Switch authentication to OAuth 2 #27

Merged
ansv7779 merged 6 commits from oauth2-login into develop 2024-12-16 16:55:49 +01:00

6 Commits

Author SHA1 Message Date
a0d32f3409 Merge branch 'develop' into oauth2-login
All checks were successful
Build and test / build-and-test (push) Successful in 15m39s
2024-12-16 14:58:45 +01:00
305685283d Merge branch 'develop' into oauth2-login
All checks were successful
Build and test / build-and-test (push) Successful in 7m41s
# Conflicts:
#	view/src/main/java/se/su/dsv/scipro/CurrentUserFromWicketSession.java
#	view/src/main/java/se/su/dsv/scipro/loginlogout/pages/SSOPage.java
#	view/src/main/java/se/su/dsv/scipro/security/auth/MockRemoteUserFilter.java
#	view/src/main/java/se/su/dsv/scipro/session/SciProSession.java
#	view/src/test/java/se/su/dsv/scipro/SciProTest.java
2024-12-02 14:36:23 +01:00
26991e5a8f Merge branch 'develop' into oauth2-login
All checks were successful
Build and test / build-and-test (push) Successful in 11m52s
2024-11-28 18:12:09 +01:00
c3aeb32045 Allow logging in with the default OAuth 2 principal
All checks were successful
Build and test / build-and-test (push) Successful in 6m54s
The default principal is "dev@localhost". If you run the system with the development profile (DEV), a user with the sys-admin role will be created with that principal as its username.
2024-11-26 13:10:36 +01:00
f6acbd805b Remove Shibboleth (SAML) log in
Tomcat/Apache integration for SAML will populate ServletRequest#getRemoteUser with an empty string rather than null when not authenticated. This confuses Spring Security into thinking the user is authenticated but with an empty string as the principal name. This causes problems further down the line in Spring Security since an empty principal is not accepted.

To get around this we simply remove the SAML integration and rely solely on OAuth 2.0 for login. An alternative would be to apply a servlet filter beforehand that would send null if the string is empty, but that has the downside of having different authentication mechanisms for production and development. By using only OAuth 2.0 everywhere it works the same, and it is easier to troubleshoot.
2024-11-26 12:51:06 +01:00
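For reference, the rejected alternative from the commit message above, written out as an added example (this is not code from the SciPro repository, and the package, class and method names are hypothetical): a servlet filter that wraps the request so an empty remote user is reported as null. It assumes the jakarta.servlet API (Tomcat 10 and later); on Tomcat 9 the same code works with the javax.servlet imports. Besides getRemoteUser it also normalises getUserPrincipal, because Spring Security's container pre-authentication filter reads the principal rather than the remote-user string, and a non-null principal with an empty name would reproduce the same problem.

```java
// Added example, not part of the SciPro code base: the servlet filter the
// commit message mentions as the alternative it did not take. It wraps the
// request so that an empty remote user (what the Tomcat/Apache SAML integration
// hands over when nobody is authenticated) becomes null, which Spring Security's
// pre-authentication filters treat as "no pre-authenticated principal".
// Assumes jakarta.servlet (Tomcat 10+); swap to javax.servlet for Tomcat 9.
package example.auth; // hypothetical package name

import java.io.IOException;
import java.security.Principal;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;

public class EmptyRemoteUserFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest httpRequest) {
            // Everything downstream (including springSecurityFilterChain) sees the wrapper.
            chain.doFilter(new NullingRemoteUserRequest(httpRequest), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    static final class NullingRemoteUserRequest extends HttpServletRequestWrapper {
        NullingRemoteUserRequest(HttpServletRequest request) {
            super(request);
        }

        private static boolean isBlank(String s) {
            return s == null || s.trim().isEmpty();
        }

        // "" from the container means "not authenticated"; report it as null.
        @Override
        public String getRemoteUser() {
            String user = super.getRemoteUser();
            return isBlank(user) ? null : user;
        }

        // Keep getUserPrincipal consistent with getRemoteUser: a Principal whose
        // name is empty would otherwise be accepted as a (bogus) pre-authenticated user.
        @Override
        public Principal getUserPrincipal() {
            Principal principal = super.getUserPrincipal();
            return (principal == null || isBlank(principal.getName())) ? null : principal;
        }
    }
}
```

The filter only helps if it is mapped ahead of Spring Security's filter chain in the servlet container (earlier in web.xml, or with a higher-precedence registration in Spring Boot), otherwise Spring Security reads the raw request first. The commit's objection still stands: this patches the symptom in production only, while development keeps a different login path.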
615953117d Switch to Spring Security for authentication and allow local OAuth 2 log in
Instead of storing the current user in the Wicket session, let Spring Security handle it. The CurrentUser implementation has been changed to look it up from there instead of the Wicket session.

Also enable, in addition to Shibboleth (pre-authenticated remote user), OAuth 2 login, which removes the need for the locally modified web.xml with a faked remote user. The Docker Compose file has been updated to run an OAuth 2 container for this type of login.
2024-11-26 12:51:06 +01:00
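As an added illustration of the "look it up from Spring Security instead of the Wicket session" change described above (example code, not SciPro's CurrentUser implementation; the class and method names are hypothetical): a lookup that reads the principal name from the SecurityContextHolder and treats the cases Spring Security reports as "not really a user" as absent. Authentication#getName() yields the configured user-name attribute for an OAuth 2 login and the remote-user string for a pre-authenticated one, so the same code serves both mechanisms.

```java
// Added example, not code from the SciPro repository. Resolves the current
// principal name from Spring Security's SecurityContextHolder rather than from
// a Wicket session attribute. Names are hypothetical.
package example.auth; // hypothetical package name

import java.util.Optional;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public final class CurrentPrincipal {

    private CurrentPrincipal() {}

    // Entry point for application code: Optional.empty() means "nobody is logged in".
    public static Optional<String> username() {
        return username(SecurityContextHolder.getContext().getAuthentication());
    }

    // Package-visible so it can be exercised with a hand-built Authentication in a test.
    static Optional<String> username(Authentication authentication) {
        // No context at all, a token that was explicitly marked unauthenticated,
        // or Spring Security's anonymous token: note that AnonymousAuthenticationToken
        // reports isAuthenticated() == true, so it has to be checked by type.
        if (authentication == null
                || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return Optional.empty();
        }
        // Works for both login mechanisms: OAuth 2 (e.g. "dev@localhost" for the
        // development principal) and a container pre-authenticated remote user.
        String name = authentication.getName();
        // An empty principal name is never a valid user; this is the same failure
        // the SAML commit describes, guarded here so it cannot leak into the app.
        if (name == null || name.isBlank()) {
            return Optional.empty();
        }
        return Optional.of(name);
    }
}
```

A CurrentUser implementation built on this would map the returned name to the application's own user record; because nothing is cached in the Wicket session, a logout handled by Spring Security is immediately visible to the UI layer.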