SHIBUI-2327

Correcting security filter to work properly using the pac4j settup Former-commit-id: 563d725369ed11e770e802d14393b33fefc53ae1
TIER · Aug 1, 2022 · effede9 · effede9
1 parent 789d9f7
commit effede9
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
@@ -5,7 +5,7 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.service.IRolesService;
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService;
 import edu.internet2.tier.shibboleth.admin.ui.service.EmailService;
-import static net.unicon.shibui.pac4j.Pac4jConfiguration.PAC4J_CLIENT_NAME;
+import org.pac4j.core.authorization.authorizer.DefaultAuthorizers;
 import org.pac4j.core.config.Config;
 import org.pac4j.core.matching.matcher.Matcher;
 import org.pac4j.springframework.security.web.CallbackFilter;
@@ -26,6 +26,8 @@
 import javax.servlet.Filter;
 import java.util.Optional;
 
+import static net.unicon.shibui.pac4j.Pac4jConfiguration.PAC4J_CLIENT_NAME;
+
 @Configuration
 @AutoConfigureOrder(-1)
 @ConditionalOnProperty(name = "shibui.pac4j-enabled", havingValue = "true")
@@ -62,7 +64,8 @@ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserService userSe
         protected void configure(HttpSecurity http) throws Exception {
             http.authorizeRequests().antMatchers("/unsecured/**/*").permitAll();
 
-            final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME);
+            // adding the authorizor bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
+            final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME, DefaultAuthorizers.IS_AUTHENTICATED);
 
             // add filter based on auth type 
             http.antMatcher("/**").addFilterBefore(getFilter(config, pac4jConfigurationProperties.getTypeOfAuth()), BasicAuthenticationFilter.class);

diff --git a/testbed/authentication/docker-compose.yml b/testbed/authentication/docker-compose.yml
@@ -20,7 +20,7 @@ services:
       - "8080:8080"
       - "443:443"
       - "8443:8443"
-#      - "8000:8000"
+      - "9090:9090"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ../reverse-proxy/:/configuration/
@@ -72,6 +72,7 @@ services:
       - ./shibui/application.yml:/application.yml
     ports:
       - "8000:8000"
+#      - "9090:9090"
     entrypoint: ["/usr/bin/java", "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000", "-jar", "app.war"]
 networks:
   reverse-proxy: