Search in sources :

Example 1 with BeanSupplier

use of org.apereo.cas.util.spring.beans.BeanSupplier in project cas by apereo.

the class CasWebSecurityConfigurerAdapter method configure.

/**
 * Disable Spring Security configuration for protocol endpoints
 * allowing CAS' own security configuration to handle protection
 * of endpoints where necessary.
 *
 * @param http http security
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.csrf().disable().headers().disable().logout().disable().requiresChannel().requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null).requiresSecure();
    val requests = http.authorizeRequests().expressionHandler(casWebSecurityExpressionHandler);
    val patterns = protocolEndpointWebSecurityConfigurers.stream().filter(BeanSupplier::isNotProxy).map(ProtocolEndpointWebSecurityConfigurer::getIgnoredEndpoints).flatMap(List<String>::stream).map(endpoint -> StringUtils.prependIfMissing(endpoint, "/").concat("/**")).collect(Collectors.toList());
    patterns.add("/webjars/**");
    patterns.add("/js/**");
    patterns.add("/css/**");
    patterns.add("/images/**");
    patterns.add("/static/**");
    patterns.add("/error");
    patterns.add("/favicon.ico");
    LOGGER.debug("Configuring protocol endpoints [{}] to exclude/ignore from web security", patterns);
    requests.antMatchers(patterns.toArray(String[]::new)).permitAll();
    val endpoints = casProperties.getMonitor().getEndpoints().getEndpoint();
    endpoints.forEach(Unchecked.biConsumer((k, v) -> {
        val endpoint = EndpointRequest.to(k);
        v.getAccess().forEach(Unchecked.consumer(access -> configureEndpointAccess(http, requests, access, v, endpoint)));
    }));
    configureEndpointAccessToDenyUndefined(http, requests);
    configureEndpointAccessForStaticResources(requests);
    protocolEndpointWebSecurityConfigurers.forEach(cfg -> cfg.configure(http));
}
Also used : CasConfigurationProperties(org.apereo.cas.configuration.CasConfigurationProperties) JaasSecurityActuatorEndpointsMonitorProperties(org.apereo.cas.configuration.model.core.monitor.JaasSecurityActuatorEndpointsMonitorProperties) EndpointLdapAuthenticationProvider(org.apereo.cas.web.security.authentication.EndpointLdapAuthenticationProvider) SneakyThrows(lombok.SneakyThrows) RequiredArgsConstructor(lombok.RequiredArgsConstructor) ArrayUtils(org.apache.commons.lang3.ArrayUtils) HttpSecurity(org.springframework.security.config.annotation.web.builders.HttpSecurity) StringUtils(org.apache.commons.lang3.StringUtils) BeanSupplier(org.apereo.cas.util.spring.beans.BeanSupplier) WebSecurityConfigurerAdapter(org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter) ObjectProvider(org.springframework.beans.factory.ObjectProvider) AuthenticationManagerBuilder(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder) ProtocolEndpointWebSecurityConfigurer(org.apereo.cas.web.ProtocolEndpointWebSecurityConfigurer) JaasAuthenticationProvider(org.springframework.security.authentication.jaas.JaasAuthenticationProvider) SecurityExpressionHandler(org.springframework.security.access.expression.SecurityExpressionHandler) SecurityProperties(org.springframework.boot.autoconfigure.security.SecurityProperties) Order(org.springframework.core.annotation.Order) PathRequest(org.springframework.boot.autoconfigure.security.servlet.PathRequest) Unchecked(org.jooq.lambda.Unchecked) ExpressionUrlAuthorizationConfigurer(org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer) lombok.val(lombok.val) EndpointRequest(org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest) Collectors(java.util.stream.Collectors) LdapSecurityActuatorEndpointsMonitorProperties(org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) CasWebSecurityConstants(org.apereo.cas.web.CasWebSecurityConstants) ActuatorEndpointProperties(org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties) DisposableBean(org.springframework.beans.factory.DisposableBean) FilterInvocation(org.springframework.security.web.FilterInvocation) PathMappedEndpoints(org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints) LdapUtils(org.apereo.cas.util.LdapUtils) lombok.val(lombok.val) BeanSupplier(org.apereo.cas.util.spring.beans.BeanSupplier) List(java.util.List)

Aggregations

List (java.util.List)1 Collectors (java.util.stream.Collectors)1 RequiredArgsConstructor (lombok.RequiredArgsConstructor)1 SneakyThrows (lombok.SneakyThrows)1 Slf4j (lombok.extern.slf4j.Slf4j)1 lombok.val (lombok.val)1 ArrayUtils (org.apache.commons.lang3.ArrayUtils)1 StringUtils (org.apache.commons.lang3.StringUtils)1 CasConfigurationProperties (org.apereo.cas.configuration.CasConfigurationProperties)1 ActuatorEndpointProperties (org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties)1 JaasSecurityActuatorEndpointsMonitorProperties (org.apereo.cas.configuration.model.core.monitor.JaasSecurityActuatorEndpointsMonitorProperties)1 LdapSecurityActuatorEndpointsMonitorProperties (org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties)1 LdapUtils (org.apereo.cas.util.LdapUtils)1 BeanSupplier (org.apereo.cas.util.spring.beans.BeanSupplier)1 CasWebSecurityConstants (org.apereo.cas.web.CasWebSecurityConstants)1 ProtocolEndpointWebSecurityConfigurer (org.apereo.cas.web.ProtocolEndpointWebSecurityConfigurer)1 EndpointLdapAuthenticationProvider (org.apereo.cas.web.security.authentication.EndpointLdapAuthenticationProvider)1 Unchecked (org.jooq.lambda.Unchecked)1 DisposableBean (org.springframework.beans.factory.DisposableBean)1 ObjectProvider (org.springframework.beans.factory.ObjectProvider)1