Updated security config

This commit is contained in:
Rohan Sircar 2020-07-31 12:43:17 +05:30
parent 2a2844afcc
commit 42f8978d06

View File

@ -20,14 +20,17 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import lombok.RequiredArgsConstructor;
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private MyUserDetailsService myUserDetailsService;
private final MyUserDetailsService myUserDetailsService;
@Autowired
private PasswordEncoder passwordEncoder;
private final PasswordEncoder passwordEncoder;
@Override
@Bean
@ -37,7 +40,7 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public AuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
final DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setUserDetailsService(myUserDetailsService);
provider.setPasswordEncoder(passwordEncoder);
return provider;
@ -50,80 +53,76 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Configuration
@Order(1)
@RequiredArgsConstructor
public static class ApiWebSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private RESTAuthenticationEntryPoint authenticationEntryPoint;
private final RESTAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
private CustomBasicAuthenticationFilter customBasicAuthFilter;
private final CustomBasicAuthenticationFilter customBasicAuthFilter;
@Autowired
private TokenAuthenticationFilter tokenFilter;
private final TokenAuthenticationFilter tokenFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
protected void configure(final HttpSecurity http) throws Exception {
http.csrf().disable().exceptionHandling()
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
// .cors().and()
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
// .cors().and()
.antMatcher("/api/**").authorizeRequests()
.antMatchers("/api/chat/**").hasAnyRole("USER", "ADMIN", "SUPER_USER")
.antMatchers("/api/chat/**")
.hasAnyRole("USER", "ADMIN", "SUPER_USER")
.antMatchers("/api/admin/**")
.hasAnyRole("ADMIN", "SUPER_USER")
.antMatchers("/api/demo/**").hasRole("SUPER_USER")
// .antMatchers("/perform-login").permitAll()
.anyRequest()
// .hasAnyRole("USER", "ADMIN", "SUPER_USER")
.authenticated()
.and().httpBasic().authenticationEntryPoint(authenticationEntryPoint)
;
http.addFilterBefore(tokenFilter, BasicAuthenticationFilter.class);
// Creating token when basic authentication is successful and the same token can
// be used to authenticate for further requests
// final CustomBasicAuthenticationFilter customBasicAuthFilter = new CustomBasicAuthenticationFilter(
// authenticationManagerBean());
http.addFilter(customBasicAuthFilter);
.anyRequest().authenticated().and().httpBasic()
.authenticationEntryPoint(authenticationEntryPoint).and()
.addFilterBefore(tokenFilter,
BasicAuthenticationFilter.class)
// Creating token when basic authentication is successful
// and the
// same token can
// be used to authenticate for further requests
.addFilter(customBasicAuthFilter);
}
}
@Configuration
@Order(2)
@RequiredArgsConstructor
public static class FormWebSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private UserSessionLoggingLoginSuccessHandler loginSuccessHandler;
private final UserSessionLoggingLoginSuccessHandler loginSuccessHandler;
@Autowired
private UserSessionLoggingLogoutSuccessHandler logoutSuccessHandler;
private final UserSessionLoggingLogoutSuccessHandler logoutSuccessHandler;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and()
protected void configure(final HttpSecurity httpSecurity)
throws Exception {
httpSecurity.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and()
.authorizeRequests()
// .antMatchers(HttpMethod.POST, "/api/**").permitAll()
.antMatchers("/", "perform_login", "/logout**", "/favicon.ico", "/login*", "/registration",
"/perform_registration", "/css/**", "/js/**", "/img/**")
.permitAll()
// .antMatchers("/","/api**","/api/**","/login*","/registration","/perform_registration","/css/**", "/js/**", "/images/**").permitAll()
.antMatchers("/user/**").hasAnyRole("USER", "ADMIN", "SUPER_USER").antMatchers("/admin/**")
.hasAnyRole("ADMIN", "SUPER_USER")
// .and()
// .antMatcher("/api/**")
// .authorizeRequests()
.antMatchers("/", "perform_login", "/logout**",
"/favicon.ico", "/login*", "/registration",
"/perform_registration", "/css/**", "/js/**",
"/img/**")
.permitAll().antMatchers("/user/**")
.hasAnyRole("USER", "ADMIN", "SUPER_USER")
.antMatchers("/admin/**").hasAnyRole("ADMIN", "SUPER_USER")
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").permitAll().loginProcessingUrl("/perform_login")
.formLogin().loginPage("/login").permitAll()
.loginProcessingUrl("/perform_login")
.successHandler(loginSuccessHandler).and().logout()
.logoutSuccessHandler(logoutSuccessHandler)
;
.logoutSuccessHandler(logoutSuccessHandler);
}
// }
}
}