- Bunch of improvements for OAuth2 Community Module and Documentatio…

…n: allow GeoServer to use multiple OAuth2 Providers at the same time

 - Revert SecurityNamedServiceEditPage change since belonging to a new JIRA

 - Revert SecurityNamedServiceEditPage change since belonging to a new JIRA

 - WEB Gui Properties Description files update

 - WEB Gui Properties Description files update

doc/en/user/source/community/oauth2/index.rst

@@ -254,6 +254,146 @@ Configure the GeoServer OAuth2 filter
    .. figure:: images/oauth2filter004.png
       :align: center
 
+SSL Trusted Certificates
+------------------------
+
+When using a custom ``Keystore`` or trying to access a non-trusted or self-signed SSL-protected OAuth2 Provider from a non-SSH connection, you will need to add the certificated to the JVM ``Keystore``.
+
+In order to do this you can follow the next steps:
+
+    In this example we are going to
+
+	#. Retrieve SSL Certificates from Google domains:
+
+		"Access Token URI" = https://accounts.google.com/o/oauth2/token therefore we need to trust ``https://accounts.google.com`` or (``accounts.google.com:443``)
+		"Check Token Endpoint URL" = https://www.googleapis.com/oauth2/v1/tokeninfo therefore we need to trust ``https://www.googleapis.com`` or (``www.googleapis.com:443``)
+
+		.. note:: You will need to get and trust certificated from every different HTTPS URL used on OAuth2 Endpoints.
+
+	#. Store SSL Certificates on local hard-disk
+
+	#. Add SSL Certificates to the Java Keystore
+
+	#. Enable the JVM to check for SSL Certificates from the Keystore
+
+1. Retrieve the SSL Certificates from Google domains
+
+	Use the ``openssl`` command in order to dump the certificate
+
+	For ``https://accounts.google.com``
+
+		.. code-block:: shell
+		
+			openssl s_client -connect accounts.google.com:443
+			
+		.. figure:: images/google_ssl_001.png
+		   :align: center
+
+	And for ``https://www.googleapis.com``
+
+		.. code-block:: shell
+		
+			openssl s_client -connect www.googleapis.com:443
+			
+		.. figure:: images/google_ssl_002.png
+		   :align: center
+
+2. Store SSL Certificates on local hard-disk
+
+	Copy-and-paste the two sections ``-BEGIN CERTIFICATE-``, ``-END CERTIFICATE-`` and save them into two different ``.cert`` files
+
+	.. note:: ``.cert`` file are plain text files containing the ASCII characters included on the ``-BEGIN CERTIFICATE-``, ``-END CERTIFICATE-`` sections
+
+	``google.cert`` (or whatever name you want with ``.cert`` extension)
+
+        .. figure:: images/google_ssl_003.png
+           :align: center
+
+	``google-apis.cert`` (or whatever name you want with ``.cert`` extension)
+
+        .. figure:: images/google_ssl_004.png
+           :align: center
+
+3. Add SSL Certificates to the Java Keystore
+
+	You can use the Java command ``keytool`` like this
+
+	``google.cert`` (or whatever name you want with ``.cert`` extension)
+
+		.. code-block:: shell
+		
+			keytool -import -noprompt -trustcacerts -alias google -file google.cert -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}
+
+	``google-apis.cert`` (or whatever name you want with ``.cert`` extension)
+
+		.. code-block:: shell
+		
+			keytool -import -noprompt -trustcacerts -alias google-apis -file google-apis.cert -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}
+
+    or, alternatively, you can use some graphic tool which helps you managing the SSL Certificates and Keystores, like `Portecle <http://portecle.sourceforge.net/>`_
+
+		.. code-block:: shell
+		
+			java -jar c:\apps\portecle-1.9\portecle.jar
+	
+        .. figure:: images/google_ssl_005.png
+           :align: center
+
+        .. figure:: images/google_ssl_006.png
+           :align: center
+
+        .. figure:: images/google_ssl_007.png
+           :align: center
+
+        .. figure:: images/google_ssl_008.png
+           :align: center
+
+        .. figure:: images/google_ssl_009.png
+           :align: center
+
+        .. figure:: images/google_ssl_010.png
+           :align: center
+
+        .. figure:: images/google_ssl_011.png
+           :align: center
+
+        .. figure:: images/google_ssl_012.png
+           :align: center
+
+        .. figure:: images/google_ssl_013.png
+           :align: center
+
+4. Enable the JVM to check for SSL Certificates from the Keystore
+
+	In order to do this, you need to pass a ``JAVA_OPTION`` to your JVM:
+
+		.. code-block:: shell
+		
+			-Djavax.net.ssl.trustStore=F:\tmp\keystore.key
+
+5. Restart your server
+
+.. note:: Here below you can find a bash script which simplifies the Keystore SSL Certificates importing. Use it at your conveninece.
+
+	.. code-block:: shell
+
+		HOST=myhost.example.com
+		PORT=443
+		KEYSTOREFILE=dest_keystore
+		KEYSTOREPASS=changeme
+
+		# get the SSL certificate
+		openssl s_client -connect ${HOST}:${PORT} </dev/null \
+			| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert
+
+		# create a keystore and import certificate
+		keytool -import -noprompt -trustcacerts \
+			-alias ${HOST} -file ${HOST}.cert \
+			-keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}
+
+		# verify we've got it.
+		keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}
+
 Test the Google OAuth2 Provider Based Login
 -------------------------------------------
 

src/community/security/oauth2-geonode/pom.xml

@@ -38,6 +38,13 @@
 			<version>2.0.11.RELEASE</version>
 		</dependency>
 
+		<dependency>
+			<groupId>org.geoserver.community</groupId>
+			<artifactId>gs-sec-oauth2</artifactId>
+			<version>${project.version}</version>
+			<classifier>tests</classifier>
+			<scope>test</scope>
+		</dependency>
 		<dependency>
 			<groupId>org.geoserver</groupId>
 			<artifactId>gs-main</artifactId>

src/community/security/oauth2-geonode/src/main/java/org/geoserver/security/oauth2/GeoNodeOAuth2AuthenticationProvider.java

@@ -6,17 +6,21 @@
 
 import org.geoserver.config.util.XStreamPersister;
 import org.geoserver.security.GeoServerSecurityManager;
+import org.geoserver.security.config.SecurityNamedServiceConfig;
+import org.geoserver.security.filter.GeoServerSecurityFilter;
 
 /**
  * @author Alessio Fabiani, GeoSolutions S.A.S.
  *
  */
 public class GeoNodeOAuth2AuthenticationProvider extends GeoServerOAuthAuthenticationProvider {
 
-    public GeoNodeOAuth2AuthenticationProvider(GeoServerSecurityManager securityManager) {
-        super(securityManager);
+    public GeoNodeOAuth2AuthenticationProvider(
+            GeoServerSecurityManager securityManager, 
+            String tokenServices, String oauth2SecurityConfiguration, String geoServerOauth2RestTemplate) {
+        super(securityManager, tokenServices, oauth2SecurityConfiguration, geoServerOauth2RestTemplate);
     }
-
+    
     @Override
     public void handlePostChanged(GeoServerSecurityManager securityManager) {
         // Nothing to do
@@ -27,4 +31,14 @@ public void configure(XStreamPersister xp) {
         xp.getXStream().alias("geoNodeOauth2Authentication", GeoNodeOAuth2FilterConfig.class);
     }
 
+    @Override
+    public Class<? extends GeoServerSecurityFilter> getFilterClass() {
+        return GeoNodeOAuthAuthenticationFilter.class;
+    }
+
+    @Override
+    public GeoServerSecurityFilter createFilter(SecurityNamedServiceConfig config) {
+        return new GeoNodeOAuthAuthenticationFilter(config, tokenServices,
+                oauth2SecurityConfiguration, geoServerOauth2RestTemplate);
+    }
 }

src/community/security/oauth2-geonode/src/main/java/org/geoserver/security/oauth2/GeoNodeOAuth2SecurityConfiguration.java

@@ -59,11 +59,11 @@
  * 
  * @author Alessio Fabiani, GeoSolutions S.A.S.
  */
-@Configuration
+@Configuration(value="geoNodeOAuth2SecurityConfiguration")
 @EnableOAuth2Client
 class GeoNodeOAuth2SecurityConfiguration extends GeoServerOAuth2SecurityConfiguration {
 
-    @Bean
+    @Bean(name="geoNodeOAuth2Resource")
     public OAuth2ProtectedResourceDetails geoServerOAuth2Resource() {
         AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
         details.setId("geonode-oauth2-client");
@@ -78,7 +78,7 @@ public OAuth2ProtectedResourceDetails geoServerOAuth2Resource() {
     /**
      * Must have "session" scope
      */
-    @Bean
+    @Bean(name="geoNodeOauth2RestTemplate")
     @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
     public OAuth2RestTemplate geoServerOauth2RestTemplate() {
 

src/community/security/oauth2-geonode/src/main/java/org/geoserver/security/oauth2/GeoNodeOAuthAuthenticationFilter.java

@@ -0,0 +1,24 @@
+/* (c) 2016 Open Source Geospatial Foundation - all rights reserved
+ * This code is licensed under the GPL 2.0 license, available at the root
+ * application directory.
+ */
+package org.geoserver.security.oauth2;
+
+import org.geoserver.security.config.SecurityNamedServiceConfig;
+import org.springframework.security.oauth2.client.OAuth2RestOperations;
+import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
+
+/**
+ * @author Alessio Fabiani, GeoSolutions S.A.S.
+ *
+ */
+public class GeoNodeOAuthAuthenticationFilter extends GeoServerOAuthAuthenticationFilter {
+
+    public GeoNodeOAuthAuthenticationFilter(SecurityNamedServiceConfig config,
+            RemoteTokenServices tokenServices,
+            GeoServerOAuth2SecurityConfiguration oauth2SecurityConfiguration,
+            OAuth2RestOperations oauth2RestTemplate) {
+        super(config, tokenServices, oauth2SecurityConfiguration, oauth2RestTemplate);
+    }
+
+}

src/community/security/oauth2-geonode/src/main/java/org/geoserver/web/security/oauth2/GeoNodeOAuth2AuthProviderPanelInfo.java

@@ -4,8 +4,9 @@
  */
 package org.geoserver.web.security.oauth2;
 
-import org.geoserver.security.oauth2.GeoServerOAuthAuthenticationFilter;
 import org.geoserver.security.oauth2.GeoNodeOAuth2FilterConfig;
+import org.geoserver.security.oauth2.GeoNodeOAuthAuthenticationFilter;
+import org.geoserver.security.oauth2.GeoServerOAuthAuthenticationFilter;
 import org.geoserver.security.web.auth.AuthenticationFilterPanelInfo;
 
 /**
@@ -21,7 +22,7 @@ public class GeoNodeOAuth2AuthProviderPanelInfo
 
     public GeoNodeOAuth2AuthProviderPanelInfo() {
         setComponentClass(GeoNodeOAuth2AuthProviderPanel.class);
-        setServiceClass(GeoServerOAuthAuthenticationFilter.class);
+        setServiceClass(GeoNodeOAuthAuthenticationFilter.class);
         setServiceConfigClass(GeoNodeOAuth2FilterConfig.class);
     }
 }

src/community/security/oauth2-geonode/src/main/resources/GeoServerApplication.properties

@@ -1,5 +1,5 @@
-org.geoserver.security.oauth2.GeoServerOAuthAuthenticationFilter.name=GeoNode OAuth2 
-org.geoserver.security.oauth2.GeoServerOAuthAuthenticationFilter.title=Authentication using a GeoNode OAuth2
+org.geoserver.security.oauth2.GeoNodeOAuthAuthenticationFilter.name=GeoNode OAuth2 
+org.geoserver.security.oauth2.GeoNodeOAuthAuthenticationFilter.title=Authentication using a GeoNode OAuth2
 
 GeoNodeOAuth2AuthProviderPanel.login=Login with GeoNode
 GeoNodeOAuth2AuthProviderPanel.short=GeoNode OAuth2 

src/community/security/oauth2-geonode/src/main/resources/applicationContext.xml

@@ -21,11 +21,6 @@
 	</bean>
 
 	<!-- OAuth2 Security Extension -->
-		<bean id="geoNodeOAuth2AuthenticationProvider"
-			class="org.geoserver.security.oauth2.GeoNodeOAuth2AuthenticationProvider">
-			<constructor-arg ref="authenticationManager" />
-		</bean>
-
 		<bean id="geoNodeOAuth2TokenServices" class="org.geoserver.security.oauth2.services.GeoNodeTokenServices">
 			<property name="accessTokenConverter">
 				<bean class="org.geoserver.security.oauth2.services.GeoNodeAccessTokenConverter">
@@ -36,7 +31,22 @@
 				</bean>
 			</property>
 		</bean>
-
+
+		<bean id="geoNodeOAuth2AuthenticationProvider"
+			class="org.geoserver.security.oauth2.GeoNodeOAuth2AuthenticationProvider">
+			<constructor-arg ref="authenticationManager" />
+			<constructor-arg value="geoNodeOAuth2TokenServices" />
+			<constructor-arg value="geoNodeOAuth2SecurityConfiguration" />
+			<constructor-arg value="geoNodeOauth2RestTemplate" />
+		</bean>
+
+		<!-- OAuth2 URL Mangler -->
+		<bean id="geoServerOAuth2AccessTokenURLMangler" class="org.geoserver.security.oauth2.OAuth2AccessTokenURLMangler">
+			<constructor-arg ref="authenticationManager" />
+			<constructor-arg value="geoNodeOAuth2SecurityConfiguration" />
+			<constructor-arg value="geoNodeOauth2RestTemplate" />
+		</bean>
+
 		<!-- wicket ui stuff -->
 
 		<!-- ui auth provider panel info -->

src/community/security/oauth2-geonode/src/test/java/org/geoserver/security/oauth2/OAuth2FilterConfigValidatorTest.java

@@ -121,7 +121,7 @@ public void check(GeoNodeOAuth2FilterConfig config) throws Exception {
         try {
             validator.validateOAuth2FilterConfig(config);
         } catch (OAuth2FilterConfigException ex) {
-            assertEquals(OAuth2FilterConfigException.OAUTH2_ACCESSTOKENURI_NOT_HTTPS, ex.getId());
+            assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId());
             assertEquals(0, ex.getArgs().length);
             LOGGER.info(ex.getMessage());
             failed = true;