fix: set secure response headers in any condition auf SdaSecurityConfiguration

Author: JoergSiebahn

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/auth/SdaAccessDecisionManager.java

@@ -8,6 +8,7 @@
 package org.sdase.commons.spring.boot.web.auth;
 
 import java.util.List;
+import org.sdase.commons.spring.boot.web.auth.management.ManagementAccessDecisionVoter;
 import org.sdase.commons.spring.boot.web.auth.opa.OpaAccessDecisionVoter;
 import org.sdase.commons.spring.boot.web.auth.opa.OpaExcludesDecisionVoter;
 import org.springframework.security.access.vote.UnanimousBased;
@@ -17,8 +18,9 @@
 public class SdaAccessDecisionManager extends UnanimousBased {
 
   public SdaAccessDecisionManager(
+      ManagementAccessDecisionVoter managementAccessDecisionVoter,
       OpaExcludesDecisionVoter opaExcludesDecisionVoter,
       OpaAccessDecisionVoter opaAccessDecisionVoter) {
-    super(List.of(opaExcludesDecisionVoter, opaAccessDecisionVoter));
+    super(List.of(managementAccessDecisionVoter, opaExcludesDecisionVoter, opaAccessDecisionVoter));
   }
 }

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/auth/SdaMonitoringSecurityConfiguration.java

@@ -8,8 +8,10 @@
 package org.sdase.commons.spring.boot.web.auth;
 
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Stream;
 import javax.servlet.http.HttpServletRequest;
+import org.sdase.commons.spring.boot.web.security.headers.SdaSecurityHeaders;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -26,6 +28,7 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.util.StringUtils;
 
 @EnableWebSecurity
@@ -41,6 +44,8 @@ public class SdaSecurityConfiguration {
 
   private final SdaAccessDecisionManager sdaAccessDecisionManager;
 
+  private final SdaSecurityHeaders sdaSecurityHeaders;
+
   /**
    * @param issuers Comma separated string of open id discovery key sources with required issuers.
    * @param disableAuthentication Disables all authentication
@@ -50,10 +55,12 @@ public class SdaSecurityConfiguration {
   public SdaSecurityConfiguration(
       @Value("${auth.issuers:}") String issuers,
       @Value("${auth.disable:false}") boolean disableAuthentication,
-      SdaAccessDecisionManager sdaAccessDecisionManager) {
+      SdaAccessDecisionManager sdaAccessDecisionManager,
+      Optional<SdaSecurityHeaders> sdaSecurityHeaders) {
     this.issuers = issuers;
     this.disableAuthentication = disableAuthentication;
     this.sdaAccessDecisionManager = sdaAccessDecisionManager;
+    this.sdaSecurityHeaders = sdaSecurityHeaders.orElse(List::of);
   }
 
   @Bean
@@ -82,7 +89,11 @@ private void oidcAuthentication(HttpSecurity http) throws Exception {
             authorize ->
                 authorize.anyRequest().permitAll().accessDecisionManager(sdaAccessDecisionManager))
         .oauth2ResourceServer(
-            oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver));
+            oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver))
+        .headers(
+            configurer ->
+                configurer.addHeaderWriter(
+                    new StaticHeadersWriter(sdaSecurityHeaders.getSecurityHeaders())));
   }
 
   private AuthenticationManagerResolver<HttpServletRequest> createAuthenticationManagerResolver() {
@@ -111,7 +122,11 @@ private void noAuthentication(HttpSecurity http) throws Exception {
         .disable() // NOSONAR
         .authorizeRequests(
             authorize ->
-                authorize.anyRequest().permitAll().accessDecisionManager(sdaAccessDecisionManager));
+                authorize.anyRequest().permitAll().accessDecisionManager(sdaAccessDecisionManager))
+        .headers(
+            configurer ->
+                configurer.addHeaderWriter(
+                    new StaticHeadersWriter(sdaSecurityHeaders.getSecurityHeaders())));
   }
 
   private List<String> commaSeparatedStringToList(String issuers) {

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/auth/SdaSecurityConfiguration.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.auth.management;
+
+import java.util.Collection;
+import org.springframework.boot.actuate.autoconfigure.web.server.ConditionalOnManagementPort;
+import org.springframework.boot.actuate.autoconfigure.web.server.ManagementPortType;
+import org.springframework.boot.web.servlet.context.ServletWebServerInitializedEvent;
+import org.springframework.context.event.EventListener;
+import org.springframework.security.access.AccessDecisionVoter;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.stereotype.Component;
+
+public interface ManagementAccessDecisionVoter extends AccessDecisionVoter<FilterInvocation> {
+
+  @Override
+  default boolean supports(ConfigAttribute attribute) {
+    return true;
+  }
+
+  @Override
+  default boolean supports(Class<?> clazz) {
+    return FilterInvocation.class.isAssignableFrom(clazz);
+  }
+
+  @Component
+  @ConditionalOnManagementPort(ManagementPortType.DIFFERENT)
+  class DifferentPortManagementAccessDecisionVoter implements ManagementAccessDecisionVoter {
+
+    /**
+     * The management port discovered in {@link
+     * #onApplicationEvent(ServletWebServerInitializedEvent)}. Initially a value that can't be an
+     * existing port to avoid granting access by accident to the application API.
+     */
+    private int managementPort = -1;
+
+    @EventListener
+    public void onApplicationEvent(ServletWebServerInitializedEvent event) {
+      if ("management".equals(event.getApplicationContext().getServerNamespace())) {
+        this.managementPort = event.getWebServer().getPort();
+      }
+    }
+
+    @Override
+    public int vote(
+        Authentication authentication,
+        FilterInvocation filterInvocation,
+        Collection<ConfigAttribute> attributes) {
+      int requestLocalPort = filterInvocation.getRequest().getLocalPort();
+      return requestLocalPort == this.managementPort ? ACCESS_GRANTED : ACCESS_ABSTAIN;
+    }
+  }
+
+  @Component
+  @ConditionalOnManagementPort(ManagementPortType.SAME)
+  class IgnoreSamePortManagementAccessDecisionVoter implements ManagementAccessDecisionVoter {
+    @Override
+    public int vote(
+        Authentication authentication,
+        FilterInvocation filterInvocation,
+        Collection<ConfigAttribute> attributes) {
+      return ACCESS_ABSTAIN;
+    }
+  }
+
+  @Component
+  @ConditionalOnManagementPort(ManagementPortType.DISABLED)
+  class DisabledManagementAccessDecisionVoter implements ManagementAccessDecisionVoter {
+    @Override
+    public int vote(
+        Authentication authentication,
+        FilterInvocation filterInvocation,
+        Collection<ConfigAttribute> attributes) {
+      return ACCESS_ABSTAIN;
+    }
+  }
+}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/auth/management/ManagementAccessDecisionVoter.java

@@ -8,8 +8,6 @@
 package org.sdase.commons.spring.boot.web.security.headers;
 
 import org.springframework.context.annotation.Bean;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * This filter adds headers to the response that enhance the security of web applications. Usually
@@ -34,9 +32,7 @@ public class FrontendSecurityConfiguration {
   public static final String FRONTEND_SECURITY_ADVICE_BEAN_NAME = "frontendHeadersAdvice";
 
   @Bean(FRONTEND_SECURITY_ADVICE_BEAN_NAME)
-  public SecurityFilterChain frontendHeadersAdvice(HttpSecurity http) throws Exception {
-    // add specific headers for frontends
-    http.headers(HttpHeadersAdvice::addFrontendHttpHeadersCustomizer);
-    return http.build();
+  public SdaSecurityHeaders sdaSecurityHeaders() {
+    return SdaSecurityType.FRONTEND_SECURITY::headers;
   }
 }

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/FrontendSecurityConfiguration.java

@@ -10,8 +10,6 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * This filter adds headers to the response that enhance the security of applications that serve
@@ -27,12 +25,9 @@
  */
 @Configuration
 public class RestfulApiSecurityConfiguration {
-
   @Bean
   @ConditionalOnMissingBean(name = FrontendSecurityConfiguration.FRONTEND_SECURITY_ADVICE_BEAN_NAME)
-  public SecurityFilterChain restfulApiHeadersAdvice(HttpSecurity http) throws Exception {
-    // define specific headers for restful apis
-    http.headers(HttpHeadersAdvice::addRestfulHttpHeadersCustomizer);
-    return http.build();
+  public SdaSecurityHeaders sdaSecurityHeaders() {
+    return SdaSecurityType.RESTFUL_SECURITY::headers;
   }
 }

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/HttpHeadersAdvice.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.headers;
+
+import java.util.List;
+import org.springframework.security.web.header.Header;
+
+public interface SdaSecurityHeaders {
+
+  List<Header> getSecurityHeaders();
+}