mirror of
https://github.com/Frooodle/Stirling-PDF.git
synced 2025-10-20 11:16:24 +02:00
b98f8627ac
This pull request includes several changes to the `SecurityConfiguration` and other related classes to enhance security and configuration management. The most important changes involve adding new beans, modifying logging levels, and updating dependency injections. Enhancements to security configuration: * [`src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java`](diffhunk://#diff-49df1b16b72e9fcaa7d0c58f46c94ffda0033f5f5e3ddab90a88e2f9022b66f4L3-L36): Added new dependencies and beans for `GrantedAuthoritiesMapper`, `RelyingPartyRegistrationRepository`, and `OpenSaml4AuthenticationRequestResolver`. Removed unused imports and simplified the class by removing the `@Lazy` annotation from `UserService`. [[1]](diffhunk://#diff-49df1b16b72e9fcaa7d0c58f46c94ffda0033f5f5e3ddab90a88e2f9022b66f4L3-L36) [[2]](diffhunk://#diff-49df1b16b72e9fcaa7d0c58f46c94ffda0033f5f5e3ddab90a88e2f9022b66f4L46-L63) [[3]](diffhunk://#diff-49df1b16b72e9fcaa7d0c58f46c94ffda0033f5f5e3ddab90a88e2f9022b66f4L75-R52) [[4]](diffhunk://#diff-49df1b16b72e9fcaa7d0c58f46c94ffda0033f5f5e3ddab90a88e2f9022b66f4R66-L98) [[5]](diffhunk://#diff-49df1b16b72e9fcaa7d0c58f46c94ffda0033f5f5e3ddab90a88e2f9022b66f4L109-R85) [[6]](diffhunk://#diff-49df1b16b72e9fcaa7d0c58f46c94ffda0033f5f5e3ddab90a88e2f9022b66f4R96-R98) Logging improvements: * [`src/main/java/stirling/software/SPDF/EE/KeygenLicenseVerifier.java`](diffhunk://#diff-742f789731a32cb5aa20f7067ef18049002eec2a4909ef6f240d2a26bdcb53c4L97-R97): Changed the logging level from `info` to `debug` for the license validation response body to reduce log verbosity in production. Configuration updates: * [`src/main/java/stirling/software/SPDF/EE/EEAppConfig.java`](diffhunk://#diff-d842c2a4cf43f37ab5edcd644b19a51d614cb0e39963789e1c7e9fb28ddc1de8R30-R34): Added a new bean `ssoAutoLogin` to manage single sign-on auto-login configuration in the enterprise edition. These changes collectively enhance the security configuration and logging management of the application. Please provide a summary of the changes, including relevant motivation and context. Closes #(issue_number) ## Checklist - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have performed a self-review of my own code - [ ] I have attached images of the change if it is UI based - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] If my code has heavily changed functionality I have updated relevant docs on [Stirling-PDFs doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) - [ ] My changes generate no new warnings - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only)
321 lines
19 KiB
Java
321 lines
19 KiB
Java
package stirling.software.SPDF.config.security;
|
|
|
|
import java.util.*;
|
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
import org.springframework.beans.factory.annotation.Qualifier;
|
|
import org.springframework.context.annotation.Bean;
|
|
import org.springframework.context.annotation.Configuration;
|
|
import org.springframework.context.annotation.DependsOn;
|
|
import org.springframework.context.annotation.Lazy;
|
|
import org.springframework.security.authentication.ProviderManager;
|
|
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
|
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
|
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
|
|
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
|
import org.springframework.security.crypto.password.PasswordEncoder;
|
|
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
|
|
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
|
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
|
|
import org.springframework.security.web.SecurityFilterChain;
|
|
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
|
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
|
|
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
|
|
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
|
|
import org.springframework.security.web.savedrequest.NullRequestCache;
|
|
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
|
|
|
import lombok.extern.slf4j.Slf4j;
|
|
import stirling.software.SPDF.config.security.oauth2.CustomOAuth2AuthenticationFailureHandler;
|
|
import stirling.software.SPDF.config.security.oauth2.CustomOAuth2AuthenticationSuccessHandler;
|
|
import stirling.software.SPDF.config.security.oauth2.CustomOAuth2UserService;
|
|
import stirling.software.SPDF.config.security.saml2.CustomSaml2AuthenticationFailureHandler;
|
|
import stirling.software.SPDF.config.security.saml2.CustomSaml2AuthenticationSuccessHandler;
|
|
import stirling.software.SPDF.config.security.saml2.CustomSaml2ResponseAuthenticationConverter;
|
|
import stirling.software.SPDF.config.security.session.SessionPersistentRegistry;
|
|
import stirling.software.SPDF.model.ApplicationProperties;
|
|
import stirling.software.SPDF.model.User;
|
|
import stirling.software.SPDF.repository.JPATokenRepositoryImpl;
|
|
import stirling.software.SPDF.repository.PersistentLoginRepository;
|
|
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
@EnableMethodSecurity
|
|
@Slf4j
|
|
@DependsOn("runningEE")
|
|
public class SecurityConfiguration {
|
|
|
|
private final CustomUserDetailsService userDetailsService;
|
|
private final UserService userService;
|
|
|
|
@Qualifier("loginEnabled")
|
|
private final boolean loginEnabledValue;
|
|
|
|
@Qualifier("runningEE")
|
|
private final boolean runningEE;
|
|
|
|
private final ApplicationProperties applicationProperties;
|
|
private final UserAuthenticationFilter userAuthenticationFilter;
|
|
private final LoginAttemptService loginAttemptService;
|
|
private final FirstLoginFilter firstLoginFilter;
|
|
private final SessionPersistentRegistry sessionRegistry;
|
|
private final PersistentLoginRepository persistentLoginRepository;
|
|
private final GrantedAuthoritiesMapper oAuth2userAuthoritiesMapper;
|
|
private final RelyingPartyRegistrationRepository saml2RelyingPartyRegistrations;
|
|
private final OpenSaml4AuthenticationRequestResolver saml2AuthenticationRequestResolver;
|
|
|
|
public SecurityConfiguration(
|
|
PersistentLoginRepository persistentLoginRepository,
|
|
CustomUserDetailsService userDetailsService,
|
|
@Lazy UserService userService,
|
|
@Qualifier("loginEnabled") boolean loginEnabledValue,
|
|
@Qualifier("runningEE") boolean runningEE,
|
|
ApplicationProperties applicationProperties,
|
|
UserAuthenticationFilter userAuthenticationFilter,
|
|
LoginAttemptService loginAttemptService,
|
|
FirstLoginFilter firstLoginFilter,
|
|
SessionPersistentRegistry sessionRegistry,
|
|
@Autowired(required = false) GrantedAuthoritiesMapper oAuth2userAuthoritiesMapper,
|
|
@Autowired(required = false)
|
|
RelyingPartyRegistrationRepository saml2RelyingPartyRegistrations,
|
|
@Autowired(required = false)
|
|
OpenSaml4AuthenticationRequestResolver saml2AuthenticationRequestResolver) {
|
|
this.userDetailsService = userDetailsService;
|
|
this.userService = userService;
|
|
this.loginEnabledValue = loginEnabledValue;
|
|
this.runningEE = runningEE;
|
|
this.applicationProperties = applicationProperties;
|
|
this.userAuthenticationFilter = userAuthenticationFilter;
|
|
this.loginAttemptService = loginAttemptService;
|
|
this.firstLoginFilter = firstLoginFilter;
|
|
this.sessionRegistry = sessionRegistry;
|
|
this.persistentLoginRepository = persistentLoginRepository;
|
|
this.oAuth2userAuthoritiesMapper = oAuth2userAuthoritiesMapper;
|
|
this.saml2RelyingPartyRegistrations = saml2RelyingPartyRegistrations;
|
|
this.saml2AuthenticationRequestResolver = saml2AuthenticationRequestResolver;
|
|
}
|
|
|
|
@Bean
|
|
public PasswordEncoder passwordEncoder() {
|
|
return new BCryptPasswordEncoder();
|
|
}
|
|
|
|
@Bean
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
if (applicationProperties.getSecurity().getCsrfDisabled() || !loginEnabledValue) {
|
|
http.csrf(csrf -> csrf.disable());
|
|
}
|
|
if (loginEnabledValue) {
|
|
http.addFilterBefore(
|
|
userAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
|
|
if (!applicationProperties.getSecurity().getCsrfDisabled()) {
|
|
CookieCsrfTokenRepository cookieRepo =
|
|
CookieCsrfTokenRepository.withHttpOnlyFalse();
|
|
CsrfTokenRequestAttributeHandler requestHandler =
|
|
new CsrfTokenRequestAttributeHandler();
|
|
requestHandler.setCsrfRequestAttributeName(null);
|
|
http.csrf(
|
|
csrf ->
|
|
csrf.ignoringRequestMatchers(
|
|
request -> {
|
|
String apiKey = request.getHeader("X-API-KEY");
|
|
// If there's no API key, don't ignore CSRF
|
|
// (return false)
|
|
if (apiKey == null || apiKey.trim().isEmpty()) {
|
|
return false;
|
|
}
|
|
// Validate API key using existing UserService
|
|
try {
|
|
Optional<User> user =
|
|
userService.getUserByApiKey(apiKey);
|
|
// If API key is valid, ignore CSRF (return
|
|
// true)
|
|
// If API key is invalid, don't ignore CSRF
|
|
// (return false)
|
|
return user.isPresent();
|
|
} catch (Exception e) {
|
|
// If there's any error validating the API
|
|
// key, don't ignore CSRF
|
|
return false;
|
|
}
|
|
})
|
|
.csrfTokenRepository(cookieRepo)
|
|
.csrfTokenRequestHandler(requestHandler));
|
|
}
|
|
http.addFilterBefore(rateLimitingFilter(), UsernamePasswordAuthenticationFilter.class);
|
|
http.addFilterAfter(firstLoginFilter, UsernamePasswordAuthenticationFilter.class);
|
|
http.sessionManagement(
|
|
sessionManagement ->
|
|
sessionManagement
|
|
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
|
|
.maximumSessions(10)
|
|
.maxSessionsPreventsLogin(false)
|
|
.sessionRegistry(sessionRegistry)
|
|
.expiredUrl("/login?logout=true"));
|
|
http.authenticationProvider(daoAuthenticationProvider());
|
|
http.requestCache(requestCache -> requestCache.requestCache(new NullRequestCache()));
|
|
http.logout(
|
|
logout ->
|
|
logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
|
|
.logoutSuccessHandler(
|
|
new CustomLogoutSuccessHandler(applicationProperties))
|
|
.clearAuthentication(true)
|
|
.invalidateHttpSession( // Invalidate session
|
|
true)
|
|
.deleteCookies("JSESSIONID", "remember-me"));
|
|
http.rememberMe(
|
|
rememberMeConfigurer -> // Use the configurator directly
|
|
rememberMeConfigurer
|
|
.tokenRepository(persistentTokenRepository())
|
|
.tokenValiditySeconds( // 14 days
|
|
14 * 24 * 60 * 60)
|
|
.userDetailsService( // Your existing UserDetailsService
|
|
userDetailsService)
|
|
.useSecureCookie( // Enable secure cookie
|
|
true)
|
|
.rememberMeParameter( // Form parameter name
|
|
"remember-me")
|
|
.rememberMeCookieName( // Cookie name
|
|
"remember-me")
|
|
.alwaysRemember(false));
|
|
http.authorizeHttpRequests(
|
|
authz ->
|
|
authz.requestMatchers(
|
|
req -> {
|
|
String uri = req.getRequestURI();
|
|
String contextPath = req.getContextPath();
|
|
// Remove the context path from the URI
|
|
String trimmedUri =
|
|
uri.startsWith(contextPath)
|
|
? uri.substring(
|
|
contextPath.length())
|
|
: uri;
|
|
return trimmedUri.startsWith("/login")
|
|
|| trimmedUri.startsWith("/oauth")
|
|
|| trimmedUri.startsWith("/saml2")
|
|
|| trimmedUri.endsWith(".svg")
|
|
|| trimmedUri.startsWith("/register")
|
|
|| trimmedUri.startsWith("/error")
|
|
|| trimmedUri.startsWith("/images/")
|
|
|| trimmedUri.startsWith("/public/")
|
|
|| trimmedUri.startsWith("/css/")
|
|
|| trimmedUri.startsWith("/fonts/")
|
|
|| trimmedUri.startsWith("/js/")
|
|
|| trimmedUri.startsWith(
|
|
"/api/v1/info/status");
|
|
})
|
|
.permitAll()
|
|
.anyRequest()
|
|
.authenticated());
|
|
// Handle User/Password Logins
|
|
if (applicationProperties.getSecurity().isUserPass()) {
|
|
http.formLogin(
|
|
formLogin ->
|
|
formLogin
|
|
.loginPage("/login")
|
|
.successHandler(
|
|
new CustomAuthenticationSuccessHandler(
|
|
loginAttemptService, userService))
|
|
.failureHandler(
|
|
new CustomAuthenticationFailureHandler(
|
|
loginAttemptService, userService))
|
|
.defaultSuccessUrl("/")
|
|
.permitAll());
|
|
}
|
|
// Handle OAUTH2 Logins
|
|
if (applicationProperties.getSecurity().isOauth2Activ()) {
|
|
http.oauth2Login(
|
|
oauth2 ->
|
|
oauth2.loginPage("/oauth2")
|
|
.
|
|
/*
|
|
This Custom handler is used to check if the OAUTH2 user trying to log in, already exists in the database.
|
|
If user exists, login proceeds as usual. If user does not exist, then it is autocreated but only if 'OAUTH2AutoCreateUser'
|
|
is set as true, else login fails with an error message advising the same.
|
|
*/
|
|
successHandler(
|
|
new CustomOAuth2AuthenticationSuccessHandler(
|
|
loginAttemptService,
|
|
applicationProperties,
|
|
userService))
|
|
.failureHandler(
|
|
new CustomOAuth2AuthenticationFailureHandler())
|
|
. // Add existing Authorities from the database
|
|
userInfoEndpoint(
|
|
userInfoEndpoint ->
|
|
userInfoEndpoint
|
|
.oidcUserService(
|
|
new CustomOAuth2UserService(
|
|
applicationProperties,
|
|
userService,
|
|
loginAttemptService))
|
|
.userAuthoritiesMapper(
|
|
oAuth2userAuthoritiesMapper))
|
|
.permitAll());
|
|
}
|
|
// Handle SAML
|
|
if (applicationProperties.getSecurity().isSaml2Activ()) {
|
|
// && runningEE
|
|
// Configure the authentication provider
|
|
OpenSaml4AuthenticationProvider authenticationProvider =
|
|
new OpenSaml4AuthenticationProvider();
|
|
authenticationProvider.setResponseAuthenticationConverter(
|
|
new CustomSaml2ResponseAuthenticationConverter(userService));
|
|
http.authenticationProvider(authenticationProvider)
|
|
.saml2Login(
|
|
saml2 -> {
|
|
try {
|
|
saml2.loginPage("/saml2")
|
|
.relyingPartyRegistrationRepository(
|
|
saml2RelyingPartyRegistrations)
|
|
.authenticationManager(
|
|
new ProviderManager(authenticationProvider))
|
|
.successHandler(
|
|
new CustomSaml2AuthenticationSuccessHandler(
|
|
loginAttemptService,
|
|
applicationProperties,
|
|
userService))
|
|
.failureHandler(
|
|
new CustomSaml2AuthenticationFailureHandler())
|
|
.authenticationRequestResolver(
|
|
saml2AuthenticationRequestResolver);
|
|
} catch (Exception e) {
|
|
log.error("Error configuring SAML2 login", e);
|
|
throw new RuntimeException(e);
|
|
}
|
|
});
|
|
}
|
|
} else {
|
|
http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
|
|
}
|
|
return http.build();
|
|
}
|
|
|
|
public DaoAuthenticationProvider daoAuthenticationProvider() {
|
|
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
|
|
provider.setUserDetailsService(userDetailsService);
|
|
provider.setPasswordEncoder(passwordEncoder());
|
|
return provider;
|
|
}
|
|
|
|
@Bean
|
|
public IPRateLimitingFilter rateLimitingFilter() {
|
|
// Example limit TODO add config level
|
|
int maxRequestsPerIp = 1000000;
|
|
return new IPRateLimitingFilter(maxRequestsPerIp, maxRequestsPerIp);
|
|
}
|
|
|
|
@Bean
|
|
public PersistentTokenRepository persistentTokenRepository() {
|
|
return new JPATokenRepositoryImpl(persistentLoginRepository);
|
|
}
|
|
|
|
@Bean
|
|
public boolean activSecurity() {
|
|
return true;
|
|
}
|
|
}
|