Use method injection to provide AuthTokenDTOAuthenticationProvider and AuthenticationConfiguration to filterChain(), move HttpSessionSecurityContextRepository creation into WebEidAjaxLoginProcessingFilter constructor, update README

WE2-860

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

example/README.md

@@ -17,7 +17,7 @@ Web eID only works over a HTTPS connection with a trusted HTTPS certificate.
 You can either setup a reverse HTTPS proxy during development or, alternatively, configure
 HTTPS support directly in the bundled web server. HTTPS configuration is described in more detail in section _[HTTPS support](#https-support)_ below.
 
-You can use, for example, [_ngrok_](https://ngrok.com/) to get a reverse HTTPS proxy. Download _ngrok_ and run it in a terminal window by providing the protocol and Spring Boot application port arguments as follows:
+You can use, for example, [_ngrok_](https://ngrok.com/) or [_localtunnel_](https://theboroer.github.io/localtunnel-www/) to get a reverse HTTPS proxy. Download _ngrok_ and run it in a terminal window by providing the protocol and Spring Boot application port arguments as follows:
 
     ngrok http 8080
 
@@ -35,7 +35,7 @@ web-eid-auth-token:
 
 ### 3. Configure the trusted certificate authority certificates
 
-The algorithm, which performs the validation of the Web eID authentication token, needs to know which intermediate certificate authorities (CA) are trusted to issue the eID authentication certificates. CA certificates are loaded either from `.cer` files in the profile-specific subdirectory of the [`certs`resource directory](src/main/resources/certs) or the [truststore file](src/main/resources/certs/prod/trusted_certificates.jks). By default, Estonian eID test CA certificates are included in the `dev` profile and production CA certificates in the `prod` profile.
+The algorithm, which performs the validation of the Web eID authentication token, needs to know which intermediate certificate authorities (CA) are trusted to issue the eID authentication certificates. CA certificates are loaded either from `.cer` files in the profile-specific subdirectory of the [`certs` resource directory](src/main/resources/certs) or the [truststore file](src/main/resources/certs/prod/trusted_certificates.jks). By default, Estonian eID test CA certificates are included in the `dev` profile and production CA certificates in the `prod` profile.
 
 In case you need to provide your own CA certificates, either add the `.cer` files to the `src/main/resources/certs/{dev,prod}` profile-specific directory or add the certificates to the truststore file.
 

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -26,7 +26,6 @@
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -35,35 +34,19 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
-import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
-import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 @EnableWebSecurity
 @EnableMethodSecurity(securedEnabled = true)
 public class ApplicationConfiguration implements WebMvcConfigurer {
-    final AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider;
-    final SecurityContextRepository securityContextRepository;
-
-    public ApplicationConfiguration(AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider) {
-        this.authTokenDTOAuthenticationProvider = authTokenDTOAuthenticationProvider;
-        this.securityContextRepository = new HttpSessionSecurityContextRepository();
-    }
-
-    @Bean
-    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
-        return authenticationConfiguration.getAuthenticationManager();
-    }
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        AuthenticationManager manager = authenticationManager(http.getSharedObject(AuthenticationConfiguration.class));
-
+    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig) throws Exception {
         return http
                 .authenticationProvider(authTokenDTOAuthenticationProvider)
-                .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", manager, securityContextRepository),
+                .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager()),
                         UsernamePasswordAuthenticationFilter.class)
                 .logout(logout -> logout.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
                 .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))

example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java

@@ -42,6 +42,7 @@
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 
 import java.io.IOException;
@@ -53,15 +54,14 @@ public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProce
 
     public WebEidAjaxLoginProcessingFilter(
             String defaultFilterProcessesUrl,
-            AuthenticationManager authenticationManager,
-            SecurityContextRepository securityContextRepository
+            AuthenticationManager authenticationManager
     ) {
         super(defaultFilterProcessesUrl);
         this.setAuthenticationManager(authenticationManager);
         this.setAuthenticationSuccessHandler(new AjaxAuthenticationSuccessHandler());
         this.setAuthenticationFailureHandler(new AjaxAuthenticationFailureHandler());
         setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
-        this.securityContextRepository = securityContextRepository;
+        this.securityContextRepository = new HttpSessionSecurityContextRepository();
     }
 
     @Override

example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java

@@ -1,18 +1,17 @@
 package eu.webeid.example.security;
 
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.junit.jupiter.api.Test;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import java.io.BufferedReader;
 import java.io.StringReader;
 
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
-import org.springframework.security.web.context.SecurityContextRepository;
 
 class WebEidAjaxLoginProcessingFilterTest {
 
@@ -32,10 +31,9 @@ void testAttemptAuthentication() throws Exception {
         when(request.getReader()).thenReturn(new BufferedReader(new StringReader(AUTH_TOKEN)));
 
         final AuthenticationManager authenticationManager = mock(AuthenticationManager.class);
-        final SecurityContextRepository securityContextRepository = mock(SecurityContextRepository.class);
 
         assertDoesNotThrow(() ->
-                new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager, securityContextRepository)
+                new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager)
                         .attemptAuthentication(request, response));
     }
 }