changed securityconfig to allow certain endpoints. better logging

pom.xml

@@ -10,7 +10,7 @@
     </parent>
     <groupId>edu.stanford.protege</groupId>
     <artifactId>webprotege-gwt-api-gateway</artifactId>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <name>webprotege-gwt-api-gateway</name>
     <description>The API Gateway for the WebProtégé GWT User Interface</description>
     <properties>
@@ -136,7 +136,7 @@
         <dependency>
             <groupId>edu.stanford.protege</groupId>
             <artifactId>webprotege-backend-api</artifactId>
-            <version>1.0.2</version>
+            <version>1.0.3</version>
         </dependency>
 
         <dependency>

src/main/java/edu/stanford/protege/webprotege/gateway/SecurityConfig.java

@@ -53,8 +53,7 @@ public WebSecurityCustomizer webSecurityCustomizer() {
     public SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {
         http.csrf(AbstractHttpConfigurer::disable)
                 .authorizeHttpRequests(auth -> auth
-                        .requestMatchers("/api/execute", "/wsapps")
-                        .permitAll()
+                        .requestMatchers("/wsapps").permitAll()
                         .anyRequest()
                         .authenticated()
                 );

src/main/java/edu/stanford/protege/webprotege/gateway/websocket/config/ProjectEventsInterceptor.java

@@ -7,6 +7,8 @@
 import edu.stanford.protege.webprotege.gateway.websocket.AccessManager;
 import edu.stanford.protege.webprotege.gateway.websocket.dto.BuiltInAction;
 import edu.stanford.protege.webprotege.ipc.ExecutionContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.messaging.Message;
 import org.springframework.messaging.MessageChannel;
 import org.springframework.messaging.simp.SimpMessageType;
@@ -18,6 +20,7 @@
 
 public class ProjectEventsInterceptor  implements ChannelInterceptor {
 
+    private final static Logger LOGGER = LoggerFactory.getLogger(ProjectEventsInterceptor.class);
     private final AccessManager accessManager;
 
     public ProjectEventsInterceptor(AccessManager accessManager) {
@@ -32,14 +35,19 @@ public Message<?> preSend(Message<?> message, MessageChannel channel) {
             List<String> tokenHeaders = accessor.getNativeHeader("token");
             List<String> userIdHeaders = accessor.getNativeHeader("userId");
             if(tokenHeaders == null || tokenHeaders.isEmpty()) {
+                LOGGER.error("Missing token header");
                 throw new AuthorizationServiceException("Missing token header");
             }
             if(userIdHeaders == null || userIdHeaders.isEmpty()) {
+                LOGGER.error("Missing userId header");
+
                 throw new AuthorizationServiceException("Missing userId header");
             }
             String token = tokenHeaders.get(0);
             String userId = userIdHeaders.get(0);
             String projectId = extractProjectId(accessor.getDestination());
+            LOGGER.info("Validation subscription. User {} project {}", userId, projectId);
+
             var hasAccessToProject = accessManager.hasPermission(Subject.forUser(userId)
                     , ProjectResource.forProject(ProjectId.valueOf(projectId)), BuiltInAction.VIEW_PROJECT,
                             new ExecutionContext(UserId.valueOf(userId), token));

src/main/java/edu/stanford/protege/webprotege/gateway/websocket/config/WebsocketConfig.java

@@ -3,7 +3,10 @@
 import edu.stanford.protege.webprotege.gateway.websocket.AccessManager;
 import jakarta.websocket.ContainerProvider;
 import jakarta.websocket.WebSocketContainer;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.messaging.simp.config.ChannelRegistration;
@@ -19,6 +22,11 @@
 public class WebsocketConfig implements WebSocketMessageBrokerConfigurer {
     private static final int MAX_TEXT_MESSAGE_BUFFER_SIZE = 1024 * 1024;
 
+    private final static Logger LOGGER = LoggerFactory.getLogger(WebsocketConfig.class);
+
+    @Value("${webprotege.allowedOrigin}")
+    private String allowedWebsocketOrigin;
+
 
     @Autowired
     private AccessManager accessManager;
@@ -31,7 +39,7 @@ public void configureMessageBroker(MessageBrokerRegistry config) {
 
     @Override
     public void registerStompEndpoints(StompEndpointRegistry registry) {
-        registry.addEndpoint("/wsapps");
+        registry.addEndpoint("/wsapps").setAllowedOrigins(allowedWebsocketOrigin);
 
     }
 

src/main/resources/application.yaml

@@ -19,6 +19,7 @@ webprotege:
     eventsqueue: webprotege-gwt-api-gateway-event-queue
     timeout: 60000
     event-subscribe: true
+  allowedOrigin: webprotege-local.edu
 
 spring.security.oauth2:
   client:

src/test/resources/application.yaml

@@ -25,5 +25,6 @@ webprotege:
   gateway:
     reply-channel: ${spring.application.name}-replies
     timeout: 600000 # Ten minutes
+  allowedOrigin: webprotege-local.edu