Versions Compared

Old Version 10

changes.mady.by.user Unknown User (m.woudstra)

Saved on

compared with

New Version Current

changes.mady.by.user Tijmen Daatselaar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrate text box

...

Warning
titleWarning

Please make sure you thoroughly test custom security configurations. By disabling the default security configuration you are fully responsible for HTTP security and thus of the security of the runtime.

 

In Blueriq the HTTP security configuration is implemented in Java using a Configurer bean, as shown below.

Code Block
titleHttp security configuration
@Configuration
@Order(50)
@ConditionalOnProperty(name = "blueriq.security.http.interactions.enabled", havingValue = "true", matchIfMissing = true)
public class RuntimeWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

  private static final Logger LOG = LoggerFactory.getLogger(RuntimeWebSecurityConfigurer.class);

  @Autowired
  @Qualifier("blueriqAuthenticationManager")
  private AuthenticationManager authManager;

  @Autowired
  private SecurityConfigProperties securityProperties;

  @Autowired
  private MvcRedirectHelper redirectHelper;

  @Autowired
  private SecurityContextRepository securityContextRepository;

  public static class Mappings {
    public static final String TRIGGER_SECURITY_CHECK = "/server/noaccess.html";
    public static final String PERFORM_SECURITY_CHECK = "/server/securityCheck";
    public static final String LOGIN_PAGE = "/server/session/login.html";
    public static final String LOGOUT_PAGE = "/server/session/logout.html";
    public static final String LOGIN_SUCCESS_URL = "/server/start?loginSuccess=true";
    public static final String LOGIN_PAGE_ERROR = "/server/session/login.html?loginError=true";
  }

  @Override
  protected AuthenticationManager authenticationManager() throws Exception {
    return this.authManager;
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http //
        .csrf().disable() //
        .headers() //
        .defaultsDisabled() //
        .addHeaderWriter(new ClickJackingProtectionHeaderWriter(this.securityProperties)) //
        .addHeaderWriter(new StrictTransportProtectionHeaderWriter(this.securityProperties)) //
        .addHeaderWriter(new ContentTypeOptionsHeaderWriter(this.securityProperties)) //
        .addHeaderWriter(new XssProtectionHeaderWriter(this.securityProperties)) //
        .and() //
        .sessionManagement() //
        .sessionFixation() //
        .none() //
        .and() //
        .authorizeRequests() //
        .antMatchers(this.redirectHelper.getNoAccessPath()) //
        .authenticated() //
        .and() //
        .formLogin() //
        .defaultSuccessUrl(Mappings.LOGIN_SUCCESS_URL, true) //
        .loginPage(Mappings.LOGIN_PAGE) //
        .loginProcessingUrl(Mappings.PERFORM_SECURITY_CHECK) //
        .permitAll() //
        .failureUrl(Mappings.LOGIN_PAGE_ERROR) //
        .and() //
        .anonymous() //
        .key("doesNotMatter").and() //
        .securityContext() //
        .securityContextRepository(securityContextRepository);
  }

  @Bean
  @ConditionalOnMissingBean(SecurityContextRepository.class)
  public SecurityContextRepository defaultSecurityContextRepository() {
    if (LOG.isInfoEnabled()) {
      LOG.info("Using default security context repository");
    }

    HttpSessionSecurityContextRepository repository = new HttpSessionSecurityContextRepository();
    repository.setDisableUrlRewriting(true);

    return repository;
  }

  @Autowired(required = false)
  public void registerXssWhitelist(IXssWhitelist whitelist) {
    XssSafeValueFormatter.register(whitelist);
  }

  @Autowired(required = false)
  public void registerXssBlacklist(IXssBlacklist blacklist) {
    XssSafeValueFormatter.register(blacklist);
  }

}

 

 

UI Text Box
typenote
Before Blueriq 10, the HTTP security configuration was defined in XML configuration in the file security-config.xml.
1. Disabling the default HTTP security configuration
The default HTTP security configuration can be disabled by setting the blueriq.security.http.runtime.enabled property to false. Once disabled, another configurer bean should be provided in the Spring Context.
 Code Block
titleapplication.properties
blueriq.security.http.interactions.enabled=false 
2. Overriding the authentication manager
The HTTP security configuration requires an authentication manager bean which is used to authenticate and authorize users when certain URL patterns are requested. In a custom configuration, it is possible to either use a custom authentication manager or use the default Blueriq authentication manager which supports the registration of custom authentication providers. See Runtime Authenticationauthentication for more details about how to register a custom authentication provider with the Blueriq authentication manager. The following example illustrates how the authentication manager can be overridden while keeping the default HTTP security configuration: 
 Code Block
@Configuration
public class CustomWebSecurityConfigurer extends RuntimeWebSecurityConfigurer {
 
	@Autowired
	@Qualifier("customAuthenticationManager")
	private AuthenticationManager customAuthenticationManager;
 
	@Override
	public AuthenticationManager authenticationManager() throws Exception {
		return customAuthenticationManager
	}
}
 Warning
titleWarning
Apart from changing the authentication manager, the default security configuration is not suitable for extension. 
3. Configurable security headers
Spring' Security headers are disabled by default and re-added based on how security is configured in application.properties. By default, http request methods are by default not restricted, HTTP strict transport security is disabled by default, content sniffing protection is disabled by default, Blueriq's controller are protecetd protected against cross-site reqiest request forgery, and click jackin gprotection jacking protection is default enabled. Please also see Security.
4. Configuring authentication and authorization for URL patterns
By default a single URL requires authentication. Internally, the Blueriq Runtime will redirect to this URL whenever a flow requires authentication. Custom configurations may add other URL patterns that require authentication and/or authorization, as in the following example: 
 Code Block
@Configuration
public class CustomWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
 
	// 1. inject any required dependencies
	@Autowired
	private IAuthorisationManager authorisationManager;
 
	@Autowired
	@Qualifier("blueriqAuthenticationManager")
	private AuthenticationManager authenticationManager;
 
	// 2. specify the authenticationmanager
	@Override
	public AuthenticationManager authenticationManager() throws Exception {
		return authenticationManager;
	}
 
	// 3. configure HTTP security
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http()
			.authorizeRequests()
				.antMatchers(authorisationManager.getOnFlowAccessExceptionUrl()).authenticated()
				.antMatchers("/server/custom/controller").hasRole("CUSTOM_ROLE")
	}
}
Please note that custom configurations should configure not only authorizations for URL patterns, but also the login mechanism, headers and any other applicable security settings. The URL patterns should be relative to the web application context. 
5. Reserved Order values for Blueriq out of the box Spring Security filterchain
Out of the box the number of Blueriq entries in the Spring Security filterchain varies depending on the active profiles and property settings. To register these security entries Blueriq reserves the following org.springframework.core.annotation.Order values:
...
 Note
When the Blueriq RuntimeWebSecurityConfigurer is disabled in favour of a custom HTTP security configuration implementation for the Runtime it is advised to use Order 50
6. Noaccess.html
Blueriq uses a mechanism that whenever a flow is started, it is checked if the flow requires authentication and the current user has matching credentials. If this is not the case, the user is automatically redirected to the virtual page noaccess.html. This page does not exist, but is merely there to redirect to the login page as shown in the excerpt below from the HTTP security configuration.
 Code Block
.authorizeRequests()
.antMatchers(redirectHelper.getNoAccessPath()).authenticated()
.and()
...
If one chooses to configure a custom security approach, for instance by passing through credentials via HTTP headers, noaccess.html 
...
6. Noaccess.html
Blueriq uses a mechanism that whenever a flow is started, it is checked if the flow requires authentication and the current user has matching credentials. If this is not the case, the user is automatically redirected to the virtual page noaccess.html. This page does not exist, but is merely there to redirect to the login page as shown in the excerpt below from the HTTP security configuration.
 Code Block
.authorizeRequests()
.antMatchers(redirectHelper.getNoAccessPath()).authenticated()
.and()
 
If one chooses to configure a custom security approach, for instance by passing through credentials via HTTP headers, noaccess.html is not in reach, and users are already logged in at the moment they reach Blueriq. will not be presented to the end user because of the divergent authentication approach. A custom page that indicates that no access is allowed is in that case out of Blueriq's hands and the responsibility of the project.
...