juick-api: security WIP

author: Vitaly Takmazov 2016-11-25 13:20:15 +0300
committer: Vitaly Takmazov 2016-11-25 13:20:15 +0300
commit: 55b09a6a3bc4a21201189d855e140308f05016fb (patch)
tree: 543c880aaf15bf396eca6255bd816fb7d5dc9f12 /juick-api/src/main/java/com/juick
parent: efe9b6d78c9aac2b92afe2d55d2f33e4b5e6d179 (diff)
4 files changed, 95 insertions, 18 deletions
diff --git a/juick-api/src/main/java/com/juick/api/configuration/ApiInitializer.java b/juick-api/src/main/java/com/juick/api/configuration/ApiInitializer.java
index f5ba4ff1..2dc25e66 100644
--- a/juick-api/src/main/java/com/juick/api/configuration/ApiInitializer.java
+++ b/juick-api/src/main/java/com/juick/api/configuration/ApiInitializer.java
@@ -17,7 +17,7 @@ public class ApiInitializer extends AbstractAnnotationConfigDispatcherServletIni
 
     @Override
     protected Class<?>[] getServletConfigClasses() {
-        return new Class<?>[]{ApiMvcConfiguration.class};
+        return new Class<?>[]{ApiMvcConfiguration.class, ApiSecurityConfig.class};
     }
 
     @Override
diff --git a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java
new file mode 100644
index 00000000..c0043950
--- /dev/null
+++ b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java
@@ -0,0 +1,79 @@
+package com.juick.api.configuration;
+
+import com.juick.server.security.JuickAuthenticationEntryPoint;
+import com.juick.server.security.JuickAuthenticationProvider;
+import com.juick.server.security.entities.JuickUser;
+import com.juick.service.UserService;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.core.env.Environment;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+import javax.annotation.Resource;
+import javax.inject.Inject;
+
+/**
+ * Created by aalexeev on 11/21/16.
+ */
+@Configuration
+@EnableWebSecurity
+@PropertySource("classpath:juick.conf")
+public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
+    @Resource
+    private Environment env;
+    @Resource
+    private UserService userService;
+
+    protected ApiSecurityConfig() {
+        super(true);
+    }
+
+    @Bean
+    public JuickAuthenticationEntryPoint getBasicAuthEntryPoint(){
+        return new JuickAuthenticationEntryPoint();
+    }
+
+    @Bean("userDetailsService")
+    @Override
+    public UserDetailsService userDetailsServiceBean() throws Exception {
+        return username -> {
+            if (StringUtils.isBlank(username))
+                throw new UsernameNotFoundException("Invalid user name " + username);
+
+            com.juick.User user = userService.getUserByName(username);
+
+            if (user != null)
+                return new JuickUser(user);
+
+            throw new UsernameNotFoundException("The username " + username + " is not found");
+        };
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+                .authorizeRequests()
+                .antMatchers("/home").hasRole("USER")
+                .and().httpBasic().authenticationEntryPoint(new JuickAuthenticationEntryPoint())
+                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+    }
+
+    @Inject
+    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
+        auth.authenticationProvider(new JuickAuthenticationProvider());
+    }
+    @Override
+    public void configure(WebSecurity web) throws Exception {
+        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
+    }
+}
diff --git a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityInitializer.java b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityInitializer.java
new file mode 100644
index 00000000..295e367c
--- /dev/null
+++ b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityInitializer.java
@@ -0,0 +1,10 @@
+package com.juick.api.configuration;
+
+/**
+ * Created by vitalyster on 25.11.2016.
+ */
+import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
+
+public class ApiSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
+
+}
diff --git a/juick-api/src/main/java/com/juick/api/controllers/Messages.java b/juick-api/src/main/java/com/juick/api/controllers/Messages.java
index f4cde321..36882140 100644
--- a/juick-api/src/main/java/com/juick/api/controllers/Messages.java
+++ b/juick-api/src/main/java/com/juick/api/controllers/Messages.java
@@ -16,7 +16,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -25,6 +24,7 @@ import rocks.xmpp.core.stanza.model.Message;
 
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
+import java.security.Principal;
 import java.util.List;
 
 /**
@@ -47,22 +47,10 @@ public class Messages {
     // TODO: serialize image urls
 
     @RequestMapping(value = "/home", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
-    public List<com.juick.Message> doGetHome(HttpServletRequest request) {
-        // TODO: use spring-security
-        String auth = request.getHeader("Authorization");
-        int vuid = userService.getUIDByHttpAuth(auth);
-        if (vuid == -1) {
-            throw new HttpForbiddenException();
-        }
-        if (vuid == 0) {
-            String hash = request.getParameter("hash");
-            if (hash != null && hash.length() == 16) {
-                vuid  = userService.getUIDbyHash(hash);
-            }
-        }
-        if (vuid == 0) {
-            throw new HttpForbiddenException();
-        }
+    public List<com.juick.Message> doGetHome(HttpServletRequest request, Principal principal) {
+        String name = principal.getName();
+        User visitor = userService.getUserByName(name);
+        int vuid = visitor.getUid();
         int before_mid = NumberUtils.toInt(request.getParameter("before_mid"), 0);
         List<Integer> mids = messagesService.getMyFeed(vuid, before_mid);
         return messagesService.getMessages(mids);
author	Vitaly Takmazov	2016-11-25 13:20:15 +0300
committer	Vitaly Takmazov	2016-11-25 13:20:15 +0300
commit	55b09a6a3bc4a21201189d855e140308f05016fb (patch)
tree	543c880aaf15bf396eca6255bd816fb7d5dc9f12 /juick-api/src/main/java/com/juick
parent	efe9b6d78c9aac2b92afe2d55d2f33e4b5e6d179 (diff)