Merged
Conversation
…ity module - Deleted FlowPropertiesTest, FlowEnforcementAspectTest, FlowValidatorTest, SecurityExpressionRootTest classes as they are no longer needed. - Updated pom.xml to add core-security module to the project structure.
- Introduced PolicyEngineTest to validate policy evaluation logic. - Added PolicyServiceTest to ensure correct policy retrieval based on client ID. - Created SecurityConfigTest to verify security configuration and filter chain setup. - Implemented AuthTypeEnforcementFilterTest to test authentication flow enforcement. - Added AuthFlowResolverTest to validate authentication flow resolution based on JWT claims. - Created AzureJwtAuthenticationConverterTest for testing JWT authority extraction. - Added ApiDefinitionResolverTest and CoreApiRegistryTest to ensure API definition resolution works as expected. - Removed outdated CustomRoleConverterTest and SecurityConfigTest from the tests directory.
📊 Static Analysis Summary🔍 Code Quality Checks
📦 Download detailed reports from the workflow artifacts. |
…pdate imports in tests - Moved MarketplaceExternalServicePlaceholder to its own file for better modularity - Updated ComponentsFacade and ComponentsServiceTest to reference the new class location - Cleaned up unused imports and improved static import specificity in test classes - Minor code cleanup in PolicyAuthorizationManager and PolicyService
📊 Static Analysis Summary🔍 Code Quality Checks
📦 Download detailed reports from the workflow artifacts. |
…eation to use authenticated client
📊 Static Analysis Summary🔍 Code Quality Checks
📦 Download detailed reports from the workflow artifacts. |
…flavor handling in authorization
📊 Static Analysis Summary🔍 Code Quality Checks
📦 Download detailed reports from the workflow artifacts. |
…rite requests and update SecurityConfig to include CachedBodyRequestFilter
…rt reading request bodies multiple times; refactor ClientCredentialFlowValidator and FlavorRestrictionEvaluator for improved clarity
📊 Static Analysis Summary🔍 Code Quality Checks
📦 Download detailed reports from the workflow artifacts. |
…for setting API definition attribute; update SecurityUtils to simplify error message for invalid authentication tokens
|
📊 Static Analysis Summary🔍 Code Quality Checks
📦 Download detailed reports from the workflow artifacts. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces a new modular security layer for the project by adding a
core-securitymodule. The changes implement a flexible policy-based authorization system integrated with Spring Security and Azure AD JWT authentication. The security configuration is now externalized, supporting public endpoints and dynamic policy evaluation for API requests. The main areas of change are the addition of new security components, policy evaluation infrastructure, and configuration updates.Security configuration and integration:
core-securitymodule with its ownpom.xml, including dependencies for Spring Security, OAuth2 resource server, and project contracts.SecurityConfigandSecurityPropertiesto configure Spring Security, define public endpoints, and integrate JWT authentication with Azure AD. [1] [2]application.yamlto configure OAuth2 resource server with Azure AD issuer and define public endpoints for health checks.Policy-based authorization system:
PolicyAuthorizationManager,PolicyEngine, andPolicyServiceto support dynamic, rule-based authorization decisions for API requests. These components resolve API definitions, retrieve relevant policies, and evaluate them to allow or deny access. [1] [2] [3]PolicyContextFactoryto build policy evaluation contexts from HTTP requests and JWT claims.Policy evaluators:
AllowedClientsEvaluatorandFlavorRestrictionEvaluatoras concrete policy evaluators, supporting client-based and request-body-based authorization rules, respectively. [1] [2]Authentication flow enforcement:
AuthTypeEnforcementFilter,AuthFlowResolver, andAuthFlowValidatorto ensure that only allowed authentication flows (e.g., OBO, client credentials) are accepted for each API, with flow-specific validation. [1] [2] [3]