diff --git a/src/main/java/org/edgegallery/website/config/ClientWebSecurityConfigurer.java b/src/main/java/org/edgegallery/website/config/ClientWebSecurityConfigurer.java
index c5efe6ed19148d06643bacba98c0356d10c7ce33..270b16a8a078d34355efe71c273f1515ddf5f9a1 100644
--- a/src/main/java/org/edgegallery/website/config/ClientWebSecurityConfigurer.java
+++ b/src/main/java/org/edgegallery/website/config/ClientWebSecurityConfigurer.java
@@ -37,6 +37,8 @@ import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
@@ -48,10 +50,12 @@ import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticat
 import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
 import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
 import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.util.StringUtils;
 import org.springframework.web.socket.server.standard.ServerEndpointExporter;
@@ -84,7 +88,16 @@ public class ClientWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
 @Override
 public void configure(final HttpSecurity http) throws Exception {
- http.headers().frameOptions().disable();
+ http.headers().frameOptions().disable()
+ .addObjectPostProcessor(new ObjectPostProcessor() {
+ @Override
+ public O postProcess(O object) {
+ LOGGER.info("postProcess setAlwaysReauthenticate true.");
+ object.setAlwaysReauthenticate(true);
+ return object;
+ }
+ });
+
 http.authorizeRequests().antMatchers("/login", "/auth/logout").permitAll()
 // this api will be used by health-check service, so permit all roles to get mec host list in v1.2
 .antMatchers(HttpMethod.GET, "/mecm-inventory/inventory/v1/mechosts").permitAll()
diff --git a/src/main/java/org/edgegallery/website/config/MyAuthenticationSuccessHandler.java b/src/main/java/org/edgegallery/website/config/MyAuthenticationSuccessHandler.java
deleted file mode 100644
index 50390db7156ab3b3c27dbf4d5299c11c8a5efbda..0000000000000000000000000000000000000000
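Review bot: The post-processor is registered on the headers configurer (`http.headers().frameOptions().disable().addObjectPostProcessor(...)`), and as far as I can tell that chain only post-processes objects the HeadersConfigurer itself creates, so a processor typed for `FilterSecurityInterceptor` is unlikely ever to be invoked and `setAlwaysReauthenticate(true)` would silently not take effect — if the `LOGGER.info("postProcess setAlwaysReauthenticate true.")` line never appears at startup, that is the symptom. The generic parameters on `ObjectPostProcessor` and `postProcess` also look stripped in this rendering (`O` is unresolved as printed); presumably the source reads `ObjectPostProcessor<FilterSecurityInterceptor>` with `<O extends FilterSecurityInterceptor> O postProcess(O object)`, as the newly imported `FilterSecurityInterceptor` suggests. The interceptor is created by the `authorizeRequests()` registry, so the processor belongs there via `withObjectPostProcessor`, with `http.headers().frameOptions().disable();` kept as its own statement. The `AbstractSecurityInterceptor` and `HeaderWriterFilter` imports added in the two preceding hunks are not used by the visible change; the rest of the file, including the remainder of `configure`, is outside this diff.
```java
        http.headers().frameOptions().disable();

        http.authorizeRequests()
            .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
                @Override
                public <O extends FilterSecurityInterceptor> O postProcess(O object) {
                    // … unchanged: log line, setAlwaysReauthenticate(true), return object …
                }
            })
            .antMatchers("/login", "/auth/logout").permitAll()
            // … unchanged: remaining antMatchers rules …
```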
--- a/src/main/java/org/edgegallery/website/config/MyAuthenticationSuccessHandler.java
+++ /dev/null
@@ -1,42 +0,0 @@
-package org.edgegallery.website.config;
-
-import java.io.IOException;
-import java.util.Map;
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
-import org.springframework.security.oauth2.provider.token.TokenStore;
-import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
-import org.springframework.stereotype.Component;
-
-@Component
-public class MyAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
- private static final Logger LOGGER = LoggerFactory.getLogger(MyAuthenticationSuccessHandler.class);
-
- @Autowired
- private TokenStore jwtTokenStore;
-
- @Autowired
- private ServletContext servletContext;
-
- @Override
- public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
- Authentication authentication) throws ServletException, IOException {
- LOGGER.info("MyAuthenticationSuccessHandler onAuthenticationSuccess in.");
- HttpSession session = request.getSession(false);
- OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) authentication.getDetails();
- Map additionalInformation = jwtTokenStore.readAccessToken(details.getTokenValue())
- .getAdditionalInformation();
- //TODO DELETE LOG
- LOGGER.info("MyAuthenticationSuccessHandler additionalInformation: {}",
- additionalInformation.get("ssoSessionId").toString());
- servletContext.setAttribute(additionalInformation.get("ssoSessionId").toString(), session);
- }
-}