diff --git a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-rest/build.gradle.kts b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-rest/build.gradle.kts index 7c0e9768153..b1c4d22485e 100644 --- a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-rest/build.gradle.kts +++ b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-rest/build.gradle.kts @@ -13,6 +13,7 @@ dependencies { implementation(project(":server:libs:core:tenant:tenant-api")) implementation(project(":server:libs:platform:platform-component:platform-component-api")) implementation(project(":server:libs:platform:platform-file-storage:platform-file-storage-api")) + implementation(project(":server:libs:platform:platform-security-web:platform-security-web-api")) implementation(project(":server:libs:platform:platform-webhook:platform-webhook-rest:platform-webhook-rest-api")) implementation(project(":server:libs:platform:platform-workflow:platform-workflow-execution:platform-workflow-execution-api")) diff --git a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-rest/src/main/java/com/bytechef/ee/automation/apiplatform/handler/web/security/config/ApiPlatformCsrfContributor.java b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-rest/src/main/java/com/bytechef/ee/automation/apiplatform/handler/web/security/config/ApiPlatformCsrfContributor.java new file mode 100644 index 00000000000..7168c25a8ed --- /dev/null 
+++ b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-rest/src/main/java/com/bytechef/ee/automation/apiplatform/handler/web/security/config/ApiPlatformCsrfContributor.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.ee.automation.apiplatform.handler.web.security.config;
+
+import com.bytechef.platform.security.web.config.CsrfContributor;
+import java.util.List;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Ivica Cardic
+ */
+@Component
+public class ApiPlatformCsrfContributor implements CsrfContributor {
+
+ @Override
+ public List getIgnoringRequestMatchers() {
+ return List.of(
+ PathPatternRequestMatcher.withDefaults()
+ .matcher("/api/o/**"));
+ }
+}
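Review bot: The CSRF exemption returned by `getIgnoringRequestMatchers()` is declared as `/api/o/**`, while `ApiPlatformApiAuthenticationFilter` in this same commit only handles `^/api/o/.+`; the path pattern should also match the bare `/api/o` prefix, so the exempted set is slightly wider than the set the API-key filter authenticates. Skipping CSRF is only sound when nothing under this prefix is ever authenticated by the browser session cookie, and the class carries no Javadoc saying so. I would add a class comment such as `CSRF is ignored for /api/o/** because these endpoints are authenticated by API secret key only, never by session cookie` (if that is the intent) and derive both patterns from one shared constant so they cannot drift apart.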
diff --git a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiClientAuthenticationProvider.java b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiPlatformAuthenticationProvider.java similarity index 75% rename from server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiClientAuthenticationProvider.java rename to server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiPlatformAuthenticationProvider.java index 782b0daaf1e..0a2388a292f 100644 --- a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiClientAuthenticationProvider.java +++ b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiPlatformAuthenticationProvider.java 
@@ -22,22 +22,22 @@ * * @author Ivica Cardic */ -public class ApiClientAuthenticationProvider implements AuthenticationProvider { +public class ApiPlatformAuthenticationProvider implements AuthenticationProvider { private final ApiClientService apiClientService; @SuppressFBWarnings("EI") - public ApiClientAuthenticationProvider(ApiClientService apiClientService) { + public ApiPlatformAuthenticationProvider(ApiClientService apiClientService) { this.apiClientService = apiClientService; } @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { - ApiClientKeyAuthenticationToken apiClientKeyAuthenticationToken = - (ApiClientKeyAuthenticationToken) authentication; + ApiPlatformKeyAuthenticationToken apiPlatformKeyAuthenticationToken = + (ApiPlatformKeyAuthenticationToken) authentication; Optional apiClientOptional = apiClientService.fetchApiClient( - apiClientKeyAuthenticationToken.getSecretKey()); + apiPlatformKeyAuthenticationToken.getSecretKey()); if (apiClientOptional.isEmpty()) { throw new BadCredentialsException("Unknown API secret key"); @@ -45,12 +45,12 @@ public Authentication authenticate(Authentication authentication) throws Authent ApiClient apiClient = apiClientOptional.get(); - return new ApiClientKeyAuthenticationToken(createSpringSecurityUser(apiClient.getName())); + return new ApiPlatformKeyAuthenticationToken(createSpringSecurityUser(apiClient.getName())); } @Override public boolean supports(Class authentication) { - return authentication.equals(ApiClientKeyAuthenticationToken.class); + return authentication.equals(ApiPlatformKeyAuthenticationToken.class); } private org.springframework.security.core.userdetails.User createSpringSecurityUser(String secretKey) { 
diff --git a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiClientKeyAuthenticationToken.java b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiPlatformKeyAuthenticationToken.java similarity index 76% rename from server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiClientKeyAuthenticationToken.java rename to server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiPlatformKeyAuthenticationToken.java index 8f8708ada19..cbb1035618d 100644 --- a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiClientKeyAuthenticationToken.java +++ b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiPlatformKeyAuthenticationToken.java 
@@ -16,18 +16,18 @@ * * @author Ivica Cardic */ -public class ApiClientKeyAuthenticationToken extends AbstractPublicApiAuthenticationToken { +public class ApiPlatformKeyAuthenticationToken extends AbstractPublicApiAuthenticationToken { private String secretKey; - public ApiClientKeyAuthenticationToken(String secretKey, String tenantId) { + public ApiPlatformKeyAuthenticationToken(String secretKey, String tenantId) { super(tenantId); this.secretKey = secretKey; } @SuppressFBWarnings("EI") - public ApiClientKeyAuthenticationToken(User user) { + public ApiPlatformKeyAuthenticationToken(User user) { super(user); } diff --git a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/filter/ApiClientAuthenticationFilterBeforeContributor.java b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/config/ApiPlatformApiAuthenticationFilterBeforeContributor.java similarity index 70% rename from server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/filter/ApiClientAuthenticationFilterBeforeContributor.java rename to server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/config/ApiPlatformApiAuthenticationFilterBeforeContributor.java index 1164c7c7b7a..b684f447135 100644 
--- a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/filter/ApiClientAuthenticationFilterBeforeContributor.java +++ b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/config/ApiPlatformApiAuthenticationFilterBeforeContributor.java @@ -5,9 +5,10 @@ * you may not use this file except in compliance with the Enterprise License. */ -package com.bytechef.ee.automation.apiplatform.handler.security.web.filter; +package com.bytechef.ee.automation.apiplatform.handler.security.web.config; -import com.bytechef.platform.security.web.filter.FilterBeforeContributor; +import com.bytechef.ee.automation.apiplatform.handler.security.web.filter.ApiPlatformApiAuthenticationFilter; +import com.bytechef.platform.security.web.config.FilterBeforeContributor; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import jakarta.servlet.Filter; import org.springframework.security.authentication.AuthenticationManager; @@ -20,12 +21,12 @@ * @author Ivica Cardic */ @Component -public class ApiClientAuthenticationFilterBeforeContributor implements FilterBeforeContributor { +public class ApiPlatformApiAuthenticationFilterBeforeContributor implements FilterBeforeContributor { @Override @SuppressFBWarnings("EI") public Filter getFilter(AuthenticationManager authenticationManager) { - return new ApiClientAuthenticationFilter(authenticationManager); + return new ApiPlatformApiAuthenticationFilter(authenticationManager); } @Override 
diff --git a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiClientAuthenticationProviderContributor.java b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/config/ApiPlatformAuthenticationProviderContributor.java similarity index 62% rename from server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiClientAuthenticationProviderContributor.java rename to server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/config/ApiPlatformAuthenticationProviderContributor.java index b95017770c0..1e9bbb4f63e 100644 --- a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/authentication/ApiClientAuthenticationProviderContributor.java +++ b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/config/ApiPlatformAuthenticationProviderContributor.java 
@@ -5,10 +5,11 @@ * you may not use this file except in compliance with the Enterprise License. */ -package com.bytechef.ee.automation.apiplatform.handler.security.web.authentication; +package com.bytechef.ee.automation.apiplatform.handler.security.web.config; import com.bytechef.ee.automation.apiplatform.configuration.service.ApiClientService; -import com.bytechef.platform.security.web.authentication.AuthenticationProviderContributor; +import com.bytechef.ee.automation.apiplatform.handler.security.web.authentication.ApiPlatformAuthenticationProvider; +import com.bytechef.platform.security.web.config.AuthenticationProviderContributor; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.stereotype.Component; @@ -19,17 +20,17 @@ * @author Ivica Cardic */ @Component -public class ApiClientAuthenticationProviderContributor implements AuthenticationProviderContributor { +public class ApiPlatformAuthenticationProviderContributor implements AuthenticationProviderContributor { private final ApiClientService apiClientService; @SuppressFBWarnings("EI") - public ApiClientAuthenticationProviderContributor(ApiClientService apiClientService) { + public ApiPlatformAuthenticationProviderContributor(ApiClientService apiClientService) { this.apiClientService = apiClientService; } @Override public AuthenticationProvider getAuthenticationProvider() { - return new ApiClientAuthenticationProvider(apiClientService); + return new ApiPlatformAuthenticationProvider(apiClientService); } } 
diff --git a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/filter/ApiClientAuthenticationFilter.java b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/filter/ApiPlatformApiAuthenticationFilter.java similarity index 70% rename from server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/filter/ApiClientAuthenticationFilter.java rename to server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/filter/ApiPlatformApiAuthenticationFilter.java index 2dcbcf90b79..a40968aaefc 100644 --- a/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/filter/ApiClientAuthenticationFilter.java +++ b/server/ee/libs/automation/automation-api-platform/automation-api-platform-handler/automation-api-platform-handler-security-web/automation-api-platform-handler-security-web-impl/src/main/java/com/bytechef/ee/automation/apiplatform/handler/security/web/filter/ApiPlatformApiAuthenticationFilter.java 
@@ -7,8 +7,8 @@ package com.bytechef.ee.automation.apiplatform.handler.security.web.filter; -import com.bytechef.ee.automation.apiplatform.handler.security.web.authentication.ApiClientKeyAuthenticationToken; -import com.bytechef.platform.security.web.filter.AbstractPublicApiAuthenticationFilter; +import com.bytechef.ee.automation.apiplatform.handler.security.web.authentication.ApiPlatformKeyAuthenticationToken; +import com.bytechef.platform.security.web.filter.AbstractApiAuthenticationFilter; import com.bytechef.tenant.domain.TenantKey; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import jakarta.servlet.http.HttpServletRequest; @@ -20,10 +20,10 @@ * * @author Ivica Cardic */ -public class ApiClientAuthenticationFilter extends AbstractPublicApiAuthenticationFilter { +public class ApiPlatformApiAuthenticationFilter extends AbstractApiAuthenticationFilter { @SuppressFBWarnings("EI") - public ApiClientAuthenticationFilter(AuthenticationManager authenticationManager) { + public ApiPlatformApiAuthenticationFilter(AuthenticationManager authenticationManager) { super("^/api/o/.+", authenticationManager); } @@ -32,6 +32,6 @@ protected Authentication getAuthentication(HttpServletRequest request) { TenantKey tenantKey = TenantKey.parse(token); - return new ApiClientKeyAuthenticationToken(token, tenantKey.getTenantId()); + return new ApiPlatformKeyAuthenticationToken(token, tenantKey.getTenantId()); } } 
diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/authentication/AuthenticationProviderContributor.java b/server/ee/libs/embedded/embedded-ai/embedded-ai-mcp-server/src/main/java/com/bytechef/embedded/ai/mcp/server/security/web/config/EmbeddedMcpServerAuthorizeHttpRequestContributor.java similarity index 57% rename from server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/authentication/AuthenticationProviderContributor.java rename to server/ee/libs/embedded/embedded-ai/embedded-ai-mcp-server/src/main/java/com/bytechef/embedded/ai/mcp/server/security/web/config/EmbeddedMcpServerAuthorizeHttpRequestContributor.java index 370ed2ddfc0..c034ef08cde 100644 --- a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/authentication/AuthenticationProviderContributor.java +++ b/server/ee/libs/embedded/embedded-ai/embedded-ai-mcp-server/src/main/java/com/bytechef/embedded/ai/mcp/server/security/web/config/EmbeddedMcpServerAuthorizeHttpRequestContributor.java @@ -14,14 +14,20 @@ * limitations under the License. */ -package com.bytechef.platform.security.web.authentication; +package com.bytechef.embedded.ai.mcp.server.security.web.config; -import org.springframework.security.authentication.AuthenticationProvider; +import com.bytechef.platform.security.web.config.AuthorizeHttpRequestContributor; +import java.util.List; +import org.springframework.stereotype.Component; /** * @author Ivica Cardic */ -public interface AuthenticationProviderContributor { +@Component +public class EmbeddedMcpServerAuthorizeHttpRequestContributor implements AuthorizeHttpRequestContributor { - AuthenticationProvider getAuthenticationProvider(); + @Override + public List getApiPermitAllRequestMatcherPaths() { + return List.of("/api/embedded/sse"); + } } 
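Review bot: `getApiPermitAllRequestMatcherPaths()` marks `/api/embedded/sse` as permit-all, and neither authentication filter pattern visible in this commit (`^/api/embedded/v[0-9]+/.+|^/api/(?:automation|embedded|platform)/internal/.+` and `^/api/o/.+`) covers that path, so from this diff it is not clear what authenticates a client that opens the SSE stream; a filter outside the diff may do it, but that should be stated in a Javadoc on this class. The class is also registered with `@Component` alone, whereas `EmbeddedMcpServerCsrfContributor`, which exempts the same path from CSRF, additionally carries `@ConditionalOnEEVersion`. If the endpoint exists only in the EE build, add `@ConditionalOnEEVersion` here as well so the permit-all rule is never registered without the rest of the embedded MCP server.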
diff --git a/server/ee/libs/embedded/embedded-ai/embedded-ai-mcp-server/src/main/java/com/bytechef/embedded/ai/mcp/server/security/web/config/EmbeddedMcpServerCsrfContributor.java b/server/ee/libs/embedded/embedded-ai/embedded-ai-mcp-server/src/main/java/com/bytechef/embedded/ai/mcp/server/security/web/config/EmbeddedMcpServerCsrfContributor.java
new file mode 100644
index 00000000000..036c4430d59
--- /dev/null
+++ b/server/ee/libs/embedded/embedded-ai/embedded-ai-mcp-server/src/main/java/com/bytechef/embedded/ai/mcp/server/security/web/config/EmbeddedMcpServerCsrfContributor.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.embedded.ai.mcp.server.security.web.config;
+
+import com.bytechef.platform.annotation.ConditionalOnEEVersion;
+import com.bytechef.platform.security.web.config.CsrfContributor;
+import java.util.List;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Ivica Cardic
+ */
+@Component
+@ConditionalOnEEVersion
+public class EmbeddedMcpServerCsrfContributor implements CsrfContributor {
+
+ @Override
+ public List getIgnoringRequestMatchers() {
+ return List.of(
+ PathPatternRequestMatcher.withDefaults()
+ .matcher("/api/embedded/sse"));
+ }
+}
diff --git a/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/filter/ConnectedUserFilterBeforeContributor.java b/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/config/ConnectedUserApiAuthenticationFilterBeforeContributor.java similarity index 66% rename from server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/filter/ConnectedUserFilterBeforeContributor.java rename to server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/config/ConnectedUserApiAuthenticationFilterBeforeContributor.java index 6010ae12265..a434bbe5481 100644 --- a/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/filter/ConnectedUserFilterBeforeContributor.java +++ b/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/config/ConnectedUserApiAuthenticationFilterBeforeContributor.java @@ -5,9 +5,10 @@ * you may not use this file except in compliance with the Enterprise License. */ -package com.bytechef.ee.embedded.security.web.filter; +package com.bytechef.ee.embedded.security.web.config; -import com.bytechef.platform.security.web.filter.FilterBeforeContributor; +import com.bytechef.ee.embedded.security.web.filter.ConnectedUserApiAuthenticationFilter; +import com.bytechef.platform.security.web.config.FilterBeforeContributor; import com.bytechef.platform.user.service.SigningKeyService; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import jakarta.servlet.Filter; 
@@ -21,19 +22,19 @@ * @author Ivica Cardic */ @Component -public class ConnectedUserFilterBeforeContributor implements FilterBeforeContributor { +public class ConnectedUserApiAuthenticationFilterBeforeContributor implements FilterBeforeContributor { private final SigningKeyService signingKeyService; @SuppressFBWarnings("EI") - public ConnectedUserFilterBeforeContributor(SigningKeyService signingKeyService) { + public ConnectedUserApiAuthenticationFilterBeforeContributor(SigningKeyService signingKeyService) { this.signingKeyService = signingKeyService; } @Override @SuppressFBWarnings("EI") public Filter getFilter(AuthenticationManager authenticationManager) { - return new ConnectedUserAuthenticationFilter(authenticationManager, signingKeyService); + return new ConnectedUserApiAuthenticationFilter(authenticationManager, signingKeyService); } @Override diff --git a/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/authentication/ConnectedUserAuthenticationProviderContributor.java b/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/config/ConnectedUserAuthenticationProviderContributor.java similarity index 81% rename from server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/authentication/ConnectedUserAuthenticationProviderContributor.java rename to server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/config/ConnectedUserAuthenticationProviderContributor.java index f84050e0594..5c24a3de943 100644 --- a/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/authentication/ConnectedUserAuthenticationProviderContributor.java 
+++ b/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/config/ConnectedUserAuthenticationProviderContributor.java @@ -5,10 +5,11 @@ * you may not use this file except in compliance with the Enterprise License. */ -package com.bytechef.ee.embedded.security.web.authentication; +package com.bytechef.ee.embedded.security.web.config; import com.bytechef.ee.embedded.connected.user.service.ConnectedUserService; -import com.bytechef.platform.security.web.authentication.AuthenticationProviderContributor; +import com.bytechef.ee.embedded.security.web.authentication.ConnectedUserAuthenticationProvider; +import com.bytechef.platform.security.web.config.AuthenticationProviderContributor; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.stereotype.Component; diff --git a/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/config/EmbeddedCsrfContributor.java b/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/config/EmbeddedCsrfContributor.java new file mode 100644 index 00000000000..9193225bdcf --- /dev/null +++ b/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/config/EmbeddedCsrfContributor.java 
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.ee.embedded.security.web.config;
+
+import static org.springframework.security.web.util.matcher.RegexRequestMatcher.regexMatcher;
+
+import com.bytechef.platform.security.web.config.CsrfContributor;
+import java.util.List;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Ivica Cardic
+ */
+@Component
+public class EmbeddedCsrfContributor implements CsrfContributor {
+
+ @Override
+ public List getIgnoringRequestMatchers() {
+ return List.of(
+ regexMatcher("^/api/embedded/v[0-9]+/.+"),
+ // For internal calls from the embedded workflow builder
+ request -> request.getHeader("Authorization") != null);
+ }
+}
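Review bot: The second matcher in `getIgnoringRequestMatchers()`, `request -> request.getHeader("Authorization") != null`, is bound to no path and no scheme, so CSRF checking is skipped for every request in the application that carries an `Authorization` header of any value, including requests that are still authenticated by the session cookie. The inline comment says it is meant for internal calls from the embedded workflow builder, so the exemption should be scoped to the internal prefix that `ConnectedUserApiAuthenticationFilter` handles in this commit, for example `new AndRequestMatcher(regexMatcher("^/api/(?:automation|embedded|platform)/internal/.+"), request -> request.getHeader("Authorization") != null)`. As written, protection of cookie-authenticated endpoints rests on the CORS policy never letting a cross-origin page send that header with credentials, which is not visible in this diff and is worth confirming. A short Javadoc stating which callers each of the two matchers is for would make the exemption reviewable.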
diff --git a/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/filter/ConnectedUserAuthenticationFilter.java b/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/filter/ConnectedUserApiAuthenticationFilter.java similarity index 94% rename from server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/filter/ConnectedUserAuthenticationFilter.java rename to server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/filter/ConnectedUserApiAuthenticationFilter.java index cdaeda32f0b..728f7d396f6 100644 --- a/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/filter/ConnectedUserAuthenticationFilter.java +++ b/server/ee/libs/embedded/embedded-security-web/embedded-security-web-impl/src/main/java/com/bytechef/ee/embedded/security/web/filter/ConnectedUserApiAuthenticationFilter.java @@ -8,7 +8,7 @@ package com.bytechef.ee.embedded.security.web.filter; import com.bytechef.ee.embedded.security.web.authentication.ConnectedUserAuthenticationToken; -import com.bytechef.platform.security.web.filter.AbstractPublicApiAuthenticationFilter; +import com.bytechef.platform.security.web.filter.AbstractApiAuthenticationFilter; import com.bytechef.platform.user.service.SigningKeyService; import com.bytechef.tenant.domain.TenantKey; import com.bytechef.tenant.util.TenantUtils; 
@@ -31,7 +31,7 @@ * * @author Ivica Cardic */ -public class ConnectedUserAuthenticationFilter extends AbstractPublicApiAuthenticationFilter { +public class ConnectedUserApiAuthenticationFilter extends AbstractApiAuthenticationFilter { private static final Pattern EXTERNAL_USER_ID_PATTERN = Pattern.compile(".*/v\\d+/([^/]+)/.*"); private static final Pattern JWT_TOKEN_PATTERN = @@ -40,7 +40,7 @@ public class ConnectedUserAuthenticationFilter extends AbstractPublicApiAuthenti private final SigningKeyService signingKeyService; @SuppressFBWarnings("EI") - public ConnectedUserAuthenticationFilter( + public ConnectedUserApiAuthenticationFilter( AuthenticationManager authenticationManager, SigningKeyService signingKeyService) { super("^/api/embedded/v[0-9]+/.+|^/api/(?:automation|embedded|platform)/internal/.+", authenticationManager); diff --git a/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/config/McpServerConfiguration.java b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/config/McpServerConfiguration.java index 3233ec9618c..8636fe8c118 100644 --- a/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/config/McpServerConfiguration.java +++ b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/config/McpServerConfiguration.java @@ -16,6 +16,8 @@ package com.bytechef.ai.mcp.server.config; +import com.bytechef.ai.mcp.server.security.web.config.McpServerAuthorizeHttpRequestContributor; +import com.bytechef.ai.mcp.server.security.web.config.McpServerCsrfContributor; import com.bytechef.ai.mcp.tool.automation.ProjectTools; import com.bytechef.ai.mcp.tool.automation.ProjectWorkflowTools; import com.bytechef.ai.mcp.tool.platform.ComponentTools; 
@@ -52,7 +54,17 @@ public McpServerConfiguration(ProjectTools projectTools, @Bean ToolCallbackProvider toolCallbackProvider() { - return ToolCallbackProvider - .from(ToolCallbacks.from(projectTools, projectWorkflowTools, componentTools, flowTools)); + return ToolCallbackProvider.from( + ToolCallbacks.from(projectTools, projectWorkflowTools, componentTools, flowTools)); + } + + @Bean + McpServerAuthorizeHttpRequestContributor mcpServerAuthorizeHttpRequestContributor() { + return new McpServerAuthorizeHttpRequestContributor(); + } + + @Bean + McpServerCsrfContributor mcpServerCsrfContributor() { + return new McpServerCsrfContributor(); } } diff --git a/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/config/McpServerApiAuthenticationFilterBeforeContributor.java similarity index 75% rename from server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java rename to server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/config/McpServerApiAuthenticationFilterBeforeContributor.java index c8b30565b51..1f07421db6d 100644 --- a/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java +++ b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/config/McpServerApiAuthenticationFilterBeforeContributor.java 
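Review bot: The two new `@Bean` methods register `McpServerAuthorizeHttpRequestContributor` and `McpServerCsrfContributor` from this configuration class, while `McpServerApiAuthenticationFilterBeforeContributor` in the same package is picked up through `@Component`, so the permit-all and CSRF-exempt rules and the authentication filter for the MCP endpoints are activated by different mechanisms. If `McpServerConfiguration` is conditional or the package is not component-scanned (neither is visible in this hunk), one half could be present without the other. Registering all three the same way would make the coupling explicit; failing that, a comment above the bean methods such as `// registered here so these rules load only together with the MCP server` would, if that is the intent. The class body starts outside the hunk.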
@@ -14,9 +14,10 @@ * limitations under the License. */ -package com.bytechef.ai.mcp.server.security.web.filter; +package com.bytechef.ai.mcp.server.security.web.config; -import com.bytechef.platform.security.web.filter.FilterBeforeContributor; +import com.bytechef.ai.mcp.server.security.web.filter.McpServerApiAuthenticationFilter; +import com.bytechef.platform.security.web.config.FilterBeforeContributor; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import jakarta.servlet.Filter; import org.springframework.security.authentication.AuthenticationManager; @@ -26,13 +27,13 @@ /** * @author Ivica Cardic */ -@Component("com.bytechef.mcp.server.security.web.filter.ApiKeyAuthenticationFilterBeforeContributor") -public class ApiKeyAuthenticationFilterBeforeContributor implements FilterBeforeContributor { +@Component +public class McpServerApiAuthenticationFilterBeforeContributor implements FilterBeforeContributor { @Override @SuppressFBWarnings("EI") public Filter getFilter(AuthenticationManager authenticationManager) { - return new ApiKeyAuthenticationFilter(authenticationManager); + return new McpServerApiAuthenticationFilter(authenticationManager); } @Override diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/FilterBeforeContributor.java b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/config/McpServerAuthorizeHttpRequestContributor.java similarity index 62% rename from server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/FilterBeforeContributor.java rename to server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/config/McpServerAuthorizeHttpRequestContributor.java index 75e4e9ef2b2..bac95042607 100644 
--- a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/FilterBeforeContributor.java +++ b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/config/McpServerAuthorizeHttpRequestContributor.java @@ -14,17 +14,18 @@ * limitations under the License. */ -package com.bytechef.platform.security.web.filter; +package com.bytechef.ai.mcp.server.security.web.config; -import jakarta.servlet.Filter; -import org.springframework.security.authentication.AuthenticationManager; +import com.bytechef.platform.security.web.config.AuthorizeHttpRequestContributor; +import java.util.List; /** * @author Ivica Cardic */ -public interface FilterBeforeContributor { +public class McpServerAuthorizeHttpRequestContributor implements AuthorizeHttpRequestContributor { - Filter getFilter(AuthenticationManager authenticationManager); - - Class getBeforeFilter(); + @Override + public List getApiPermitAllRequestMatcherPaths() { + return List.of("/api/sse"); + } } diff --git a/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/config/McpServerCsrfContributor.java b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/config/McpServerCsrfContributor.java new file mode 100644 index 00000000000..1dce43d8786 --- /dev/null +++ b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/config/McpServerCsrfContributor.java 
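Review bot: `getApiPermitAllRequestMatcherPaths()` returns `"/api/sse"` with no comment explaining why the MCP SSE endpoint is open at the filter-chain level. `McpServerApiAuthenticationFilter` in this commit only matches `^/api/v[0-9]+/mcp/.+`, so nothing visible here authenticates `/api/sse`, and `McpServerCsrfContributor` also exempts it from CSRF. A Javadoc on the method should state which component is expected to authenticate SSE clients, or that the endpoint is intentionally anonymous. The same applies to `"/api/automation/sse"` in `AutomationMcpServerAuthorizeHttpRequestContributor`.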
@@ -0,0 +1,37 @@ +/* + * Copyright 2025 ByteChef + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.bytechef.ai.mcp.server.security.web.config; + +import com.bytechef.platform.security.web.config.CsrfContributor; +import java.util.List; +import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher; +import org.springframework.security.web.util.matcher.RegexRequestMatcher; +import org.springframework.security.web.util.matcher.RequestMatcher; + +/** + * @author Ivica Cardic + */ +public class McpServerCsrfContributor implements CsrfContributor { + + @Override + public List getIgnoringRequestMatchers() { + return List.of( + PathPatternRequestMatcher.withDefaults() + .matcher("/api/sse"), + RegexRequestMatcher.regexMatcher("^/api/v[0-9]+/mcp/.+")); + } +} diff --git a/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilter.java b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/filter/McpServerApiAuthenticationFilter.java similarity index 79% rename from server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilter.java rename to server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/filter/McpServerApiAuthenticationFilter.java index 0a63a3ed891..f0710cda0cb 100644 
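Review bot: The CSRF exemption `RegexRequestMatcher.regexMatcher("^/api/v[0-9]+/mcp/.+")` repeats, as a separate string literal, the pattern that `McpServerApiAuthenticationFilter` passes to `super(...)`, and nothing ties the two together. The exemption is presumably safe only because those requests are authenticated by that filter rather than by the session cookie, so if one literal is later widened without the other, cookie-authenticated requests could lose CSRF protection. A shared constant referenced from both classes would keep them in step, for example `public static final String MCP_API_PATH_REGEX = "^/api/v[0-9]+/mcp/.+";` (the constant name is only a suggestion). `AutomationCsrfContributor` and `AutomationApiAuthenticationFilter` duplicate `^/api/automation/v[0-9]+/.+` in the same way.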
--- a/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilter.java +++ b/server/libs/ai/mcp/mcp-server/src/main/java/com/bytechef/ai/mcp/server/security/web/filter/McpServerApiAuthenticationFilter.java @@ -16,17 +16,17 @@ package com.bytechef.ai.mcp.server.security.web.filter; -import com.bytechef.platform.security.web.filter.AbstractPublicApiAuthenticationFilter; +import com.bytechef.platform.security.web.filter.AbstractApiAuthenticationFilter; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.springframework.security.authentication.AuthenticationManager; /** * @author Ivica Cardic */ -public class ApiKeyAuthenticationFilter extends AbstractPublicApiAuthenticationFilter { +public class McpServerApiAuthenticationFilter extends AbstractApiAuthenticationFilter { @SuppressFBWarnings("EI") - public ApiKeyAuthenticationFilter(AuthenticationManager authenticationManager) { + public McpServerApiAuthenticationFilter(AuthenticationManager authenticationManager) { super("^/api/v[0-9]+/mcp/.+", authenticationManager); } } diff --git a/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/config/AutomationMcpServerAuthorizeHttpRequestContributor.java b/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/config/AutomationMcpServerAuthorizeHttpRequestContributor.java new file mode 100644 index 00000000000..9a6ee141688 --- /dev/null +++ b/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/config/AutomationMcpServerAuthorizeHttpRequestContributor.java 
@@ -0,0 +1,33 @@ +/* + * Copyright 2025 ByteChef + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.bytechef.automation.ai.mcp.server.security.web.config; + +import com.bytechef.platform.security.web.config.AuthorizeHttpRequestContributor; +import java.util.List; +import org.springframework.stereotype.Component; + +/** + * @author Ivica Cardic + */ +@Component +public class AutomationMcpServerAuthorizeHttpRequestContributor implements AuthorizeHttpRequestContributor { + + @Override + public List getApiPermitAllRequestMatcherPaths() { + return List.of("/api/automation/sse"); + } +} diff --git a/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/config/AutomationMcpServerCsrfContributor.java b/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/config/AutomationMcpServerCsrfContributor.java new file mode 100644 index 00000000000..60288ac1e78 --- /dev/null +++ b/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/config/AutomationMcpServerCsrfContributor.java 
@@ -0,0 +1,37 @@ +/* + * Copyright 2025 ByteChef + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.bytechef.automation.ai.mcp.server.security.web.config; + +import com.bytechef.platform.security.web.config.CsrfContributor; +import java.util.List; +import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher; +import org.springframework.security.web.util.matcher.RequestMatcher; +import org.springframework.stereotype.Component; + +/** + * @author Ivica Cardic + */ +@Component +public class AutomationMcpServerCsrfContributor implements CsrfContributor { + + @Override + public List getIgnoringRequestMatchers() { + return List.of( + PathPatternRequestMatcher.withDefaults() + .matcher("/api/automation/sse")); + } +} diff --git a/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java b/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java deleted file mode 100644 index 93565d59dcd..00000000000 --- a/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java +++ /dev/null 
@@ -1,42 +0,0 @@ -/* - * Copyright 2025 ByteChef - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.bytechef.automation.ai.mcp.server.security.web.filter; - -import com.bytechef.platform.security.web.filter.FilterBeforeContributor; -import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; -import jakarta.servlet.Filter; -import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; -import org.springframework.stereotype.Component; - -/** - * @author Ivica Cardic - */ -@Component("com.bytechef.automation.mcp.server.security.web.filter.ApiKeyAuthenticationFilterBeforeContributor") -public class ApiKeyAuthenticationFilterBeforeContributor implements FilterBeforeContributor { - - @Override - @SuppressFBWarnings("EI") - public Filter getFilter(AuthenticationManager authenticationManager) { - return new ApiKeyAuthenticationFilter(authenticationManager); - } - - @Override - public Class getBeforeFilter() { - return BasicAuthenticationFilter.class; - } -} 
diff --git a/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java b/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/config/AutomationApiAuthenticationFilterBeforeContributor.java similarity index 75% rename from server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java rename to server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/config/AutomationApiAuthenticationFilterBeforeContributor.java index 3404259e254..47496b5719c 100644 --- a/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java +++ b/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/config/AutomationApiAuthenticationFilterBeforeContributor.java @@ -14,9 +14,10 @@ * limitations under the License. */ -package com.bytechef.automation.security.web.filter; +package com.bytechef.automation.security.web.config; -import com.bytechef.platform.security.web.filter.FilterBeforeContributor; +import com.bytechef.automation.security.web.filter.AutomationApiAuthenticationFilter; +import com.bytechef.platform.security.web.config.FilterBeforeContributor; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import jakarta.servlet.Filter; import org.springframework.security.authentication.AuthenticationManager; 
@@ -26,13 +27,13 @@ /** * @author Ivica Cardic */ -@Component("com.bytechef.automation.security.web.filter.ApiKeyAuthenticationFilterBeforeContributor") -public class ApiKeyAuthenticationFilterBeforeContributor implements FilterBeforeContributor { +@Component +public class AutomationApiAuthenticationFilterBeforeContributor implements FilterBeforeContributor { @Override @SuppressFBWarnings("EI") public Filter getFilter(AuthenticationManager authenticationManager) { - return new ApiKeyAuthenticationFilter(authenticationManager); + return new AutomationApiAuthenticationFilter(authenticationManager); } @Override diff --git a/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/config/AutomationCsrfContributor.java b/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/config/AutomationCsrfContributor.java new file mode 100644 index 00000000000..9248b5749f3 --- /dev/null +++ b/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/config/AutomationCsrfContributor.java 
@@ -0,0 +1,36 @@ +/* + * Copyright 2025 ByteChef + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.bytechef.automation.security.web.config; + +import static org.springframework.security.web.util.matcher.RegexRequestMatcher.regexMatcher; + +import com.bytechef.platform.security.web.config.CsrfContributor; +import java.util.List; +import org.springframework.security.web.util.matcher.RequestMatcher; +import org.springframework.stereotype.Component; + +/** + * @author Ivica Cardic + */ +@Component +public class AutomationCsrfContributor implements CsrfContributor { + + @Override + public List getIgnoringRequestMatchers() { + return List.of(regexMatcher("^/api/automation/v[0-9]+/.+")); + } +} 
diff --git a/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/filter/ApiKeyAuthenticationFilter.java b/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/filter/AutomationApiAuthenticationFilter.java similarity index 77% rename from server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/filter/ApiKeyAuthenticationFilter.java rename to server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/filter/AutomationApiAuthenticationFilter.java index affe9db5db2..56711268b21 100644 --- a/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/filter/ApiKeyAuthenticationFilter.java +++ b/server/libs/automation/automation-security-web/automation-security-web-impl/src/main/java/com/bytechef/automation/security/web/filter/AutomationApiAuthenticationFilter.java @@ -16,17 +16,17 @@ package com.bytechef.automation.security.web.filter; -import com.bytechef.platform.security.web.filter.AbstractPublicApiAuthenticationFilter; +import com.bytechef.platform.security.web.filter.AbstractApiAuthenticationFilter; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.springframework.security.authentication.AuthenticationManager; /** * @author Ivica Cardic */ -public class ApiKeyAuthenticationFilter extends AbstractPublicApiAuthenticationFilter { +public class AutomationApiAuthenticationFilter extends AbstractApiAuthenticationFilter { @SuppressFBWarnings("EI") - public ApiKeyAuthenticationFilter(AuthenticationManager authenticationManager) { + public AutomationApiAuthenticationFilter(AuthenticationManager authenticationManager) { super("^/api/automation/v[0-9]+/.+", authenticationManager); } } 
diff --git a/server/libs/config/security-config/src/main/java/com/bytechef/security/config/SecurityConfiguration.java b/server/libs/config/security-config/src/main/java/com/bytechef/security/config/SecurityConfiguration.java index 5851f656f11..ce4db985dde 100644 --- a/server/libs/config/security-config/src/main/java/com/bytechef/security/config/SecurityConfiguration.java +++ b/server/libs/config/security-config/src/main/java/com/bytechef/security/config/SecurityConfiguration.java 
@@ -17,21 +17,24 @@ package com.bytechef.security.config; import static org.springframework.security.config.Customizer.withDefaults; -import static org.springframework.security.web.util.matcher.RegexRequestMatcher.regexMatcher; import com.bytechef.config.ApplicationProperties; import com.bytechef.config.ApplicationProperties.Security; import com.bytechef.config.ApplicationProperties.Security.RememberMe; import com.bytechef.platform.security.constant.AuthorityConstants; -import com.bytechef.platform.security.web.authentication.AuthenticationProviderContributor; -import com.bytechef.platform.security.web.filter.FilterAfterContributor; -import com.bytechef.platform.security.web.filter.FilterBeforeContributor; +import com.bytechef.platform.security.web.config.AuthenticationProviderContributor; +import com.bytechef.platform.security.web.config.AuthorizeHttpRequestContributor; +import com.bytechef.platform.security.web.config.CsrfContributor; +import com.bytechef.platform.security.web.config.FilterAfterContributor; +import com.bytechef.platform.security.web.config.FilterBeforeContributor; +import com.bytechef.platform.security.web.config.SpaWebFilterContributor; import com.bytechef.security.web.filter.CookieCsrfFilter; import com.bytechef.security.web.filter.SpaWebFilter; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import java.util.List; +import java.util.Objects; import java.util.function.Supplier; import org.apache.commons.lang3.StringUtils; import org.springframework.context.annotation.Bean; @@ -71,6 +74,7 @@ import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter; import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; +import org.springframework.security.web.util.matcher.RequestMatcher; /** * @author Ivica Cardic 
@@ -95,13 +99,15 @@ public SecurityConfiguration( this.security = applicationProperties.getSecurity(); } - @Bean - FilterBeforeContributorConfigurer filterBeforeContributorConfigurer( - List filterBeforeContributors) { - - return new FilterBeforeContributorConfigurer<>(filterBeforeContributors); - } - + /** + * Configures the security filter chain for the actuator endpoints, specifying authorization rules, authentication + * mechanisms, and exception handling. + * + * @param http the {@link HttpSecurity} object used to customize security settings for the actuator endpoints + * @param mvc a {@link PathPatternRequestMatcher.Builder} used to create matchers for specific URI patterns + * @return a configured {@link SecurityFilterChain} to handle security for actuator endpoints + * @throws Exception if an error occurs while configuring the security filter chain + */ @Bean @Order(2) public SecurityFilterChain actuatorFilterChain( 
@@ -139,43 +145,72 @@ public SecurityFilterChain actuatorFilterChain( return http.build(); } + /** + * Configures the security filter chain for API endpoints and GraphQL requests, defining authorization, + * authentication, CSRF settings, and headers for securing requests. + * + * @param http the {@link HttpSecurity} object used to customize the security settings + * for the application. + * @param mvc a {@link PathPatternRequestMatcher.Builder} used to build request + * matchers. + * @param authenticationProviderContributors a list of {@link AuthenticationProviderContributor} instances + * contributing custom {@link AuthenticationProvider}s to handle + * authentication. + * @param authorizeHttpRequestContributors a list of {@link AuthorizeHttpRequestContributor} instances providing + * paths to be configured as permit-all in the API security configuration. + * @param csrfContributors a list of {@link CsrfContributor} instances contributing request + * matchers to be ignored for CSRF protection. + * @param environment the {@link Environment} object used to retrieve profiles and + * environment properties. + * @param filterAfterContributors a list of {@link FilterAfterContributor} instances allowing additional + * filters to be added after default filters in the chain. + * @param filterBeforeContributors a list of {@link FilterBeforeContributor} instances allowing additional + * filters to be added before default filters in the chain. + * @param spaWebFilterContributors a list of {@link SpaWebFilterContributor} instances contributing to the + * customization of SPA-specific filters. + * @return a configured {@link SecurityFilterChain} for securing API and GraphQL endpoints. + * @throws Exception if an error occurs while configuring the security filter chain. 
+ */ @Bean @Order(3) public SecurityFilterChain apiFilterChain( HttpSecurity http, PathPatternRequestMatcher.Builder mvc, - List authenticationProviderContributors, Environment environment, - List filterAfterContributors, List filterBeforeContributors) + List authenticationProviderContributors, + List authorizeHttpRequestContributors, List csrfContributors, + Environment environment, List filterAfterContributors, + List filterBeforeContributors, List spaWebFilterContributors) throws Exception { http .securityMatcher("/api/**", "/graphql") .cors(withDefaults()) - .csrf(csrf -> csrf - .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) - // See https://stackoverflow.com/q/74447118/65681 - .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()) - .ignoringRequestMatchers(regexMatcher("^/api/(automation|embedded|platform)/v[0-9]+/.+")) - .ignoringRequestMatchers(regexMatcher("^/api/v[0-9]+/mcp/.+")) - .ignoringRequestMatchers("/api/o/**") - .ignoringRequestMatchers("/api/sse") - .ignoringRequestMatchers(regexMatcher("^/api/(automation|embedded)/sse")) - // For internal calls from the embedded workflow builder - .ignoringRequestMatchers(request -> request.getHeader("Authorization") != null) - // For internal calls from the swagger UI in the dev profile - .ignoringRequestMatchers(request -> environment.acceptsProfiles(Profiles.of("dev")) && - StringUtils.contains(request.getHeader("Referer"), "/swagger-ui/"))); + .csrf(csrf -> { + csrf + .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) + // See https://stackoverflow.com/q/74447118/65681 + .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()); + + for (CsrfContributor csrfContributor : csrfContributors) { + for (RequestMatcher requestMatcher : csrfContributor.getIgnoringRequestMatchers()) { + csrf.ignoringRequestMatchers(requestMatcher); + } + } + + csrf + // For CORS requests + .ignoringRequestMatchers(request -> Objects.equals(request.getMethod(), "OPTIONS")) + // For internal 
calls from the swagger UI in the dev profile + .ignoringRequestMatchers(request -> environment.acceptsProfiles(Profiles.of("dev")) && + StringUtils.contains(request.getHeader("Referer"), "/swagger-ui/")); + }); for (AuthenticationProviderContributor authenticationProviderContributor : authenticationProviderContributors) { http.authenticationProvider(authenticationProviderContributor.getAuthenticationProvider()); } - http.addFilterAfter(new SpaWebFilter(), BasicAuthenticationFilter.class) + http.addFilterAfter(new SpaWebFilter(spaWebFilterContributors), BasicAuthenticationFilter.class) .addFilterAfter(new CookieCsrfFilter(), BasicAuthenticationFilter.class); - for (FilterAfterContributor filterAfterContributor : filterAfterContributors) { - http.addFilterAfter(filterAfterContributor.getFilter(), filterAfterContributor.getAfterFilter()); - } - http .headers(headers -> headers .contentSecurityPolicy(csp -> csp.policyDirectives(security.getContentSecurityPolicy())) 
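Review bot: In the `csrf` lambda of `apiFilterChain`, the exemptions are now the union of whatever every `CsrfContributor` bean returns, and the loop neither records nor bounds them, so the effective CSRF policy for `/api/**` can no longer be read from this class. Logging each contributed matcher together with `csrfContributor.getClass().getName()` at startup would give reviewers and operators one place to audit it. The added `Objects.equals(request.getMethod(), "OPTIONS")` matcher looks redundant, since Spring Security's default CSRF matcher already skips GET, HEAD, TRACE and OPTIONS; dropping it, or correcting the `// For CORS requests` comment, would avoid implying that it changes behaviour. The hunk also removes the `Authorization`-header exemption, and whether the contributors cover every caller that relied on it (the old regex also listed `embedded` and `platform`) cannot be confirmed from the files shown here. `apiFilterChain` continues beyond this hunk.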
@@ -185,27 +220,21 @@ public SecurityFilterChain apiFilterChain( .permissionsPolicyHeader(permissions -> permissions .policy( "camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=()"))) - .authorizeHttpRequests(authz -> authz - .requestMatchers(mvc.matcher("/api/activate")) - .permitAll() - .requestMatchers(mvc.matcher("/api/authenticate")) - .permitAll() - .requestMatchers(mvc.matcher("/api/account/reset-password/finish")) - .permitAll() - .requestMatchers(mvc.matcher("/api/account/reset-password/init")) - .permitAll() - .requestMatchers(mvc.matcher("/api/automation/sse")) - .permitAll() - .requestMatchers(mvc.matcher("/api/embedded/sse")) - .permitAll() - .requestMatchers(mvc.matcher("/api/register")) - .permitAll() - .requestMatchers(mvc.matcher("/api/sse")) - .permitAll() - .requestMatchers(mvc.matcher("/api/**")) - .authenticated() - .requestMatchers(mvc.matcher("/graphql")) - .authenticated()) + .authorizeHttpRequests(authz -> { + for (AuthorizeHttpRequestContributor authorizeHttpRequestContributor : authorizeHttpRequestContributors) { + for (String path : authorizeHttpRequestContributor.getApiPermitAllRequestMatcherPaths()) { + authz + .requestMatchers(mvc.matcher(path)) + .permitAll(); + } + } + + authz + .requestMatchers(mvc.matcher("/api/**")) + .authenticated() + .requestMatchers(mvc.matcher("/graphql")) + .authenticated(); + }) .rememberMe(rememberMe -> rememberMe .rememberMeServices(rememberMeServices) .rememberMeParameter("remember-me") 
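Review bot: The `authorizeHttpRequests` lambda registers every contributed path as `permitAll()` before the `/api/**` `authenticated()` rule, and because the first matching rule wins, a contributor that returns a broad pattern would silently make authenticated endpoints public. The contributors visible in this commit return exact paths (`/api/sse`, `/api/automation/sse`), so the loop could enforce that with `if (path.contains("*")) { throw new IllegalStateException("wildcard permitAll path: " + path); }`, provided no contributor outside this view needs wildcards on the API chain. The same loop in `filterChain` (hunk `-225,51`) uses `getPermitAllRequestMatcherPaths()` on a chain with CSRF disabled, where wildcards such as the removed `/webhooks/**` are presumably expected, so logging the contributed paths per contributor is the more realistic check there. The enclosing method starts and ends outside this hunk.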
@@ -225,51 +254,81 @@ public SecurityFilterChain apiFilterChain( .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()) .permitAll()); - http.with(filterBeforeContributorConfigurer(filterBeforeContributors), withDefaults()); + http.with(new FilterAfterContributorConfigurer<>(filterAfterContributors), withDefaults()); + http.with(new FilterBeforeContributorConfigurer<>(filterBeforeContributors), withDefaults()); return http.build(); } + /** + * Configures the security filter chain for the web application, defining authorization, authentication, and the + * integration of SPA-specific and permit-all contributors. + * + * @param http the {@link HttpSecurity} object used to customize security settings for + * the application + * @param mvc a {@link PathPatternRequestMatcher.Builder} used to create request + * matchers for specific URI patterns + * @param authorizeHttpRequestContributors a list of {@link AuthorizeHttpRequestContributor} instances providing + * paths to be configured as permit-all in the security configuration + * + * @param spaWebFilterContributors a list of {@link SpaWebFilterContributor} instances contributing to the + * customization of SPA-specific filters + * @return a configured {@link SecurityFilterChain} for managing security in the application + * @throws Exception if an error occurs while configuring the security filter chain + */ @Bean @Order(4) - public SecurityFilterChain filterChain(HttpSecurity http, PathPatternRequestMatcher.Builder mvc) throws Exception { + public SecurityFilterChain filterChain( + HttpSecurity http, PathPatternRequestMatcher.Builder mvc, + List authorizeHttpRequestContributors, + List spaWebFilterContributors) throws Exception { + http - .addFilterAfter(new SpaWebFilter(), BasicAuthenticationFilter.class) + .addFilterAfter(new SpaWebFilter(spaWebFilterContributors), BasicAuthenticationFilter.class) .cors(withDefaults()) .csrf(AbstractHttpConfigurer::disable) - .authorizeHttpRequests(authz -> authz - 
.requestMatchers(mvc.matcher("/*.ico"), mvc.matcher("/*.png"), mvc.matcher("/*.svg")) - .permitAll() - .requestMatchers(mvc.matcher("/approvals/**")) - .permitAll() - .requestMatchers(mvc.matcher("/assets/**")) - .permitAll() - .requestMatchers(mvc.matcher("/callback")) - .permitAll() - .requestMatchers(mvc.matcher("/file-entries/**")) - .permitAll() - .requestMatchers(mvc.matcher("/i18n/**")) - .permitAll() - .requestMatchers(mvc.matcher("/icons/**")) - .permitAll() - .requestMatchers(mvc.matcher("/index.html")) - .permitAll() - .requestMatchers(mvc.matcher("/oauth.html")) - .permitAll() - .requestMatchers(mvc.matcher("/swagger-ui/**")) - .permitAll() - .requestMatchers(mvc.matcher("/swagger-ui.html")) - .permitAll() - .requestMatchers(mvc.matcher("/v3/api-docs/**")) - .permitAll() - .requestMatchers(mvc.matcher("/webhooks/**")) - .permitAll() - .anyRequest() - .denyAll()); + .authorizeHttpRequests(authz -> { + for (AuthorizeHttpRequestContributor authorizeHttpRequestContributor : authorizeHttpRequestContributors) { + for (String path : authorizeHttpRequestContributor.getPermitAllRequestMatcherPaths()) { + authz + .requestMatchers(mvc.matcher(path)) + .permitAll(); + } + } + + authz + .requestMatchers(mvc.matcher("/*.ico"), mvc.matcher("/*.png"), mvc.matcher("/*.svg")) + .permitAll() + .requestMatchers(mvc.matcher("/assets/**")) + .permitAll() + .requestMatchers(mvc.matcher("/i18n/**")) + .permitAll() + .requestMatchers(mvc.matcher("/icons/**")) + .permitAll() + .requestMatchers(mvc.matcher("/index.html")) + .permitAll() + .requestMatchers(mvc.matcher("/swagger-ui/**")) + .permitAll() + .requestMatchers(mvc.matcher("/swagger-ui.html")) + .permitAll() + .requestMatchers(mvc.matcher("/v3/api-docs/**")) + .permitAll() + .anyRequest() + .denyAll(); + }); return http.build(); } + /** + * Configures the security filter chain for GraphQL and GraphiQL endpoints in the development profile, defining + * authorization rules, authentication mechanisms, and exception handling. 
+ * + * @param http the {@link HttpSecurity} object used to customize security settings for the GraphQL endpoints + * @param mvc a {@link PathPatternRequestMatcher.Builder} used to create request matchers for specific URI patterns + * @return a configured {@link SecurityFilterChain} for securing GraphQL and GraphiQL endpoints + * @throws Exception if an error occurs while configuring the security filter chain + */ @Bean @Profile("dev") @Order(1) @@ -309,8 +368,6 @@ private DaoAuthenticationProvider getSystemAuthenticationProvider(Security.Syste return null; } - DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider(); - PasswordEncoder passwordEncoder = passwordEncoder(); UserDetails user = User.withUsername(system.getUsername()) @@ -318,7 +375,8 @@ private DaoAuthenticationProvider getSystemAuthenticationProvider(Security.Syste .authorities(AuthorityConstants.SYSTEM_ADMIN) .build(); - daoAuthenticationProvider.setUserDetailsService(new InMemoryUserDetailsManager(user)); + DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider( + new InMemoryUserDetailsManager(user)); daoAuthenticationProvider.setPasswordEncoder(passwordEncoder()); 
@@ -331,6 +389,59 @@ private String getRememberMeKey() { return rememberMe.getKey(); } + /** + * A configuration class for adding custom filters to the security filter chain after specified filters. This class + * allows customization of the filter chain by applying a list of {@link FilterAfterContributor} instances. + * + * @param the type of {@link HttpSecurityBuilder} used for configuring the security filter chain + */ + private static class FilterAfterContributorConfigurer> + extends AbstractHttpConfigurer, HttpSecurity> { + + private final List filterAfterContributors; + + FilterAfterContributorConfigurer(List filterAfterContributors) { + this.filterAfterContributors = filterAfterContributors; + } + + @Override + public void configure(HttpSecurity http) { + for (FilterAfterContributor filterAfterContributor : filterAfterContributors) { + http.addFilterAfter( + filterAfterContributor.getFilter(), + filterAfterContributor.getAfterFilter()); + } + } + } + + /** + * A private configuration class for adding and positioning filters in the web security filter chain before a + * specific set of filters. This configurer uses a list of {@link FilterBeforeContributor} instances to determine + * which filters should be introduced into the chain and their corresponding positions. + * + * @param the type of {@link HttpSecurityBuilder} used to configure the web security filter chain. 
+ */ + private static class FilterBeforeContributorConfigurer> + extends AbstractHttpConfigurer, HttpSecurity> { + + private final List filterBeforeContributors; + + FilterBeforeContributorConfigurer(List filterBeforeContributors) { + this.filterBeforeContributors = filterBeforeContributors; + } + + @Override + public void configure(HttpSecurity http) { + AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class); + + for (FilterBeforeContributor filterBeforeContributor : filterBeforeContributors) { + http.addFilterBefore( + filterBeforeContributor.getFilter(authenticationManager), + filterBeforeContributor.getBeforeFilter()); + } + } + } + /** * Custom CSRF handler to provide BREACH protection. * @@ -341,7 +452,7 @@ private String getRememberMeKey() { * SpaCsrfTokenRequestHandler to handle CSRF token * @see CSRF protection not working with Spring Security 6 */ - static final class SpaCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler { + private static final class SpaCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler { private final CsrfTokenRequestHandler delegate = new XorCsrfTokenRequestAttributeHandler(); 
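Review bot: Neither `FilterAfterContributorConfigurer` nor `FilterBeforeContributorConfigurer` documents the order in which contributors are applied, so when two contributors name the same anchor filter their relative position in the chain follows the iteration order of the injected list. For authentication filters that position is security-relevant, and it should be stated where the loop runs, e.g. `// Applied in list order; put @Order on contributor beans when relative position matters.` Both constructors also keep the caller's list as-is; `this.filterBeforeContributors = List.copyOf(filterBeforeContributors);` (and the same for the after-variant) would fix the set of filters at wiring time and fail fast on a null entry.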
@@ -373,27 +484,21 @@ public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfTo } } - static class FilterBeforeContributorConfigurer> - extends AbstractHttpConfigurer, HttpSecurity> { - - private final List filterBeforeContributors; - - FilterBeforeContributorConfigurer(List filterBeforeContributors) { - this.filterBeforeContributors = filterBeforeContributors; - } - - @Override - public void configure(HttpSecurity http) { - AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class); - - for (FilterBeforeContributor filterBeforeContributor : filterBeforeContributors) { - http.addFilterBefore( - filterBeforeContributor.getFilter(authenticationManager), - filterBeforeContributor.getBeforeFilter()); - } - } - } - + /** + * A custom implementation of {@link BasicAuthenticationEntryPoint} used to handle unauthorized access attempts when + * basic authentication is required. + * + * This class extends the default functionality of {@link BasicAuthenticationEntryPoint} to customize the behavior + * for responding to unauthorized requests. It specifically defines the response headers and status code returned to + * the client upon an authentication failure. + * + * Key functionality: - Sets the "WWW-Authenticate" response header to indicate the required basic authentication + * with a realm. - Responds with the HTTP 401 (Unauthorized) status code to indicate that the request requires + * authentication. + * + * Method: {@link #commence(HttpServletRequest, HttpServletResponse, AuthenticationException)}: - Handles the + * response when an {@link AuthenticationException} occurs, customizing the headers and status code. + */ private static class UnauthorizedBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint { @Override 
diff --git a/server/libs/config/security-config/src/main/java/com/bytechef/security/web/filter/SpaWebFilter.java b/server/libs/config/security-config/src/main/java/com/bytechef/security/web/filter/SpaWebFilter.java index 505421f1e03..725722b9156 100644 --- a/server/libs/config/security-config/src/main/java/com/bytechef/security/web/filter/SpaWebFilter.java +++ b/server/libs/config/security-config/src/main/java/com/bytechef/security/web/filter/SpaWebFilter.java @@ -16,12 +16,14 @@ package com.bytechef.security.web.filter; +import com.bytechef.platform.security.web.config.SpaWebFilterContributor; import jakarta.servlet.FilterChain; import jakarta.servlet.RequestDispatcher; import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; +import java.util.ArrayList; import java.util.Arrays; import java.util.List; import org.springframework.web.filter.OncePerRequestFilter; @@ -31,9 +33,16 @@ */ public class SpaWebFilter extends OncePerRequestFilter { - private static final List NON_SPA_PATH_PREFIXES = Arrays.asList( - "/actuator", "/api", "/approvals", "/callback", "/file-entries", "/graphql", "/graphiql", "/icons", "/oauth", - "/v3/api-docs", "/webhooks"); + private final List nonSpaPathPrefixes = new ArrayList<>(); + + public SpaWebFilter(List spaWebFilterContributors) { + for (SpaWebFilterContributor spaWebFilterContributor : spaWebFilterContributors) { + nonSpaPathPrefixes.addAll(spaWebFilterContributor.getNonSpaPathPrefixes()); + } + + nonSpaPathPrefixes.addAll( + Arrays.asList("/actuator", "/api", "/graphql", "/graphiql", "/icons", "/v3/api-docs")); + } /** * Forwards any HTTP request with an unmapped path (i.e., not handled by other controllers or static resources), 
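Review bot: The new constructor adds contributed prefixes to a mutable `ArrayList` without checking them, and the list is then read with `startsWith` on every request. A blank or `/` prefix from any contributor would match every path and silently change SPA forwarding for the whole application, so the constructor should reject prefixes that are null, shorter than two characters or not starting with `/`, and then freeze the result with `List.copyOf`. The prefixes `/approvals`, `/callback`, `/file-entries`, `/oauth` and `/webhooks` also leave the built-in list in this hunk, so each now depends on a contributor bean being present; only the webhook contributor is named in this part of the diff.

```java
private final List<String> nonSpaPathPrefixes;

public SpaWebFilter(List<SpaWebFilterContributor> spaWebFilterContributors) {
    List<String> prefixes = new ArrayList<>(
        Arrays.asList("/actuator", "/api", "/graphql", "/graphiql", "/icons", "/v3/api-docs"));

    for (SpaWebFilterContributor spaWebFilterContributor : spaWebFilterContributors) {
        for (String prefix : spaWebFilterContributor.getNonSpaPathPrefixes()) {
            // A blank or "/" prefix would match every request path.
            if (prefix == null || prefix.length() < 2 || !prefix.startsWith("/")) {
                throw new IllegalArgumentException("Invalid non-SPA path prefix: " + prefix);
            }

            prefixes.add(prefix);
        }
    }

    this.nonSpaPathPrefixes = List.copyOf(prefixes);
}
```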
@@ -79,8 +88,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse filterChain.doFilter(request, response); } - private static boolean isNonSpaPath(String path) { - return NON_SPA_PATH_PREFIXES.stream() + private boolean isNonSpaPath(String path) { + return nonSpaPathPrefixes.stream() .noneMatch(path::startsWith); } } diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/AuthenticationProviderContributor.java b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/AuthenticationProviderContributor.java new file mode 100644 index 00000000000..02042442f4a --- /dev/null +++ b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/AuthenticationProviderContributor.java 
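Review bot: `isNonSpaPath` returns `noneMatch(path::startsWith)` over `nonSpaPathPrefixes`, so it is true exactly when the path matches none of the non-SPA prefixes, which is the opposite of what the name says. Since the method is being touched anyway, renaming it to `isSpaPath` (or keeping the name and switching to `anyMatch` with the caller's condition inverted) would stop the next reader from flipping the forwarding decision by accident. The call site is in `doFilterInternal`, outside this hunk, and would need the same rename.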
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.platform.security.web.config;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+
+/**
+ * Defines an interface for contributing custom {@link AuthenticationProvider} instances to the security configuration.
+ * Implementations of this interface provide a specific {@link AuthenticationProvider} that is used for handling
+ * authentication in a customized manner.
+ *
+ * This interface is useful for scenarios where multiple authentication mechanisms are required, allowing different
+ * implementations to contribute distinct {@link AuthenticationProvider}s to the security framework.
+ *
+ * @author Ivica Cardic
+ */
+public interface AuthenticationProviderContributor {
+
+ /**
+ * Retrieves the {@link AuthenticationProvider} instance contributed by this implementation.
+ *
+ * @return the {@link AuthenticationProvider} instance used for authentication purposes.
+ */
+ AuthenticationProvider getAuthenticationProvider();
+}
diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/AuthorizeHttpRequestContributor.java b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/AuthorizeHttpRequestContributor.java
new file mode 100644
index 00000000000..d2055b8fa15
--- /dev/null
+++ b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/AuthorizeHttpRequestContributor.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.platform.security.web.config;
+
+import java.util.List;
+
+/**
+ * Defines an interface for contributing HTTP request paths to be designated as permit-all in the API security
+ * configuration. Implementations of this interface provide specific paths that should be accessible without
+ * authentication or authorization.
+ *
+ * This interface can be implemented for flexible customization of security rules in environments where certain API
+ * endpoints or request patterns are expected to be publicly accessible.
+ *
+ * @author Ivica Cardic
+ */
+public interface AuthorizeHttpRequestContributor {
+
+ /**
+ * Provides a list of paths that should be matched as permit-all in the API security configuration.
+ *
+ * @return a list of string representations of paths to be allowed without authentication in the API.
+ */
+ default List getApiPermitAllRequestMatcherPaths() {
+ return List.of();
+ }
+
+ /**
+ * Provides a list of paths that should be set to permit-all in the security configuration.
+ *
+ * @return a list of string representations of paths to be granted access without authentication.
+ */
+ default List getPermitAllRequestMatcherPaths() {
+ return List.of();
+ }
+}
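Review bot: Every string returned from these two methods ends up in a `permitAll()` rule, and nothing in the interface or its Javadoc limits what a contributor may return, so a single bean returning `/**` or `/api/**` would open the whole application ahead of `anyRequest().denyAll()`. The Javadoc should say which filter chain each method feeds, since the difference between `getApiPermitAllRequestMatcherPaths` and `getPermitAllRequestMatcherPaths` is not explained, and add a constraint such as `Return exact paths wherever possible and never a catch-all pattern such as /**.` On the consuming side, logging the collected patterns at startup, or rejecting catch-all patterns outright, would make an over-broad contribution visible both in review and in production logs.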
diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/CsrfContributor.java b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/CsrfContributor.java
new file mode 100644
index 00000000000..12b3c554997
--- /dev/null
+++ b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/CsrfContributor.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.platform.security.web.config;
+
+import java.util.List;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+/**
+ * Defines an interface for contributing CSRF ignoring rules. Implementations of this interface specify a list of
+ * request matchers that should be exempt from CSRF protection.
+ *
+ * This is useful in scenarios where certain API endpoints or request patterns need to bypass CSRF validation, such as
+ * endpoints used for server-sent events, non-browser client interactions, or internal authenticated requests.
+ *
+ * @author Ivica Cardic
+ */
+public interface CsrfContributor {
+
+ /**
+ * Returns a list of {@link RequestMatcher}s that should be ignored for CSRF protection.
+ *
+ * @return a list of {@link RequestMatcher} instances representing the request patterns to be excluded from CSRF
+ * protection.
+ */
+ List getIgnoringRequestMatchers();
+}
diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/FilterAfterContributor.java b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/FilterAfterContributor.java
new file mode 100644
index 00000000000..a6a25e8517a
--- /dev/null
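Review bot: The interface Javadoc lists "internal authenticated requests" among the reasons to exempt a path from CSRF protection, but an exemption is only safe when the endpoint does not accept the browser's session or remember-me cookie as its credential. I would state that precondition on `getIgnoringRequestMatchers()`, for example `Only contribute matchers for endpoints authenticated by a request header (API key or bearer token), never by a session or remember-me cookie.` Because any `CsrfContributor` bean on the classpath widens the exemption, the configuration that collects these matchers is also a good place to log them at startup.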
+++ b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/FilterAfterContributor.java 
@@ -0,0 +1,51 @@ +/* + * Copyright 2025 ByteChef + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.bytechef.platform.security.web.config; + +import jakarta.servlet.Filter; + +/** + * Defines an interface for contributing servlet filters that should be positioned after a specified filter in the web + * security filter chain. Implementations of this interface provide the filter instance to be added and specify the + * class of the filter it should follow. + * + * This interface is useful for customizations in the filter chain where the placement of a filter relative to others is + * important to ensure the correct order of operations. + * + * @author Ivica Cardic + */ +public interface FilterAfterContributor { + + /** + * Returns the {@link Filter} instance to be added to the web security filter chain. The filter is typically + * configured to be placed after a specific filter class, ensuring proper order within the filter chain. + * + * @return the {@link Filter} instance to be added to the filter chain. + */ + Filter getFilter(); + + /** + * Returns the class of the {@link Filter} that the contributed filter should be positioned after in the web + * security filter chain. + * + * This method is used to ensure the correct order of filters within the filter chain, allowing the contributed + * filter to follow a specific filter class. 
+ * + * @return the class of the filter that this filter should be placed after in the filter chain + */ + Class getAfterFilter(); +} diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/FilterBeforeContributor.java b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/FilterBeforeContributor.java new file mode 100644 index 00000000000..c38bbe31aa1 --- /dev/null +++ b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/FilterBeforeContributor.java 
@@ -0,0 +1,55 @@ +/* + * Copyright 2025 ByteChef + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.bytechef.platform.security.web.config; + +import jakarta.servlet.Filter; +import org.springframework.security.authentication.AuthenticationManager; + +/** + * Defines an interface for contributing servlet filters that need to be positioned before a specific filter in the web + * security filter chain. Implementations of this interface provide the filter instance to be added and specify the + * class of the filter it should precede. + * + * This interface is particularly useful for customizing the web security filter chain by introducing filters in a + * specific order to ensure the desired behavior and correct interaction between filters. + * + * @author Ivica Cardic + */ +public interface FilterBeforeContributor { + + /** + * Returns a {@link Filter} instance configured using the provided {@link AuthenticationManager}. The returned + * filter is typically added to a security filter chain, positioned before a designated filter. + * + * @param authenticationManager the {@link AuthenticationManager} instance used to configure the {@link Filter}. + * This enables the implementation to use authentication-related logic when creating + * the {@link Filter}. + * @return the {@link Filter} instance to be added to the filter chain. 
+ */ + Filter getFilter(AuthenticationManager authenticationManager); + + /** + * Returns the class of the {@link Filter} that the contributed filter should be placed before in the web security + * filter chain. + * + * This method is used to ensure the correct order of filters within the filter chain, allowing the contributed + * filter to precede a specific filter class. + * + * @return the class of the filter that this filter should be placed before in the filter chain + */ + Class getBeforeFilter(); +} diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/SpaWebFilterContributor.java b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/SpaWebFilterContributor.java new file mode 100644 index 00000000000..c90f89dd94c --- /dev/null +++ b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/config/SpaWebFilterContributor.java 
@@ -0,0 +1,38 @@ +/* + * Copyright 2025 ByteChef + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.bytechef.platform.security.web.config; + +import java.util.List; + +/** + * Defines an interface for contributing path prefixes that should not be considered part of a Single Page Application + * (SPA). Implementations of this interface provide flexibility in specifying non-SPA paths that are excluded from SPA + * routing and processed separately, such as by backend services or static resource handlers. + * + * @author Ivica Cardic + */ +public interface SpaWebFilterContributor { + + /** + * Provides a list of path prefixes that should not be considered part of a Single Page Application (SPA). These + * paths are typically excluded from SPA routing and handled differently, such as by backend controllers or static + * resource handling. + * + * @return a list of strings representing path prefixes that are excluded from SPA processing. + */ + List getNonSpaPathPrefixes(); +} 
diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/AbstractPublicApiAuthenticationFilter.java b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/AbstractApiAuthenticationFilter.java similarity index 86% rename from server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/AbstractPublicApiAuthenticationFilter.java rename to server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/AbstractApiAuthenticationFilter.java index f5a143a066a..a4227b4de61 100644 --- a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/AbstractPublicApiAuthenticationFilter.java +++ b/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/AbstractApiAuthenticationFilter.java @@ -40,9 +40,16 @@ import org.springframework.web.filter.OncePerRequestFilter; /** + * An abstract filter class for handling API authentication based on request headers and patterns. This class extends + * the {@link OncePerRequestFilter} and provides methods to authenticate requests against a defined path pattern. + * + * The filter supports tenant-based processing, allowing the execution of actions within a tenant's context. It + * integrates with an {@link AuthenticationManager} to authenticate user credentials and set up the security context for + * authenticated requests. + * * @author Ivica Cardic */ -public abstract class AbstractPublicApiAuthenticationFilter extends OncePerRequestFilter { +public abstract class AbstractApiAuthenticationFilter extends OncePerRequestFilter { protected static final String AUTH_TOKEN_HEADER_NAME = "Authorization"; 
@@ -50,7 +57,7 @@ public abstract class AbstractPublicApiAuthenticationFilter extends OncePerReque private final RequestMatcher requestMatcher; @SuppressFBWarnings("EI") - public AbstractPublicApiAuthenticationFilter(String pathPatternRegex, AuthenticationManager authenticationManager) { + public AbstractApiAuthenticationFilter(String pathPatternRegex, AuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; this.requestMatcher = new NegatedRequestMatcher(RegexRequestMatcher.regexMatcher(pathPatternRegex)); } diff --git a/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/authentication/ApiKeyAuthenticationProviderContributor.java b/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/authentication/ApiKeyAuthenticationProviderContributor.java index 9aee2e25b92..0cf5d170906 100644 --- a/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/authentication/ApiKeyAuthenticationProviderContributor.java +++ b/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/authentication/ApiKeyAuthenticationProviderContributor.java @@ -16,6 +16,7 @@ package com.bytechef.platform.security.web.authentication; +import com.bytechef.platform.security.web.config.AuthenticationProviderContributor; import com.bytechef.platform.user.service.ApiKeyService; import com.bytechef.platform.user.service.AuthorityService; import com.bytechef.platform.user.service.UserService; 
diff --git a/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java b/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/config/PlatformApiAuthenticationFilterBeforeContributor.java similarity index 78% rename from server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java rename to server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/config/PlatformApiAuthenticationFilterBeforeContributor.java index c673c700a3e..0bb780f733d 100644 --- a/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/filter/ApiKeyAuthenticationFilterBeforeContributor.java +++ b/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/config/PlatformApiAuthenticationFilterBeforeContributor.java @@ -14,8 +14,9 @@ * limitations under the License. */ -package com.bytechef.platform.security.web.filter; +package com.bytechef.platform.security.web.config; +import com.bytechef.platform.security.web.filter.PlatformApiAuthenticationFilter; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import jakarta.servlet.Filter; import org.springframework.security.authentication.AuthenticationManager; 
@@ -25,13 +26,13 @@ /** * @author Ivica Cardic */ -@Component("com.bytechef.platform.security.web.filter.ApiKeyAuthenticationFilterBeforeContributor") -public class ApiKeyAuthenticationFilterBeforeContributor implements FilterBeforeContributor { +@Component +public class PlatformApiAuthenticationFilterBeforeContributor implements FilterBeforeContributor { @Override @SuppressFBWarnings("EI") public Filter getFilter(AuthenticationManager authenticationManager) { - return new ApiKeyAuthenticationFilter(authenticationManager); + return new PlatformApiAuthenticationFilter(authenticationManager); } @Override diff --git a/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/config/PlatformCsrfContributor.java b/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/config/PlatformCsrfContributor.java new file mode 100644 index 00000000000..7677e37c77e --- /dev/null +++ b/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/config/PlatformCsrfContributor.java 
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.platform.security.web.config;
+
+import static org.springframework.security.web.util.matcher.RegexRequestMatcher.regexMatcher;
+
+import java.util.List;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Ivica Cardic
+ */
+@Component
+public class PlatformCsrfContributor implements CsrfContributor {
+
+ @Override
+ public List getIgnoringRequestMatchers() {
+ return List.of(regexMatcher("^/api/platform/v[0-9]+/.+"));
+ }
+}
diff --git a/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/filter/ApiKeyAuthenticationFilter.java b/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/filter/PlatformApiAuthenticationFilter.java
similarity index 83%
rename from server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/filter/ApiKeyAuthenticationFilter.java
rename to server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/filter/PlatformApiAuthenticationFilter.java
index 116e1db425d..dac5b909a42 100644
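Review bot: The pattern `"^/api/platform/v[0-9]+/.+"` is written out here and again in the `super(...)` call of `PlatformApiAuthenticationFilter` later in this diff, and the two literals have to stay identical, because the CSRF exemption is only justified for paths that the API filter authenticates. If one is edited without the other, a path could end up exempt from CSRF while still relying on session authentication. A shared constant referenced from both classes, e.g. `public static final String PLATFORM_API_PATH_REGEX = "^/api/platform/v[0-9]+/.+";`, removes that drift.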
--- a/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/filter/ApiKeyAuthenticationFilter.java +++ b/server/libs/platform/platform-security-web/platform-security-web-impl/src/main/java/com/bytechef/platform/security/web/filter/PlatformApiAuthenticationFilter.java @@ -22,10 +22,10 @@ /** * @author Ivica Cardic */ -public class ApiKeyAuthenticationFilter extends AbstractPublicApiAuthenticationFilter { +public class PlatformApiAuthenticationFilter extends AbstractApiAuthenticationFilter { @SuppressFBWarnings("EI") - public ApiKeyAuthenticationFilter(AuthenticationManager authenticationManager) { + public PlatformApiAuthenticationFilter(AuthenticationManager authenticationManager) { super("^/api/platform/v[0-9]+/.+", authenticationManager); } } diff --git a/server/libs/platform/platform-user/platform-user-rest/platform-user-rest-impl/build.gradle.kts b/server/libs/platform/platform-user/platform-user-rest/platform-user-rest-impl/build.gradle.kts index 94b2959f68b..1e6a7bebe9a 100644 --- a/server/libs/platform/platform-user/platform-user-rest/platform-user-rest-impl/build.gradle.kts +++ b/server/libs/platform/platform-user/platform-user-rest/platform-user-rest-impl/build.gradle.kts @@ -51,6 +51,7 @@ dependencies { implementation(project(":server:libs:core:rest:rest-api")) implementation(project(":server:libs:platform:platform-api")) implementation(project(":server:libs:platform:platform-mail")) + implementation(project(":server:libs:platform:platform-security-web:platform-security-web-api")) implementation(project(":server:libs:platform:platform-user:platform-user-api")) implementation(project(":server:libs:platform:platform-user:platform-user-rest:platform-user-rest-api")) 
diff --git a/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilter.java b/server/libs/platform/platform-user/platform-user-rest/platform-user-rest-impl/src/main/java/com/bytechef/platform/user/web/security/config/UserAuthorizeHttpRequestContributor.java similarity index 52% rename from server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilter.java rename to server/libs/platform/platform-user/platform-user-rest/platform-user-rest-impl/src/main/java/com/bytechef/platform/user/web/security/config/UserAuthorizeHttpRequestContributor.java index 6534392fc85..72d4d47993b 100644 --- a/server/libs/automation/automation-ai/automation-ai-mcp-server/src/main/java/com/bytechef/automation/ai/mcp/server/security/web/filter/ApiKeyAuthenticationFilter.java +++ b/server/libs/platform/platform-user/platform-user-rest/platform-user-rest-impl/src/main/java/com/bytechef/platform/user/web/security/config/UserAuthorizeHttpRequestContributor.java 
@@ -14,19 +14,22 @@ * limitations under the License. */ -package com.bytechef.automation.ai.mcp.server.security.web.filter; +package com.bytechef.platform.user.web.security.config; -import com.bytechef.platform.security.web.filter.AbstractPublicApiAuthenticationFilter; -import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; -import org.springframework.security.authentication.AuthenticationManager; +import com.bytechef.platform.security.web.config.AuthorizeHttpRequestContributor; +import java.util.List; +import org.springframework.stereotype.Component; /** * @author Ivica Cardic */ -public class ApiKeyAuthenticationFilter extends AbstractPublicApiAuthenticationFilter { +@Component +public class UserAuthorizeHttpRequestContributor implements AuthorizeHttpRequestContributor { - @SuppressFBWarnings("EI") - public ApiKeyAuthenticationFilter(AuthenticationManager authenticationManager) { - super("^/api/automation/v[0-9]+/mcp/.+", authenticationManager); + @Override + public List getApiPermitAllRequestMatcherPaths() { + return List.of( + "/api/activate", "/api/authenticate", "/api/account/reset-password/finish", + "/api/account/reset-password/init", "/api/register"); } } diff --git a/server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/build.gradle.kts b/server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/build.gradle.kts index bf9734221ca..4a2fe4f5bd0 100644 --- a/server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/build.gradle.kts +++ b/server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/build.gradle.kts 
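Review bot: `UserAuthorizeHttpRequestContributor` carries no comment saying what its five paths are exempted from, although `getApiPermitAllRequestMatcherPaths()` returns the login, activation, registration and password-reset endpoints, which by the method name are presumably opened to unauthenticated callers. Since this list is contributed from the user module, a class Javadoc such as `/** Contributes the account endpoints under /api that must stay reachable without a session: activation, login, registration and password reset. */` would let an auditor find the unauthenticated surface without tracing the interface. The comment should also say whether the strings are matched exactly or as patterns, because the webhook contributor in this commit uses `/**` suffixes and these entries do not.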
@@ -8,6 +8,7 @@ dependencies { implementation(project(":server:libs:config:app-config")) implementation(project(":server:libs:core:commons:commons-util")) implementation(project(":server:libs:core:tenant:tenant-api")) + implementation(project(":server:libs:platform:platform-security-web:platform-security-web-api")) implementation(project(":server:libs:platform:platform-webhook:platform-webhook-rest:platform-webhook-rest-api")) testImplementation("org.springframework.boot:spring-boot-starter-web") diff --git a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/FilterAfterContributor.java b/server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/src/main/java/com/bytechef/platform/webhook/web/security/config/WebhookSpaWebFilterContributor.java similarity index 57% rename from server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/FilterAfterContributor.java rename to server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/src/main/java/com/bytechef/platform/webhook/web/security/config/WebhookSpaWebFilterContributor.java index 5e4afd05b77..0966c87b793 100644 --- a/server/libs/platform/platform-security-web/platform-security-web-api/src/main/java/com/bytechef/platform/security/web/filter/FilterAfterContributor.java +++ b/server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/src/main/java/com/bytechef/platform/webhook/web/security/config/WebhookSpaWebFilterContributor.java 
@@ -14,16 +14,19 @@ * limitations under the License. */ -package com.bytechef.platform.security.web.filter; +package com.bytechef.platform.webhook.web.security.config; -import jakarta.servlet.Filter; +import com.bytechef.platform.security.web.config.SpaWebFilterContributor; +import java.util.List; +import org.springframework.stereotype.Component; /** * @author Ivica Cardic */ -public interface FilterAfterContributor { - - Filter getFilter(); - - Class getAfterFilter(); +@Component +public class WebhookSpaWebFilterContributor implements SpaWebFilterContributor { + @Override + public List getNonSpaPathPrefixes() { + return List.of("/approvals", "/callback", "/file-entries", "/oauth", "/webhooks"); + } } diff --git a/server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/src/main/java/com/bytechef/platform/webhook/web/security/config/WebhookrAuthorizeHttpRequestContributor.java b/server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/src/main/java/com/bytechef/platform/webhook/web/security/config/WebhookrAuthorizeHttpRequestContributor.java new file mode 100644 index 00000000000..7af4e5fdedf --- /dev/null +++ b/server/libs/platform/platform-webhook/platform-webhook-rest/platform-webhook-rest-impl/src/main/java/com/bytechef/platform/webhook/web/security/config/WebhookrAuthorizeHttpRequestContributor.java 
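Review bot: The prefixes returned by `getNonSpaPathPrefixes()` (`/approvals`, `/callback`, `/file-entries`, `/oauth`, `/webhooks`) restate, in a slightly different form, the permit-all list of `WebhookrAuthorizeHttpRequestContributor` added in the same commit, which names `/oauth.html` and `/callback` exactly. Nothing ties the two lists together, so a path added to one can be missed in the other; a method comment such as `// Keep in sync with the permit-all paths contributed by this module` or a shared constant would make the coupling explicit. If the consumer compares with a plain string prefix (not visible in this hunk), `/oauth` and `/callback` also cover any sibling path that merely starts with those characters, so the Javadoc should state the intended match.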
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2025 ByteChef
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.bytechef.platform.webhook.web.security.config;
+
+import com.bytechef.platform.security.web.config.AuthorizeHttpRequestContributor;
+import java.util.List;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Ivica Cardic
+ */
+@Component
+public class WebhookrAuthorizeHttpRequestContributor implements AuthorizeHttpRequestContributor {
+
+ @Override
+ public List getPermitAllRequestMatcherPaths() {
+ return List.of("/approvals/**", "/callback", "/file-entries/**", "/oauth.html", "/webhooks/**");
+ }
+}
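Review bot: Three of the paths returned by `getPermitAllRequestMatcherPaths()` end in `/**` (`/approvals/**`, `/file-entries/**`, `/webhooks/**`), so, assuming the method name means what it says, every current and future handler under those prefixes is reachable without authentication. The class should carry a Javadoc stating what each of those handlers relies on instead (a request signature or an unguessable identifier, for instance; not visible in this hunk), so that a new endpoint under `/file-entries` is not exposed by accident. The class and file name also contain a typo, `WebhookrAuthorizeHttpRequestContributor`; `WebhookAuthorizeHttpRequestContributor` would match the sibling `WebhookSpaWebFilterContributor`.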