Merge branch 'feature/shibui-1742' of bitbucket.org:unicon/shib-idp-u…

…i into feature/shibui-1742
TIER · Aug 20, 2021 · e3dfc6e · e3dfc6e
2 parents 655d11f + f2b6975
commit e3dfc6e
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 5 deletions.
diff --git a/...end/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy b/...end/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy
@@ -96,6 +96,9 @@ class DevConfig {
             }, new Role().with {
                 name = 'ROLE_NONE'
                 it
+            }, new Role().with {
+                name = 'ROLE_ENABLE'
+                it
             }]
             roles.each {
                 roleRepository.save(it)
@@ -207,4 +210,4 @@ class DevConfig {
             return it
         })
     }
-}
+}
diff --git a/...ain/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java b/...ain/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
@@ -9,7 +9,6 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.springsecurity.AdminUserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -38,6 +37,9 @@
 @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
 public class WebSecurityConfig {
 
+    @Value("${shibui.roles.authenticated}")
+    private String[] acceptedAuthenticationRoles;
+
     @Value("${shibui.logout-url:/dashboard}")
     private String logoutUrl;
 
@@ -76,7 +78,7 @@ protected void configure(HttpSecurity http) throws Exception {
                         .and()
                         .authorizeRequests()
                         .antMatchers("/unsecured/**/*").permitAll()
-                        .anyRequest().hasAnyRole("USER", "ADMIN")
+                        .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
                         .and()
                         .exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"))
                         .and()
@@ -157,5 +159,4 @@ public void configure(WebSecurity web) throws Exception {
             }
         };
     }
-}
-
+}
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
@@ -20,6 +20,7 @@ spring.datasource.platform=h2
 spring.datasource.driverClassName=org.h2.Driver
 spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
 spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
 
 # spring.jackson.default-property-inclusion=non_absent
 spring.jackson.default-property-inclusion=NON_NULL
@@ -87,7 +88,11 @@ shibui.mail.text-email-template-path-prefix=/mail/text/
 shibui.mail.html.email-template-path-prefix=/mail/html/
 shibui.mail.system-email-address=doNotReply@shibui.org
 
+
+#ShibUIConfiguration slurps in these values and they are bootstrapped in on startup
 shibui.roles=ROLE_ADMIN,ROLE_ENABLE,ROLE_USER,ROLE_NONE
+#Authenticated access roles - used by Spring Security to allow access when authenticated
+shibui.roles.authenticated=ADMIN,ENABLE,USER
 
 #In order to enable authentication via configured pac4j library (with external SAMl Idp, for example)
 #This property must be set to true and pac4j properties configured. For sample pac4j properties, see application.yml