a4de2a7b79
Implement three-phase security upgrade: Phase 1 - RBAC: Extend JWT with roles claim, populate Spring GrantedAuthority in filter, enforce role-based access (AGENT for data/heartbeat/SSE, VIEWER+ for search/diagrams, OPERATOR+ for commands, ADMIN for user management). Configurable JWT secret via CAMELEER_JWT_SECRET env var for token persistence across restarts. Phase 2 - User persistence: ClickHouse users table with ReplacingMergeTree, UserRepository interface + ClickHouse impl, UserAdminController for CRUD at /api/v1/admin/users. Local login upserts user on each authentication. Phase 3 - OIDC: Token exchange flow where SPA sends auth code, server exchanges it server-side (keeping client_secret secure), validates id_token via JWKS, resolves roles (DB override > OIDC claim > default), issues internal JWT. Conditional on CAMELEER_OIDC_ENABLED=true. Uses oauth2-oidc-sdk for standards compliance. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
161 lines
6.0 KiB
XML
161 lines
6.0 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
|
<modelVersion>4.0.0</modelVersion>
|
|
|
|
<parent>
|
|
<groupId>com.cameleer3</groupId>
|
|
<artifactId>cameleer3-server-parent</artifactId>
|
|
<version>1.0-SNAPSHOT</version>
|
|
</parent>
|
|
|
|
<artifactId>cameleer3-server-app</artifactId>
|
|
<name>Cameleer3 Server App</name>
|
|
<description>Spring Boot web app with REST controllers and SSE</description>
|
|
|
|
<dependencies>
|
|
<dependency>
|
|
<groupId>com.cameleer3</groupId>
|
|
<artifactId>cameleer3-server-core</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-web</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-websocket</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-actuator</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-jdbc</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.clickhouse</groupId>
|
|
<artifactId>clickhouse-jdbc</artifactId>
|
|
<version>0.9.7</version>
|
|
<classifier>all</classifier>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springdoc</groupId>
|
|
<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
|
|
<version>2.8.6</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.elk</groupId>
|
|
<artifactId>org.eclipse.elk.core</artifactId>
|
|
<version>0.11.0</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.elk</groupId>
|
|
<artifactId>org.eclipse.elk.alg.layered</artifactId>
|
|
<version>0.11.0</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.jfree</groupId>
|
|
<artifactId>org.jfree.svg</artifactId>
|
|
<version>5.0.7</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.xtext</groupId>
|
|
<artifactId>org.eclipse.xtext.xbase.lib</artifactId>
|
|
<version>2.37.0</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-security</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.nimbusds</groupId>
|
|
<artifactId>nimbus-jose-jwt</artifactId>
|
|
<version>9.47</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.nimbusds</groupId>
|
|
<artifactId>oauth2-oidc-sdk</artifactId>
|
|
<version>11.23.1</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-test</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.security</groupId>
|
|
<artifactId>spring-security-test</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.testcontainers</groupId>
|
|
<artifactId>testcontainers-clickhouse</artifactId>
|
|
<version>2.0.3</version>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.awaitility</groupId>
|
|
<artifactId>awaitility</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
</dependencies>
|
|
|
|
<build>
|
|
<plugins>
|
|
<plugin>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-maven-plugin</artifactId>
|
|
</plugin>
|
|
<plugin>
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
<artifactId>maven-resources-plugin</artifactId>
|
|
<executions>
|
|
<execution>
|
|
<id>copy-ui-dist</id>
|
|
<phase>generate-resources</phase>
|
|
<goals>
|
|
<goal>copy-resources</goal>
|
|
</goals>
|
|
<configuration>
|
|
<outputDirectory>${project.build.directory}/classes/static</outputDirectory>
|
|
<resources>
|
|
<resource>
|
|
<directory>${project.basedir}/../ui/dist</directory>
|
|
<filtering>false</filtering>
|
|
</resource>
|
|
</resources>
|
|
</configuration>
|
|
</execution>
|
|
</executions>
|
|
</plugin>
|
|
<plugin>
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
<artifactId>maven-surefire-plugin</artifactId>
|
|
<configuration>
|
|
<forkCount>1</forkCount>
|
|
<reuseForks>false</reuseForks>
|
|
</configuration>
|
|
</plugin>
|
|
<plugin>
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
<artifactId>maven-failsafe-plugin</artifactId>
|
|
<configuration>
|
|
<forkCount>1</forkCount>
|
|
<reuseForks>false</reuseForks>
|
|
</configuration>
|
|
<executions>
|
|
<execution>
|
|
<goals>
|
|
<goal>integration-test</goal>
|
|
<goal>verify</goal>
|
|
</goals>
|
|
</execution>
|
|
</executions>
|
|
</plugin>
|
|
</plugins>
|
|
</build>
|
|
</project>
|