# Cognizone Security

Source repository: https://github.com/cognizone/security (Java, Apache-2.0 license).

## Needed code to make it work
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
// plus the library's own imports for the @Enable... annotation you pick and for
// SecurityHttpConfigurer (their packages are not listed in this README)

@Configuration
//Use exactly one of the following
//@EnableSecuritySaml2
@EnableSecureBasicAuth
//@EnableSecurityOff
//@EnableSecurity
public class WebSecurityConfig {

  //Inject this using your favorite way; constructor injection is shown here
  private final SecurityHttpConfigurer<? extends SecurityHttpConfigurer> security2HttpConfigurer;

  public WebSecurityConfig(SecurityHttpConfigurer<? extends SecurityHttpConfigurer> security2HttpConfigurer) {
    this.security2HttpConfigurer = security2HttpConfigurer;
  }

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.apply(security2HttpConfigurer) //this is the only mandatory part

        //Example of extra configuration
        .and()
        //configure what can be accessed freely and what needs authentication
        .authorizeRequests()
        .mvcMatchers("/user/info").permitAll() //user info page is free
        .anyRequest().authenticated();  //everything else needs authentication
    return http.build();
  }
}
```
Apart from the auth type selected by the `@Enable...` annotation, no other code needs to change. Everything else is set via configuration. The `authorizeRequests()` / `mvcMatchers()` calls are the Spring Security 5 API; on Spring Security 6 the equivalents are `authorizeHttpRequests()` and `requestMatchers()`.

With `@EnableSecurity`, the auth type is selected via configuration, so no code change is needed when the auth type changes.

## Configuration for type selection with `@EnableSecurity`
```yaml
cognizone:
  security:
    auth-method: basic # other accepted values are: saml2, off
```

## Configuration example - SAML2

### Spring Yaml configuration
```yaml
cognizone:
  security:
    saml2:
      logSamlResponse: true # optional; if true, logs the raw SAML XML response (see note below)
      role-mapping-url: classpath:/security/samlRoleMapping-aws.json # Mapping between the roles defined in the SAML IdP and your application's roles
      baseUrl: https://myserv.com/myAppContext  # optional base URL of your application (useful when intermediate proxies prevent Spring from finding the real external URL)
      assertionConsumerServiceUrl: https://myapp.myserver.com/someapp/saml/SSO   # optional: for example to reuse the configuration of another SAML implementation
      signing-key-store: # Key material for the application certificate registered in the SAML IdP
        type: jks    # At the moment only JKS is supported
        store-url: classpath:/security/saml-signing.jks
        keystore-password: '********'
        alias: key-alias-in-JKS-file
        certificate-password: '********'
      idp-url: classpath:/security/keycloak-aws-cz.xml  # IdP metadata XML exported from your SAML server
      attributes: # Attribute names of the user metadata in the SAML assertion - depends on your SAML server configuration
        loginid: urn:oid:2.5.4.45              # x500UniqueIdentifier
        firstname: urn:oid:2.5.4.42            # givenName
        lastname: urn:oid:2.5.4.4              # sn (surname)
        displayname: displayName
        roles: urn:oid:2.5.4.72                # role
        email: urn:oid:1.2.840.113549.1.9.1    # emailAddress
      registration-id: myApplication # Registration ID, used to register the application in the SAML IdP
      entity-id: "urn:test.server.com:sp:MyApplication" # Entity ID (can be templated); optional, defaults to "{baseUrl}/saml2/service-provider-metadata/{registrationId}"
      basic-auth-users: # Optional: users that may authenticate with basic auth (for example for API calls)
        admin:
          password: "{bcrypt}$2a$12$.6Mn9xZi5a1vwCBtH6Yy4ulmoTr8qvoS9tgZTk/UXy/OOwa4r14cG"
          displayName: "el adminos" # optional, used as displayName
          email: "mail@admin.com"   # optional
          roles:
            - admin
            - view
        user:
          password: "{noop}plainPasswordNotGood" # {noop} stores the password in clear text; use {bcrypt} outside local development
          roles:
            - view
```
_Note1: if **basic-auth** users are configured, they are only taken into account when a correct basic-auth header is sent.
If the header is incorrect (unknown user, wrong password, ...), it is simply ignored: the request is not rejected with a 401 but continues through the normal SAML2 flow as an unauthenticated request._

_Note2: if you want to use **{registrationId}** in your **assertionConsumerServiceUrl**,
it has to be at the end of the URL and as a separate path segment._

_Note3: `logSamlResponse` writes the complete SAML response, including the assertion and all user attributes (names, e-mail, roles), to the application log. Keep it `false` outside of debugging sessions. The keystore and certificate passwords should not be committed in clear text either; Spring Boot resolves `${...}` placeholders in YAML, so they can be supplied from environment variables or an externalised properties source._
### JSON role mapping file example
```json
{
  "saml-admin-role": "application-admin",
  "saml-view-role": "application-user"
}
```

## Configuration example - BasicAuthentication

### Minimal example
```yaml
cognizone:
  security:
    basic-auth:
      users:
        admin:
          password: "{bcrypt}$2a$12$.6Mn9xZi5a1vwCBtH6Yy4ulmoTr8qvoS9tgZTk/UXy/OOwa4r14cG"
```
### Complete example
```yaml
cognizone:
  security:
    basic-auth:
      realm: Hanami is asking who you are  # realm is optional
      users:
        admin:
          password: "{bcrypt}$2a$12$.6Mn9xZi5a1vwCBtH6Yy4ulmoTr8qvoS9tgZTk/UXy/OOwa4r14cG"
          roles:  # roles are optional
            - admin
            - view
        jef:
          password: "{noop}plainPasswordOfJef" # clear text, for local development only
          roles:  # roles are optional
            - view
```
## Password encoding
Passwords in the config files are validated with Spring Security's default `DelegatingPasswordEncoder`, so the value is prefixed with an encoding id such as `{bcrypt}` or `{noop}` and different encodings can be mixed. Note that bcrypt is a one-way hash, not encryption: the plain password cannot be recovered from the config value, whereas `{noop}` keeps it in clear text. More information:
- https://docs.spring.io/spring-security/reference/features/authentication/password-storage.html#authentication-password-storage-dpe
- https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/factory/PasswordEncoderFactories.html

In the configuration examples, the bcrypt-encoded passwords represent the plain password "_admin_".

## Configure Logout
```yaml
cognizone:
  security:
    global-properties:
      logout:
        url: /api/logout    # URL that triggers logout
        success-url: https://www.gruutemet.be/  # [OPTIONAL] URL to go to after successful logout (logout URL has to be set)
```

## User details
The method `getDetails()` on `org.springframework.security.core.Authentication` returns a `zone.cogni.lib.security.DefaultUserDetails` object.
This object contains data like displayName and email (when available).

## PermissionService
To enable it, add this config:
```yaml
cognizone:
  security:
    permission-service:
      enabled: true
      roleAccess: classpath:security/rolesAccess.json
```
Besides that, an enum with the permissions needs to be created in this package/class: `zone.cogni.lib.security.permission.Permission`
```java
package zone.cogni.lib.security.permission;

public enum Permission {
  mainPage_requestTransformation_isEnabled,
  navigation_admin_isEnabled
}
```
After that, the PermissionService can be injected into any service.
The annotation `@HasPermission` can also be used to check permissions in controller classes.

_Note1: if you want to use permission strings with special characters, make the Permission enum implement PermissionValue.
When a String is used instead of the enum, it is matched against both the enum constant name and the value returned by `getValue()`._
```java
package zone.cogni.lib.security.permission;

public enum Permission implements PermissionValue {
  navigation_admin_isEnabled("navigation/admin:isEnabled");

  private final String value;

  Permission(String value) {
    this.value = value;
  }

  @Override
  public String getValue() {
    return value;
  }
}
```
_Note2: You can mix the usage of Permission enum constants and String values.
Also, not all String values need to be represented by a Permission enum constant._
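The following is an added example for the Password encoding section above; it is not code from the cognizone/security project. It shows how the `DelegatingPasswordEncoder` the library relies on resolves the `{id}` prefix, how to produce a `{bcrypt}` value that can be pasted into the YAML files, and what happens with `{noop}` and with a hash whose prefix was lost while copying. It assumes `spring-security-crypto` (which bundles the bcrypt implementation) is on the classpath; the class name `ConfigPasswordTool` and the sample passwords are made up for the example.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical helper, not part of the library: produces and verifies
// config values in the "{id}hash" form that Spring Security's
// DelegatingPasswordEncoder expects.
public final class ConfigPasswordTool {

  // Same encoder Spring Security builds by default: new hashes get the
  // "{bcrypt}" prefix, and other known prefixes (e.g. "{noop}") are still
  // recognised when matching.
  private static final PasswordEncoder DELEGATING =
      PasswordEncoderFactories.createDelegatingPasswordEncoder();

  /** Value for the YAML "password:" key, e.g. "{bcrypt}$2a$10$..." (default cost 10). */
  static String encodeForConfig(String plain) {
    return DELEGATING.encode(plain);
  }

  /** Same, with an explicit bcrypt cost; the README examples use cost 12 ($2a$12$...). */
  static String encodeBcryptForConfig(String plain, int cost) {
    return "{bcrypt}" + new BCryptPasswordEncoder(cost).encode(plain);
  }

  /** Verifies a submitted password against a stored config value, the way the delegating encoder does at login. */
  static boolean matchesConfigValue(String submitted, String storedConfigValue) {
    return DELEGATING.matches(submitted, storedConfigValue);
  }

  public static void main(String[] args) {
    // Hash copied from the README examples, which state that it encodes "admin".
    String readmeHash = "{bcrypt}$2a$12$.6Mn9xZi5a1vwCBtH6Yy4ulmoTr8qvoS9tgZTk/UXy/OOwa4r14cG";
    System.out.println("README hash matches 'admin': " + matchesConfigValue("admin", readmeHash));
    System.out.println("README hash matches 'Admin': " + matchesConfigValue("Admin", readmeHash));

    // Fresh value for a new user. bcrypt salts every call, so running this twice
    // yields two different strings that both verify against the same password.
    String fresh = encodeBcryptForConfig("s3cret-for-jef", 12);
    System.out.println("new config value: " + fresh);
    System.out.println("fresh hash verifies: " + matchesConfigValue("s3cret-for-jef", fresh));

    // {noop} is accepted by the delegating encoder, but the config then holds the
    // password in clear text: anyone who can read the YAML has the credential.
    System.out.println("{noop} matches: "
        + matchesConfigValue("plainPasswordOfJef", "{noop}plainPasswordOfJef"));

    // A stored value without an {id} prefix cannot be delegated and is rejected
    // with an IllegalArgumentException. This is what you get when the braces are
    // dropped while copying a hash into the YAML, so check for it before deploying.
    try {
      matchesConfigValue("admin", "$2a$12$.6Mn9xZi5a1vwCBtH6Yy4ulmoTr8qvoS9tgZTk/UXy/OOwa4r14cG");
    } catch (IllegalArgumentException e) {
      System.out.println("missing prefix rejected: " + e.getMessage());
    }
  }
}
```

Run it once to generate a value, paste the printed `{bcrypt}...` string into the `password:` key, and keep the plain password out of the repository. Cost 12 matches the README examples; raising it slows down offline guessing of a leaked config but also every basic-auth request, since the hash is recomputed on each login.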