Merge branch 'release-3.0.0' of https://github.com/RADAR-base/ManagementPortal into release-3.0.0-keycloak-fix

Author: mpgxvii

.github/workflows/main.yml

@@ -35,10 +35,10 @@ jobs:
         id: yarn-cache-dir-path
         run: echo "dir=.yarn/cache" >> $GITHUB_OUTPUT
 
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: temurin
-          java-version: 17
+          java-version: '17.0.15'
 
       - name: Setup Gradle
         uses: gradle/gradle-build-action@v2
@@ -76,7 +76,7 @@ jobs:
         run: |
           cp src/test/resources/config/keystore.p12 src/main/resources/config/keystore.p12
           ./gradlew bootRun &>mp.log </dev/null &
-          yarn run wait-for-managementportal
+          yarn wait-for-managementportal
           yarn e2e
           ./gradlew --stop
 

src/main/java/org/radarbase/management/config/SecurityConfiguration.kt

@@ -3,6 +3,8 @@ package org.radarbase.management.config
 import org.radarbase.auth.authentication.TokenValidator
 import org.radarbase.auth.jwks.JwkAlgorithmParser
 import org.radarbase.auth.jwks.JwksTokenVerifierLoader
+import org.radarbase.management.config.annotations.AuthServerDisabled
+import org.radarbase.management.config.annotations.AuthServerEnabled
 import org.radarbase.management.repository.UserRepository
 import org.radarbase.management.security.Http401UnauthorizedEntryPoint
 import org.radarbase.management.security.JwtAuthenticationFilter
@@ -41,34 +43,9 @@ class SecurityConfiguration
         private val applicationEventPublisher: ApplicationEventPublisher,
         private val passwordEncoder: PasswordEncoder,
         private val managementPortalProperties: ManagementPortalProperties,
-        private val userRepository: UserRepository
+        private val userRepository: UserRepository,
+        private val tokenValidator: TokenValidator,
     ) : WebSecurityConfigurerAdapter() {
-        /**
-         * Create the token validator instance.
-         * This is a private method to avoid creating multiple instances.
-         */
-        private fun createTokenValidator(): TokenValidator {
-            val loaderList = mutableListOf(
-                JwksTokenVerifierLoader(
-                    managementPortalProperties.authServer.jwksUrl,
-                    RES_MANAGEMENT_PORTAL,
-                    JwkAlgorithmParser(),
-                )
-            )
-
-            // Only load ManagementPortal's own token_key endpoint if the internal auth server is enabled.
-            if (managementPortalProperties.authServer.internal) {
-                loaderList.add(
-                    JwksTokenVerifierLoader(
-                        managementPortalProperties.common.managementPortalBaseUrl + "/oauth/token_key",
-                        RES_MANAGEMENT_PORTAL,
-                        JwkAlgorithmParser()
-                    )
-                )
-            }
-            return TokenValidator(loaderList)
-        }
-
         @PostConstruct
         fun init() {
             try {
@@ -90,10 +67,7 @@ class SecurityConfiguration
         fun http401UnauthorizedEntryPoint(): Http401UnauthorizedEntryPoint = Http401UnauthorizedEntryPoint()
 
         @Bean
-        fun tokenValidatorBean(): TokenValidator = createTokenValidator()
-
-        @Bean
-        fun jwtAuthenticationFilter(tokenValidator: TokenValidator): JwtAuthenticationFilter {
+        fun jwtAuthenticationFilter(): JwtAuthenticationFilter {
             val useInternalAuth = managementPortalProperties.authServer.internal
 
             return JwtAuthenticationFilter(
@@ -165,7 +139,7 @@ class SecurityConfiguration
                 .authenticationEntryPoint(http401UnauthorizedEntryPoint())
                 .and()
                 .addFilterBefore(
-                    jwtAuthenticationFilter(tokenValidatorBean()),
+                    jwtAuthenticationFilter(),
                     UsernamePasswordAuthenticationFilter::class.java,
                 )
                 .authorizeRequests()
@@ -190,3 +164,61 @@ class SecurityConfiguration
             const val RES_MANAGEMENT_PORTAL = "res_ManagementPortal"
         }
 }
+
+/**
+ * TokenValidator configuration for internal auth server.
+ * Active when managementportal.authServer.internal=true (or missing).
+ */
+@AuthServerEnabled
+@Configuration
+class InternalTokenValidatorConfiguration(
+    private val managementPortalProperties: ManagementPortalProperties,
+) {
+
+    @Bean
+    fun internalTokenValidator(): TokenValidator {
+        val loaderList = mutableListOf(
+            JwksTokenVerifierLoader(
+                managementPortalProperties.authServer.jwksUrl,
+                SecurityConfiguration.RES_MANAGEMENT_PORTAL,
+                JwkAlgorithmParser(),
+            )
+        )
+
+        // Also load ManagementPortal's own token_key endpoint for internal auth.
+        loaderList.add(
+            JwksTokenVerifierLoader(
+                managementPortalProperties.common.managementPortalBaseUrl + "/oauth/token_key",
+                SecurityConfiguration.RES_MANAGEMENT_PORTAL,
+                JwkAlgorithmParser()
+            )
+        )
+
+        return TokenValidator(loaderList)
+    }
+}
+
+/**
+ * TokenValidator configuration for external auth server (e.g. Hydra).
+ * Active when managementportal.authServer.internal=false.
+ */
+@AuthServerDisabled
+@Configuration
+class ExternalTokenValidatorConfiguration(
+    private val managementPortalProperties: ManagementPortalProperties,
+) {
+
+    @Bean
+    fun externalTokenValidator(): TokenValidator {
+        val loaderList = listOf(
+            JwksTokenVerifierLoader(
+                managementPortalProperties.authServer.jwksUrl,
+                SecurityConfiguration.RES_MANAGEMENT_PORTAL,
+                JwkAlgorithmParser(),
+            )
+        )
+
+        return TokenValidator(loaderList)
+    }
+}
+

src/main/java/org/radarbase/management/service/DefaultOAuthClientService.kt

@@ -18,15 +18,12 @@ import org.springframework.security.oauth2.provider.NoSuchClientException
 import org.springframework.security.oauth2.provider.OAuth2Authentication
 import org.springframework.security.oauth2.provider.OAuth2Request
 import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService
-import org.springframework.stereotype.Service
 import java.util.*
 
 /**
  * Default implementation of OAuthClientService using Spring OAuth2 and JDBC.
  * This service handles OAuth client and token related functions using the internal OAuth server.
  */
-@AuthServerEnabled
-@Service
 class DefaultOAuthClientService(
     @Autowired private val clientDetailsService: JdbcClientDetailsService,
     @Autowired private val clientDetailsMapper: ClientDetailsMapper,