Use Spring Boot properties

Closes gh-30
This commit is contained in:
Josh Cummings 2021-09-03 16:36:06 -06:00
parent 1ad87dcaf5
commit 4ccd5ce84b
2 changed files with 32 additions and 39 deletions

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2020 the original author or authors. * Copyright 2020-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -21,60 +21,50 @@ import java.util.Optional;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver; import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider; import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtBearerTokenAuthenticationConverter; import org.springframework.security.oauth2.server.resource.authentication.JwtBearerTokenAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider; import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.web.SecurityFilterChain;
/** /**
* OAuth Resource Security configuration. * OAuth Resource Security configuration.
* *
* @author Josh Cummings * @author Josh Cummings
*/ */
@EnableWebSecurity @Configuration
public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter { public class OAuth2ResourceServerSecurityConfiguration {
@Value("${tenantOne.jwk-set-uri}") @Bean
String jwkSetUri; SecurityFilterChain apiSecurity(HttpSecurity http,
AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) throws Exception {
@Value("${tenantTwo.introspection-uri}")
String introspectionUri;
@Value("${tenantTwo.introspection-client-id}")
String introspectionClientId;
@Value("${tenantTwo.introspection-client-secret}")
String introspectionClientSecret;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off // @formatter:off
http http
.authorizeRequests((requests) -> requests .authorizeRequests((requests) -> requests
.mvcMatchers("/**/message/**").hasAuthority("SCOPE_message:read") .mvcMatchers("/**/message/**").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.oauth2ResourceServer((resourceServer) -> resourceServer .oauth2ResourceServer((resourceServer) -> resourceServer
.authenticationManagerResolver(multitenantAuthenticationManager()) .authenticationManagerResolver(authenticationManagerResolver)
); );
// @formatter:on // @formatter:on
return http.build();
} }
@Bean @Bean
AuthenticationManagerResolver<HttpServletRequest> multitenantAuthenticationManager() { AuthenticationManagerResolver<HttpServletRequest> multitenantAuthenticationManager(JwtDecoder jwtDecoder,
OpaqueTokenIntrospector opaqueTokenIntrospector) {
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>(); Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
authenticationManagers.put("tenantOne", jwt()); authenticationManagers.put("tenantOne", jwt(jwtDecoder));
authenticationManagers.put("tenantTwo", opaque()); authenticationManagers.put("tenantTwo", opaque(opaqueTokenIntrospector));
return (request) -> { return (request) -> {
String[] pathParts = request.getRequestURI().split("/"); String[] pathParts = request.getRequestURI().split("/");
String tenantId = (pathParts.length > 0) ? pathParts[1] : null; String tenantId = (pathParts.length > 0) ? pathParts[1] : null;
@ -86,17 +76,14 @@ public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfig
}; };
} }
AuthenticationManager jwt() { AuthenticationManager jwt(JwtDecoder jwtDecoder) {
JwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build();
JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(jwtDecoder); JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(jwtDecoder);
authenticationProvider.setJwtAuthenticationConverter(new JwtBearerTokenAuthenticationConverter()); authenticationProvider.setJwtAuthenticationConverter(new JwtBearerTokenAuthenticationConverter());
return authenticationProvider::authenticate; return new ProviderManager(authenticationProvider);
} }
AuthenticationManager opaque() { AuthenticationManager opaque(OpaqueTokenIntrospector introspectionClient) {
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(this.introspectionUri, return new ProviderManager(new OpaqueTokenAuthenticationProvider(introspectionClient));
this.introspectionClientId, this.introspectionClientSecret);
return new OpaqueTokenAuthenticationProvider(introspectionClient)::authenticate;
} }
} }

View File

@ -1,4 +1,10 @@
tenantOne.jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json spring:
tenantTwo.introspection-uri: ${mockwebserver.url}/introspect security:
tenantTwo.introspection-client-id: client oauth2:
tenantTwo.introspection-client-secret: secret resourceserver:
jwt:
jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json
opaquetoken:
introspection-uri: ${mockwebserver.url}/introspect
client-id: client
client-secret: secret