diff --git a/README.md b/README.md
index a03a53d0b..4ec4f8196 100644
--- a/README.md
+++ b/README.md
@@ -47,12 +47,7 @@ The easiest way to do this in a servlet container is through the use of system p
 ## Authentication
 Currently, the application is wired with very simple authentication. A password for the user `root`
-can be set with the `shibui.default-password` property. If none is set, a default password
-will be generated and logged:
-
-```
-Using default security password: a3d9ab96-9c63-414f-b199-26fcf59e1ffa
-```
+can be set with the `shibui.default-password` property.
 ## Default Properties
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
index e330e0c05..b24cad7c2 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
@@ -1,6 +1,9 @@
 package edu.internet2.tier.shibboleth.admin.ui.configuration.auto;
 import edu.internet2.tier.shibboleth.admin.ui.security.DefaultAuditorAware;
+import edu.internet2.tier.shibboleth.admin.ui.security.model.Role;
+import edu.internet2.tier.shibboleth.admin.ui.security.model.User;
+import edu.internet2.tier.shibboleth.admin.ui.security.repository.RoleRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.springsecurity.AdminUserService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -12,23 +15,18 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.data.domain.AuditorAware;
-import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
+import java.util.Collections;
 /**
 * Web security configuration.
@@ -49,6 +47,9 @@ public class WebSecurityConfig {
 @Autowired
 private UserRepository userRepository;
+ @Autowired
+ private RoleRepository roleRepository;
+
 @Bean
 public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
 StrictHttpFirewall firewall = new StrictHttpFirewall();
@@ -82,6 +83,25 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 // TODO: more configurable authentication
 PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
 if (defaultPassword != null && !"".equals(defaultPassword)) {
+ // TODO: yeah, this isn't good, but we gotta initialize this user for now
+ User adminUser = userRepository.findByUsername("root").orElseGet(() ->{
+ User u = new User();
+ u.setUsername("root");
+ u.setPassword(defaultPassword);
+ u.setFirstName("admin");
+ u.setLastName("user");
+ Role adminRole = roleRepository.findByName("ROLE_ADMIN").orElseGet(() -> {
+ Role r = new Role();
+ r.setName("ROLE_ADMIN");
+ return roleRepository.saveAndFlush(r);
+ });
+ u.setRoles(Collections.singleton(adminRole));
+ u.setEmailAddress("admin@localhost");
+ return userRepository.saveAndFlush(u);
+ });
+ adminUser.setPassword(defaultPassword);
+ userRepository.saveAndFlush(adminUser);
+
 auth
 .inMemoryAuthentication()
 .withUser("root")
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityServiceImpl.java
index 5724e8dd4..7afbac551 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityServiceImpl.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityServiceImpl.java
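Review bot: The password persisted on the `User` entity is the raw configured value — `u.setPassword(defaultPassword)` inside the `orElseGet` and again `adminUser.setPassword(defaultPassword)` afterwards — even though `passwordEncoder` is built on the context line just above the added block and is presumably what the in-memory `root` user receives (the `.withUser("root")` chain continues outside the hunk). Unless `User.setPassword` hashes internally, which is not visible here, the database row for `root` holds the plaintext credential; both calls should store `passwordEncoder.encode(defaultPassword)` instead. The block also rewrites and flushes the password on every startup, so any change made to the `root` account through the application is overwritten by the property value, and on the create path the entity is flushed twice in a row; the trailing `setPassword`/`saveAndFlush` could be limited to the case where the user already existed. Persisting users and roles from inside `configure(AuthenticationManagerBuilder)` is a side effect in a configuration method, as the added TODO acknowledges; an `ApplicationRunner` or an initializer in `AdminUserService` would keep the security wiring free of database writes. `configure` continues past the end of the hunk.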
@@ -97,7 +97,7 @@ public List getAttributeListFromAttributeReleaseList(List att
 edu.internet2.tier.shibboleth.admin.ui.domain.Attribute getAttributeFromObjectAndRelyingPartyOverrideProperty(Object o, RelyingPartyOverrideProperty overrideProperty) {
 switch (ModelRepresentationConversions.AttributeTypes.valueOf(overrideProperty.getDisplayType().toUpperCase())) {
 case BOOLEAN:
- if ((o instanceof Boolean && ((Boolean)o) || (!(Boolean)o && Boolean.valueOf(overrideProperty.getInvert()))) ||
+ if ((o instanceof Boolean && ((Boolean)o)) ||
 (o instanceof String) && Boolean.valueOf((String)o)) {
 if (overrideProperty.getPersistType() != null && !overrideProperty.getPersistType().equalsIgnoreCase("boolean")) {
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index 69c2ed7fe..fb57a3034 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
@@ -19,6 +19,7 @@ spring.datasource.driverClassName=org.h2.Driver
 spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
 spring.h2.console.enabled=true
+# spring.jackson.default-property-inclusion=non_absent
 # Database Configuration PostgreSQL
 #spring.datasource.url=jdbc:postgresql://localhost:5432/shibui
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index 12bfd55cc..8e823e8a3 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
@@ -61,6 +61,7 @@ custom:
 helpText: tooltip.dont-sign-response
 attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
 attributeFriendlyName: signResponses
+ invert: true
 - name: turnOffEncryption
 displayName: label.turn-off-encryption-of-response
 displayType: boolean
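Review bot: The rewritten condition mixes `||` and `&&` without grouping the second disjunct, so a reader has to recall that `&&` binds tighter to see that it parses as `(Boolean case) || (String case)`; writing the continuation as `|| ((o instanceof String) && Boolean.parseBoolean((String) o))) {` makes the intent explicit and drops the boxed `Boolean.valueOf`. The removed line was the only place in this diff that read `overrideProperty.getInvert()`, while the `application.yml` hunks add `invert: true` to `signResponses`, `encryptAssertions` and `includeConditionsNotBefore`, so the inversion must now be applied somewhere outside this hunk — worth confirming, since those three flags decide whether responses are signed, assertions encrypted and NotBefore conditions emitted. The Groovy hunk in `AuxiliaryJPAEntityServiceTests` drops the `false | true` row and leaves the `where:` table with a single case, so the inverted path has no remaining coverage in this change. `getAttributeFromObjectAndRelyingPartyOverrideProperty` continues beyond the hunk.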
@@ -68,6 +69,7 @@ custom:
 helpText: tooltip.turn-off-encryption
 attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
 attributeFriendlyName: encryptAssertions
+ invert: true
 - name: useSha
 displayName: label.use-sha1-signing-algorithm
 displayType: boolean
@@ -93,6 +95,7 @@ custom:
 helpText: tooltip.omit-not-before-condition
 attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
 attributeFriendlyName: includeConditionsNotBefore
+ invert: true
 - name: responderId
 displayName: label.responder-id
 displayType: string
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/AuxiliaryJPAEntityServiceTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/AuxiliaryJPAEntityServiceTests.groovy
index dccf8c8fd..92c2627aa 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/AuxiliaryJPAEntityServiceTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/AuxiliaryJPAEntityServiceTests.groovy
@@ -41,6 +41,5 @@ class AuxiliaryJPAEntityServiceTests extends Specification {
 where:
 input | output
 true | false
- false | true
 }
 }