/* * Copyright 2015 Hewlett-Packard Development Company, L.P. * Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License. */ package com.hp.autonomy.frontend.find.hod.beanconfiguration; import com.hp.autonomy.frontend.find.core.beanconfiguration.BiConfiguration; import com.hp.autonomy.frontend.find.core.beanconfiguration.DispatcherServletConfiguration; import com.hp.autonomy.frontend.find.core.beanconfiguration.FindRole; import com.hp.autonomy.frontend.find.core.web.FindController; import com.hp.autonomy.frontend.find.hod.web.SsoController; import com.hp.autonomy.hod.client.api.authentication.AuthenticationService; import com.hp.autonomy.hod.client.api.authentication.EntityType; import com.hp.autonomy.hod.client.api.authentication.TokenType; import com.hp.autonomy.hod.client.api.authentication.tokeninformation.GroupInformation; import com.hp.autonomy.hod.client.api.userstore.user.UserStoreUsersService; import com.hp.autonomy.hod.client.token.TokenRepository; import com.hp.autonomy.hod.sso.*; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.logout.LogoutSuccessHandler; import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; import 
java.util.ArrayList;
import java.util.Collection;

/**
 * Spring Security configuration for Haven OnDemand (HoD) single sign-on.
 * <p>
 * Registers a {@link HodAuthenticationProvider} that maps HoD token information to Find roles,
 * and an {@link HttpSecurity} chain, scoped by regex to the public, SSO, authentication-API and
 * logout paths, that wires in the HoD SSO entry point, authentication filter and logout handler.
 * <p>
 * {@code @Order(99)} fixes where this adapter sits relative to any other
 * {@code WebSecurityConfigurerAdapter} in the context -- presumably the other Find security
 * configurations are consulted first; verify against the rest of the application.
 */
@Configuration
@Order(99)
public class HodSecurity extends WebSecurityConfigurerAdapter {
    // Name of the HoD user-store group whose members are granted FindRole.BI (when enableBi is set).
    private static final String HOD_BI_ROLE = "bi";

    // Master switch for the BI role; read from the property named by BiConfiguration.BI_PROPERTY.
    @Value("${" + BiConfiguration.BI_PROPERTY + '}')
    private boolean enableBi;

    @Autowired
    private TokenRepository tokenRepository;

    @Autowired
    private AuthenticationService authenticationService;

    @Autowired
    private UnboundTokenService<TokenType.HmacSha1> unboundTokenService;

    @Autowired
    private UserStoreUsersService userStoreUsersService;

    @Autowired
    private HodUserMetadataResolver hodUserMetadataResolver;

    /**
     * Registers the HoD authentication provider.
     * <p>
     * Every authenticated HoD user is granted {@code FindRole.USER}. {@code FindRole.BI} is granted
     * in addition only when {@code enableBi} is true and at least one of the user's group entries
     * lists the {@value #HOD_BI_ROLE} group.
     *
     * @param auth the builder the provider is registered with
     * @throws Exception as declared by the overridden method
     */
    @SuppressWarnings("ProhibitedExceptionDeclared")
    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        final HodAuthenticationProvider hodAuthenticationProvider = new HodAuthenticationProvider(
                tokenRepository,
                (tokenProxy, combinedTokenInformation) -> {
                    // enableBi is re-checked per entry so that, when BI is off, no group entry is inspected.
                    boolean grantBi = false;
                    for (final GroupInformation groupInformation : combinedTokenInformation.getUser().getGroups()) {
                        grantBi = enableBi && groupInformation.getGroups().contains(HOD_BI_ROLE);
                        if (grantBi) {
                            break;
                        }
                    }

                    // NOTE(review): hasRole() below expects a ROLE_-prefixed authority; assumes
                    // FindRole.USER.toString() yields exactly that -- confirm against FindRole.
                    final Collection<GrantedAuthority> authorities = new ArrayList<>(2);
                    authorities.add(new SimpleGrantedAuthority(FindRole.USER.toString()));
                    if (grantBi) {
                        authorities.add(new SimpleGrantedAuthority(FindRole.BI.toString()));
                    }
                    return authorities;
                },
                authenticationService,
                unboundTokenService,
                userStoreUsersService,
                hodUserMetadataResolver,
                // NOTE(review): the last constructor argument is deliberately unset here; what it
                // configures is not visible in this file -- confirm against HodAuthenticationProvider.
                null
        );

        auth.authenticationProvider(hodAuthenticationProvider);
    }

    /**
     * Configures the SSO filter chain.
     * <p>
     * The chain only handles requests matching the regex below (public, SSO, authentication-API
     * and logout paths). CSRF protection is switched off for those paths -- presumably because the
     * SSO callback originates from HoD rather than from a Find page; confirm. NOTE(review): with
     * CSRF disabled, Spring Security's logout matcher accepts any HTTP method, so {@code /logout}
     * becomes reachable via GET -- confirm that is intended for this chain.
     * Only {@code FindController.APP_PATH/**} is required to carry {@code FindRole.USER}; there is
     * no {@code anyRequest()} rule, so other requests handled by this chain are not restricted here.
     *
     * @param http the builder for this filter chain
     * @throws Exception as declared by the overridden method
     */
    @SuppressWarnings("ProhibitedExceptionDeclared")
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Unauthenticated requests are redirected to the SSO page.
        final AuthenticationEntryPoint ssoEntryPoint = new SsoAuthenticationEntryPoint(SsoController.SSO_PAGE);

        // Filter that consumes the combined SSO token posted back to SSO_AUTHENTICATION_URI.
        final SsoAuthenticationFilter<?> ssoFilter = new SsoAuthenticationFilter<>(
                SsoController.SSO_AUTHENTICATION_URI, EntityType.CombinedSso.INSTANCE);
        ssoFilter.setAuthenticationManager(authenticationManager());

        // On logout the stored HoD token is handled by the HoD-aware success handler before redirecting.
        final LogoutSuccessHandler logoutHandler =
                new HodTokenLogoutSuccessHandler(SsoController.SSO_LOGOUT_PAGE, tokenRepository);

        // Each configurer below is applied to the same builder; the statements are the unchained
        // equivalent of a single .and()-joined fluent call, in the same order.
        http.regexMatcher("/public(/.*)?|/sso|/authenticate-sso|/api/authentication/.*|/logout");
        http.csrf().disable();
        http.exceptionHandling()
                .authenticationEntryPoint(ssoEntryPoint)
                .accessDeniedPage(DispatcherServletConfiguration.AUTHENTICATION_ERROR_PATH);
        http.authorizeRequests()
                .antMatchers(FindController.APP_PATH + "/**").hasRole(FindRole.USER.name());
        http.logout()
                .logoutSuccessHandler(logoutHandler);
        http.addFilterAfter(ssoFilter, AbstractPreAuthenticatedProcessingFilter.class);
    }
}