Commit
Showing
25 changed files
with
1,279 additions
and
11 deletions.
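--- a/...va/no/nav/foreldrepenger/tilbakekreving/web/server/jetty/sikkerhet/ContextPathHolder.java
+++ b/...va/no/nav/foreldrepenger/tilbakekreving/web/server/jetty/sikkerhet/ContextPathHolder.java
@@ -0,0 +1,60 @@
+package no.nav.foreldrepenger.tilbakekreving.web.server.jetty.sikkerhet;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+* Denne eksisterer nå kun pga exp/contract + fp/k9tilbake og cookiepath /k9
+*/
+public class ContextPathHolder {
+
+private static final Logger LOG = LoggerFactory.getLogger(ContextPathHolder.class);
+
+private static volatile ContextPathHolder instance; // NOSONAR
+private final String cookiePath;
+private final boolean harSattCookiePath;
+
+private ContextPathHolder(String cookiePath) {
+this.harSattCookiePath = cookiePath != null;
+this.cookiePath = validerCookiePath(cookiePath);
+}
+
+public static ContextPathHolder instance() {
+var inst = instance;
+if (inst == null) {
+inst = new ContextPathHolder(null);
+instance = inst;
+}
+return inst;
+}
+
+@Deprecated // K9tilbake trenger denne
+@SuppressWarnings("unused")
+public static ContextPathHolder instance(@SuppressWarnings("unused") String contextPath, String cookiePath) {
+var inst = instance;
+if (inst == null) {
+inst = new ContextPathHolder(cookiePath);
+instance = inst;
+}
+return inst;
+}
+
+private String validerCookiePath(String cookiePath) {
+if (cookiePath == null) {
+return "/";
+}
+if (!cookiePath.startsWith("/")) {
+LOG.warn("CookiePath ({}) er ugyldig som cookiePath, forkaster og bruker default ('/').", cookiePath);
+return "/";
+}
+return cookiePath;
+}
+
+public String getCookiePath() {
+return cookiePath;
+}
+
+public boolean harSattCookiePath() {
+return harSattCookiePath;
+}
+}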
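Review bot: The two-argument `instance(String, String)` silently ignores `cookiePath` whenever the no-argument `instance()` has already run, because both overloads only construct when `instance == null`; from then on the holder reports `harSattCookiePath() == false` and `getCookiePath() == "/"` for the rest of the JVM lifetime, which (if this path is what scopes the session cookie, as the class comment's "cookiepath /k9" suggests) widens cookie scope from the intended path to `/` purely as a function of call order, with nothing logged. The check-then-set on the volatile `instance` is also not atomic, so two concurrent first callers can construct different holders; the `// NOSONAR` acknowledges the pattern but not this consequence. I would at least surface the mismatch in the deprecated overload: `} else if (cookiePath != null && !cookiePath.equals(inst.cookiePath)) { LOG.warn("ContextPathHolder er allerede initialisert med cookiePath {}, ignorerer {}", inst.cookiePath, cookiePath); }`, or guard initialization with `synchronized` so the first configured path wins deterministically. Minor: `validerCookiePath` reads no instance state and is called from the constructor, so it should be `private static`.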
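--- a/.../java/no/nav/foreldrepenger/tilbakekreving/web/server/jetty/sikkerhet/README.md
+++ b/.../java/no/nav/foreldrepenger/tilbakekreving/web/server/jetty/sikkerhet/README.md
@@ -0,0 +1,26 @@
+Denne modulen dekker JASPI, JAAS og Tokenvalidering - LEGACY for bruk av K9-tilbake
+-
+
+Kode relatert til Context, OIDC-config og Tokenhenting/veksling ligger i felles-oidc
+
+Sikkerhetskontekst skal hentes fra KontekstHolder, ikke via SubjectHandler
+
+Kort om hovedkomponentene
+
+OidcAuthModule
+* Inngangsportalen og konfigureres programmatisk i applikasjonenes Jetty-oppsett
+* validateRequest får inn alle requests og beskyttede ressurser håndteres av lokal oidcLogin
+* Login lager en LoginContext og forsøker en login (validere token, sette context)
+* Dersom unathorized: Hvis Bearer -> 401, ellers redirect til OpenAm-login
+* Spesialhåndtering av interaktive requests auth-flow, cookies og refresh 2 minutt før tokenutløp
+* Stateless connection - ingen session
+
+LoginModule(s)
+* Gjør tokenvalidering og fortsetter prosess basert på resultat
+* Vil sørge for en kontekst bestående av Subject, Principal m/identType og token
+* Får inn subject og callback i initialize()
+* Vanlig OIDC-requests håndteres ved tokenvalidering og setter Authentication for request
+
+OidcTokenValidator validerer tokens fra ulike issuers og henter jwks til keycache.
+Er for tiden en blanding av jose4j og nimbusds (og litt no nav sikkerhet)
+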
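--- a/.../nav/foreldrepenger/tilbakekreving/web/server/jetty/sikkerhet/context/ContextCleaner.java
+++ b/.../nav/foreldrepenger/tilbakekreving/web/server/jetty/sikkerhet/context/ContextCleaner.java
@@ -0,0 +1,25 @@
+package no.nav.foreldrepenger.tilbakekreving.web.server.jetty.sikkerhet.context;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import no.nav.vedtak.sikkerhet.kontekst.KontekstHolder;
+
+public class ContextCleaner {
+
+private static final Logger LOG = LoggerFactory.getLogger(ContextCleaner.class);
+
+private ContextCleaner() {
+}
+
+public static void enusureCleanContext() {
+try {
+if (KontekstHolder.harKontekst()) {
+LOG.trace("FPFELLES KONTEKST fjernet i ContextCleaner - burde vært fjernet før");
+KontekstHolder.fjernKontekst();
+}
+} catch (Exception e) {
+LOG.trace("FPFELLES ConClean: kunne ikke fjerne kontekst", e);
+}
+}
+}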
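Review bot: The new public method name `enusureCleanContext` is misspelled, and because it is public static API that external modules are presumably meant to call (the README in this commit describes the module as legacy for K9-tilbake), renaming it later will break callers; fix it before it ships: `public static void ensureCleanContext() {`. Separately, both the leftover-context branch and the `catch (Exception e)` log at `trace`, so a security context that was not cleared before this point, or a failure to remove it, is invisible under any normal log configuration; the message itself says it "burde vært fjernet før", which makes this a condition worth `LOG.warn(...)` rather than `trace`, e.g. `LOG.warn("FPFELLES ConClean: kunne ikke fjerne kontekst", e)` in the catch. Whether `KontekstHolder` is thread-bound and what a stale context would mean for the next request is not visible in this hunk, so the severity argument is inferred from the class's stated purpose.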