micord/ervu-lkrp-fl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

SUPPORT-8830 first fixes

Browse source
This commit is contained in:
kochetkov 2024-12-27 09:16:13 +03:00
parent 2bd86a7993
commit 2747452b88
6 changed files with 82 additions and 54 deletions
Download patch file Download diff file Expand all files Collapse all files

4
backend/src/main/java/ru/micord/ervu/security/LogoutSuccessHandler.java
View file

@ -25,9 +25,7 @@ public class LogoutSuccessHandler
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException { Authentication authentication) throws IOException {
String url = esiaAuthService.logout(request, response); String url = esiaAuthService.logout(request, response);
response.setStatus(HttpServletResponse.SC_OK); response.sendRedirect(url);
response.getWriter().write(url);
response.getWriter().flush();
CsrfToken csrfToken = this.csrfTokenRepository.generateToken(request); CsrfToken csrfToken = this.csrfTokenRepository.generateToken(request);
this.csrfTokenRepository.saveToken(csrfToken, request, response); this.csrfTokenRepository.saveToken(csrfToken, request, response);
} }

11
backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
View file

@ -13,7 +13,6 @@ import java.time.format.DateTimeFormatter;
import java.util.LinkedHashMap; import java.util.LinkedHashMap;
import java.util.Map; import java.util.Map;
import java.util.UUID; import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
@ -204,8 +203,7 @@ public class EsiaAuthService {
Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr); Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr);
Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId()); Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId());
int expiry = tokenResponse.getExpires_in().intValue(); int expiry = tokenResponse.getExpires_in().intValue();
Cookie accessCookie = securityHelper.createAccessCookie(token.getValue(), expiry); securityHelper.addAccessCookies(response, token.getValue(), expiry);
response.addCookie(accessCookie);
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null); new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null);
SecurityContext context = SecurityContextHolder.createEmptyContext(); SecurityContext context = SecurityContextHolder.createEmptyContext();
@ -214,8 +212,6 @@ public class EsiaAuthService {
authenticationManager.authenticate(jwtAuthentication); authenticationManager.authenticate(jwtAuthentication);
context.setAuthentication(jwtAuthentication); context.setAuthentication(jwtAuthentication);
SecurityContextHolder.setContext(context); SecurityContextHolder.setContext(context);
Cookie authMarkerCookie = securityHelper.createAuthMarkerCookie("true", expiry);
response.addCookie(authMarkerCookie);
return ResponseEntity.ok("Authentication successful"); return ResponseEntity.ok("Authentication successful");
} }
catch (Exception e) { catch (Exception e) {
@ -281,8 +277,7 @@ public class EsiaAuthService {
Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr); Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr);
Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId()); Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId());
int expiry = tokenResponse.getExpires_in().intValue(); int expiry = tokenResponse.getExpires_in().intValue();
Cookie accessCookie = securityHelper.createAccessCookie(token.getValue(), expiry); securityHelper.addAccessCookies(response, token.getValue(), expiry);
response.addCookie(accessCookie);
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null); new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null);
SecurityContext context = SecurityContextHolder.createEmptyContext(); SecurityContext context = SecurityContextHolder.createEmptyContext();
@ -291,8 +286,6 @@ public class EsiaAuthService {
authenticationManager.authenticate(jwtAuthentication); authenticationManager.authenticate(jwtAuthentication);
context.setAuthentication(jwtAuthentication); context.setAuthentication(jwtAuthentication);
SecurityContextHolder.setContext(context); SecurityContextHolder.setContext(context);
Cookie authMarkerCookie = securityHelper.createAuthMarkerCookie("true", expiry);
response.addCookie(authMarkerCookie);
} }
catch (Exception e) { catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);

90
backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java
View file

@ -1,43 +1,89 @@
package ru.micord.ervu.security.webbpm.jwt.helper; package ru.micord.ervu.security.webbpm.jwt.helper;
import javax.servlet.http.Cookie; import java.net.IDN;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil; import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import static org.springframework.web.context.request.RequestAttributes.REFERENCE_REQUEST;
import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_MARKER; import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_MARKER;
import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_TOKEN; import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.AUTH_TOKEN;
import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.createCookie;
public final class SecurityHelper { public final class SecurityHelper {
@Value("${cookie.path:#{null}}") @Value("${cookie.path:#{null}}")
private String accessCookiePath; private String accessCookiePath;
@Value("${cookie.domain:#{null}}")
private String accessCookieDomain;
@Value("${cookie.secure:false}")
private boolean accessCookieSecure;
@Value("${cookie.same.site:Lax}")
private String accessCookieSameSite;
@PostConstruct
private void init() {
if (accessCookieDomain != null) {
accessCookieDomain = IDN.toASCII(accessCookieDomain);
}
}
public void clearAccessCookies(HttpServletResponse response) { public void clearAccessCookies(HttpServletResponse response) {
Cookie tokenCookie = createCookie(AUTH_TOKEN, null, null); ResponseCookie emptyAuthToken = createCookie(AUTH_TOKEN, null, accessCookiePath)
tokenCookie.setMaxAge(0); .maxAge(0).build();
tokenCookie.setPath(accessCookiePath); addResponseCookie(response, emptyAuthToken);
tokenCookie.setHttpOnly(true);
response.addCookie(tokenCookie);
Cookie markerCookie = createCookie(AUTH_MARKER, null, null); ResponseCookie emptyAuthMarker = createCookie(AUTH_MARKER, null, "/")
markerCookie.setMaxAge(0); .maxAge(0)
markerCookie.setPath("/"); .secure(false)
response.addCookie(markerCookie); .httpOnly(false)
.build();
addResponseCookie(response, emptyAuthMarker);
} }
public Cookie createAccessCookie(String cookieValue, int expiry) { private void addResponseCookie(HttpServletResponse response, ResponseCookie cookie) {
Cookie authToken = createCookie(SecurityUtil.AUTH_TOKEN, cookieValue, accessCookiePath); response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
authToken.setPath(accessCookiePath);
authToken.setMaxAge(expiry);
return authToken;
} }
public Cookie createAuthMarkerCookie(String cookieValue, int expiry) { public void addAccessCookies(HttpServletResponse response, String cookieValue, int expiry) {
Cookie marker = createCookie(AUTH_MARKER, cookieValue, "/"); ResponseCookie authTokenCookie = createCookie(AUTH_TOKEN, cookieValue, accessCookiePath)
marker.setMaxAge(expiry); .maxAge(expiry)
marker.setHttpOnly(false); .build();
return marker; addResponseCookie(response, authTokenCookie);
ResponseCookie authMarker = createCookie(AUTH_MARKER, "true", "/")
.maxAge(expiry)
.secure(false)
.httpOnly(false)
.build();
addResponseCookie(response, authMarker);
}
public ResponseCookie.ResponseCookieBuilder createCookie(String name, String value, String path) {
RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
if (requestAttributes == null) {
throw new IllegalStateException("Must be called only in request context");
}
HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference(
REFERENCE_REQUEST);
if (request == null) {
throw new IllegalStateException("Must be called only in request context");
}
String cookieValue = value != null ? URLEncoder.encode(value, StandardCharsets.UTF_8) : "";
return ResponseCookie.from(name, cookieValue)
.path(path != null ? path : request.getContextPath())
.httpOnly(true)
.domain(accessCookieDomain)
.secure(accessCookieSecure)
.sameSite(accessCookieSameSite);
} }
} }

18
backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/util/SecurityUtil.java
View file

@ -23,24 +23,6 @@ public final class SecurityUtil {
//empty //empty
} }
public static Cookie createCookie(String name, String value, String path) {
String cookieValue = value != null ? URLEncoder.encode(value, StandardCharsets.UTF_8) : null;
Cookie cookie = new Cookie(name, cookieValue);
RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference(
REFERENCE_REQUEST);
if (path != null) {
cookie.setPath(path);
}
else {
cookie.setPath(request.getContextPath());
}
cookie.setHttpOnly(true);
return cookie;
}
public static String extractAuthToken(HttpServletRequest httpRequest) { public static String extractAuthToken(HttpServletRequest httpRequest) {
Cookie cookie = WebUtils.getCookie(httpRequest, AUTH_TOKEN); Cookie cookie = WebUtils.getCookie(httpRequest, AUTH_TOKEN);
return cookie != null ? cookie.getValue() : null; return cookie != null ? cookie.getValue() : null;

5
frontend/index.webpack.html
View file

@ -4,6 +4,11 @@
<title>Личный кабинет физ.лица</title> <title>Личный кабинет физ.лица</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"> <meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<!-- <meta http-equiv="Content-Security-Policy"-->
<!-- content="default-src 'self' 'unsafe-inline'; img-src https://* 'self' data:;">-->
<meta http-equiv="Content-Security-Policy"
content="frame-ancestors 'none'; default-src 'self'; style-src 'self'; script-src 'self';"/>
<meta name="referrer" content="strict-origin-when-cross-origin"/>
<link rel="icon" type="image/png" href="src/resources/img/logo.png"/> <link rel="icon" type="image/png" href="src/resources/img/logo.png"/>
</head> </head>
<body webbpm class="webbpm ervu_lkrp_fl"> <body webbpm class="webbpm ervu_lkrp_fl">

8
frontend/src/resources/template/app/component/log_out.html
View file

@ -1,6 +1,10 @@
<button class="user-info" ngbDropdownToggle *ngIf="getIsAuth()">{{getUserFullname()}}</button> <button class="user-info" ngbDropdownToggle *ngIf="getIsAuth()">{{getUserFullname()}}</button>
<div ngbDropdownMenu *ngIf="getIsAuth()"> <div ngbDropdownMenu *ngIf="getIsAuth()">
<a routerLink="/mydata" class="data">Мои данные</a> <a routerLink="/mydata" class="data">Мои данные</a>
<button ngbDropdownItem class="exit" (click)="logout()">Выйти</button> <form ngbDropdownItem method="post" action="/esia/logout">
<button class="exit" type="submit">Выйти</button>
</form>
</div> </div>
<button class="exit" *ngIf="!getIsAuth()" (click)="logout()">Выйти</button> <form method="post" action="/esia/logout">
<button class="exit" type="submit">Выйти</button>
</form>