From ec6917145853a99ed28934001dad63d0ec1e23d5 Mon Sep 17 00:00:00 2001
From: killerber4t
Date: Tue, 3 Mar 2020 16:44:05 +0100
Subject: [PATCH] add keycloak
---
 build.gradle | 2 +
 .../java/mops/gruppen2/KeycloakConfig.java | 18 +++++
 .../java/mops/gruppen2/SecurityConfig.java | 81 +++++++++++++++++++
 src/main/resources/application.properties | 7 ++
 4 files changed, 108 insertions(+)
 create mode 100644 src/main/java/mops/gruppen2/KeycloakConfig.java
 create mode 100644 src/main/java/mops/gruppen2/SecurityConfig.java
diff --git a/build.gradle b/build.gradle
index b44d451..1faa99c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -52,6 +52,8 @@ dependencies {
 implementation 'org.springframework.boot:spring-boot-starter-security'
 implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
 implementation 'org.springframework.boot:spring-boot-starter-web'
+ implementation 'org.keycloak:keycloak-spring-boot-starter:9.0.0'
+ implementation 'org.keycloak.bom:keycloak-adapter-bom:3.3.0.Final'
 compileOnly 'org.projectlombok:lombok'
 developmentOnly 'org.springframework.boot:spring-boot-devtools'
 runtimeOnly 'com.h2database:h2'
diff --git a/src/main/java/mops/gruppen2/KeycloakConfig.java b/src/main/java/mops/gruppen2/KeycloakConfig.java
new file mode 100644
index 0000000..b528805
--- /dev/null
+++ b/src/main/java/mops/gruppen2/KeycloakConfig.java
@@ -0,0 +1,18 @@
+package mops.gruppen2;
+
+import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * WORKAROUND for https://issues.redhat.com/browse/KEYCLOAK-11282
+ * Bean should move into {@link SecurityConfig} once Bug has been resolved
+ */
+
+@Configuration
+public class KeycloakConfig {
+ @Bean
+ public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
+ return new KeycloakSpringBootConfigResolver();
+ }
+}
\ No newline at end of file
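Review bot: The second added dependency line declares `org.keycloak.bom:keycloak-adapter-bom:3.3.0.Final` as a plain `implementation` dependency, but a BOM is a pom-only artifact that constrains versions only when it is imported as a platform; declared this way it adds no classes and aligns nothing, and its 3.3.0.Final version also disagrees with the 9.0.0 starter declared on the line above. If version alignment across the Keycloak adapter artifacts is the goal, and the build runs on Gradle 5 or later, change it to `implementation platform('org.keycloak.bom:keycloak-adapter-bom:9.0.0')`; otherwise drop the line. Keeping every adapter artifact on a single version avoids mixing releases in the authentication path, which is hard to diagnose once it fails at runtime.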
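Review bot: The bean factory method `KeycloakConfigResolver()` starts with a capital letter, which breaks Java's lowerCamelCase method convention and, since Spring derives the bean name from the factory method name, also produces a bean named `KeycloakConfigResolver`. Rename it to `public KeycloakSpringBootConfigResolver keycloakConfigResolver()`. The class-level Javadoc explains the workaround well, but the method itself has no documentation; a one-liner such as `/** Lets the Keycloak adapter read its configuration from Spring Boot properties. */` would tell a reader why the resolver bean exists at all.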
diff --git a/src/main/java/mops/gruppen2/SecurityConfig.java b/src/main/java/mops/gruppen2/SecurityConfig.java
new file mode 100644
index 0000000..bffa0b2
--- /dev/null
+++ b/src/main/java/mops/gruppen2/SecurityConfig.java
@@ -0,0 +1,81 @@
+package mops.gruppen2;
+
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
+import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
+import org.keycloak.representations.AccessToken;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.*;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+
+@Configuration
+@EnableWebSecurity
+@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
+class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
+
+ @Autowired
+ public void configureGlobal(AuthenticationManagerBuilder auth) {
+ KeycloakAuthenticationProvider keycloakAuthenticationProvider
+ = keycloakAuthenticationProvider();
+ keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
+ auth.authenticationProvider(keycloakAuthenticationProvider);
+ }
+
+ @Bean
+ @Override
+ protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
+ return new RegisterSessionAuthenticationStrategy(
+ new SessionRegistryImpl());
+ }
+
+ @Bean
+ @Scope(scopeName = WebApplicationContext.SCOPE_REQUEST,
+ proxyMode = ScopedProxyMode.TARGET_CLASS)
+ public AccessToken getAccessToken() {
+ HttpServletRequest request =
+ ((ServletRequestAttributes) RequestContextHolder
+ .currentRequestAttributes()).getRequest();
+ return ((KeycloakPrincipal) request.getUserPrincipal())
+ .getKeycloakSecurityContext().getToken();
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ super.configure(http);
+ http.authorizeRequests()
+ .antMatchers("/actuator/**")
+ .hasRole("monitoring")
+ .anyRequest()
+ .permitAll();
+ }
+
+ /**
+ * Declaring this class enables us to use the Spring specific
+ * {@link org.springframework.security.access.annotation.Secured} annotation
+ * or the JSR-250 Java Standard
+ * {@link javax.annotation.security.RolesAllowed} annotation
+ * for Role-based authorization
+ */
+ @Configuration
+ @EnableGlobalMethodSecurity(
+ prePostEnabled = true,
+ securedEnabled = true,
+ jsr250Enabled = true)
+ public static class MethodSecurityConfig
+ extends GlobalMethodSecurityConfiguration {
+ }
+}
\ No newline at end of file
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 78366c4..34d7960 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
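Review bot: `getAccessToken()` casts `request.getUserPrincipal()` straight to `KeycloakPrincipal`, yet `configure(HttpSecurity)` ends in `.anyRequest().permitAll()`, so an unauthenticated request reaches any controller and the first call through this request-scoped proxy fails with a NullPointerException on the null principal (or a ClassCastException for a non-Keycloak principal) rather than a meaningful error. Guard it before the return: `if (!(request.getUserPrincipal() instanceof KeycloakPrincipal)) {` / `    throw new IllegalStateException("request is not authenticated via Keycloak");` / `}`. The raw `KeycloakPrincipal` cast also produces an unchecked warning that `KeycloakPrincipal<?>` avoids. A short Javadoc on `getAccessToken()` stating that the bean is request-scoped and only meaningful on authenticated requests would spare callers from discovering this at runtime.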
@@ -8,3 +8,10 @@ spring.datasource.driverClassName=org.h2.Driver
 spring.datasource.username=root
 spring.datasource.password=geheim
 spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
+
+
+keycloak.principal-attribute=preferred_username
+keycloak.auth-server-url=https://keycloak.cs.hhu.de/auth
+keycloak.realm=MOPS
+keycloak.resource=demo
+keycloak.public-client=true
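Review bot: `keycloak.public-client=true` registers this server-side application as a public client, meaning no client credential is configured and the client is protected only by the redirect-URI allow-list maintained on the Keycloak side; confirm that is intended for an application that consumes the `AccessToken` server-side, since a confidential client would instead need `keycloak.credentials.secret`, which should be supplied per environment rather than committed here. The realm and auth-server URL are likewise pinned to one environment in the main properties file; a comment such as `# Keycloak client settings; override per environment via KEYCLOAK_* environment variables or a profile-specific properties file` above the block would make the override path explicit.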