Merge pull request #1 from maximthomas/features/add-spring-profiles

add maven profiles and GitHub actions

.github/workflows/build.yml

@@ -0,0 +1,32 @@
+name: Build
+
+on:
+  push:
+  pull_request:
+    branches: [ master ]
+jobs:
+  build-maven:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [ '17' ]
+        os: [ 'ubuntu-latest' ]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+      - name: Java ${{ matrix.Java }} (${{ matrix.os }})
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ matrix.java }}
+          distribution: 'temurin'
+      - name: Cache Maven packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-m2-repository-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-repository
+      - name: Build with Maven
+        run: mvn package --file pom.xml

Dockerfile

@@ -0,0 +1,6 @@
+FROM eclipse-temurin:17-jre-alpine
+RUN addgroup -S app && adduser -S app -G app
+USER app
+ARG JAR_FILE=target/*.jar
+COPY ${JAR_FILE} app.jar
+ENTRYPOINT ["sh", "-c", "java ${JAVA_OPTS} -jar /app.jar ${0} ${@}"]

build-docker.sh

@@ -0,0 +1 @@
+mvn clean package && docker build -t openidentityplatform/spring-security-openam-example .

pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.2.1</version>
+        <version>3.2.4</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
     <groupId>org.openidentityplatform.openam.examples</groupId>

src/main/java/org/openidentityplatform/openamsecured/configuration/OpenAmAuthenticationFilter.java

@@ -3,6 +3,7 @@
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
@@ -28,7 +29,9 @@
 public class OpenAmAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
 
     private final String openAmUrl = "http://openam.example.org:8080/openam";
-    private final String openAuthUrl = openAmUrl.concat("/XUI/#login");
+    private final String openAuthUrl = openAmUrl.concat("/XUI/");
+
+    private String openamRealm = "/";
 
     private final String openAmUserInfoUrl = openAmUrl.concat("/json/users?_action=idFromSession");
     private final String openAmCookieName = "iPlanetDirectoryPro";
@@ -49,7 +52,8 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         Optional<Cookie> openamCookie = Arrays.stream(request.getCookies())
                 .filter(c -> c.getName().equals(openAmCookieName)).findFirst();
         if(openamCookie.isEmpty()) {
-           response.sendRedirect(openAuthUrl + "&goto=" + URLEncoder.encode(redirectUrl, StandardCharsets.UTF_8));
+           response.sendRedirect(openAuthUrl + "?goto=" + URLEncoder.encode(redirectUrl, StandardCharsets.UTF_8)
+                   + "&realm=".concat(URLEncoder.encode(openamRealm, StandardCharsets.UTF_8)));
            return null;
         } else {
             String userId = getUserIdFromSession(openamCookie.get().getValue());
@@ -78,4 +82,10 @@ protected String getUserIdFromSession(String sessionId) {
         return body.get("id");
     }
 
+    @Value("${openam.auth.realm:/}")
+    public void setOpenamRealm(String openamRealm) {
+        this.openamRealm = openamRealm;
+    }
+
+
 }

src/main/java/org/openidentityplatform/openamsecured/configuration/SecurityConfiguration.java

@@ -3,6 +3,7 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -16,6 +17,7 @@
 public class SecurityConfiguration {
     @Bean
     @Order(1)
+    @Profile("oauth")
     public SecurityFilterChain securityWebFilterChain(HttpSecurity http) throws Exception {
         http.securityMatcher("/protected-oauth", "/oauth2/**", "/login/oauth2/**").authorizeHttpRequests((authorize) ->
                         authorize.anyRequest().fullyAuthenticated())
@@ -26,6 +28,7 @@ public SecurityFilterChain securityWebFilterChain(HttpSecurity http) throws Exce
 
     @Bean
     @Order(2)
+    @Profile("saml")
     public SecurityFilterChain securitySamlFilterChain(HttpSecurity http) throws Exception {
         http.securityMatcher("/protected-saml", "/saml2/**", "/login/saml2/**")
                 .authorizeHttpRequests((authorize) ->
@@ -38,9 +41,10 @@ public SecurityFilterChain securitySamlFilterChain(HttpSecurity http) throws Exc
 
     @Bean
     @Order(3)
+    @Profile("cookie")
     public SecurityFilterChain securityOpenAmFilterChain(HttpSecurity http) throws Exception {
         http.securityMatcher("/protected-openam", OpenAmAuthenticationFilter.OPENAM_AUTH_URI)
-                .addFilterAt(new OpenAmAuthenticationFilter(), RememberMeAuthenticationFilter.class)
+                .addFilterAt(openAmAuthenticationFilter(), RememberMeAuthenticationFilter.class)
                 .authorizeHttpRequests((authorize) ->
                         authorize.anyRequest().fullyAuthenticated())
                 .exceptionHandling(e ->
@@ -60,6 +64,11 @@ public SecurityFilterChain securityPermitAllFilterChain(HttpSecurity http) throw
 
         return http.build();
     }
+
+    @Bean
+    public OpenAmAuthenticationFilter openAmAuthenticationFilter() {
+        return new OpenAmAuthenticationFilter();
+    }
 }
 
 

src/main/resources/application.yml

@@ -1,6 +1,21 @@
 server:
   port: 8081
+openam:
+  auth:
+    realm: "/"
+logging:
+  level:
+    org:
+      springframework:
+        security: DEBUG
+spring:
+  profiles:
+    active: "cookie"
+---
 spring:
+  config:
+    activate:
+      on-profile: "oauth"
   security:
     oauth2:
       client:
@@ -18,6 +33,12 @@ spring:
             token-uri: http://openam.example.org:8080/openam/oauth2/access_token
             user-name-attribute: sub
             issuer-uri: http://openam.example.org:8080/openam/oauth2
+---
+spring:
+  config:
+    activate:
+      on-profile: "saml"
+  security:
     saml2:
       relyingparty:
         registration:
@@ -32,8 +53,3 @@ spring:
             assertingparty:
               metadata-uri: http://openam.example.org:8080/openam/saml2/jsp/exportmetadata.jsp
 
-logging:
-  level:
-    org:
-      springframework:
-        security: DEBUG

src/main/resources/templates/index.html

@@ -1,15 +1,15 @@
 <!DOCTYPE html>
-<html>
+<html xmlns:th="http://www.thymeleaf.org">
 <head>
     <link rel="icon" href="data:;base64,iVBORw0KGgo="/>
 </head>
 <body>
 <h1>OpenAM Spring Security Integration</h1>
 <h2>Test Authentication</h2>
 <ul>
-    <li><a href="/protected-oauth">OAuth2/OIDC</a></li>
-    <li><a href="/protected-saml">SAMLv2</a></li>
-    <li><a href="/protected-openam">OpenAM Cookie</a></li>
+    <li th:if="${#arrays.contains(@environment.getActiveProfiles(), 'oauth')}"><a href="/protected-oauth">OAuth2/OIDC</a></li>
+    <li th:if="${#arrays.contains(@environment.getActiveProfiles(), 'saml')}"><a href="/protected-saml">SAMLv2</a></li>
+    <li th:if="${#arrays.contains(@environment.getActiveProfiles(), 'cookie')}"><a href="/protected-openam">OpenAM Cookie</a></li>
 </ul>
 </body>
 </html>