Merge pull request 'Improve possibilities to debug OpenID issues' (#20) from feature/23998 into develop

Author: fmichielssen

src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java

@@ -155,6 +155,8 @@ private static void setDefaultProperties(SpringApplication app ) {
 
 		// disable logging of requests, since this reads part of the requests and therefore undertow is unable to correctly handle those requests
 		properties.put("logging.level.org.springframework.web.servlet.DispatcherServlet", "INFO");
+		
+		properties.put("spring.application.name", "ContainerProxy");
 		app.setDefaultProperties(properties);
 	}
 

src/main/java/eu/openanalytics/containerproxy/auth/impl/KeycloakAuthenticationBackend.java

@@ -30,7 +30,6 @@
 import javax.inject.Inject;
 import javax.servlet.ServletException;
 
-import org.keycloak.OAuth2Constants;
 import org.keycloak.adapters.AdapterDeploymentContext;
 import org.keycloak.adapters.KeycloakConfigResolver;
 import org.keycloak.adapters.KeycloakDeployment;
@@ -44,7 +43,6 @@
 import org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler;
 import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
 import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
-import org.keycloak.adapters.springsecurity.filter.QueryParamPresenceRequestMatcher;
 import org.keycloak.adapters.springsecurity.management.HttpSessionManager;
 import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
 import org.keycloak.representations.IDToken;
@@ -53,9 +51,9 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.core.env.Environment;
-import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.AuthorizedUrl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -83,7 +81,7 @@ public class KeycloakAuthenticationBackend implements IAuthenticationBackend {
 	Environment environment;
 
 	@Inject
-	AuthenticationManager authenticationManager;
+	WebSecurityConfigurerAdapter webSecurityConfigurerAdapter;
 
 	@Inject
 	ApplicationContext ctx;
@@ -135,7 +133,7 @@ protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessin
 	                    new RequestHeaderRequestMatcher(KeycloakAuthenticationProcessingFilter.AUTHORIZATION_HEADER)
 	            );
 
-		KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(authenticationManager, requestMatcher);
+		KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(webSecurityConfigurerAdapter.authenticationManagerBean(), requestMatcher);
 		filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
 		// Fix: call afterPropertiesSet manually, because Spring doesn't invoke it for some reason.
 		filter.setApplicationContext(ctx);

src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

@@ -20,6 +20,7 @@
  */
 package eu.openanalytics.containerproxy.auth.impl;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
@@ -28,6 +29,9 @@
 import java.util.stream.Collectors;
 
 import javax.inject.Inject;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -36,6 +40,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.AuthorizedUrl;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
@@ -56,6 +61,7 @@
 import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.security.FixedDefaultOAuth2AuthorizationRequestResolver;
@@ -103,6 +109,16 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon
 				.authorizationEndpoint()
 					.authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI))
 				.and()
+				.failureHandler(new AuthenticationFailureHandler() {
+
+					@Override
+					public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
+							AuthenticationException exception) throws IOException, ServletException {
+						log.error(exception);
+						response.sendRedirect("/auth-error");
+					}
+					
+				})
 				.userInfoEndpoint()
 					.userAuthoritiesMapper(createAuthoritiesMapper())
 					.oidcUserService(createOidcUserService());

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -29,19 +29,16 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
-import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.GlobalAuthenticationConfigurerAdapter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity.RequestMatcherConfigurer;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
@@ -128,7 +125,7 @@ protected void configure(HttpSecurity http) throws Exception {
 
 		if (auth.hasAuthorization()) {
 			http.authorizeRequests().antMatchers(
-						"/login", "/signin/**",
+						"/login", "/signin/**", "/auth-error",
 						"/favicon.ico", "/css/**", "/img/**", "/js/**", "/assets/**", "/webjars/**").permitAll();
 			http
 				.formLogin()
@@ -166,9 +163,4 @@ public void init(AuthenticationManagerBuilder amb) throws Exception {
 		};
 	}
 
-	@Bean(name="authenticationManager")
-	@Override
-	public AuthenticationManager authenticationManagerBean() throws Exception {
-		return super.authenticationManagerBean();
-	}
 }

src/main/java/eu/openanalytics/containerproxy/ui/AuthErrorController.java

@@ -0,0 +1,46 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2020 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.ui;
+
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.core.env.Environment;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.ModelMap;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import eu.openanalytics.containerproxy.api.BaseController;
+
+@Controller
+public class AuthErrorController extends BaseController {
+
+	@Inject
+	private Environment environment;
+
+	@RequestMapping(value = "/auth-error", method = RequestMethod.GET)
+	public String getAuthErrorPage(ModelMap map, HttpServletRequest request) {
+		map.put("application_name", environment.getProperty("spring.application.name"));
+		return "auth-error";
+	}
+
+}

src/main/resources/templates/auth-error.html

@@ -0,0 +1,55 @@
+<!--
+
+    ContainerProxy
+
+    Copyright (C) 2016-2020 Open Analytics
+
+    ===========================================================================
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the Apache License as published by
+    The Apache Software Foundation, either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    Apache License for more details.
+
+    You should have received a copy of the Apache License
+    along with this program.  If not, see <http://www.apache.org/licenses/>
+
+-->
+<!DOCTYPE html>
+<html
+	xmlns:th="http://www.thymeleaf.org"
+	xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
+
+<head lang="en">
+	<title th:text="${title}"></title>
+	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+	<link rel="stylesheet" media="screen" th:href="@{/webjars/bootstrap/3.4.1/css/bootstrap.min.css}"/>
+	<link rel="stylesheet" media="screen" th:href="@{/css/login.css}"/>
+	<link rel="stylesheet" media="screen" type="text/css" href="https://cdn.jsdelivr.net/bootstrap-social/5.1.1/bootstrap-social.css"/>
+	<link rel="stylesheet" media="screen" type="text/css" href="https://cdn.jsdelivr.net/fontawesome/4.7.0/css/font-awesome.min.css"/>
+	<script th:src="@{/webjars/jquery/3.5.0/jquery.min.js}"></script>
+	<script th:src="@{/webjars/bootstrap/3.4.1/js/bootstrap.min.js}"></script>
+</head>
+
+<body>
+	<div class="container">
+		<h2>An error occurred during the authentication procedure.</h2>
+		<p><b>If you are a user of <span th:text="${application_name}"></span>:</b> please report this issue to your administrator.</p>
+		<p><b>If you are an administrator of <span th:text="${application_name}"></span>:</b> this error page is typically shown because of an configuration error in the OpenID setup. See the ShinyProxy logs for more information.</p>
+	</div>
+
+<style>
+h2 {
+    margin-bottom: 20px;
+    margin-top: 20px;
+}
+</style>
+	
+</body>
+
+</html>