IM-457 feat: add Roles.SESSION in WebSecurityContext to allow session…

…-related authorizations.
integratedmodelling · Nov 25, 2024 · 5e502e7 · 5e502e7
1 parent 50b1603
commit 5e502e7
Show file tree

Hide file tree

Showing 9 changed files with 144 additions and 129 deletions.
diff --git a/.../org/integratedmodelling/klab/engine/rest/controllers/engine/EngineContextController.java b/.../org/integratedmodelling/klab/engine/rest/controllers/engine/EngineContextController.java
@@ -34,7 +34,7 @@
  */
 @RestController
 @CrossOrigin(origins = "*")
-//@Secured(Roles.SESSION)
+@Secured(Roles.SESSION)
 public class EngineContextController {
 
 	/**

diff --git a/...a/org/integratedmodelling/klab/engine/rest/controllers/engine/EnginePublicController.java b/...a/org/integratedmodelling/klab/engine/rest/controllers/engine/EnginePublicController.java
@@ -60,6 +60,7 @@
 import org.integratedmodelling.klab.utils.NumberUtils;
 import org.springframework.http.MediaType;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -72,7 +73,7 @@
 
 @RestController
 @CrossOrigin(origins = "*")
-//@Secured(Roles.SESSION)
+@Secured(Roles.SESSION)
 @PublicAPI
 public class EnginePublicController implements API.PUBLIC {
 
@@ -81,7 +82,7 @@ public class EnginePublicController implements API.PUBLIC {
     public TicketResponse.Ticket contextRequest(@RequestBody ContextRequest request,
             @RequestHeader(name = "Klab_Authorization") String klabAuth, @RequestHeader(name = "Authorization") String auth) {
 
-    	String session = klabAuth == null ? klabAuth : auth;
+    	String session = klabAuth != null ? klabAuth : auth;
 
         Session s = Authentication.INSTANCE.getIdentity(session, Session.class);
         if (s == null) {
@@ -113,7 +114,7 @@ public TicketResponse.Ticket contextRequest(@RequestBody ContextRequest request,
     public TicketResponse.Ticket observationRequest(@RequestBody ObservationRequest request,
     		@RequestHeader(name = "Klab_Authorization") String klabAuth, @RequestHeader(name = "Authorization") String auth, @PathVariable String context) {
 
-    	String session = klabAuth == null ? klabAuth : auth;
+    	String session = klabAuth != null ? klabAuth : auth;
         Session s = Authentication.INSTANCE.getIdentity(session, Session.class);
 
         if (s == null) {
@@ -149,7 +150,7 @@ public TicketResponse.Ticket observationRequest(@RequestBody ObservationRequest
     public TicketResponse.Ticket submitEstimate(@RequestHeader(name = "Klab_Authorization") String klabAuth, @RequestHeader(name = "Authorization") String auth,
             @PathVariable String estimate) {
 
-    	String session = klabAuth == null ? klabAuth : auth;
+    	String session = klabAuth != null ? klabAuth : auth;
         Session s = Authentication.INSTANCE.getIdentity(session, Session.class);
         if (s == null) {
             // FIXME not illegitimate in case of server failure or restart with persistent
@@ -182,8 +183,8 @@ public void exportData(@PathVariable String export, @RequestHeader(name = "Klab_
             @PathVariable String observation, @RequestHeader(name = "Accept") String format,
             @RequestParam(required = false) String view, @RequestParam(required = false) String viewport,
             @RequestParam(required = false) String locator, HttpServletResponse response) throws IOException {
-
-    	String session = klabAuth == null ? klabAuth : auth;
+    	
+    	String session = klabAuth != null ? klabAuth : auth;
         Session s = Authentication.INSTANCE.getIdentity(session, Session.class);
         if (s == null) {
             throw new KlabIllegalStateException("observe in context: invalid session ID");
@@ -394,7 +395,7 @@ private void outputImage(IObservation obs, HttpServletResponse response, Export
     public TicketResponse.Ticket getTicketInfo(@RequestHeader(name = "Klab_Authorization") String klabAuth, @RequestHeader(name = "Authorization") String auth,
             @PathVariable String ticket) {
 
-    	String session = klabAuth == null ? klabAuth : auth;
+    	String session = klabAuth != null ? klabAuth : auth;
         Session s = Authentication.INSTANCE.getIdentity(session, Session.class);
         if (s == null) {
             // FIXME not illegitimate in case of server failure or restart with persistent

diff --git a/...org/integratedmodelling/klab/engine/rest/controllers/engine/EngineResourceController.java b/...org/integratedmodelling/klab/engine/rest/controllers/engine/EngineResourceController.java
@@ -31,7 +31,7 @@
  */
 @RestController
 @CrossOrigin(origins = "*")
-//@Secured(Roles.SESSION)
+@Secured(Roles.SESSION)
 public class EngineResourceController {
 
     @RequestMapping(value = API.ENGINE.RESOURCE.GET_RESOURCE_SPATIAL_IMAGE, method = RequestMethod.GET)

diff --git a/.../org/integratedmodelling/klab/engine/rest/controllers/engine/EngineSessionController.java b/.../org/integratedmodelling/klab/engine/rest/controllers/engine/EngineSessionController.java
@@ -39,7 +39,7 @@
  */
 @RestController
 @CrossOrigin(origins = "*")
-//@Secured(Roles.SESSION)
+@Secured(Roles.SESSION)
 public class EngineSessionController {
 
 	private static final Logger logger = LoggerFactory.getLogger(EngineSessionController.class);

diff --git a/...ava/org/integratedmodelling/klab/engine/rest/controllers/engine/EngineTaskController.java b/...ava/org/integratedmodelling/klab/engine/rest/controllers/engine/EngineTaskController.java
@@ -21,7 +21,7 @@
  *
  */
 @RestController
-//@Secured(Roles.SESSION)
+@Secured(Roles.SESSION)
 public class EngineTaskController {
 
 	/**

diff --git a/...ava/org/integratedmodelling/klab/engine/rest/controllers/engine/EngineViewController.java b/...ava/org/integratedmodelling/klab/engine/rest/controllers/engine/EngineViewController.java
@@ -66,7 +66,7 @@
  */
 @RestController
 @CrossOrigin(origins = "*")
-//@Secured(Roles.SESSION)
+@Secured(Roles.SESSION)
 public class EngineViewController {
 
 	/**

diff --git a/...va/org/integratedmodelling/klab/engine/rest/controllers/resources/ResourceController.java b/...va/org/integratedmodelling/klab/engine/rest/controllers/resources/ResourceController.java
@@ -65,7 +65,7 @@
 public class ResourceController {
 
 	@CrossOrigin(origins = "*")
-	//@Secured(Roles.SESSION)
+	@Secured(Roles.SESSION)
 	@RequestMapping(value = API.NODE.RESOURCE.UPLOAD_URN, method = RequestMethod.POST)
 	public ResponseEntity<HttpStatus> uploadResource(Principal principal, @RequestParam(required = false) String refId,
 			@RequestParam("files[]") MultipartFile[] files) throws Exception {

diff --git a/.../main/java/org/integratedmodelling/klab/engine/rest/security/PreauthenticationFilter.java b/.../main/java/org/integratedmodelling/klab/engine/rest/security/PreauthenticationFilter.java
@@ -17,6 +17,7 @@ public class PreauthenticationFilter extends AbstractPreAuthenticatedProcessingF
 
 	@Override
 	protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
+
 		HttpServletRequest httpRequest = (HttpServletRequest) request;
 
 		Map<String, String> headers = Collections.list(httpRequest.getHeaderNames())
@@ -48,9 +49,7 @@ protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
 
 	@Override
 	protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
-		Map<String, String> headers = Collections.list(request.getHeaderNames())
-			    .stream()
-			    .collect(Collectors.toMap(h -> h, request::getHeader));
+
 		String auth = request.getHeader(HttpHeaders.AUTHORIZATION);
 		String klabAuth = request.getHeader(KlabHttpHeaders.KLAB_AUTHORIZATION);
 		// returning null will refuse authentication