 public static void forLogout(
- final ServerHttpSecurity.AuthorizeExchangeSpec builder,
+ final ServerHttpSecurity http,
 final SRAProperties.AMType amType,
 final CacheManager cacheManager,
 final LogoutRouteMatcher logoutRouteMatcher,
@@ -134,7 +135,8 @@ public static void forLogout(
 }
 }
- builder.and().logout().disable().addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
+ http.logout(customizer -> customizer.disable());
+ http.addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
 }
 private OAuth2SecurityConfigUtils() {
diff --git a/sra/src/main/java/org/apache/syncope/sra/security/saml2/SAML2SecurityConfigUtils.java b/sra/src/main/java/org/apache/syncope/sra/security/saml2/SAML2SecurityConfigUtils.java
index 21b8923e8d6..95e2074467e 100644
--- a/sra/src/main/java/org/apache/syncope/sra/security/saml2/SAML2SecurityConfigUtils.java
+++ b/sra/src/main/java/org/apache/syncope/sra/security/saml2/SAML2SecurityConfigUtils.java
@@ -66,7 +66,7 @@ public static void forLogin(
 }
 public static void forLogout(
- final ServerHttpSecurity.AuthorizeExchangeSpec builder,
+ final ServerHttpSecurity http,
 final SAML2Client saml2Client,
 final CacheManager cacheManager,
 final LogoutRouteMatcher logoutRouteMatcher,
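Review bot: `http.logout(customizer -> customizer.disable());` in OAuth2SecurityConfigUtils.forLogout can be the method reference `http.logout(ServerHttpSecurity.LogoutSpec::disable);`, which matches the `AbstractHttpConfigurer::disable` form the servlet-side configs in this patch use and drops the unused lambda name. The old one-liner also made it obvious that `logoutWebFilter` is registered in place of Spring's own logout handling; now that these are two statements, a comment above them such as `// Spring's logout support is switched off; logoutWebFilter takes the LOGOUT position instead` keeps that intent visible. forLogout's body, including how logoutWebFilter is built, begins before this hunk.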
@@ -85,12 +85,12 @@ public static void forLogout(
 SAML2LogoutResponseWebFilter logoutResponseWebFilter = new SAML2LogoutResponseWebFilter(saml2Client, logoutSuccessHandler);
- builder.and().addFilterAt(logoutResponseWebFilter, SecurityWebFiltersOrder.LOGOUT);
+ http.addFilterAt(logoutResponseWebFilter, SecurityWebFiltersOrder.LOGOUT);
 } catch (ClassNotFoundException e) {
 LOG.error("While creating instance of {}", SAML2ServerLogoutSuccessHandler.class.getName(), e);
 }
- builder.and().addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
+ http.addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
 }
 private SAML2SecurityConfigUtils() {
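Review bot: after this hunk both `logoutResponseWebFilter` (inside the try) and `logoutWebFilter` are added with `http.addFilterAt(..., SecurityWebFiltersOrder.LOGOUT)`, i.e. at the same ordering slot, and the code gives no hint whether their relative order matters or which one is expected to see a request first. A short comment above the second call, e.g. `// both filters sit at the LOGOUT position; presumably registration order decides which runs first — confirm`, would make that dependency explicit for the next maintainer. The try block opens, and forLogout starts, before this hunk.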