Andreas Svanberg f6acbd805b Remove Shibboleth (SAML) log in
Tomcat/Apache integration for SAML will populate the ServletRequest#getRemoteUser with an empty string rather than null when not authenticated. This confuses Spring Security into thinking the user is authenticated but with an empty string as the principal name. This causes problems further down the line in Spring Security since an empty principal is not accepted.

To get around this we simply remove the SAML integration and rely solely on OAuth 2.0 for log in. An alternative would be to apply a servlet filter beforehand that would send null if the string is empty. But that has the downside of having different authentication mechanisms for production and development. By using only OAuth 2.0 everywhere it works the same, and it is easier to troubleshoot.
2024-11-26 12:51:06 +01:00
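
The alternative the commit message mentions, a servlet filter that reports null when the container supplies an empty remote user, could look like the sketch below. This is an added example, not code from this repository; the class name EmptyRemoteUserFilter, the jakarta.servlet namespace and Java 16+ are assumptions, and the filter would have to be registered ahead of the Spring Security filter chain.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.security.Principal;

// Hypothetical filter (name is an assumption): turns the empty remote user that the
// Tomcat/Apache SAML integration reports for anonymous requests back into null.
public class EmptyRemoteUserFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest http) {
            chain.doFilter(new NormalizedRequest(http), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    private static final class NormalizedRequest extends HttpServletRequestWrapper {

        NormalizedRequest(HttpServletRequest request) {
            super(request);
        }

        // Empty or whitespace-only means "not authenticated", so report null.
        @Override
        public String getRemoteUser() {
            String user = super.getRemoteUser();
            return (user == null || user.isBlank()) ? null : user;
        }

        // Kept consistent with getRemoteUser() in case downstream code reads the
        // principal instead (an assumption; the commit only names getRemoteUser).
        @Override
        public Principal getUserPrincipal() {
            Principal principal = super.getUserPrincipal();
            if (principal == null || principal.getName() == null || principal.getName().isBlank()) {
                return null;
            }
            return principal;
        }
    }
}
```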

Working with the web GUI (Wicket)

The web GUI is protected by OAuth 2 log in. To be able to log in, start the authorization server by running the Docker Compose containers with docker compose up.

Working with the API

The API is protected by OAuth 2: it acts as a resource server and verifies tokens using token introspection.

During development it uses a locally running instance of an authorization server that is run inside Docker. It can be started with docker compose -f docker-compose.yml up. Since there is no frontend to interact with the authorization server, there is a helper script in GetToken.java that can be run directly with java GetToken.java to run through the authorization flow and get an access token.

Once the token has been obtained, go to the Swagger UI to interact with the API. Click the "Authorize" button in the top right and paste the access token to log in.
