Merge pull request #23 from hhu-propra2/keycloak

Keycloak

build.gradle

@@ -57,6 +57,8 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-security'
 	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.keycloak:keycloak-spring-boot-starter:9.0.0'
+	implementation 'org.keycloak.bom:keycloak-adapter-bom:3.3.0.Final'
 	implementation 'mops:styleguide:2.0.0'
 	compile group: 'io.springfox', name: 'springfox-swagger2', version: '2.7.0'
 	compile group: 'io.springfox', name: 'springfox-swagger-ui', version: '2.7.0'

src/main/java/mops/gruppen2/controllers/Gruppen2Controller.java

@@ -1,14 +1,44 @@
 package mops.gruppen2.controllers;
 
+import javax.annotation.security.RolesAllowed;
+import mops.gruppen2.security.Account;
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
 import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.context.annotation.SessionScope;
 
-@RequestMapping("/gruppen2")
+@SessionScope
 @Controller
 public class Gruppen2Controller {
+    /**
+     * Creates an Account.
+     *
+     * @param token Ein toller token
+     * @return Account with current userdata
+     */
+    private Account createAccountFromPrincipal(KeycloakAuthenticationToken token) {
+        KeycloakPrincipal principal = (KeycloakPrincipal) token.getPrincipal();
+        return new Account(
+                principal.getName(),
+                principal.getKeycloakSecurityContext().getIdToken().getEmail(),
+                null,
+                principal.getKeycloakSecurityContext().getIdToken().getGivenName(),
+                principal.getKeycloakSecurityContext().getIdToken().getFamilyName(),
+                token.getAccount().getRoles());
+    }
+
+    /**Zeigt die index.html an.
+     *
+     * @param token toller token
+     * @param model tolles model
+     * @return index.html
+     */
     @GetMapping("/")
-    public String index() {
+    @RolesAllowed({"ROLE_orga", "ROLE_studentin", "ROLE_actuator)"})
+    public String index(KeycloakAuthenticationToken token, Model model) {
+        model.addAttribute("account", createAccountFromPrincipal(token));
         return "index";
     }
 }

src/main/java/mops/gruppen2/security/Account.java

@@ -0,0 +1,16 @@
+package mops.gruppen2.security;
+
+import java.util.Set;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+@Getter
+@AllArgsConstructor
+public class Account {
+    private final String name;
+    private final String email;
+    private final String image;
+    private final String givenname;
+    private final String familyname;
+    private final Set<String> roles;
+}

src/main/java/mops/gruppen2/security/KeycloakConfig.java

@@ -0,0 +1,18 @@
+package mops.gruppen2.security;
+
+import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * WORKAROUND for https://issues.redhat.com/browse/KEYCLOAK-11282
+ * Bean should move into {@link SecurityConfig} once Bug has been resolved
+ */
+
+@Configuration
+public class KeycloakConfig {
+    @Bean
+    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
+        return new KeycloakSpringBootConfigResolver();
+    }
+}

src/main/java/mops/gruppen2/security/SecurityConfig.java

@@ -0,0 +1,84 @@
+package mops.gruppen2.security;
+
+import javax.servlet.http.HttpServletRequest;
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
+import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
+import org.keycloak.representations.AccessToken;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Scope;
+import org.springframework.context.annotation.ScopedProxyMode;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+@Configuration
+@EnableWebSecurity
+@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
+class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
+
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) {
+        KeycloakAuthenticationProvider keycloakAuthenticationProvider
+                = keycloakAuthenticationProvider();
+        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
+        auth.authenticationProvider(keycloakAuthenticationProvider);
+    }
+
+    @Bean
+    @Override
+    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
+        return new RegisterSessionAuthenticationStrategy(
+                new SessionRegistryImpl());
+    }
+
+    @Bean
+    @Scope(scopeName = WebApplicationContext.SCOPE_REQUEST,
+            proxyMode = ScopedProxyMode.TARGET_CLASS)
+    public AccessToken getAccessToken() {
+        HttpServletRequest request =
+                ((ServletRequestAttributes) RequestContextHolder
+                        .currentRequestAttributes()).getRequest();
+        return ((KeycloakPrincipal) request.getUserPrincipal())
+                .getKeycloakSecurityContext().getToken();
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        super.configure(http);
+        http.authorizeRequests()
+                .antMatchers("/actuator/**")
+                .hasRole("monitoring")
+                .anyRequest()
+                .permitAll();
+    }
+
+    /**
+     * Declaring this class enables us to use the Spring specific
+     * {@link org.springframework.security.access.annotation.Secured} annotation
+     * or the JSR-250 Java Standard
+     * {@link javax.annotation.security.RolesAllowed} annotation
+     * for Role-based authorization.
+     **/
+    @Configuration
+    @EnableGlobalMethodSecurity(
+            prePostEnabled = true,
+            securedEnabled = true,
+            jsr250Enabled = true)
+    public static class MethodSecurityConfig
+            extends GlobalMethodSecurityConfiguration {
+    }
+}

src/main/resources/application.properties

@@ -9,7 +9,8 @@ spring.datasource.username=root
 spring.datasource.password=geheim
 spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
 
-spring.security.user.name=root
-spring.security.user.password=1234
-spring.security.user.roles=ADMIN
-
+keycloak.principal-attribute=preferred_username
+keycloak.auth-server-url=https://keycloak.cs.hhu.de/auth
+keycloak.realm=MOPS
+keycloak.resource=demo
+keycloak.public-client=true