Updated authorization strategy: authentication mandatory, authorizati…

…on optional

app/credentials-management/src/main/java/org/phoebus/applications/credentialsmanagement/CredentialsManagementApp.java

@@ -61,7 +61,7 @@ public String getDisplayName() {
     public AppInstance create() {
         List<ServiceAuthenticationProvider> authenticationProviders =
                 ServiceLoader.load(ServiceAuthenticationProvider.class).stream().map(Provider::get)
-                        .filter(ServiceAuthenticationProvider::isActive).collect(Collectors.toList());
+                        .collect(Collectors.toList());
         try {
             SecureStore secureStore = new SecureStore();
             new CredentialsManagementStage(authenticationProviders, secureStore).show();

app/save-and-restore/app/src/main/java/org/phoebus/applications/saveandrestore/Preferences.java

@@ -31,9 +31,6 @@ public class Preferences {
     @Preference
     public static String default_snapshot_name_date_format;
 
-    @Preference
-    public static boolean authentication_enabled;
-
     static
     {
         AnnotatedPreferences.initialize(Preferences.class, "/save_and_restore_preferences.properties");

app/save-and-restore/app/src/main/java/org/phoebus/applications/saveandrestore/authentication/SaveAndRestoreAuthenticationProvider.java

@@ -54,8 +54,4 @@ public AuthenticationScope getAuthenticationScope(){
         return AuthenticationScope.SAVE_AND_RESTORE;
     }
 
-    @Override
-    public boolean isActive(){
-        return Preferences.authentication_enabled;
-    }
 }

app/save-and-restore/app/src/main/resources/save_and_restore_preferences.properties

@@ -25,6 +25,3 @@ httpClient.readTimeout=1000
 
 # Connect timeout in (ms) used by the Jersey client
 httpClient.connectTimeout=1000
-
-# Authentication/authorization enabled/disabled
-authentication_enabled=false

core/security/src/main/java/org/phoebus/security/authorization/ServiceAuthenticationProvider.java

@@ -52,12 +52,4 @@ public interface ServiceAuthenticationProvider {
      */
     AuthenticationScope getAuthenticationScope();
 
-    /**
-     * Indicates if a provider is active. Inactive providers suggest authentication is disabled or should
-     * not be accessible in the credentials management UI.
-     * @return <code>true</code> if the authentication provider is active, otherwise <code>false</code>.
-     */
-    default boolean isActive(){
-        return true;
-    }
 }

services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/web/config/WebSecurityConfig.java

@@ -30,9 +30,8 @@
 @Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
-@Conditional(AuthEnabledCondition.class)
 @SuppressWarnings("unused")
-public class WebSecurityConfig extends AnonymousWebSecurityConfig {
+public class WebSecurityConfig {
 
     /**
      * Authentication implementation.
@@ -69,6 +68,74 @@ public class WebSecurityConfig extends AnonymousWebSecurityConfig {
     @Value("${ldap.user.search.filter:invalid}")
     String ldap_user_search_filter;
 
+    @Value("${role.user:sar-user}")
+    public String roleUser;
+
+    @Value("${role.admin:sar-admin}")
+    public String roleAdmin;
+
+    @Value("${demo.user:user}")
+    public String demoUser;
+
+    @Value("${demo.user.password:userPass}")
+    public String demoUserPassword;
+
+    @Value("${demo.admin:admin}")
+    public String demoAdmin;
+
+    @Value("${demo.admin.password:adminPass}")
+    public String demoAdminPassword;
+
+    @Value("${demo.readOnly:johndoe}")
+    public String demoReadOnly;
+
+    @Value("${demo.readOnly.password:1234}")
+    public String demoReadOnlyPassword;
+
+    @Bean
+    public String roleUser() {
+        return roleUser.toUpperCase();
+    }
+
+    @Bean
+    public String roleAdmin() {
+        return roleAdmin.toUpperCase();
+    }
+
+    @Bean
+    public String demoUser(){
+        return demoUser;
+    }
+
+    @Bean
+    public String demoUserPassword(){
+        return demoUserPassword;
+    }
+
+    @Bean
+    public String demoAdmin(){
+        return demoAdmin;
+    }
+
+    @Bean
+    public String demoAdminPassword(){
+        return demoAdminPassword;
+    }
+
+    @Bean
+    public String demoReadOnly(){
+        return demoReadOnly;
+    }
+
+    @Bean
+    public String demoReadOnlyPassword(){
+        return demoReadOnlyPassword;
+    }
+
+    @Bean
+    public String authenticationImplementation(){
+        return authenitcationImplementation;
+    }
     @Bean
     public WebSecurityCustomizer ignoringCustomizer() {
         return web -> {
@@ -81,7 +148,12 @@ public WebSecurityCustomizer ignoringCustomizer() {
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.csrf().disable();
-        http.authorizeRequests().anyRequest().authenticated();
+        if("none".equalsIgnoreCase(authenitcationImplementation.trim())){
+            http.authorizeRequests().antMatchers("/**").permitAll();
+        }
+        else{
+            http.authorizeRequests().anyRequest().authenticated();
+        }
         http.httpBasic();
 
         return http.build();

services/save-and-restore/src/main/java/org/phoebus/service/saveandrestore/web/controllers/AuthenticationController.java

@@ -40,7 +40,6 @@
 
 @SuppressWarnings("unused")
 @RestController
-@Conditional(AuthEnabledCondition.class)
 public class AuthenticationController extends BaseController {
 
     @Autowired