Versions Compared

Old Version 3

changes.mady.by.user Unknown User (m.woudstra)

Saved on

compared with

New Version 4

changes.mady.by.user Geert Graat

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning
titleWarning

Please make sure you thoroughly test custom security configurations. By disabling the default security configuration you are fully responsible for HTTP security and thus of the security of the runtime.

 

In Blueriq 9, the HTTP security configuration was defined in the security-config.xml file. In Blueriq 10 the HTTP security configuration is implemented in Java using a configurer bean:

 

Configurer bean, as shown below.

code
Code Block
titleHTTP security configuration
@Configuration
@Order(50)
@ConditionalOnProperty(name = "blueriq.security.http.interactions.enabled", havingValue = "true", matchIfMissing = true) // 1
public class RuntimeWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
	
	public static class Mappings {
        public static final String TRIGGER_SECURITY_CHECK = "/server/noaccess.html";
        public static final String PERFORM_SECURITY_CHECK = "/server/securityCheck";
        public static final String LOGIN_PAGE = "/server/session/login.html";
        public static final String LOGOUT_PAGE = "/server/session/logout.html";
        public static final String LOGIN_SUCCESS_URL= "/server/start?loginSuccess=true";
    }

	@Autowired // 2
	@Qualifier("blueriqAuthenticationManager")
	private AuthenticationManager authenticationManager;
	
	@Autowired // 3
	private IConfiguration configuration;
	
	@Autowired
	private MvcRedirectHelper redirectHelper; // 4

	@Override 
	protected AuthenticationManager authenticationManager() throws Exception {
		return authenticationManager; // 2
	}	
	
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		
	    // @formatter:off
		http
		    .csrf().disable()
		    .headers()
		        .defaultsDisabled() // 3
		        .and()
		    .sessionManagement()
		        .sessionFixation().none()
		        .and()
		    .authorizeRequests() // 4
		    	.antMatchers(redirectHelper.getNoAccessPath()).authenticated()
				.antMatchers("/h2-console/**").permitAll()
				.and()
			.formLogin()
				.defaultSuccessUrl(Mappings.LOGIN_SUCCESS_URL, true)
				.loginPage(Mappings.LOGIN_PAGE)
				.loginProcessingUrl(Mappings.PERFORM_SECURITY_CHECK).permitAll()
				.failureUrl(Mappings.LOGIN_PAGE)
				.and()
			.anonymous()
			    .key("doesNotMatter");
			 
		if (configuration.isClickJackingProtectionEnabled()) { // 3
			http.headers()
				.frameOptions().sameOrigin()
				.addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy","frame-ancestors 'self'"));
		}
		
		if (configuration.isStrictTransportProtectionEnabled()) { // 3
			http.headers()
				.httpStrictTransportSecurity()
					.includeSubDomains(true)
					.maxAgeInSeconds(31536000);
		}
		
		if (configuration.isXContentTypeProtectionEnabled()) { // 3
			http.headers().contentTypeOptions();
		} else {
			http.headers().contentTypeOptions().disable();
		}
        // @formatter:on
	}
}

...

 UI Text Box
typenote
Before Blueriq 10, the HTTP security configuration was defined in XML configuration in the file security-config.xml.
1. Disabling the default HTTP security configuration
...
 Code Block
titleapplication.properties
blueriq.security.http.interactions.enabled=false 
...
2. Overriding the authentication manager
The HTTP security configuration requires an authentication manager bean which is used to authenticate and authorize users when certain URL patterns are requested. In a custom configuration, it is possible to either use a custom authentication manager or use the default Blueriq authentication manager which supports the registration of custom authentication providers. See Runtime Authentication for more details about how to register a custom authentication provider with the Blueriq authentication manager. The following example illustrates how the authentication manager can be overridden while keeping the default HTTP security configuration:
...
 Warning
titleWarning
Apart from changing the authentication manager, the default security configuration is not suitable for extension.  
3. Configurable security headers
The default Spring Security headers are disabled and re-added depending on properties in the Spring environment.
...
Out of the box the number of Blueriq entries in the Spring Security filterchain varies depending on the active profiles and property settings. To register these security entries Blueriq reserves the following org.springframework.core.annotation.Order values:
OrderSecurity ConfigurerActivation conditionActive?
10BaasWebSecurityConfigureralways
20BaarsWebSecurityConfigureralways
26H2ConsoleSecurityConfigurerWith the development-tools profile 
When the 
 Include Page
_ProfileDevelopmentTools
_ProfileDevelopmentTools
profile is enabled
30RestApiOAuthWebSecurityConfigureralways
40RestApiWebSecurityConfigureralways
50RuntimeWebSecurityConfigurerBy default (can be disabled by setting the property blueriq.security.http.interactions.enabled not set to false)
 Note
When the Blueriq RuntimeWebSecurityConfigurer is disabled in favour of a custom HTTP security configuration implementation for the Runtime the Order value of 50 is advised and can be used for it.it is advised to use Order 50
6. Noaccess.html
...
Blueriq 's http security is based on the assumption that users require themselves access through logging in. If a user's credentials fail to grant the user access, one is redirected from noaccess.html to the login page. This redirection requires the virtual page called noaccess.html that is further configured as follows:uses a mechanism that whenever a flow is started, it is checked if the flow requires authentication and the current user has matching credentials. If this is not the case, the user is automatically redirected to the virtual page noaccess.html. This page does not exist, but is merely there to redirect to the login page as shown in the excerpt below from the HTTP security configuration.
 Code Block
.authorizeRequests()
.antMatchers(redirectHelper.getNoAccessPath()).authenticated()
.and()
...
If one chooses to configure a custom security approach, for instance by passing through credentials via http HTTP headers, noaccess.html is not in reach, and users are already logged in at the moment they reach Blueriq. A custom page that indicates that no access is allowed is in that case out of Blueriq's hands and the responsibility of the project.
...