nationalsecurityagency / datawave-spring-boot-starter
License: Apache License 2.0
When the ProxiedEntityX509Filter is in the filter chain, the JWTAuthenticationFilter is configured to be run first.
The logic in ProxiedEntityX509Filter.principalChanged, specifically currentAuthentication.getCredentials() instanceof SubjectIssuerDNPair (credentials are an empty String when I debugged), ensures that false is always returned. When I fixed that logic, I saw that if both a JWT and either a client cert or trusted headers were provided with different principals, then a principal change would be detected and the client cert or trusted headers would be used.
To ensure that a provided JWT is used (the intent of putting the JWTAuthorizationFilter first), we need to set setCheckForPrincipalChanges(false) instead of true.
Currently, the collection retrieved by ProxiedUserDetails.getProxiedUsers (which are all users) has the final caller as the first entry followed by the entities in the call chain in the order that they happened. This creates some minor complexity in finding the primaryUser and in explaining this order to others.
Modify the places where ProxiedUserDetails is created so that the proxied entities come first (already in chronological order) and the final caller is last, making the whole list chronological.
This is needed to allow the authorization service to use a custom AllowedCallersFilter to permit calls to the oauth operations from entities not on the allowedCallers list. These operations either have their own form of security (/v2/oauth/authorize, /v2/oauth/token) or are meant to be called by all users (/v2/oauth/user, /v2/oauth/users) to get information about a certificate or token.
ProxiedUserDetails currently maintains the list of users as a LinkedHashSet, which hides any duplicate users or call chain cycles from our logs and monitoring. Change the LinkedHashSet to an ArrayList and verify that our internal security mechanisms function correctly.
When there are no entries in X-ProxiedEntitiesChain, ProxiedEntityX509Filter currently adds the caller (cert or trusted header) to the list of proxiedUsers. This appears to be unnecessary and is currently being compensated for by using a LinkedHashSet in ProxiedUserDetails. Here are the three WebSecurityConfigurerAdapters that we use:
not remoteauth profile - JWTAuthenticationFilter/JWTAuthenticationProvider decode the Authorization Bearer token (JWT) and use the contained DatawaveUsers
JWTSecurityConfigurer sets up:
filters:
authenticationProviders:
remoteauth profile - Either JWT token (see above) or RemoteAuthorizationServiceUserDetailsService sends both the caller and proxiedEntities to the authorization service.
RemoteAuthServiceSecurityConfigurer sets up:
filters:
authenticationProviders:
authorization service - ProxiedEntityUserDetailsService (authorization service) can be modified to add both the caller and proxiedUsers and then the authorization service can ignore the caller in the authorize and whoami operations and use the caller and proxiedUsers in the oauth calls.
AuthorizationSecurityConfigurer sets up:
filters:
authenticationProviders:
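As an added illustration of the three changes proposed in the issues above (caller-last ordering, ArrayList instead of LinkedHashSet, and no special case for an empty X-ProxiedEntitiesChain), the following Java is not code from datawave-spring-boot-starter. It assumes the X-ProxiedEntitiesChain header carries one subject DN per angle-bracket group (`<dn1><dn2>`) and that the "primary user" is the entity at the head of the chain; the class and method names are hypothetical, and the sample chain is constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration, not code from datawave-spring-boot-starter: builds the proxied-user
 * list with the proxied entities first (chronological) and the final caller last, keeps it
 * in an ArrayList so repeats stay visible, and shows what a LinkedHashSet would hide.
 * Assumption: X-ProxiedEntitiesChain carries one subject DN per angle-bracket group.
 */
public final class ProxyChainOrderExample {

    private static final Pattern ENTITY = Pattern.compile("<([^>]*)>");

    private ProxyChainOrderExample() {
    }

    /** Parses "<dn1><dn2>..." into DNs in header order; a missing or blank header yields an empty list. */
    static List<String> parseChain(String header) {
        List<String> entities = new ArrayList<>();
        if (header == null || header.isBlank()) {
            return entities;
        }
        Matcher m = ENTITY.matcher(header);
        while (m.find()) {
            String dn = m.group(1).trim();
            if (!dn.isEmpty()) {
                entities.add(dn);
            }
        }
        return entities;
    }

    /**
     * Proposed ordering: chain entities as they occurred, then the caller (cert or trusted-header
     * identity) appended last. An empty chain leaves just the caller, so the "no entries" case in
     * ProxiedEntityX509Filter needs no separate handling.
     */
    static List<String> orderedUsers(String chainHeader, String caller) {
        List<String> users = new ArrayList<>(parseChain(chainHeader));
        users.add(caller);
        return users;
    }

    /** With the caller last, the originating (primary) user is always element 0. */
    static String primaryUser(List<String> users) {
        return users.get(0);
    }

    /** DNs that appear more than once, in first-seen order; non-empty means a duplicate or a call-chain cycle. */
    static List<String> repeatedEntities(List<String> users) {
        Set<String> seen = new LinkedHashSet<>();
        List<String> repeated = new ArrayList<>();
        for (String dn : users) {
            if (!seen.add(dn) && !repeated.contains(dn)) {
                repeated.add(dn);
            }
        }
        return repeated;
    }

    public static void main(String[] args) {
        // Constructed sample: the user calls svc-a, svc-a calls svc-b, svc-b calls back into svc-a,
        // and svc-a is now the caller presenting its certificate to us: a cycle through svc-a.
        String chain = "<cn=user,ou=people><cn=svc-a,ou=services><cn=svc-b,ou=services>";
        String caller = "cn=svc-a,ou=services";

        List<String> users = orderedUsers(chain, caller);
        System.out.println("ordered users (caller last): " + users);
        System.out.println("primary user               : " + primaryUser(users));
        System.out.println("repeated entities (cycle)  : " + repeatedEntities(users));

        // What the current LinkedHashSet storage would record: the caller's second
        // appearance is silently dropped, so the cycle never reaches logs or monitoring.
        Set<String> collapsed = new LinkedHashSet<>(users);
        System.out.println("as LinkedHashSet           : " + collapsed
                + " (" + collapsed.size() + " of " + users.size() + " entries kept)");
    }
}
```

Run with `java ProxyChainOrderExample.java` (Java 11 or later, since `String.isBlank()` is used). The ArrayList form keeps all four entries and `repeatedEntities` reports the svc-a cycle; the LinkedHashSet form keeps three and reports nothing, which is the monitoring gap the issue describes.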