Merge pull request #1249 from stormpath/1204_disable.spring_sec.and.stormpath

1204 and 1217: Stormpath and Spring Security disable

Author: mrioan

docs/source/quickstart.rst

@@ -159,7 +159,7 @@ By default, all paths are locked down with Spring Security. Stormpath's Spring S
 Disabling Spring Security
 """""""""""""""""""""""""
 
-If you do not want to use our Spring Security integration, set the following two config properties:
+If you do not want to use our Spring Security integration, set the following config property:
 
 .. code-block:: yaml
 
@@ -169,10 +169,18 @@ If you do not want to use our Spring Security integration, set the following two
        security:
          enabled: false
 
-   # disable Spring Security entirely:
-   security:
-     basic:
-       enabled: false
+.. note::
+
+   Alternatively you can disable Spring Security for good by having the following property in your configuration file:
+
+   .. code-block:: yaml
+
+      # disable Spring Security altogether:
+      security:
+        basic:
+          enabled: false
+
+   This will disable Spring Security along with the Stormpath Spring Security integration.
 
 #end
 
@@ -232,6 +240,13 @@ Any Problems?
 
 Did you experience any problems with this quickstart?  It might not have worked perfectly for you if:
 
+* There might be some cases in which you want to completely turn Stormpath off. For example, if you do not have an ApiKey in
+  your machine then Stormpath will simply not boot. In those scenarios you can add the following property in the configuration file:
+
+  .. code-block:: properties
+
+     stormpath.enabled = false
+
 #if( $servlet )
 
 * you have more than one Application registered with Stormpath.  If this is the case, you'll need to configure your

docs/source/tutorial.rst

@@ -240,9 +240,13 @@ disable it. That's where the ``application.properties`` files comes in:
     :linenos:
 
     stormpath.spring.security.enabled = false
-    security.basic.enabled = false
 
-The first line disables Stormpath's hooks into Spring Security and the second line disables Spring Security itself.
+That property disables Spring Security and avoids our Spring Security integration to be loaded.
+
+.. note::
+   Alternatively you can disable the Stormpath Spring Security integration while keeping Spring Security enabled. Such setup will allow you
+   to take full control of Spring Security's configuration without having Stormath's integration in the mix. This can be
+   achieved by having `stormpath.spring.security.enabled = false` in your configuration file.
 
 Pretty simple setup, right? In the next section, we'll layer in some flow logic based on logged-in state. And then we
 will refine that to make use of all the Spring Security has to offer in making our lives easier.
@@ -895,6 +899,14 @@ As you can see from the examples above, Stormpath provides powerful oauth2 Token
 ``/oauth/token`` endpoint. There is no additional coding required on your part to make use of the Token Management
 feature.
 
+#if( $springboot )
+You may notice that there is no class in this part of the tutorial that extends ``WebSecurityConfigurerAdapter``.
+In this particular case, *all* user-defined paths are locked down. This is the default for Spring Security and the
+Stormpath Spring Security integration follows suit.
+
+If you fire up the tutorial app and browse to the home page: http://localhost:8080/, you will be redirected to `/login`.
+#end
+
 .. _wrapping-up:
 
 Wrapping Up

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/config/Config.java

@@ -78,6 +78,8 @@ public interface Config extends Map<String, String> {
 
     ControllerConfig getVerifyConfig();
 
+    ControllerConfig getSamlConfig();
+
     ChangePasswordConfig getChangePasswordConfig();
 
     Saver<AuthenticationResult> getAuthenticationResultSaver();
@@ -109,6 +111,8 @@ public interface Config extends Map<String, String> {
 
     String getAccessTokenUrl();
 
+    String getRevokeTokenUrl();
+
     String getUnauthorizedUrl();
 
     boolean isMeEnabled();

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/config/filter/DefaultFilterChainManagerConfigurer.java

@@ -107,12 +107,16 @@ public FilterChainManager configure() throws ServletException {
         boolean accessTokenChainSpecified = false;
         boolean oauthEnabled = config.isOAuthEnabled();
 
+        String revokeTokenUrl = config.getRevokeTokenUrl();
+        String revokeTokenUrlPattern = cleanUri(revokeTokenUrl);
+        boolean revokeTokenChainSpecified = false;
+
         String unauthorizedUrl = config.getUnauthorizedUrl();
         String unauthorizedUrlPattern = cleanUri(unauthorizedUrl);
         boolean unauthorizedChainSpecified = false;
 
-        //TODO 542: what is this?
-        String samlUrl = "/saml";
+        //fixed per https://github.com/stormpath/stormpath-sdk-java/issues/1254
+        String samlUrl = config.getSamlConfig().getUri();
         String samlUrlPattern = cleanUri(samlUrl);
         String samlCallbackUrl = config.getCallbackUri();
         String samlCallbackPattern = cleanUri(samlCallbackUrl);
@@ -240,6 +244,14 @@ public FilterChainManager configure() throws ServletException {
                         chainDefinition += Strings.DEFAULT_DELIMITER_CHAR + filterName;
                     }
 
+                } else if (uriPattern.startsWith(revokeTokenUrlPattern)) {
+                    revokeTokenChainSpecified = true;
+
+                    String filterName = DefaultFilter.revokeToken.name();
+                    if (!chainDefinition.contains(filterName)) {
+                        chainDefinition += Strings.DEFAULT_DELIMITER_CHAR + filterName;
+                    }
+
                 } else if (uriPattern.startsWith(unauthorizedUrlPattern)) {
                     unauthorizedChainSpecified = true;
 
@@ -321,6 +333,9 @@ public FilterChainManager configure() throws ServletException {
         if (!accessTokenChainSpecified && oauthEnabled) {
             mgr.createChain(accessTokenUrlPattern, DefaultFilter.accessToken.name());
         }
+        if (!revokeTokenChainSpecified && oauthEnabled) {
+            mgr.createChain(revokeTokenUrlPattern, DefaultFilter.revokeToken.name());
+        }
         if (!samlChainSpecified && callbackEnabled) {
             mgr.createChain(samlUrlPattern, DefaultFilter.saml.name());
             mgr.createChain(samlCallbackPattern, DefaultFilter.samlResult.name());

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/config/filter/LoginFilterFactory.java

@@ -40,6 +40,7 @@ protected void doConfigure(LoginController controller, Config config) {
         controller.setForgotPasswordUri(config.getForgotPasswordConfig().getUri());
         controller.setVerifyEnabled(config.getVerifyConfig().isEnabled());
         controller.setVerifyUri(config.getVerifyConfig().getUri());
+        controller.setSamlUri(config.getSamlConfig().getUri());
         controller.setRegisterEnabledResolver(config.getRegisterEnabledResolver());
         controller.setRegisterUri(config.getRegisterConfig().getUri());
         controller.setLogoutUri(config.getLogoutConfig().getUri());

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/config/filter/RevokeTokenFilterFactory.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2017 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.sdk.servlet.config.filter;
+
+import com.stormpath.sdk.servlet.config.Config;
+import com.stormpath.sdk.servlet.mvc.RevokeTokenController;
+
+/**
+ * https://github.com/stormpath/stormpath-sdk-java/issues/1247
+ *
+ * @since 1.5.0
+ */
+public class RevokeTokenFilterFactory extends ControllerFilterFactory<RevokeTokenController> {
+
+    @Override
+    protected RevokeTokenController newController() {
+        return new RevokeTokenController();
+    }
+
+    @Override
+    protected void configure(RevokeTokenController controller, Config config) throws Exception {
+        controller.setApplicationResolver(config.getApplicationResolver());
+    }
+}

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/config/impl/DefaultConfig.java

@@ -80,6 +80,7 @@ public class DefaultConfig implements Config {
     public static final String UNAUTHORIZED_URL = "stormpath.web.unauthorized.uri";
     public static final String LOGOUT_INVALIDATE_HTTP_SESSION = "stormpath.web.logout.invalidateHttpSession";
     public static final String ACCESS_TOKEN_URL = "stormpath.web.oauth2.uri";
+    public static final String REVOKE_TOKEN_URL = "stormpath.web.oauth2.revoke.uri";
     public static final String ACCESS_TOKEN_VALIDATION_STRATEGY = "stormpath.web.oauth2.password.validationStrategy";
 
     protected static final String SERVER_URI_RESOLVER = "stormpath.web.oauth2.origin.authorizer.serverUriResolver";
@@ -215,6 +216,11 @@ public ControllerConfig getVerifyConfig() {
         return new ServletControllerConfig("verifyEmail", this);
     }
 
+    @Override
+    public ControllerConfig getSamlConfig() {
+        return new ServletControllerConfig("saml", this);
+    }
+
     @Override
     public ChangePasswordConfig getChangePasswordConfig() {
         return new ChangePasswordServletControllerConfig(this, "changePassword");
@@ -274,6 +280,11 @@ public String getAccessTokenUrl() {
         return CFG.getString(ACCESS_TOKEN_URL);
     }
 
+    @Override
+    public String getRevokeTokenUrl() {
+        return CFG.getString(REVOKE_TOKEN_URL);
+    }
+
     @Override
     public String getUnauthorizedUrl() {
         return CFG.getString(UNAUTHORIZED_URL);

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/event/TokenRevocationRequestEventListener.java

@@ -15,17 +15,28 @@
  */
 package com.stormpath.sdk.servlet.event;
 
+import com.stormpath.sdk.application.Application;
 import com.stormpath.sdk.client.Client;
 import com.stormpath.sdk.impl.ds.InternalDataStore;
+import com.stormpath.sdk.impl.error.DefaultError;
+import com.stormpath.sdk.lang.Strings;
 import com.stormpath.sdk.oauth.AccessToken;
+import com.stormpath.sdk.oauth.OAuthRequests;
+import com.stormpath.sdk.oauth.OAuthRevocationRequest;
+import com.stormpath.sdk.oauth.OAuthRevocationRequestBuilder;
+import com.stormpath.sdk.oauth.OAuthTokenRevocators;
 import com.stormpath.sdk.oauth.RefreshToken;
+import com.stormpath.sdk.oauth.TokenTypeHint;
 import com.stormpath.sdk.resource.ResourceException;
 import com.stormpath.sdk.servlet.account.event.RegisteredAccountRequestEvent;
 import com.stormpath.sdk.servlet.account.event.VerifiedAccountRequestEvent;
+import com.stormpath.sdk.servlet.application.ApplicationResolver;
 import com.stormpath.sdk.servlet.authc.FailedAuthenticationRequestEvent;
 import com.stormpath.sdk.servlet.authc.LogoutRequestEvent;
 import com.stormpath.sdk.servlet.authc.SuccessfulAuthenticationRequestEvent;
 import com.stormpath.sdk.servlet.client.ClientResolver;
+import com.stormpath.sdk.servlet.filter.oauth.OAuthErrorCode;
+import com.stormpath.sdk.servlet.filter.oauth.OAuthException;
 import com.stormpath.sdk.servlet.http.CookieResolver;
 import com.stormpath.sdk.servlet.oauth.impl.JwtTokenSigningKeyResolver;
 import io.jsonwebtoken.Claims;
@@ -37,6 +48,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.servlet.http.HttpServletRequest;
 import java.security.Key;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -51,9 +63,7 @@ public class TokenRevocationRequestEventListener implements RequestEventListener
     private final TokenExtractor tokenExtractor = new BearerHeaderTokenExtractor();
     private final CookieResolver accessTokenCookieResolver = new CookieResolver("access_token");
 
-    private final JwtTokenSigningKeyResolver jwtTokenSigningKeyResolver = new JwtTokenSigningKeyResolver();
-
-    private Client client = null;
+    protected ApplicationResolver applicationResolver = ApplicationResolver.INSTANCE;
 
     @Override
     public void on(SuccessfulAuthenticationRequestEvent event) {
@@ -78,30 +88,17 @@ public void on(VerifiedAccountRequestEvent event) {
     @Override
     public void on(LogoutRequestEvent event) {
         String jwt = getJwtFromLogoutRequestEvent(event);
-        if (jwt != null) {
-            if (this.client == null) {
-                this.client = ClientResolver.INSTANCE.getClient(event.getRequest()); //will throw if not found
-            }
-
-            Key signingKey = jwtTokenSigningKeyResolver.getSigningKey(event.getRequest(), event.getResponse(), null, SignatureAlgorithm.HS256);
-            JwsHeader header = Jwts.parser().setSigningKey(signingKey.getEncoded()).parseClaimsJws(jwt).getHeader();
-            Claims claims = Jwts.parser().setSigningKey(signingKey.getEncoded()).parseClaimsJws(jwt).getBody();
-
-            //Let's be sure this jwt is actually an access token otherwise we will have an error when trying to retrieve
-            //a resource (in order to delete it) that actually is not what we expect
-            if (isAccessToken(header)) {
-                gracefullyDeleteRefreshToken((String) claims.get("rti"));
-                gracefullyDeleteAccessToken(claims.getId());
+        HttpServletRequest request = event.getRequest();
+        Application application = applicationResolver.getApplication(request);
+        if (application != null && jwt != null) {
+            try {
+                OAuthRevocationRequest revocationRequest = OAuthRequests.OAUTH_TOKEN_REVOCATION_REQUEST.builder().setToken(jwt).build();
+                OAuthTokenRevocators.OAUTH_TOKEN_REVOCATOR.forApplication(application).revoke(revocationRequest);
+            } catch (ResourceException e) {
+                com.stormpath.sdk.error.Error error = e.getStormpathError();
+                String message = error.getMessage();
+                log.warn("There was an error trying to revoke a token", message);
             }
-            //There should never be a refresh token here. Therefore we will not even try to identify if the received JWT is
-            //a refresh token. That would be a bug in the filter chain as a refresh token should never be used to anything other than
-            //obtaining a new access token
-
-            //Fix for https://github.com/stormpath/stormpath-sdk-java/issues/611
-            log.debug(
-                "The current access and refresh tokens for '{}' have been revoked.",
-                (event.getAccount() != null) ? event.getAccount().getEmail() : "unknown user"
-            );
         }
     }
 
@@ -117,34 +114,4 @@ protected String getJwtFromLogoutRequestEvent(LogoutRequestEvent event) {
         return jwt;
     }
 
-    private boolean isAccessToken(JwsHeader header) {
-        return header.get("stt").equals("access");
-    }
-
-    private void gracefullyDeleteAccessToken(String accessTokenId) {
-        try {
-            String href = "/accessTokens/" + accessTokenId;
-            Map<String, Object> map = new LinkedHashMap<String, Object>();
-            map.put("href", href);
-            AccessToken accessToken = ((InternalDataStore)client.getDataStore()).instantiate(AccessToken.class, map, true);
-            accessToken.delete();
-        } catch (ResourceException e) {
-            //Let's prevent an error to allow the flow to continue
-            log.warn("There was an error trying to delete access token with ID {}", accessTokenId, e);
-        }
-    }
-
-    private void gracefullyDeleteRefreshToken(String refreshTokenId) {
-        try{
-            String href =  "/refreshTokens/" + refreshTokenId;
-            Map<String, Object> map = new LinkedHashMap<String, Object>();
-            map.put("href", href);
-            RefreshToken refreshToken = ((InternalDataStore)client.getDataStore()).instantiate(RefreshToken.class, map, true);
-            refreshToken.delete();
-        } catch (ResourceException e) {
-            //Let's prevent an error to allow the flow to continue, this component is basically a listener that tries to delete
-            //the current access and refresh tokens on logout, we will only post this error in the log
-            log.warn("There was an error trying to delete refresh token with ID {}", refreshTokenId, e);
-        }
-    }
 }

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/filter/DefaultFilter.java

@@ -34,6 +34,7 @@
 import com.stormpath.sdk.servlet.config.filter.LogoutFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.MeFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.RegisterFilterFactory;
+import com.stormpath.sdk.servlet.config.filter.RevokeTokenFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.SamlFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.SamlResultFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.StaticResourceFilterFactory;
@@ -51,6 +52,7 @@
 public enum DefaultFilter {
 
     accessToken(ControllerFilter.class, AccessTokenFilterFactory.class),
+    revokeToken(ControllerFilter.class, RevokeTokenFilterFactory.class),
     account(AccountAuthorizationFilter.class, AccountAuthorizationFilterFactory.class),
     anon(AnonymousFilter.class, null),
     authc(AuthenticationFilter.class, AuthenticationFilterFactory.class),

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/LoginController.java

@@ -50,6 +50,7 @@ public class LoginController extends FormController {
     private String verifyUri;
     private String registerUri;
     private String logoutUri;
+    private String samlUri;
     private boolean verifyEnabled = true;
     private boolean forgotPasswordEnabled = true;
     private boolean idSiteEnabled;
@@ -79,6 +80,10 @@ public void setLogoutUri(String logoutUri) {
         this.logoutUri = logoutUri;
     }
 
+    public void setSamlUri(String samlUri) {
+        this.samlUri = samlUri;
+    }
+
     public void setVerifyEnabled(boolean verifyEnabled) {
         this.verifyEnabled = verifyEnabled;
     }
@@ -149,6 +154,7 @@ public void init() throws Exception {
         Assert.hasText(this.registerUri, "registerUri property cannot be null or empty.");
         Assert.notNull(this.registerEnabledResolver, "registerEnabledResolver cannot be null.");
         Assert.hasText(this.logoutUri, "logoutUri property cannot be null or empty.");
+        Assert.hasText(this.samlUri, "samlUri property cannot be null or empty.");
         Assert.notNull(this.authenticationResultSaver, "authenticationResultSaver property cannot be null.");
         Assert.notNull(this.errorModelFactory, "errorModelFactory cannot be null.");
         Assert.notNull(this.preLoginHandler, "preLoginHandler cannot be null.");
@@ -193,6 +199,7 @@ protected void appendModel(HttpServletRequest request, HttpServletResponse respo
             model.put("verifyUri", verifyUri);
             model.put("registerEnabled", registerEnabledResolver.get(request, response));
             model.put("registerUri", registerUri);
+            model.put("samlUri", samlUri);
             model.put("oauthStateToken", UUID.randomUUID().toString());
             String status = request.getParameter("status");
             if (status != null) {