diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Data.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Data.java index e875932cd..7afd88814 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Data.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Data.java @@ -19,6 +19,7 @@ import javax.xml.namespace.QName; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collections; import java.util.List; import java.util.stream.Collectors; @@ -74,10 +75,11 @@ public void addX509Certificate(edu.internet2.tier.shibboleth.admin.ui.domain.X50 this.xmlObjects.add(x509Certificate); } + // TODO: might need to really implement this @Nonnull @Override public List getX509CRLs() { - return null; + return Collections.EMPTY_LIST; } @Nonnull diff --git a/backend/src/main/resources/jpa-signature-config.xml b/backend/src/main/resources/jpa-signature-config.xml index 0a6696db5..9a8da32e8 100644 --- a/backend/src/main/resources/jpa-signature-config.xml +++ b/backend/src/main/resources/jpa-signature-config.xml @@ -39,7 +39,275 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + \ No newline at end of file diff --git a/backend/src/main/resources/modified-saml2-assertion-config.xml b/backend/src/main/resources/modified-saml2-assertion-config.xml index 2f09fa77b..3349e4558 100644 --- a/backend/src/main/resources/modified-saml2-assertion-config.xml 
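Review bot: `getX509CRLs()` in the second X509Data.java hunk now returns the raw, immutable `Collections.EMPTY_LIST`, so a caller that tries to add a CRL to the returned list gets an `UnsupportedOperationException`. `return Collections.emptyList();` would at least keep the element type if the return type is parameterized (the page shows a bare `List`). Any CRLs attached to this element are also silently ignored, which the TODO does not say; I would reword it to `// TODO: CRLs are not stored; this always returns an empty, unmodifiable list, so revocation data in KeyInfo is ignored`. The rest of the class is outside the hunk, so whether `xmlObjects` could back this list is an assumption to confirm.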
+++ b/backend/src/main/resources/modified-saml2-assertion-config.xml @@ -230,7 +230,19 @@ - + + + + + + + + + + + + + diff --git a/pac4j-module/build.gradle b/pac4j-module/build.gradle index 6a1295758..4080df12a 100644 --- a/pac4j-module/build.gradle +++ b/pac4j-module/build.gradle @@ -46,8 +46,11 @@ dependencies { exclude group: 'org.opensaml' exclude group: 'commons-collections' } + // But we do need this opensaml lib that wasn't provided + implementation "org.opensaml:opensaml-storage-impl:${project.'opensamlVersion'}" compile "org.apache.commons:commons-collections4:${project.'commonsCollections4Version'}" + testCompile project(':backend') testCompile "org.opensaml:opensaml-saml-api:${project.'opensamlVersion'}" diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java index a67bf4a96..884569ac7 100644 --- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java +++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java @@ -5,7 +5,7 @@ import edu.internet2.tier.shibboleth.admin.ui.security.service.IRolesService; import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService; import edu.internet2.tier.shibboleth.admin.ui.service.EmailService; -import static net.unicon.shibui.pac4j.Pac4jConfiguration.PAC4J_CLIENT_NAME; +import org.pac4j.core.authorization.authorizer.DefaultAuthorizers; import org.pac4j.core.config.Config; import org.pac4j.core.matching.matcher.Matcher; import org.pac4j.springframework.security.web.CallbackFilter; @@ -26,6 +26,8 @@ import javax.servlet.Filter; import java.util.Optional; +import static net.unicon.shibui.pac4j.Pac4jConfiguration.PAC4J_CLIENT_NAME; + @Configuration @AutoConfigureOrder(-1) @ConditionalOnProperty(name = "shibui.pac4j-enabled", havingValue = "true") 
@@ -62,7 +64,8 @@ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserService userSe
 protected void configure(HttpSecurity http) throws Exception {
 http.authorizeRequests().antMatchers("/unsecured/**/*").permitAll();
- final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME);
+ // adding the authorizor bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
+ final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME, DefaultAuthorizers.IS_AUTHENTICATED);
 // add filter based on auth type
 http.antMatcher("/**").addFilterBefore(getFilter(config, pac4jConfigurationProperties.getTypeOfAuth()), BasicAuthenticationFilter.class);
diff --git a/testbed/authentication/docker-compose.yml b/testbed/authentication/docker-compose.yml
index 884042c4a..42b12cb6a 100644
--- a/testbed/authentication/docker-compose.yml
+++ b/testbed/authentication/docker-compose.yml
@@ -20,7 +20,7 @@ services:
 - "8080:8080"
 - "443:443"
 - "8443:8443"
-# - "8000:8000"
+ - "9090:9090"
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 - ../reverse-proxy/:/configuration/
@@ -72,6 +72,7 @@ services:
 - ./shibui/application.yml:/application.yml
 ports:
 - "8000:8000"
+# - "9090:9090"
 entrypoint: ["/usr/bin/java", "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000", "-jar", "app.war"]
 networks:
 reverse-proxy:
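Review bot: Passing `DefaultAuthorizers.IS_AUTHENTICATED` in the `configure` hunk of WebSecurity.java turns off pac4j's default CSRF check for every request this `SecurityFilter` handles, as the new comment itself says, and nothing visible in the hunk shows another CSRF control taking its place. `configure` continues outside the hunk, so Spring Security's own CSRF filter may still be active; if it is, the comment should say so, e.g. `// pac4j CSRF check intentionally replaced by IS_AUTHENTICATED; CSRF is enforced by <where>`. If it is not, consider keeping the check in the authorizer list, e.g. `DefaultAuthorizers.IS_AUTHENTICATED + "," + DefaultAuthorizers.CSRF_CHECK`, assuming the pac4j version in use defines that constant.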
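Review bot: The new `- "9090:9090"` mapping in the first docker-compose.yml hunk publishes the port on all host interfaces, with no comment saying what listens there. The second hunk adds the same mapping commented out under the service whose entrypoint (a context line) starts a JDWP agent on `*:8000`. For a testbed that may run on a shared or networked host, binding auxiliary and debug ports to loopback is safer: `- "127.0.0.1:9090:9090"`. I would also either drop the commented-out `# - "9090:9090"` line or add a short comment explaining when to enable it.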