Switch authentication to OAuth 2 #27

ansv7779 · 2024-11-26T15:33:39+01:00

ansv7779 commented

2024-11-26 15:33:39 +01:00

This is one requirement in bringing #15 to reality.

Currently the way to log in to SciPro is by having a locally modified web.xml that emulates being authenticated via single sign-on (SSO). This method can not work on an automatically deployed test server. It is also not possible to have real SSO configured for the test servers due to their dynamic nature and that they are given a new hostname each time. Our current SSO solution requires there to be certificate issued to specific hostnames. Even if it were possible to get SSO set up how would the username received from SSO match to test data? We would have to have real usernames in our test data which is not desirable.

To solve both of the problems described above - requiring a locally modified version of a git tracked file and needing an authentication mechanism that works for dynamic test servers - a change of the authentication mechanism from Tomcat controlled SSO to application controlled OAuth 2 is proposed. There is already an OAuth 2 authorization server running in production which itself is authenticates users via SSO that will be used in production and for the permanent test servers. In development and for the dynamic test servers a local authorization server running in Docker is provided.

For "regular" users there will be no noticeable change, they will be prompted to log in via SSO and then they get access to the system. For users with high developer access they will, on the permanent test servers, be prompted to "issue token". On that page they can use the top form to authenticate as themselves based on their SSO authentication, or use the bottom form to issue a completely custom authentication and log in as whatever username they deem necessary. The temporary test servers and during local development will work similarly with the only difference being that there is no SSO log in first and you will be prompted to issue a token immediately. The default authentication (top form) will be a local sys-admin level user.

How to test

Start the local OAuth 2 authorization server with docker compose up
Start SciPro
Attempt to log in

This is one requirement in bringing #15 to reality. Currently the way to log in to SciPro is by having a locally modified `web.xml` that emulates being authenticated via single sign-on (SSO). This method can not work on an automatically deployed test server. It is also not possible to have real SSO configured for the test servers due to their dynamic nature and that they are given a new hostname each time. Our current SSO solution requires there to be certificate issued to specific hostnames. Even if it were possible to get SSO set up how would the username received from SSO match to test data? We would have to have real usernames in our test data which is not desirable. To solve both of the problems described above - requiring a locally modified version of a git tracked file and needing an authentication mechanism that works for dynamic test servers - a change of the authentication mechanism from Tomcat controlled SSO to application controlled OAuth 2 is proposed. There is already an OAuth 2 authorization server running in production which itself is authenticates users via SSO that will be used in production and for the permanent test servers. In development and for the dynamic test servers a local authorization server running in Docker is provided. For "regular" users there will be no noticeable change, they will be prompted to log in via SSO and then they get access to the system. For users with high developer access they will, on the permanent test servers, be prompted to "issue token". On that page they can use the top form to authenticate as themselves based on their SSO authentication, or use the bottom form to issue a completely custom authentication and log in as whatever username they deem necessary. The temporary test servers and during local development will work similarly with the only difference being that there is no SSO log in first and you will be prompted to issue a token immediately. The default authentication (top form) will be a local sys-admin level user. ## How to test 1. Start the local OAuth 2 authorization server with `docker compose up` 2. Start SciPro 3. Attempt to log in

ansv7779 added 3 commits 2024-11-26 15:33:39 +01:00

Switch to Spring Security for authentication and allow local OAuth 2 log in 615953117d

Instead of storing the current user in the Wicket session, let Spring Security handle it. The CurrentUser implementation has been changed to look it up from there instead of the Wicket session.

Also enable, in addition to Shibboleth (pre-authenticated remote user), OAuth 2 login which removes the need for the locally modified web.xml with a faked remote user. The Docker Compose file has been updated to run a OAuth 2 container for this type of login.

Remove Shibboleth (SAML) log in f6acbd805b

Tomcat/Apache integration for SAML will populate the ServletRequest#getRemoteUser with an empty string rather than null when not authenticated. This confuses Spring Security to think the user is authenticated but with an empty string as the principal name. This causes problems further down the line in Spring Security since an empty principal is not accepted.

To get around this we simply remove the SAML integration and rely solely on OAuth 2.0 for log in. An alternative would be to apply a servlet filter beforehand that would send null if the string is empty. But that has the downside of having different authentication mechanism for production and development. By using only OAuth 2.0 everywhere it works the same, and it is easier to troubleshoot.

Allow logging in with the default OAuth 2 principal

Build and test / build-and-test (push) Successful in 6m54s

Details

c3aeb32045

The default principal is "dev@localhost", if you run the system with the development profile (DEV) a user with sys-admin role will be created with that principal as username.

ansv7779 requested review from niat8586 2024-11-28 18:09:26 +01:00

ansv7779 requested review from tozh4728 2024-11-28 18:09:26 +01:00

ansv7779 added 1 commit 2024-11-28 18:12:13 +01:00

Merge branch 'develop' into oauth2-login

Build and test / build-and-test (push) Successful in 11m52s

Details

26991e5a8f

ansv7779 added 1 commit 2024-12-02 14:43:52 +01:00

Merge branch 'develop' into oauth2-login

Build and test / build-and-test (push) Successful in 7m41s

Details

305685283d

# Conflicts:
#	view/src/main/java/se/su/dsv/scipro/CurrentUserFromWicketSession.java
#	view/src/main/java/se/su/dsv/scipro/loginlogout/pages/SSOPage.java
#	view/src/main/java/se/su/dsv/scipro/security/auth/MockRemoteUserFilter.java
#	view/src/main/java/se/su/dsv/scipro/session/SciProSession.java
#	view/src/test/java/se/su/dsv/scipro/SciProTest.java

Build and test / build-and-test (push) Successful in 7m41s

Details

This pull request doesn't have enough approvals yet. 0 of 1 approvals granted.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions.