Merge pull request #3345 from fhanik/pr/approvals-endpoints.xml

fhanik · web-flow · commit ea5a53962564 · 2025-03-12T13:12:24.000-07:00
move approvalsSecurity filterchain to java
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/approval/beans/ApprovalsSecurityConfiguration.java b/server/src/main/java/org/cloudfoundry/identity/uaa/approval/beans/ApprovalsSecurityConfiguration.java
@@ -0,0 +1,70 @@
+package org.cloudfoundry.identity.uaa.approval.beans;
+
+import org.cloudfoundry.identity.uaa.oauth.UaaTokenServices;
+import org.cloudfoundry.identity.uaa.oauth.provider.authentication.OAuth2AuthenticationManager;
+import org.cloudfoundry.identity.uaa.oauth.provider.authentication.OAuth2AuthenticationProcessingFilter;
+import org.cloudfoundry.identity.uaa.oauth.provider.error.OAuth2AccessDeniedHandler;
+import org.cloudfoundry.identity.uaa.oauth.provider.error.OAuth2AuthenticationEntryPoint;
+import org.cloudfoundry.identity.uaa.web.FilterChainOrder;
+import org.cloudfoundry.identity.uaa.web.UaaFilterChain;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+import static org.cloudfoundry.identity.uaa.web.AuthorizationManagersUtils.anyOf;
+
+@Configuration
+@EnableWebSecurity
+public class ApprovalsSecurityConfiguration {
+
+    @Autowired
+    @Qualifier("tokenServices")
+    private UaaTokenServices tokenServices;
+
+    @Autowired
+    @Qualifier("oauthAuthenticationEntryPoint")
+    OAuth2AuthenticationEntryPoint oauthAuthenticationEntryPoint;
+
+    @Autowired
+    @Qualifier("oauthAccessDeniedHandler")
+    OAuth2AccessDeniedHandler oauthAccessDeniedHandler;
+
+
+    @Bean
+    OAuth2AuthenticationProcessingFilter approvalsResourceAuthenticationFilter() {
+        OAuth2AuthenticationProcessingFilter bean = new OAuth2AuthenticationProcessingFilter();
+        OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
+        authenticationManager.setResourceId("oauth");
+        authenticationManager.setTokenServices(tokenServices);
+        bean.setAuthenticationManager(authenticationManager);
+        return bean;
+    }
+    @Bean
+    @Order(FilterChainOrder.APPROVAL)
+    UaaFilterChain approvalsSecurity(HttpSecurity http) throws Exception {
+        SecurityFilterChain chain = http
+                .securityMatcher("/approvals/**")
+                .authorizeHttpRequests( auth -> {
+                    auth.requestMatchers("/**").access(anyOf(true).hasScope("oauth.approvals"));
+                    auth.anyRequest().denyAll();
+                })
+                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .addFilterBefore(approvalsResourceAuthenticationFilter(), BasicAuthenticationFilter.class)
+                .csrf(CsrfConfigurer::disable)
+                .exceptionHandling(exception ->
+                        exception.authenticationEntryPoint(oauthAuthenticationEntryPoint)
+                                .accessDeniedHandler(oauthAccessDeniedHandler)
+                )
+                .build();
+
+        return new UaaFilterChain(chain, "approvalsSecurity");
+    }
+}
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/scim/beans/ScimSecurityConfiguration.java b/server/src/main/java/org/cloudfoundry/identity/uaa/scim/beans/ScimSecurityConfiguration.java
@@ -34,7 +34,7 @@ class ScimSecurityConfiguration {
     @Qualifier("tokenServices")
     private UaaTokenServices tokenServices;
 
-    @Autowired()
+    @Autowired
     @Qualifier("oauthAuthenticationEntryPoint")
     OAuth2AuthenticationEntryPoint oauthAuthenticationEntryPoint;
 
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/web/FilterChainOrder.java b/server/src/main/java/org/cloudfoundry/identity/uaa/web/FilterChainOrder.java
@@ -21,6 +21,7 @@ public class FilterChainOrder {
     // multitenant-endpoints.xml: 400
 
     // approval-endpoints.xml: 500
+    public static final int APPROVAL = 500;
 
     // client-admin-endpoints.xml: 600
 
diff --git a/uaa/src/main/webapp/WEB-INF/spring-servlet.xml b/uaa/src/main/webapp/WEB-INF/spring-servlet.xml
@@ -351,7 +351,6 @@
     <import resource="spring/login-server-security.xml"/>
     <import resource="spring/oauth-endpoints.xml"/>
     <import resource="spring/multitenant-endpoints.xml"/>
-    <import resource="spring/approvals-endpoints.xml"/>
     <import resource="spring/client-admin-endpoints.xml"/>
 
     <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
diff --git a/uaa/src/main/webapp/WEB-INF/spring/approvals-endpoints.xml b/uaa/src/main/webapp/WEB-INF/spring/approvals-endpoints.xml
diff --git a/uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml b/uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml
@@ -527,6 +527,10 @@
         <constructor-arg name="approvalService" ref="approvalService"/>
     </bean>
 
+    <bean id="approvalStore" class="org.cloudfoundry.identity.uaa.approval.JdbcApprovalStore">
+        <constructor-arg ref="jdbcTemplate"/>
+    </bean>
+
     <bean id="approvalService" class="org.cloudfoundry.identity.uaa.approval.ApprovalService">
         <constructor-arg name="timeService" ref="timeService"/>
         <constructor-arg name="approvalStore" ref="approvalStore"/>
