Merge branch 'main' into gh-34

Author: marcusdacoregio

servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/java/example/OAuth2ResourceServerSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 the original author or authors.
+ * Copyright 2020-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,60 +21,50 @@
 
 import javax.servlet.http.HttpServletRequest;
 
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationManagerResolver;
+import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
-import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
 import org.springframework.security.oauth2.server.resource.authentication.JwtBearerTokenAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
-import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * OAuth Resource Security configuration.
  *
  * @author Josh Cummings
  */
-@EnableWebSecurity
-public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
+@Configuration
+public class OAuth2ResourceServerSecurityConfiguration {
 
-	@Value("${tenantOne.jwk-set-uri}")
-	String jwkSetUri;
-
-	@Value("${tenantTwo.introspection-uri}")
-	String introspectionUri;
-
-	@Value("${tenantTwo.introspection-client-id}")
-	String introspectionClientId;
-
-	@Value("${tenantTwo.introspection-client-secret}")
-	String introspectionClientSecret;
-
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	SecurityFilterChain apiSecurity(HttpSecurity http,
+			AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) throws Exception {
 		// @formatter:off
 		http
 			.authorizeRequests((requests) -> requests
-					.mvcMatchers("/**/message/**").hasAuthority("SCOPE_message:read")
-					.anyRequest().authenticated()
+				.mvcMatchers("/**/message/**").hasAuthority("SCOPE_message:read")
+				.anyRequest().authenticated()
 			)
 			.oauth2ResourceServer((resourceServer) -> resourceServer
-					.authenticationManagerResolver(multitenantAuthenticationManager())
+				.authenticationManagerResolver(authenticationManagerResolver)
 			);
 		// @formatter:on
+
+		return http.build();
 	}
 
 	@Bean
-	AuthenticationManagerResolver<HttpServletRequest> multitenantAuthenticationManager() {
+	AuthenticationManagerResolver<HttpServletRequest> multitenantAuthenticationManager(JwtDecoder jwtDecoder,
+			OpaqueTokenIntrospector opaqueTokenIntrospector) {
 		Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
-		authenticationManagers.put("tenantOne", jwt());
-		authenticationManagers.put("tenantTwo", opaque());
+		authenticationManagers.put("tenantOne", jwt(jwtDecoder));
+		authenticationManagers.put("tenantTwo", opaque(opaqueTokenIntrospector));
 		return (request) -> {
 			String[] pathParts = request.getRequestURI().split("/");
 			String tenantId = (pathParts.length > 0) ? pathParts[1] : null;
@@ -86,17 +76,14 @@ AuthenticationManagerResolver<HttpServletRequest> multitenantAuthenticationManag
 		};
 	}
 
-	AuthenticationManager jwt() {
-		JwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build();
+	AuthenticationManager jwt(JwtDecoder jwtDecoder) {
 		JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(jwtDecoder);
 		authenticationProvider.setJwtAuthenticationConverter(new JwtBearerTokenAuthenticationConverter());
-		return authenticationProvider::authenticate;
+		return new ProviderManager(authenticationProvider);
 	}
 
-	AuthenticationManager opaque() {
-		OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(this.introspectionUri,
-				this.introspectionClientId, this.introspectionClientSecret);
-		return new OpaqueTokenAuthenticationProvider(introspectionClient)::authenticate;
+	AuthenticationManager opaque(OpaqueTokenIntrospector introspectionClient) {
+		return new ProviderManager(new OpaqueTokenAuthenticationProvider(introspectionClient));
 	}
 
 }

servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/src/main/resources/application.yml

@@ -1,4 +1,10 @@
-tenantOne.jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json
-tenantTwo.introspection-uri: ${mockwebserver.url}/introspect
-tenantTwo.introspection-client-id: client
-tenantTwo.introspection-client-secret: secret
+spring:
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json
+        opaquetoken:
+          introspection-uri: ${mockwebserver.url}/introspect
+          client-id: client
+          client-secret: secret

servlet/xml/java/contacts/build.gradle

@@ -0,0 +1,53 @@
+plugins {
+	id "java"
+	id "war"
+	id "nebula.integtest" version "7.0.9"
+	id "org.gretty" version "3.0.3"
+}
+
+apply from: "gradle/gretty.gradle"
+
+repositories {
+	jcenter()
+	maven { url "https://repo.spring.io/snapshot" }
+}
+
+dependencies {
+	implementation platform("org.springframework.security:spring-security-bom:5.6.0-SNAPSHOT")
+	implementation platform("org.springframework:spring-framework-bom:5.3.9")
+	implementation platform("org.junit:junit-bom:5.7.0")
+
+	implementation "org.springframework.security:spring-security-config"
+	implementation "org.springframework.security:spring-security-web"
+	implementation "org.springframework.security:spring-security-acl"
+	implementation "org.springframework.security:spring-security-taglibs"
+	implementation 'org.springframework:spring-web'
+	implementation "org.springframework:spring-webmvc"
+	implementation 'org.springframework:spring-aop'
+	implementation 'org.springframework:spring-beans'
+	implementation 'org.springframework:spring-context'
+	implementation 'org.springframework:spring-jdbc'
+	implementation 'org.springframework:spring-tx'
+	implementation 'org.slf4j:slf4j-api:1.7.30'
+	implementation 'org.slf4j:slf4j-simple:1.7.30'
+	implementation 'javax.servlet:jstl:1.2'
+
+	runtime 'net.sf.ehcache:ehcache:2.10.5'
+	runtime 'org.hsqldb:hsqldb:2.5.0'
+	runtime 'org.springframework:spring-context-support'
+
+	providedCompile 'javax.servlet:javax.servlet-api:4.0.0'
+
+	testImplementation "org.springframework:spring-test"
+	testImplementation "org.springframework.security:spring-security-test"
+	testImplementation("org.junit.jupiter:junit-jupiter-api")
+	testImplementation "org.assertj:assertj-core:3.18.0"
+
+	testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine")
+
+	integTestImplementation "org.seleniumhq.selenium:htmlunit-driver:2.44.0"
+}
+
+tasks.withType(Test).configureEach {
+	useJUnitPlatform()
+}

servlet/xml/java/contacts/client/client.properties

@@ -0,0 +1,8 @@
+# Properties file with server URL settings for remote access.
+# Applied by PropertyPlaceholderConfigurer from "clientContext.xml".
+#
+
+serverName=localhost
+httpPort=8080
+contextPath=/spring-security-sample-contacts-filter
+rmiPort=1099

servlet/xml/java/contacts/client/clientContext.xml

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "https://www.springframework.org/dtd/spring-beans.dtd">
+
+<!--
+  - Contacts web application
+  - Client application context
+  -->
+
+<beans>
+
+	<!-- Resolves ${...} placeholders from client.properties -->
+	<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+		<property name="location"><value>client.properties</value></property>
+	</bean>
+
+	<!-- Proxy for the RMI-exported ContactManager -->
+	<!-- COMMENTED OUT BY DEFAULT TO AVOID CONFLICTS WITH APPLICATION SERVERS
+	<bean id="rmiProxy" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
+		<property name="serviceInterface">
+			<value>sample.contact.ContactManager</value>
+		</property>
+		<property name="serviceUrl">
+			<value>rmi://${serverName}:${rmiPort}/contactManager</value>
+		</property>
+		<property name="remoteInvocationFactory">
+			<ref bean="remoteInvocationFactory"/>
+		</property>
+	</bean>
+
+	<bean id="remoteInvocationFactory" class="org.springframework.security.ui.rmi.ContextPropagatingRemoteInvocationFactory"/>
+	-->
+
+	<!-- Proxy for the HTTP-invoker-exported ContactManager -->
+	<!-- Spring's HTTP invoker uses Java serialization via HTTP	 -->
+	<bean id="httpInvokerProxy" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
+		<property name="serviceInterface">
+			<value>sample.contact.ContactManager</value>
+		</property>
+		<property name="serviceUrl">
+			<value>http://${serverName}:${httpPort}${contextPath}/remoting/ContactManager-httpinvoker</value>
+		</property>
+		<property name="httpInvokerRequestExecutor">
+			<ref bean="httpInvokerRequestExecutor"/>
+		</property>
+	</bean>
+
+	<!-- Automatically propagates ContextHolder-managed Authentication principal
+		 and credentials to a HTTP invoker BASIC authentication header -->
+	<bean id="httpInvokerRequestExecutor" class="org.springframework.security.core.context.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor"/>
+
+	<!-- Proxy for the Hessian-exported ContactManager
+	<bean id="hessianProxy" class="org.springframework.remoting.caucho.HessianProxyFactoryBean">
+		<property name="serviceInterface">
+			<value>sample.contact.ContactManager</value>
+		</property>
+		<property name="serviceUrl">
+			<value>http://${serverName}:${httpPort}${contextPath}/remoting/ContactManager-hessian</value>
+		</property>
+	</bean>
+	-->
+
+	<!-- Proxy for the Burlap-exported ContactManager
+	<bean id="burlapProxy" class="org.springframework.remoting.caucho.BurlapProxyFactoryBean">
+		<property name="serviceInterface">
+			<value>sample.contact.ContactManager</value>
+		</property>
+		<property name="serviceUrl">
+			<value>http://${serverName}:${httpPort}${contextPath}/remoting/ContactManager-burlap</value>
+		</property>
+	</bean>
+	-->
+
+</beans>

servlet/xml/java/contacts/gradle.properties

@@ -0,0 +1 @@
+version=5.6.0-SNAPSHOT

servlet/xml/java/contacts/gradle/gretty.gradle

@@ -0,0 +1,41 @@
+gretty {
+	servletContainer = "tomcat9"
+	contextPath = "/"
+	fileLogEnabled = false
+	integrationTestTask = 'integrationTest'
+}
+
+Task prepareAppServerForIntegrationTests = project.tasks.create('prepareAppServerForIntegrationTests') {
+	group = 'Verification'
+	description = 'Prepares the app server for integration tests'
+	doFirst {
+		project.gretty {
+			httpPort = -1
+		}
+	}
+}
+
+project.tasks.matching { it.name == "appBeforeIntegrationTest" }.all { task ->
+	task.dependsOn prepareAppServerForIntegrationTests
+}
+
+project.tasks.matching { it.name == "integrationTest" }.all {
+	task -> task.doFirst {
+		def gretty = project.gretty
+		String host = project.gretty.host ?: 'localhost'
+		boolean isHttps = gretty.httpsEnabled
+		Integer httpPort = integrationTest.systemProperties['gretty.httpPort']
+		Integer httpsPort = integrationTest.systemProperties['gretty.httpsPort']
+		int port = isHttps ? httpsPort : httpPort
+		String contextPath = project.gretty.contextPath
+		String httpBaseUrl = "http://${host}:${httpPort}${contextPath}"
+		String httpsBaseUrl = "https://${host}:${httpsPort}${contextPath}"
+		String baseUrl = isHttps ? httpsBaseUrl : httpBaseUrl
+		integrationTest.systemProperty 'app.port', port
+		integrationTest.systemProperty 'app.httpPort', httpPort
+		integrationTest.systemProperty 'app.httpsPort', httpsPort
+		integrationTest.systemProperty 'app.baseURI', baseUrl
+		integrationTest.systemProperty 'app.httpBaseURI', httpBaseUrl
+		integrationTest.systemProperty 'app.httpsBaseURI', httpsBaseUrl
+	}
+}

servlet/xml/java/contacts/gradle/wrapper/gradle-wrapper.jar

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.9-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists