-
-
Notifications
You must be signed in to change notification settings - Fork 489
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Security configuration for GeoNetwork 4 deployed behing GeoNetwork 5 prototype using simple mode (ie. GN4 MUST not be exposed to intranet and internet). Authentication is managed by version 5 which check user credentials and create user in the database if needed. Then a JWT token is added to a header that version 4 checks. Related to: * JWT headers support #7899 * GeoNetwork 5 auth geonetwork/geonetwork#77 To enable the configuration, use: ```sh mvn jetty:run -Dgeonetwork.security.type=gn5 ```
- Loading branch information
1 parent
80a0fee
commit 5fea3bc
Showing
5 changed files
with
164 additions
and
45 deletions.
There are no files selected for viewing
51 changes: 51 additions & 0 deletions
51
web/src/main/webapp/WEB-INF/config-security/config-security-gn5-overrides.properties
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| # Copyright (C) 2024 Food and Agriculture Organization of the | ||
| # United Nations (FAO-UN), United Nations World Food Programme (WFP) | ||
| # and United Nations Environment Programme (UNEP) | ||
| # | ||
| # This program is free software; you can redistribute it and/or modify | ||
| # it under the terms of the GNU General Public License as published by | ||
| # the Free Software Foundation; either version 2 of the License, or (at | ||
| # your option) any later version. | ||
| # | ||
| # This program is distributed in the hope that it will be useful, but | ||
| # WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
| # General Public License for more details. | ||
| # | ||
| # You should have received a copy of the GNU General Public License | ||
| # along with this program; if not, write to the Free Software | ||
| # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA | ||
| # | ||
| # Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2, | ||
| # Rome - Italy. email: [email protected] | ||
| jwtheadersConfiguration.JwtConfiguration.userNameHeaderAttributeName=${JWTHEADERS_UserNameHeaderName:gn5.to.gn4.trusted.json.auth} | ||
| jwtheadersConfiguration.JwtConfiguration.userNameFormatChoice=${JWTHEADERS_UserNameFormat:JSON} | ||
|
|
||
| jwtheadersConfiguration.JwtConfiguration.UserNameJsonPath=${JWTHEADERS_UserNameJsonPath:username} | ||
|
|
||
|
|
||
| jwtheadersConfiguration.JwtConfiguration.rolesJsonPath=${JWTHEADERS_RolesJsonPath:resource_access.live-key2.roles} | ||
| jwtheadersConfiguration.JwtConfiguration.rolesHeaderName=${JWTHEADERS_RolesHeaderName:OIDC_id_token_payload} | ||
| jwtheadersConfiguration.JwtConfiguration.jwtHeaderRoleSource=${JWTHEADERS_JwtHeaderRoleSource:DB} | ||
|
|
||
| jwtheadersConfiguration.JwtConfiguration.roleConverterString=${JWTHEADERS_RoleConverterString:"GeonetworkAdministrator=ADMINISTRATOR"} | ||
| jwtheadersConfiguration.JwtConfiguration.onlyExternalListedRoles=${JWTHEADERS_OnlyExternalListedRoles:false} | ||
|
|
||
| jwtheadersConfiguration.JwtConfiguration.validateToken=${JWTHEADERS_ValidateToken:false} | ||
|
|
||
| jwtheadersConfiguration.JwtConfiguration.validateTokenExpiry=${JWTHEADERS_ValidateTokenExpiry:false} | ||
|
|
||
|
|
||
| jwtheadersConfiguration.JwtConfiguration.validateTokenAgainstURL=${JWTHEADERS_ValidateTokenAgainstURL:true} | ||
| jwtheadersConfiguration.JwtConfiguration.validateTokenAgainstURLEndpoint=${JWTHEADERS_ValidateTokenAgainstURLEndpoint:} | ||
| jwtheadersConfiguration.JwtConfiguration.validateSubjectWithEndpoint=${JWTHEADERS_ValidateSubjectWithEndpoint:true} | ||
|
|
||
| jwtheadersConfiguration.JwtConfiguration.validateTokenAudience=${JWTHEADERS_ValidateTokenAudience:true} | ||
| jwtheadersConfiguration.JwtConfiguration.validateTokenAudienceClaimName=${JWTHEADERS_ValidateTokenAudienceClaimName:""} | ||
| jwtheadersConfiguration.JwtConfiguration.validateTokenAudienceClaimValue=${JWTHEADERS_ValidateTokenAudienceClaimValue:""} | ||
|
|
||
| jwtheadersConfiguration.JwtConfiguration.validateTokenSignature=${JWTHEADERS_ValidateTokenSignature:true} | ||
| jwtheadersConfiguration.JwtConfiguration.validateTokenSignatureURL=${JWTHEADERS_ValidateTokenSignatureURL:""} | ||
|
|
||
| jwtHeadersSecurityConfig.UpdateProfile=${JWTHEADERS_UpdateProfile:false} | ||
| jwtHeadersSecurityConfig.UpdateGroup=${JWTHEADERS_UpdateGroup:false} |
36 changes: 36 additions & 0 deletions
36
web/src/main/webapp/WEB-INF/config-security/config-security-gn5.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| <!-- | ||
| ~ Copyright (C) 2024 Food and Agriculture Organization of the | ||
| ~ United Nations (FAO-UN), United Nations World Food Programme (WFP) | ||
| ~ and United Nations Environment Programme (UNEP) | ||
| ~ | ||
| ~ This program is free software; you can redistribute it and/or modify | ||
| ~ it under the terms of the GNU General Public License as published by | ||
| ~ the Free Software Foundation; either version 2 of the License, or (at | ||
| ~ your option) any later version. | ||
| ~ | ||
| ~ This program is distributed in the hope that it will be useful, but | ||
| ~ WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
| ~ General Public License for more details. | ||
| ~ | ||
| ~ You should have received a copy of the GNU General Public License | ||
| ~ along with this program; if not, write to the Free Software | ||
| ~ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA | ||
| ~ | ||
| ~ Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2, | ||
| ~ Rome - Italy. email: [email protected] | ||
| --> | ||
| <beans xmlns="http://www.springframework.org/schema/beans" | ||
| xmlns:context="http://www.springframework.org/schema/context" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="http://www.springframework.org/schema/beans | ||
| http://www.springframework.org/schema/beans/spring-beans-3.0.xsd | ||
| http://www.springframework.org/schema/context | ||
| http://www.springframework.org/schema/context/spring-context-3.0.xsd"> | ||
|
|
||
| <context:property-override | ||
| location="WEB-INF/config-security/config-security-gn5-overrides.properties" | ||
| ignore-resource-not-found="true"/> | ||
|
|
||
| <import resource="config-security-jwt-headers-base.xml"/> | ||
| </beans> |
73 changes: 73 additions & 0 deletions
73
web/src/main/webapp/WEB-INF/config-security/config-security-jwt-headers-base.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| <!-- | ||
| ~ Copyright (C) 2024 Food and Agriculture Organization of the | ||
| ~ United Nations (FAO-UN), United Nations World Food Programme (WFP) | ||
| ~ and United Nations Environment Programme (UNEP) | ||
| ~ | ||
| ~ This program is free software; you can redistribute it and/or modify | ||
| ~ it under the terms of the GNU General Public License as published by | ||
| ~ the Free Software Foundation; either version 2 of the License, or (at | ||
| ~ your option) any later version. | ||
| ~ | ||
| ~ This program is distributed in the hope that it will be useful, but | ||
| ~ WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
| ~ General Public License for more details. | ||
| ~ | ||
| ~ You should have received a copy of the GNU General Public License | ||
| ~ along with this program; if not, write to the Free Software | ||
| ~ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA | ||
| ~ | ||
| ~ Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2, | ||
| ~ Rome - Italy. email: [email protected] | ||
| --> | ||
| <beans xmlns="http://www.springframework.org/schema/beans" | ||
| xmlns:context="http://www.springframework.org/schema/context" | ||
| xmlns:security="http://www.springframework.org/schema/security" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xmlns:util="http://www.springframework.org/schema/util" | ||
| xsi:schemaLocation=" | ||
| http://www.springframework.org/schema/beans | ||
| http://www.springframework.org/schema/beans/spring-beans-3.0.xsd | ||
| http://www.springframework.org/schema/context | ||
| http://www.springframework.org/schema/context/spring-context-3.0.xsd | ||
| http://www.springframework.org/schema/util | ||
| http://www.springframework.org/schema/util/spring-util.xsd"> | ||
|
|
||
| <bean id ="jwtHeadersSecurityConfig" class="org.fao.geonet.kernel.security.jwtheaders.JwtHeadersSecurityConfig"/> | ||
|
|
||
| <bean id ="jwtheadersConfiguration" class="org.fao.geonet.kernel.security.jwtheaders.JwtHeadersConfiguration"> | ||
| <constructor-arg ref ="jwtHeadersSecurityConfig" /> | ||
| </bean> | ||
| <bean id ="jwtHeadersUserUtil" class="org.fao.geonet.kernel.security.jwtheaders.JwtHeadersUserUtil"/> | ||
|
|
||
| <bean id="jwtHeadersAuthFilter" class="org.fao.geonet.kernel.security.jwtheaders.JwtHeadersAuthFilter"> | ||
| <constructor-arg ref ="jwtheadersConfiguration" /> | ||
| </bean> | ||
|
|
||
|
|
||
|
|
||
|
|
||
| <bean id="filterChainFilters" class="java.util.ArrayList"> | ||
| <constructor-arg> | ||
| <list> | ||
| <ref bean="securityContextPersistenceFilter"/> | ||
| <!-- To disable csrf security (not recommended) comment the following line --> | ||
| <ref bean="csrfFilter" /> | ||
| <!-- To disable csrf security (not recommended) comment the upper line --> | ||
|
|
||
|
|
||
| <ref bean="logoutFilter"/> | ||
| <ref bean="jwtHeadersAuthFilter"/> | ||
|
|
||
|
|
||
| <ref bean="requestCacheFilter"/> | ||
| <ref bean="anonymousFilter"/> | ||
| <ref bean="sessionMgmtFilter"/> | ||
| <ref bean="exceptionTranslationFilter"/> | ||
| <ref bean="filterSecurityInterceptor"/> | ||
| </list> | ||
| </constructor-arg> | ||
| </bean> | ||
|
|
||
|
|
||
| </beans> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters