From 1030510581dc0afa2699bda50aca9c62f121cf48 Mon Sep 17 00:00:00 2001
From: Bill Smith
Date: Mon, 21 Jan 2019 16:45:49 -0700
Subject: [PATCH] [SHIBUI-1029] Removed the attempt at throwing an Access Denied exception and creating a handler for it as it never seemed to work. Added in the EmailService.
---
.../shibui/pac4j/AccessDeniedHandler.java | 19 -------
.../unicon/shibui/pac4j/AddNewUserFilter.java | 25 +++++----
.../net/unicon/shibui/pac4j/WebSecurity.java | 53 +++---------------
3 files changed, 24 insertions(+), 73 deletions(-)
delete mode 100644 pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java
deleted file mode 100644
index 8fe233dc2..000000000
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java
+++ /dev/null
@@ -1,19 +0,0 @@
-package net.unicon.shibui.pac4j;
-
-import org.springframework.security.access.AccessDeniedException;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * @author Bill Smith (wsmith@unicon.net)
- */
-public class AccessDeniedHandler implements org.springframework.security.web.access.AccessDeniedHandler {
- @Override
- public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
- System.out.println("WOO! In handle!");
- response.sendRedirect("/static.html");
- }
-}
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
index 581cde47e..6cf95d8f8 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
@@ -6,14 +6,17 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.model.User;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.RoleRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
+import edu.internet2.tier.shibboleth.admin.ui.service.EmailService;
 import org.apache.commons.lang.RandomStringUtils;
 import org.apache.http.entity.ContentType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
-import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.crypto.bcrypt.BCrypt;
+import javax.mail.MessagingException;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -29,14 +32,18 @@
 */
 public class AddNewUserFilter implements Filter {
+ private static final Logger logger = LoggerFactory.getLogger(AddNewUserFilter.class);
+ private static final String ROLE_NONE = "ROLE_NONE";
 private UserRepository userRepository;
 private RoleRepository roleRepository;
+ private EmailService emailService;
- public AddNewUserFilter(UserRepository userRepository, RoleRepository roleRepository) {
+ public AddNewUserFilter(UserRepository userRepository, RoleRepository roleRepository, EmailService emailService) {
 this.userRepository = userRepository;
 this.roleRepository = roleRepository;
+ this.emailService = emailService;
 }
 @Override
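Review bot: The new `emailService` field, like the existing `userRepository` and `roleRepository`, is assigned only in the constructor but is not declared `final`; `private final EmailService emailService;` makes the filter's dependencies immutable and lets the compiler catch a missed assignment. The same applies to the Pac4jWebSecurityConfigurerAdapter constructor hunk in WebSecurity.java, where only `config` is final. Because the filter's only use of `emailService` is on the new-user path in doFilter, a null reference passed here would surface as a NullPointerException on the first unknown user's login rather than at startup, so a constructor null check would be worth the line.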
@@ -59,26 +66,26 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 roleRepository.save(noRole);
 user.getRoles().add(noRole);
 userRepository.save(user);
- //TODO: Add call to email service here
+ try {
+ emailService.sendNewUserMail(username);
+ } catch (MessagingException e) {
+ logger.warn(String.format("Unable to send new user email for user [%s]", username), e);
+ }
 } else {
 user = persistedUser.get();
 }
 if (user.getRole().equals(ROLE_NONE)) {
- throw new AccessDeniedException("DENIED!");
-/* response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
+ response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
 ((HttpServletResponse) response).setStatus(HttpStatus.FORBIDDEN.value());
 response.getOutputStream().write(getJsonResponseBytes( new ErrorResponse(String.valueOf(HttpStatus.FORBIDDEN.value()), "Your account is not yet authorized to access ShibUI.")));
 ((HttpServletResponse) response).sendRedirect("/static.html");
-// return;*/
 } else {
- chain.doFilter(request, response);// else, user is in the system already, carry on
+ chain.doFilter(request, response); // else, user is in the system already, carry on
 }
 }
 }
-
-// chain.doFilter(request, response);
 }
 @Override
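Review bot: In the ROLE_NONE branch the newly re-enabled code writes a 403 JSON body and then calls `sendRedirect("/static.html")` on the same response; a redirect after the body has been written either throws IllegalStateException if the response is already committed or, when it is not, typically resets the buffer and turns the 403 into a 302, so the client never sees the "not yet authorized" error. Pick one outcome: either drop the `sendRedirect` line and `return` after writing the body, or redirect without writing a body. The warning `logger.warn(String.format("Unable to send new user email for user [%s]", username), e)` can use the logger's own placeholders, `logger.warn("Unable to send new user email for user [{}]", username, e);`, which keeps the throwable as the last argument and skips formatting when WARN is off. doFilter starts and ends outside the hunk.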
@@ -2,8 +2,8 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.RoleRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
+import edu.internet2.tier.shibboleth.admin.ui.service.EmailService;
 import org.pac4j.core.config.Config;
-import org.pac4j.core.context.HttpConstants;
 import org.pac4j.springframework.security.web.CallbackFilter;
 import org.pac4j.springframework.security.web.SecurityFilter;
 import org.springframework.boot.autoconfigure.AutoConfigureOrder;
@@ -13,33 +13,15 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.web.access.AccessDeniedHandler;
-import org.springframework.security.web.access.AccessDeniedHandlerImpl;
-import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
-import org.springframework.web.bind.annotation.ExceptionHandler;
 @Configuration
 @AutoConfigureOrder(-1)
 public class WebSecurity {
 @Bean("webSecurityConfig")
- public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter(final Config config, UserRepository userRepository, RoleRepository roleRepository) {
- return new Pac4jWebSecurityConfigurerAdapter(config, userRepository, roleRepository);
- }
-
- @Bean
- @ExceptionHandler
- public static AccessDeniedHandler accessDeniedHandler() {
- return new net.unicon.shibui.pac4j.AccessDeniedHandler();
- }
-
- @Bean
- public static ExceptionTranslationFilter exceptionTranslationFilter(AccessDeniedHandler accessDeniedHandler) {
- ExceptionTranslationFilter exceptionTranslationFilter = new ExceptionTranslationFilter(new RestAuthenticationEntryPoint());
- exceptionTranslationFilter.setAccessDeniedHandler(accessDeniedHandler);
- exceptionTranslationFilter.afterPropertiesSet();
- return exceptionTranslationFilter;
+ public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter(final Config config, UserRepository userRepository, RoleRepository roleRepository, EmailService emailService) {
+ return new Pac4jWebSecurityConfigurerAdapter(config, userRepository, roleRepository, emailService);
 }
 @Configuration
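Review bot: With the `exceptionTranslationFilter` bean removed, `RestAuthenticationEntryPoint` is no longer referenced from this file (its only use here was inside that bean), so it is probably dead code now unless it is wired somewhere else; worth confirming and removing in the same change. The surviving `webSecurityConfigurerAdapter` bean gained an `EmailService` parameter but carries no Javadoc; a line such as `/** Builds the pac4j-backed security configuration; emailService is passed through to AddNewUserFilter for new-user notification. */` would record why a security bean now depends on mail.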
@@ -74,11 +56,13 @@ public static class Pac4jWebSecurityConfigurerAdapter extends WebSecurityConfigu
 private final Config config;
 private UserRepository userRepository;
 private RoleRepository roleRepository;
+ private EmailService emailService;
- public Pac4jWebSecurityConfigurerAdapter(final Config config, UserRepository userRepository, RoleRepository roleRepository) {
+ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserRepository userRepository, RoleRepository roleRepository, EmailService emailService) {
 this.config = config;
 this.userRepository = userRepository;
 this.roleRepository = roleRepository;
+ this.emailService = emailService;
 }
 @Override
@@ -86,33 +70,14 @@ protected void configure(HttpSecurity http) throws Exception {
 final SecurityFilter securityFilter = new SecurityFilter(this.config, "Saml2Client");
 final CallbackFilter callbackFilter = new CallbackFilter(this.config);
- // http.regexMatcher("/callback").addFilterBefore(callbackFilter, BasicAuthenticationFilter.class);
 http.antMatcher("/**").addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
 .addFilterBefore(securityFilter, BasicAuthenticationFilter.class)
- .addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), SecurityFilter.class)
- .addFilterAfter(exceptionTranslationFilter(accessDeniedHandler()), ExceptionTranslationFilter.class)
- .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
- http.authorizeRequests().anyRequest().fullyAuthenticated();
-
-// http.addFilterBefore(securityFilter, BasicAuthenticationFilter.class);
+ .addFilterAfter(new AddNewUserFilter(userRepository, roleRepository, emailService), SecurityFilter.class);
-// http.addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), SecurityFilter.class)
-// .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
-
-
-/*
- http.addFilterAfter(exceptionTranslationFilter(accessDeniedHandler()), ExceptionTranslationFilter.class);
-*/
-/*
- ExceptionTranslationFilter customExceptionTranslationFilter = new ExceptionTranslationFilter(new RestAuthenticationEntryPoint());
- customExceptionTranslationFilter.setAccessDeniedHandler(accessDeniedHandler);
- http.addFilterAfter(customExceptionTranslationFilter, AddNewUserFilter.class);
-*/
+ http.authorizeRequests().anyRequest().fullyAuthenticated();
 http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
- // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
- http.csrf().disable(); http.headers().frameOptions().disable(); }
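Review bot: The status of `http.csrf().disable()` at the end of the hunk is not clear in this rendering — it follows the removed `csrfTokenRepository` comment and may itself be removed or kept — and both outcomes matter: if CSRF protection is now on, the SAML callback POST handled by `callbackFilter` will need an ignoring matcher or it will be rejected; if it stays off, a comment saying why (e.g. `// CSRF disabled: the SAML callback is a cross-site POST; add an ignoring matcher before re-enabling`) would keep it from being mistaken for leftover debugging. The new filter ordering also deserves a one-line comment, e.g. `// callback -> pac4j SecurityFilter (authenticates) -> AddNewUserFilter (provisions user, 403 for ROLE_NONE)`, since AddNewUserFilter appears to rely on SecurityFilter having populated the Authentication first. configure's signature is outside the hunk.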
@@ -121,8 +86,6 @@ protected void configure(HttpSecurity http) throws Exception {
 public void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web) throws Exception {
 super.configure(web);
-// web.ignoring().antMatchers("/static.html");
-
 StrictHttpFirewall firewall = new StrictHttpFirewall();
 firewall.setAllowUrlEncodedSlash(true);
 web.httpFirewall(firewall);