From e45a46377f4ed6367e29a2b568e12ec67df7093e Mon Sep 17 00:00:00 2001 From: Dennis Crissman Date: Fri, 15 Dec 2017 08:48:17 -0500 Subject: [PATCH 01/19] fix test packages --- .../redhat => org/esbtools}/auth/CachedRolesProviderTest.java | 2 +- .../esbtools}/auth/ldap/LdapRoleProviderIntegrationTest.java | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename src/test/java/{com/redhat => org/esbtools}/auth/CachedRolesProviderTest.java (99%) rename src/test/java/{com/redhat => org/esbtools}/auth/ldap/LdapRoleProviderIntegrationTest.java (100%) diff --git a/src/test/java/com/redhat/auth/CachedRolesProviderTest.java b/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java similarity index 99% rename from src/test/java/com/redhat/auth/CachedRolesProviderTest.java rename to src/test/java/org/esbtools/auth/CachedRolesProviderTest.java index 6caf956..8ca9b30 100644 --- a/src/test/java/com/redhat/auth/CachedRolesProviderTest.java +++ b/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java @@ -16,7 +16,7 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . */ -package com.redhat.auth; +package org.esbtools.auth; import org.esbtools.auth.util.CachedRolesProvider; import org.esbtools.auth.util.RolesCache; diff --git a/src/test/java/com/redhat/auth/ldap/LdapRoleProviderIntegrationTest.java b/src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java similarity index 100% rename from src/test/java/com/redhat/auth/ldap/LdapRoleProviderIntegrationTest.java rename to src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java From 5f1593e6491011b79c08e928a387ee33b60fb263 Mon Sep 17 00:00:00 2001 
From: Dennis Crissman Date: Fri, 15 Dec 2017 09:05:45 -0500 Subject: [PATCH 02/19] move over spring classes --- pom.xml | 6 + ...ertEnvironmentAuthenticationException.java | 17 +++ .../CertEnvironmentVerificationFilter.java | 111 ++++++++++++++++++ .../auth/spring/LdapUserDetailsService.java | 67 +++++++++++ 4 files changed, 201 insertions(+) create mode 100644 src/main/java/org/esbtools/auth/spring/CertEnvironmentAuthenticationException.java create mode 100644 src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java create mode 100644 src/main/java/org/esbtools/auth/spring/LdapUserDetailsService.java diff --git a/pom.xml b/pom.xml index 8c57f3b..9e8f715 100644 --- a/pom.xml +++ b/pom.xml @@ -90,6 +90,12 @@ unboundid-ldapsdk 3.1.1 + + org.springframework.security + spring-security-web + 4.2.3.RELEASE + true + junit junit diff --git a/src/main/java/org/esbtools/auth/spring/CertEnvironmentAuthenticationException.java b/src/main/java/org/esbtools/auth/spring/CertEnvironmentAuthenticationException.java new file mode 100644 index 0000000..fb59e31 --- /dev/null +++ b/src/main/java/org/esbtools/auth/spring/CertEnvironmentAuthenticationException.java @@ -0,0 +1,17 @@ +package org.esbtools.auth.spring; + +import org.springframework.security.core.AuthenticationException; + +public class CertEnvironmentAuthenticationException extends AuthenticationException { + + private static final long serialVersionUID = -1102864286332227011L; + + public CertEnvironmentAuthenticationException(String msg) { + super(msg); + } + + public CertEnvironmentAuthenticationException(String msg, Throwable t) { + super(msg, t); + } + +} diff --git a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java new file mode 100644 index 0000000..bcd4ecb --- /dev/null +++ b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java 
@@ -0,0 +1,111 @@ +package org.esbtools.auth.spring; + +import java.io.IOException; +import java.security.cert.X509Certificate; + +import javax.annotation.Nullable; +import javax.naming.NamingException; +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.web.WebAttributes; +import org.springframework.web.filter.OncePerRequestFilter; + +public class CertEnvironmentVerificationFilter extends OncePerRequestFilter { + + private static final Logger LOGGER = LoggerFactory.getLogger(CertEnvironmentVerificationFilter.class); + + public static final String LOCATION = "l"; + + private final String environment; + + public CertEnvironmentVerificationFilter(@Nullable String environment) { + this.environment = environment; + + LOGGER.info("Cert Environment: " + ((environment == null) ? 
"Not Set" : environment)); + } + + @Override + public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { + if (null != environment) { + LOGGER.debug("Attempting Environment Cert verification"); + X509Certificate certChain[] = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); + + String dn = certChain[0].getSubjectDN().getName(); + + if ((null != certChain) && (certChain.length > 0)) { + LOGGER.debug("Verifying environment on cert"); + if(!validateEnvironment(dn)) { + unsuccessfulAuthentication(request, response, + new CertEnvironmentAuthenticationException( + "Location from certificate does not match configured environment")); + return; //end the chain + } + } + else { + LOGGER.debug("Cert not found. Skipping Environment Cert verification."); + } + } + else { + LOGGER.debug("No environment configured. Skipping Environment Cert verification."); + } + + chain.doFilter(request, response); + } + + private boolean validateEnvironment(String certificatePrincipal) { + if (StringUtils.isNotBlank(environment)) { + try { + String location = getLDAPAttribute(certificatePrincipal, LOCATION); + + if (!StringUtils.equalsIgnoreCase(environment, location)) { + return false; + } + } catch (NamingException e) { + return false; + } + } + + return true; + } + + private String getLDAPAttribute(String certificatePrincipal, String searchAttribute) throws NamingException { + String searchName = new String(); + LdapName name = new LdapName(certificatePrincipal); + for (Rdn rdn : name.getRdns()) { + if (rdn.getType().equalsIgnoreCase(searchAttribute)) { + searchName = (String) rdn.getValue(); + break; + } + } + return searchName; + } + + /** + * Ensures the authentication object in the secure context is set to null when + * authentication fails. + *

+ * Caches the failure exception as a request attribute + */ + protected void unsuccessfulAuthentication(HttpServletRequest request, + HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException { + SecurityContextHolder.clearContext(); + + if (LOGGER.isDebugEnabled()) { + LOGGER.debug("Cleared security context due to exception", failed); + } + request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, failed); + + response.sendError(HttpServletResponse.SC_UNAUTHORIZED, failed.getMessage()); + } + +} diff --git a/src/main/java/org/esbtools/auth/spring/LdapUserDetailsService.java b/src/main/java/org/esbtools/auth/spring/LdapUserDetailsService.java new file mode 100644 index 0000000..f740bb9 --- /dev/null +++ b/src/main/java/org/esbtools/auth/spring/LdapUserDetailsService.java 
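Review bot: `String dn = certChain[0].getSubjectDN().getName();` in doFilterInternal dereferences the certificate array before the `(null != certChain) && (certChain.length > 0)` guard that follows it, so a request reaching this filter without a client certificate fails with a NullPointerException instead of taking the "Cert not found" branch; move the assignment inside the guarded block, `if ((null != certChain) && (certChain.length > 0)) { String dn = certChain[0].getSubjectDN().getName(); ...`. The same ordering is still in place after the patch-03 and patch-04 edits to this file, which only touch the validation call below it. `getSubjectDN()` is also the denigrated API; `getSubjectX500Principal().getName()` yields the RFC 2253 form that `LdapName` expects. Note as well that validateEnvironment returns false for any NamingException, so a malformed subject DN is reported to the client with the "does not match configured environment" message rather than as a parse problem.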
@@ -0,0 +1,67 @@ +package org.esbtools.auth.spring; + +import java.util.stream.Collectors; + +import org.esbtools.auth.ldap.LdapConfiguration; +import org.esbtools.auth.ldap.LdapRolesProvider; +import org.esbtools.auth.util.CachedRolesProvider; +import org.esbtools.auth.util.RolesCache; +import org.esbtools.auth.util.RolesProvider; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.AuthenticationUserDetailsService; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; + +public class LdapUserDetailsService implements UserDetailsService, AuthenticationUserDetailsService { + + private static final Logger LOGGER = LoggerFactory.getLogger(LdapUserDetailsService.class); + + private final RolesProvider rolesProvider; + + public LdapUserDetailsService(String searchBase, LdapConfiguration ldapConfiguration, int rolesCacheExpiryMS) throws Exception { + this(new LdapRolesProvider(searchBase, ldapConfiguration), rolesCacheExpiryMS); + } + + public LdapUserDetailsService(String searchBase, LdapConfiguration ldapConfiguration) throws Exception { + this(new LdapRolesProvider(searchBase, ldapConfiguration)); + } + + public LdapUserDetailsService(LdapRolesProvider rolesProvider, int rolesCacheExpiryMS) { + this(new CachedRolesProvider(rolesProvider, new RolesCache(rolesCacheExpiryMS))); + } + + public LdapUserDetailsService(RolesProvider rolesProvider) { + this.rolesProvider = rolesProvider; + } + + @Override + public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws UsernameNotFoundException { 
+ return loadUserByUsername(token.getName()); + } + + @Override + public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { + LOGGER.debug("Using LdapUserDetailsService with principal: " + username); + + try { + return new User( + username, + "no-password", + rolesProvider.getUserRoles(username).stream() + .map(n -> new SimpleGrantedAuthority(n)) + .collect(Collectors.toList()) + ); + } + catch (Exception e) { + LOGGER.error("Unable to check ldap for unknown reason.", e); + + throw new UsernameNotFoundException(username + " could not be authorized"); + } + } + +} From 3f4b62c04e55d80404a72265f7ddbee3eb245278 Mon Sep 17 00:00:00 2001 From: Dennis Crissman Date: Fri, 15 Dec 2017 10:54:44 -0500 Subject: [PATCH 03/19] refactor out comon environment logic --- .../auth/jboss/CertLdapLoginModule.java | 97 ++++-------------- .../CertEnvironmentVerificationFilter.java | 51 ++-------- .../esbtools/auth/util/EnvironmentUtils.java | 99 +++++++++++++++++++ .../auth/util/EnvironmentUtilsTest.java | 93 +++++++++++++++++ 4 files changed, 221 insertions(+), 119 deletions(-) create mode 100644 src/main/java/org/esbtools/auth/util/EnvironmentUtils.java create mode 100644 src/test/java/org/esbtools/auth/util/EnvironmentUtilsTest.java diff --git a/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java b/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java index bb61437..079947d 100644 --- a/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java +++ b/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java 
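Review bot: The `catch (Exception e)` in loadUserByUsername rethrows `new UsernameNotFoundException(username + " could not be authorized")` without the cause, so the LDAP failure that was just logged is lost from the exception chain and every backend problem is reported to Spring Security as an unknown user; pass it through, `throw new UsernameNotFoundException(username + " could not be authorized", e);`. Because a roles-lookup failure is conflated with a missing user, a transient LDAP outage will surface to callers as a credentials problem; whether that is intended should be stated in the method Javadoc. The `"no-password"` literal handed to `User` deserves a comment explaining that the principal is pre-authenticated by certificate and the password field is never consulted. The constructors declaring `throws Exception` also widen the API beyond what `LdapRolesProvider` presumably throws; narrowing them to the concrete checked type would help callers.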
@@ -18,31 +18,28 @@ */ package org.esbtools.auth.jboss; +import java.security.Principal; +import java.security.acl.Group; +import java.util.Arrays; +import java.util.Collection; +import java.util.Map; + +import javax.security.auth.Subject; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.login.LoginException; + +import org.apache.commons.lang.StringUtils; import org.esbtools.auth.ldap.LdapConfiguration; import org.esbtools.auth.ldap.LdapRolesProvider; import org.esbtools.auth.util.CachedRolesProvider; +import org.esbtools.auth.util.EnvironmentUtils; import org.esbtools.auth.util.RolesCache; import org.esbtools.auth.util.RolesProvider; -import org.apache.commons.lang.StringUtils; import org.jboss.security.SimpleGroup; import org.jboss.security.auth.spi.BaseCertLoginModule; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.naming.NamingException; -import javax.naming.directory.NoSuchAttributeException; -import javax.naming.ldap.LdapName; -import javax.naming.ldap.Rdn; -import javax.security.auth.Subject; -import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.login.LoginException; -import java.security.Principal; -import java.security.acl.Group; -import java.util.Arrays; -import java.util.Collection; -import java.util.List; -import java.util.Map; - public class CertLdapLoginModule extends BaseCertLoginModule { private final Logger LOGGER = LoggerFactory.getLogger(CertLdapLoginModule.class); @@ -75,14 +72,8 @@ public class CertLdapLoginModule extends BaseCertLoginModule { public static final String UID = "uid"; public static final String CN = "cn"; - public static final String LOCATION = "l"; - public static final String OU = "ou"; - - public static final String ENVIRONMENT_SEPARATOR= ","; - - private static String environment; - private static String allAccessOu; + private static volatile EnvironmentUtils envUtils; private static volatile RolesProvider rolesProvider = null; @Override 
@@ -97,8 +88,9 @@ public void initializeRolesProvider() throws Exception { if (rolesProvider == null) { synchronized(LdapRolesProvider.class) { if (rolesProvider == null) { - environment = (String) options.get(ENVIRONMENT); - allAccessOu = (String) options.get(ALL_ACCESS_OU); + String environment = (String) options.get(ENVIRONMENT); + String allAccessOu = (String) options.get(ALL_ACCESS_OU); + envUtils = new EnvironmentUtils(environment, allAccessOu); LdapConfiguration ldapConf = new LdapConfiguration(); ldapConf.server((String) options.get(SERVER)); @@ -160,13 +152,13 @@ protected Group[] getRoleSets() throws LoginException { LOGGER.debug("Certificate principal:" + certPrincipal); //first try getting search name from uid in certificate principle (new certificates) - String searchName = getLDAPAttribute(certPrincipal, UID); + String searchName = envUtils.getLDAPAttribute(certPrincipal, UID); if(StringUtils.isNotBlank(searchName)) { //only try to validate environment if it is a certificate that contains uid - validateEnvironment(certPrincipal); + envUtils.validateEnvironment(certPrincipal); } else { // fallback to getting search name from cn in certificate principle (legacy certificates) - searchName = getLDAPAttribute(certPrincipal, CN); + searchName = envUtils.getLDAPAttribute(certPrincipal, CN); } Collection groupNames = rolesProvider.getUserRoles(searchName); 
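Review bot: `envUtils = new EnvironmentUtils(environment, allAccessOu);` in initializeRolesProvider now constructs the helper eagerly, and EnvironmentUtils rejects a null environment, so a module configured without the `ENVIRONMENT` option fails at initialization where previously the static field stayed null until a uid-bearing certificate triggered validation; if that stricter behaviour is intended, state it in the option documentation, otherwise guard the construction as the Spring filter in this series does. The `envUtils` field is assigned inside the `rolesProvider == null` double-check, so `getRoleSets` in the second hunk assumes initializeRolesProvider has completed; a short comment on the field, `// initialised together with rolesProvider under the LdapRolesProvider.class lock`, would make that coupling visible. initializeRolesProvider and getRoleSets both start and end outside these hunks.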
@@ -193,55 +185,4 @@ protected Group[] getRoleSets() throws LoginException { return roleSets; } - private void validateEnvironment(String certificatePrincipal) throws NamingException { - - String ou = getLDAPAttribute(certificatePrincipal, OU); - LOGGER.debug("OU from certificate: ", ou); - String location = getLDAPAttribute(certificatePrincipal, LOCATION); - LOGGER.debug("Location from certificate: ", location); - - if(StringUtils.isBlank(ou)) { - throw new NoSuchAttributeException("No ou in dn, you may need to update your certificate: " + certificatePrincipal); - } else { - if(allAccessOu.equalsIgnoreCase(StringUtils.replace(ou, " ", ""))){ - LOGGER.debug("Skipping environment validation, user ou matches {} ", allAccessOu); - } else { - //if dn not from allAccessOu, verify the location (l) field - //in the cert matches the configured environment - if(StringUtils.isBlank(location)) { - throw new NoSuchAttributeException("No location in dn, you may need to update your certificate: " + certificatePrincipal); - } else if(!locationMatchesEnvironment(location)){ - throw new NoSuchAttributeException("Invalid location from dn, expected " + environment + " but found l=" + location); - } - } - } - } - - private String getLDAPAttribute(String certificatePrincipal, String searchAttribute) throws NamingException { - String searchName = new String(); - LdapName name = new LdapName(certificatePrincipal); - for (Rdn rdn : name.getRdns()) { - if (rdn.getType().equalsIgnoreCase(searchAttribute)) { - searchName = (String) rdn.getValue(); - break; - } - } - return searchName; - } - - private boolean locationMatchesEnvironment(String location) { - List environments; - if(environment.contains(ENVIRONMENT_SEPARATOR)) { - environments = Arrays.asList(environment.split(ENVIRONMENT_SEPARATOR)); - - } else { - environments = Arrays.asList(new String[] {environment}); - } - for(String environment : environments) { - if(environment.equalsIgnoreCase(location)) { - return true; - } - } - 
return false; - } } diff --git a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java index bcd4ecb..ecfe553 100644 --- a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java +++ b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java @@ -3,16 +3,13 @@ import java.io.IOException; import java.security.cert.X509Certificate; -import javax.annotation.Nullable; import javax.naming.NamingException; -import javax.naming.ldap.LdapName; -import javax.naming.ldap.Rdn; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.commons.lang3.StringUtils; +import org.esbtools.auth.util.EnvironmentUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.core.AuthenticationException; 
@@ -24,19 +21,17 @@ public class CertEnvironmentVerificationFilter extends OncePerRequestFilter { private static final Logger LOGGER = LoggerFactory.getLogger(CertEnvironmentVerificationFilter.class); - public static final String LOCATION = "l"; + private final EnvironmentUtils envUtils; - private final String environment; - - public CertEnvironmentVerificationFilter(@Nullable String environment) { - this.environment = environment; + public CertEnvironmentVerificationFilter(String environment) { + envUtils = (null == environment) ? null : new EnvironmentUtils(environment); LOGGER.info("Cert Environment: " + ((environment == null) ? "Not Set" : environment)); } @Override public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { - if (null != environment) { + if (null != envUtils) { LOGGER.debug("Attempting Environment Cert verification"); X509Certificate certChain[] = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); @@ -44,10 +39,12 @@ public void doFilterInternal(HttpServletRequest request, HttpServletResponse res if ((null != certChain) && (certChain.length > 0)) { LOGGER.debug("Verifying environment on cert"); - if(!validateEnvironment(dn)) { + try { + envUtils.validateEnvironment(dn); + } + catch (NamingException e) { unsuccessfulAuthentication(request, response, - new CertEnvironmentAuthenticationException( - "Location from certificate does not match configured environment")); + new CertEnvironmentAuthenticationException(e.getMessage())); return; //end the chain } } 
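Review bot: `new CertEnvironmentAuthenticationException(e.getMessage())` in the second hunk discards the NamingException although the two-argument constructor added in patch 02 exists for exactly this; use `new CertEnvironmentAuthenticationException(e.getMessage(), e)` so the cause survives into the `WebAttributes.AUTHENTICATION_EXCEPTION` attribute and the debug log in unsuccessfulAuthentication. The switch from the local boolean check to `envUtils.validateEnvironment(dn)` also tightens what this filter enforces: EnvironmentUtils throws NoSuchAttributeException when the subject has no `ou`, so certificates that previously passed on a matching `l` alone are now rejected, and with the single-argument constructor no all-access OU is configured; that change in policy deserves a sentence in the class Javadoc. Because unsuccessfulAuthentication forwards `failed.getMessage()` to `response.sendError`, the message built by EnvironmentUtils, which names the configured environment list, is now returned in the 401 body; consider a fixed client-facing message and keeping the detail in the log. doFilterInternal continues outside the hunk.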
@@ -62,34 +59,6 @@ public void doFilterInternal(HttpServletRequest request, HttpServletResponse res chain.doFilter(request, response); } - private boolean validateEnvironment(String certificatePrincipal) { - if (StringUtils.isNotBlank(environment)) { - try { - String location = getLDAPAttribute(certificatePrincipal, LOCATION); - - if (!StringUtils.equalsIgnoreCase(environment, location)) { - return false; - } - } catch (NamingException e) { - return false; - } - } - - return true; - } - - private String getLDAPAttribute(String certificatePrincipal, String searchAttribute) throws NamingException { - String searchName = new String(); - LdapName name = new LdapName(certificatePrincipal); - for (Rdn rdn : name.getRdns()) { - if (rdn.getType().equalsIgnoreCase(searchAttribute)) { - searchName = (String) rdn.getValue(); - break; - } - } - return searchName; - } - /** * Ensures the authentication object in the secure context is set to null when * authentication fails. diff --git a/src/main/java/org/esbtools/auth/util/EnvironmentUtils.java b/src/main/java/org/esbtools/auth/util/EnvironmentUtils.java new file mode 100644 index 0000000..b7deda0 --- /dev/null +++ b/src/main/java/org/esbtools/auth/util/EnvironmentUtils.java 
@@ -0,0 +1,99 @@ +package org.esbtools.auth.util; + +import java.util.Arrays; +import java.util.List; + +import javax.naming.NamingException; +import javax.naming.directory.NoSuchAttributeException; +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; + +import org.apache.commons.lang.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class EnvironmentUtils { + + private final Logger LOGGER = LoggerFactory.getLogger(EnvironmentUtils.class); + + public static final String ENVIRONMENT_SEPARATOR = ","; + public static final String LOCATION = "l"; + public static final String OU = "ou"; + + private final String environment; + private final String allAccessOu; + + public String getEnvironment() { + return environment; + } + + public String getAllAccessOu() { + return allAccessOu; + } + + public EnvironmentUtils(String environment) { + this(environment, null); + } + + public EnvironmentUtils(String environment, String allAccessOu) { + if (environment == null) { + throw new NullPointerException("environment cannot be null"); + } + + this.environment = environment; + this.allAccessOu = allAccessOu; + } + + public void validateEnvironment(String certificatePrincipal) throws NamingException { + + String ou = getLDAPAttribute(certificatePrincipal, OU); + LOGGER.debug("OU from certificate: ", ou); + String location = getLDAPAttribute(certificatePrincipal, LOCATION); + LOGGER.debug("Location from certificate: ", location); + + if(StringUtils.isBlank(ou)) { + throw new NoSuchAttributeException("No ou in dn, you may need to update your certificate: " + certificatePrincipal); + } else { + if(getAllAccessOu() != null && getAllAccessOu().equalsIgnoreCase(StringUtils.replace(ou, " ", ""))){ + LOGGER.debug("Skipping environment validation, user ou matches {} ", getAllAccessOu()); + } else { + //if dn not from allAccessOu, verify the location (l) field + //in the cert matches the configured environment + if(StringUtils.isBlank(location)) { + 
throw new NoSuchAttributeException("No location in dn, you may need to update your certificate: " + certificatePrincipal); + } else if(!locationMatchesEnvironment(location)){ + throw new NoSuchAttributeException("Invalid location from dn, expected " + getEnvironment() + " but found l=" + location); + } + } + } + } + + public String getLDAPAttribute(String certificatePrincipal, String searchAttribute) throws NamingException { + String searchName = new String(); + LdapName name = new LdapName(certificatePrincipal); + for (Rdn rdn : name.getRdns()) { + if (rdn.getType().equalsIgnoreCase(searchAttribute)) { + searchName = (String) rdn.getValue(); + break; + } + } + return searchName; + } + + public boolean locationMatchesEnvironment(String location) { + List environments; + if(getEnvironment().contains(ENVIRONMENT_SEPARATOR)) { + environments = Arrays.asList(getEnvironment().split(ENVIRONMENT_SEPARATOR)); + + } else { + environments = Arrays.asList(new String[] {getEnvironment()}); + } + for(String environment : environments) { + if(environment.equalsIgnoreCase(location)) { + return true; + } + } + return false; + } + +} diff --git a/src/test/java/org/esbtools/auth/util/EnvironmentUtilsTest.java b/src/test/java/org/esbtools/auth/util/EnvironmentUtilsTest.java new file mode 100644 index 0000000..4368ee4 --- /dev/null +++ b/src/test/java/org/esbtools/auth/util/EnvironmentUtilsTest.java 
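Review bot: `LOGGER.debug("OU from certificate: ", ou)` and the matching Location line in validateEnvironment have no `{}` placeholder, so SLF4J never renders the argument and the debug output is only the fixed prefix; change them to `LOGGER.debug("OU from certificate: {}", ou)` and `LOGGER.debug("Location from certificate: {}", location)`. In getLDAPAttribute, `(String) rdn.getValue()` assumes a string-valued RDN, but `Rdn.getValue()` returns a `byte[]` for hex-encoded (`#...`) attribute values, and the subject DN comes from a client-presented certificate, so a non-string value turns the declared NamingException path into a ClassCastException; checking `instanceof String` (or using `Rdn.escapeValue`) before the cast keeps the failure within the declared exception type. locationMatchesEnvironment splits on `,` without trimming, so a configured `"dev, prod"` would not match `prod`; the `contains` branch is also redundant since `split` on a string without the separator already yields a single element. The all-access OU comparison strips spaces from the certificate `ou` but not from `allAccessOu`; a comment stating that the configured value is expected without spaces would avoid surprises.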
@@ -0,0 +1,93 @@ +package org.esbtools.auth.util; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import javax.naming.NamingException; +import javax.naming.directory.NoSuchAttributeException; + +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.ExpectedException; + +public class EnvironmentUtilsTest { + + @Rule + public ExpectedException expectedEx = ExpectedException.none(); + + @Test(expected = NullPointerException.class) + public void testValidateEnvironment_NullEnvironment() throws Exception { + new EnvironmentUtils(null); + } + + @Test + public void testValidateEnvironment_ValidLocation() throws Exception { + new EnvironmentUtils("dev") + .validateEnvironment("ou=someuser,l=dev"); + } + + @Test + public void testValidateEnvironment_AllAccessOU() throws Exception { + new EnvironmentUtils("dev", "allaccessou") + .validateEnvironment("ou=allaccessou,l=notdev"); + } + + @Test + public void testValidateEnvironment_MissingOU() throws Exception { + expectedEx.expect(NoSuchAttributeException.class); + expectedEx.expectMessage("No ou in dn, you may need to update your certificate: l=dev"); + + new EnvironmentUtils("dev") + .validateEnvironment("l=dev"); + } + + @Test + public void testValidateEnvironment_MissingLocation() throws Exception { + expectedEx.expect(NoSuchAttributeException.class); + expectedEx.expectMessage("No location in dn, you may need to update your certificate: ou=someuser"); + + new EnvironmentUtils("dev") + .validateEnvironment("ou=someuser"); + } + + @Test + public void testValidateEnvironment_InvalidLocation() throws Exception { + expectedEx.expect(NoSuchAttributeException.class); + expectedEx.expectMessage("Invalid location from dn, expected dev but found l=notdev"); + + new EnvironmentUtils("dev") + .validateEnvironment("ou=someuser,l=notdev"); + } + + @Test + public void testGetLDAPAttribute() throws NamingException { + 
assertEquals("testuser", new EnvironmentUtils("dev").getLDAPAttribute("ou=testuser,l=dev", "ou")); + } + + @Test + public void testGetLDAPAttribute_NotFound() throws NamingException { + assertEquals("", new EnvironmentUtils("dev").getLDAPAttribute("ou=testuser,l=dev", "cn")); + } + + @Test + public void testLocationMatchesEnvironment_SingleEnvironment_True() { + assertTrue(new EnvironmentUtils("dev").locationMatchesEnvironment("dev")); + } + + @Test + public void testLocationMatchesEnvironment_SingleEnvironment_False() { + assertFalse(new EnvironmentUtils("dev").locationMatchesEnvironment("notdev")); + } + + @Test + public void testLocationMatchesEnvironment_MultipleEnvironment_True() { + assertTrue(new EnvironmentUtils("someenv,dev,anotherenv").locationMatchesEnvironment("dev")); + } + + @Test + public void testLocationMatchesEnvironment_MultipleEnvironment_False() { + assertFalse(new EnvironmentUtils("someenv,dev,anotherenv").locationMatchesEnvironment("notdev")); + } + +} From 9a3856664af199f64a6e231e298e3748beb3f386 Mon Sep 17 00:00:00 2001 From: Dennis Crissman Date: Fri, 15 Dec 2017 14:04:42 -0500 Subject: [PATCH 04/19] requested changes --- .../auth/jboss/CertLdapLoginModule.java | 8 +-- .../CertEnvironmentVerificationFilter.java | 8 +-- ...EnvironmentUtils.java => Environment.java} | 15 +++--- ...entUtilsTest.java => EnvironmentTest.java} | 50 +++++++++---------- 4 files changed, 40 insertions(+), 41 deletions(-) rename src/main/java/org/esbtools/auth/util/{EnvironmentUtils.java => Environment.java} (89%) rename src/test/java/org/esbtools/auth/util/{EnvironmentUtilsTest.java => EnvironmentTest.java} (50%) diff --git a/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java b/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java index 079947d..da256fb 100644 --- a/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java +++ b/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java 
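Review bot: The new tests never exercise the `allAccessOu` whitespace handling or a multi-environment list containing spaces, which are the two branches in EnvironmentUtils most likely to behave unexpectedly; a case such as `new EnvironmentUtils("dev", "allaccessou").validateEnvironment("ou=all access ou,l=notdev")` (constructed example) would pin the space-stripping comparison. There is also no test passing a malformed DN to `getLDAPAttribute`, so the NamingException contract of that method is unverified.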
@@ -32,7 +32,7 @@ import org.esbtools.auth.ldap.LdapConfiguration; import org.esbtools.auth.ldap.LdapRolesProvider; import org.esbtools.auth.util.CachedRolesProvider; -import org.esbtools.auth.util.EnvironmentUtils; +import org.esbtools.auth.util.Environment; import org.esbtools.auth.util.RolesCache; import org.esbtools.auth.util.RolesProvider; import org.jboss.security.SimpleGroup; @@ -73,7 +73,7 @@ public class CertLdapLoginModule extends BaseCertLoginModule { public static final String UID = "uid"; public static final String CN = "cn"; - private static volatile EnvironmentUtils envUtils; + private static volatile Environment envUtils; private static volatile RolesProvider rolesProvider = null; @Override @@ -90,7 +90,7 @@ public void initializeRolesProvider() throws Exception { if (rolesProvider == null) { String environment = (String) options.get(ENVIRONMENT); String allAccessOu = (String) options.get(ALL_ACCESS_OU); - envUtils = new EnvironmentUtils(environment, allAccessOu); + envUtils = new Environment(environment, allAccessOu); LdapConfiguration ldapConf = new LdapConfiguration(); ldapConf.server((String) options.get(SERVER)); @@ -155,7 +155,7 @@ protected Group[] getRoleSets() throws LoginException { String searchName = envUtils.getLDAPAttribute(certPrincipal, UID); if(StringUtils.isNotBlank(searchName)) { //only try to validate environment if it is a certificate that contains uid - envUtils.validateEnvironment(certPrincipal); + envUtils.validate(certPrincipal); } else { // fallback to getting search name from cn in certificate principle (legacy certificates) searchName = envUtils.getLDAPAttribute(certPrincipal, CN); diff --git a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java index ecfe553..49686ef 100644 --- a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java 
+++ b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java @@ -9,7 +9,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.esbtools.auth.util.EnvironmentUtils; +import org.esbtools.auth.util.Environment; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.core.AuthenticationException; @@ -21,10 +21,10 @@ public class CertEnvironmentVerificationFilter extends OncePerRequestFilter { private static final Logger LOGGER = LoggerFactory.getLogger(CertEnvironmentVerificationFilter.class); - private final EnvironmentUtils envUtils; + private final Environment envUtils; public CertEnvironmentVerificationFilter(String environment) { - envUtils = (null == environment) ? null : new EnvironmentUtils(environment); + envUtils = (null == environment) ? null : new Environment(environment); LOGGER.info("Cert Environment: " + ((environment == null) ? "Not Set" : environment)); } @@ -40,7 +40,7 @@ public void doFilterInternal(HttpServletRequest request, HttpServletResponse res if ((null != certChain) && (certChain.length > 0)) { LOGGER.debug("Verifying environment on cert"); try { - envUtils.validateEnvironment(dn); + envUtils.validate(dn); } catch (NamingException e) { unsuccessfulAuthentication(request, response, diff --git a/src/main/java/org/esbtools/auth/util/EnvironmentUtils.java b/src/main/java/org/esbtools/auth/util/Environment.java similarity index 89% rename from src/main/java/org/esbtools/auth/util/EnvironmentUtils.java rename to src/main/java/org/esbtools/auth/util/Environment.java index b7deda0..24561f8 100644 --- a/src/main/java/org/esbtools/auth/util/EnvironmentUtils.java +++ b/src/main/java/org/esbtools/auth/util/Environment.java @@ -2,6 +2,7 @@ import java.util.Arrays; import java.util.List; +import java.util.Objects; import javax.naming.NamingException; import javax.naming.directory.NoSuchAttributeException; 
@@ -12,9 +13,9 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -public class EnvironmentUtils { +public class Environment { - private final Logger LOGGER = LoggerFactory.getLogger(EnvironmentUtils.class); + private final Logger LOGGER = LoggerFactory.getLogger(Environment.class); public static final String ENVIRONMENT_SEPARATOR = ","; public static final String LOCATION = "l"; @@ -31,20 +32,18 @@ public String getAllAccessOu() { return allAccessOu; } - public EnvironmentUtils(String environment) { + public Environment(String environment) { this(environment, null); } - public EnvironmentUtils(String environment, String allAccessOu) { - if (environment == null) { - throw new NullPointerException("environment cannot be null"); - } + public Environment(String environment, String allAccessOu) { + Objects.requireNonNull(environment); this.environment = environment; this.allAccessOu = allAccessOu; } - public void validateEnvironment(String certificatePrincipal) throws NamingException { + public void validate(String certificatePrincipal) throws NamingException { String ou = getLDAPAttribute(certificatePrincipal, OU); LOGGER.debug("OU from certificate: ", ou); diff --git a/src/test/java/org/esbtools/auth/util/EnvironmentUtilsTest.java b/src/test/java/org/esbtools/auth/util/EnvironmentTest.java similarity index 50% rename from src/test/java/org/esbtools/auth/util/EnvironmentUtilsTest.java rename to src/test/java/org/esbtools/auth/util/EnvironmentTest.java index 4368ee4..1bcbb4f 100644 --- a/src/test/java/org/esbtools/auth/util/EnvironmentUtilsTest.java +++ b/src/test/java/org/esbtools/auth/util/EnvironmentTest.java 
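Review bot: `Objects.requireNonNull(environment);` in the two-argument constructor drops the `"environment cannot be null"` text that the replaced explicit check carried, so the NullPointerException now reaches CertLdapLoginModule's initializer with no message; keep it with the two-argument form, `Objects.requireNonNull(environment, "environment cannot be null");`. The rename from `validateEnvironment` to `validate` is otherwise mechanical, but the class still has no Javadoc stating what a principal must contain to pass (an `ou`, and an `l` matching one of the comma-separated environments unless the `ou` equals the all-access OU); adding that on the class would document the policy the two callers now share.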
@@ -11,83 +11,83 @@ import org.junit.Test; import org.junit.rules.ExpectedException; -public class EnvironmentUtilsTest { +public class EnvironmentTest { @Rule public ExpectedException expectedEx = ExpectedException.none(); @Test(expected = NullPointerException.class) - public void testValidateEnvironment_NullEnvironment() throws Exception { - new EnvironmentUtils(null); + public void testValidate_NullEnvironment() throws Exception { + new Environment(null); } @Test - public void testValidateEnvironment_ValidLocation() throws Exception { - new EnvironmentUtils("dev") - .validateEnvironment("ou=someuser,l=dev"); + public void testValidate_ValidLocation() throws Exception { + new Environment("dev") + .validate("ou=someuser,l=dev"); } @Test - public void testValidateEnvironment_AllAccessOU() throws Exception { - new EnvironmentUtils("dev", "allaccessou") - .validateEnvironment("ou=allaccessou,l=notdev"); + public void testValidate_AllAccessOU() throws Exception { + new Environment("dev", "allaccessou") + .validate("ou=allaccessou,l=notdev"); } @Test - public void testValidateEnvironment_MissingOU() throws Exception { + public void testValidate_MissingOU() throws Exception { expectedEx.expect(NoSuchAttributeException.class); expectedEx.expectMessage("No ou in dn, you may need to update your certificate: l=dev"); - new EnvironmentUtils("dev") - .validateEnvironment("l=dev"); + new Environment("dev") + .validate("l=dev"); } @Test - public void testValidateEnvironment_MissingLocation() throws Exception { + public void testValidate_MissingLocation() throws Exception { expectedEx.expect(NoSuchAttributeException.class); expectedEx.expectMessage("No location in dn, you may need to update your certificate: ou=someuser"); - new EnvironmentUtils("dev") - .validateEnvironment("ou=someuser"); + new Environment("dev") + .validate("ou=someuser"); } @Test - public void testValidateEnvironment_InvalidLocation() throws Exception { + public void testValidate_InvalidLocation() throws 
Exception { expectedEx.expect(NoSuchAttributeException.class); expectedEx.expectMessage("Invalid location from dn, expected dev but found l=notdev"); - new EnvironmentUtils("dev") - .validateEnvironment("ou=someuser,l=notdev"); + new Environment("dev") + .validate("ou=someuser,l=notdev"); } @Test public void testGetLDAPAttribute() throws NamingException { - assertEquals("testuser", new EnvironmentUtils("dev").getLDAPAttribute("ou=testuser,l=dev", "ou")); + assertEquals("testuser", new Environment("dev").getLDAPAttribute("ou=testuser,l=dev", "ou")); } @Test public void testGetLDAPAttribute_NotFound() throws NamingException { - assertEquals("", new EnvironmentUtils("dev").getLDAPAttribute("ou=testuser,l=dev", "cn")); + assertEquals("", new Environment("dev").getLDAPAttribute("ou=testuser,l=dev", "cn")); } @Test public void testLocationMatchesEnvironment_SingleEnvironment_True() { - assertTrue(new EnvironmentUtils("dev").locationMatchesEnvironment("dev")); + assertTrue(new Environment("dev").locationMatchesEnvironment("dev")); } @Test public void testLocationMatchesEnvironment_SingleEnvironment_False() { - assertFalse(new EnvironmentUtils("dev").locationMatchesEnvironment("notdev")); + assertFalse(new Environment("dev").locationMatchesEnvironment("notdev")); } - + @Test public void testLocationMatchesEnvironment_MultipleEnvironment_True() { - assertTrue(new EnvironmentUtils("someenv,dev,anotherenv").locationMatchesEnvironment("dev")); + assertTrue(new Environment("someenv,dev,anotherenv").locationMatchesEnvironment("dev")); } @Test public void testLocationMatchesEnvironment_MultipleEnvironment_False() { - assertFalse(new EnvironmentUtils("someenv,dev,anotherenv").locationMatchesEnvironment("notdev")); + assertFalse(new Environment("someenv,dev,anotherenv").locationMatchesEnvironment("notdev")); } } From 5b74c791974d6dfa3c358539d6c7472ad84906e9 Mon Sep 17 00:00:00 2001 
From: Dennis Crissman Date: Mon, 18 Dec 2017 10:46:14 -0500 Subject: [PATCH 05/19] fix NPE --- .../auth/spring/CertEnvironmentVerificationFilter.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java index 49686ef..af194b8 100644 --- a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java +++ b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java @@ -35,10 +35,9 @@ public void doFilterInternal(HttpServletRequest request, HttpServletResponse res LOGGER.debug("Attempting Environment Cert verification"); X509Certificate certChain[] = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); - String dn = certChain[0].getSubjectDN().getName(); - if ((null != certChain) && (certChain.length > 0)) { LOGGER.debug("Verifying environment on cert"); + String dn = certChain[0].getSubjectDN().getName(); try { envUtils.validate(dn); } From 5f6866361a6372fc21c49771fcf0e7b41a38872a Mon Sep 17 00:00:00 2001 
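Review bot: The moved line still calls `getSubjectDN()`, which the JDK documents as denigrated and whose string form is implementation-specific; `certChain[0].getSubjectX500Principal().getName()` is the supported replacement and yields an RFC 2253 DN. Before switching, confirm that `Environment.getLDAPAttribute` parses that form identically, since the tests in this series feed it strings like `ou=someuser,l=dev`. `doFilterInternal` starts and ends outside the hunk.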
From: Dennis Crissman Date: Wed, 20 Dec 2017 14:01:55 -0500 Subject: [PATCH 06/19] refactor and add testing for CertEnvironmentVerificationFilter --- .../CertEnvironmentVerificationFilter.java | 80 +++++++++++++++ ...ertEnvironmentAuthenticationException.java | 17 ---- .../CertEnvironmentVerificationFilter.java | 79 --------------- ...ringCertEnvironmentVerificationFilter.java | 49 +++++++++ ...CertEnvironmentVerificationFilterTest.java | 99 +++++++++++++++++++ 5 files changed, 228 insertions(+), 96 deletions(-) create mode 100644 src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java delete mode 100644 src/main/java/org/esbtools/auth/spring/CertEnvironmentAuthenticationException.java delete mode 100644 src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java create mode 100644 src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java create mode 100644 src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java diff --git a/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java b/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java new file mode 100644 index 0000000..16f36f9 --- /dev/null +++ b/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java 
@@ -0,0 +1,80 @@ +package org.esbtools.auth.servlet; + +import java.io.IOException; +import java.security.cert.X509Certificate; + +import javax.naming.NamingException; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; + +import org.esbtools.auth.util.Environment; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class CertEnvironmentVerificationFilter implements Filter { + + private static final Logger LOGGER = LoggerFactory.getLogger(CertEnvironmentVerificationFilter.class); + + private final Environment env; + + public CertEnvironmentVerificationFilter(String environment) { + env = (null == environment) ? null : new Environment(environment); + + LOGGER.info("Cert Environment: " + ((environment == null) ? "Not Set" : environment)); + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + //Do Nothing! + } + + @Override + public void destroy() { + //Do Nothing! + } + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + if (null != env) { + LOGGER.debug("Attempting Environment Cert verification"); + X509Certificate certChain[] = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); + + if ((null != certChain) && (certChain.length > 0)) { + LOGGER.debug("Verifying environment on cert"); + String dn = certChain[0].getSubjectDN().getName(); + try { + env.validate(dn); + } + catch (NamingException e) { + unsuccessfulAuthentication(request, response, e); + return; //end the chain + } + } + else { + LOGGER.debug("Cert not found. Skipping Environment Cert verification."); + } + } + else { + LOGGER.debug("No environment configured. 
Skipping Environment Cert verification."); + } + + chain.doFilter(request, response); + } + + protected void unsuccessfulAuthentication(ServletRequest request, + ServletResponse response, NamingException failed) throws IOException, ServletException { + if (response instanceof HttpServletResponse) { + ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED); + } + + response.setContentType("text/html"); + response.getWriter().write("Error" + failed.getMessage() + ""); + response.getWriter().close(); + } + +} diff --git a/src/main/java/org/esbtools/auth/spring/CertEnvironmentAuthenticationException.java b/src/main/java/org/esbtools/auth/spring/CertEnvironmentAuthenticationException.java deleted file mode 100644 index fb59e31..0000000 --- a/src/main/java/org/esbtools/auth/spring/CertEnvironmentAuthenticationException.java +++ /dev/null @@ -1,17 +0,0 @@ -package org.esbtools.auth.spring; - -import org.springframework.security.core.AuthenticationException; - -public class CertEnvironmentAuthenticationException extends AuthenticationException { - - private static final long serialVersionUID = -1102864286332227011L; - - public CertEnvironmentAuthenticationException(String msg) { - super(msg); - } - - public CertEnvironmentAuthenticationException(String msg, Throwable t) { - super(msg, t); - } - -} diff --git a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java deleted file mode 100644 index af194b8..0000000 --- a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java +++ /dev/null 
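Review bot: `unsuccessfulAuthentication` at the end of the hunk writes `failed.getMessage()` into a `text/html` body without escaping (the markup around `"Error"` appears to have been lost in this rendering). The message is built by `Environment.validate` from the subject DN of the presented certificate — the tests in this series show it echoing the DN, e.g. `No ou in dn, you may need to update your certificate: l=dev` — so certificate-supplied text lands in an HTML page; send it as `text/plain`, or write a fixed message and log the detail server-side. The `LOGGER.info("Cert Environment: " + ...)` concatenation in the constructor would be cleaner as the parameterised form, `LOGGER.info("Cert Environment: {}", environment == null ? "Not Set" : environment);`. A class-level Javadoc stating that the filter is a no-op when no environment is configured or no certificate chain is present would help, since both branches are only visible from the debug messages.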
@@ -1,79 +0,0 @@ -package org.esbtools.auth.spring; - -import java.io.IOException; -import java.security.cert.X509Certificate; - -import javax.naming.NamingException; -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.esbtools.auth.util.Environment; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.security.core.AuthenticationException; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.web.WebAttributes; -import org.springframework.web.filter.OncePerRequestFilter; - -public class CertEnvironmentVerificationFilter extends OncePerRequestFilter { - - private static final Logger LOGGER = LoggerFactory.getLogger(CertEnvironmentVerificationFilter.class); - - private final Environment envUtils; - - public CertEnvironmentVerificationFilter(String environment) { - envUtils = (null == environment) ? null : new Environment(environment); - - LOGGER.info("Cert Environment: " + ((environment == null) ? "Not Set" : environment)); - } - - @Override - public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { - if (null != envUtils) { - LOGGER.debug("Attempting Environment Cert verification"); - X509Certificate certChain[] = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); - - if ((null != certChain) && (certChain.length > 0)) { - LOGGER.debug("Verifying environment on cert"); - String dn = certChain[0].getSubjectDN().getName(); - try { - envUtils.validate(dn); - } - catch (NamingException e) { - unsuccessfulAuthentication(request, response, - new CertEnvironmentAuthenticationException(e.getMessage())); - return; //end the chain - } - } - else { - LOGGER.debug("Cert not found. 
Skipping Environment Cert verification."); - } - } - else { - LOGGER.debug("No environment configured. Skipping Environment Cert verification."); - } - - chain.doFilter(request, response); - } - - /** - * Ensures the authentication object in the secure context is set to null when - * authentication fails. - *

- * Caches the failure exception as a request attribute - */ - protected void unsuccessfulAuthentication(HttpServletRequest request, - HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException { - SecurityContextHolder.clearContext(); - - if (LOGGER.isDebugEnabled()) { - LOGGER.debug("Cleared security context due to exception", failed); - } - request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, failed); - - response.sendError(HttpServletResponse.SC_UNAUTHORIZED, failed.getMessage()); - } - -} diff --git a/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java b/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java new file mode 100644 index 0000000..2b15fe5 --- /dev/null +++ b/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java 
@@ -0,0 +1,49 @@ +package org.esbtools.auth.spring; + +import java.io.IOException; + +import javax.naming.NamingException; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; + +import org.esbtools.auth.servlet.CertEnvironmentVerificationFilter; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.web.WebAttributes; + +public class SpringCertEnvironmentVerificationFilter extends CertEnvironmentVerificationFilter { + + public SpringCertEnvironmentVerificationFilter(String environment) { + super(environment); + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + super.init(filterConfig); + } + + @Override + protected void unsuccessfulAuthentication(ServletRequest request, + ServletResponse response, NamingException failed) throws IOException, ServletException { + + SecurityContextHolder.clearContext(); + + AuthenticationException authException = new EnvironmentVerificationAuthenticationException( + "Unable to authenticate", failed); + + request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, authException); + + throw authException; + } + + public static class EnvironmentVerificationAuthenticationException extends AuthenticationException { + private static final long serialVersionUID = -9117378985089473004L; + + public EnvironmentVerificationAuthenticationException(String msg, Throwable t) { + super(msg, t); + } + } + +} diff --git a/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java b/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java new file mode 100644 index 0000000..f492b37 --- /dev/null +++ b/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java 
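Review bot: `SpringCertEnvironmentVerificationFilter` has no Javadoc stating that its `unsuccessfulAuthentication` does not write a response but throws `EnvironmentVerificationAuthenticationException` (unchecked) out of `doFilter`, so a filter earlier in the chain must catch it and render the 401 — otherwise the container falls back to its own error page. Add a class comment such as `/** Spring variant of CertEnvironmentVerificationFilter: on an environment mismatch it clears the security context and throws EnvironmentVerificationAuthenticationException, which a filter earlier in the chain must translate into an HTTP response. */`. The new test class only exercises the servlet base class, so this path is untested; a test asserting the throw and the cleared context would pin the contract. The `init` override that only delegates to `super.init(filterConfig)` adds nothing and can be dropped.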
@@ -0,0 +1,99 @@ +package org.esbtools.auth.servlet; + +import static org.junit.Assert.assertTrue; + +import java.io.PrintWriter; +import java.security.Principal; +import java.security.cert.X509Certificate; + +import javax.servlet.FilterChain; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.ArgumentCaptor; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.runners.MockitoJUnitRunner; + +@RunWith(MockitoJUnitRunner.class) +public class CertEnvironmentVerificationFilterTest { + + @Mock + private HttpServletRequest request; + + @Mock + private HttpServletResponse response; + + @Mock + private FilterChain chain; + + private X509Certificate createCertificate(final String dn) { + X509Certificate certificate = Mockito.spy(X509Certificate.class); + Mockito.when(certificate.getSubjectDN()).thenReturn(new Principal() { + + @Override + public String getName() { + return dn; + } + + }); + + return certificate; + } + + @Test + public void nullEnvironmentShouldSkipCheck() throws Exception { + new CertEnvironmentVerificationFilter(null).doFilter(request, response, chain); + + Mockito.verify(chain, Mockito.times(1)).doFilter(request, response); + } + + @Test + public void noCertChainShouldSkipCheck() throws Exception { + new CertEnvironmentVerificationFilter("fakeenv").doFilter(request, response, chain); + + Mockito.verify(chain, Mockito.times(1)).doFilter(request, response); + } + + @Test + public void emptyCertChainShouldSkipCheck() throws Exception { + Mockito.when(request.getAttribute("javax.servlet.request.X509Certificate")).thenReturn(new X509Certificate[0]); + + new CertEnvironmentVerificationFilter("fakeenv").doFilter(request, response, chain); + + Mockito.verify(chain, Mockito.times(1)).doFilter(request, response); + } + + @Test + public void certWithCorrectEnvironmentShouldPass() throws Exception { + X509Certificate 
certificate = createCertificate("ou=fakeuser,l=fakeenv"); + Mockito.when(request.getAttribute("javax.servlet.request.X509Certificate")).thenReturn(new X509Certificate[] { + certificate + }); + + new CertEnvironmentVerificationFilter("fakeenv").doFilter(request, response, chain); + + Mockito.verify(chain, Mockito.times(1)).doFilter(request, response); + } + + @Test + public void certWithWrongEnvironmentShouldFail() throws Exception { + X509Certificate certificate = createCertificate("ou=fakeuser,l=fakeenv"); + Mockito.when(request.getAttribute("javax.servlet.request.X509Certificate")).thenReturn(new X509Certificate[] { + certificate + }); + PrintWriter writer = Mockito.mock(PrintWriter.class); + Mockito.when(response.getWriter()).thenReturn(writer); + + new CertEnvironmentVerificationFilter("notfakeenv").doFilter(request, response, chain); + + Mockito.verify(response, Mockito.times(1)).setStatus(HttpServletResponse.SC_UNAUTHORIZED); + ArgumentCaptor errorMsgCaptor = ArgumentCaptor.forClass(String.class); + Mockito.verify(writer, Mockito.times(1)).write(errorMsgCaptor.capture()); + assertTrue(errorMsgCaptor.getValue().contains("Error")); + Mockito.verify(chain, Mockito.never()).doFilter(request, response); + } + +} From 3e2a90b90273c747f2102a7e52d7a1723551bc3b Mon Sep 17 00:00:00 2001 From: Dennis Crissman Date: Thu, 21 Dec 2017 14:10:00 -0500 Subject: [PATCH 07/19] refactors --- .../EsbToolsExceptionTraslatingFilter.java | 69 +++++++++++++++++++ ...ringCertEnvironmentVerificationFilter.java | 18 +---- 2 files changed, 70 insertions(+), 17 deletions(-) create mode 100644 src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java diff --git a/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java b/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java new file mode 100644 index 0000000..8ac37f1 --- /dev/null +++ b/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java 
@@ -0,0 +1,69 @@ +package org.esbtools.auth.spring; + +import java.io.IOException; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.core.Response; + +import org.esbtools.auth.spring.SpringCertEnvironmentVerificationFilter.EnvironmentVerificationAuthenticationException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.web.filter.GenericFilterBean; + +public class EsbToolsExceptionTraslatingFilter extends GenericFilterBean { + + private static final Logger LOGGER = LoggerFactory.getLogger(EsbToolsExceptionTraslatingFilter.class); + + private final ErrorResponseWriter writer; + + public EsbToolsExceptionTraslatingFilter(ErrorResponseWriter writer) { + this.writer = writer; + } + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + LOGGER.debug("Executing"); + try { + chain.doFilter(request, response); + } catch (EnvironmentVerificationAuthenticationException e) { + LOGGER.debug("blocking access"); + + SecurityContextHolder.clearContext(); + + if (response instanceof HttpServletResponse) { + ((HttpServletResponse) response).setStatus(writer.getStatus().getStatusCode()); + } + + response.setContentType(writer.getContentType()); + response.getWriter().write(writer.print(e)); + response.getWriter().close(); + } + } + + public abstract static class ErrorResponseWriter { + + private final Response.Status status; + private final String contentType; + + public Response.Status getStatus() { + return status; + } + + public String getContentType() { + return contentType; + } + + public ErrorResponseWriter(String contentType, Response.Status status) { + this.contentType = contentType; + this.status = status; + 
} + + public abstract String print(Exception e); + } + +} diff --git a/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java b/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java index 2b15fe5..514eb0a 100644 --- a/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java +++ b/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java @@ -3,15 +3,12 @@ import java.io.IOException; import javax.naming.NamingException; -import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import org.esbtools.auth.servlet.CertEnvironmentVerificationFilter; import org.springframework.security.core.AuthenticationException; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.web.WebAttributes; public class SpringCertEnvironmentVerificationFilter extends CertEnvironmentVerificationFilter { @@ -19,23 +16,10 @@ public SpringCertEnvironmentVerificationFilter(String environment) { super(environment); } - @Override - public void init(FilterConfig filterConfig) throws ServletException { - super.init(filterConfig); - } - @Override protected void unsuccessfulAuthentication(ServletRequest request, ServletResponse response, NamingException failed) throws IOException, ServletException { - - SecurityContextHolder.clearContext(); - - AuthenticationException authException = new EnvironmentVerificationAuthenticationException( - "Unable to authenticate", failed); - - request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, authException); - - throw authException; + throw new EnvironmentVerificationAuthenticationException(failed.getMessage(), failed); } public static class EnvironmentVerificationAuthenticationException extends AuthenticationException { From 8a6a0e8958d99e8db35287aac6418361570dcb38 Mon Sep 17 00:00:00 2001 
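Review bot: The new public class name `EsbToolsExceptionTraslatingFilter` is missing the `n` of "Translating"; since it is a type in a published module, the rename is cheap now and breaking later. `ErrorResponseWriter.print(Exception)` has no Javadoc telling implementors that the exception's message carries the certificate DN that failed validation (`failed.getMessage()` is passed straight through by `SpringCertEnvironmentVerificationFilter`), so an implementation returning `e.getMessage()` under an HTML content type echoes client-supplied text; document that with `/** Renders the failure body; the message may contain the client certificate DN, so escape it or return a fixed message for HTML content types. */`. Using `javax.ws.rs.core.Response.Status` only to carry an HTTP status code pulls a JAX-RS dependency into a Spring filter; a plain `int` or Spring's `HttpStatus` would avoid that.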
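Review bot: The rewritten `unsuccessfulAuthentication` no longer sets `WebAttributes.AUTHENTICATION_EXCEPTION` on the request, and `SecurityContextHolder.clearContext()` is gone from this class; if the intent is that `EsbToolsExceptionTraslatingFilter` now owns both, that coupling is invisible here and should be stated, e.g. `/** Throws EnvironmentVerificationAuthenticationException on failure; EsbToolsExceptionTraslatingFilter, placed earlier in the chain, clears the security context and writes the error response. */`. Any Spring failure handler that reads the request attribute will no longer see the cause, which looks like an unintended loss. The override also keeps `throws IOException, ServletException` although the body only throws an unchecked exception; an override may declare a narrower clause, and dropping it documents the contract.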
From: Dennis Crissman Date: Thu, 21 Dec 2017 18:12:24 -0500 Subject: [PATCH 08/19] clean up --- .../EsbToolsExceptionTraslatingFilter.java | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java b/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java index 8ac37f1..81aec13 100644 --- a/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java +++ b/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java @@ -35,11 +35,13 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha SecurityContextHolder.clearContext(); - if (response instanceof HttpServletResponse) { - ((HttpServletResponse) response).setStatus(writer.getStatus().getStatusCode()); + if ((response instanceof HttpServletResponse) && writer.status != null) { + ((HttpServletResponse) response).setStatus(writer.status.getStatusCode()); } - response.setContentType(writer.getContentType()); + if (writer.contentType != null) { + response.setContentType(writer.contentType); + } response.getWriter().write(writer.print(e)); response.getWriter().close(); } @@ -47,15 +49,11 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha public abstract static class ErrorResponseWriter { - private final Response.Status status; - private final String contentType; - - public Response.Status getStatus() { - return status; - } + public final Response.Status status; + public final String contentType; - public String getContentType() { - return contentType; + public ErrorResponseWriter() { + this(null, null); } public ErrorResponseWriter(String contentType, Response.Status status) { From 70afbdb8679fe68466d5ff03618efbff1e7c2a6a Mon Sep 17 00:00:00 2001 
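Review bot: With the new `writer.status != null` guard, an `ErrorResponseWriter` built through the added no-arg constructor (`this(null, null)`) leaves the status untouched, so a request blocked by the catch block is answered with the container default (normally 200) plus a body describing the error; an authentication rejection should never default to success. Fall back to a failure code instead of skipping the call: `int code = (writer.status != null) ? writer.status.getStatusCode() : HttpServletResponse.SC_UNAUTHORIZED;` then `((HttpServletResponse) response).setStatus(code);`. Replacing the getters with `public final` fields also freezes `status` and `contentType` as API; since the class is abstract and meant to be subclassed, `protected final` would serve the same purpose with less exposure. The enclosing `doFilter` begins outside the hunk.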
From: Dennis Crissman Date: Tue, 2 Jan 2018 09:31:17 -0500 Subject: [PATCH 09/19] rename variable --- .../org/esbtools/auth/jboss/CertLdapLoginModule.java | 12 ++++++------ .../spring/CertEnvironmentVerificationFilter.java | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java b/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java index da256fb..f553604 100644 --- a/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java +++ b/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java @@ -73,7 +73,7 @@ public class CertLdapLoginModule extends BaseCertLoginModule { public static final String UID = "uid"; public static final String CN = "cn"; - private static volatile Environment envUtils; + private static volatile Environment environment; private static volatile RolesProvider rolesProvider = null; @Override @@ -88,9 +88,9 @@ public void initializeRolesProvider() throws Exception { if (rolesProvider == null) { synchronized(LdapRolesProvider.class) { if (rolesProvider == null) { - String environment = (String) options.get(ENVIRONMENT); + String env = (String) options.get(ENVIRONMENT); String allAccessOu = (String) options.get(ALL_ACCESS_OU); - envUtils = new Environment(environment, allAccessOu); + environment = new Environment(env, allAccessOu); LdapConfiguration ldapConf = new LdapConfiguration(); ldapConf.server((String) options.get(SERVER)); 
@@ -152,13 +152,13 @@ protected Group[] getRoleSets() throws LoginException { LOGGER.debug("Certificate principal:" + certPrincipal); //first try getting search name from uid in certificate principle (new certificates) - String searchName = envUtils.getLDAPAttribute(certPrincipal, UID); + String searchName = environment.getLDAPAttribute(certPrincipal, UID); if(StringUtils.isNotBlank(searchName)) { //only try to validate environment if it is a certificate that contains uid - envUtils.validate(certPrincipal); + environment.validate(certPrincipal); } else { // fallback to getting search name from cn in certificate principle (legacy certificates) - searchName = envUtils.getLDAPAttribute(certPrincipal, CN); + searchName = environment.getLDAPAttribute(certPrincipal, CN); } Collection groupNames = rolesProvider.getUserRoles(searchName); diff --git a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java index af194b8..3b1f3c6 100644 --- a/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java +++ b/src/main/java/org/esbtools/auth/spring/CertEnvironmentVerificationFilter.java 
@@ -21,17 +21,17 @@ public class CertEnvironmentVerificationFilter extends OncePerRequestFilter { private static final Logger LOGGER = LoggerFactory.getLogger(CertEnvironmentVerificationFilter.class); - private final Environment envUtils; + private final Environment environment; public CertEnvironmentVerificationFilter(String environment) { - envUtils = (null == environment) ? null : new Environment(environment); + this.environment = (null == environment) ? null : new Environment(environment); LOGGER.info("Cert Environment: " + ((environment == null) ? "Not Set" : environment)); } @Override public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { - if (null != envUtils) { + if (null != environment) { LOGGER.debug("Attempting Environment Cert verification"); X509Certificate certChain[] = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); @@ -39,7 +39,7 @@ public void doFilterInternal(HttpServletRequest request, HttpServletResponse res LOGGER.debug("Verifying environment on cert"); String dn = certChain[0].getSubjectDN().getName(); try { - envUtils.validate(dn); + environment.validate(dn); } catch (NamingException e) { unsuccessfulAuthentication(request, response, From f7fd8c9b0a0302ac703f7d7cba727b362855ff19 Mon Sep 17 00:00:00 2001 
From: Dennis Crissman Date: Tue, 2 Jan 2018 12:22:45 -0500 Subject: [PATCH 10/19] extract out multiple modules --- .gitignore | 1 + README.md | 31 -- dependency-reduced-pom.xml | 487 ------------------ jboss-cert-ldap-login-module/README.md | 31 ++ jboss-cert-ldap-login-module/pom.xml | 90 ++++ .../auth/jboss/CertLdapLoginModule.java | 0 .../esbtools/auth/jboss/CertLoginModule.java | 0 .../dependency-reduced-pom.xml | 63 +++ org.esbtools.auth.common/pom.xml | 34 ++ .../esbtools/auth/ldap/LdapConfiguration.java | 0 .../esbtools/auth/ldap/LdapRolesProvider.java | 0 .../CertEnvironmentVerificationFilter.java | 0 .../auth/util/CachedRolesProvider.java | 0 .../org/esbtools/auth/util/Environment.java | 0 .../org/esbtools/auth/util/RequestDumper.java | 0 .../org/esbtools/auth/util/RolesCache.java | 0 .../org/esbtools/auth/util/RolesProvider.java | 0 .../auth/CachedRolesProviderTest.java | 0 .../ldap/LdapRoleProviderIntegrationTest.java | 0 ...CertEnvironmentVerificationFilterTest.java | 0 .../esbtools/auth/util/EnvironmentTest.java | 0 .../test/resources/simplelogger.properties | 0 pom.xml | 120 ++--- .../dependency-reduced-pom.xml | 69 +++ spring-cert-ldap-login-module/pom.xml | 34 ++ .../EsbToolsExceptionTraslatingFilter.java | 0 .../auth/spring/LdapUserDetailsService.java | 0 ...ringCertEnvironmentVerificationFilter.java | 0 28 files changed, 353 insertions(+), 607 deletions(-) delete mode 100644 dependency-reduced-pom.xml create mode 100644 jboss-cert-ldap-login-module/README.md create mode 100644 jboss-cert-ldap-login-module/pom.xml rename {src => jboss-cert-ldap-login-module/src}/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java (100%) rename {src => jboss-cert-ldap-login-module/src}/main/java/org/esbtools/auth/jboss/CertLoginModule.java (100%) create mode 100644 org.esbtools.auth.common/dependency-reduced-pom.xml create mode 100644 org.esbtools.auth.common/pom.xml rename {src => 
org.esbtools.auth.common/src}/main/java/org/esbtools/auth/ldap/LdapConfiguration.java (100%) rename {src => org.esbtools.auth.common/src}/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java (100%) rename {src => org.esbtools.auth.common/src}/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java (100%) rename {src => org.esbtools.auth.common/src}/main/java/org/esbtools/auth/util/CachedRolesProvider.java (100%) rename {src => org.esbtools.auth.common/src}/main/java/org/esbtools/auth/util/Environment.java (100%) rename {src => org.esbtools.auth.common/src}/main/java/org/esbtools/auth/util/RequestDumper.java (100%) rename {src => org.esbtools.auth.common/src}/main/java/org/esbtools/auth/util/RolesCache.java (100%) rename {src => org.esbtools.auth.common/src}/main/java/org/esbtools/auth/util/RolesProvider.java (100%) rename {src => org.esbtools.auth.common/src}/test/java/org/esbtools/auth/CachedRolesProviderTest.java (100%) rename {src => org.esbtools.auth.common/src}/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java (100%) rename {src => org.esbtools.auth.common/src}/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java (100%) rename {src => org.esbtools.auth.common/src}/test/java/org/esbtools/auth/util/EnvironmentTest.java (100%) rename {src => org.esbtools.auth.common/src}/test/resources/simplelogger.properties (100%) create mode 100644 spring-cert-ldap-login-module/dependency-reduced-pom.xml create mode 100644 spring-cert-ldap-login-module/pom.xml rename {src => spring-cert-ldap-login-module/src}/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java (100%) rename {src => spring-cert-ldap-login-module/src}/main/java/org/esbtools/auth/spring/LdapUserDetailsService.java (100%) rename {src => spring-cert-ldap-login-module/src}/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java (100%) diff --git a/.gitignore b/.gitignore index a903163..170e7cb 100644 
--- a/.gitignore +++ b/.gitignore @@ -26,3 +26,4 @@ www/*/src/main/webapp/gwt .springBeans *.versionsBackup .idea/ +dependency-reduced-pom.xml diff --git a/README.md b/README.md index 54da552..e69de29 100644 --- a/README.md +++ b/README.md @@ -1,31 +0,0 @@ -[![Build Status](https://travis-ci.org/esbtools/jboss-cert-ldap-login-module.svg?branch=master)](https://travis-ci.org/esbtools/jboss-cert-ldap-login-module.svg?branch=master) -[![Coverage Status](https://coveralls.io/repos/esbtools/jboss-cert-ldap-login-module/badge.svg?branch=master&service=github)](https://coveralls.io/github/esbtools/jboss-cert-ldap-login-module?branch=master) - -# How to configure authentication/authorization on JBoss - -In standalone.xml: - -``` - - - - - - - - - - - - - - - - - - - - - - -``` diff --git a/dependency-reduced-pom.xml b/dependency-reduced-pom.xml deleted file mode 100644 index 7d6c84c..0000000 --- a/dependency-reduced-pom.xml +++ /dev/null 
@@ -1,487 +0,0 @@ - - - - oss-parent - org.sonatype.oss - 7 - pom.xml - - 4.0.0 - org.esbtools.auth - jboss-cert-ldap-login-module - esbtools: ${project.groupId}|${project.artifactId} - 1.3.0-SNAPSHOT - ESB Gateways - - - GNU GENERAL PUBLIC LICENSE, Version 3, 29 June 2007 - http://www.gnu.org/licenses/gpl-3.0-standalone.html - repo - - - - scm:git:https://github.com/esbtools/jboss-cert-ldap-login-module.git - scm:git:git@github.com:esbtools/jboss-cert-ldap-login-module.git - https://github.com/esbtools/jboss-cert-ldap-login-module - - - - - maven-shade-plugin - 3.0.0 - - - package - - shade - - - false - - - - - - maven-compiler-plugin - 3.5.1 - - 1.8 - 1.8 - - - - org.eluder.coveralls - coveralls-maven-plugin - 3.0.1 - - - org.codehaus.mojo - cobertura-maven-plugin - 2.6 - - xml - 256m - true - - - - - org.owasp - dependency-check-maven - 1.3.3 - - true - true - - - - maven-release-plugin - 2.5 - - V@{project.version} - true - false - release - deploy - - - - maven-gpg-plugin - 1.6 - - false - - - - org.sonatype.plugins - nexus-staging-maven-plugin - 1.6.2 - true - - ossrh - https://oss.sonatype.org/ - true - - - - maven-source-plugin - 2.2.1 - - - attach-sources - - jar-no-fork - - - - - - maven-javadoc-plugin - 2.9.1 - - - attach-javadocs - - jar - - - - - - - - - release - - - - maven-release-plugin - 2.5 - - V@{project.version} - true - false - release - deploy - - - - maven-gpg-plugin - 1.6 - - false - - - - org.sonatype.plugins - nexus-staging-maven-plugin - 1.6.2 - true - - ossrh - https://oss.sonatype.org/ - true - - - - maven-source-plugin - 2.2.1 - - - attach-sources - - jar-no-fork - - - - - - maven-javadoc-plugin - 2.9.1 - - - attach-javadocs - - jar - - - - - - - - - - - - - jboss - https://repository.jboss.org/nexus/content/repositories/releases/ - - - - - org.jboss.spec - jboss-javaee-6.0 - 3.0.2.Final - pom - provided - - - xalan - xalan - - - activation - javax.activation - - - cdi-api - javax.enterprise - - - javax.inject - javax.inject - - - 
jsr181-api - javax.jws - - - mail - javax.mail - - - validation-api - javax.validation - - - hibernate-jpa-2.0-api - org.hibernate.javax.persistence - - - jboss-annotations-api_1.1_spec - org.jboss.spec.javax.annotation - - - jboss-ejb-api_3.1_spec - org.jboss.spec.javax.ejb - - - jboss-el-api_2.2_spec - org.jboss.spec.javax.el - - - jboss-jad-api_1.2_spec - org.jboss.spec.javax.enterprise.deploy - - - jboss-jsf-api_2.1_spec - org.jboss.spec.javax.faces - - - jboss-interceptors-api_1.1_spec - org.jboss.spec.javax.interceptor - - - jboss-j2eemgmt-api_1.1_spec - org.jboss.spec.javax.management.j2ee - - - jboss-connector-api_1.6_spec - org.jboss.spec.javax.resource - - - jboss-rmi-api_1.0_spec - org.jboss.spec.javax.rmi - - - jboss-jacc-api_1.4_spec - org.jboss.spec.javax.security.jacc - - - jboss-jaspi-api_1.0_spec - org.jboss.spec.javax.security.auth.message - - - jboss-jaxr-api_1.0_spec - org.jboss.spec.javax.xml.registry - - - jboss-jms-api_1.1_spec - org.jboss.spec.javax.jms - - - jboss-servlet-api_3.0_spec - org.jboss.spec.javax.servlet - - - jboss-jsp-api_2.2_spec - org.jboss.spec.javax.servlet.jsp - - - jboss-jstl-api_1.2_spec - org.jboss.spec.javax.servlet.jstl - - - jboss-transaction-api_1.1_spec - org.jboss.spec.javax.transaction - - - jboss-jaxrs-api_1.1_spec - org.jboss.spec.javax.ws.rs - - - jboss-jaxb-api_2.2_spec - org.jboss.spec.javax.xml.bind - - - jboss-jaxrpc-api_1.1_spec - org.jboss.spec.javax.xml.rpc - - - jboss-saaj-api_1.3_spec - org.jboss.spec.javax.xml.soap - - - jboss-jaxws-api_2.2_spec - org.jboss.spec.javax.xml.ws - - - - - org.picketbox - picketbox - 4.9.6.Final - provided - - - org.slf4j - slf4j-api - 1.7.7 - provided - - - com.google.guava - guava - 19.0 - provided - - - commons-lang - commons-lang - 2.6 - provided - - - junit - junit - 4.12 - test - - - hamcrest-core - org.hamcrest - - - - - com.redhat.lightblue.ldap - lightblue-ldap-test - 1.11.0 - test - - - lightblue-core-config - com.redhat.lightblue - - - lightblue-core-test - 
com.redhat.lightblue - - - lightblue-mongo-test - com.redhat.lightblue.mongo - - - - - org.slf4j - slf4j-simple - 1.7.21 - test - - - org.apache.directory.server - apacheds-server-integ - 1.5.7 - test - - - apacheds-interceptor-kerberos - org.apache.directory.server - - - apacheds-core-integ - org.apache.directory.server - - - ldapsdk - ldapsdk - - - ldap-client-api - org.apache.directory.client.ldap - - - shared-ldap - org.apache.directory.shared - - - shared-ldap-schema - org.apache.directory.shared - - - shared-ldap-schema-loader - org.apache.directory.shared - - - shared-ldap-schema-manager - org.apache.directory.shared - - - shared-cursor - org.apache.directory.shared - - - shared-ldap-jndi - org.apache.directory.shared - - - shared-asn1-codec - org.apache.directory.shared - - - shared-asn1 - org.apache.directory.shared - - - shared-ldap-constants - org.apache.directory.shared - - - shared-ldap-converter - org.apache.directory.shared - - - shared-ldap-schema-dao - org.apache.directory.shared - - - shared-ldif - org.apache.directory.shared - - - shared-dsml-parser - org.apache.directory.shared - - - - - org.mockito - mockito-all - 1.10.19 - test - - - - esbtools: jboss-cert-ldap-login-module - true - lines,vars,source - **/*Test.java,**/*Exception.java - true - true - UTF-8 - - - diff --git a/jboss-cert-ldap-login-module/README.md b/jboss-cert-ldap-login-module/README.md new file mode 100644 index 0000000..54da552 --- /dev/null +++ b/jboss-cert-ldap-login-module/README.md 
@@ -0,0 +1,31 @@ +[![Build Status](https://travis-ci.org/esbtools/jboss-cert-ldap-login-module.svg?branch=master)](https://travis-ci.org/esbtools/jboss-cert-ldap-login-module.svg?branch=master) +[![Coverage Status](https://coveralls.io/repos/esbtools/jboss-cert-ldap-login-module/badge.svg?branch=master&service=github)](https://coveralls.io/github/esbtools/jboss-cert-ldap-login-module?branch=master) + +# How to configure authentication/authorization on JBoss + +In standalone.xml: + +``` + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/jboss-cert-ldap-login-module/pom.xml b/jboss-cert-ldap-login-module/pom.xml new file mode 100644 index 0000000..bbd1222 --- /dev/null +++ b/jboss-cert-ldap-login-module/pom.xml @@ -0,0 +1,90 @@ + + 4.0.0 + + org.esbtools.auth + cert-ldap-login-module + 1.3.0-SNAPSHOT + + jboss-cert-ldap-login-module + + + + jboss + https://repository.jboss.org/nexus/content/repositories/releases/ + + true + + + true + + + + + + + org.esbtools.auth + org.esbtools.auth.common + + + org.jboss.spec + jboss-javaee-6.0 + 3.0.2.Final + pom + provided + + + xalan + xalan + + + + + org.picketbox + picketbox + 4.9.6.Final + provided + + + + + org.slf4j + slf4j-api + 1.7.7 + provided + + + com.google.guava + guava + 19.0 + provided + + + commons-lang + commons-lang + 2.6 + provided + + + + + + + org.apache.maven.plugins + maven-shade-plugin + 3.0.0 + + + package + + shade + + + false + + + + + + + \ No newline at end of file diff --git a/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java b/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java similarity index 100% rename from src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java rename to jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java 
diff --git a/src/main/java/org/esbtools/auth/jboss/CertLoginModule.java b/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLoginModule.java similarity index 100% rename from src/main/java/org/esbtools/auth/jboss/CertLoginModule.java rename to jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLoginModule.java diff --git a/org.esbtools.auth.common/dependency-reduced-pom.xml b/org.esbtools.auth.common/dependency-reduced-pom.xml new file mode 100644 index 0000000..867d54f --- /dev/null +++ b/org.esbtools.auth.common/dependency-reduced-pom.xml @@ -0,0 +1,63 @@ + + + + cert-ldap-login-module + org.esbtools.auth + 1.3.0-SNAPSHOT + + 4.0.0 + org.esbtools.auth.common + + + javax.servlet + servlet-api + 2.5 + provided + + + junit + junit + 4.12 + test + + + hamcrest-core + org.hamcrest + + + + + org.slf4j + slf4j-simple + 1.7.21 + test + + + org.mockito + mockito-all + 1.10.19 + test + + + com.redhat.lightblue.ldap + lightblue-ldap-test + 1.11.0 + test + + + lightblue-core-config + com.redhat.lightblue + + + lightblue-core-test + com.redhat.lightblue + + + lightblue-mongo-test + com.redhat.lightblue.mongo + + + + + + diff --git a/org.esbtools.auth.common/pom.xml b/org.esbtools.auth.common/pom.xml new file mode 100644 index 0000000..a171ff8 --- /dev/null +++ b/org.esbtools.auth.common/pom.xml @@ -0,0 +1,34 @@ + + 4.0.0 + + org.esbtools.auth + cert-ldap-login-module + 1.3.0-SNAPSHOT + + org.esbtools.auth.common + + + + javax.servlet + servlet-api + 2.5 + provided + + + commons-lang + commons-lang + 2.6 + + + com.google.guava + guava + 19.0 + + + com.unboundid + unboundid-ldapsdk + 3.1.1 + + + \ No newline at end of file 
diff --git a/src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java
rename to org.esbtools.auth.common/src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java
diff --git a/src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java
rename to org.esbtools.auth.common/src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java
diff --git a/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java
rename to org.esbtools.auth.common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java
diff --git a/src/main/java/org/esbtools/auth/util/CachedRolesProvider.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/CachedRolesProvider.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/util/CachedRolesProvider.java
rename to org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/CachedRolesProvider.java
diff --git a/src/main/java/org/esbtools/auth/util/Environment.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/Environment.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/util/Environment.java
rename to org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/Environment.java
diff --git a/src/main/java/org/esbtools/auth/util/RequestDumper.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RequestDumper.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/util/RequestDumper.java
rename to org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RequestDumper.java
diff --git a/src/main/java/org/esbtools/auth/util/RolesCache.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RolesCache.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/util/RolesCache.java
rename to org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RolesCache.java
diff --git a/src/main/java/org/esbtools/auth/util/RolesProvider.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RolesProvider.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/util/RolesProvider.java
rename to org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RolesProvider.java
diff --git a/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java b/org.esbtools.auth.common/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java
similarity index 100%
rename from src/test/java/org/esbtools/auth/CachedRolesProviderTest.java
rename to org.esbtools.auth.common/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java
diff --git a/src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java b/org.esbtools.auth.common/src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java
similarity index 100%
rename from src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java
rename to org.esbtools.auth.common/src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java
diff --git a/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java b/org.esbtools.auth.common/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java
similarity index 100%
rename from src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java
rename to org.esbtools.auth.common/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java
diff --git a/src/test/java/org/esbtools/auth/util/EnvironmentTest.java b/org.esbtools.auth.common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java
similarity index 100%
rename from src/test/java/org/esbtools/auth/util/EnvironmentTest.java
rename to org.esbtools.auth.common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java
diff --git a/src/test/resources/simplelogger.properties b/org.esbtools.auth.common/src/test/resources/simplelogger.properties
similarity index 100%
rename from src/test/resources/simplelogger.properties
rename to org.esbtools.auth.common/src/test/resources/simplelogger.properties
diff --git a/pom.xml b/pom.xml
index 9e8f715..796093a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -8,9 +8,9 @@
 4.0.0
 org.esbtools.auth
- jboss-cert-ldap-login-module
+ cert-ldap-login-module
 1.3.0-SNAPSHOT
- jar
+ pom
 esbtools: ${project.groupId}|${project.artifactId}
 ESB Gateways
@@ -21,9 +21,9 @@
- scm:git:https://github.com/esbtools/jboss-cert-ldap-login-module.git
- scm:git:git@github.com:esbtools/jboss-cert-ldap-login-module.git
- https://github.com/esbtools/jboss-cert-ldap-login-module
+ scm:git:https://github.com/esbtools/cert-ldap-login-module.git
+ scm:git:git@github.com:esbtools/cert-ldap-login-module.git
+ https://github.com/esbtools/cert-ldap-login-module
 HEAD
@@ -35,116 +35,53 @@ esbtools: jboss-cert-ldap-login-module **/*Test.java,**/*Exception.java - - - jboss - https://repository.jboss.org/nexus/content/repositories/releases/ - - true - - - true - - - + - - org.jboss.spec - jboss-javaee-6.0 - 3.0.2.Final - pom - provided - - - xalan - xalan - - - - - org.picketbox - picketbox - 4.9.6.Final - provided - org.slf4j slf4j-api - 1.7.7 - provided - - - com.google.guava - guava - 19.0 - provided - - - commons-lang - commons-lang - 2.6 - provided - - - com.unboundid - unboundid-ldapsdk - 3.1.1 - - - org.springframework.security - spring-security-web - 4.2.3.RELEASE - true + 1.7.25 + + junit junit 4.12 test - - com.redhat.lightblue.ldap - lightblue-ldap-test - 1.11.0 - test - org.slf4j slf4j-simple 1.7.21 test - - org.apache.directory.server - apacheds-server-integ - 1.5.7 - test - org.mockito mockito-all 1.10.19 test + + com.redhat.lightblue.ldap + lightblue-ldap-test + 1.11.0 + test + + + + + + org.esbtools.auth + org.esbtools.auth.common + ${project.version} + + + + - - org.apache.maven.plugins - maven-shade-plugin - 3.0.0 - - - package - - shade - - - false - - - - org.apache.maven.plugins maven-compiler-plugin @@ -305,4 +242,9 @@ + + spring-cert-ldap-login-module + jboss-cert-ldap-login-module + org.esbtools.auth.common + diff --git a/spring-cert-ldap-login-module/dependency-reduced-pom.xml b/spring-cert-ldap-login-module/dependency-reduced-pom.xml new file mode 100644 index 0000000..24abc67 --- /dev/null +++ b/spring-cert-ldap-login-module/dependency-reduced-pom.xml 
@@ -0,0 +1,69 @@ + + + + cert-ldap-login-module + org.esbtools.auth + 1.3.0-SNAPSHOT + + 4.0.0 + spring-cert-ldap-login-module + + + javax.servlet + servlet-api + 2.5 + provided + + + javax.ws.rs + javax.ws.rs-api + 2.1 + provided + + + junit + junit + 4.12 + test + + + hamcrest-core + org.hamcrest + + + + + org.slf4j + slf4j-simple + 1.7.21 + test + + + org.mockito + mockito-all + 1.10.19 + test + + + com.redhat.lightblue.ldap + lightblue-ldap-test + 1.11.0 + test + + + lightblue-core-config + com.redhat.lightblue + + + lightblue-core-test + com.redhat.lightblue + + + lightblue-mongo-test + com.redhat.lightblue.mongo + + + + + + diff --git a/spring-cert-ldap-login-module/pom.xml b/spring-cert-ldap-login-module/pom.xml new file mode 100644 index 0000000..2174e81 --- /dev/null +++ b/spring-cert-ldap-login-module/pom.xml @@ -0,0 +1,34 @@ + + 4.0.0 + + org.esbtools.auth + cert-ldap-login-module + 1.3.0-SNAPSHOT + + spring-cert-ldap-login-module + + + + org.esbtools.auth + org.esbtools.auth.common + + + org.springframework.security + spring-security-web + 4.2.3.RELEASE + + + javax.servlet + servlet-api + 2.5 + provided + + + javax.ws.rs + javax.ws.rs-api + 2.1 + provided + + + \ No newline at end of file diff --git a/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java b/spring-cert-ldap-login-module/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java similarity index 100% rename from src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java rename to spring-cert-ldap-login-module/src/main/java/org/esbtools/auth/spring/EsbToolsExceptionTraslatingFilter.java 
diff --git a/src/main/java/org/esbtools/auth/spring/LdapUserDetailsService.java b/spring-cert-ldap-login-module/src/main/java/org/esbtools/auth/spring/LdapUserDetailsService.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/spring/LdapUserDetailsService.java
rename to spring-cert-ldap-login-module/src/main/java/org/esbtools/auth/spring/LdapUserDetailsService.java
diff --git a/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java b/spring-cert-ldap-login-module/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java
similarity index 100%
rename from src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java
rename to spring-cert-ldap-login-module/src/main/java/org/esbtools/auth/spring/SpringCertEnvironmentVerificationFilter.java
From b73c857e983460b309624332c91c247a70651de9 Mon Sep 17 00:00:00 2001
From: Dennis Crissman
Date: Tue, 2 Jan 2018 12:36:01 -0500
Subject: [PATCH 11/19] remove files
---
 .../dependency-reduced-pom.xml | 63 -----------------
 .../dependency-reduced-pom.xml | 69 -------------------
 2 files changed, 132 deletions(-)
 delete mode 100644 org.esbtools.auth.common/dependency-reduced-pom.xml
 delete mode 100644 spring-cert-ldap-login-module/dependency-reduced-pom.xml
diff --git a/org.esbtools.auth.common/dependency-reduced-pom.xml b/org.esbtools.auth.common/dependency-reduced-pom.xml
deleted file mode 100644
index 867d54f..0000000
--- a/org.esbtools.auth.common/dependency-reduced-pom.xml
+++ /dev/null
@@ -1,63 +0,0 @@ - - - - cert-ldap-login-module - org.esbtools.auth - 1.3.0-SNAPSHOT - - 4.0.0 - org.esbtools.auth.common - - - javax.servlet - servlet-api - 2.5 - provided - - - junit - junit - 4.12 - test - - - hamcrest-core - org.hamcrest - - - - - org.slf4j - slf4j-simple - 1.7.21 - test - - - org.mockito - mockito-all - 1.10.19 - test - - - com.redhat.lightblue.ldap - lightblue-ldap-test - 1.11.0 - test - - - lightblue-core-config - com.redhat.lightblue - - - lightblue-core-test - com.redhat.lightblue - - - lightblue-mongo-test - com.redhat.lightblue.mongo - - - - - - diff --git a/spring-cert-ldap-login-module/dependency-reduced-pom.xml b/spring-cert-ldap-login-module/dependency-reduced-pom.xml deleted file mode 100644 index 24abc67..0000000 --- a/spring-cert-ldap-login-module/dependency-reduced-pom.xml +++ /dev/null @@ -1,69 +0,0 @@ - - - - cert-ldap-login-module - org.esbtools.auth - 1.3.0-SNAPSHOT - - 4.0.0 - spring-cert-ldap-login-module - - - javax.servlet - servlet-api - 2.5 - provided - - - javax.ws.rs - javax.ws.rs-api - 2.1 - provided - - - junit - junit - 4.12 - test - - - hamcrest-core - org.hamcrest - - - - - org.slf4j - slf4j-simple - 1.7.21 - test - - - org.mockito - mockito-all - 1.10.19 - test - - - com.redhat.lightblue.ldap - lightblue-ldap-test - 1.11.0 - test - - - lightblue-core-config - com.redhat.lightblue - - - lightblue-core-test - com.redhat.lightblue - - - lightblue-mongo-test - com.redhat.lightblue.mongo - - - - - - From 810a24960a59f9f5eecd59d45346078238a66cf3 Mon Sep 17 00:00:00 2001 From: Dennis Crissman Date: Tue, 2 Jan 2018 13:50:39 -0500 Subject: [PATCH 12/19] move blank check to common --- .../CertEnvironmentVerificationFilter.java | 29 ++++++++----------- .../org/esbtools/auth/util/Environment.java | 7 +++-- 2 files changed, 16 insertions(+), 20 deletions(-) 
diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java
index 16f36f9..0be82e7 100644
--- a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java
+++ b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java
@@ -23,7 +23,7 @@ public class CertEnvironmentVerificationFilter implements Filter {
 private final Environment env;
 public CertEnvironmentVerificationFilter(String environment) {
- env = (null == environment) ? null : new Environment(environment);
+ env = new Environment(environment);
 LOGGER.info("Cert Environment: " + ((environment == null) ? "Not Set" : environment));
 }
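Review bot: The "Not Set" branch of the info log still tests only `environment == null`, but after this commit Environment.validate also treats a blank string as unconfigured (see the Environment.java hunk in the same patch), so `new CertEnvironmentVerificationFilter("")` logs an empty environment name and then runs with the check off without saying so. `LOGGER.info("Cert Environment: " + (StringUtils.isBlank(environment) ? "Not Set" : environment));` keeps the log aligned with the behaviour; commons-lang is already a dependency of this module, so StringUtils is available here as it is in Environment. Since an unset environment disables an authentication control, the "Not Set" case is better logged at warn than at info.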
@@ -40,27 +40,22 @@ public void destroy() {
 @Override
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
- if (null != env) {
- LOGGER.debug("Attempting Environment Cert verification");
- X509Certificate certChain[] = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
+ LOGGER.debug("Attempting Environment Cert verification");
+ X509Certificate certChain[] = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
- if ((null != certChain) && (certChain.length > 0)) {
- LOGGER.debug("Verifying environment on cert");
- String dn = certChain[0].getSubjectDN().getName();
- try {
- env.validate(dn);
- }
- catch (NamingException e) {
- unsuccessfulAuthentication(request, response, e);
- return; //end the chain
- }
+ if ((null != certChain) && (certChain.length > 0)) {
+ LOGGER.debug("Verifying environment on cert");
+ String dn = certChain[0].getSubjectDN().getName();
+ try {
+ env.validate(dn);
 }
- else {
- LOGGER.debug("Cert not found. Skipping Environment Cert verification.");
+ catch (NamingException e) {
+ unsuccessfulAuthentication(request, response, e);
+ return; //end the chain
 }
 }
 else {
- LOGGER.debug("No environment configured. Skipping Environment Cert verification.");
+ LOGGER.debug("Cert not found. Skipping Environment Cert verification.");
 }
 chain.doFilter(request, response);
diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/Environment.java b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/Environment.java
index 24561f8..b453402 100644
--- a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/Environment.java
+++ b/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/Environment.java
@@ -2,7 +2,6 @@
 import java.util.Arrays;
 import java.util.List;
-import java.util.Objects;
 import javax.naming.NamingException;
 import javax.naming.directory.NoSuchAttributeException;
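Review bot: The re-added `String dn = certChain[0].getSubjectDN().getName();` hands Environment a subject string whose format is left to the security provider, while Environment parses it attribute by attribute; `String dn = certChain[0].getSubjectX500Principal().getName();` returns the RFC 2253 form and is the stable input to pin while this block is being rewritten. Now that `env` is never null, a reader of the new branch also cannot tell that `env.validate(dn)` may do nothing; a comment such as `// Environment.validate() returns without checking when no environment is configured` records that. doFilter's closing brace lies outside the hunk.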
@@ -37,13 +36,15 @@ public Environment(String environment) {
 }
 public Environment(String environment, String allAccessOu) {
- Objects.requireNonNull(environment);
-
 this.environment = environment;
 this.allAccessOu = allAccessOu;
 }
 public void validate(String certificatePrincipal) throws NamingException {
+ if (StringUtils.isBlank(getEnvironment())) {
+ LOGGER.debug("No environment configured. Skipping Environment Cert verification.");
+ return;
+ }
 String ou = getLDAPAttribute(certificatePrincipal, OU);
 LOGGER.debug("OU from certificate: ", ou);
From bee312a4067972004d741dac9aed5dd11a302f21 Mon Sep 17 00:00:00 2001
From: Dennis Crissman
Date: Tue, 2 Jan 2018 14:07:26 -0500
Subject: [PATCH 13/19] unit test fixes
---
 jboss-cert-ldap-login-module/pom.xml | 2 +-
 org.esbtools.auth.common/pom.xml | 2 +-
 .../java/org/esbtools/auth/util/EnvironmentTest.java | 10 ++++++++--
 spring-cert-ldap-login-module/pom.xml | 2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/jboss-cert-ldap-login-module/pom.xml b/jboss-cert-ldap-login-module/pom.xml
index bbd1222..f2b13a9 100644
--- a/jboss-cert-ldap-login-module/pom.xml
+++ b/jboss-cert-ldap-login-module/pom.xml
@@ -87,4 +87,4 @@
-
\ No newline at end of file
+
diff --git a/org.esbtools.auth.common/pom.xml b/org.esbtools.auth.common/pom.xml
index a171ff8..a996e28 100644
--- a/org.esbtools.auth.common/pom.xml
+++ b/org.esbtools.auth.common/pom.xml
@@ -31,4 +31,4 @@
 3.1.1
-
\ No newline at end of file
+
diff --git a/org.esbtools.auth.common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java b/org.esbtools.auth.common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java
index 1bcbb4f..537c770 100644
--- a/org.esbtools.auth.common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java
+++ b/org.esbtools.auth.common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java
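Review bot: Replacing the constructor's `Objects.requireNonNull(environment)` with an early return in validate() turns a missing or blank environment into a silent fail-open: the method returns without examining the certificate and records that only at debug level, so any caller that constructs Environment directly — such as the login module's `environment.validate(certPrincipal)` later in this series — gets no signal that the check is disabled. Log the skip at warn (`LOGGER.warn("No environment configured. Skipping Environment Cert verification.");`) and state the contract on the method, e.g. `/** Verifies that the certificate principal's OU matches the configured environment; a no-op when no environment is configured. */`. On the new side, `LOGGER.debug("OU from certificate: ", ou);` has no `{}` placeholder, so if LOGGER is an SLF4J logger the OU value is never printed — `LOGGER.debug("OU from certificate: {}", ou);`. validate() continues past the end of the hunk.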
@@ -16,9 +16,15 @@ public class EnvironmentTest {
 @Rule public ExpectedException expectedEx = ExpectedException.none();
- @Test(expected = NullPointerException.class)
 public void testValidate_NullEnvironment() throws Exception {
- new Environment(null);
+ new Environment(null)
+ .validate("ou=someuser,l=dev");
+ }
+
+ @Test
+ public void testValidate_EmptyEnvironment() throws Exception {
+ new Environment("")
+ .validate("ou=someuser,l=dev");
 }
 @Test
diff --git a/spring-cert-ldap-login-module/pom.xml b/spring-cert-ldap-login-module/pom.xml
index 2174e81..447ab9c 100644
--- a/spring-cert-ldap-login-module/pom.xml
+++ b/spring-cert-ldap-login-module/pom.xml
@@ -31,4 +31,4 @@ provided
-
\ No newline at end of file
+
From 8231c25b9a683a93ff8dbcba9870b19cf95411d0 Mon Sep 17 00:00:00 2001
From: Dennis Crissman
Date: Wed, 3 Jan 2018 10:30:35 -0500
Subject: [PATCH 14/19] requested changes
---
 jboss-cert-ldap-login-module/pom.xml | 20 -------------
 .../auth/jboss/CertLdapLoginModule.java | 10 +++----
 org.esbtools.auth.common/pom.xml | 3 +-
 pom.xml | 29 ++++++++++++-------
 spring-cert-ldap-login-module/pom.xml | 5 ++--
 5 files changed, 26 insertions(+), 41 deletions(-)
diff --git a/jboss-cert-ldap-login-module/pom.xml b/jboss-cert-ldap-login-module/pom.xml
index f2b13a9..dada4d4 100644
--- a/jboss-cert-ldap-login-module/pom.xml
+++ b/jboss-cert-ldap-login-module/pom.xml
@@ -45,26 +45,6 @@ 4.9.6.Final provided - - - - org.slf4j - slf4j-api - 1.7.7 - provided - - - com.google.guava - guava - 19.0 - provided - - - commons-lang - commons-lang - 2.6 - provided -
diff --git a/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java b/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java
index f553604..4b23128 100644
--- a/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java
+++ b/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java
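Review bot: `testValidate_NullEnvironment` is left with no annotation — `@Test(expected = NullPointerException.class)` is removed and nothing replaces it — so JUnit 4 never executes the method and the null-environment path this commit sets out to cover stays untested. Add `@Test` on the line before `public void testValidate_NullEnvironment() throws Exception {`, as the new `testValidate_EmptyEnvironment` has. Both tests only check that `validate` returns without throwing, which is the intended behaviour after the Environment change; a comment such as `// a null or blank environment disables the check instead of failing` would record what they assert.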
@@ -153,14 +153,12 @@ protected Group[] getRoleSets() throws LoginException {
 //first try getting search name from uid in certificate principle (new certificates)
 String searchName = environment.getLDAPAttribute(certPrincipal, UID);
- if(StringUtils.isNotBlank(searchName)) {
- //only try to validate environment if it is a certificate that contains uid
- environment.validate(certPrincipal);
- } else {
- // fallback to getting search name from cn in certificate principle (legacy certificates)
- searchName = environment.getLDAPAttribute(certPrincipal, CN);
+ if (StringUtils.isBlank(searchName)) {
+ throw new LoginException("A certificate is required.");
 }
+ environment.validate(certPrincipal);
+
 Collection groupNames = rolesProvider.getUserRoles(searchName);
 p = super.createIdentity(roleName);
diff --git a/org.esbtools.auth.common/pom.xml b/org.esbtools.auth.common/pom.xml
index a996e28..4e0711a 100644
--- a/org.esbtools.auth.common/pom.xml
+++ b/org.esbtools.auth.common/pom.xml
@@ -12,8 +12,7 @@ javax.servlet servlet-api - 2.5 - provided + provided commons-lang
diff --git a/pom.xml b/pom.xml
index 796093a..6ffa5c1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,5 +1,6 @@ - + org.sonatype.oss oss-parent
@@ -27,20 +28,22 @@ HEAD - UTF-8 - true - true - lines,vars,source - true - esbtools: jboss-cert-ldap-login-module - **/*Test.java,**/*Exception.java + 1.7.25 + + UTF-8 + true + true + lines,vars,source + true + esbtools: jboss-cert-ldap-login-module + **/*Test.java,**/*Exception.java org.slf4j slf4j-api - 1.7.25 + ${slf4j.version}
@@ -53,7 +56,7 @@ org.slf4j slf4j-simple - 1.7.21 + ${slf4j.version} test
@@ -77,6 +80,12 @@ org.esbtools.auth.common ${project.version} + + javax.servlet + servlet-api + 2.5 + provided +
diff --git a/spring-cert-ldap-login-module/pom.xml b/spring-cert-ldap-login-module/pom.xml
index 447ab9c..84a159f 100644
--- a/spring-cert-ldap-login-module/pom.xml
+++ b/spring-cert-ldap-login-module/pom.xml
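Review bot: The new `throw new LoginException("A certificate is required.")` fires when a certificate is present but its subject carries no uid attribute, so the message misdescribes the failure to whoever reads the login-module log; `throw new LoginException("Certificate subject does not contain a uid attribute.");` says what actually went wrong. The hunk also drops the CN fallback for legacy certificates, a behaviour change for existing deployments that the commit message ("requested changes") does not record — a comment above the check such as `// uid is mandatory; legacy cn-only certificates are no longer accepted` plus a README or changelog line would make it discoverable. getRoleSets starts before the hunk and continues after it.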
@@ -21,14 +21,13 @@ javax.servlet servlet-api - 2.5 - provided + provided javax.ws.rs javax.ws.rs-api 2.1 - provided + provided From 42664c8ac1a4c44288c45ee9a652285b1f1eb8de Mon Sep 17 00:00:00 2001 From: Dennis Crissman Date: Wed, 3 Jan 2018 11:23:11 -0500 Subject: [PATCH 15/19] READMEs --- README.md | 2 + jboss-cert-ldap-login-module/README.md | 3 - spring-cert-ldap-login-module/README.md | 104 ++++++++++++++++++++++++ 3 files changed, 106 insertions(+), 3 deletions(-) create mode 100644 spring-cert-ldap-login-module/README.md diff --git a/README.md b/README.md index e69de29..42bf135 100644 --- a/README.md +++ b/README.md @@ -0,0 +1,2 @@ +[![Build Status](https://travis-ci.org/esbtools/cert-ldap-login-module.svg?branch=master)](https://travis-ci.org/esbtools/ldap-login-module.svg?branch=master) +[![Coverage Status](https://coveralls.io/repos/esbtools/cert-ldap-login-module/badge.svg?branch=master&service=github)](https://coveralls.io/github/esbtools/cert-ldap-login-module?branch=master) diff --git a/jboss-cert-ldap-login-module/README.md b/jboss-cert-ldap-login-module/README.md index 54da552..ca4a801 100644 --- a/jboss-cert-ldap-login-module/README.md +++ b/jboss-cert-ldap-login-module/README.md @@ -1,6 +1,3 @@ -[![Build Status](https://travis-ci.org/esbtools/jboss-cert-ldap-login-module.svg?branch=master)](https://travis-ci.org/esbtools/jboss-cert-ldap-login-module.svg?branch=master) -[![Coverage Status](https://coveralls.io/repos/esbtools/jboss-cert-ldap-login-module/badge.svg?branch=master&service=github)](https://coveralls.io/github/esbtools/jboss-cert-ldap-login-module?branch=master) - # How to configure authentication/authorization on JBoss In standalone.xml: diff --git a/spring-cert-ldap-login-module/README.md b/spring-cert-ldap-login-module/README.md new file mode 100644 index 0000000..86060ab --- /dev/null +++ b/spring-cert-ldap-login-module/README.md 
@@ -0,0 +1,104 @@ +# How to configure authentication/authorization in Spring Security + +Using annotation driven configuration: + +``` java +import org.esbtools.auth.ldap.LdapConfiguration; +import org.esbtools.auth.spring.LdapUserDetailsService; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.PropertySource; + +@Configuration +@PropertySource(value = {"classpath:/ldapconfig.properties"}) +public class ApplicationConfiguration { + + @Bean + public LdapConfiguration ldapConfiguration( + @Value("${ldapconfig.server}") String server, + @Value("${ldapconfig.port}") Integer port, + @Value("${ldapconfig.username}") String bindDn, + @Value("${ldapconfig.password}") String bindDNPwd, + @Value("${ldapconfig.pool_size}") Integer poolSize, + @Value("${ldapconfig.use_tls}") Boolean useSSL, + @Value("${ldapconfig.truststore}") String trustStore, + @Value("${ldapconfig.truststore_password}") String trustStorePassword, + @Value("${ldapconfig.connectionTimeoutMS}") Integer connectionTimeoutMS, + @Value("${ldapconfig.responseTimeoutMS}") Integer responseTimeoutMS, + @Value("${ldapconfig.debug}") Boolean debug, + @Value("${ldapconfig.keepAlive}") Boolean keepAlive, + @Value("${ldapconfig.poolMaxConnectionAgeMS}") Integer poolMaxConnectionAgeMS) { + + LdapConfiguration config = new LdapConfiguration(); + config.server(server); + config.port(port); + config.bindDn(bindDn); + config.bindDNPwd(bindDNPwd); + config.poolSize(poolSize); + config.useSSL(useSSL); + config.trustStore(trustStore); + config.trustStorePassword(trustStorePassword); + config.connectionTimeoutMS(connectionTimeoutMS); + config.responseTimeoutMS(responseTimeoutMS); + config.debug(debug); + config.keepAlive(keepAlive); + config.poolMaxConnectionAgeMS(poolMaxConnectionAgeMS); + + return config; + } + + @Bean + public LdapUserDetailsService 
ldapUserDetailsService( + LdapConfiguration ldapConfiguration, + @Value("${ldapconfig.search_base:dc=redhat,dc=com}") String searchBaseDn, + @Value("${ldapconfig.rolesCacheExpiryMS:300000}") int rolesCacheExpiryMS) throws Exception { + return new LdapUserDetailsService( + searchBaseDn, + ldapConfiguration, + rolesCacheExpiryMS); + } + +} +``` + +``` java +import org.esbtools.auth.spring.EsbToolsExceptionTraslatingFilter; +import org.esbtools.auth.spring.EsbToolsExceptionTraslatingFilter.ErrorResponseWriter; +import org.esbtools.auth.spring.SpringCertEnvironmentVerificationFilter; +import org.esbtools.auth.spring.LdapUserDetailsService; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.context.annotation.Configuration; + +@Configuration +@EnableWebSecurity +public class SecurityConfiguration extends WebSecurityConfigurerAdapter { + + @Autowired + private LdapUserDetailsService ldapUserDetailsService; + + @Override + protected void configure(HttpSecurity http) throws Exception + { + //... + + http.x509() + .authenticationUserDetailsService(ldapUserDetailsService) + .and() + .addFilterAfter( + new EsbToolsExceptionTraslatingFilter(new ErrorResponseWriter() { + //... + }), + ExceptionTranslationFilter.class) + .addFilterAfter( + new SpringCertEnvironmentVerificationFilter("expectedEnvironment"), + EsbToolsExceptionTraslatingFilter.class); + + //... + } + + //... +} +``` From 917fd6915505d7a7cfee455523d3a8862d39d6ac Mon Sep 17 00:00:00 2001 
From: Dennis Crissman Date: Wed, 3 Jan 2018 12:08:55 -0500 Subject: [PATCH 16/19] add unit test --- .../spring/LdapUserDetailsServiceTest.java | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 spring-cert-ldap-login-module/src/test/java/org/esbtools/auth/spring/LdapUserDetailsServiceTest.java diff --git a/spring-cert-ldap-login-module/src/test/java/org/esbtools/auth/spring/LdapUserDetailsServiceTest.java b/spring-cert-ldap-login-module/src/test/java/org/esbtools/auth/spring/LdapUserDetailsServiceTest.java new file mode 100644 index 0000000..e81dec7 --- /dev/null +++ b/spring-cert-ldap-login-module/src/test/java/org/esbtools/auth/spring/LdapUserDetailsServiceTest.java 
@@ -0,0 +1,79 @@
+package org.esbtools.auth.spring;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.Collections;
+import java.util.HashSet;
+
+import org.esbtools.auth.util.RolesProvider;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class LdapUserDetailsServiceTest {
+
+ @Mock
+ private RolesProvider rolesProvider;
+
+ @Test
+ public void testLoadUserByUsername_UsernameShouldAlwaysBeReturned() throws Exception {
+ when(rolesProvider.getUserRoles(anyString())).thenReturn(new HashSet<>());
+
+ UserDetails details = new LdapUserDetailsService(rolesProvider)
+ .loadUserByUsername("johnny5");
+
+ assertNotNull(details);
+ assertEquals("johnny5", details.getUsername());
+
+ verify(rolesProvider, times(1)).getUserRoles(anyString());
+ }
+
+ @Test
+ public void testLoadUserByUsername_NoRoles() throws Exception {
+ when(rolesProvider.getUserRoles(anyString())).thenReturn(new HashSet<>());
+
+ UserDetails details = new LdapUserDetailsService(rolesProvider)
+ .loadUserByUsername("johnny5");
+
+ assertNotNull(details);
+ assertTrue(details.getAuthorities().isEmpty());
+
+ verify(rolesProvider, times(1)).getUserRoles(anyString());
+ }
+
+ @Test
+ public void testLoadUserByUsername_Roles() throws Exception {
+ when(rolesProvider.getUserRoles(anyString())).thenReturn(
+ Collections.singleton("laser"));
+
+ UserDetails details = new LdapUserDetailsService(rolesProvider)
+ .loadUserByUsername("johnny5");
+
+ assertNotNull(details);
+ assertEquals(1, details.getAuthorities().size());
+ assertEquals("laser", details.getAuthorities().iterator().next().getAuthority());
+
+ verify(rolesProvider, times(1)).getUserRoles(anyString());
+ }
+
+ @Test(expected = UsernameNotFoundException.class)
+ public void testLoadUserByUsername_UsernameNotFound() throws Exception {
+ when(rolesProvider.getUserRoles(anyString())).thenThrow(
+ new Exception("fake excepion"));
+
+ new LdapUserDetailsService(rolesProvider)
+ .loadUserByUsername("larry");
+
+ }
+
+}
From f146d7b080202e5701d4f09306ad3be274a53d2b Mon Sep 17 00:00:00 2001 From: Dennis Crissman Date: Thu, 4 Jan 2018 09:03:25 -0500 Subject: [PATCH 17/19] requested changes: --- README.md | 134 ++++++++++++++++++ jboss-cert-ldap-login-module/README.md | 28 ---- .../auth/jboss/CertLdapLoginModule.java | 3 +- pom.xml | 6 +- spring-cert-ldap-login-module/README.md | 104 -------------- 5 files changed, 137 insertions(+), 138 deletions(-)
diff --git a/README.md b/README.md
index 42bf135..f7ede1a 100644
--- a/README.md
+++ b/README.md
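Review bot: Every verify in this file matches with `anyString()`, so none of the tests pin that the username handed to loadUserByUsername is the one forwarded to the roles provider; `verify(rolesProvider, times(1)).getUserRoles("johnny5");` would catch a service that normalises or substitutes the lookup key. In testLoadUserByUsername_UsernameNotFound the stub throws a plain `Exception`, so what the test actually asserts is that any provider failure — an LDAP outage included — is reported as UsernameNotFoundException; that mapping deserves to be stated, e.g. `// any RolesProvider failure is surfaced to Spring Security as an unknown user`, and complemented by an assertion that the original exception is kept as the cause so outages remain diagnosable in logs. `org.mockito.Matchers` and `org.mockito.runners.MockitoJUnitRunner` are the pre-Mockito-2 locations; if the project is on Mockito 2 or later, `ArgumentMatchers` and `org.mockito.junit.MockitoJUnitRunner` avoid deprecation warnings. The stub message "fake excepion" is also misspelled.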
@@ -1,2 +1,136 @@ [![Build Status](https://travis-ci.org/esbtools/cert-ldap-login-module.svg?branch=master)](https://travis-ci.org/esbtools/ldap-login-module.svg?branch=master) [![Coverage Status](https://coveralls.io/repos/esbtools/cert-ldap-login-module/badge.svg?branch=master&service=github)](https://coveralls.io/github/esbtools/cert-ldap-login-module?branch=master) + +# How to configure authentication/authorization on JBoss + +In standalone.xml: + +``` + + + + + + + + + + + + + + + + + + + + + + +``` + +# How to configure authentication/authorization in Spring Security + +Using annotation driven configuration: + +``` java +import org.esbtools.auth.ldap.LdapConfiguration; +import org.esbtools.auth.spring.LdapUserDetailsService; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.PropertySource; + +@Configuration +@PropertySource(value = {"classpath:/ldapconfig.properties"}) +public class ApplicationConfiguration { + + @Bean + public LdapConfiguration ldapConfiguration( + @Value("${ldapconfig.server}") String server, + @Value("${ldapconfig.port}") Integer port, + @Value("${ldapconfig.username}") String bindDn, + @Value("${ldapconfig.password}") String bindDNPwd, + @Value("${ldapconfig.pool_size}") Integer poolSize, + @Value("${ldapconfig.use_tls}") Boolean useSSL, + @Value("${ldapconfig.truststore}") String trustStore, + @Value("${ldapconfig.truststore_password}") String trustStorePassword, + @Value("${ldapconfig.connectionTimeoutMS}") Integer connectionTimeoutMS, + @Value("${ldapconfig.responseTimeoutMS}") Integer responseTimeoutMS, + @Value("${ldapconfig.debug}") Boolean debug, + @Value("${ldapconfig.keepAlive}") Boolean keepAlive, + @Value("${ldapconfig.poolMaxConnectionAgeMS}") Integer poolMaxConnectionAgeMS) { + + LdapConfiguration config = new LdapConfiguration(); + config.server(server); + 
config.port(port); + config.bindDn(bindDn); + config.bindDNPwd(bindDNPwd); + config.poolSize(poolSize); + config.useSSL(useSSL); + config.trustStore(trustStore); + config.trustStorePassword(trustStorePassword); + config.connectionTimeoutMS(connectionTimeoutMS); + config.responseTimeoutMS(responseTimeoutMS); + config.debug(debug); + config.keepAlive(keepAlive); + config.poolMaxConnectionAgeMS(poolMaxConnectionAgeMS); + + return config; + } + + @Bean + public LdapUserDetailsService ldapUserDetailsService( + LdapConfiguration ldapConfiguration, + @Value("${ldapconfig.search_base:dc=redhat,dc=com}") String searchBaseDn, + @Value("${ldapconfig.rolesCacheExpiryMS:300000}") int rolesCacheExpiryMS) throws Exception { + return new LdapUserDetailsService( + searchBaseDn, + ldapConfiguration, + rolesCacheExpiryMS); + } + +} +``` + +``` java +import org.esbtools.auth.spring.EsbToolsExceptionTraslatingFilter; +import org.esbtools.auth.spring.EsbToolsExceptionTraslatingFilter.ErrorResponseWriter; +import org.esbtools.auth.spring.SpringCertEnvironmentVerificationFilter; +import org.esbtools.auth.spring.LdapUserDetailsService; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.context.annotation.Configuration; + +@Configuration +@EnableWebSecurity +public class SecurityConfiguration extends WebSecurityConfigurerAdapter { + + @Autowired + private LdapUserDetailsService ldapUserDetailsService; + + @Override + protected void configure(HttpSecurity http) throws Exception + { + //... + + http.x509() + .authenticationUserDetailsService(ldapUserDetailsService) + .and() + .addFilterAfter( + new EsbToolsExceptionTraslatingFilter(new ErrorResponseWriter() { + //... 
+ }), + ExceptionTranslationFilter.class) + .addFilterAfter( + new SpringCertEnvironmentVerificationFilter("expectedEnvironment"), + EsbToolsExceptionTraslatingFilter.class); + + //... + } + + //... +} +``` diff --git a/jboss-cert-ldap-login-module/README.md b/jboss-cert-ldap-login-module/README.md index ca4a801..e69de29 100644 --- a/jboss-cert-ldap-login-module/README.md +++ b/jboss-cert-ldap-login-module/README.md @@ -1,28 +0,0 @@ -# How to configure authentication/authorization on JBoss - -In standalone.xml: - -``` - - - - - - - - - - - - - - - - - - - - - - -``` diff --git a/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java b/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java index 4b23128..82c57ae 100644 --- a/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java +++ b/jboss-cert-ldap-login-module/src/main/java/org/esbtools/auth/jboss/CertLdapLoginModule.java @@ -151,10 +151,9 @@ protected Group[] getRoleSets() throws LoginException { LOGGER.debug("Certificate principal:" + certPrincipal); - //first try getting search name from uid in certificate principle (new certificates) String searchName = environment.getLDAPAttribute(certPrincipal, UID); if (StringUtils.isBlank(searchName)) { - throw new LoginException("A certificate is required."); + throw new LoginException("A certificate with a UID attribute in the subject name is required."); } environment.validate(certPrincipal); diff --git a/pom.xml b/pom.xml index 6ffa5c1..4dba015 100644 --- a/pom.xml +++ b/pom.xml @@ -28,8 +28,6 @@ HEAD - 1.7.25 - UTF-8 true true @@ -43,7 +41,7 @@ org.slf4j slf4j-api - ${slf4j.version} + 1.7.25 @@ -56,7 +54,7 @@ org.slf4j slf4j-simple - ${slf4j.version} + 1.7.25 test diff --git a/spring-cert-ldap-login-module/README.md b/spring-cert-ldap-login-module/README.md index 86060ab..e69de29 100644 --- a/spring-cert-ldap-login-module/README.md 
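Review bot: The debug line kept as context in the CertLdapLoginModule hunk, `LOGGER.debug("Certificate principal:" + certPrincipal);`, concatenates the principal even when debug logging is disabled; with the SLF4J API the root pom declares, `LOGGER.debug("Certificate principal: {}", certPrincipal);` defers that work to the logger and matches parameterized-logging style. The new exception message correctly names the UID requirement, so no change is needed there. getRoleSets begins and ends outside the hunk.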
+++ b/spring-cert-ldap-login-module/README.md 
@@ -1,104 +0,0 @@ -# How to configure authentication/authorization in Spring Security - -Using annotation driven configuration: - -``` java -import org.esbtools.auth.ldap.LdapConfiguration; -import org.esbtools.auth.spring.LdapUserDetailsService; -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.context.annotation.PropertySource; - -@Configuration -@PropertySource(value = {"classpath:/ldapconfig.properties"}) -public class ApplicationConfiguration { - - @Bean - public LdapConfiguration ldapConfiguration( - @Value("${ldapconfig.server}") String server, - @Value("${ldapconfig.port}") Integer port, - @Value("${ldapconfig.username}") String bindDn, - @Value("${ldapconfig.password}") String bindDNPwd, - @Value("${ldapconfig.pool_size}") Integer poolSize, - @Value("${ldapconfig.use_tls}") Boolean useSSL, - @Value("${ldapconfig.truststore}") String trustStore, - @Value("${ldapconfig.truststore_password}") String trustStorePassword, - @Value("${ldapconfig.connectionTimeoutMS}") Integer connectionTimeoutMS, - @Value("${ldapconfig.responseTimeoutMS}") Integer responseTimeoutMS, - @Value("${ldapconfig.debug}") Boolean debug, - @Value("${ldapconfig.keepAlive}") Boolean keepAlive, - @Value("${ldapconfig.poolMaxConnectionAgeMS}") Integer poolMaxConnectionAgeMS) { - - LdapConfiguration config = new LdapConfiguration(); - config.server(server); - config.port(port); - config.bindDn(bindDn); - config.bindDNPwd(bindDNPwd); - config.poolSize(poolSize); - config.useSSL(useSSL); - config.trustStore(trustStore); - config.trustStorePassword(trustStorePassword); - config.connectionTimeoutMS(connectionTimeoutMS); - config.responseTimeoutMS(responseTimeoutMS); - config.debug(debug); - config.keepAlive(keepAlive); - config.poolMaxConnectionAgeMS(poolMaxConnectionAgeMS); - - return config; - } - - @Bean - public LdapUserDetailsService 
ldapUserDetailsService( - LdapConfiguration ldapConfiguration, - @Value("${ldapconfig.search_base:dc=redhat,dc=com}") String searchBaseDn, - @Value("${ldapconfig.rolesCacheExpiryMS:300000}") int rolesCacheExpiryMS) throws Exception { - return new LdapUserDetailsService( - searchBaseDn, - ldapConfiguration, - rolesCacheExpiryMS); - } - -} -``` - -``` java -import org.esbtools.auth.spring.EsbToolsExceptionTraslatingFilter; -import org.esbtools.auth.spring.EsbToolsExceptionTraslatingFilter.ErrorResponseWriter; -import org.esbtools.auth.spring.SpringCertEnvironmentVerificationFilter; -import org.esbtools.auth.spring.LdapUserDetailsService; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.context.annotation.Configuration; - -@Configuration -@EnableWebSecurity -public class SecurityConfiguration extends WebSecurityConfigurerAdapter { - - @Autowired - private LdapUserDetailsService ldapUserDetailsService; - - @Override - protected void configure(HttpSecurity http) throws Exception - { - //... - - http.x509() - .authenticationUserDetailsService(ldapUserDetailsService) - .and() - .addFilterAfter( - new EsbToolsExceptionTraslatingFilter(new ErrorResponseWriter() { - //... - }), - ExceptionTranslationFilter.class) - .addFilterAfter( - new SpringCertEnvironmentVerificationFilter("expectedEnvironment"), - EsbToolsExceptionTraslatingFilter.class); - - //... - } - - //... -} -``` From 830a10c5f1b4a959608944232d929692067f98b6 Mon Sep 17 00:00:00 2001 
From: Dennis Crissman Date: Thu, 4 Jan 2018 09:07:03 -0500 Subject: [PATCH 18/19] rename common module --- .../pom.xml | 2 +- .../src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java | 0 .../src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java | 0 .../auth/servlet/CertEnvironmentVerificationFilter.java | 0 .../main/java/org/esbtools/auth/util/CachedRolesProvider.java | 0 .../src/main/java/org/esbtools/auth/util/Environment.java | 0 .../src/main/java/org/esbtools/auth/util/RequestDumper.java | 0 .../src/main/java/org/esbtools/auth/util/RolesCache.java | 0 .../src/main/java/org/esbtools/auth/util/RolesProvider.java | 0 .../test/java/org/esbtools/auth/CachedRolesProviderTest.java | 0 .../org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java | 0 .../auth/servlet/CertEnvironmentVerificationFilterTest.java | 0 .../src/test/java/org/esbtools/auth/util/EnvironmentTest.java | 0 .../src/test/resources/simplelogger.properties | 0 pom.xml | 2 +- 15 files changed, 2 insertions(+), 2 deletions(-) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/pom.xml (94%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/main/java/org/esbtools/auth/util/CachedRolesProvider.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/main/java/org/esbtools/auth/util/Environment.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/main/java/org/esbtools/auth/util/RequestDumper.java (100%) rename {org.esbtools.auth.common => 
cert-ldap-login-module-common}/src/main/java/org/esbtools/auth/util/RolesCache.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/main/java/org/esbtools/auth/util/RolesProvider.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/test/java/org/esbtools/auth/util/EnvironmentTest.java (100%) rename {org.esbtools.auth.common => cert-ldap-login-module-common}/src/test/resources/simplelogger.properties (100%) diff --git a/org.esbtools.auth.common/pom.xml b/cert-ldap-login-module-common/pom.xml similarity index 94% rename from org.esbtools.auth.common/pom.xml rename to cert-ldap-login-module-common/pom.xml index 4e0711a..6a0b49b 100644 --- a/org.esbtools.auth.common/pom.xml +++ b/cert-ldap-login-module-common/pom.xml @@ -6,7 +6,7 @@ cert-ldap-login-module 1.3.0-SNAPSHOT - org.esbtools.auth.common + cert-ldap-login-module-common diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java b/cert-ldap-login-module-common/src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java similarity index 100% rename from org.esbtools.auth.common/src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java rename to cert-ldap-login-module-common/src/main/java/org/esbtools/auth/ldap/LdapConfiguration.java 
diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java b/cert-ldap-login-module-common/src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java similarity index 100% rename from org.esbtools.auth.common/src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java rename to cert-ldap-login-module-common/src/main/java/org/esbtools/auth/ldap/LdapRolesProvider.java diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java b/cert-ldap-login-module-common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java similarity index 100% rename from org.esbtools.auth.common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java rename to cert-ldap-login-module-common/src/main/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilter.java diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/CachedRolesProvider.java b/cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/CachedRolesProvider.java similarity index 100% rename from org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/CachedRolesProvider.java rename to cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/CachedRolesProvider.java diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/Environment.java b/cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/Environment.java similarity index 100% rename from org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/Environment.java rename to cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/Environment.java 
diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RequestDumper.java b/cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/RequestDumper.java similarity index 100% rename from org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RequestDumper.java rename to cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/RequestDumper.java diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RolesCache.java b/cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/RolesCache.java similarity index 100% rename from org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RolesCache.java rename to cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/RolesCache.java diff --git a/org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RolesProvider.java b/cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/RolesProvider.java similarity index 100% rename from org.esbtools.auth.common/src/main/java/org/esbtools/auth/util/RolesProvider.java rename to cert-ldap-login-module-common/src/main/java/org/esbtools/auth/util/RolesProvider.java diff --git a/org.esbtools.auth.common/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java b/cert-ldap-login-module-common/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java similarity index 100% rename from org.esbtools.auth.common/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java rename to cert-ldap-login-module-common/src/test/java/org/esbtools/auth/CachedRolesProviderTest.java 
diff --git a/org.esbtools.auth.common/src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java b/cert-ldap-login-module-common/src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java similarity index 100% rename from org.esbtools.auth.common/src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java rename to cert-ldap-login-module-common/src/test/java/org/esbtools/auth/ldap/LdapRoleProviderIntegrationTest.java diff --git a/org.esbtools.auth.common/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java b/cert-ldap-login-module-common/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java similarity index 100% rename from org.esbtools.auth.common/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java rename to cert-ldap-login-module-common/src/test/java/org/esbtools/auth/servlet/CertEnvironmentVerificationFilterTest.java diff --git a/org.esbtools.auth.common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java b/cert-ldap-login-module-common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java similarity index 100% rename from org.esbtools.auth.common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java rename to cert-ldap-login-module-common/src/test/java/org/esbtools/auth/util/EnvironmentTest.java diff --git a/org.esbtools.auth.common/src/test/resources/simplelogger.properties b/cert-ldap-login-module-common/src/test/resources/simplelogger.properties similarity index 100% rename from org.esbtools.auth.common/src/test/resources/simplelogger.properties rename to cert-ldap-login-module-common/src/test/resources/simplelogger.properties diff --git a/pom.xml b/pom.xml index 4dba015..0822d0b 100644 --- a/pom.xml +++ b/pom.xml @@ -252,6 +252,6 @@ spring-cert-ldap-login-module jboss-cert-ldap-login-module - org.esbtools.auth.common + cert-ldap-login-module-common 
From 6b10ba9e4ea832c5767c99b1394a72b89052941c Mon Sep 17 00:00:00 2001 From: Dennis Crissman Date: Thu, 4 Jan 2018 09:35:56 -0500 Subject: [PATCH 19/19] naming fixes --- jboss-cert-ldap-login-module/pom.xml | 2 +- pom.xml | 4 ++-- spring-cert-ldap-login-module/pom.xml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/jboss-cert-ldap-login-module/pom.xml b/jboss-cert-ldap-login-module/pom.xml index dada4d4..b7df9cf 100644 --- a/jboss-cert-ldap-login-module/pom.xml +++ b/jboss-cert-ldap-login-module/pom.xml @@ -24,7 +24,7 @@ org.esbtools.auth - org.esbtools.auth.common + cert-ldap-login-module-common org.jboss.spec diff --git a/pom.xml b/pom.xml index 0822d0b..ec4efa6 100644 --- a/pom.xml +++ b/pom.xml @@ -75,7 +75,7 @@ org.esbtools.auth - org.esbtools.auth.common + cert-ldap-login-module-common ${project.version} @@ -250,8 +250,8 @@ + cert-ldap-login-module-common spring-cert-ldap-login-module jboss-cert-ldap-login-module - cert-ldap-login-module-common diff --git a/spring-cert-ldap-login-module/pom.xml b/spring-cert-ldap-login-module/pom.xml index 84a159f..00f36f1 100644 --- a/spring-cert-ldap-login-module/pom.xml +++ b/spring-cert-ldap-login-module/pom.xml @@ -11,7 +11,7 @@ org.esbtools.auth - org.esbtools.auth.common + cert-ldap-login-module-common org.springframework.security