Build basic auth into registry

[mcquinne]

Summary

As a	data manager
I want to be able to	access create/update/delete endpoints in the registry using basic auth
So that I can	use the same API endpoints consistently to manage data

Description

We need to expose some registry endpoints to the public, e.g. for retrieving raw xml metadata, but we can't fully expose the registry api through the gateway unless the potentially destructive endpoints are configured to require authentication. We can get started by simply installing Spring security using embedded basic auth and evolving into more advanced authN/Z approaches down the road.

Tasks

• [x] Install Spring Security into the registry
  • ~Configured to use basic authentication for now~
  • spring-webmvc-pac4j is already installed in the project to integrate pac4j w/ Spring
• [ ] Add ~@Secured~ pac4j annotations to potentially destructive endpoints
• [ ] Use authentication hooks to restrict access to records marked as private
• [x] Decision: Remove previous CAS integration via pac4j implementation?
  • No We need to retain CAS support for the on-prem deployment and can leverage it in the cloud as well

[mcquinne]

After research and discussion we've decided our path is to retain and leverage the integration with CAS in our cloud deployment. We have a basic helm chart to deploy it locally already, which we will leverage in order to deploy it to the CIRES cloud.