

package com.netgrif.application.engine.configuration;

import com.google.common.collect.Ordering;
import com.netgrif.application.engine.configuration.authentication.providers.NaeAuthProperties;
import com.netgrif.application.engine.configuration.authentication.providers.NetgrifAuthenticationProvider;
import com.netgrif.application.engine.configuration.properties.SecurityConfigProperties;
import com.netgrif.application.engine.configuration.properties.ServerAuthProperties;
import com.netgrif.application.engine.configuration.properties.enumeration.HSTS;
import com.netgrif.application.engine.configuration.properties.enumeration.XFrameOptionsMode;
import com.netgrif.application.engine.configuration.properties.enumeration.XXSSProtection;
import com.netgrif.application.engine.configuration.security.SessionUtilsProperties;
import com.netgrif.application.engine.ldap.filters.LoginAttemptsFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.stream.Collectors;

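/**
 * Base Spring Security configuration shared by the concrete security configurations.
 *
 * <p>Registers the configured {@link NetgrifAuthenticationProvider} beans with the
 * authentication manager and offers {@link HttpSecurity} helpers that apply the response-header,
 * CSRF, CORS, session and login-attempt-filter settings read from the injected properties.
 * Subclasses supply the abstract hooks at the bottom of the class (registration switch,
 * CSRF/CORS switches, URL patterns, environment and header properties).
 */
public abstract class AbstractSecurityConfiguration extends WebSecurityConfigurerAdapter {

    /** Header name of the static fallback written when no Content-Security-Policy is configured. */
    private static final String FALLBACK_CSP_HEADER = "X-Content-Security-Policy";

    /** Header value of the static fallback written when no Content-Security-Policy is configured. */
    private static final String FALLBACK_CSP_VALUE = "frame-src: 'none'";

    /** Spring profile whose activation opens {@code /dev/**}. */
    private static final String DEV_PROFILE = "dev";

    @Autowired
    protected ServerAuthProperties serverAuthProperties;

    @Autowired
    protected SessionUtilsProperties sessionUtilsProperties;

    @Autowired
    private NaeAuthProperties naeAuthProperties;

    @Autowired
    private ApplicationContext context;

    /**
     * Applies every configured security response header (HSTS, Content-Security-Policy,
     * X-Frame-Options and X-XSS-Protection) to {@code http}.
     *
     * @param http the security builder being configured
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    protected void setHeaders(HttpSecurity http) throws Exception {
        setStrictTransportSecurity(http);
        setContentSecurityPolicy(http);
        setXFrameOptions(http);
        setXXSSProtection(http);
    }

    /**
     * Configures HTTP Strict-Transport-Security from the {@code headers.hsts} properties.
     *
     * <p>The header is written only when header properties exist, HSTS is enabled and
     * {@code maxAge} is non-negative; otherwise HSTS is explicitly disabled. The optional
     * {@code includeSubDomains} and {@code preload} flags are applied only when they are set
     * (non-null); an unset flag leaves Spring's default for it.
     *
     * @param http the security builder being configured
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    protected void setStrictTransportSecurity(HttpSecurity http) throws Exception {
        if (!isHstsConfigured()) {
            http
                    .headers()
                    .httpStrictTransportSecurity().disable();
            return;
        }
        HSTS hsts = getSecurityConfigProperties().getHeaders().getHsts();
        // Spring's HeadersConfigurer hands back the same HSTS configurer on each call, so the
        // optional flags can be applied one at a time instead of enumerating every
        // null/non-null combination.
        http
                .headers()
                .httpStrictTransportSecurity()
                .maxAgeInSeconds(hsts.getMaxAge());
        if (Objects.nonNull(hsts.isIncludeSubDomains())) {
            http
                    .headers()
                    .httpStrictTransportSecurity()
                    .includeSubDomains(hsts.isIncludeSubDomains());
        }
        if (Objects.nonNull(hsts.isPreload())) {
            http
                    .headers()
                    .httpStrictTransportSecurity()
                    .preload(hsts.isPreload());
        }
    }

    /**
     * Returns whether HSTS should be emitted: header properties exist, an {@link HSTS} block is
     * present, it is enabled and its max-age is non-negative.
     */
    private boolean isHstsConfigured() {
        if (!existConfigurationHeaders()) {
            return false;
        }
        HSTS hsts = getSecurityConfigProperties().getHeaders().getHsts();
        return hsts != null && hsts.isEnable() && hsts.getMaxAge() >= 0;
    }

    /**
     * Configures the {@code X-XSS-Protection} header from {@code headers.xXssProtection}.
     * Falls back to {@link XXSSProtection#ENABLE} when no header properties are present.
     *
     * <p>NOTE(review): {@code ENABLE} maps to {@code xssProtectionEnabled(false)} and
     * {@code ENABLE_MODE} to {@code xssProtectionEnabled(true)}; in Spring Security the former
     * presumably writes {@code X-XSS-Protection: 0} (header off). Confirm the enum names match
     * the intended header values.
     *
     * @param http the security builder being configured
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    protected void setXXSSProtection(HttpSecurity http) throws Exception {
        XXSSProtection mode = XXSSProtection.ENABLE;
        if (existConfigurationHeaders()
                && getSecurityConfigProperties().getHeaders().getXXssProtection() != null) {
            mode = getSecurityConfigProperties().getHeaders().getXXssProtection();
        }
        switch (mode) {
            case DISABLE:
                http
                        .headers()
                        .xssProtection().disable();
                break;
            case DISABLE_XSS:
                // Keeps the header with Spring's default writer settings.
                http
                        .headers()
                        .xssProtection();
                break;
            case ENABLE:
                http
                        .headers()
                        .xssProtection().xssProtectionEnabled(false);
                break;
            case ENABLE_MODE:
                http
                        .headers()
                        .xssProtection().xssProtectionEnabled(true);
                break;
            default:
                // Unknown enum value: leave Spring's default writer untouched.
                break;
        }
    }

    /**
     * Configures Content-Security-Policy from {@code headers.contentSecurityPolicy}. When the
     * property is missing or empty a static fallback header is written instead.
     *
     * <p>NOTE(review): the fallback uses the legacy {@code X-Content-Security-Policy} header name
     * and the value {@code frame-src: 'none'}; CSP directives are written without a colon
     * ({@code frame-src 'none'}), so current browsers are unlikely to honour the fallback.
     * Deployments should set an explicit policy through the property rather than rely on it.
     *
     * @param http the security builder being configured
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    protected void setContentSecurityPolicy(HttpSecurity http) throws Exception {
        String policy = existConfigurationHeaders()
                ? getSecurityConfigProperties().getHeaders().getContentSecurityPolicy()
                : null;
        if (policy == null || policy.isEmpty()) {
            http
                    .headers()
                    .addHeaderWriter(new StaticHeadersWriter(FALLBACK_CSP_HEADER, FALLBACK_CSP_VALUE));
        } else {
            http
                    .headers()
                    .contentSecurityPolicy(policy);
        }
    }

    /**
     * Configures {@code X-Frame-Options} from {@code headers.xFrameOptions}. Falls back to
     * {@link XFrameOptionsMode#DISABLE} when no header properties are present.
     *
     * <p>{@code DISABLE} removes the header entirely, so with the default configuration framing of
     * the application is not restricted unless a Content-Security-Policy does so.
     *
     * @param http the security builder being configured
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    protected void setXFrameOptions(HttpSecurity http) throws Exception {
        XFrameOptionsMode mode = XFrameOptionsMode.DISABLE;
        if (existConfigurationHeaders() && getSecurityConfigProperties().getHeaders().getXFrameOptions() != null) {
            mode = getSecurityConfigProperties().getHeaders().getXFrameOptions();
        }
        switch (mode) {
            case SAMEORIGIN:
                http
                        .headers()
                        .frameOptions()
                        .sameOrigin();
                break;
            case DENY:
                http
                        .headers()
                        .frameOptions()
                        .deny();
                break;
            case DISABLE:
            default:
                http
                        .headers()
                        .frameOptions()
                        .disable();
                break;
        }
    }

    /**
     * Enables CSRF protection with a cookie-backed token repository when
     * {@link #isCsrfEnabled()} is true, otherwise disables CSRF protection.
     *
     * <p>The cookie is deliberately not HttpOnly so that a browser client can read the token and
     * send it back in a request header.
     *
     * @param http the security builder being configured
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    protected void setCsrf(HttpSecurity http) throws Exception {
        if (isCsrfEnabled()) {
            http
                    .csrf()
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        } else {
            http
                    .csrf()
                    .disable();
        }
    }

    /**
     * Enables Spring's CORS support when {@link #isCorsEnabled()} is true; does nothing otherwise.
     *
     * @param http the security builder being configured
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    protected void corsEnable(HttpSecurity http) throws Exception {
        if (isCorsEnabled()) {
            http
                    .cors();
        }
    }

    /**
     * Registers every {@link NetgrifAuthenticationProvider} bean whose bean name appears in
     * {@code naeAuthProperties.providers}, in the order the property lists them. Bean and
     * property names are compared case-insensitively (lower-cased with {@link Locale#ROOT} so
     * the result does not depend on the JVM default locale).
     *
     * @param auth the authentication manager builder to register the providers with
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        List<String> enabledProviders = Arrays.stream(naeAuthProperties.getProviders())
                .map(name -> name.toLowerCase(Locale.ROOT))
                .collect(Collectors.toList());
        context.getBeansOfType(NetgrifAuthenticationProvider.class)
                .entrySet().stream()
                .filter(entry -> enabledProviders.contains(entry.getKey().toLowerCase(Locale.ROOT)))
                // Ordering.explicit sorts by position in the configured provider list.
                .sorted(Ordering.explicit(enabledProviders).onResultOf(entry -> entry.getKey().toLowerCase(Locale.ROOT)))
                .forEach(entry -> auth.authenticationProvider(entry.getValue()));
    }

    /**
     * Collects the URL patterns used by the concrete configuration (presumably as the
     * unauthenticated set — confirm against the subclass): static patterns, server patterns,
     * {@code serverAuthProperties.noAuthenticationPatterns}, {@code /api/auth/invite} when
     * registration is open, and {@code /dev/**} when the {@code dev} Spring profile is active.
     *
     * @return the combined patterns as a new array
     */
    protected String[] getPatterns() {
        List<String> patterns = new ArrayList<>(Arrays.asList(getStaticPatterns()));
        patterns.addAll(Arrays.asList(getServerPatterns()));
        patterns.addAll(Arrays.asList(serverAuthProperties.getNoAuthenticationPatterns()));
        if (isOpenRegistration()) {
            patterns.add("/api/auth/invite");
        }
        // /dev/** is tied to the "dev" profile; that profile must stay inactive outside
        // development environments or the endpoint is exposed with this pattern set.
        if (Arrays.asList(getEnvironment().getActiveProfiles()).contains(DEV_PROFILE)) {
            patterns.add("/dev/**");
        }
        return patterns.toArray(new String[0]);
    }

    /**
     * Limits concurrent sessions per user to {@code sessionUtilsProperties.maxSession} and
     * switches session-fixation protection to a new session, when session limiting is enabled.
     *
     * @param http the security builder being configured
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    protected void configureSession(HttpSecurity http) throws Exception {
        if (sessionUtilsProperties.isEnabledLimitSession()) {
            http.sessionManagement()
                    .maximumSessions(sessionUtilsProperties.getMaxSession())
                    .and()
                    .sessionFixation().newSession();
        }
    }

    /**
     * Adds the {@link LoginAttemptsFilter} ahead of {@link ChannelProcessingFilter} when
     * {@code sessionUtilsProperties.enabledFilter} is set.
     *
     * @param http the security builder being configured
     */
    protected void configureFilters(HttpSecurity http) {
        if (sessionUtilsProperties.isEnabledFilter()) {
            http.addFilterBefore(new LoginAttemptsFilter(), ChannelProcessingFilter.class);
        }
    }

    /**
     * Returns whether security properties and their {@code headers} block are both present.
     */
    protected boolean existConfigurationHeaders() {
        SecurityConfigProperties properties = getSecurityConfigProperties();
        return properties != null && properties.getHeaders() != null;
    }

    /** Whether self-registration is open (adds {@code /api/auth/invite} to {@link #getPatterns()}). */
    protected abstract boolean isOpenRegistration();

    /** Whether CSRF protection is enabled (see {@link #setCsrf(HttpSecurity)}). */
    protected abstract boolean isCsrfEnabled();

    /** Whether CORS support is enabled (see {@link #corsEnable(HttpSecurity)}). */
    protected abstract boolean isCorsEnabled();

    /** Patterns for static resources contributed to {@link #getPatterns()}. */
    protected abstract String[] getStaticPatterns();

    /** Server-specific patterns contributed to {@link #getPatterns()}. */
    protected abstract String[] getServerPatterns();

    /** The Spring environment used to check the active profiles. */
    protected abstract Environment getEnvironment();

    /** The security properties providing the header settings; may be null. */
    protected abstract SecurityConfigProperties getSecurityConfigProperties();

}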



