Security

Owned by Petr Jůza
Last updated: Mar 15, 2017

OpenHub defines basic security configuration out-of-box via GlobalSecurityConfig class. This configuration activates default Spring authentication manager as in-memory implementation with 3 types of user:

  • WS user (used for all web services)
  • WEB user (used for administration)
  • and MONITORING user (used for monitoring).

Each type of user owns a role that reflects expected behaviour and actions. See DefaultSecurityUsers (or application.properties) class that collects all usernames and passwords for default users. To define which URL is secured by which role an OpenHub uses WebSecurityConfig, respectively AdminSecurityConfig classes.

There are the following default users and passwords from application.properties:

# username and password for accessing web service of this integration platform by other systems
security.user.ws-user=wsUser
security.user.ws-password=wsPassword

# username and password for accessing web admin GUI
security.user.web-user=webUser
security.user.web-password=webPassword

# username and password for accessing web monitoring GUI
security.user.monitoring-user=monUser
security.user.monitoring-password=monPassword

Custom security

If custom security is required first of all is to define own global authentication via GlobalAuthenticationConfigurerAdapter (see GlobalSecurityConfig). Probably you will use #init(AuthenticationManagerBuilder) method to define authentication manager (manager of users and their roles). 

GlobalSecurityConfig
@Configuration
@AutoConfigureBefore(GlobalSecurityConfig.class)
public class CustomSecurityConfig extends GlobalAuthenticationConfigurerAdapter {

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        // @formatter:off
        auth.ldapAuthentication()...        
        // @formatter:on
    }
}

Second step is about security configuration - which role can what. You have to define own WebSecurityConfigurerAdapter with highest precedence than for example WsSecurityConfig.

CustomWebSecurityConfig
@Configuration
@Order(CustomWebSecurityConfig.ORDER)
public class CustomWsSecurityConfig extends WebSecurityConfig {

	/**
	* Order of this {@link CustomWsSecurityConfig}.
    */
	public static final int ORDER = WebSecurityConfig.WsSecurityConfig.ORDER - 5;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http.csrf().disable() // HTTP with disabled CSRF
                    .antMatcher(WS_URI_PREFIX + DEFAULT_PATH_PATTERN)
                    ...
            // @formatter:on
        }
    }
}