From bed67773b341af400db355654916599e57128a70 Mon Sep 17 00:00:00 2001 From: John Neal Date: Mon, 24 May 2021 14:59:44 -0500 Subject: [PATCH 1/5] added login page --- pom.xml | 5 ++ .../config/WebSecurityConfiguration.java | 69 +++++++++++++++++++ .../kafdrop/controller/AuthController.java | 24 +++++++ src/main/resources/application.yml | 7 +- src/main/resources/templates/login.ftlh | 30 ++++++++ 5 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 src/main/java/kafdrop/config/WebSecurityConfiguration.java create mode 100644 src/main/java/kafdrop/controller/AuthController.java create mode 100644 src/main/resources/templates/login.ftlh diff --git a/pom.xml b/pom.xml index fcb5cd8d..2a424690 100644 --- a/pom.xml +++ b/pom.xml @@ -149,6 +149,11 @@ org.springframework.boot spring-boot-starter-validation + + + org.springframework.boot + spring-boot-starter-security + org.springframework.kafka spring-kafka diff --git a/src/main/java/kafdrop/config/WebSecurityConfiguration.java b/src/main/java/kafdrop/config/WebSecurityConfiguration.java new file mode 100644 index 00000000..34e09b0d --- /dev/null +++ b/src/main/java/kafdrop/config/WebSecurityConfiguration.java 
@@ -0,0 +1,69 @@
+package kafdrop.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+@EnableWebSecurity
+@ConfigurationProperties(prefix = "spring.security.user")
+public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+ private static final Logger LOG = LoggerFactory.getLogger(WebSecurityConfiguration.class);
+
+ private String name;
+ private String password;
+ private String roles;
+
+ // public setters required for property initialization
+ public void setName(String name) { this.name = name; }
+ public void setPassword(String password) { this.password = password; }
+ public void setRoles(String roles) { this.roles = roles; }
+
+
+ // allow access to /login. Require authentication for all other pages.
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http
+ .csrf().disable()
+ .authorizeRequests()
+ .antMatchers("/login*").permitAll()
+ .anyRequest().authenticated()
+ .and()
+ .formLogin()
+ .loginPage("/login")
+ .permitAll();
+
+ }
+
+ // authenticate user
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ LOG.info(String.format("authenticating user with name: %s password: %s role: %s",
+ this.name, this.password, this.roles));
+ auth.inMemoryAuthentication()
+ .passwordEncoder(passwordEncoder())
+ .withUser(this.name)
+ .password(passwordEncoder().encode(this.password))
+ .roles(this.roles);
+ }
+
+ @Bean
+ public PasswordEncoder passwordEncoder() {
+ return new BCryptPasswordEncoder();
+ }
+
+ // don't enforce access to these static resources
+ @Override
+ public void configure(WebSecurity web) throws Exception {
+ web.ignoring().antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/images/**");
+ }
+}
diff --git a/src/main/java/kafdrop/controller/AuthController.java b/src/main/java/kafdrop/controller/AuthController.java
new file mode 100644
index 00000000..47efd42b
--- /dev/null
+++ b/src/main/java/kafdrop/controller/AuthController.java
@@ -0,0 +1,24 @@
+package kafdrop.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+@Controller
+public class AuthController {
+
+ @RequestMapping(value = "/login", method = RequestMethod.GET)
+ public String login(Model model, String error, String logout) {
+ if (error != null) {
+ model.addAttribute("errorMsg", "Your username and password are invalid.");
+ }
+
+ if (logout != null) {
+ model.addAttribute("msg", "You have been logged out successfully.");
+ }
+
+ return "login";
+ }
+
+}
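Review bot: In WebSecurityConfiguration's `configure(AuthenticationManagerBuilder)`, the `LOG.info(String.format(...))` call writes `this.password` in cleartext to the application log at INFO level whenever the security configuration is initialised. Anyone with access to the logs or a log aggregator then holds the login credential that the bcrypt encoding a few lines later is meant to protect. Drop the password from the message and use SLF4J placeholders instead of `String.format`, e.g. `LOG.info("configuring in-memory user: {} roles: {}", this.name, this.roles);`. Separately, `.roles(this.roles)` receives the property as one string, so a comma-separated value would presumably become a single role name rather than several; worth confirming, or splitting before the call.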
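Review bot: In AuthController, `login(Model model, String error, String logout)` binds the two unannotated `String` arguments to query parameters implicitly by name, which depends on parameter names being retained in the compiled class. Making the binding explicit is clearer: `@RequestParam(required = false) String error, @RequestParam(required = false) String logout` (with the matching import). The handler only tests both values for null and emits fixed messages, so nothing request-supplied reaches the template; a one-line comment such as `// error/logout are presence flags only; their values are never rendered` would keep it that way. `@GetMapping("/login")` could also replace the longer `@RequestMapping(value = ..., method = RequestMethod.GET)` form.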
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 23bdeb25..f7b19c7d 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml @@ -7,6 +7,11 @@ server: enabled: false spring: + security: + user: + name: admin + password: admin + roles: USER jmx: enabled: true default_domain: Kafdrop @@ -33,4 +38,4 @@ kafka: securityProtocol: "SASL_PLAINTEXT" truststoreFile: "${KAFKA_TRUSTSTORE_FILE:kafka.truststore.jks}" propertiesFile : "${KAFKA_PROPERTIES_FILE:kafka.properties}" - keystoreFile: "${KAFKA_KEYSTORE_FILE:kafka.keystore.jks}" \ No newline at end of file + keystoreFile: "${KAFKA_KEYSTORE_FILE:kafka.keystore.jks}" diff --git a/src/main/resources/templates/login.ftlh b/src/main/resources/templates/login.ftlh new file mode 100644 index 00000000..538abbca --- /dev/null +++ b/src/main/resources/templates/login.ftlh @@ -0,0 +1,30 @@ +<#import "/spring.ftl" as spring /> +<#import "lib/template.ftlh" as template> +<@template.header "Enter Login Information"/> + +
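Review bot: The first application.yml hunk ships `name: admin` / `password: admin` as packaged defaults under `spring.security.user`, so any deployment that does not override them is guarded by a publicly known credential while appearing to enforce authentication. Prefer no default password in the bundled file and require the operator to supply one, using the `${...}` placeholder style the `kafka` section already uses but without a fallback value, e.g. `password: "${<LOGIN_PASSWORD_VAR>}"` (placeholder name), so that startup fails when it is unset. That also keeps the secret out of the repository and the built jar. The second hunk only adds the missing end-of-file newline and needs no change.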
+


+
+
+
+
+
+
+

+
+ +

+

+
+ +

+ + +
+
+
+
+
+
+ +<@template.footer/> From 6199bc0f9f8dd4068ffce3d6f8e479dff003c088 Mon Sep 17 00:00:00 2001 From: John Neal Date: Mon, 24 May 2021 16:33:35 -0500 Subject: [PATCH 2/5] removed dependency on csrf.disable() --- pom.xml | 5 +++++ src/main/java/kafdrop/config/WebSecurityConfiguration.java | 2 +- src/main/resources/templates/login.ftlh | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 2a424690..4d05a41b 100644 --- a/pom.xml +++ b/pom.xml @@ -154,6 +154,11 @@ org.springframework.boot spring-boot-starter-security
+ + + org.springframework.security + spring-security-taglibs + org.springframework.kafka spring-kafka diff --git a/src/main/java/kafdrop/config/WebSecurityConfiguration.java b/src/main/java/kafdrop/config/WebSecurityConfiguration.java index 34e09b0d..9ed90734 100644 --- a/src/main/java/kafdrop/config/WebSecurityConfiguration.java +++ b/src/main/java/kafdrop/config/WebSecurityConfiguration.java @@ -33,7 +33,6 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http - .csrf().disable() .authorizeRequests() .antMatchers("/login*").permitAll() .anyRequest().authenticated() @@ -42,6 +41,7 @@ protected void configure(HttpSecurity http) throws Exception { .loginPage("/login") .permitAll(); + // http.csrf().disable(); } // authenticate user diff --git a/src/main/resources/templates/login.ftlh b/src/main/resources/templates/login.ftlh index 538abbca..e0d12356 100644 --- a/src/main/resources/templates/login.ftlh +++ b/src/main/resources/templates/login.ftlh @@ -18,7 +18,7 @@
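Review bot: In the WebSecurityConfiguration hunk, the added `// http.csrf().disable();` line leaves the disabling call behind as commented-out code at the end of `configure(HttpSecurity)`, where it is easy to re-enable by accident. Delete it; if a reminder is wanted, use a why-comment instead, such as `// CSRF protection stays at the Spring Security default (enabled); every POST form must include the token`. The method body starts above this hunk. With CSRF now enforced, every other state-changing form or script request in the templates needs the token too; the later topic-create.ftlh patch suggests at least one was missed, so a pass over the remaining templates would be worthwhile.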

- + From b7ea24a18f12a912f90cfbfadb9832a09ca7180f Mon Sep 17 00:00:00 2001 From: John Neal Date: Thu, 27 May 2021 12:25:18 -0500 Subject: [PATCH 3/5] issue when setting context path --- src/main/resources/templates/login.ftlh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/resources/templates/login.ftlh b/src/main/resources/templates/login.ftlh index e0d12356..e240267f 100644 --- a/src/main/resources/templates/login.ftlh +++ b/src/main/resources/templates/login.ftlh @@ -8,7 +8,7 @@
-
+


From 832276bb9f09cffcd6e5e62973bae4e8fd340961 Mon Sep 17 00:00:00 2001 From: John Neal Date: Thu, 3 Jun 2021 16:23:38 -0500 Subject: [PATCH 4/5] Update topic-create.ftlh corrected issue caused by enabling http.csrf() that was not caught in initial testing. --- src/main/resources/templates/topic-create.ftlh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main/resources/templates/topic-create.ftlh b/src/main/resources/templates/topic-create.ftlh index 804013b5..f0846f6a 100644 --- a/src/main/resources/templates/topic-create.ftlh +++ b/src/main/resources/templates/topic-create.ftlh @@ -46,6 +46,8 @@ + + +