

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 19476: enabled password/refresh_token based oauth2 grant_types, removed AuthenticationListener for now, ...

 

------------------------------------------------------------
revno: 19476
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Sun 2015-06-21 16:08:48 +0700
message:
  enabled password/refresh_token based oauth2 grant_types, removed AuthenticationListener for now, adds LoggerListener from spring security instead (more chatty, but also more robust)
modified:
  dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml
  dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml


=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml'
--- dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml	2015-05-11 07:10:34 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml	2015-06-21 09:08:48 +0000
@@ -3,11 +3,11 @@
   xmlns="http://www.springframework.org/schema/beans";
   xmlns:context="http://www.springframework.org/schema/context";
   xmlns:mvc="http://www.springframework.org/schema/mvc";
-  xmlns:sec="http://www.springframework.org/schema/security";
+  xmlns:sec="http://www.springframework.org/schema/security"; xmlns:oauth="http://www.springframework.org/schema/security/oauth2";
   xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
-    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd";>
+    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd";>
 
   <sec:global-method-security pre-post-annotations="enabled" />
 
@@ -31,9 +31,9 @@
       <ref bean="csvMessageConverter" />
       <ref bean="pdfMessageConverter" />
       <ref bean="excelMessageConverter" />
-      <bean class="org.springframework.http.converter.StringHttpMessageConverter"/>
-      <bean class="org.springframework.http.converter.ByteArrayHttpMessageConverter"/>
-      <bean class="org.springframework.http.converter.FormHttpMessageConverter"/>
+      <bean class="org.springframework.http.converter.StringHttpMessageConverter" />
+      <bean class="org.springframework.http.converter.ByteArrayHttpMessageConverter" />
+      <bean class="org.springframework.http.converter.FormHttpMessageConverter" />
       <bean class="org.hisp.dhis.api.mobile.support.DataStreamSerializableMessageConverter" />
       <ref bean="org.hisp.dhis.webapi.utils.RenderServiceMessageConverter" />
     </mvc:message-converters>
@@ -138,4 +138,11 @@
 
   </bean>
 
+  <!-- OAuth2 -->
+  <oauth:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices">
+    <oauth:refresh-token />
+    <oauth:password authentication-manager-ref="authenticationManager" />
+  </oauth:authorization-server>
+  <!-- End OAuth2 -->
+
 </beans>
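Review bot: The `<oauth:password>` grant at L64 lets any registered client exchange a user's username and password for a token at the token endpoint, so which clients may use it must be constrained in the client details rather than here; `clientDetailsService` and `tokenServices` are referenced but defined outside this diff, so their authorized grant types, access/refresh token validity and refresh-token reuse settings cannot be checked from this hunk. I would record the decision in place, e.g. `<!-- Password grant: only clients whose authorizedGrantTypes include "password" may use it; user credentials travel in the request body, so TLS is mandatory -->`, and confirm that token validity is set explicitly on the tokenServices bean rather than left at library defaults.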

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml'
--- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml	2015-06-21 04:35:23 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml	2015-06-21 09:08:48 +0000
@@ -2,10 +2,31 @@
 <beans xmlns="http://www.springframework.org/schema/beans"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
   xmlns:sec="http://www.springframework.org/schema/security"; xmlns:oauth="http://www.springframework.org/schema/security/oauth2";
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
-    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
-    http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd";>
-
-  <!-- /oauth/authorize
+    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd";>
+
+  <!-- OAuth2 -->
+  <bean id="oauthAuthenticationEntryPoint"
+    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
+    <property name="realmName" value="dhis2/oauth2" />
+  </bean>
+
+  <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
+
+  <bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
+    <property name="authenticationManager" ref="clientAuthenticationManager" />
+  </bean>
+
+  <sec:http pattern="/api/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager">
+    <sec:intercept-url pattern="/api/oauth/token" access="IS_AUTHENTICATED_FULLY" />
+    <sec:anonymous enabled="false" />
+    <sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
+    <sec:custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
+    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
+  </sec:http>
+
+  <oauth:resource-server id="resourceServerFilter" token-services-ref="tokenServices" entry-point-ref="oauthAuthenticationEntryPoint" />
+
+  <!--
   <sec:http pattern="/oauth/authorize/**" access-denied-page="/login.jsp?authorization_error=true" disable-url-rewriting="true">
       <sec:intercept-url pattern="/oauth/authorize/**" access="IS_AUTHENTICATED_FULLY" />
       <sec:form-login authentication-failure-url="/login.jsp?authentication_error=true"
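Review bot: `clientCredentialsTokenEndpointFilter` (L91–L93, wired before BASIC_AUTH_FILTER at L99) accepts `client_id`/`client_secret` as plain request parameters in addition to HTTP Basic, and nothing in this chain restricts the HTTP method; if the deployed spring-security-oauth2 release exposes an `allowOnlyPost` property on that filter it should be set, otherwise the client secret and, with the password grant, the user's password can be sent in a GET query string and end up in access logs. Spring's documentation treats HTTP Basic as the preferred client authentication and the form-parameter filter as a fallback, so it is worth asking whether the filter is needed at all. A comment on the bean such as `<!-- Accepts client credentials as form parameters; HTTP Basic is preferred. POST-only over TLS -->` would record the trade-off.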
@@ -15,35 +36,7 @@
       <sec:anonymous />
   </sec:http>
   -->
-
-  <!-- OAuth2
-  <sec:http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager">
-    <sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
-    <sec:anonymous enabled="false" />
-    <sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
-    <sec:custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
-    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
-  </sec:http>
-
-  <oauth:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices">
-    <oauth:authorization-code />
-    <oauth:implicit />
-    <oauth:refresh-token />
-    <oauth:client-credentials />
-    <oauth:password />
-  </oauth:authorization-server>
-
-  <bean id="oauthAuthenticationEntryPoint"
-    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
-    <property name="realmName" value="dhis2/oauth2" />
-  </bean>
-
-  <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
-
-  <bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
-    <property name="authenticationManager" ref="clientAuthenticationManager" />
-  </bean>
-  -->
+  <!-- End OAuth2 -->
 
   <bean id="mappedRedirectStrategy" class="org.hisp.dhis.security.MappedRedirectStrategy">
     <property name="redirectMap">
@@ -122,6 +115,7 @@
     <sec:intercept-url pattern="/api/account/password" access="permitAll()" />
     <sec:intercept-url pattern="/api/account" access="permitAll()" />
     <sec:intercept-url pattern="/**" access="isAuthenticated()" />
+    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
     <sec:custom-filter ref="automaticAccessFilter" before="LOGOUT_FILTER" />
     <sec:custom-filter ref="corsFilter" before="BASIC_AUTH_FILTER" />
     <sec:custom-filter ref="customAuthenticationFilter" before="FORM_LOGIN_FILTER" />
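Review bot: `resourceServerFilter` is inserted at L150 into the main session-based chain (form login, `/**` isAuthenticated at L149). `<oauth:resource-server>` builds an OAuth2AuthenticationProcessingFilter that is stateless by default, and in releases where that mode clears an existing SecurityContext when no bearer token is present, a logged-in browser session would be dropped on every request; verify against the library version in use and, if that is the case, set `stateless="false"` on the `<oauth:resource-server>` element at L103 or give bearer-token requests their own filter chain. The filter also runs before PRE_AUTH_FILTER, i.e. ahead of `customAuthenticationFilter` (L153), so a request carrying both a bearer token and form credentials is authenticated by the token first; document that precedence with a comment like `<!-- Bearer-token auth runs first; session/form auth applies only when no token is present -->`.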
@@ -157,10 +151,14 @@
 
   <!-- Security : Listener -->
 
+  <bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener" />
+
+  <!--
   <bean id="authenticationListener" class="org.hisp.dhis.security.listener.AuthenticationListener">
     <property name="userAuditService" ref="org.hisp.dhis.useraudit.UserAuditService" />
     <property name="userService" ref="org.hisp.dhis.user.UserService" />
   </bean>
+  -->
 
   <!-- Security : AccessProvider -->
 
@@ -184,6 +182,7 @@
   <bean id="accessDecisionManager" class="org.hisp.dhis.security.vote.LogicalOrAccessDecisionManager">
     <property name="accessDecisionManagers">
       <list>
+        <!-- <ref bean="scopeAccessDecisionVoting" /> We don't use scopes right now-->
         <ref bean="adminAccessDecisionVoting" />
         <ref bean="regularAccessDecisionVoting" />
         <ref bean="webAccessDecisionVoting" />
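Review bot: If `LogicalOrAccessDecisionManager` (L170) grants access when any listed manager grants, as its name suggests, then dropping `scopeAccessDecisionVoting` in as another OR branch (the commented line at L173) would not add a check — a token whose scope matched would be granted access even when the role-based voters deny it. When scopes are enabled later, the scope vote has to be combined conjunctively, e.g. by adding the scope voter to each of the existing UnanimousBased voter lists, and the comment should say so: `<!-- scope voting is not wired yet; when it is, it must be AND-ed with the role voters below, not OR-ed here -->`.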
@@ -192,6 +191,14 @@
     </property>
   </bean>
 
+  <bean id="scopeAccessDecisionVoting" class="org.springframework.security.access.vote.UnanimousBased">
+    <constructor-arg name="decisionVoters">
+      <list>
+        <ref bean="scopeVoter" />
+      </list>
+    </constructor-arg>
+  </bean>
+
   <bean id="adminAccessDecisionVoting" class="org.springframework.security.access.vote.UnanimousBased">
     <constructor-arg name="decisionVoters">
       <list>
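Review bot: `scopeAccessDecisionVoting` (L181–L187) references a `scopeVoter` bean that is not defined in this diff; unless it exists elsewhere in the context (presumably an `org.springframework.security.oauth2.provider.vote.ScopeVoter`), the reference fails at context startup even though the bean is currently unused (L173). Either define it next to this bean or add a comment recording where it comes from, e.g. `<!-- scopeVoter: ScopeVoter bean defined in ...; unused until scope voting is wired into accessDecisionManager -->`. Note also that UnanimousBased denies by default when every voter abstains, which a ScopeVoter does for non-OAuth2 authentications, so enabling this as-is would reject session-authenticated users — worth a comment if it is ever switched on.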