diff options
author | Alexander Alexeev | 2016-12-09 22:57:52 +0700 |
---|---|---|
committer | Alexander Alexeev | 2016-12-09 22:57:52 +0700 |
commit | 990ca2bf911181c3af9cd6375534553b9355b3a2 (patch) | |
tree | 4f1865a341d29d00366aa958e14b9b3216125776 /juick-spring-www | |
parent | e2a018e998e125ee2ec983962059c4d2b733a4b4 (diff) |
security settings
Diffstat (limited to 'juick-spring-www')
6 files changed, 62 insertions, 72 deletions
diff --git a/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java b/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java index eaed8ebd..c9ecfeac 100644 --- a/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java +++ b/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java @@ -35,6 +35,7 @@ public class WebAppConfiguration { public TemplateSettingsHolder settingsHolder() { return new TemplateSettingsHolder(env); } + @Bean public WebApp webApp() { return new WebApp(env); diff --git a/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java index 95a94642..759eba5a 100644 --- a/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java +++ b/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java @@ -8,6 +8,7 @@ import org.springframework.core.env.Environment; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import javax.annotation.Resource; @@ -23,10 +24,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Resource private UserService userService; - protected WebSecurityConfig() { - super(true); - } - @Bean("userDetailsService") @Override public UserDetailsService userDetailsServiceBean() throws Exception { @@ -38,27 +35,27 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { http .authorizeRequests() .antMatchers("/settings", "/pm/**").authenticated() - .anyRequest().authenticated() + .anyRequest().permitAll() + .and() + .anonymous().authorities("ROLE_ANONYM") .and() - .anonymous() - .authorities("ROLE_ANONYM") + .sessionManagement().invalidSessionUrl("/").sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) .and() - .logout() - .invalidateHttpSession(true) - .logoutUrl("/logout") - .logoutSuccessUrl("/") + .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/") .and() .formLogin() .loginPage("/login") .permitAll() .defaultSuccessUrl("/") - .failureForwardUrl("/login") + .failureForwardUrl("/login?error=1") + .loginProcessingUrl("/do_login") + .usernameParameter("j_username") + .passwordParameter("j_password") .and() .rememberMe() .tokenValiditySeconds(6 * 30 * 24 * 3600) .alwaysRemember(true) .useSecureCookie(true) - .rememberMeCookieName(env.getProperty("auth_cookie_name", "hash")) .rememberMeCookieDomain(env.getProperty("web_domain", "juick.com")) .and() .csrf().disable(); diff --git a/juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java b/juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java new file mode 100644 index 00000000..0ea8c907 --- /dev/null +++ b/juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java @@ -0,0 +1,20 @@ +package com.juick.www.configuration; + +/** + * Created by vitalyster on 25.11.2016. + */ + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; + +import javax.servlet.ServletContext; + +public class WwwSecurityInitializer extends AbstractSecurityWebApplicationInitializer { + private final Logger logger = LoggerFactory.getLogger(getClass()); + + @Override + protected void afterSpringSecurityFilterChain(ServletContext servletContext) { + logger.info("SpringSecurityFilterChain initialized"); + } +} diff --git a/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java b/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java index 91efd8aa..c6de2fbf 100644 --- a/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java +++ b/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java @@ -9,6 +9,7 @@ import com.juick.util.UserUtils; import com.juick.www.util.EncodeUtils; import org.apache.commons.lang3.StringEscapeUtils; import org.apache.commons.lang3.StringUtils; +import org.springframework.context.MessageSource; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.*; @@ -27,32 +28,31 @@ import java.util.stream.Collectors; */ @Controller public class IndexController { - @Inject - UserService userService; + private MessageSource messageSource; + @Inject + private UserService userService; @Inject - MessagesService messagesService; + private MessagesService messagesService; @Inject - TagService tagService; + private TagService tagService; @RequestMapping(value = "/", method = RequestMethod.GET) - protected String doGet( + public String indexPage( Principal principal, @CookieValue("ref") Optional<String> ref, @RequestHeader("Referer") Optional<String> referer, @RequestParam("show") Optional<String> paramShow, @RequestParam("tag") Optional<String> paramTagStr, - @RequestParam(value = "before", required = false) Integer paramBefore, + @RequestParam(value = "before") Optional<Integer> paramBefore, @RequestParam(value = "search", required = false) String paramSearch, ModelMap model) throws IOException { - if (paramTagStr.isPresent()) { + if (paramTagStr.isPresent()) return "redirect:/tag/" + URLEncoder.encode(paramTagStr.get(), "UTF-8"); - } - if (StringUtils.isNotEmpty(paramSearch) && paramSearch.length() > 64) { + if (StringUtils.isNotEmpty(paramSearch) && paramSearch.length() > 64) paramSearch = ""; - } String name = UserUtils.getUsername(principal, null); User visitor = userService.getUserByName(name); @@ -63,34 +63,37 @@ public class IndexController { } else { title = "Микроблоги Juick: популярные записи"; } + + int before = paramBefore.orElse(0); + List<Integer> mids = new ArrayList<>(); if (StringUtils.isNotEmpty(paramSearch)) { title = "Поиск: " + StringEscapeUtils.escapeHtml4(paramSearch); mids = messagesService.getSearch(EncodeUtils.encodeSphinx(paramSearch), - paramBefore); + before); } else if (!paramShow.isPresent()) { - mids = messagesService.getPopular(visitor.getUid(), paramBefore); + mids = messagesService.getPopular(visitor.getUid(), before); } else if (paramShow.get().equals("top")) { return "redirect:/"; } else if (paramShow.get().equals("my") && visitor.getUid() > 0) { title = "Моя лента"; - mids = messagesService.getMyFeed(visitor.getUid(), paramBefore); + mids = messagesService.getMyFeed(visitor.getUid(), before); } else if (paramShow.get().equals("private") && visitor.getUid() > 0) { title = "Приватные"; - mids = messagesService.getPrivate(visitor.getUid(), paramBefore); + mids = messagesService.getPrivate(visitor.getUid(), before); } else if (paramShow.get().equals("discuss") && visitor.getUid() > 0) { title = "Обсуждения"; - mids = messagesService.getDiscussions(visitor.getUid(), paramBefore); + mids = messagesService.getDiscussions(visitor.getUid(), before); } else if (paramShow.get().equals("recommended") && visitor.getUid() > 0) { title = "Рекомендации"; - mids = messagesService.getRecommended(visitor.getUid(), paramBefore); + mids = messagesService.getRecommended(visitor.getUid(), before); } else if (paramShow.get().equals("photos")) { title = "Фотографии"; - mids = messagesService.getPhotos(visitor.getUid(), paramBefore); + mids = messagesService.getPhotos(visitor.getUid(), before); } else if (paramShow.get().equals("all")) { title = "Все сообщения"; - mids = messagesService.getAll(visitor.getUid(), paramBefore); + mids = messagesService.getAll(visitor.getUid(), before); } model.addAttribute("title", title); model.addAttribute("visitor", visitor); @@ -116,6 +119,6 @@ public class IndexController { model.addAttribute("nextpage", nextpage); } //model.addAttribute("isModerator", userService.getModerators().contains(visitor.getUid())); - return "blog/index"; + return "index"; } } diff --git a/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java b/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java index 8a474c9b..8827d948 100644 --- a/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java +++ b/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java @@ -1,23 +1,15 @@ package com.juick.www.controllers; import com.juick.User; -import com.juick.server.util.HttpBadRequestException; -import com.juick.server.util.HttpForbiddenException; import com.juick.service.UserService; import com.juick.util.UserUtils; import org.springframework.core.env.Environment; import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestHeader; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; import javax.inject.Inject; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletResponse; -import java.net.URI; import java.security.Principal; -import java.util.Optional; /** * Created by vitalyster on 09.12.2016. @@ -25,41 +17,18 @@ import java.util.Optional; @Controller public class LoginController { @Inject - UserService userService; + private UserService userService; @Inject - Environment env; + private Environment env; @RequestMapping(value = "/login", method = RequestMethod.GET) - public String doGetLoginForm(Principal principal) { + public String getLoginForm(Principal principal) { String name = UserUtils.getUsername(principal, null); User visitor = userService.getUserByName(name); - if (visitor.getUid() > 0) { + + if (visitor.getUid() > 0) return "redirect:/login"; - } - return "views/login"; - } - @RequestMapping(value = "/login", method = RequestMethod.POST) - protected String doPostLogin( - @RequestParam("username") Optional<String> username, - @RequestParam("password") Optional<String> password, - @RequestHeader("Referer") Optional<String> referer, - HttpServletResponse response) { - if (!username.isPresent() && password.isPresent()) { - throw new HttpBadRequestException(); - } - int uid = userService.checkPassword(username.get(), password.get()); - if (uid > 0) { - if (referer.isPresent()) { - URI refererURI = URI.create(referer.get()); - if (refererURI.getHost().equals(env.getProperty("web_domain")) - && !refererURI.getPath().equals("/login")) { - return "redirect:" + referer.get(); - } else { - return "redirect:/"; - } - } - } - throw new HttpForbiddenException(); + return "views/login"; } } diff --git a/juick-spring-www/src/main/webapp/WEB-INF/templates/views/login.html b/juick-spring-www/src/main/webapp/WEB-INF/templates/views/login.html index ae3aede6..990797c9 100644 --- a/juick-spring-www/src/main/webapp/WEB-INF/templates/views/login.html +++ b/juick-spring-www/src/main/webapp/WEB-INF/templates/views/login.html @@ -128,9 +128,9 @@ </div> </div> <div id="signin"><a href="#" onclick="$('#signinform').toggle(); $('#nickinput').focus(); return false">Уже зарегистрированы?</a> - <div id="signinform"><form action="/login" method="POST"> - <input class="txt" type="text" name="username" placeholder="Имя пользователя" id="nickinput"/> - <input class="txt" type="password" name="password" placeholder="Пароль"/> + <div id="signinform"><form action="/do_login" method="POST"> + <input class="txt" type="text" name="j_username" placeholder="Имя пользователя" id="nickinput"/> + <input class="txt" type="password" name="j_password" placeholder="Пароль"/> <input class="submit" type="submit" value="OK"/> </form></div> </div> |