From 4e9cc6683cd9c2a9189512af12cf6fa5f3b204d3 Mon Sep 17 00:00:00 2001
From: chasegawa <chasegawa@unicon.net>
Date: Mon, 1 Aug 2022 12:27:39 -0700
Subject: [PATCH] SHIBUI-2327

Correcting security filter to work properly using the pac4j settup
---
 .../src/main/java/net/unicon/shibui/pac4j/WebSecurity.java | 7 +++++--
 testbed/authentication/docker-compose.yml                  | 3 ++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
index a67bf4a96..884569ac7 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
@@ -5,7 +5,7 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.service.IRolesService;
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService;
 import edu.internet2.tier.shibboleth.admin.ui.service.EmailService;
-import static net.unicon.shibui.pac4j.Pac4jConfiguration.PAC4J_CLIENT_NAME;
+import org.pac4j.core.authorization.authorizer.DefaultAuthorizers;
 import org.pac4j.core.config.Config;
 import org.pac4j.core.matching.matcher.Matcher;
 import org.pac4j.springframework.security.web.CallbackFilter;
@@ -26,6 +26,8 @@
 import javax.servlet.Filter;
 import java.util.Optional;
 
+import static net.unicon.shibui.pac4j.Pac4jConfiguration.PAC4J_CLIENT_NAME;
+
 @Configuration
 @AutoConfigureOrder(-1)
 @ConditionalOnProperty(name = "shibui.pac4j-enabled", havingValue = "true")
@@ -62,7 +64,8 @@ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserService userSe
         protected void configure(HttpSecurity http) throws Exception {
             http.authorizeRequests().antMatchers("/unsecured/**/*").permitAll();
 
-            final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME);
+            // adding the authorizor bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
+            final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME, DefaultAuthorizers.IS_AUTHENTICATED);
 
             // add filter based on auth type 
             http.antMatcher("/**").addFilterBefore(getFilter(config, pac4jConfigurationProperties.getTypeOfAuth()), BasicAuthenticationFilter.class);
diff --git a/testbed/authentication/docker-compose.yml b/testbed/authentication/docker-compose.yml
index 884042c4a..42b12cb6a 100644
--- a/testbed/authentication/docker-compose.yml
+++ b/testbed/authentication/docker-compose.yml
@@ -20,7 +20,7 @@ services:
       - "8080:8080"
       - "443:443"
       - "8443:8443"
-#      - "8000:8000"
+      - "9090:9090"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ../reverse-proxy/:/configuration/
@@ -72,6 +72,7 @@ services:
       - ./shibui/application.yml:/application.yml
     ports:
       - "8000:8000"
+#      - "9090:9090"
     entrypoint: ["/usr/bin/java", "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000", "-jar", "app.war"]
 networks:
   reverse-proxy: