Make FileDTO Serializable, enable Thymeleaf cache in production, use Jackson ObjectWriter and other minor cleanup

mrts · mrts · commit bfe9739e8cb3 · 2024-04-30T13:30:28.000+03:00
WE2-860

Signed-off-by: Mart Somermaa &lt;mrts@users.noreply.github.com&gt;
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -31,6 +31,7 @@
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
@@ -65,7 +66,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                 .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", manager, securityContextRepository),
                         UsernamePasswordAuthenticationFilter.class)
                 .logout(logout -> logout.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
-                .headers(headers -> headers.frameOptions(options -> options.sameOrigin()))
+                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
                 .build();
     }
 
diff --git a/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
@@ -23,9 +23,12 @@
 package eu.webeid.example.security;
 
 import eu.webeid.example.security.dto.AuthTokenDTO;
+import eu.webeid.security.authtoken.WebEidAuthToken;
+import eu.webeid.security.challenge.ChallengeNonceStore;
+import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.AuthTokenValidator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
@@ -34,15 +37,9 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.stereotype.Component;
-import eu.webeid.security.authtoken.WebEidAuthToken;
-import eu.webeid.security.challenge.ChallengeNonceStore;
-import eu.webeid.security.exceptions.AuthTokenException;
-import eu.webeid.security.validator.AuthTokenValidator;
 
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
@@ -56,10 +53,13 @@ public class AuthTokenDTOAuthenticationProvider implements AuthenticationProvide
 
     private static final Logger LOG = LoggerFactory.getLogger(AuthTokenDTOAuthenticationProvider.class);
 
-    @Autowired
-    private AuthTokenValidator tokenValidator;
-    @Autowired
-    private ChallengeNonceStore challengeNonceStore;
+    private final AuthTokenValidator tokenValidator;
+    private final ChallengeNonceStore challengeNonceStore;
+
+    public AuthTokenDTOAuthenticationProvider(AuthTokenValidator tokenValidator, ChallengeNonceStore challengeNonceStore) {
+        this.tokenValidator = tokenValidator;
+        this.challengeNonceStore = challengeNonceStore;
+    }
 
     @Override
     public Authentication authenticate(Authentication auth) throws AuthenticationException {
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -23,15 +23,14 @@
 package eu.webeid.example.security;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import java.io.IOException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
-
+import com.fasterxml.jackson.databind.ObjectReader;
 import eu.webeid.example.security.ajax.AjaxAuthenticationFailureHandler;
 import eu.webeid.example.security.ajax.AjaxAuthenticationSuccessHandler;
 import eu.webeid.example.security.dto.AuthTokenDTO;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
@@ -45,14 +44,17 @@
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 import org.springframework.security.web.context.SecurityContextRepository;
 
+import java.io.IOException;
+
 public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
     private static final Logger LOG = LoggerFactory.getLogger(WebEidAjaxLoginProcessingFilter.class);
+    private final ObjectReader OBJECT_READER = new ObjectMapper().readerFor(AuthTokenDTO.class);
     private final SecurityContextRepository securityContextRepository;
 
     public WebEidAjaxLoginProcessingFilter(
-        String defaultFilterProcessesUrl,
-        AuthenticationManager authenticationManager,
-        SecurityContextRepository securityContextRepository
+            String defaultFilterProcessesUrl,
+            AuthenticationManager authenticationManager,
+            SecurityContextRepository securityContextRepository
     ) {
         super(defaultFilterProcessesUrl);
         this.setAuthenticationManager(authenticationManager);
@@ -64,7 +66,7 @@ public WebEidAjaxLoginProcessingFilter(
 
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
-        throws AuthenticationException, IOException {
+            throws AuthenticationException, IOException {
         if (!HttpMethod.POST.name().equals(request.getMethod())) {
             LOG.warn("HttpMethod not supported: {}", request.getMethod());
             throw new AuthenticationServiceException("HttpMethod not supported: " + request.getMethod());
@@ -76,8 +78,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         }
 
         LOG.info("attemptAuthentication(): Reading request body");
-        final ObjectMapper objectMapper = new ObjectMapper();
-        final AuthTokenDTO authTokenDTO = objectMapper.readValue(request.getReader(), AuthTokenDTO.class);
+        final AuthTokenDTO authTokenDTO = OBJECT_READER.readValue(request.getReader());
         LOG.info("attemptAuthentication(): Creating token");
         final PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(null, authTokenDTO);
         LOG.info("attemptAuthentication(): Calling authentication manager");
@@ -86,7 +87,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 
     @Override
     protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
-        super.successfulAuthentication(request, response, chain, authResult); // Generated from nbfs://nbhost/SystemFileSystem/Templates/Classes/Code/OverriddenMethodBody
+        super.successfulAuthentication(request, response, chain, authResult);
         securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
     }
 }
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
@@ -25,19 +25,17 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import java.io.IOException;
-import java.util.Collection;
-import java.util.List;
-import java.util.stream.Collectors;
+import com.fasterxml.jackson.databind.ObjectWriter;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
 import org.springframework.stereotype.Component;
 
+import java.io.IOException;
+
 /**
  * Write custom response on having user successfully authenticated.
  * <p>
@@ -50,11 +48,11 @@ public class AjaxAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuc
 
     @Override
     public void onAuthenticationSuccess(
-        HttpServletRequest request,
-        HttpServletResponse response,
-        Authentication authentication
+            HttpServletRequest request,
+            HttpServletResponse response,
+            Authentication authentication
     )
-        throws IOException {
+            throws IOException {
         LOG.info("onAuthenticationSuccess(): {}", authentication);
 
         response.setStatus(HttpServletResponse.SC_OK);
@@ -64,23 +62,19 @@ public void onAuthenticationSuccess(
     }
 
     public static class AuthSuccessDTO {
-        private final ObjectMapper objectMapper = new ObjectMapper();
+        private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writerFor(AuthSuccessDTO.class);
 
         @JsonProperty("sub")
         private String sub;
 
         @JsonProperty("auth")
-        private List<String> auth;
+        private String auth;
 
         public static String asJson(Authentication authentication) throws JsonProcessingException {
             final AuthSuccessDTO dto = new AuthSuccessDTO();
             dto.sub = authentication.getName();
-            dto.auth = convertAuthorities(authentication.getAuthorities());
-            return dto.objectMapper.writeValueAsString(dto);
-        }
-
-        private static List<String> convertAuthorities(Collection<? extends GrantedAuthority> authorities) {
-            return authorities.stream().map(GrantedAuthority::toString).collect(Collectors.toList());
+            dto.auth = authentication.getAuthorities().toString();
+            return OBJECT_WRITER.writeValueAsString(dto);
         }
     }
 }
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -64,7 +64,7 @@ public class SigningService {
     private static final Logger LOG = LoggerFactory.getLogger(SigningService.class);
     private final Configuration signingConfiguration;
 
-    ObjectFactory<HttpSession> httpSessionFactory;
+    private final ObjectFactory<HttpSession> httpSessionFactory;
 
     public SigningService(ObjectFactory<HttpSession> httpSessionFactory, YAMLConfig yamlConfig) {
         this.httpSessionFactory = httpSessionFactory;
diff --git a/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
@@ -27,12 +27,13 @@
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.IOException;
+import java.io.Serializable;
 import java.net.URI;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.util.Objects;
 
-public class FileDTO {
+public class FileDTO implements Serializable {
     private static final String EXAMPLE_FILENAME = "example-for-signing.txt";
 
     private final String name;
diff --git a/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
@@ -23,10 +23,10 @@
 package eu.webeid.example.web.rest;
 
 import eu.webeid.example.service.dto.ChallengeDTO;
+import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
-import eu.webeid.security.challenge.ChallengeNonceGenerator;
 
 @RestController
 @RequestMapping("auth")
diff --git a/example/src/main/resources/application-prod.yaml b/example/src/main/resources/application-prod.yaml
@@ -3,3 +3,6 @@ web-eid-auth-token:
     use-digidoc4j-prod-configuration: true
     local-origin: "https://web-eid.eu"
     truststore-password: "changeit"
+spring:
+  thymeleaf:
+    cache: true
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -110,7 +110,7 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
         MvcResult result = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
         session = (MockHttpSession) result.getRequest().getSession();
         MockHttpServletResponse response = result.getResponse();
-        assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
+        assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG\",\"auth\":\"[ROLE_USER]\"}", response.getContentAsString());
 
         /* Example how to test file upload.
         response = HttpHelper.upload(mvcBuilder, session, mockMultipartFile());
