NFC-109 Conditional mobile authentication security configuration

Author: aarmam

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -28,6 +28,7 @@
 import eu.webeid.example.security.WebEidMobileAuthInitFilter;
 import eu.webeid.example.security.ui.WebEidLoginPageGeneratingFilter;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBooleanProperty;
 import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -48,7 +49,8 @@
 public class ApplicationConfiguration {
 
     @Bean
-    public SecurityFilterChain filterChain(
+    @ConditionalOnBooleanProperty(name = "web-eid-mobile.enabled", matchIfMissing = true)
+    public SecurityFilterChain webEidPluginAndMobileSecurityFilterChain(
         HttpSecurity http,
         WebEidAuthenticationProvider webEidAuthenticationProvider,
         AuthenticationConfiguration authConfig,
@@ -71,4 +73,27 @@ public SecurityFilterChain filterChain(
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
             .build();
     }
+
+    @Bean
+    @ConditionalOnBooleanProperty(name = "web-eid-mobile.enabled", havingValue = false)
+    public SecurityFilterChain webEidPluginOnlySecurityFilterChain(
+        HttpSecurity http,
+        WebEidAuthenticationProvider webEidAuthenticationProvider,
+        AuthenticationConfiguration authConfig,
+        ChallengeNonceGenerator challengeNonceGenerator
+    ) throws Exception {
+        return http
+            .authorizeHttpRequests(auth -> auth
+                .requestMatchers("/css/**", "/files/**", "/img/**", "/js/**", "/scripts/**").permitAll()
+                .requestMatchers("/").permitAll()
+                .anyRequest().authenticated()
+            )
+            .authenticationProvider(webEidAuthenticationProvider)
+            .addFilterBefore(new WebEidChallengeNonceFilter("/auth/challenge", challengeNonceGenerator), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager()), UsernamePasswordAuthenticationFilter.class)
+            .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
+            .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
+            .build();
+    }
+
 }

example/src/main/resources/application-dev.yaml

@@ -3,5 +3,6 @@ web-eid-auth-token:
     use-digi-doc4j-prod-configuration: false
     local-origin: "https://test.web-eid.eu"
 web-eid-mobile:
+  enabled: true
   base-request-uri: "web-eid-mobile://"
   request-signing-cert: false

example/src/main/resources/templates/index.html

@@ -62,7 +62,7 @@ <h4>Table of contents</h4>
                                 <li><a href="#for-developers">For developers</a></li>
                             </ul>
                         </li>
-                        <li>
+                        <li th:if="${@environment.getProperty('web-eid-mobile.enabled')}">
                             <a href="#usage-without-plugin">Usage without Web eID plugin</a>
                             <ul>
                                 <li><a href="#documentation-mobile">Documentation</a></li>
@@ -427,51 +427,53 @@ <h4 class="accordion-header" id="headingDevelopers">
                         </div>
                     </div>
 
-                    <hr />
-                    <h3><a id="usage-without-plugin"></a>Usage without Web eID plugin</h3>
-                    <p>
-                        The Web eID solution can also be used without installing the Web eID native app and browser
-                        extension. This includes devices like mobile phones, tablets, and some Chromebooks, where the
-                        Web eID plugin cannot currently be installed.
-                    </p>
-                    <p class="text-center p-4">
-                        <button id="webeid-mobile-auth-button" class="btn btn-primary">Authenticate</button>
-                    </p>
-
-                    <hr />
-                    <div class="accordion accordion-flush" id="accordionMobileInfo">
-                        <div class="accordion-item border-0">
-                            <h4 class="accordion-header" id="headingDocumentationMobile">
-                                <button
-                                    class="accordion-button collapsed ps-0"
-                                    id="documentation-mobile"
-                                    type="button"
-                                    data-bs-toggle="collapse"
-                                    data-bs-target="#collapseDocumentationMobile"
-                                    aria-expanded="false"
-                                    aria-controls="collapseDocumentationMobile"
+                    <div th:if="${@environment.getProperty('web-eid-mobile.enabled')}">
+                        <hr />
+                        <h3><a id="usage-without-plugin"></a>Usage without Web eID plugin</h3>
+                        <p>
+                            The Web eID solution can also be used without installing the Web eID native app and browser
+                            extension. This includes devices like mobile phones, tablets, and some Chromebooks, where the
+                            Web eID plugin cannot currently be installed.
+                        </p>
+                        <p class="text-center p-4">
+                            <button id="webeid-mobile-auth-button" class="btn btn-primary">Authenticate</button>
+                        </p>
+
+                        <hr />
+                        <div class="accordion accordion-flush" id="accordionMobileInfo">
+                            <div class="accordion-item border-0">
+                                <h4 class="accordion-header" id="headingDocumentationMobile">
+                                    <button
+                                        class="accordion-button collapsed ps-0"
+                                        id="documentation-mobile"
+                                        type="button"
+                                        data-bs-toggle="collapse"
+                                        data-bs-target="#collapseDocumentationMobile"
+                                        aria-expanded="false"
+                                        aria-controls="collapseDocumentationMobile"
+                                    >
+                                        Documentation
+                                    </button>
+                                </h4>
+                                <div
+                                    id="collapseDocumentationMobile"
+                                    class="accordion-collapse collapse"
+                                    aria-labelledby="headingDocumentationMobile"
+                                    data-bs-parent="#accordionMobileInfo"
                                 >
-                                    Documentation
-                                </button>
-                            </h4>
-                            <div
-                                id="collapseDocumentationMobile"
-                                class="accordion-collapse collapse"
-                                aria-labelledby="headingDocumentationMobile"
-                                data-bs-parent="#accordionMobileInfo"
-                            >
-                                <div class="accordion-body ps-0">
-                                    <p>
-                                        Technical overview of the solution is available in the project
-                                        <a href="https://github.com/web-eid/web-eid-for-mobile-architecture-doc"
-                                            >system architecture document</a
-                                        >. Overview of authentication token validation implementation in the back end is
-                                        available in the <i>web-eid-authtoken-validation-java</i> Java library
-                                        <a
-                                            href="https://github.com/web-eid/web-eid-authtoken-validation-java#authentication-token-validation"
-                                            >README</a
-                                        >.
-                                    </p>
+                                    <div class="accordion-body ps-0">
+                                        <p>
+                                            Technical overview of the solution is available in the project
+                                            <a href="https://github.com/web-eid/web-eid-for-mobile-architecture-doc"
+                                                >system architecture document</a
+                                            >. Overview of authentication token validation implementation in the back end is
+                                            available in the <i>web-eid-authtoken-validation-java</i> Java library
+                                            <a
+                                                href="https://github.com/web-eid/web-eid-authtoken-validation-java#authentication-token-validation"
+                                                >README</a
+                                            >.
+                                        </p>
+                                    </div>
                                 </div>
                             </div>
                         </div>