From 5a032d3122edeb7d4433134b3874b5fbc32d0ced Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Fri, 20 Aug 2021 11:38:25 -0700
Subject: [PATCH 1/2] SHIBUI-2030 fix login issue
---
 .../admin/ui/configuration/auto/WebSecurityConfig.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
index 3d66de957..7e19425e7 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
@@ -9,7 +9,6 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.springsecurity.AdminUserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -38,6 +37,9 @@
 @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
 public class WebSecurityConfig {
+ @Value("${shibui.roles.authenticated}")
+ private String[] acceptedAuthenticationRoles;
+
 @Value("${shibui.logout-url:/dashboard}")
 private String logoutUrl;
@@ -76,7 +78,7 @@ protected void configure(HttpSecurity http) throws Exception {
 .and()
 .authorizeRequests()
 .antMatchers("/unsecured/**/*").permitAll()
- .anyRequest().hasAnyRole("USER", "ADMIN")
+ .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
 .and()
 .exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"))
 .and()
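Review bot: `.anyRequest().hasAnyRole(acceptedAuthenticationRoles)` now takes the allowed roles from the `@Value("${shibui.roles.authenticated}")` field added in the `-38,6` hunk, and nothing checks that value before it becomes the only URL-level rule visible here. A deployment whose external configuration sets the property to an empty string would, as far as I can tell, build a rule no user satisfies and show up only as redirects to `/unsecured/error.html`; a fail-fast check before the chain is built, e.g. `Assert.notEmpty(acceptedAuthenticationRoles, "shibui.roles.authenticated must list at least one role");`, makes that a startup error instead. Every role in the list gets the same access at this layer, so endpoints meant for administrators only have to be restricted elsewhere; `configure` begins and ends outside the hunk, so that cannot be confirmed from this patch.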
@@ -157,5 +159,4 @@ public void configure(WebSecurity web) throws Exception {
 }
 };
 }
-}
-
+}
\ No newline at end of file
From f2b6975fffdbbd6f2f76fefacfc94e114a54d999 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Fri, 20 Aug 2021 11:42:12 -0700
Subject: [PATCH 2/2] SHIBUI-2030 fix login issue
---
 .../tier/shibboleth/admin/ui/configuration/DevConfig.groovy | 5 ++++-
 backend/src/main/resources/application.properties | 5 +++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy
index 46ff633cd..62fda2ed9 100644
--- a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy
+++ b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy
@@ -96,6 +96,9 @@ class DevConfig {
 }, new Role().with {
 name = 'ROLE_NONE'
 it
+ }, new Role().with {
+ name = 'ROLE_ENABLE'
+ it
 }]
 roles.each {
 roleRepository.save(it)
@@ -207,4 +210,4 @@ class DevConfig {
 return it
 })
 }
-}
+}
\ No newline at end of file
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index 6f8b837e3..400212d09 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
@@ -20,6 +20,7 @@ spring.datasource.platform=h2
 spring.datasource.driverClassName=org.h2.Driver
 spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
 spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
 # spring.jackson.default-property-inclusion=non_absent
 spring.jackson.default-property-inclusion=NON_NULL
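Review bot: `spring.h2.console.settings.web-allow-others=true` in the `application.properties` hunk at `-20,6` lets remote clients reach the H2 web console from the default configuration, right next to `spring.h2.console.enabled=true`, and nothing in the commit message ties it to the login fix. The console gives SQL access to the application database, so any deployment that keeps these defaults exposes it as a network-reachable admin surface; whether `WebSecurityConfig` puts the console path behind the role check is not visible in this patch. I would drop the line from this file and, if remote console access is needed during development, set it only in a dev-profile properties file, leaving the shipped default at `spring.h2.console.settings.web-allow-others=false`.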
@@ -87,7 +88,11 @@ shibui.mail.text-email-template-path-prefix=/mail/text/
 shibui.mail.html.email-template-path-prefix=/mail/html/
 shibui.mail.system-email-address=doNotReply@shibui.org
+
+#ShibUIConfiguration slurps in these values and they are bootstrapped in on startup
 shibui.roles=ROLE_ADMIN,ROLE_ENABLE,ROLE_USER,ROLE_NONE
+#Authenticated access roles - used by Spring Security to allow access when authenticated
+shibui.roles.authenticated=ADMIN,ENABLE,USER
 #In order to enable authentication via configured pac4j library (with external SAMl Idp, for example)
 #This property must be set to true and pac4j properties configured. For sample pac4j properties, see application.yml
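Review bot: The two role lists use different name formats, `shibui.roles` with the `ROLE_` prefix and the new `shibui.roles.authenticated=ADMIN,ENABLE,USER` without it, and the added comment does not tell an operator which form is required. Because the value feeds `hasAnyRole(...)` in `WebSecurityConfig`, which adds the prefix itself, an entry copied from the line above would most likely match nobody, so the comment should say so: `#Authenticated access roles (names WITHOUT the ROLE_ prefix) - every role listed here may reach all secured URLs`. The default also admits `ENABLE`, where the replaced code allowed only `USER` and `ADMIN`; if that widening and the omission of `NONE` are deliberate, a short remark here or in the commit description would make the intent reviewable.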