From d4f2026fb30f6a8f9d42adbffc816b304f70f7e6 Mon Sep 17 00:00:00 2001
From: Bill Smith
Date: Thu, 17 Jan 2019 17:43:42 -0700
Subject: [PATCH] [SHIBUI-1029] Various attempts at getting from the AddNewUserFilter to our new /static.html page. No joy so far.
---
 .../shibui/pac4j/AccessDeniedHandler.java | 19 +++++++++++++
 .../unicon/shibui/pac4j/AddNewUserFilter.java | 4 +++
 .../ExceptionHandlerExceptionResolver.java | 8 ++++++
 .../pac4j/RestAuthenticationEntryPoint.java | 20 ++++++++++++++
 .../net/unicon/shibui/pac4j/WebSecurity.java | 27 ++++++++++++++++++-
 .../src/test/docker/conf/application.yml | 4 +--
 6 files changed, 79 insertions(+), 3 deletions(-)
 create mode 100644 pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java
 create mode 100644 pac4j-module/src/main/java/net/unicon/shibui/pac4j/ExceptionHandlerExceptionResolver.java
 create mode 100644 pac4j-module/src/main/java/net/unicon/shibui/pac4j/RestAuthenticationEntryPoint.java
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java
new file mode 100644
index 000000000..8fe233dc2
--- /dev/null
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java
@@ -0,0 +1,19 @@
+package net.unicon.shibui.pac4j;
+
+import org.springframework.security.access.AccessDeniedException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author Bill Smith (wsmith@unicon.net)
+ */
+public class AccessDeniedHandler implements org.springframework.security.web.access.AccessDeniedHandler {
+ @Override
+ public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
+ System.out.println("WOO! In handle!");
+ response.sendRedirect("/static.html");
+ }
+}
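Review bot: `response.sendRedirect("/static.html")` in `handle` turns an authorization failure into a 302 whose target is container-root-relative: per the servlet API a location starting with `/` is resolved against the servlet container root, not the application's context path, so the redirect breaks as soon as the app is deployed under a context path, and the client never sees a 403 at all. Prefer `response.sendRedirect(request.getContextPath() + "/static.html")`, or keep the 403 and leave navigation to the client. The `System.out.println("WOO! In handle!")` debug line should not land as is; route it through the module's logger at debug level without request details. The same two points apply to `commence` in RestAuthenticationEntryPoint.java further down in this patch, where a redirect from a REST entry point additionally replaces the 401 an API client expects.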
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
index 0d9f6b723..a6a75fac1 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
@@ -9,6 +9,7 @@ import org.apache.commons.lang.RandomStringUtils;
 import org.apache.http.entity.ContentType;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.crypto.bcrypt.BCrypt;
@@ -55,6 +56,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 user.setUsername(username);
 user.setPassword(BCrypt.hashpw(RandomStringUtils.randomAlphanumeric(20), BCrypt.gensalt()));
 Role noRole = roleRepository.findByName(ROLE_NONE).orElse(new Role(ROLE_NONE));
+ roleRepository.save(noRole);
 user.getRoles().add(noRole);
 userRepository.save(user);
 //TODO: Add call to email service here
@@ -62,11 +64,13 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 user = persistedUser.get();
 }
 if (user.getRole().equals(ROLE_NONE)) {
+// throw new AccessDeniedException("DENIED!");
 response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
 ((HttpServletResponse) response).setStatus(HttpStatus.FORBIDDEN.value());
 response.getOutputStream().write(getJsonResponseBytes( new ErrorResponse(String.valueOf(HttpStatus.FORBIDDEN.value()), "Your account is not yet authorized to access ShibUI.")));
+ ((HttpServletResponse) response).sendRedirect("/static.html");
 return;
 }
 // else, user is in the system already, carry on
 }
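Review bot: In the `ROLE_NONE` branch of the last hunk, `sendRedirect("/static.html")` is called after the 403 status and the JSON error body have already been written to the output stream; if that write committed the response, `sendRedirect` throws `IllegalStateException`, and if it did not, the redirect clears the buffer and replaces the 403 with a 302, so the client gets one or the other but never the intended error response. Decide on a single outcome: keep the JSON 403 for API callers, or redirect (with `request.getContextPath() + "/static.html"`) and drop the body write, but not both. The commented-out `throw new AccessDeniedException("DENIED!")` and the now-unused `AccessDeniedException` import added in the first hunk of this file should be removed rather than committed. `doFilter` starts outside the hunk.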
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ExceptionHandlerExceptionResolver.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ExceptionHandlerExceptionResolver.java
new file mode 100644
index 000000000..640fde822
--- /dev/null
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ExceptionHandlerExceptionResolver.java
@@ -0,0 +1,8 @@
+package net.unicon.shibui.pac4j;
+
+/**
+ * @author Bill Smith (wsmith@unicon.net)
+ */
+public class ExceptionHandlerExceptionResolver extends org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver {
+
+}
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/RestAuthenticationEntryPoint.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/RestAuthenticationEntryPoint.java
new file mode 100644
index 000000000..825e8ae98
--- /dev/null
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/RestAuthenticationEntryPoint.java
@@ -0,0 +1,20 @@
+package net.unicon.shibui.pac4j;
+
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author Bill Smith (wsmith@unicon.net)
+ */
+public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
+ @Override
+ public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
+ System.out.println("WOO! In auth!");
+ response.sendRedirect("/static.html");
+ }
+}
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
index 02106124e..30bdc22d6 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
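Review bot: `ExceptionHandlerExceptionResolver` is an empty subclass that nothing else in this patch references, and its simple name is identical to the Spring class it extends, so any file in `net.unicon.shibui.pac4j` that wants the framework type has to spell out the fully qualified name, as this file itself does on its `extends` clause. If it is a placeholder for a later exception-handling experiment, leave it out of this commit until it does something; otherwise give it a distinct name such as `ShibUiExceptionResolver` and a class-level Javadoc stating what it is meant to override.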
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
@@ -12,6 +12,9 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
@@ -23,6 +26,19 @@ public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter(final Config co
 return new Pac4jWebSecurityConfigurerAdapter(config, userRepository, roleRepository);
 }
+ @Bean
+ public static AccessDeniedHandler accessDeniedHandler() {
+ return new net.unicon.shibui.pac4j.AccessDeniedHandler();
+ }
+
+ @Bean
+ public static ExceptionTranslationFilter exceptionTranslationFilter(AccessDeniedHandler accessDeniedHandler) {
+ ExceptionTranslationFilter exceptionTranslationFilter = new ExceptionTranslationFilter(new RestAuthenticationEntryPoint());
+ exceptionTranslationFilter.setAccessDeniedHandler(accessDeniedHandler);
+ exceptionTranslationFilter.afterPropertiesSet();
+ return exceptionTranslationFilter;
+ }
+
 @Configuration
 @Order(0)
 public static class FaviconSecurityConfiguration extends WebSecurityConfigurerAdapter {
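Review bot: The added import of `org.springframework.security.web.access.AccessDeniedHandler` shadows the package-local `net.unicon.shibui.pac4j.AccessDeniedHandler` added elsewhere in this patch, which is why the bean method in the next hunk has to write `return new net.unicon.shibui.pac4j.AccessDeniedHandler();` by fully qualified name; renaming the local class (for example `RedirectingAccessDeniedHandler`) removes the ambiguity for both files. `AccessDeniedHandlerImpl` is imported but not used in any hunk of this file and should be dropped.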
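Review bot: Declaring `exceptionTranslationFilter` as a `@Bean` of type `ExceptionTranslationFilter` most likely registers it with the servlet container as a plain filter outside the Spring Security filter chain: Spring Boot auto-registers every `Filter` bean it finds, so this instance would run on every request in addition to the `ExceptionTranslationFilter` the adapter's chain already contains, with no defined order relative to it. If the goal is to replace the chain's access-denied handling, wire the handler through `http.exceptionHandling().accessDeniedHandler(accessDeniedHandler())` inside `configure` instead, or expose a `FilterRegistrationBean` for this bean with `setEnabled(false)` so the container ignores it. The explicit `afterPropertiesSet()` call is redundant for a `@Bean`, since the container invokes it during initialization. That this is a Spring Boot application is inferred from the `application.yml` in this patch, so confirm before relying on that behaviour.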
@@ -55,7 +71,16 @@ protected void configure(HttpSecurity http) throws Exception {
 http.addFilterBefore(securityFilter, BasicAuthenticationFilter.class);
- http.addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), BasicAuthenticationFilter.class);
+ http.addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), SecurityFilter.class);
+/*
+ .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
+ http.addFilterAfter(exceptionTranslationFilter(accessDeniedHandler()), ExceptionTranslationFilter.class);
+*/
+/*
+ ExceptionTranslationFilter customExceptionTranslationFilter = new ExceptionTranslationFilter(new RestAuthenticationEntryPoint());
+ customExceptionTranslationFilter.setAccessDeniedHandler(accessDeniedHandler);
+ http.addFilterAfter(customExceptionTranslationFilter, AddNewUserFilter.class);
+*/
 http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
diff --git a/pac4j-module/src/test/docker/conf/application.yml b/pac4j-module/src/test/docker/conf/application.yml
index 41832e741..e4083f2d3 100644
--- a/pac4j-module/src/test/docker/conf/application.yml
+++ b/pac4j-module/src/test/docker/conf/application.yml
@@ -10,7 +10,7 @@ shibui:
 keystorePath: "/conf/samlKeystore.jks"
 keystorePassword: "changeit"
 privateKeyPassword: "changeit"
- serviceProviderEntityId: "https://unicon.net/dev/shibui"
+ serviceProviderEntityId: "https://unicon.net/test/shibui"
 serviceProviderMetadataPath: "/conf/sp-metadata.xml"
 identityProviderMetadataPath: "/conf/idp-metadata.xml"
 forceServiceProviderMetadataGeneration: true
@@ -19,4 +19,4 @@ shibui:
 logging:
 level:
 org.pac4j: "TRACE"
- org.opensaml: "INFO"
\ No newline at end of file
+ org.opensaml: "INFO"
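Review bot: Two commented-out blocks are committed inside `configure` right after the live `addFilterAfter` change; the first begins with `.exceptionHandling().accessDeniedHandler(accessDeniedHandler());`, which is not even a complete statement, and both record attempts the commit message itself says did not work, so they should be removed before this lands rather than kept as a comment trail. The one live change, ordering `AddNewUserFilter` after `SecurityFilter.class`, only builds if `securityFilter` (declared outside the hunk) is an instance of exactly `SecurityFilter`, because `addFilterAfter` resolves a non-standard reference class only when an earlier `addFilterBefore`/`addFilterAfter` registered it; a short comment on that line stating why the user filter must follow the pac4j filter would spare the next reader the same investigation. `configure` starts and ends outside this hunk.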