diff --git a/src/main/java/org/wikitolearn/gateway/pwa/config/SecurityConfiguration.java b/src/main/java/org/wikitolearn/gateway/pwa/config/SecurityConfiguration.java
index bec62a6..cdd19fc 100644
--- a/src/main/java/org/wikitolearn/gateway/pwa/config/SecurityConfiguration.java
+++ b/src/main/java/org/wikitolearn/gateway/pwa/config/SecurityConfiguration.java 
@@ -1,102 +1,63 @@ package org.wikitolearn.gateway.pwa.config; import java.util.Arrays; -import java.util.Map; -import java.util.Optional; -import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.Ordered; import org.springframework.core.annotation.Order; -import org.springframework.http.HttpEntity; -import org.springframework.http.HttpHeaders; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer; -import org.springframework.security.oauth2.provider.token.TokenStore; -import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter; -import org.springframework.security.oauth2.provider.token.store.JwtTokenStore; -import org.springframework.security.web.csrf.CookieCsrfTokenRepository; -import org.springframework.web.client.RestTemplate; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; @Configuration @EnableResourceServer @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true) public class SecurityConfiguration extends ResourceServerConfigurerAdapter { private final 
ResourceServerProperties resourceServerProperties; public SecurityConfiguration(ResourceServerProperties resourceServerProperties) { this.resourceServerProperties = resourceServerProperties; } @Override public void configure(HttpSecurity http) throws Exception { http .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() .antMatchers(HttpMethod.HEAD).permitAll() .antMatchers(HttpMethod.OPTIONS).permitAll() .antMatchers(HttpMethod.GET, "/api/**").permitAll() .antMatchers("/api/**").authenticated() .and() .cors(); } @Bean @Order(Ordered.HIGHEST_PRECEDENCE) public CorsConfigurationSource corsConfigurationSource() { final CorsConfiguration configuration = new CorsConfiguration(); configuration.setAllowedOrigins(Arrays.asList("*")); configuration.setAllowedMethods(Arrays.asList("*")); configuration.setAllowedHeaders(Arrays.asList("*")); final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", configuration); return source; } @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources.resourceId(resourceServerProperties.getResourceId()); } - - @Bean - @ConditionalOnProperty("security.oauth2.resource.jwt.key-uri") - public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter) { - return new JwtTokenStore(jwtAccessTokenConverter); - } - - @Bean - @ConditionalOnProperty("security.oauth2.resource.jwt.key-uri") - public JwtAccessTokenConverter jwtAccessTokenConverter() { - JwtAccessTokenConverter converter = new JwtAccessTokenConverter(); - converter.setVerifierKey(getKeyFromAuthorizationServer()); - return converter; - } - - private String getKeyFromAuthorizationServer() { - return Optional.ofNullable( - new RestTemplate() - .exchange( - resourceServerProperties.getJwt().getKeyUri(), - HttpMethod.GET, - new HttpEntity(new HttpHeaders()), - Map.class - ) - .getBody() - .get("public_key")) - 
.map(publicKey -> String.format("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", publicKey)) - .orElse(resourceServerProperties.getJwt().getKeyValue()); - } }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 938488d..4955d5a 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -1,55 +1,55 @@ # Spring properties spring: application: name: PWAGateway output: ansi: enabled: DETECT # Zuul properties zuul: sslHostnameValidationEnabled: false prefix: /api/v1 sensitive-headers: Cookie,Set-Cookie routes: history: url: ${COURSE_MIDTIER_URI}/history/courses path: /history/courses/** courses: url: ${COURSE_MIDTIER_URI}/courses path: /courses/** chapters: url: ${COURSE_MIDTIER_URI}/chapters path: /chapters/** pages: url: ${COURSE_MIDTIER_URI}/pages path: /pages/** # Security properties security: oauth2: resource: user-info-uri: ${KEYCLOAK_URI}/auth/realms/${KEYCLOAK_AUTH_REALM}/protocol/openid-connect/userinfo token-info-uri: ${KEYCLOAK_URI}/auth/realms/${KEYCLOAK_AUTH_REALM}/protocol/openid-connect/token/introspect prefer-token-info: false - jwt: - key-uri: ${KEYCLOAK_URI}/auth/realms/${KEYCLOAK_AUTH_REALM} - + jwk: + key-set-uri: ${KEYCLOAK_URI}/auth/realms/${KEYCLOAK_AUTH_REALM}/protocol/openid-connect/certs + # Loggin properties logging: pattern: file: '%d{"yyyy-MM-dd HH:mm:ss,SSS"} %-5level [%c] \(%thread\) : %msg%n' console: '%d{"yyyy-MM-dd HH:mm:ss,SSS"} %-5level [%c] \(%thread\) : %msg%n' # Server properties server: port: ${SERVICE_PORT} ssl: enabled: ${SSL_ENABLED} key-store: file:./app-keystore.jks key-store-password: changeme key-alias: client key-password: changeme trust-store: file:./app-truststore.jks trust-store-password: changeme client-auth: ${MTLS_STATUS} \ No newline at end of file
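Review bot: On the new side `configure(HttpSecurity)` still ends its matcher list at `.antMatchers("/api/**").authenticated()` with no `anyRequest()` rule, so a request outside `/api/**` receives no authorization decision and, with Spring Security's default interceptor settings, is let through (worth confirming against the deployed filter chain); appending `.anyRequest().denyAll()` after that line makes the gateway deny-by-default. With the `JwtTokenStore`/`RestTemplate` key fetch removed, the class no longer contains any token-verification code, which a reader will look for, so a class Javadoc such as `/** Stateless resource server; bearer tokens are verified by the auto-configured token store driven by security.oauth2.resource in application.yml, not by code in this class. */` would document where that responsibility went. `corsConfigurationSource()` also still registers `*` for origins, methods and headers on `/**`; sourcing the allowed origins from a configuration property rather than a wildcard is the cheaper long-term option now that the class is otherwise property-driven.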
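Review bot: With `jwk.key-set-uri` now set, the `user-info-uri`, `token-info-uri` and `prefer-token-info` entries a few lines above it look like dead configuration: Boot's resource-server autoconfiguration selects the JWK token store when a key-set URI is present and falls back to the remote user-info/token-info services only when neither JWT nor JWK is configured (confirm against the Boot version in use). Either remove the unused entries or add a comment above `jwk:` recording which path is authoritative, e.g. `# Bearer tokens are verified locally against the realm JWK set; user-info/token-info are not consulted.` Because signature verification now depends on fetching this endpoint, `${KEYCLOAK_URI}` must resolve to an https URL in every deployment, otherwise the keys used to accept bearer tokens are obtained over an unauthenticated channel. The `changeme` key-store and trust-store passwords under `server.ssl` are pre-existing, but replacing them with `${...}` placeholders in the same pass would keep credentials out of the checked-in file.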