refs #502450 ADD Shibboleth Dynamic Loginhandler

refs #502450 ADD Shibboleth Dynamic Loginhandler refs #501517 FIX Update group memberships in Shibboleth LoginHandler refs #501517 ADD Dynamic login handler based on spring expressions refs #501517 ADD Tests for dynamic login handler based on spring expressions refs #501517 FIX Interfaces and maven-dependency-plugin refs #4870 FIX map email and name refs #4943 FIX Fallback to user create when there is no user reference for existing users - FIXME Check for existence of non-ref user first FIX securitty.aai Checkstyle FIX userdirectory Checkstyle FIX all refs #502450 FIX Shibboleth Dynamic Loginhandler refs #2965 FIX Example configuration for Dynamic loginhandler refs #2965 FIX Use spring util 3.1 xsd - not tested - FIXME We may need to update pom.xml refs #2965 FIX Mockdata
opencast · Jun 22, 2020 · d50d7b2 · d50d7b2
1 parent 090d0f6
commit d50d7b2
Show file tree

Hide file tree

Showing 11 changed files with 1,101 additions and 15 deletions.
diff --git a/docs/guides/admin/docs/configuration/security.aai.md b/docs/guides/admin/docs/configuration/security.aai.md
@@ -158,3 +158,26 @@ To protect HTML pages, you will need to adapt the configuration of your web serv
         require valid-user
     </LocationMatch>
 
+Dynamic login handler configuration
+-----------------------------------
+
+To configure the dynamic login for the use of attributes via SpEL in the `mh_default_org.xml` file, it is necessary to follow the same steps above. Just change the bean class to `aaiLoginHandler`,
+
+    <bean id="aaiLoginHandler" class="org.opencastproject.security.aai.DynamicLoginHandler">
+      <property name="securityService" ref="securityService" />
+      <property name="userReferenceProvider" ref="userReferenceProvider" />
+      <property name="attributeMapper" ref="attributeMapper" />
+    </bean>
+
+activate the bean attributeMapper,
+
+    <bean id="attributeMapper" class="org.opencastproject.security.aai.api.AttributeMapper">
+      <property name="useHeader" value="true" />
+      <property name="multiValueDelimiter" value=";" />
+      <property name="attributeMap" ref="attributeMap" />
+      <property name="aaiAttributes" ref="aaiAttributes" />
+    </bean>
+
+and configure the values `<util:...>`.
+
+Everything is in the commented section Dynamic AAI Loginhandler.
diff --git a/etc/security/mh_default_org.xml b/etc/security/mh_default_org.xml
@@ -1,11 +1,16 @@
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:sec="http://www.springframework.org/schema/security"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:osgi="http://www.springframework.org/schema/osgi"
-  xsi:schemaLocation="http://www.springframework.org/schema/beans
-       http://www.springframework.org/schema/beans/spring-beans.xsd
-       http://www.springframework.org/schema/osgi
-       http://www.springframework.org/schema/osgi/spring-osgi.xsd
-       http://www.springframework.org/schema/security
-       http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:sec="http://www.springframework.org/schema/security"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:osgi="http://www.springframework.org/schema/osgi"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+                           http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/util
+                           http://www.springframework.org/schema/util/spring-util-3.1.xsd
+                           http://www.springframework.org/schema/osgi
+                           http://www.springframework.org/schema/osgi/spring-osgi.xsd
+                           http://www.springframework.org/schema/security
+                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">
 
   <!-- ######################################## -->
   <!-- # Open and unsecured url patterns      # -->
@@ -406,6 +411,9 @@
         <!-- 2-legged OAuth is used by trusted 3rd party applications, including LTI. -->
         <!-- Uncomment the line below to support LTI or other OAuth clients.          -->
         <!-- <ref bean="oauthProtectedResourceFilter" /> -->
+
+        <!-- Uncomment the line below to support Shibboleth. -->
+        <!-- <ref bean="shibbolethHeaderFilter" /> -->
       </list>
     </property>
   </bean>
@@ -590,6 +598,67 @@
   </bean>
   -->
 
+  <!-- Dynamic AAI Loginhandler
+  <bean id="aaiLoginHandler" class="org.opencastproject.security.aai.DynamicLoginHandler">
+    <property name="securityService" ref="securityService" />
+    <property name="userReferenceProvider" ref="userReferenceProvider" />
+    <property name="attributeMapper" ref="attributeMapper" />
+  </bean>
+
+  <util:list id="roleMapping" value-type="java.lang.String">
+    <value>'ROLE_AAI_USER'</value>
+    <value>'ROLE_AAI_USER_' + ['eduPersonPrincipalName']</value>
+    <value>['homeOrganization'] != null ? 'ROLE_AAI_ORG_' + ['homeOrganization'] + '_MEMBER' : null</value>
+    <value>['eduPersonEntitlement'].contains('urn:mace:example.org:permission:shibboleth:opencast_editor') ? 'ROLE_GROUP_AAI_EDITOR' : null</value>
+    <value>['eduPersonPrincipalName'].contains('john.doe@example.org') ? 'ROLE_ADMIN' : null</value>
+  </util:list>
+
+  <util:list id="snMapping" value-type="java.lang.String">
+    <value>['sn'][0]</value>
+  </util:list>
+
+  <util:list id="givenNameMapping" value-type="java.lang.String">
+    <value>['givenName'][0]</value>
+  </util:list>
+
+  <util:list id="displayNameMapping" value-type="java.lang.String">
+    <value>['givenName'][0] + ' ' + ['sn'][0]</value>
+  </util:list>
+
+  <util:list id="mailMapping" value-type="java.lang.String">
+    <value>['mail'][0]</value>
+  </util:list>
+
+  <util:map id="attributeMap" map-class="java.util.HashMap">
+    <entry key="roles" value-ref="roleMapping" />
+    <entry key="sn" value-ref="snMapping" />
+    <entry key="givenName" value-ref="givenNameMapping" />
+    <entry key="displayName" value-ref="displayNameMapping" />
+    <entry key="mail" value-ref="mailMapping" />
+  </util:map>
+
+  <util:list id="roles2Attributes" value-type="java.lang.String">
+    <value>['roles']</value>
+  </util:list>
+
+  <util:list id="aaiAttributes" value-type="java.lang.String">
+    <value>sn</value>
+    <value>givenName</value>
+    <value>mail</value>
+    <value>homeOrganization</value>
+    <value>eduPersonEntitlement</value>
+    <value>eduPersonPrincipalName</value>
+    <value>homeOrganization</value>
+  </util:list>
+
+  <bean id="attributeMapper" class="org.opencastproject.security.aai.api.AttributeMapper">
+    <property name="useHeader" value="true" />
+    <property name="multiValueDelimiter" value=";" />
+    <property name="attributeMap" ref="attributeMap" />
+    <property name="aaiAttributes" ref="aaiAttributes" />
+  </bean>
+  -->
+
   <!--
   <bean id="preauthAuthProvider"
         class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">

diff --git a/modules/security-aai/pom.xml b/modules/security-aai/pom.xml
@@ -44,6 +44,17 @@
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.easymock</groupId>
+      <artifactId>easymock</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-test</artifactId>
+      <version>3.1.4.RELEASE</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>javax.servlet</groupId>
       <artifactId>javax.servlet-api</artifactId>
@@ -62,6 +73,29 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-dependency-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>analyze</id>
+            <goals>
+              <goal>analyze-only</goal>
+            </goals>
+            <configuration>
+              <failOnWarning>true</failOnWarning>
+              <ignoredUsedUndeclaredDependencies>
+                <ignoredUsedUndeclaredDependency>junit:junit</ignoredUsedUndeclaredDependency>
+                <ignoredUsedUndeclaredDependency>javax.annotation:javax.annotation-api</ignoredUsedUndeclaredDependency>
+                <ignoredUsedUndeclaredDependency>org.springframework:spring-expression</ignoredUsedUndeclaredDependency>
+                <ignoredUsedUndeclaredDependency>org.springframework:spring-core</ignoredUsedUndeclaredDependency>
+                <ignoredUsedUndeclaredDependency>org.springframework.security:spring-security-core</ignoredUsedUndeclaredDependency>
+                <ignoredUsedUndeclaredDependency>org.springframework:spring-beans</ignoredUsedUndeclaredDependency>
+                <ignoredUsedUndeclaredDependency>org.hamcrest:hamcrest</ignoredUsedUndeclaredDependency>
+              </ignoredUsedUndeclaredDependencies>
+              <ignoredUnusedDeclaredDependencies>
+                <ignoredUnusedDeclaredDependency>org.easymock:easymock</ignoredUnusedDeclaredDependency>
+              </ignoredUnusedDeclaredDependencies>
+            </configuration>
+          </execution>
+        </executions>
       </plugin>
       <plugin>
         <groupId>org.apache.felix</groupId>