* limitations under the License.
* ============LICENSE_END============================================
* ===================================================================
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ *
*/
package org.onap.clamp.clds.config.spring;
import java.io.IOException;
+import org.onap.clamp.clds.config.ClampProperties;
import org.onap.clamp.clds.config.CldsUserJsonDecoder;
+import org.onap.clamp.clds.exception.CldsConfigException;
import org.onap.clamp.clds.exception.CldsUsersException;
import org.onap.clamp.clds.service.CldsUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
/**
* This class is used to enable the HTTP authentication to login. It requires a
* specific JSON file containing the user definition
- * (classpath:etc/config/clds/clds-users.json).
- *
+ * (classpath:clds/clds-users.json).
*/
@Configuration
@EnableWebSecurity
@Profile("clamp-spring-authentication")
public class CldsSecurityConfigUsers extends WebSecurityConfigurerAdapter {
- protected static final EELFLogger logger = EELFManager.getInstance()
- .getLogger(CldsSecurityConfigUsers.class);
+ protected static final EELFLogger logger = EELFManager.getInstance().getLogger(CldsSecurityConfigUsers.class);
protected static final EELFLogger metricsLogger = EELFManager.getInstance().getMetricsLogger();
-
@Autowired
- private ApplicationContext appContext;
-
- @Value("${org.onap.clamp.config.files.cldsUsers:'classpath:etc/config/clds/clds-users.json'}")
- private String cldsUsersFile;
-
- @Value("${CLDS_PERMISSION_TYPE_CL:permission-type-cl}")
- private String cldsPersmissionTypeCl;
-
+ private ClampProperties refProp;
+ @Value("${clamp.config.security.permission.type.cl:permission-type-cl}")
+ private String cldsPersmissionTypeCl;
@Value("${CLDS_PERMISSION_INSTANCE:dev}")
- private String cldsPermissionInstance;
+ private String cldsPermissionInstance;
+ @Value("${clamp.config.security.encoder:bcrypt}")
+ private String cldsEncoderMethod;
+ @Value("${clamp.config.security.encoder.bcrypt.strength:10}")
+ private Integer cldsBcryptEncoderStrength;
/**
* This method configures on which URL the authorization will be enabled.
protected void configure(HttpSecurity http) {
try {
http.csrf().disable().httpBasic().and().authorizeRequests().antMatchers("/restservices/clds/v1/user/**")
- .authenticated().anyRequest().permitAll().and().logout();
+ .authenticated().anyRequest().permitAll().and().logout()
+ .and().sessionManagement()
+ .maximumSessions(1)
+ .and().invalidSessionUrl("/designer/timeout.html");
+
} catch (Exception e) {
logger.error("Exception occurred during the setup of the Web users in memory", e);
throw new CldsUsersException("Exception occurred during the setup of the Web users in memory", e);
*/
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
+ // configure algorithm used for password hashing
+ final PasswordEncoder passwordEncoder = getPasswordEncoder();
+
try {
CldsUser[] usersList = loadUsers();
-
// no users defined
if (null == usersList) {
- logger.warn("No users defined. Users should be defined under " + cldsUsersFile);
+ logger.warn("No users defined. Users should be defined under clds-users.json");
return;
}
-
for (CldsUser user : usersList) {
auth.inMemoryAuthentication().withUser(user.getUser()).password(user.getPassword())
- .roles(user.getPermissionsString());
+ .roles(user.getPermissionsString()).and().passwordEncoder(passwordEncoder);
}
} catch (Exception e) {
logger.error("Exception occurred during the setup of the Web users in memory", e);
* CldsUser.
*
* @return The array of CldsUser
+ * @throws IOException
+ * In case of the file is not found
*/
- private CldsUser[] loadUsers() {
- try {
- logger.info("Load from clds-users.properties");
- return CldsUserJsonDecoder.decodeJson(appContext.getResource(cldsUsersFile).getInputStream());
- } catch (IOException e) {
- logger.error("Unable to decode the User Json file", e);
- throw new CldsUsersException("Load from clds-users.properties", e);
+ private CldsUser[] loadUsers() throws IOException {
+ logger.info("Load from clds-users.properties");
+ return CldsUserJsonDecoder.decodeJson(refProp.getFileContent("files.cldsUsers"));
+ }
+
+ /**
+ * This methods returns the chosen encoder for password hashing.
+ */
+ private PasswordEncoder getPasswordEncoder() {
+ if ("bcrypt".equals(cldsEncoderMethod)) {
+ return new BCryptPasswordEncoder(cldsBcryptEncoderStrength);
+ } else {
+ throw new CldsConfigException("Invalid clamp.config.security.encoder value. 'bcrypt' is the only option at this time.");
}
}
}