kakawait / cas-security-spring-boot-starter

Spring boot starter for Apereo CAS client fully integrated with Spring security
MIT License

Added extra SecurityAuthorizeMode option #141

Closed aktse closed 4 years ago

aktse commented 4 years ago

Added extra SecurityAuthorizeMode option to allow downstream authorization configuration

aktse commented 4 years ago

We were experiencing similar issues as #129

Due to the ordering of the CasSecurityAutoConfiguration, it would always be higher on the filter chain than any custom configurer that we wrote, and so we were unable to add custom authorization rules.

As an example, we want to implement something along the lines of

http.authorizeRequests()
    .antMatchers("/login/impersonate*")
        .hasAuthority(Permissions.ADMIN)
        .anyRequest().authenticated();

However, there was no SecurityAuthorizeMode that would allow for this as each of the modes forces an authorization type on all requests and is placed at the top of the filter chain so we would be unable to ever extend this behavior.

CasSecurityProperties.SecurityAuthorizeMode mode = casSecurityProperties.getAuthorization().getMode();
if (mode == CasSecurityProperties.SecurityAuthorizeMode.ROLE) {
    String[] roles = casSecurityProperties.getAuthorization().getRoles();
    http.authorizeRequests().anyRequest().hasAnyRole(roles);
} else if (mode == CasSecurityProperties.SecurityAuthorizeMode.AUTHENTICATED) {
    http.authorizeRequests().anyRequest().authenticated();
} else if (mode == CasSecurityProperties.SecurityAuthorizeMode.NONE) {
    http.authorizeRequests().anyRequest().permitAll();
}

Let me know if there's an alternative solution you would prefer
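
The ordering problem described in the comment above, as an added example that is not part of the original pull request or the project's code: a simplified Java model of first-match request authorization (not Spring Security's implementation) showing why a catch-all rule registered first hides a later, stricter rule. The names `RuleOrderDemo`, `Rule`, `ant` and `permitted`, the authority strings and the deny-by-default fallback are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;

public class RuleOrderDemo {
    // One authorization rule: a path matcher plus the check applied when it matches.
    record Rule(Pattern path, Predicate<Set<String>> allowed) {}

    // Stand-in for anyRequest(): matches every path.
    static final Pattern ANY = Pattern.compile(".*");

    // Translate a pattern with a single-segment '*' wildcard into a regex (hypothetical helper).
    static Pattern ant(String p) {
        return Pattern.compile(Pattern.quote(p).replace("*", "\\E[^/]*\\Q"));
    }

    // The first matching rule decides; later rules are never consulted.
    static boolean permitted(List<Rule> rules, String path, Set<String> authorities) {
        for (Rule r : rules) {
            if (r.path().matcher(path).matches()) {
                return r.allowed().test(authorities);
            }
        }
        return false; // deny when nothing matches (assumption of this model)
    }

    public static void main(String[] args) {
        // A null authority set models an unauthenticated caller.
        Predicate<Set<String>> authenticated = a -> a != null;
        Predicate<Set<String>> admin = a -> a != null && a.contains("ADMIN");
        Rule catchAll = new Rule(ANY, authenticated);
        Rule impersonate = new Rule(ant("/login/impersonate*"), admin);

        // Catch-all registered first, custom rule appended afterwards.
        List<Rule> catchAllFirst = List.of(catchAll, impersonate);
        // Intended order: specific rule first, catch-all last.
        List<Rule> specificFirst = List.of(impersonate, catchAll);

        Set<String> user = Set.of("USER");       // constructed sample principals
        Set<String> adminUser = Set.of("ADMIN");
        String path = "/login/impersonate";

        System.out.println(permitted(catchAllFirst, path, user));      // true: admin rule never reached
        System.out.println(permitted(specificFirst, path, user));      // false
        System.out.println(permitted(specificFirst, path, adminUser)); // true
        System.out.println(permitted(specificFirst, "/home", user));   // true: falls through to catch-all
    }
}
```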

aktse commented 4 years ago

I'm unable to view the Snyk logs to see how to resolve the failing checks, and Travis has reported the following:

[INFO] ------------------------------------------------------------------------
[INFO] Building Cas security spring boot parent 1.0.2
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- sonar-maven-plugin:3.7.0.1746:sonar (default-cli) @ cas-security-spring-boot-parent ---
[INFO] User cache: /home/travis/.sonar/cache
[ERROR] SonarQube server [http://localhost:9000] can not be reached
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] Cas security spring boot parent .................... FAILURE [  0.268 s]
[INFO] Spring security cas extension ...................... SUCCESS [  8.193 s]
[INFO] Cas security spring boot autoconfigure ............. SUCCESS [ 14.109 s]
[INFO] Cas security spring boot starter ................... SUCCESS [  0.121 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------

Please advise how I should go about resolving these errors

aktse commented 4 years ago

My mistake, upon further review, it looks like we were using 1.0.0-beta-1 and this has since been fixed. I wasn't careful enough in reviewing which class I was making a modification to. Sorry for the confusion!