Merge pull request #4309 from bogdan-sava/ui

bogdan-sava · web-flow · commit 192feef5e451 · 2020-12-12T00:12:57.000+02:00
[ui-chassis-server] refactor LoginFilter
diff --git a/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/AuthenticationExceptionHandler.java b/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/AuthenticationExceptionHandler.java
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: Apache-2.0 */
+/* Copyright Contributors to the ODPi Egeria project. */
+package org.odpi.openmetadata.userinterface.uichassis.springboot.auth;
+
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.AuthenticationException;
+
+/**
+ * Handles AuthenticationException for different instances of WebSecurityConfigurerAdapter used for different
+ * authentication mechanism used
+ */
+public interface AuthenticationExceptionHandler {
+
+    /**
+     *
+     * @param e the AuthenticationException thrown by authentication attempt
+     * @return whether or not is an bad credentials related exception
+     */
+     boolean isBadCredentials(AuthenticationException e);
+}
diff --git a/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/LoginFilter.java b/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/LoginFilter.java
@@ -5,10 +5,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
-import org.springframework.ldap.InvalidSearchFilterException;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -26,37 +23,37 @@ public class LoginFilter extends AbstractAuthenticationProcessingFilter {
     private static final String USERNAME = "username";
     private static final String PASSWORD = "password";
     private final AuthService authenticationService;
+    private final AuthenticationExceptionHandler authenticationExceptionHandler;
 
     Logger log = LoggerFactory.getLogger(this.getClass());
 
-    protected LoginFilter(String urlMapping, AuthenticationManager authenticationManager, AuthService authenticationService) {
+    protected LoginFilter(String urlMapping,
+                          AuthenticationManager authenticationManager,
+                          AuthService authenticationService,
+                          AuthenticationExceptionHandler authenticationExceptionHandler) {
         super(new AntPathRequestMatcher(urlMapping));
         setAuthenticationManager(authenticationManager);
         this.authenticationService = authenticationService;
+        this.authenticationExceptionHandler = authenticationExceptionHandler;
     }
 
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
-            throws AuthenticationException,IOException {
+            throws AuthenticationException {
 
         String username = request.getParameter(USERNAME);
         String password = request.getParameter(PASSWORD);
         Authentication authentication =  getAuthenticationManager()
                 .authenticate(new UsernamePasswordAuthenticationToken( username, password));
-
-        if(authentication.getAuthorities().isEmpty()){
-            log.warn("NO roles for user: {}", request.getParameter(USERNAME));
-            response.sendError(HttpStatus.FORBIDDEN.value(), HttpStatus.FORBIDDEN.getReasonPhrase());
-        }
         return authentication;
     }
 
     @Override
     protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                               AuthenticationException failed) throws IOException {
-        log.info("Unsuccessful Authentication");
-        if(failed instanceof BadCredentialsException || failed.getCause() instanceof InvalidSearchFilterException) {
-            log.warn("Bad credentials UNSUCCESSFUL AUTHENTICATION for user: {}", request.getParameter(USERNAME));
+        log.info("UNSUCCESSFUL Authentication");
+        if( authenticationExceptionHandler.isBadCredentials(failed) ) {
+            log.warn("Bad credentials for user: {}", request.getParameter(USERNAME));
             response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
         } else {
             log.warn("ERROR AUTHENTICATION for user: {}", request.getParameter(USERNAME), failed);
@@ -66,10 +63,13 @@ protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServle
 
     @Override
     protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
-                                            FilterChain chain, Authentication authentication)  {
-        log.info("Successful Authentication");
+                                            FilterChain chain, Authentication authentication) throws IOException {
+        log.info("SUCCESSFUL Authentication for user {}", request.getParameter(USERNAME));
         authenticationService.addAuthentication(request, response, authentication);
         SecurityContextHolder.getContext().setAuthentication(authentication);
-
+        if(authentication.getAuthorities().isEmpty()){
+            log.warn("NO roles for user: {}", request.getParameter(USERNAME));
+            response.sendError(HttpStatus.FORBIDDEN.value(), HttpStatus.FORBIDDEN.getReasonPhrase());
+        }
     }
 }
diff --git a/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/SecurityConfig.java b/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/SecurityConfig.java
@@ -10,7 +10,7 @@
 import org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public abstract class SecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Autowired
     private AuthService authService;
@@ -34,8 +34,11 @@ protected void configure(HttpSecurity http) throws Exception {
             .and()
             .addFilterBefore(new AuthFilter(authService), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(new LoggingRequestFilter("/api/auth/login"), UsernamePasswordAuthenticationFilter.class)
-            .addFilterBefore(new LoginFilter("/api/auth/login", authenticationManager(), authService),
-                    UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(
+                    new LoginFilter("/api/auth/login",
+                            authenticationManager(),
+                            authService,
+                            getAuthenticationExceptionHandler()),UsernamePasswordAuthenticationFilter.class)
         ;
     }
 
@@ -49,4 +52,6 @@ public AuthenticationManager authenticationManagerBean() throws Exception {
     public InetOrgPersonContextMapper userContextMapper() {
         return new InetOrgPersonContextMapper();
     }
+
+    protected abstract AuthenticationExceptionHandler getAuthenticationExceptionHandler();
 }
diff --git a/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/db/DbSecurityConfig.java b/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/db/DbSecurityConfig.java
@@ -2,15 +2,19 @@
 /* Copyright Contributors to the ODPi Egeria project. */
 package org.odpi.openmetadata.userinterface.uichassis.springboot.auth.db;
 
+import org.odpi.openmetadata.userinterface.uichassis.springboot.auth.AuthenticationExceptionHandler;
 import org.odpi.openmetadata.userinterface.uichassis.springboot.auth.SecurityConfig;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.ldap.InvalidSearchFilterException;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 
@@ -29,4 +33,13 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
         auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
     }
 
+    @Override
+    protected AuthenticationExceptionHandler getAuthenticationExceptionHandler() {
+        return new AuthenticationExceptionHandler() {
+            @Override
+            public boolean isBadCredentials(AuthenticationException e) {
+                return e instanceof BadCredentialsException;
+            }
+        };
+    }
 }
diff --git a/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/ldap/LdapSecurityConfig.java b/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/java/org/odpi/openmetadata/userinterface/uichassis/springboot/auth/ldap/LdapSecurityConfig.java
@@ -2,14 +2,18 @@
 /* Copyright Contributors to the ODPi Egeria project. */
 package org.odpi.openmetadata.userinterface.uichassis.springboot.auth.ldap;
 
+import org.odpi.openmetadata.userinterface.uichassis.springboot.auth.AuthenticationExceptionHandler;
 import org.odpi.openmetadata.userinterface.uichassis.springboot.auth.SecurityConfig;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.ldap.InvalidSearchFilterException;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.AuthenticationException;
 
 
 @EnableWebSecurity
@@ -67,4 +71,13 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 
     }
 
+    @Override
+    protected AuthenticationExceptionHandler getAuthenticationExceptionHandler() {
+        return new AuthenticationExceptionHandler() {
+            @Override
+            public boolean isBadCredentials(AuthenticationException e) {
+                return e instanceof BadCredentialsException || e.getCause() instanceof InvalidSearchFilterException;
+            }
+        };
+    }
 }
