zowe
diff --git a/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java
Lines changed: 9 additions & 4 deletions b/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java
Lines changed: 9 additions & 4 deletions
diff --git a/‎gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/SecurityConfiguration.java
Lines changed: 13 additions & 2 deletions b/‎gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/SecurityConfiguration.java
Lines changed: 13 additions & 2 deletions
diff --git a/‎integration-tests/src/test/java/org/zowe/apiml/gatewayservice/PassTicketTest.java
Lines changed: 26 additions & 1 deletion b/‎integration-tests/src/test/java/org/zowe/apiml/gatewayservice/PassTicketTest.java
Lines changed: 26 additions & 1 deletion
diff --git a/‎integration-tests/src/test/java/org/zowe/apiml/gatewayservice/QueryIntegrationTest.java
Lines changed: 66 additions & 41 deletions b/‎integration-tests/src/test/java/org/zowe/apiml/gatewayservice/QueryIntegrationTest.java
Lines changed: 66 additions & 41 deletions
@@ -31,10 +31,15 @@ public class AuthConfigurationProperties {
     private ApimlLogger apimlLog = ApimlLogger.empty();
 
     // General properties
-    private String gatewayLoginEndpoint = "/api/v1/gateway/auth/login";
-    private String gatewayLogoutEndpoint = "/api/v1/gateway/auth/logout";
-    private String gatewayQueryEndpoint = "/api/v1/gateway/auth/query";
-    private String gatewayTicketEndpoint = "/api/v1/gateway/auth/ticket";
+    private String gatewayLoginEndpoint = "/gateway/api/v1/auth/login";
+    private String gatewayLogoutEndpoint = "/gateway/api/v1/auth/logout";
+    private String gatewayQueryEndpoint = "/gateway/api/v1/auth/query";
+    private String gatewayTicketEndpoint = "/gateway/api/v1/auth/ticket";
+
+    private String gatewayLoginEndpointOldFormat = "/api/v1/gateway/auth/login";
+    private String gatewayLogoutEndpointOldFormat = "/api/v1/gateway/auth/logout";
+    private String gatewayQueryEndpointOldFormat = "/api/v1/gateway/auth/query";
+    private String gatewayTicketEndpointOldFormat = "/api/v1/gateway/auth/ticket";
 
     private String serviceLoginEndpoint = "/auth/login";
     private String serviceLogoutEndpoint = "/auth/logout";
 
@@ -31,7 +31,7 @@
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RegexRequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -64,6 +64,7 @@
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
     // List of endpoints protected by content filters
     private static final String[] PROTECTED_ENDPOINTS = {
+        "/gateway/api/v1",
         "/api/v1/gateway",
         "/application",
         "/gateway/services"
@@ -115,18 +116,24 @@ protected void configure(HttpSecurity http) throws Exception {
             .and()
             .authorizeRequests()
             .antMatchers(HttpMethod.POST, authConfigurationProperties.getGatewayLoginEndpoint()).permitAll()
+            .antMatchers(HttpMethod.POST, authConfigurationProperties.getGatewayLoginEndpointOldFormat()).permitAll()
 
             // ticket endpoint
             .and()
             .authorizeRequests()
             .antMatchers(HttpMethod.POST, authConfigurationProperties.getGatewayTicketEndpoint()).authenticated()
+            .antMatchers(HttpMethod.POST, authConfigurationProperties.getGatewayTicketEndpointOldFormat()).authenticated()
             .and().x509()
             .userDetailsService(x509UserDetailsService())
 
             // logout endpoint
             .and()
             .logout()
-            .logoutRequestMatcher(new AntPathRequestMatcher(authConfigurationProperties.getGatewayLogoutEndpoint(), HttpMethod.POST.name()))
+            .logoutRequestMatcher(new RegexRequestMatcher(
+                String.format("(%s|%s)",
+                    authConfigurationProperties.getGatewayLogoutEndpoint(),
+                    authConfigurationProperties.getGatewayLogoutEndpointOldFormat())
+                , HttpMethod.POST.name()))
             .addLogoutHandler(logoutHandler())
             .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT))
             .permitAll()
@@ -166,8 +173,12 @@ protected void configure(HttpSecurity http) throws Exception {
             .and()
             .addFilterBefore(loginFilter(authConfigurationProperties.getGatewayLoginEndpoint()), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(x509Filter(authConfigurationProperties.getGatewayLoginEndpoint()), LoginFilter.class)
+            .addFilterBefore(loginFilter(authConfigurationProperties.getGatewayLoginEndpointOldFormat()), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(x509Filter(authConfigurationProperties.getGatewayLoginEndpointOldFormat()), LoginFilter.class)
             .addFilterBefore(queryFilter(authConfigurationProperties.getGatewayQueryEndpoint()), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(queryFilter(authConfigurationProperties.getGatewayQueryEndpointOldFormat()), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(ticketFilter(authConfigurationProperties.getGatewayTicketEndpoint()), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(ticketFilter(authConfigurationProperties.getGatewayTicketEndpointOldFormat()), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(basicFilter(), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(cookieFilter(), UsernamePasswordAuthenticationFilter.class);
     }
 
@@ -50,7 +50,8 @@ class PassTicketTest {
     private final static String DISCOVERABLECLIENT_PASSTICKET_BASE_PATH = "/api/v1/dcpassticket";
     private final static String DISCOVERABLECLIENT_BASE_PATH = "/api/v1/discoverableclient";
     private final static String PASSTICKET_TEST_ENDPOINT = "/passticketTest";
-    private final static String TICKET_ENDPOINT = "/api/v1/gateway/auth/ticket";
+    private final static String TICKET_ENDPOINT = "/gateway/api/v1/auth/ticket";
+    private final static String TICKET_ENDPOINT_OLD_PATH_FORMAT = "/api/v1/gateway/auth/ticket";
     private final static String COOKIE = "apimlAuthenticationToken";
     private final static String REQUEST_INFO_ENDPOINT = "/request";
 
@@ -144,6 +145,30 @@ void doTicketWithValidCookieAndCertificate() {
 
     }
 
+    @Test
+    @TestsNotMeantForZowe
+    void generateTicketWithOldPathFormat() {
+        RestAssured.config = RestAssured.config().sslConfig(getConfiguredSslConfig());
+        String jwt = gatewayToken();
+        log.info(APPLICATION_NAME);
+        TicketRequest ticketRequest = new TicketRequest(APPLICATION_NAME);
+
+        // Generate ticket
+        TicketResponse ticketResponse = given()
+            .contentType(JSON)
+            .body(ticketRequest)
+            .cookie(COOKIE, jwt)
+        .when()
+            .post(String.format("%s://%s:%d%s", SCHEME, HOST, PORT, TICKET_ENDPOINT_OLD_PATH_FORMAT))
+        .then()
+            .statusCode(is(SC_OK))
+            .extract().body().as(TicketResponse.class);
+
+        assertEquals(jwt, ticketResponse.getToken());
+        assertEquals(USERNAME, ticketResponse.getUserId());
+        assertEquals(APPLICATION_NAME, ticketResponse.getApplicationName());
+    }
+
     @Test
     @TestsNotMeantForZowe
     void doTicketWithValidHeaderAndCertificate() {
 
@@ -10,8 +10,10 @@
 package org.zowe.apiml.gatewayservice;
 
 import io.restassured.RestAssured;
+import org.apache.commons.lang3.StringUtils;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
 import org.zowe.apiml.util.config.ConfigReader;
 
 import static io.restassured.RestAssured.given;
@@ -25,14 +27,22 @@ public class QueryIntegrationTest {
     private final static String SCHEME = ConfigReader.environmentConfiguration().getGatewayServiceConfiguration().getScheme();
     private final static String HOST = ConfigReader.environmentConfiguration().getGatewayServiceConfiguration().getHost();
     private final static int PORT = ConfigReader.environmentConfiguration().getGatewayServiceConfiguration().getPort();
-    private final static String BASE_PATH = "/api/v1/gateway";
+    private final static String BASE_PATH = "/gateway/api/v1";
+    private final static String BASE_PATH_OLD_FORMAT = "/api/v1/gateway";
     private final static String QUERY_ENDPOINT = "/auth/query";
     private final static String PASSWORD = ConfigReader.environmentConfiguration().getCredentials().getPassword();
     private final static String USERNAME = ConfigReader.environmentConfiguration().getCredentials().getUser();
     private final static String COOKIE = "apimlAuthenticationToken";
 
     private String token;
 
+    private static String[] queryUrlsSource() {
+        return new String[]{
+            String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT),
+            String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH_OLD_FORMAT, QUERY_ENDPOINT)
+        };
+    }
+
     @BeforeEach
     public void setUp() {
         RestAssured.port = PORT;
@@ -43,134 +53,149 @@ public void setUp() {
     }
 
     //@formatter:off
-    @Test
-    void doQueryWithValidTokenFromHeader() {
+    @ParameterizedTest
+    @MethodSource("queryUrlsSource")
+    void doQueryWithValidTokenFromHeader(String queryUrl) {
         given()
-             .header("Authorization", "Bearer " + token)
+            .header("Authorization", "Bearer " + token)
         .when()
-            .get(String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT))
+            .get(queryUrl)
         .then()
             .statusCode(is(SC_OK))
             .body("userId", equalTo(USERNAME));
     }
 
-    @Test
-    void doQueryWithValidTokenFromCookie() {
+    @ParameterizedTest
+    @MethodSource("queryUrlsSource")
+    void doQueryWithValidTokenFromCookie(String queryUrl) {
         given()
             .cookie(COOKIE, token)
         .when()
-            .get(String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT))
+            .get(queryUrl)
         .then()
             .statusCode(is(SC_OK))
             .body("userId", equalTo(USERNAME));
     }
 
-    @Test
-    void doQueryWithInvalidTokenFromHeader() {
+    @ParameterizedTest
+    @MethodSource("queryUrlsSource")
+    void doQueryWithInvalidTokenFromHeader(String queryUrl) {
         String invalidToken = "1234";
-        String expectedMessage = "Token is not valid for URL '" + BASE_PATH + QUERY_ENDPOINT + "'";
+        String queryPath = queryUrl.substring(StringUtils.ordinalIndexOf(queryUrl,"/",3));
+        String expectedMessage = "Token is not valid for URL '" + queryPath + "'";
 
         given()
             .header("Authorization", "Bearer " + invalidToken)
             .contentType(JSON)
         .when()
-            .get(String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT))
+            .get(queryUrl)
         .then()
             .statusCode(is(SC_UNAUTHORIZED))
             .body(
-            "messages.find { it.messageNumber == 'ZWEAG130E' }.messageContent", equalTo(expectedMessage)
-        );
+                "messages.find { it.messageNumber == 'ZWEAG130E' }.messageContent", equalTo(expectedMessage)
+            );
     }
 
-    @Test
-    void doQueryWithInvalidTokenFromCookie() {
+    @ParameterizedTest
+    @MethodSource("queryUrlsSource")
+    void doQueryWithInvalidTokenFromCookie(String queryUrl) {
         String invalidToken = "1234";
-        String expectedMessage = "Token is not valid for URL '" + BASE_PATH + QUERY_ENDPOINT + "'";
+        String queryPath = queryUrl.substring(StringUtils.ordinalIndexOf(queryUrl,"/",3));
+        String expectedMessage = "Token is not valid for URL '" + queryPath + "'";
 
         given()
             .cookie(COOKIE, invalidToken)
         .when()
-            .get(String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT))
+            .get(queryUrl)
         .then()
             .statusCode(is(SC_UNAUTHORIZED))
             .body(
                 "messages.find { it.messageNumber == 'ZWEAG130E' }.messageContent", equalTo(expectedMessage)
             );
     }
 
-    @Test
-    void doQueryWithoutHeaderOrCookie() {
-        String expectedMessage = "No authorization token provided for URL '" + BASE_PATH + QUERY_ENDPOINT + "'";
+    @ParameterizedTest
+    @MethodSource("queryUrlsSource")
+    void doQueryWithoutHeaderOrCookie(String queryUrl) {
+        String queryPath = queryUrl.substring(StringUtils.ordinalIndexOf(queryUrl,"/",3));
+        String expectedMessage = "No authorization token provided for URL '" + queryPath + "'";
 
         given()
         .when()
-            .get(String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT))
+            .get(queryUrl)
         .then()
             .statusCode(is(SC_UNAUTHORIZED))
             .body(
                 "messages.find { it.messageNumber == 'ZWEAG131E' }.messageContent", equalTo(expectedMessage)
             );
     }
 
-    @Test
-    void doQueryWithWrongAuthType() {
-        String expectedMessage = "No authorization token provided for URL '" + BASE_PATH + QUERY_ENDPOINT + "'";
+    @ParameterizedTest
+    @MethodSource("queryUrlsSource")
+    void doQueryWithWrongAuthType(String queryUrl) {
+        String queryPath = queryUrl.substring(StringUtils.ordinalIndexOf(queryUrl,"/",3));
+        String expectedMessage = "No authorization token provided for URL '" + queryPath + "'";
 
         given()
             .header("Authorization", "Basic " + token)
         .when()
-            .get(String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT))
+            .get(queryUrl)
         .then()
             .statusCode(is(SC_UNAUTHORIZED))
             .body(
                 "messages.find { it.messageNumber == 'ZWEAG131E' }.messageContent", equalTo(expectedMessage)
             );
     }
 
-    @Test
-    void doQueryWithWrongCookieName() {
+    @ParameterizedTest
+    @MethodSource("queryUrlsSource")
+    void doQueryWithWrongCookieName(String queryUrl) {
         String invalidCookie = "badCookie";
-        String expectedMessage = "No authorization token provided for URL '" + BASE_PATH + QUERY_ENDPOINT + "'";
+        String queryPath = queryUrl.substring(StringUtils.ordinalIndexOf(queryUrl,"/",3));
+        String expectedMessage = "No authorization token provided for URL '" + queryPath + "'";
 
         given()
             .cookie(invalidCookie, token)
         .when()
-            .get(String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT))
+            .get(queryUrl)
         .then()
             .statusCode(is(SC_UNAUTHORIZED))
             .body(
                 "messages.find { it.messageNumber == 'ZWEAG131E' }.messageContent", equalTo(expectedMessage)
             );
     }
 
-    @Test
-    void doQueryWithEmptyHeader() {
+    @ParameterizedTest
+    @MethodSource("queryUrlsSource")
+    void doQueryWithEmptyHeader(String queryUrl) {
         String emptyToken = " ";
-        String expectedMessage = "No authorization token provided for URL '" + BASE_PATH + QUERY_ENDPOINT + "'";
+        String queryPath = queryUrl.substring(StringUtils.ordinalIndexOf(queryUrl,"/",3));
+        String expectedMessage = "No authorization token provided for URL '" + queryPath + "'";
 
         given()
             .header("Authorization", "Bearer " + emptyToken)
         .when()
-            .get(String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT))
+            .get(queryUrl)
         .then()
             .statusCode(is(SC_UNAUTHORIZED))
             .body(
                 "messages.find { it.messageNumber == 'ZWEAG131E' }.messageContent", equalTo(expectedMessage)
             );
     }
 
-    @Test
-    void doQueryWithWrongHttpMethod() {
-        String expectedMessage = "Authentication method 'POST' is not supported for URL '" +
-            BASE_PATH + QUERY_ENDPOINT + "'";
+    @ParameterizedTest
+    @MethodSource("queryUrlsSource")
+    void doQueryWithWrongHttpMethod(String queryUrl) {
+        String queryPath = queryUrl.substring(StringUtils.ordinalIndexOf(queryUrl,"/",3));
+        String expectedMessage = "Authentication method 'POST' is not supported for URL '" + queryPath + "'";
 
         given()
             .header("Authorization", "Bearer " + token)
         .when()
-            .post(String.format("%s://%s:%d%s%s", SCHEME, HOST, PORT, BASE_PATH, QUERY_ENDPOINT))
+            .post(queryUrl)
         .then()
             .body(
-            "messages.find { it.messageNumber == 'ZWEAG101E' }.messageContent", equalTo(expectedMessage)
+                "messages.find { it.messageNumber == 'ZWEAG101E' }.messageContent", equalTo(expectedMessage)
             );
     }
     //@formatter:on