feat: Configurable OAuth2 login page

spring-cloud-common-security-config/spring-cloud-common-security-config-web/src/main/java/org/springframework/cloud/common/security/AuthorizationProperties.java

@@ -30,24 +30,27 @@
  */
 public class AuthorizationProperties {
 
+	public static final String FRONTEND_LOGIN_URL = "/dashboard/index.html#/authentication-required";
 	private String externalAuthoritiesUrl;
 
 	private List<String> rules = new ArrayList<>();
 
 	private String dashboardUrl = "/dashboard";
 
-	private String loginUrl = "/#/login";
+	private String loginUrl = "/login";
 
-	private String loginProcessingUrl = "/login";
+	private String loginSuccessUrl = dashboardUrl;
 
 	private String logoutUrl = "/logout";
 
-	private String logoutSuccessUrl = "/logout-success.html";
+	private String logoutSuccessUrl = dashboardUrl + "/logout-success-oauth.html";
 
 	private List<String> permitAllPaths = new ArrayList<>();
 
 	private List<String> authenticatedPaths = new ArrayList<>();
 
+	private List<String> anonymousPaths = new ArrayList<>(0);
+
 	/**
 	 * Role-mapping configuration per OAuth2 provider.
 	 */
@@ -91,12 +94,12 @@ public void setLoginUrl(String loginUrl) {
 		this.loginUrl = loginUrl;
 	}
 
-	public String getLoginProcessingUrl() {
-		return loginProcessingUrl;
+	public String getLoginSuccessUrl() {
+		return loginSuccessUrl;
 	}
 
-	public void setLoginProcessingUrl(String loginProcessingUrl) {
-		this.loginProcessingUrl = loginProcessingUrl;
+	public void setLoginSuccessUrl(String loginSuccessUrl) {
+		this.loginSuccessUrl = loginSuccessUrl;
 	}
 
 	public String getLogoutUrl() {
@@ -131,6 +134,14 @@ public void setAuthenticatedPaths(List<String> authenticatedPaths) {
 		this.authenticatedPaths = authenticatedPaths;
 	}
 
+	public List<String> getAnonymousPaths() {
+		return anonymousPaths;
+	}
+
+	public void setAnonymousPaths(List<String> anonymousPaths) {
+		this.anonymousPaths = anonymousPaths;
+	}
+
 	public void setDefaultProviderId(String defaultProviderId) {
 		this.defaultProviderId = defaultProviderId;
 	}

spring-cloud-common-security-config/spring-cloud-common-security-config-web/src/main/java/org/springframework/cloud/common/security/OAuthSecurityConfiguration.java

@@ -216,28 +216,45 @@ protected void configure(HttpSecurity http) throws Exception {
 			http.addFilter(basicAuthenticationFilter);
 		}
 
+		// Anonymous paths for the login page
+		this.authorizationProperties.getAnonymousPaths().add(authorizationProperties.getLoginUrl());
+		this.authorizationProperties.getAnonymousPaths().add("/login");
+
+		// All paths should be available only for authenticated users
 		this.authorizationProperties.getAuthenticatedPaths().add("/");
-		this.authorizationProperties.getAuthenticatedPaths()
-				.add(dashboard(authorizationProperties, "/**"));
-		this.authorizationProperties.getAuthenticatedPaths()
-				.add(this.authorizationProperties.getDashboardUrl());
-		this.authorizationProperties.getPermitAllPaths()
-				.add(this.authorizationProperties.getDashboardUrl());
-		this.authorizationProperties.getPermitAllPaths()
-				.add(dashboard(authorizationProperties, "/**"));
-		ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
-
-				http.authorizeRequests()
-						.antMatchers(this.authorizationProperties.getPermitAllPaths()
-								.toArray(new String[0]))
-						.permitAll()
-						.antMatchers(this.authorizationProperties.getAuthenticatedPaths()
-								.toArray(new String[0]))
-						.authenticated();
+		this.authorizationProperties.getAuthenticatedPaths().add(this.authorizationProperties.getDashboardUrl());
+		this.authorizationProperties.getAuthenticatedPaths().add(dashboard(authorizationProperties, "/**"));
+
+		// Permit for all users as the visibility is managed through roles
+		this.authorizationProperties.getPermitAllPaths().add(this.authorizationProperties.getDashboardUrl());
+		this.authorizationProperties.getPermitAllPaths().add(dashboard(authorizationProperties, "/**"));
+
+		ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security;
+
+		if (AuthorizationProperties.FRONTEND_LOGIN_URL.equals(this.authorizationProperties.getLoginUrl())) {
+			security =
+					http.authorizeRequests()
+							.antMatchers(this.authorizationProperties.getAuthenticatedPaths().toArray(new String[0]))
+							.authenticated()
+							.antMatchers(this.authorizationProperties.getPermitAllPaths().toArray(new String[0]))
+							.permitAll()
+							.antMatchers(this.authorizationProperties.getAnonymousPaths().toArray(new String[0]))
+							.anonymous();
+
+		} else {
+			security =
+					http.authorizeRequests()
+							.antMatchers(this.authorizationProperties.getPermitAllPaths().toArray(new String[0]))
+							.permitAll()
+							.antMatchers(this.authorizationProperties.getAuthenticatedPaths().toArray(new String[0]))
+							.authenticated()
+							.antMatchers(this.authorizationProperties.getAnonymousPaths().toArray(new String[0]))
+							.anonymous();
+		}
+
 		security = SecurityConfigUtils.configureSimpleSecurity(security, this.authorizationProperties);
 		security.anyRequest().denyAll();
 
-
 		http.httpBasic().and()
 				.logout()
 				.logoutSuccessHandler(logoutSuccessHandler)
@@ -248,11 +265,13 @@ protected void configure(HttpSecurity http) throws Exception {
 						new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
 						new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"))
 				.defaultAuthenticationEntryPointFor(
-						new LoginUrlAuthenticationEntryPoint(this.authorizationProperties.getLoginProcessingUrl()),
+						new LoginUrlAuthenticationEntryPoint(authorizationProperties.getLoginUrl()),
 						textHtmlMatcher)
 				.defaultAuthenticationEntryPointFor(basicAuthenticationEntryPoint, AnyRequestMatcher.INSTANCE);
 
-		http.oauth2Login().userInfoEndpoint()
+		http.oauth2Login()
+				.defaultSuccessUrl(authorizationProperties.getLoginSuccessUrl())
+				.userInfoEndpoint()
 				.userService(this.plainOauth2UserService)
 				.oidcUserService(this.oidcUserService);
 
@@ -401,7 +420,7 @@ protected LogoutSuccessHandler logoutSuccessHandler(AuthorizationProperties auth
 				OAuth2TokenUtilsService oauth2TokenUtilsService) {
 			AccessTokenClearingLogoutSuccessHandler logoutSuccessHandler =
 					new AccessTokenClearingLogoutSuccessHandler(oauth2TokenUtilsService);
-			logoutSuccessHandler.setDefaultTargetUrl(dashboard(authorizationProperties, "/logout-success-oauth.html"));
+			logoutSuccessHandler.setDefaultTargetUrl(authorizationProperties.getLogoutSuccessUrl());
 			return logoutSuccessHandler;
 		}
 	}

spring-cloud-dataflow-rest-resource/src/main/java/org/springframework/cloud/dataflow/rest/resource/about/SecurityInfo.java

@@ -35,6 +35,8 @@ public class SecurityInfo {
 
 	private List<String> roles = new ArrayList<>(0);
 
+	private List<String> clientRegistrations = new ArrayList<>(0);
+
 	/**
 	 * Default constructor for serialization frameworks.
 	 */
@@ -85,6 +87,18 @@ public void setRoles(List<String> roles) {
 		this.roles = roles;
 	}
 
+	/**
+	 *
+	 * @return List of all available client registrations
+	 */
+	public List<String> getClientRegistrations() {
+		return clientRegistrations;
+	}
+
+	public void setClientRegistrations(List<String> clientRegistrations) {
+		this.clientRegistrations = clientRegistrations;
+	}
+
 	/**
 	 * @param role Adds the role to {@link #roles}
 	 * @return the security related meta-information

spring-cloud-dataflow-rest-resource/src/main/java/org/springframework/cloud/dataflow/rest/resource/security/SecurityInfoResource.java

@@ -37,6 +37,8 @@ public class SecurityInfoResource extends RepresentationModel {
 
 	private List<String> roles = new ArrayList<>(0);
 
+	private List<String> clientRegistrations = new ArrayList<>(0);
+
 	/**
 	 * Default constructor for serialization frameworks.
 	 */
@@ -87,6 +89,18 @@ public void setRoles(List<String> roles) {
 		this.roles = roles;
 	}
 
+	/**
+	 *
+	 * @return List of all available client registrations
+	 */
+	public List<String> getClientRegistrations() {
+		return clientRegistrations;
+	}
+
+	public void setClientRegistrations(List<String> clientRegistrations) {
+		this.clientRegistrations = clientRegistrations;
+	}
+
 	/**
 	 * @param role Adds the role to {@link #roles}
 	 * @return the resource with an additional role

spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/config/DataFlowControllerAutoConfiguration.java

@@ -21,6 +21,8 @@
 import java.util.Optional;
 import java.util.concurrent.ForkJoinPool;
 
+import javax.annotation.Nullable;
+
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.slf4j.Logger;
@@ -31,6 +33,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.domain.EntityScan;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.web.client.RestTemplateBuilder;
@@ -140,7 +143,6 @@
 import org.springframework.hateoas.server.core.AnnotationLinkRelationProvider;
 import org.springframework.http.converter.StringHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
-import org.springframework.lang.Nullable;
 import org.springframework.scheduling.concurrent.ForkJoinPoolFactoryBean;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
 import org.springframework.web.client.RestTemplate;
@@ -198,9 +200,11 @@ public AboutController aboutController(ObjectProvider<StreamDeployer> streamDepl
 										   FeaturesProperties featuresProperties,
 										   VersionInfoProperties versionInfoProperties,
 										   SecurityStateBean securityStateBean,
-										   DataflowMetricsProperties monitoringDashboardInfoProperties) {
+										   DataflowMetricsProperties monitoringDashboardInfoProperties,
+	                                       @Nullable OAuth2ClientProperties oAuth2ClientProperties) {
 		return new AboutController(streamDeployer.getIfAvailable(), launcherRepository.getIfAvailable(),
-				featuresProperties, versionInfoProperties, securityStateBean, monitoringDashboardInfoProperties);
+				featuresProperties, versionInfoProperties, securityStateBean, monitoringDashboardInfoProperties,
+				oAuth2ClientProperties);
 	}
 
 	@Bean
@@ -542,8 +546,9 @@ public SecurityStateBean securityStateBean() {
 		}
 
 		@Bean
-		public SecurityController securityController(SecurityStateBean securityStateBean) {
-			return new SecurityController(securityStateBean);
+		public SecurityController securityController(SecurityStateBean securityStateBean,
+													 @Nullable OAuth2ClientProperties oAuth2ClientProperties) {
+			return new SecurityController(securityStateBean, oAuth2ClientProperties);
 		}
 
 		@Bean

spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/controller/AboutController.java

@@ -17,6 +17,10 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+import javax.annotation.Nullable;
 
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -25,6 +29,7 @@
 import org.slf4j.LoggerFactory;
 
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.cloud.common.security.support.SecurityStateBean;
 import org.springframework.cloud.dataflow.core.Launcher;
@@ -53,6 +58,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -88,6 +94,8 @@ public class AboutController {
 
 	private final SecurityStateBean securityStateBean;
 
+	private final OAuth2ClientProperties oAuth2ClientProperties;
+
 	@Value("${security.oauth2.client.client-id:#{null}}")
 	private String oauthClientId;
 
@@ -102,13 +110,15 @@ public class AboutController {
 	private DataflowMetricsProperties dataflowMetricsProperties;
 
 	public AboutController(StreamDeployer streamDeployer, LauncherRepository launcherRepository, FeaturesProperties featuresProperties,
-			VersionInfoProperties versionInfoProperties, SecurityStateBean securityStateBean, DataflowMetricsProperties monitoringProperties) {
+			VersionInfoProperties versionInfoProperties, SecurityStateBean securityStateBean, DataflowMetricsProperties monitoringProperties,
+			@Nullable OAuth2ClientProperties oAuth2ClientProperties) {
 		this.streamDeployer = streamDeployer;
 		this.launcherRepository = launcherRepository;
 		this.featuresProperties = featuresProperties;
 		this.versionInfoProperties = versionInfoProperties;
 		this.securityStateBean = securityStateBean;
 		this.dataflowMetricsProperties = monitoringProperties;
+		this.oAuth2ClientProperties = oAuth2ClientProperties;
 	}
 
 	/**
@@ -138,7 +148,7 @@ public AboutResource getAboutResource() {
 
 		if (authenticationEnabled && SecurityContextHolder.getContext() != null) {
 			final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-			if (!(authentication instanceof AnonymousAuthenticationToken)) {
+			if (!(authentication instanceof AnonymousAuthenticationToken) && authentication != null) {
 				securityInfo.setAuthenticated(authentication.isAuthenticated());
 				securityInfo.setUsername(authentication.getName());
 
@@ -147,6 +157,16 @@ public AboutResource getAboutResource() {
 					securityInfo.addRole(grantedAuthority.getAuthority());
 				}
 			}
+
+			// Apply all client registrations to security infos which are based on authorization_code
+			if(oAuth2ClientProperties != null) {
+				List<String> authorizationCodeBasedClientRegistrations = oAuth2ClientProperties.getRegistration()
+						.entrySet()
+						.stream()
+						.filter(entry -> AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(entry.getValue().getAuthorizationGrantType()))
+						.map(Map.Entry::getKey).collect(Collectors.toList());
+				securityInfo.setClientRegistrations(authorizationCodeBasedClientRegistrations);
+			}
 		}
 
 		aboutResource.setSecurityInfo(securityInfo);