From 42f8978d06f1b5688cfd7f1779cfc1b7cfd65aec Mon Sep 17 00:00:00 2001
From: Rohan Sircar
Date: Fri, 31 Jul 2020 12:43:17 +0530
Subject: [PATCH] Updated security config
---
 .../ros/chatto/WebSecurityConfiguration.java | 95 +++++++++----------
 1 file changed, 47 insertions(+), 48 deletions(-)
diff --git a/src/main/java/org/ros/chatto/WebSecurityConfiguration.java b/src/main/java/org/ros/chatto/WebSecurityConfiguration.java
index 202fd51..628689f 100644
--- a/src/main/java/org/ros/chatto/WebSecurityConfiguration.java
+++ b/src/main/java/org/ros/chatto/WebSecurityConfiguration.java
@@ -20,14 +20,17 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import lombok.RequiredArgsConstructor;
+
 @Configuration
 @EnableWebSecurity
+@RequiredArgsConstructor
 public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 @Autowired
- private MyUserDetailsService myUserDetailsService;
+ private final MyUserDetailsService myUserDetailsService;
 @Autowired
- private PasswordEncoder passwordEncoder;
+ private final PasswordEncoder passwordEncoder;
 @Override
 @Bean
@@ -37,7 +40,7 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 @Bean
 public AuthenticationProvider authenticationProvider() {
- DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+ final DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
 provider.setUserDetailsService(myUserDetailsService);
 provider.setPasswordEncoder(passwordEncoder);
 return provider;
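Review bot: Both fields keep their `@Autowired` annotation after the commit switches the class to `@RequiredArgsConstructor` with `final` fields, so each dependency is supplied through the generated constructor and then written a second time by field injection through reflection on a final field; drop the two `@Autowired` lines (the inner classes in the last hunk have the same leftover). Since the file imports `BCryptPasswordEncoder`, the `PasswordEncoder` bean is presumably declared by a method of this same class (outside the hunk); if so, constructor-injecting `passwordEncoder` into `WebSecurityConfiguration` creates a self-referencing cycle that field injection tolerated but constructor injection will reject at startup, so that should be verified before merging. `authenticationProvider()` in the second hunk only reads the fields and is unaffected either way.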
@@ -50,80 +53,76 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 @Configuration
 @Order(1)
+ @RequiredArgsConstructor
 public static class ApiWebSecurity extends WebSecurityConfigurerAdapter {
 @Autowired
- private RESTAuthenticationEntryPoint authenticationEntryPoint;
-
- @Autowired
- private CustomBasicAuthenticationFilter customBasicAuthFilter;
+ private final RESTAuthenticationEntryPoint authenticationEntryPoint;
 @Autowired
- private TokenAuthenticationFilter tokenFilter;
+ private final CustomBasicAuthenticationFilter customBasicAuthFilter;
+
+ @Autowired
+ private final TokenAuthenticationFilter tokenFilter;
 @Override
- protected void configure(HttpSecurity http) throws Exception {
+ protected void configure(final HttpSecurity http) throws Exception {
 http.csrf().disable().exceptionHandling()
- .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
-// .cors().and()
-
+ .and().sessionManagement()
+ .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+ .and()
+ // .cors().and()
 .antMatcher("/api/**").authorizeRequests()
- .antMatchers("/api/chat/**").hasAnyRole("USER", "ADMIN", "SUPER_USER")
+ .antMatchers("/api/chat/**")
+ .hasAnyRole("USER", "ADMIN", "SUPER_USER")
+ .antMatchers("/api/admin/**")
+ .hasAnyRole("ADMIN", "SUPER_USER")
 .antMatchers("/api/demo/**").hasRole("SUPER_USER")
-// .antMatchers("/perform-login").permitAll()
-
- .anyRequest()
-// .hasAnyRole("USER", "ADMIN", "SUPER_USER")
- .authenticated()
- .and().httpBasic().authenticationEntryPoint(authenticationEntryPoint)
- ;
-
- http.addFilterBefore(tokenFilter, BasicAuthenticationFilter.class);
-
- // Creating token when basic authentication is successful and the same token can
- // be used to authenticate for further requests
-// final CustomBasicAuthenticationFilter customBasicAuthFilter = new CustomBasicAuthenticationFilter(
-// authenticationManagerBean());
- http.addFilter(customBasicAuthFilter);
-
+ .anyRequest().authenticated().and().httpBasic()
+ .authenticationEntryPoint(authenticationEntryPoint).and()
+ .addFilterBefore(tokenFilter,
+ BasicAuthenticationFilter.class)
+ // Creating token when basic authentication is successful
+ // and the
+ // same token can
+ // be used to authenticate for further requests
+ .addFilter(customBasicAuthFilter);
 }
 }
 @Configuration
 @Order(2)
+ @RequiredArgsConstructor
 public static class FormWebSecurity extends WebSecurityConfigurerAdapter {
 @Autowired
- private UserSessionLoggingLoginSuccessHandler loginSuccessHandler;
+ private final UserSessionLoggingLoginSuccessHandler loginSuccessHandler;
 @Autowired
- private UserSessionLoggingLogoutSuccessHandler logoutSuccessHandler;
+ private final UserSessionLoggingLogoutSuccessHandler logoutSuccessHandler;
 @Override
- protected void configure(HttpSecurity httpSecurity) throws Exception {
- httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and()
+ protected void configure(final HttpSecurity httpSecurity)
+ throws Exception {
+ httpSecurity.sessionManagement()
+ .sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and()
 .authorizeRequests()
-// .antMatchers(HttpMethod.POST, "/api/**").permitAll()
- .antMatchers("/", "perform_login", "/logout**", "/favicon.ico", "/login*", "/registration",
- "/perform_registration", "/css/**", "/js/**", "/img/**")
- .permitAll()
-// .antMatchers("/","/api**","/api/**","/login*","/registration","/perform_registration","/css/**", "/js/**", "/images/**").permitAll()
- .antMatchers("/user/**").hasAnyRole("USER", "ADMIN", "SUPER_USER").antMatchers("/admin/**")
- .hasAnyRole("ADMIN", "SUPER_USER")
-// .and()
-// .antMatcher("/api/**")
-// .authorizeRequests()
+ .antMatchers("/", "perform_login", "/logout**",
+ "/favicon.ico", "/login*", "/registration",
+ "/perform_registration", "/css/**", "/js/**",
+ "/img/**")
+ .permitAll().antMatchers("/user/**")
+ .hasAnyRole("USER", "ADMIN", "SUPER_USER")
+ .antMatchers("/admin/**").hasAnyRole("ADMIN", "SUPER_USER")
 .anyRequest().authenticated()
 .and()
- .formLogin().loginPage("/login").permitAll().loginProcessingUrl("/perform_login")
+ .formLogin().loginPage("/login").permitAll()
+ .loginProcessingUrl("/perform_login")
 .successHandler(loginSuccessHandler).and().logout()
- .logoutSuccessHandler(logoutSuccessHandler)
- ;
+ .logoutSuccessHandler(logoutSuccessHandler);
 }
-// }
-
 }
 }
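Review bot: The `"perform_login"` entry in the `permitAll()` matcher list of `FormWebSecurity.configure` has no leading slash, and Spring's ant matcher never matches a pattern without `/` against a request path that has one, so that entry is dead; the login POST only works because `loginProcessingUrl("/perform_login")` is intercepted by the login filter before authorization runs, so either write it as `"/perform_login"` or drop it. In `ApiWebSecurity.configure` the re-wrapped comment is now split into four fragments (`// and the`, `// same token can`); rejoin it as `// Creating a token when basic authentication succeeds; the same token` / `// authenticates further requests`. `tokenFilter` and `customBasicAuthFilter` are injected as beans here; if those classes are registered as `@Component` `Filter`s, Spring Boot also installs them as plain servlet filters for every URL, so they would run outside the `/api/**` chain (on the form endpoints too) — worth confirming, and if so disabling the automatic registration via a `FilterRegistrationBean` with `setEnabled(false)`. `csrf().disable()` on the API chain is pre-existing and reasonable for a stateless token chain, but note that it also covers the `httpBasic()` path, where a browser will replay cached Basic credentials.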