Commit 623bc0c7 authored by Julian Horner's avatar Julian Horner

Adjust security configurations

parent 0d3600e0
...@@ -5,11 +5,8 @@ ...@@ -5,11 +5,8 @@
package de.rtuni.ms.apig; package de.rtuni.ms.apig;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
...@@ -17,7 +14,7 @@ import org.springframework.security.config.http.SessionCreationPolicy; ...@@ -17,7 +14,7 @@ import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
/** /**
* Class that handles security configuration. * Class that enables custom security configuration.
* *
* @author Julian * @author Julian
*/ */
...@@ -25,32 +22,41 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic ...@@ -25,32 +22,41 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
public class SecurityConfiguration extends WebSecurityConfigurerAdapter { public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
//---------------------------------------------------------------------------------------------- //----------------------------------------------------------------------------------------------
/** The configuration for the json web token. */ /** The <code>JwtConfig</code> for the json web token. */
@Autowired @Autowired
private JwtConfig jwtConfig; private JwtConfig jwtConfig;
//---------------------------------------------------------------------------------------------- //----------------------------------------------------------------------------------------------
/** /**
* Overrides the default configuration. * Overrides the default security configuration.
*/ */
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable() http.csrf().disable()
// make sure we use stateless session; session won't be used to store user's state. // make sure we use stateless session; session won't be used to store user's state.
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
// handle an authorized attempts
.exceptionHandling().authenticationEntryPoint( // Add a filter to validate the tokens with every request.
(req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED)).and()
// Add a filter to validate the tokens with every request
.addFilterAfter(new JwtTokenAuthenticationFilter(jwtConfig), .addFilterAfter(new JwtTokenAuthenticationFilter(jwtConfig),
UsernamePasswordAuthenticationFilter.class) UsernamePasswordAuthenticationFilter.class)
// authorization requests config
.authorizeRequests() .authorizeRequests()
// allow all who are accessing "auth" service .antMatchers("/auth/**").permitAll()
.antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll() // Anyone who is trying to access the securedPage must be an ADMIN.
// must be an admin if trying to access secured page (authentication is also required) // TODO can we change the path to /securedPage?
.antMatchers("/securedPage/**").hasRole("ADMIN"); .antMatchers("/securedPage/**").hasRole("ADMIN")
// Permit default path.
.antMatchers("/login").permitAll().and()
// Configures where to forward if authentication is required.
.formLogin().loginPage("/login")
// Configures url for processing of login data.
.loginProcessingUrl("process_login") // TODO can we remove this?
// Configures where to go if there is no previous visited page.
.defaultSuccessUrl("/", true).and()
// Configures url for processing of logout.
.logout().logoutUrl("/process_logout")
.deleteCookies("JSESSIONID"); // TODO i think we can remove this
} }
//---------------------------------------------------------------------------------------------- //----------------------------------------------------------------------------------------------
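Review bot: `.antMatchers("/auth/**").permitAll()` on the new side widens the unauthenticated surface from a single POST endpoint (`jwtConfig.getUri()`) to every HTTP method and every sub-path under `/auth`; unless each handler under `/auth/**` is meant to be public, keep the method restriction, e.g. `.antMatchers(HttpMethod.POST, "/auth/**").permitAll()` (the `HttpMethod` import this commit drops would then have to come back). The `authorizeRequests()` chain also has no `.anyRequest()` rule, so paths other than `/securedPage/**` appear to carry no authorization constraint at all; `.anyRequest().authenticated()` before the `.and()` would make the default explicit. `.loginProcessingUrl("process_login")` lacks the leading slash that request paths always carry, so that matcher likely never fires — either `.loginProcessingUrl("/process_login")` or drop it as the TODO suggests. Form login combined with `SessionCreationPolicy.STATELESS` means a successful form login is not retained for the next request, which is worth confirming is intended for a JWT-based gateway.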