Disable LDAP-based auth (#223)

mmwinther · web-flow · commit e9f5f53a4af9 · 2025-06-10T09:43:05.000+02:00
* Disable current auth config

* Add token validation dependencies

* Disable LDAP based auth, hardcode user

* Deploy from branch

* Look in Maven Central first

* Put central at the start of repository list

* Keep the Postgres driver dependency

* Adjust resources to recommended

* Remove commented code

* Reset deploy workflow trigger
diff --git a/.mvn/settings.xml b/.mvn/settings.xml
@@ -10,11 +10,21 @@
                 <activeByDefault>true</activeByDefault>
             </activation>
             <repositories>
+                <repository>
+                    <id>central</id>
+                    <name>Central Repository</name>
+                    <url>https://repo.maven.apache.org/maven2</url>
+                    <snapshots>
+                        <enabled>false</enabled>
+                    </snapshots>
+                </repository>
+
                 <repository>
                     <id>github</id>
                     <name>GitHub Packages</name>
                     <url>https://maven.pkg.github.com/${github.repository}</url>
                 </repository>
+                
                 <repository>
                     <id>maven-restlet</id>
                     <name>Public online Restlet repository</name>
@@ -23,12 +33,4 @@
             </repositories>
         </profile>
     </profiles>
-
-    <mirrors>
-        <mirror>
-            <id>maven-restletMirror</id>
-            <url>https://maven.restlet.talend.com</url>
-            <mirrorOf>maven-restlet</mirrorOf>
-        </mirror>
-    </mirrors>
 </settings>
diff --git a/.nais/test/klass-forvaltning.yaml b/.nais/test/klass-forvaltning.yaml
@@ -17,10 +17,10 @@ spec:
     max: 1
   resources:
     requests:
-      cpu: 100m
-      memory: 768Mi
+      cpu: 400m
+      memory: 448Mi
     limits:
-      memory: 768Mi
+      memory: 576Mi
   env:
     - name: SPRING_PROFILES_ACTIVE
       value: frontend, postgres, small-import, skip-indexing, ad-offline, embedded-solr
diff --git a/Makefile b/Makefile
@@ -45,6 +45,15 @@ run-klass-forvaltning-local:
 	popd; \
 	${sdk} env clear
 
+.PHONY: run-klass-forvaltning-local-postgres
+run-klass-forvaltning-local-postgres:
+	pushd klass-forvaltning && \
+	${sdk} env && \
+	mvn spring-boot\:run  -Dspring.profiles.active=postgres-local,embedded-solr,frontend,skip-indexing,small-import,ad-offline; \
+	popd; \
+	${sdk} env clear
+
+
 .PHONY: run-klass-forvaltning-local-mariadb
 # Requires that a MariaDB instance is already running with a database called klass and a user called klass.
 # The environment variable KLASS_ENV_MARIADB_PASSWORD must be specified with the password for the klass user.
diff --git a/klass-forvaltning/pom.xml b/klass-forvaltning/pom.xml
@@ -11,6 +11,9 @@
 
     <properties>
         <java.version>1.8</java.version>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+
         <github.repository>statisticsnorway/klass</github.repository>
         <!-- Klass dependencies are built with support for Java 8 and Spring Boot 1.4.4.
              Newer versions are not supported -->
@@ -38,6 +41,7 @@
         <spring-restdocs.version>1.2.1.RELEASE</spring-restdocs.version>
         <solr-version>5.5.5</solr-version>
         <spring-data-solr-version>2.1.0.RELEASE</spring-data-solr-version>
+        <postgresql.version>42.7.5</postgresql.version>
     </properties>
 
     <parent>
@@ -54,14 +58,15 @@
     </scm>
 
     <repositories>
-        <repository>
-            <id>vaadin-addons</id>
-            <url>https://maven.vaadin.com/vaadin-addons</url>
-        </repository>
         <repository>
             <id>github</id>
             <url>https://maven.pkg.github.com/${github.repository}</url>
         </repository>
+
+        <repository>
+            <id>vaadin-addons</id>
+            <url>https://maven.vaadin.com/vaadin-addons</url>
+        </repository>
     </repositories>
 
     <dependencies>
@@ -81,6 +86,22 @@
             <artifactId>spring-data-solr</artifactId>
             <version>${spring-data-solr-version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.postgresql</groupId>
+            <artifactId>postgresql</artifactId>
+            <version>${postgresql.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-oauth2-resource-server</artifactId>
+            <version>5.1.13.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-oauth2-jose</artifactId>
+            <version>5.1.13.RELEASE</version>
+        </dependency>
 
         <!--TOMCAT-->
         <dependency>
diff --git a/klass-forvaltning/src/main/java/no/ssb/klass/designer/MainView.java b/klass-forvaltning/src/main/java/no/ssb/klass/designer/MainView.java
@@ -1,13 +1,5 @@
 package no.ssb.klass.designer;
 
-import static com.google.common.base.Preconditions.*;
-
-import java.util.List;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.Authentication;
-import org.vaadin.spring.security.VaadinSecurity;
-
 import com.google.common.collect.Iterables;
 import com.vaadin.navigator.Navigator;
 import com.vaadin.navigator.ViewChangeListener;
@@ -17,7 +9,6 @@
 import com.vaadin.ui.MenuBar;
 import com.vaadin.ui.NativeSelect;
 import com.vaadin.ui.UI;
-
 import no.ssb.klass.core.model.ClassificationType;
 import no.ssb.klass.core.model.User;
 import no.ssb.klass.designer.admin.AdminView;
@@ -31,10 +22,19 @@
 import no.ssb.klass.designer.util.KlassTheme;
 import no.ssb.klass.designer.util.ParameterUtil;
 import no.ssb.klass.designer.util.VaadinUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.vaadin.spring.security.VaadinSecurity;
+
+import java.util.List;
+
+import static com.google.common.base.Preconditions.checkNotNull;
 
 @SpringUI
 @SuppressWarnings("serial")
 public class MainView extends MainDesign implements ViewChangeListener {
+    private static final Logger log = LoggerFactory.getLogger(MainView.class);
     private Navigator navigator;
 
     private final SpringViewProvider springViewProvider;
@@ -46,7 +46,7 @@ public class MainView extends MainDesign implements ViewChangeListener {
 
     @Autowired
     public MainView(ClassificationFacade classificationFacade, SpringViewProvider springViewProvider,
-            VaadinSecurity vaadinSecurity, KlassLoginService vaadinLoginService, UserContext userContext) {
+                    VaadinSecurity vaadinSecurity, KlassLoginService vaadinLoginService, UserContext userContext) {
         this.springViewProvider = springViewProvider;
         this.klassLoginService = vaadinLoginService;
         this.vaadinSecurity = vaadinSecurity;
@@ -84,15 +84,12 @@ private void createInnholdBruksstatistikkView() {
     }
 
     private void verifyUser() {
-        Authentication authentication = vaadinSecurity.getAuthentication();
-        if (!userContext.hasUser() && vaadinSecurity.isRememberMeAuthenticated()) {
-            // create user based on remembered credentials (Remember me)
-            try {
-                User user = klassLoginService.getUserFromAuthentication(authentication);
-                userContext.setUser(user);
-            } catch (Exception e) {
-                vaadinSecurity.logout();
-            }
+        if (!userContext.hasUser()) {
+        /* TODO https://statistics-norway.atlassian.net/browse/DPMETA-916
+                Replace hardcoded user with user info extracted from the token
+        */
+            log.debug("Set User {}", userContext);
+            userContext.setUser(new User("kno@ssb.no", "Kari Nordmann", "854"));
         }
     }
 
diff --git a/klass-forvaltning/src/main/java/no/ssb/klass/forvaltning/config/production/KlassAuthenticationConfiguration.java b/klass-forvaltning/src/main/java/no/ssb/klass/forvaltning/config/production/KlassAuthenticationConfiguration.java
@@ -1,10 +1,9 @@
 package no.ssb.klass.forvaltning.config.production;
 
+import no.ssb.klass.core.ldap.KlassUserDetailsMapper;
 import org.hibernate.validator.constraints.NotEmpty;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Profile;
 import org.springframework.ldap.core.support.LdapContextSource;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -18,16 +17,13 @@
 import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl;
 import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
 
-import no.ssb.klass.core.config.ConfigurationProfiles;
-import no.ssb.klass.core.ldap.KlassUserDetailsMapper;
-
 /**
  * Configuration for production environment, all test beans are excluded
  *
  * @author Mads Lundemo, SSB.
  */
-@Configuration
-@Profile(value = ConfigurationProfiles.PRODUCTION)
+//@Configuration
+//@Profile(value = ConfigurationProfiles.PRODUCTION)
 public class KlassAuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {
 
     /**
@@ -86,11 +82,11 @@ public LdapContextSource ldapContext() {
     @Bean
     public FilterBasedLdapUserSearch ldapUserSearch(LdapContextSource ldapContext) {
         FilterBasedLdapUserSearch search = new FilterBasedLdapUserSearch(searchBase, searchFilter, ldapContext);
-        String[] attributes = { KlassUserDetailsMapper.SECTION_ATTRIBUTE,
+        String[] attributes = {KlassUserDetailsMapper.SECTION_ATTRIBUTE,
                 KlassUserDetailsMapper.NAME_ATTRIBUTE,
                 KlassUserDetailsMapper.MAIL_ATTRIBUTE,
                 KlassUserDetailsMapper.MOBILE_PHONE_ATTRIBUTE,
-                KlassUserDetailsMapper.LANDLINE_PHONE_ATTRIBUTE };
+                KlassUserDetailsMapper.LANDLINE_PHONE_ATTRIBUTE};
         search.setReturningAttributes(attributes);
         search.setSearchSubtree(true);
         return search;
diff --git a/klass-forvaltning/src/main/java/no/ssb/klass/forvaltning/config/production/KlassSecurityConfiguration.java b/klass-forvaltning/src/main/java/no/ssb/klass/forvaltning/config/production/KlassSecurityConfiguration.java
@@ -1,29 +1,22 @@
 package no.ssb.klass.forvaltning.config.production;
 
-import no.ssb.klass.core.config.ConfigurationProfiles;
-import org.hibernate.validator.constraints.NotEmpty;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
+import no.ssb.klass.designer.ui.LoginUI;
+import no.ssb.klass.forvaltning.config.test.KlassTestAuthenticationConfiguration;
+import no.ssb.klass.forvaltning.controllers.monitor.MonitorController;
+import no.ssb.klass.forvaltning.controllers.ping.PingController;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
-import org.springframework.security.web.authentication.RememberMeServices;
 import org.vaadin.spring.annotation.EnableVaadinExtensions;
 import org.vaadin.spring.security.annotation.EnableVaadinSharedSecurity;
 
-import no.ssb.klass.forvaltning.config.test.KlassTestAuthenticationConfiguration;
-import no.ssb.klass.forvaltning.controllers.monitor.MonitorController;
-import no.ssb.klass.forvaltning.controllers.ping.PingController;
-import no.ssb.klass.designer.ui.KlassUI;
-import no.ssb.klass.designer.ui.LoginUI;
-
 /**
  * @author Mads Lundemo, SSB.
  */
+
 @Configuration
 @EnableVaadinExtensions
 @EnableVaadinSharedSecurity
@@ -33,45 +26,26 @@ public class KlassSecurityConfiguration extends WebSecurityConfigurerAdapter {
 
     private static final String WILDCARD = "**";
 
-    @NotEmpty
-    @Value("${klass.env.security.ldap.remember.time}")
-    private int rememberTime;
-
-    @NotEmpty
-    @Value("${klass.env.security.remember.key}")
-    private String rememberKey;
-
-    @Autowired
-    private RememberMeServices rememberMeServices;
-
     @Override
     public void configure(WebSecurity web) throws Exception {
         web.ignoring().antMatchers("/VAADIN/" + WILDCARD);
     }
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-        http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/" + LoginUI.PATH));
-        http.rememberMe()
-                .key(rememberKey)
-                .rememberMeServices(rememberMeServices)
-                .tokenValiditySeconds(rememberTime);
-        // .useSecureCookie(true); TODO enable secure cookie when(or if) we switch to
-        // https
-
         http.authorizeRequests()
                 .antMatchers("/" + LoginUI.PATH).permitAll()
                 .antMatchers("/vaadinServlet/UIDL/" + WILDCARD).permitAll()
-                .antMatchers("/vaadinServlet/HEARTBEAT/" + WILDCARD).authenticated()
-                .antMatchers("/" + KlassUI.PATH + "/" + WILDCARD).authenticated()
+//                .antMatchers("/vaadinServlet/HEARTBEAT/" + WILDCARD).authenticated()
+//                .antMatchers("/" + KlassUI.PATH + "/" + WILDCARD).authenticated()
                 .antMatchers("/manage/" + WILDCARD).hasRole("KLASS_ADMINISTRATOR")
                 .antMatchers("/" + WILDCARD).permitAll()
 
                 .antMatchers(PingController.PATH).permitAll()
                 .antMatchers(MonitorController.PATH).permitAll()
-                .anyRequest().authenticated().and().sessionManagement()
-                .sessionFixation()
-                .migrateSession()
+//                .anyRequest().authenticated().and().sessionManagement()
+//                .sessionFixation()
+//                .migrateSession()
                 .and()
                 // disable csrf to avoid conflict with vaadins (or else we would have two csrfs)
                 .csrf().disable()
diff --git a/klass-shared/pom.xml b/klass-shared/pom.xml
@@ -25,7 +25,6 @@
         <klass.doc.env.url/>
         <klass.doc.env.port/>
 
-        <postgresql.version>42.7.5</postgresql.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <findbugs-version>3.0.5</findbugs-version>
@@ -39,6 +38,7 @@
         <asciidoctor-version>1.6.0</asciidoctor-version>
         <maven-jaxb2-plugin-version>2.5.0</maven-jaxb2-plugin-version>
         <tomcat7-maven-plugin-version>2.2</tomcat7-maven-plugin-version>
+        <postgresql.version>42.7.5</postgresql.version>
     </properties>
 
     <dependencies>
