From c63f24ecec3e438600bc5171d8e75c4a5d8dbc10 Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Sat, 17 Feb 2024 03:02:57 -0800
Subject: [PATCH] feat(SecurityConfig): configure Swagger API-Key usage globally

---
 .../backend/common/security/SecurityConfig.java | 16 +++++++++++++---
 .../logic/ApiKeyAuthenticationFilter.java | 16 +++++++++-------
 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/SecurityConfig.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/SecurityConfig.java
index 7b3264db..53179935 100644
--- a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/SecurityConfig.java
+++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/SecurityConfig.java
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2023, 2024 Volkswagen AG
- * Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation
+ * Copyright (c) 2023-2024 Volkswagen AG
+ * Copyright (c) 2023-2024 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) distributed with this work for additional
  * information regarding copyright ownership.
@@ -20,6 +20,12 @@
 
 package org.eclipse.tractusx.puris.backend.common.security;
 
+import io.swagger.v3.oas.annotations.OpenAPIDefinition;
+import io.swagger.v3.oas.annotations.enums.SecuritySchemeIn;
+import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
+import io.swagger.v3.oas.annotations.info.Info;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import io.swagger.v3.oas.annotations.security.SecurityScheme;
 import jakarta.servlet.DispatcherType;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -43,8 +49,12 @@
 @EnableWebSecurity
 @AllArgsConstructor
 @Slf4j
+@SecurityScheme(type = SecuritySchemeType.APIKEY, name = SecurityConfig.API_KEY_HEADER_NAME, in = SecuritySchemeIn.HEADER)
+@OpenAPIDefinition(info = @Info(title = "PURIS FOSS Open API", version = "1.0.0"), security = {@SecurityRequirement(name = "X-API-KEY")})
 public class SecurityConfig {
 
+    public static final String API_KEY_HEADER_NAME = "X-API-KEY";
+
     private final ApiKeyAuthenticationFilter apiKeyAuthenticationFilter;
 
     @Bean
@@ -69,7 +79,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             .authorizeHttpRequests(
                 // any request in spring context
                 (authorizeHttpRequests) -> authorizeHttpRequests
-                    .requestMatchers("/stockView/**", "/partners/**", "/materials/**", "/materialpartnerrelations/**", "/item-stock/**", "/edrendpoint/**", "/edc/**").authenticated()
+                    .requestMatchers("/stockView/**", "/partners/**", "/materials/**", "/materialpartnerrelations/**", "/item-stock/**", "/edrendpoint/**", "/edc/**").authenticated()
                     .requestMatchers("/swagger-ui/**", "/v3/api-docs/**", "/health/**").permitAll()
                     .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
             )
diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/logic/ApiKeyAuthenticationFilter.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/logic/ApiKeyAuthenticationFilter.java
index c53aa9e8..b4d3ca24 100644
--- a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/logic/ApiKeyAuthenticationFilter.java
+++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/logic/ApiKeyAuthenticationFilter.java
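Review bot: The global requirement `@OpenAPIDefinition(... security = {@SecurityRequirement(name = "X-API-KEY")})` repeats the header name as a string literal while the `@SecurityScheme` on the line above uses `SecurityConfig.API_KEY_HEADER_NAME`; the requirement name must match the scheme name exactly or Swagger UI silently stops attaching the key, so the constant should be used in both places: `security = {@SecurityRequirement(name = SecurityConfig.API_KEY_HEADER_NAME)}`. A global security requirement also documents every operation as needing the key, including the `/swagger-ui/**`, `/v3/api-docs/**` and `/health/**` paths that `filterChain` below marks `permitAll()`; that is harmless for enforcement, since the filter chain and not the annotation decides, but it deserves a comment on the annotation such as `// Documentation only: enforcement happens in filterChain(); permitAll endpoints still appear as secured in the generated spec`. The `SecurityConfig` class body continues outside the hunk.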
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2023 Volkswagen AG
- * Copyright (c) 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2023-2024 Volkswagen AG
+ * Copyright (c) 2023-2024 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) distributed with this work for additional
  * information regarding copyright ownership.
@@ -24,7 +24,9 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.AllArgsConstructor;
+import org.eclipse.tractusx.puris.backend.common.security.SecurityConfig;
 import org.eclipse.tractusx.puris.backend.common.security.domain.ApiKeyAuthentication;
+import org.jetbrains.annotations.NotNull;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
@@ -39,18 +41,18 @@
 @AllArgsConstructor
 public class ApiKeyAuthenticationFilter extends OncePerRequestFilter {
 
-    public final String API_KEY_HEADER = "X-API-KEY";
     private final ApiKeyAuthenticationProvider apiKeyAuthenticationProvider;
 
+
     @Override
-    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        String headerKey = request.getHeader(API_KEY_HEADER);
+    protected void doFilterInternal(HttpServletRequest request, @NotNull HttpServletResponse response, @NotNull FilterChain filterChain) throws ServletException, IOException {
+        String headerKey = request.getHeader(SecurityConfig.API_KEY_HEADER_NAME);
 
-        if (headerKey != null){
+        if (headerKey != null) {
             ApiKeyAuthentication apiKeyAuthentication = new ApiKeyAuthentication(headerKey, false);
             Authentication authenticatedObject = apiKeyAuthenticationProvider.authenticate(apiKeyAuthentication);
             SecurityContextHolder.getContext().setAuthentication(authenticatedObject);
         }
-        filterChain.doFilter(request,response);
+        filterChain.doFilter(request, response);
     }
 }
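Review bot: The new `import org.jetbrains.annotations.NotNull;` brings a third-party compile-time artifact (`org.jetbrains:annotations`) into the backend solely for two parameter annotations, and nothing in the diff shows it being declared in the build. Unless the project already depends on it, the annotation that Spring ships and that the web stack already resolves does the same job without widening the supply chain: `import org.springframework.lang.NonNull;` here and `@NonNull` instead of `@NotNull` in the filter signature below.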
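Review bot: A key the provider rejects is not handled anywhere in the new `doFilterInternal`: `apiKeyAuthenticationProvider.authenticate(...)` is used like a Spring `AuthenticationProvider`, whose contract signals a bad credential by throwing `AuthenticationException`, so a wrong key would presumably propagate out of the filter instead of becoming a 401, and if the provider instead returns an unauthenticated token that token is still placed in the `SecurityContext` unconditionally. Catching `AuthenticationException`, clearing the context and answering `SC_UNAUTHORIZED` (without logging the header value) makes the failure mode explicit; it needs `import org.springframework.security.core.AuthenticationException;`. Separately, `request` is the only parameter left without `@NotNull` while `response` and `filterChain` gained it, which reads as an oversight. The provider's behaviour is inferred from the interface convention and is not visible here, so confirm it against `ApiKeyAuthenticationProvider` before relying on the catch.
```java
    @Override
    protected void doFilterInternal(@NotNull HttpServletRequest request, @NotNull HttpServletResponse response, @NotNull FilterChain filterChain) throws ServletException, IOException {
        String headerKey = request.getHeader(SecurityConfig.API_KEY_HEADER_NAME);

        if (headerKey != null) {
            try {
                ApiKeyAuthentication apiKeyAuthentication = new ApiKeyAuthentication(headerKey, false);
                Authentication authenticatedObject = apiKeyAuthenticationProvider.authenticate(apiKeyAuthentication);
                SecurityContextHolder.getContext().setAuthentication(authenticatedObject);
            } catch (AuthenticationException e) {
                // Wrong or unknown key: reject explicitly rather than letting the exception leave the filter chain.
                // Deliberately not logging headerKey — it is a secret.
                SecurityContextHolder.clearContext();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        // … unchanged: filterChain.doFilter(request, response) …
    }
```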