JaxRs authenticationfilter, drop JA-spi (#2549)

Author: jolarsen

web/pom.xml

@@ -56,14 +56,8 @@
 
         <!-- Server Provided Libraries. Transitive avhengigheter som ikke burde vært her da de trekkes inn av server. -->
         <dependency>
-            <groupId>no.nav.foreldrepenger.felles.sikkerhet</groupId>
-            <artifactId>felles-sikkerhet</artifactId>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.codehaus.woodstox</groupId>
-                    <artifactId>woodstox-core-asl</artifactId>
-                </exclusion>
-            </exclusions>
+            <groupId>no.nav.foreldrepenger.felles</groupId>
+            <artifactId>felles-auth-filter</artifactId>
         </dependency>
         <dependency>
             <groupId>no.nav.foreldrepenger.felles</groupId>
@@ -121,23 +115,11 @@
             <groupId>org.eclipse.jetty.ee10</groupId>
             <artifactId>jetty-ee10-plus</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.jetty.ee10</groupId>
-            <artifactId>jetty-ee10-annotations</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.jetty.ee10</groupId>
             <artifactId>jetty-ee10-cdi</artifactId>
         </dependency>
 
-        <dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>jetty-security</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.jetty.ee10</groupId>
-            <artifactId>jetty-ee10-jaspi</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.jetty.ee10</groupId>
             <artifactId>jetty-ee10-webapp</artifactId>

web/src/main/java/no/nav/foreldrepenger/abakus/app/konfig/ApiConfig.java

@@ -75,7 +75,7 @@ public Set<Class<?>> getClasses() {
 
             ForvaltningRestTjeneste.class, DiagnostikkRestTjeneste.class, RapporteringRestTjeneste.class,
 
-            OpenApiResource.class, JacksonJsonConfig.class, ConstraintViolationMapper.class, JsonMappingExceptionMapper.class,
+            AuthenticationFilter.class, OpenApiResource.class, JacksonJsonConfig.class, ConstraintViolationMapper.class, JsonMappingExceptionMapper.class,
             JsonParseExceptionMapper.class, GeneralRestExceptionMapper.class);
     }
 

web/src/main/java/no/nav/foreldrepenger/abakus/app/konfig/AuthenticationFilter.java

@@ -0,0 +1,35 @@
+package no.nav.foreldrepenger.abakus.app.konfig;
+
+import jakarta.annotation.Priority;
+import jakarta.ws.rs.Priorities;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.container.ContainerRequestFilter;
+import jakarta.ws.rs.container.ContainerResponseContext;
+import jakarta.ws.rs.container.ContainerResponseFilter;
+import jakarta.ws.rs.container.ResourceInfo;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.ext.Provider;
+import no.nav.vedtak.sikkerhet.jaxrs.AuthenticationFilterDelegate;
+
+@Provider
+@Priority(Priorities.AUTHENTICATION)
+public class AuthenticationFilter implements ContainerRequestFilter, ContainerResponseFilter {
+
+    @Context
+    private ResourceInfo resourceinfo;
+
+    public AuthenticationFilter() {
+        // Ingenting
+    }
+
+    @Override
+    public void filter(ContainerRequestContext req, ContainerResponseContext res) {
+        AuthenticationFilterDelegate.fjernKontekst();
+    }
+
+    @Override
+    public void filter(ContainerRequestContext req) {
+        AuthenticationFilterDelegate.validerSettKontekst(resourceinfo, req);
+    }
+
+}

web/src/main/java/no/nav/foreldrepenger/abakus/app/konfig/EksternApiConfig.java

@@ -5,9 +5,6 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
-import jakarta.ws.rs.ApplicationPath;
-import jakarta.ws.rs.core.Application;
-
 import org.glassfish.jersey.server.ServerProperties;
 
 import io.swagger.v3.jaxrs2.integration.JaxrsOpenApiContextBuilder;
@@ -17,6 +14,8 @@
 import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.oas.models.info.Info;
 import io.swagger.v3.oas.models.servers.Server;
+import jakarta.ws.rs.ApplicationPath;
+import jakarta.ws.rs.core.Application;
 import no.nav.foreldrepenger.abakus.app.exceptions.ConstraintViolationMapper;
 import no.nav.foreldrepenger.abakus.app.exceptions.GeneralRestExceptionMapper;
 import no.nav.foreldrepenger.abakus.app.exceptions.JsonMappingExceptionMapper;
@@ -62,6 +61,7 @@ public Set<Class<?>> getClasses() {
 
         return Set.of(EksternDelingAvYtelserRestTjeneste.class,
             // Applikasjonsoppsett
+            AuthenticationFilter.class,
             JacksonJsonConfig.class,
             // Swagger
             OpenApiResource.class,

web/src/main/java/no/nav/foreldrepenger/abakus/app/konfig/InternalApiConfig.java

@@ -4,14 +4,13 @@
 
 import jakarta.ws.rs.ApplicationPath;
 import jakarta.ws.rs.core.Application;
-
-import no.nav.foreldrepenger.abakus.app.metrics.PrometheusRestService;
 import no.nav.foreldrepenger.abakus.app.healthcheck.HealthCheckRestService;
+import no.nav.foreldrepenger.abakus.app.metrics.PrometheusRestService;
 
-@ApplicationPath(InternalApiConfig.API_URL)
+@ApplicationPath(InternalApiConfig.API_URI)
 public class InternalApiConfig extends Application {
 
-    public static final String API_URL = "internal";
+    public static final String API_URI = "/internal";
 
     public InternalApiConfig() {
         // CDI

web/src/main/java/no/nav/foreldrepenger/abakus/jetty/JettyServer.java

@@ -11,35 +11,29 @@
 
 import org.eclipse.jetty.ee10.cdi.CdiDecoratingListener;
 import org.eclipse.jetty.ee10.cdi.CdiServletContainerInitializer;
-import org.eclipse.jetty.plus.jndi.EnvEntry;
-import org.eclipse.jetty.ee10.security.jaspi.DefaultAuthConfigFactory;
-import org.eclipse.jetty.ee10.security.jaspi.JaspiAuthenticatorFactory;
-import org.eclipse.jetty.ee10.security.jaspi.provider.JaspiAuthConfigProvider;
+import org.eclipse.jetty.ee10.servlet.ErrorPageErrorHandler;
+import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
+import org.eclipse.jetty.ee10.servlet.security.ConstraintMapping;
 import org.eclipse.jetty.ee10.servlet.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.ee10.webapp.WebAppContext;
-import org.eclipse.jetty.security.DefaultIdentityService;
-import org.eclipse.jetty.security.SecurityHandler;
-import org.eclipse.jetty.security.jaas.JAASLoginService;
+import org.eclipse.jetty.plus.jndi.EnvEntry;
+import org.eclipse.jetty.security.Constraint;
 import org.eclipse.jetty.server.Connector;
-import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
-import org.eclipse.jetty.server.Request;
-import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.handler.ContextHandler;
-import org.eclipse.jetty.util.Callback;
 import org.eclipse.jetty.util.resource.ResourceFactory;
 import org.flywaydb.core.Flyway;
 import org.flywaydb.core.api.FlywayException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.slf4j.MDC;
 
-import jakarta.security.auth.message.config.AuthConfigFactory;
+import no.nav.foreldrepenger.abakus.app.konfig.ApiConfig;
+import no.nav.foreldrepenger.abakus.app.konfig.EksternApiConfig;
+import no.nav.foreldrepenger.abakus.app.konfig.InternalApiConfig;
 import no.nav.foreldrepenger.konfig.Environment;
-import no.nav.vedtak.sikkerhet.jaspic.OidcAuthModule;
 
 public class JettyServer {
 
@@ -84,20 +78,17 @@ private static void initTrustStore() {
     }
 
     private ContextHandler createContext() throws IOException {
-        var ctx = new WebAppContext();
+        var ctx = new WebAppContext(CONTEXT_PATH, null, simpleConstraints(), null,
+            new ErrorPageErrorHandler(), ServletContextHandler.NO_SESSIONS);
+
         ctx.setParentLoaderPriority(true);
 
         // må hoppe litt bukk for å hente web.xml fra classpath i stedet for fra filsystem.
-        String descriptor;
         String baseResource;
         try (var factory = ResourceFactory.closeable()) {
-            var resource = factory.newClassLoaderResource("/WEB-INF/web.xml", false);
-            descriptor = resource.getURI().toURL().toExternalForm();
             baseResource = factory.newResource(".").getRealURI().toURL().toExternalForm();
         }
-        ctx.setDescriptor(descriptor);
 
-        ctx.setContextPath(CONTEXT_PATH);
         ctx.setBaseResourceAsString(baseResource);
         ctx.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false"); // Default servlet convention
         ctx.setInitParameter("pathInfoOnly", "true");
@@ -110,7 +101,6 @@ private ContextHandler createContext() throws IOException {
         ctx.addServletContainerInitializer(new CdiServletContainerInitializer());
         ctx.addServletContainerInitializer(new org.jboss.weld.environment.servlet.EnhancedListener());
 
-        ctx.setSecurityHandler(createSecurityHandler());
         ctx.setThrowUnavailableOnStartupException(true);
 
         return ctx;
@@ -125,18 +115,6 @@ private static HttpConfiguration createHttpConfiguration() {
 
     }
 
-    private static SecurityHandler createSecurityHandler() {
-        var securityHandler = new ConstraintSecurityHandler();
-        securityHandler.setAuthenticatorFactory(new JaspiAuthenticatorFactory());
-
-        var loginService = new JAASLoginService();
-        loginService.setName("jetty-login");
-        loginService.setLoginModuleName("jetty-login");
-        loginService.setIdentityService(new DefaultIdentityService());
-        securityHandler.setLoginService(loginService);
-        return securityHandler;
-    }
-
     void bootStrap() throws Exception {
         konfigurerSikkerhet();
         konfigurerJndi();
@@ -148,12 +126,6 @@ private void konfigurerSikkerhet() {
         if (ENV.isLocal()) {
             initTrustStore();
         }
-
-        var factory = new DefaultAuthConfigFactory();
-        factory.registerConfigProvider(new JaspiAuthConfigProvider(new OidcAuthModule()), "HttpServlet", "server " + CONTEXT_PATH,
-            "OIDC Authentication");
-
-        AuthConfigFactory.setFactory(factory);
     }
 
     protected void konfigurerJndi() throws NamingException {
@@ -178,8 +150,7 @@ void migrerDatabaser() {
     private void start() throws Exception {
         var server = new Server(getServerPort());
         server.setConnectors(createConnectors(server).toArray(new Connector[]{}));
-        var handlers = new Handler.Sequence(new ResetLogContextHandler(), createContext());
-        server.setHandler(handlers);
+        server.setHandler(createContext());
         server.start();
         server.join();
     }
@@ -192,18 +163,28 @@ private List<Connector> createConnectors(Server server) {
         return connectors;
     }
 
+    private static ConstraintSecurityHandler simpleConstraints() {
+        var handler = new ConstraintSecurityHandler();
+        // Slipp gjennom kall fra plattform til JaxRs. Foreløpig kun behov for GET
+        handler.addConstraintMapping(pathConstraint(Constraint.ALLOWED, InternalApiConfig.API_URI + "/*"));
+        // Slipp gjennom til autentisering i JaxRs / auth-filter
+        handler.addConstraintMapping(pathConstraint(Constraint.ALLOWED, ApiConfig.API_URI + "/*"));
+        // Slipp gjennom til autentisering i JaxRs / auth-filter
+        handler.addConstraintMapping(pathConstraint(Constraint.ALLOWED, EksternApiConfig.API_URI + "/*"));
+        // Alt annet av paths og metoder forbudt - 403
+        handler.addConstraintMapping(pathConstraint(Constraint.FORBIDDEN, "/*"));
+        return handler;
+    }
+
+    private static ConstraintMapping pathConstraint(Constraint constraint, String path) {
+        var mapping = new ConstraintMapping();
+        mapping.setConstraint(constraint);
+        mapping.setPathSpec(path);
+        return mapping;
+    }
+
     private Integer getServerPort() {
         return this.serverPort;
     }
 
-    /**
-     * Legges først slik at alltid resetter context før prosesserer nye requests. Kjøres først så ikke risikerer andre har satt Request#setHandled(true).
-     */
-    static final class ResetLogContextHandler extends Handler.Abstract {
-        @Override
-        public boolean handle(Request request, Response response, Callback callback) {
-            MDC.clear();
-            return false;
-        }
-    }
 }