FINERACT-1490: SSL configuration based on application.properties

djamoapp · Feb 20, 2022 · b96cae3 · b96cae3
1 parent 45264ea
commit b96cae3
Show file tree

Hide file tree

Showing 9 changed files with 61 additions and 175 deletions.
diff --git a/README.md b/README.md
@@ -186,6 +186,19 @@ Please check `application.properties` to see which connection pool settings can
 
 NOTE: we'll keep backwards compatibility until one of the next releases to ensure that things are working as expected. Environment variables prefixed `fineract_tenants_*` can still be used to configure the database connection, but we strongly encourage using `FINERACT_HIKARI_*` with more options.
 
+SSL configuration
+=================
+
+By default SSL is enabled, but all SSL related properties are now tunable. SSL can be turned off by setting the environment variable `FINERACT_SERVER_SSL_ENABLED` to false. If you do that then please make sure to also change the server port to `8080` via the variable `FINERACT_SERVER_PORT`, just for the sake of keeping the conventions.
+You can choose now easily a different SSL keystore by setting `FINERACT_SERVER_SSL_KEY_STORE` with a path to a different (not embedded) keystore. The password can be set via `FINERACT_SERVER_SSL_KEY_STORE_PASSWORD`. See the `application.properties` file and the latest Spring Boot documentation (https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html) for more details.
+
+
+Tomcat configuration
+====================
+
+Please refer to the `application.properties` and the official Spring Boot documentation (https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html) on how to do performance tuning for Tomcat. Note: you can set now the acceptable form POST size (default is 2MB) via environment variable `FINERACT_SERVER_TOMCAT_MAX_HTTP_FORM_POST_SIZE`.
+
+
 Instructions to run on Kubernetes
 =================================
 

diff --git a/fineract-provider/src/main/java/org/apache/fineract/ServerApplication.java b/fineract-provider/src/main/java/org/apache/fineract/ServerApplication.java
@@ -20,12 +20,10 @@
 
 import java.io.IOException;
 import org.apache.fineract.infrastructure.core.boot.AbstractApplicationConfiguration;
-import org.apache.fineract.infrastructure.core.boot.EmbeddedTomcatWithSSLConfiguration;
 import org.springframework.boot.autoconfigure.jdbc.DataSourceProperties;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
 import org.springframework.context.ConfigurableApplicationContext;
-import org.springframework.context.annotation.Import;
 
 /**
  * Fineract main() application which launches Fineract in an embedded Tomcat HTTP (using Spring Boot).
@@ -42,7 +40,6 @@
 
 public class ServerApplication extends SpringBootServletInitializer {
 
- @Import({ EmbeddedTomcatWithSSLConfiguration.class })
  private static class Configuration extends AbstractApplicationConfiguration {}
 
  @Override

diff --git a/...java/org/apache/fineract/infrastructure/core/boot/EmbeddedTomcatWithSSLConfiguration.java b/...java/org/apache/fineract/infrastructure/core/boot/EmbeddedTomcatWithSSLConfiguration.java
diff --git a/...er/src/main/java/org/apache/fineract/infrastructure/core/config/OAuth2SecurityConfig.java b/...er/src/main/java/org/apache/fineract/infrastructure/core/config/OAuth2SecurityConfig.java
@@ -30,6 +30,7 @@
 import org.apache.fineract.infrastructure.security.vote.SelfServiceUserAccessVote;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -72,6 +73,9 @@ public class OAuth2SecurityConfig extends WebSecurityConfigurerAdapter {
  @Autowired
  private TenantAwareJpaPlatformUserDetailsService userDetailsService;
 
+ @Autowired
+ private ServerProperties serverProperties;
+
  private static final JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
 
  @Override
@@ -97,8 +101,13 @@ protected void configure(HttpSecurity http) throws Exception {
  .sessionCreationPolicy(SessionCreationPolicy.STATELESS) //
  .and() //
  .addFilterAfter(tenantAwareTenantIdentifierFilter, SecurityContextPersistenceFilter.class) //
- .addFilterAfter(twoFactorAuthenticationFilter, BasicAuthenticationFilter.class) //
- .requiresChannel(channel -> channel.antMatchers("/api/**").requiresSecure());
+ .addFilterAfter(twoFactorAuthenticationFilter, BasicAuthenticationFilter.class); //
+
+ if (serverProperties.getSsl().isEnabled()) {
+ http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresSecure());
+ } else {
+ http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresInsecure());
+ }
  }
 
  @Bean

diff --git a/...provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java b/...provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java
@@ -24,6 +24,7 @@
 import org.apache.fineract.infrastructure.security.service.TenantAwareJpaPlatformUserDetailsService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -52,6 +53,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
  @Autowired
  private TwoFactorAuthenticationFilter twoFactorAuthenticationFilter;
 
+ @Autowired
+ private ServerProperties serverProperties;
+
  @Override
  protected void configure(HttpSecurity http) throws Exception {
 
@@ -74,9 +78,13 @@ protected void configure(HttpSecurity http) throws Exception {
  .sessionCreationPolicy(SessionCreationPolicy.STATELESS) //
  .and() //
  .addFilterAfter(tenantAwareBasicAuthenticationFilter(), SecurityContextPersistenceFilter.class) //
- .addFilterAfter(twoFactorAuthenticationFilter, BasicAuthenticationFilter.class) //
- .requiresChannel(channel -> channel.antMatchers("/api/**").requiresSecure());
+ .addFilterAfter(twoFactorAuthenticationFilter, BasicAuthenticationFilter.class); //
 
+ if (serverProperties.getSsl().isEnabled()) {
+ http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresSecure());
+ } else {
+ http.requiresChannel(channel -> channel.antMatchers("/api/**").requiresInsecure());
+ }
  }
 
  @Bean

diff --git a/fineract-provider/src/main/resources/application.properties b/fineract-provider/src/main/resources/application.properties
@@ -46,6 +46,24 @@ management.endpoints.web.exposure.include=health,info
 
 # FINERACT-914
 server.forward-headers-strategy=framework
+server.port=${FINERACT_SERVER_PORT:8443}
+server.servlet.context-path=${FINERACT_SERVER_SERVLET_CONTEXT_PATH:/fineract-provider}
+server.compression.enabled=${FINERACT_SERVER_COMPRESSION_ENABLED:true}
+
+server.ssl.enabled=${FINERACT_SERVER_SSL_ENABLED:true}
+server.ssl.protocol=TLS
+#server.ssl.ciphers=${FINERACT_SERVER_SSL_CIPHERS:TLS_RSA_WITH_AES_128_CBC_SHA256}
+#server.ssl.enabled-protocols=${FINERACT_SERVER_SSL_PROTOCOLS:TLSv1.2}
+server.ssl.key-store=${FINERACT_SERVER_SSL_KEY_STORE:classpath:keystore.jks}
+server.ssl.key-store-password=${FINERACT_SERVER_SSL_KEY_STORE_PASSWORD:openmf}
+
+server.tomcat.accept-count=${FINERACT_SERVER_TOMCAT_ACCEPT_COUNT:100}
+server.tomcat.accesslog.enabled=${FINERACT_SERVER_TOMCAT_ACCESSLOG_ENABLED:false}
+server.tomcat.max-connections=${FINERACT_SERVER_TOMCAT_MAX_CONNECTIONS:8192}
+server.tomcat.max-http-form-post-size=${FINERACT_SERVER_TOMCAT_MAX_HTTP_FORM_POST_SIZE:2MB}
+server.tomcat.max-keep-alive-requests=${FINERACT_SERVER_TOMCAT_MAX_KEEP_ALIVE_REQUESTS:100}
+server.tomcat.threads.max=${FINERACT_SERVER_TOMCAT_THREADS_MAX:200}
+server.tomcat.threads.min-spare=${FINERACT_SERVER_TOMCAT_THREADS_MIN_SPARE:10}
 
 # OAuth authorisation server endpoint
 spring.security.oauth2.resourceserver.jwt.issuer-uri=http:https://localhost:9000/auth/realms/fineract

diff --git a/...pache/fineract/infrastructure/core/boot/tests/EmbeddedTomcatWithSSLConfigurationTest.java b/...pache/fineract/infrastructure/core/boot/tests/EmbeddedTomcatWithSSLConfigurationTest.java
diff --git a/fineract-provider/src/test/resources/application-test.properties b/fineract-provider/src/test/resources/application-test.properties
@@ -46,6 +46,14 @@ management.endpoints.web.exposure.include=health,info
 
 # FINERACT-914
 server.forward-headers-strategy=framework
+server.port=8443
+server.servlet.context-path=/fineract-provider
+server.compression.enabled=true
+
+server.ssl.enabled=true
+server.ssl.protocol=TLS
+server.ssl.key-store=keystore.jks
+server.ssl.key-store-password=openmf
 
 spring.datasource.hikari.driverClassName=org.mariadb.jdbc.Driver
 spring.datasource.hikari.jdbcUrl=jdbc:mariadb:https://localhost:3306/fineract_tenants

diff --git a/integration-tests/build.gradle b/integration-tests/build.gradle
@@ -38,6 +38,7 @@ cargo {
  }
 
  local {
+ logLevel = 'medium'
  installer {
  installConfiguration = configurations.tomcat
  downloadDir = file("$buildDir/download")