1 files changed, 209 insertions, 0 deletions

diff --git a/juick-server/src/main/java/com/juick/server/configuration/SecurityConfig.java b/juick-server/src/main/java/com/juick/server/configuration/SecurityConfig.java
new file mode 100644
index 00000000..cd2ab13a
--- /dev/null
+++ b/juick-server/src/main/java/com/juick/server/configuration/SecurityConfig.java
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2008-2017, Juick
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package com.juick.server.configuration;
+
+import com.juick.service.UserService;
+import com.juick.service.security.HashParamAuthenticationFilter;
+import com.juick.service.security.JuickUserDetailsService;
+import com.juick.service.security.deprecated.RequestParamHashRememberMeServices;
+import com.juick.service.security.entities.JuickUser;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+import org.springframework.security.web.authentication.RememberMeServices;
+import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import javax.annotation.Resource;
+import javax.inject.Inject;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Created by aalexeev on 11/21/16.
+ */
+@EnableWebSecurity
+public class SecurityConfig {
+    @Resource
+    private UserService userService;
+    @Value("${auth_remember_me_key:secret}")
+    private String rememberMeKey;
+    @Value("${web_domain:localhost}")
+    private String webDomain;
+
+    private static final String COOKIE_NAME = "juick-remember-me";
+
+    @Bean
+    public UserDetailsService userDetailsService() {
+        return new JuickUserDetailsService(userService);
+    }
+    @Bean
+    public RememberMeServices rememberMeServices() throws Exception {
+        TokenBasedRememberMeServices services = new TokenBasedRememberMeServices(
+                rememberMeKey, userDetailsService());
+
+        services.setCookieName(COOKIE_NAME);
+        services.setCookieDomain(webDomain);
+        services.setAlwaysRemember(true);
+        services.setTokenValiditySeconds(6 * 30 * 24 * 3600);
+        services.setUseSecureCookie(false); // TODO set true if https is supports
+
+        return services;
+    }
+    @Bean
+    public HashParamAuthenticationFilter hashParamAuthenticationFilter() throws Exception {
+        return new HashParamAuthenticationFilter(userService, rememberMeServices());
+    }
+
+
+    @Configuration
+    @Order(1)
+    public static class ApiConfig extends WebSecurityConfigurerAdapter {
+        @Value("${auth_remember_me_key:secret}")
+        private String rememberMeKey;
+        @Value("${web_domain:localhost}")
+        private String webDomain;
+        @Resource
+        private UserService userService;
+        @Inject
+        private HashParamAuthenticationFilter hashParamAuthenticationFilter;
+        ApiConfig() {
+            super(true);
+        }
+        @Bean
+        RememberMeServices rememberMeServices(){
+            return new RequestParamHashRememberMeServices(rememberMeKey, userService);
+        }
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            http.addFilterAfter(hashParamAuthenticationFilter, BasicAuthenticationFilter.class);
+            http.antMatcher("/api/**").authorizeRequests()
+                    .antMatchers(HttpMethod.OPTIONS).permitAll()
+                    .antMatchers("/api/", "/api/messages", "/api/users", "/api/thread", "/api/tags", "/api/tlgmbtwbhk", "/api/fbwbhk",
+                            "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin", "/api/u/**", "/.well-known/webfinger").permitAll()
+                    .anyRequest().hasRole("USER")
+                    .and()
+                    .anonymous().principal(JuickUser.ANONYMOUS_USER).authorities(JuickUser.ANONYMOUS_AUTHORITY)
+                    .and()
+                    .httpBasic().authenticationEntryPoint(juickAuthenticationEntryPoint())
+                    .and().cors().configurationSource(corsConfigurationSource())
+                    .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                    .and().exceptionHandling().authenticationEntryPoint(juickAuthenticationEntryPoint())
+                    .and()
+                    .rememberMe()
+                    .alwaysRemember(true)
+                    .tokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(6 * 30))
+                    .rememberMeServices(rememberMeServices())
+                    .key(rememberMeKey)
+                    .and()
+                    .headers().defaultsDisabled().cacheControl();
+        }
+
+        @Bean
+        public AuthenticationEntryPoint juickAuthenticationEntryPoint() {
+            return new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
+        }
+
+        @Bean
+        public CorsConfigurationSource corsConfigurationSource() {
+            CorsConfiguration configuration = new CorsConfiguration();
+
+            configuration.setAllowedOrigins(Collections.singletonList("*"));
+            configuration.setAllowedMethods(Arrays.asList("POST", "GET", "PUT", "OPTIONS", "DELETE"));
+            configuration.setAllowedHeaders(Collections.singletonList("*"));
+
+            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+            source.registerCorsConfiguration("/api/**", configuration);
+
+            return source;
+        }
+        @Override
+        public void configure(WebSecurity web) {
+            web.debug(false);
+            web.ignoring().antMatchers("/api/v2/api-docs", "/api/configuration/ui", "/api/swagger-resources/**",
+                    "/api/configuration/**", "/swagger-ui.html", "/webjars/**", "/ws/**", "/rss/**", "/h2-console/**");
+        }
+    }
+
+    @Configuration
+    public static class WebConfig extends WebSecurityConfigurerAdapter {
+        @Inject
+        private RememberMeServices rememberMeServices;
+        @Value("${auth_remember_me_key:secret}")
+        private String rememberMeKey;
+        @Value("${web_domain:localhost}")
+        private String webDomain;
+        @Resource
+        private UserService userService;
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            http
+                    .authorizeRequests()
+                    .antMatchers("/settings", "/pm/**", "/**/bl", "/_twitter", "/post", "/post2", "/comment")
+                    .authenticated()
+                    .anyRequest().permitAll()
+                    .and()
+                    .anonymous().principal(JuickUser.ANONYMOUS_USER).authorities(JuickUser.ANONYMOUS_AUTHORITY)
+                    .and()
+                    .sessionManagement().invalidSessionUrl("/")
+                    .and()
+                    .logout()
+                    .invalidateHttpSession(true)
+                    .logoutUrl("/logout")
+                    .logoutSuccessUrl("/login?logout")
+                    .deleteCookies("hash", COOKIE_NAME)
+                    .and()
+                    .formLogin()
+                    .loginPage("/login")
+                    .permitAll()
+                    .defaultSuccessUrl("/")
+                    .loginProcessingUrl("/login")
+                    .usernameParameter("username")
+                    .passwordParameter("password")
+                    .failureUrl("/login?error=1")
+                    .and()
+                    .rememberMe()
+                    .rememberMeCookieDomain(webDomain).key(rememberMeKey)
+                    .rememberMeServices(rememberMeServices)
+                    .and()
+                    .csrf().disable()
+                    .headers().defaultsDisabled().cacheControl();
+        }
+        @Override
+        public void configure(WebSecurity web) throws Exception {
+            web.debug(false);
+            web.ignoring().antMatchers("/style.css*", "/scripts.js*", "/h2-console/**", "/.well-known/**");
+        }
+    }
+}