LF8/src/main/java/de/szut/lf8_starter/security/KeycloakSecurityConfig.java

package de.szut.lf8_starter.security;

import java.util.*;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
class KeycloakSecurityConfig {

    private static final String GROUPS = "groups";
    private static final String REALM_ACCESS_CLAIM = "realm_access";
    private static final String ROLES_CLAIM = "roles";

    private final KeycloakLogoutHandler keycloakLogoutHandler;

    KeycloakSecurityConfig(KeycloakLogoutHandler keycloakLogoutHandler) {
        this.keycloakLogoutHandler = keycloakLogoutHandler;
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(sessionRegistry());
    }

    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }


    @Bean
    public SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {

        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/welcome"))
                .permitAll()
                .requestMatchers(
                        new AntPathRequestMatcher("/swagger"),
                        new AntPathRequestMatcher("/swagger-ui/**"),
                        new AntPathRequestMatcher("/v3/api-docs/**"))
                .permitAll()
                .requestMatchers(new AntPathRequestMatcher("/hello/**"))
                .hasRole("user")
                .requestMatchers(new AntPathRequestMatcher("/roles"))
                .authenticated()
                .requestMatchers(new AntPathRequestMatcher("/"))
                .permitAll()
                .anyRequest()
                .authenticated()).oauth2ResourceServer(spec -> spec.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwt -> {
            List<GrantedAuthority> grantedAuthorities = new ArrayList<>();

            Map<String, Object> realmAccess = jwt.getClaim(REALM_ACCESS_CLAIM);
            if (realmAccess != null && realmAccess.containsKey(ROLES_CLAIM)) {
                List<String> roles = (List<String>) realmAccess.get(ROLES_CLAIM);
                for (String role : roles) {
                    grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + role));
                }
            }

            return grantedAuthorities;
        });
        return jwtAuthenticationConverter;
    }
}
first 2024-09-03 15:01:50 +02:00			`package de.szut.lf8_starter.security;`

			`import java.util.*;`
			`import java.util.stream.Collectors;`

			`import org.springframework.context.annotation.Bean;`
			`import org.springframework.context.annotation.Configuration;`
feat(project): Get all projects (SCRUM-15) (!10) SCRUM-15 #close Reviewed-on: https://git.kjan.de/jank/LF8/pulls/10 Reviewed-by: Phan Huy Tran <ptran@noreply.localhost> 2024-09-25 11:38:31 +00:00			`import org.springframework.context.annotation.Profile;`
first 2024-09-03 15:01:50 +02:00			`import org.springframework.http.HttpMethod;`
			`import org.springframework.security.config.Customizer;`
			`import org.springframework.security.config.annotation.web.builders.HttpSecurity;`
			`import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;`
			`import org.springframework.security.core.GrantedAuthority;`
			`import org.springframework.security.core.authority.SimpleGrantedAuthority;`
			`import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;`
			`import org.springframework.security.core.session.SessionRegistry;`
			`import org.springframework.security.core.session.SessionRegistryImpl;`
			`import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;`
			`import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;`
			`import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;`
			`import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;`
			`import org.springframework.security.web.SecurityFilterChain;`
			`import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;`
			`import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;`
			`import org.springframework.security.web.session.HttpSessionEventPublisher;`
			`import org.springframework.security.web.util.matcher.AntPathRequestMatcher;`

			`@Configuration`
			`@EnableWebSecurity`
			`class KeycloakSecurityConfig {`

			`private static final String GROUPS = "groups";`
			`private static final String REALM_ACCESS_CLAIM = "realm_access";`
			`private static final String ROLES_CLAIM = "roles";`

			`private final KeycloakLogoutHandler keycloakLogoutHandler;`

			`KeycloakSecurityConfig(KeycloakLogoutHandler keycloakLogoutHandler) {`
			`this.keycloakLogoutHandler = keycloakLogoutHandler;`
			`}`

			`@Bean`
			`public SessionRegistry sessionRegistry() {`
			`return new SessionRegistryImpl();`
			`}`

			`@Bean`
			`protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {`
			`return new RegisterSessionAuthenticationStrategy(sessionRegistry());`
			`}`

			`@Bean`
			`public HttpSessionEventPublisher httpSessionEventPublisher() {`
			`return new HttpSessionEventPublisher();`
			`}`


			`@Bean`
			`public SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {`

			`http.authorizeHttpRequests(auth -> auth`
			`.requestMatchers(new AntPathRequestMatcher("/welcome"))`
			`.permitAll()`
			`.requestMatchers(`
			`new AntPathRequestMatcher("/swagger"),`
			`new AntPathRequestMatcher("/swagger-ui/**"),`
			`new AntPathRequestMatcher("/v3/api-docs/**"))`
			`.permitAll()`
			`.requestMatchers(new AntPathRequestMatcher("/hello/**"))`
			`.hasRole("user")`
			`.requestMatchers(new AntPathRequestMatcher("/roles"))`
			`.authenticated()`
			`.requestMatchers(new AntPathRequestMatcher("/"))`
			`.permitAll()`
			`.anyRequest()`
			`.authenticated()).oauth2ResourceServer(spec -> spec.jwt(Customizer.withDefaults()));`
			`return http.build();`
			`}`

			`@Bean`
			`public JwtAuthenticationConverter jwtAuthenticationConverter() {`
			`JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();`
			`jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwt -> {`
			`List<GrantedAuthority> grantedAuthorities = new ArrayList<>();`

refactor(security): replace string literal with constant key 2024-10-02 09:30:18 +02:00			`Map<String, Object> realmAccess = jwt.getClaim(REALM_ACCESS_CLAIM);`
fix(security): update roles claim for granted authorities 2024-10-02 09:34:26 +02:00			`if (realmAccess != null && realmAccess.containsKey(ROLES_CLAIM)) {`
			`List<String> roles = (List<String>) realmAccess.get(ROLES_CLAIM);`
first 2024-09-03 15:01:50 +02:00			`for (String role : roles) {`
			`grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + role));`
			`}`
			`}`

			`return grantedAuthorities;`
			`});`
			`return jwtAuthenticationConverter;`
			`}`
feat: Add pipelines (SCRUM-44) (!6) SCRUM-44 #closenot Co-authored-by: Phan Huy Tran <ptran@noreply.localhost> Reviewed-on: https://git.kjan.de/jank/LF8/pulls/6 Co-authored-by: Jan Klattenhoff <jan@kjan.de> Co-committed-by: Jan Klattenhoff <jan@kjan.de> 2024-09-25 09:15:39 +00:00			`}`