From 5ba65101b53b7e8f8eea0e5637c5098a9e92a462 Mon Sep 17 00:00:00 2001
From: Gabriel Roldan
Date: Sat, 13 Jul 2024 20:24:31 -0300
Subject: [PATCH] Use a GatewayFilter to redirect to the login page when given a login query parameter Configuration required for this gateway change: https://github.com/georchestra/georchestra-gateway/pull/133 This patch adds the `LoginParamRedirect` default filter to the gateway. Note the filter is added by default in the embedded `application.yml`, but since `gateway/application.yaml` is overriding the `spring.cloud.gateway.default-filters` list, it must be added here too.
---
 gateway/application.yaml | 3 ++-
 gateway/security.yaml | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/gateway/application.yaml b/gateway/application.yaml
index 2614fec..a87bce1 100644
--- a/gateway/application.yaml
+++ b/gateway/application.yaml
@@ -22,6 +22,7 @@ spring:
 # AddSecHeaders appends sec-* headers to proxied requests based on the currently authenticated user
 - AddSecHeaders
 - PreserveHostHeader
+ - LoginParamRedirect #redirects all request with a ?login query param to /login
 filter:
 secure-headers:
- referrer-policy: strict-origin
\ No newline at end of file
+ referrer-policy: strict-origin
diff --git a/gateway/security.yaml b/gateway/security.yaml
index bcced76..e2eb6bd 100644
--- a/gateway/security.yaml
+++ b/gateway/security.yaml
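Review bot: In gateway/application.yaml the added `- LoginParamRedirect` entry carries its explanation as a trailing `#redirects ...` comment with no space after the hash, whereas the neighbouring `AddSecHeaders` entry is documented on its own line above the item. Matching that convention would put `# LoginParamRedirect redirects every request carrying a ?login query parameter to /login` on the line before the entry. The `default-filters` list begins above this hunk; since the commit message says this file replaces the embedded list rather than extending it, a comment at the head of the list stating that would help keep the two lists in sync when the gateway adds further default filters.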
@@ -1,6 +1,14 @@
 georchestra:
 gateway:
 security:
+ header-authentication:
+ # If enabled, pre-authentication is enabled and can be performed by passing
+ # true to the sec-georchestra-preauthenticated request header, and user details
+ # through the following request headers: preauth-username, preauth-firstname,
+ # preauth-lastname, preauth-org, preauth-email, preauth-roles.
+ # In such case, it is crucial for the reverse proxy in front of the gateway to
+ # sanitize the mentioned request headers to prevent external impersonation.
+ enabled: false
 createNonExistingUsersInLDAP: true
 enableRabbitmqEvents: true
 oauth2:
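Review bot: The new comment above `enabled: false` in gateway/security.yaml asks the proxy to sanitize "the mentioned request headers" but leaves the reader to work out that this includes `sec-georchestra-preauthenticated` itself, and it does not say that the setting is only safe when the gateway cannot be reached except through that proxy. I would add two comment lines before `enabled: false`: `# Enable only when every request reaches the gateway through that proxy, and have it strip` and `# sec-georchestra-preauthenticated and all preauth-* headers from incoming client requests.` Keeping the default at `false` is the right choice. The `header-authentication` block is not mentioned in the commit message, which describes only the `LoginParamRedirect` filter, so a line in the description would make this security-relevant default easier to trace later.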