Support dual stateful/stateless security configs

Introduce four SecurityFilterChain beans:
- JWT (stateless): handles JWT-based requests
- Header (stateless): handles x-forwarded-user based requests - refactored to be moved out from stateful
- Stateful (old): handles session-based requests
- Fallback: applies when no chain matches and always returns 401. Meant to block if no other authentication is set up

Author: ja-openai

webapp/src/main/java/com/box/l10n/mojito/security/AuthTypesCondition.java

@@ -0,0 +1,34 @@
+package com.box.l10n.mojito.security;
+
+import com.box.l10n.mojito.security.SecurityConfig.AuthenticationType;
+import java.util.Arrays;
+import java.util.Set;
+import java.util.stream.Collectors;
+import org.springframework.context.annotation.Condition;
+import org.springframework.context.annotation.ConditionContext;
+import org.springframework.core.type.AnnotatedTypeMetadata;
+
+public class AuthTypesCondition implements Condition {
+
+  private static final String KEY = "l10n.security.authenticationType";
+
+  @Override
+  public boolean matches(ConditionContext ctx, AnnotatedTypeMetadata md) {
+    String raw = ctx.getEnvironment().getProperty(KEY, "");
+    Set<String> types =
+        Arrays.stream(raw.split(","))
+            .map(String::trim)
+            .filter(s -> !s.isEmpty())
+            .map(String::toUpperCase)
+            .collect(Collectors.toSet());
+
+    var attrs = md.getAnnotationAttributes(ConditionalOnAuthTypes.class.getName());
+    AuthenticationType[] required = (AuthenticationType[]) attrs.get("anyOf");
+    boolean matchIfMissing = (boolean) attrs.get("matchIfMissing");
+
+    if (types.isEmpty()) {
+      return matchIfMissing;
+    }
+    return Arrays.stream(required).map(Enum::name).anyMatch(types::contains);
+  }
+}

webapp/src/main/java/com/box/l10n/mojito/security/ConditionalOnAuthTypes.java

@@ -0,0 +1,14 @@
+package com.box.l10n.mojito.security;
+
+import java.lang.annotation.*;
+import org.springframework.context.annotation.Conditional;
+
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+@Conditional(AuthTypesCondition.class)
+public @interface ConditionalOnAuthTypes {
+  SecurityConfig.AuthenticationType[] anyOf() default {};
+
+  boolean matchIfMissing() default false;
+}

webapp/src/main/java/com/box/l10n/mojito/security/SecurityConfig.java

@@ -64,7 +64,8 @@ public enum AuthenticationType {
     DATABASE,
     AD,
     HEADER,
-    OAUTH2
+    OAUTH2,
+    JWT
   }
 
   public static class OAuth2 {

webapp/src/main/java/com/box/l10n/mojito/security/WebSecurityConfig.java

@@ -2,16 +2,15 @@
 
 import com.box.l10n.mojito.ActuatorHealthLegacyConfig;
 import com.box.l10n.mojito.service.security.user.UserService;
-import com.google.common.base.Preconditions;
 import java.util.ArrayList;
 import java.util.List;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.AdviceMode;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -25,9 +24,6 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
-import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
-import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 /**
@@ -37,9 +33,13 @@
 // TOOD(spring2) we don't use method level security, do we? remove?
 @EnableGlobalMethodSecurity(securedEnabled = true, mode = AdviceMode.ASPECTJ)
 @Configuration
-@ConditionalOnProperty(
-    value = "l10n.security.stateless.enabled",
-    havingValue = "false",
+@ConditionalOnAuthTypes(
+    anyOf = {
+      SecurityConfig.AuthenticationType.AD,
+      SecurityConfig.AuthenticationType.DATABASE,
+      SecurityConfig.AuthenticationType.LDAP,
+      SecurityConfig.AuthenticationType.OAUTH2
+    },
     matchIfMissing = true)
 public class WebSecurityConfig {
 
@@ -60,12 +60,6 @@ public class WebSecurityConfig {
 
   @Autowired UserDetailsContextMapperImpl userDetailsContextMapperImpl;
 
-  @Autowired(required = false)
-  RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter;
-
-  @Autowired(required = false)
-  PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider;
-
   @Autowired UserService userService;
 
   @Autowired UserDetailsServiceImpl userDetailsService;
@@ -84,9 +78,6 @@ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
         case AD:
           configureActiveDirectory(auth);
           break;
-        case HEADER:
-          configureHeaderAuth(auth);
-          break;
       }
     }
   }
@@ -134,14 +125,6 @@ void configureLdap(AuthenticationManagerBuilder auth) throws Exception {
         .ldif(ldapConfig.getLdif());
   }
 
-  void configureHeaderAuth(AuthenticationManagerBuilder auth) {
-    Preconditions.checkNotNull(
-        preAuthenticatedAuthenticationProvider,
-        "The preAuthenticatedAuthenticationProvider must be configured");
-    logger.debug("Configuring in pre authentication");
-    auth.authenticationProvider(preAuthenticatedAuthenticationProvider);
-  }
-
   static void setAuthorizationRequests(HttpSecurity http, List<String> extraPermitAllPatterns)
       throws Exception {
 
@@ -216,6 +199,7 @@ static void setAuthorizationRequests(HttpSecurity http, List<String> extraPermit
   }
 
   @Bean
+  @Order(3)
   public SecurityFilterChain configure(HttpSecurity http) throws Exception {
     logger.debug("Configuring web security");
 
@@ -249,15 +233,6 @@ public SecurityFilterChain configure(HttpSecurity http) throws Exception {
     for (SecurityConfig.AuthenticationType authenticationType :
         securityConfig.getAuthenticationType()) {
       switch (authenticationType) {
-        case HEADER:
-          Preconditions.checkNotNull(
-              requestHeaderAuthenticationFilter,
-              "The requestHeaderAuthenticationFilter must be configured");
-          logger.debug("Add request header Auth filter");
-          requestHeaderAuthenticationFilter.setAuthenticationManager(
-              authenticationConfiguration.getAuthenticationManager());
-          http.addFilterBefore(requestHeaderAuthenticationFilter, BasicAuthenticationFilter.class);
-          break;
         case OAUTH2:
           logger.debug("Configure OAuth2");
           http.oauth2Login(

webapp/src/main/java/com/box/l10n/mojito/security/WebSecurityFallbackConfig.java

@@ -0,0 +1,32 @@
+package com.box.l10n.mojito.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+
+@EnableWebSecurity
+@Configuration
+public class WebSecurityFallbackConfig {
+
+  /** logger */
+  static Logger logger = LoggerFactory.getLogger(WebSecurityFallbackConfig.class);
+
+  @Bean
+  @Order(99)
+  SecurityFilterChain securityFallbackBlock(HttpSecurity http) throws Exception {
+    WebSecurityJWTConfig.applyStatelessSharedConfig(http);
+    HttpStatusEntryPoint httpStatusEntryPoint = new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
+    http.exceptionHandling(
+        e -> {
+          e.authenticationEntryPoint(httpStatusEntryPoint);
+        });
+    return http.build();
+  }
+}

webapp/src/main/java/com/box/l10n/mojito/security/WebSecurityHeaderConfig.java

@@ -1,53 +1,66 @@
 package com.box.l10n.mojito.security;
 
-import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
+import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
 
-// This must in sync with {@link
-// com.box.l10n.mojito.security.SecurityConfig.AuthenticationType#HEADER}
-@ConditionalOnExpression("'${l10n.security.authenticationType:}'.toUpperCase().contains('HEADER')")
+@ConditionalOnAuthTypes(anyOf = SecurityConfig.AuthenticationType.HEADER)
 @Configuration
 class WebSecurityHeaderConfig {
 
+  public static final String X_FORWARDED_USER = "x-forwarded-user";
+
   @Bean
-  RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception {
-    RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter =
-        new RequestHeaderAuthenticationFilter();
-    requestHeaderAuthenticationFilter.setPrincipalRequestHeader("x-forwarded-user");
-    requestHeaderAuthenticationFilter.setExceptionIfHeaderMissing(false);
-    requestHeaderAuthenticationFilter.setAuthenticationManager(
-        new AuthenticationManager() {
-          @Override
-          public Authentication authenticate(Authentication authentication)
-              throws AuthenticationException {
-            throw new RuntimeException(
-                "This must be overridden with the actual authentication manager of the app - it is not injectable yet with this config style");
-          }
-        });
-
-    return requestHeaderAuthenticationFilter;
+  PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider(
+      UserDetailsServiceCreatePartialImpl uds) {
+
+    UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
+        new UserDetailsByNameServiceWrapper<>(uds);
+
+    PreAuthenticatedAuthenticationProvider p = new PreAuthenticatedAuthenticationProvider();
+    p.setPreAuthenticatedUserDetailsService(wrapper);
+    return p;
   }
 
   @Bean
-  PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider() {
-    PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider =
-        new PreAuthenticatedAuthenticationProvider();
-    UserDetailsByNameServiceWrapper userDetailsByNameServiceWrapper =
-        new UserDetailsByNameServiceWrapper(getUserDetailsServiceCreatePartial());
-    preAuthenticatedAuthenticationProvider.setPreAuthenticatedUserDetailsService(
-        userDetailsByNameServiceWrapper);
-    return preAuthenticatedAuthenticationProvider;
+  RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter(
+      PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider) {
+    RequestHeaderAuthenticationFilter f = new RequestHeaderAuthenticationFilter();
+    f.setPrincipalRequestHeader(X_FORWARDED_USER);
+    f.setCredentialsRequestHeader(X_FORWARDED_USER);
+    f.setExceptionIfHeaderMissing(false);
+    f.setAuthenticationManager(new ProviderManager(preAuthenticatedAuthenticationProvider));
+    return f;
   }
 
   @Bean
   protected UserDetailsServiceCreatePartialImpl getUserDetailsServiceCreatePartial() {
     return new UserDetailsServiceCreatePartialImpl();
   }
+
+  @Bean
+  @Order(1)
+  SecurityFilterChain headerPreAuthenticated(
+      HttpSecurity http,
+      RequestHeaderAuthenticationFilter headerFilter,
+      PreAuthenticatedAuthenticationProvider preauthProvider)
+      throws Exception {
+
+    http.securityMatcher(req -> req.getHeader(X_FORWARDED_USER) != null);
+
+    WebSecurityJWTConfig.applyStatelessSharedConfig(http);
+
+    http.authenticationProvider(preauthProvider);
+    http.addFilterBefore(headerFilter, BearerTokenAuthenticationFilter.class);
+
+    return http.build();
+  }
 }