DMC/scipro
7
0
Fork 0
Code Issues31 Pull Requests5 Actions Projects1 Releases Wiki Activity

Merge commit 'd2e5043c959504faad7fd307e9312e89c3c1a96d' into HEAD

Browse Source
This commit is contained in:
Jenkins 2025-03-31 22:48:53 +02:00
commit 1e803ba51f
5 changed files with 61 additions and 23 deletions

2
compose-branch-deploy.yaml

@ -15,7 +15,7 @@ services:
- JDBC_DATABASE_PASSWORD=scipro - JDBC_DATABASE_PASSWORD=scipro
- OAUTH2_AUTHORIZATION_URI=https://oauth2-${VHOST}/authorize - OAUTH2_AUTHORIZATION_URI=https://oauth2-${VHOST}/authorize
- OAUTH2_TOKEN_URI=https://oauth2-${VHOST}/exchange - OAUTH2_TOKEN_URI=https://oauth2-${VHOST}/exchange
- OAUTH2_USER_INFO_URI=https://oauth2-${VHOST}/verify - OAUTH2_USER_INFO_URI=https://oauth2-${VHOST}/introspect
- OAUTH2_CLIENT_ID=scipro_client - OAUTH2_CLIENT_ID=scipro_client
- OAUTH2_CLIENT_SECRET=scipro_secret - OAUTH2_CLIENT_SECRET=scipro_secret
- OAUTH2_RESOURCE_SERVER_ID=scipro_api_client - OAUTH2_RESOURCE_SERVER_ID=scipro_api_client

22
pom.xml

@ -28,12 +28,7 @@
<querydsl.version>5.0.0</querydsl.version> <querydsl.version>5.0.0</querydsl.version>
<poi.version>5.4.0</poi.version> <poi.version>5.4.0</poi.version>
<!-- <spring.boot.version>3.4.4</spring.boot.version>
When updating spring-boot check if the transitive dependency on json-smart has been
updated to 2.5.2 or later.
If so, remove the dependency managed version of json-smart
-->
<spring.boot.version>3.4.1</spring.boot.version>
<springdoc.openapi.version>2.8.3</springdoc.openapi.version> <springdoc.openapi.version>2.8.3</springdoc.openapi.version>
<!-- Database stuff --> <!-- Database stuff -->
@ -115,21 +110,6 @@
<version>32.0.1-jre</version> <version>32.0.1-jre</version>
</dependency> </dependency>
<dependency>
<!--
2.5.1 is brought in transitively by
spring-boot-starter-oauth2-client
spring-security-oauth2-client
oauth2-oidc-sdk
json-smart
it has a known security vulnerability that's fixed in 2.5.2
should be removed when spring-boot-starter-oauth2-client is updated
-->
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<version>2.5.2</version>
</dependency>
<dependency> <dependency>
<groupId>org.apache.poi</groupId> <groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId> <artifactId>poi</artifactId>

42
war/src/main/java/se/su/dsv/scipro/war/TokenIntrospectionRequestEntityConverter.java Normal file

@ -0,0 +1,42 @@
package se.su.dsv.scipro.war;
import java.net.URI;
import java.util.Collections;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.util.UriComponentsBuilder;
public class TokenIntrospectionRequestEntityConverter implements Converter<OAuth2UserRequest, RequestEntity<?>> {
private static final MediaType FORM_URL_ENCODED = MediaType.valueOf(
MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8"
);
@Override
public RequestEntity<?> convert(OAuth2UserRequest userRequest) {
ClientRegistration clientRegistration = userRequest.getClientRegistration();
URI uri = UriComponentsBuilder.fromUriString(
clientRegistration.getProviderDetails().getUserInfoEndpoint().getUri()
)
.build()
.toUri();
HttpHeaders headers = new HttpHeaders();
headers.setBasicAuth(clientRegistration.getClientId(), clientRegistration.getClientSecret());
headers.setAccept(Collections.singletonList(MediaType.ALL));
headers.setContentType(FORM_URL_ENCODED);
MultiValueMap<String, String> formParameters = new LinkedMultiValueMap<>();
formParameters.add(OAuth2ParameterNames.TOKEN, userRequest.getAccessToken().getTokenValue());
return new RequestEntity<>(formParameters, headers, HttpMethod.POST, uri);
}
}

16
war/src/main/java/se/su/dsv/scipro/war/WicketConfiguration.java

@ -14,6 +14,7 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order; import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer; import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.SecurityFilterChain;
import se.su.dsv.scipro.SciProApplication; import se.su.dsv.scipro.SciProApplication;
import se.su.dsv.scipro.crosscutting.ForwardPhase2Feedback; import se.su.dsv.scipro.crosscutting.ForwardPhase2Feedback;
@ -67,6 +68,21 @@ public class WicketConfiguration {
return http.build(); return http.build();
} }
// Stop gap measure to switch to Token Introspection instead of OIDC UserInfo
// endpoint. This is necessary because the UserInfo endpoint will in soon require
// the "openid" scope, which is not granted to our clients. Unfortunately we can't
// request the scope because that makes Spring require an id token in the token
// exchange which is not granted at the moment.
//
// Once a new authorization server is in place we can remove this bean and use
// straight up id tokens with "openid" scope.
@Bean
public DefaultOAuth2UserService defaultOAuth2UserService() {
DefaultOAuth2UserService defaultOAuth2UserService = new DefaultOAuth2UserService();
defaultOAuth2UserService.setRequestEntityConverter(new TokenIntrospectionRequestEntityConverter());
return defaultOAuth2UserService;
}
@Bean @Bean
public CurrentUserFromSpringSecurity currentUserFromSpringSecurity( public CurrentUserFromSpringSecurity currentUserFromSpringSecurity(
UserService userService, UserService userService,

2
war/src/main/resources/application.properties

@ -22,7 +22,7 @@ spring.security.oauth2.resourceserver.opaquetoken.client-secret=${OAUTH2_RESOURC
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=${OAUTH2_RESOURCE_SERVER_INTROSPECTION_URI:http://localhost:59733/introspect} spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=${OAUTH2_RESOURCE_SERVER_INTROSPECTION_URI:http://localhost:59733/introspect}
# Log in via local OAuth 2 authorization server # Log in via local OAuth 2 authorization server
spring.security.oauth2.client.provider.docker.user-info-uri=${OAUTH2_USER_INFO_URI:http://localhost:59734/verify} spring.security.oauth2.client.provider.docker.user-info-uri=${OAUTH2_USER_INFO_URI:http://localhost:59734/introspect}
spring.security.oauth2.client.provider.docker.user-name-attribute=sub spring.security.oauth2.client.provider.docker.user-name-attribute=sub
spring.security.oauth2.client.provider.docker.token-uri=${OAUTH2_TOKEN_URI:http://localhost:59734/exchange} spring.security.oauth2.client.provider.docker.token-uri=${OAUTH2_TOKEN_URI:http://localhost:59734/exchange}
spring.security.oauth2.client.provider.docker.authorization-uri=${OAUTH2_AUTHORIZATION_URI:http://localhost:59734/authorize} spring.security.oauth2.client.provider.docker.authorization-uri=${OAUTH2_AUTHORIZATION_URI:http://localhost:59734/authorize}