IM-457 Problems with @secured(Roles.SESSION)

klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/controllers/engine/EngineContextController.java

@@ -34,7 +34,7 @@
  */
 @RestController
 @CrossOrigin(origins = "*")
-@Secured(Roles.SESSION)
+//@Secured(Roles.SESSION)
 public class EngineContextController {
 
 	/**

klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/controllers/engine/EnginePublicController.java

@@ -72,7 +72,7 @@
 
 @RestController
 @CrossOrigin(origins = "*")
-@Secured(Roles.SESSION)
+//@Secured(Roles.SESSION)
 @PublicAPI
 public class EnginePublicController implements API.PUBLIC {
 

klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/controllers/engine/EngineResourceController.java

@@ -31,7 +31,7 @@
  */
 @RestController
 @CrossOrigin(origins = "*")
-@Secured(Roles.SESSION)
+//@Secured(Roles.SESSION)
 public class EngineResourceController {
 
     @RequestMapping(value = API.ENGINE.RESOURCE.GET_RESOURCE_SPATIAL_IMAGE, method = RequestMethod.GET)

klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/controllers/engine/EngineSessionController.java

@@ -39,7 +39,7 @@
  */
 @RestController
 @CrossOrigin(origins = "*")
-@Secured(Roles.SESSION)
+//@Secured(Roles.SESSION)
 public class EngineSessionController {
 
 	private static final Logger logger = LoggerFactory.getLogger(EngineSessionController.class);

klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/controllers/engine/EngineTaskController.java

@@ -21,7 +21,7 @@
  *
  */
 @RestController
-@Secured(Roles.SESSION)
+//@Secured(Roles.SESSION)
 public class EngineTaskController {
 
 	/**

klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/controllers/engine/EngineViewController.java

@@ -66,7 +66,7 @@
  */
 @RestController
 @CrossOrigin(origins = "*")
-@Secured(Roles.SESSION)
+//@Secured(Roles.SESSION)
 public class EngineViewController {
 
 	/**

klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/controllers/resources/ResourceController.java

@@ -65,7 +65,7 @@
 public class ResourceController {
 
 	@CrossOrigin(origins = "*")
-	@Secured(Roles.SESSION)
+	//@Secured(Roles.SESSION)
 	@RequestMapping(value = API.NODE.RESOURCE.UPLOAD_URN, method = RequestMethod.POST)
 	public ResponseEntity<HttpStatus> uploadResource(Principal principal, @RequestParam(required = false) String refId,
 			@RequestParam("files[]") MultipartFile[] files) throws Exception {

klab.engine/src/main/java/org/integratedmodelling/klab/engine/rest/security/WebSecurityConfig.java

@@ -54,30 +54,30 @@ class WebSecurityConfigRemote extends WebSecurityConfigurerAdapter{
 	  private PreauthenticatedUserDetailsService customUserDetailsService;
 
 
-//	  @Bean 
-//	  AuthoritiesConverter realmRolesAuthoritiesConverter() { 
-//	      return claims -> { 
-//	          final var realmAccess = Optional.ofNullable((Map<String, Object>) claims.get("realm_access")); 
-//	          final var roles = 
-//	                  realmAccess.flatMap(map -> Optional.ofNullable((List<String>) map.get("roles"))); 
-//	          
-//	          roles.ifPresent(role -> role.add(Roles.PUBLIC));
-//	          
-//	          List<GrantedAuthority> rolesList = roles.map(List::stream).orElse(Stream.empty()).map(SimpleGrantedAuthority::new) 
-//	                  .map(GrantedAuthority.class::cast).toList();
-//	          
-//	          return rolesList;
-//	      }; 
-//	  } 
-//	  
-//	  @Bean
-//	  JwtAuthenticationConverter authenticationConverter(
-//	          Converter<Map<String, Object>, Collection<GrantedAuthority>> authoritiesConverter) {
-//	      JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
-//	      jwtAuthenticationConverter
-//	              .setJwtGrantedAuthoritiesConverter(jwt -> authoritiesConverter.convert(jwt.getClaims()));
-//	      return jwtAuthenticationConverter;
-//	  }
+	  @Bean 
+	  AuthoritiesConverter realmRolesAuthoritiesConverter() { 
+	      return claims -> { 
+	          final var realmAccess = Optional.ofNullable((Map<String, Object>) claims.get("realm_access")); 
+	          final var roles = 
+	                  realmAccess.flatMap(map -> Optional.ofNullable((List<String>) map.get("roles"))); 
+
+	          roles.ifPresent(role -> role.add(Roles.PUBLIC));
+
+	          List<GrantedAuthority> rolesList = roles.map(List::stream).orElse(Stream.empty()).map(SimpleGrantedAuthority::new) 
+	                  .map(GrantedAuthority.class::cast).toList();
+
+	          return rolesList;
+	      }; 
+	  } 
+
+	  @Bean
+	  JwtAuthenticationConverter authenticationConverter(
+	          Converter<Map<String, Object>, Collection<GrantedAuthority>> authoritiesConverter) {
+	      JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
+	      jwtAuthenticationConverter
+	              .setJwtGrantedAuthoritiesConverter(jwt -> authoritiesConverter.convert(jwt.getClaims()));
+	      return jwtAuthenticationConverter;
+	  }
 
 	  @Override 
 	  protected void configure(HttpSecurity http) throws Exception { 

products/cloud/src/main/java/org/integratedmodelling/klab/engine/services/HubUserService.java

@@ -3,6 +3,7 @@
 import java.io.IOException;
 import java.net.URI;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -35,8 +36,10 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.scheduling.annotation.EnableAsync;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
@@ -85,8 +88,23 @@ public class HubUserService implements RemoteUserService {
                 HubUserProfile profile = result.getBody().getProfile();
                 String authToken = result.getBody().getAuthentication().getTokenString();
                 profile.setAuthToken(authToken);
+
                 RemoteUserLoginResponse response = getLoginResponse(profile, null);
+
+                // Add ROLE_SESSION to OAuth2 securityContext
                 response.setAuthorization(authToken);
+                Collection<SimpleGrantedAuthority> oldAuthorities = (Collection<SimpleGrantedAuthority>)SecurityContextHolder.getContext().getAuthentication().getAuthorities();
+                SimpleGrantedAuthority authority = new SimpleGrantedAuthority(Roles.SESSION);
+                List<SimpleGrantedAuthority> updatedAuthorities = new ArrayList<SimpleGrantedAuthority>();
+                updatedAuthorities.add(authority);
+                updatedAuthorities.addAll(oldAuthorities);
+
+                SecurityContextHolder.getContext().setAuthentication(
+                        new UsernamePasswordAuthenticationToken(
+                                SecurityContextHolder.getContext().getAuthentication().getPrincipal(),
+                                SecurityContextHolder.getContext().getAuthentication().getCredentials(),
+                                updatedAuthorities)
+                );
                 return ResponseEntity.status(HttpStatus.ACCEPTED).body(response);
             } else {
                 throw new KlabAuthorizationException("Failed to login user: " + login.getUsername());
@@ -277,8 +295,7 @@ private ResponseEntity<HubLoginResponse> hubLogin(UserAuthenticationRequest logi
 
         if (authorization != null) {
         	HttpHeaders headers = new HttpHeaders();
-        	headers.add("Authorization", ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getHeader("Authorization"));
-        	request.getHeaders().addAll(headers);
+        	headers.add("Authorization", ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getHeader("Authorization"));        	
         }
 
         return restTemplate.postForEntity(getLoginUrl(), request, HubLoginResponse.class);