diff options
Diffstat (limited to 'src/main/java/com/juick/config/SecurityConfig.java')
-rw-r--r-- | src/main/java/com/juick/config/SecurityConfig.java | 48 |
1 files changed, 32 insertions, 16 deletions
diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java index 8a41ab5b..70dc19fa 100644 --- a/src/main/java/com/juick/config/SecurityConfig.java +++ b/src/main/java/com/juick/config/SecurityConfig.java @@ -40,7 +40,6 @@ import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; -import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.oauth2.jwt.JwtDecoder; @@ -68,6 +67,8 @@ import java.security.interfaces.RSAPublicKey; import java.util.Arrays; import java.util.Collections; +import static org.springframework.security.config.Customizer.withDefaults; + /** * Created by aalexeev on 11/21/16. */ @@ -81,6 +82,7 @@ public class SecurityConfig { @Inject private JdbcTemplate jdbcTemplate; private static final String COOKIE_NAME = "juick-remember-me"; + @Bean UserDetailsService userDetailsService() { return new JuickUserDetailsService(userService); @@ -139,27 +141,25 @@ public class SecurityConfig { services.setUseSecureCookie(false); // TODO set true if https is supports return services; } + @Bean @Order(Ordered.HIGHEST_PRECEDENCE) public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); http.getConfigurer(OAuth2AuthorizationServerConfigurer.class) - .authorizationServerSettings(AuthorizationServerSettings.builder() - .authorizationEndpoint("/oauth/authorize") - .tokenEndpoint("/oauth/token") - .build()) .oidc(Customizer.withDefaults()); http.cors(cors -> cors.configurationSource(corsConfigurationSource())) // Accept access tokens for User Info and/or Client Registration - .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); - + .oauth2ResourceServer(resourceServer -> resourceServer.jwt(withDefaults())); return http.formLogin(Customizer.withDefaults()).build(); } + @Bean public RegisteredClientRepository registeredClientRepository() { return new JdbcRegisteredClientRepository(jdbcTemplate); } + @Bean public JWKSource<SecurityContext> jwkSource() { RSAPublicKey publicKey = (RSAPublicKey) keystoreManager.getPublicKey(); @@ -171,10 +171,20 @@ public class SecurityConfig { JWKSet jwkSet = new JWKSet(rsaKey); return new ImmutableJWKSet<>(jwkSet); } + @Bean public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) { return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource); } + + @Bean + public AuthorizationServerSettings authorizationServerSettings() { + return AuthorizationServerSettings.builder() + .authorizationEndpoint("/oauth/authorize") + .tokenEndpoint("/oauth/token") + .build(); + } + @Bean @Order(Ordered.HIGHEST_PRECEDENCE + 1) SecurityFilterChain apiChain(HttpSecurity http) throws Exception { @@ -194,8 +204,10 @@ public class SecurityConfig { "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin", "/api/_google", "/api/_applelogin", "/api/signup", - "/api/inbox", "/api/events", "/api/u/", "/u/**", "/n/**", - "/api/info/**", "/api/v1/apps", "/api/v1/instance", "/api/v2/instance", + "/api/inbox", "/api/events", "/api/u/", "/u/**", + "/n/**", + "/api/info/**", "/api/v1/apps", "/api/v1/instance", + "/api/v2/instance", "/api/nodeinfo/2.0", "/oauth/**") .permitAll() .anyRequest().hasAnyAuthority("SCOPE_write", "ROLE_USER")) @@ -204,36 +216,39 @@ public class SecurityConfig { .httpBasic(httpBasic -> httpBasic .authenticationEntryPoint(apiAuthenticationEntryPoint())) .cors(cors -> cors.configurationSource(corsConfigurationSource())) - .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) + .oauth2ResourceServer(resourceServer -> resourceServer.jwt(withDefaults())) .sessionManagement(sessionManagement -> sessionManagement .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .exceptionHandling(exceptionHandling -> exceptionHandling .authenticationEntryPoint(apiAuthenticationEntryPoint())) - .csrf().disable() - .headers().defaultsDisabled().cacheControl(); + .csrf(AbstractHttpConfigurer::disable) + .headers(headers -> headers.defaultsDisabled().cacheControl(withDefaults())); return http.build(); } + @Bean - SecurityFilterChain h2ConsoFilterChain(HttpSecurity http) throws Exception { + SecurityFilterChain h2ConsoleFilterChain(HttpSecurity http) throws Exception { http.securityMatcher("/h2-console/**") .authorizeHttpRequests(auth -> auth .anyRequest().permitAll()) .anonymous(anonymous -> anonymous.principal(JuickUser.ANONYMOUS_USER) .authorities(JuickUser.ANONYMOUS_AUTHORITY)) - .csrf().disable() + .csrf(AbstractHttpConfigurer::disable) .sessionManagement(sessionManagement -> sessionManagement .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .exceptionHandling(exceptionHandling -> exceptionHandling .authenticationEntryPoint(apiAuthenticationEntryPoint())) - .headers().defaultsDisabled().cacheControl(); + .headers(headers -> headers.defaultsDisabled().cacheControl(withDefaults())); return http.build(); } + @Bean AuthenticationSuccessHandler successHandler() { var handler = new SavedRequestAwareAuthenticationSuccessHandler(); handler.setUseReferer(true); return handler; } + @Bean @Order(Ordered.HIGHEST_PRECEDENCE + 2) SecurityFilterChain wwwChain(HttpSecurity http) throws Exception { @@ -263,9 +278,10 @@ public class SecurityConfig { .rememberMe(rememberMe -> rememberMe .rememberMeCookieDomain(webDomain).key(rememberMeKey) .rememberMeServices(hashCookieServices())) - .headers().defaultsDisabled().cacheControl(); + .headers(headers -> headers.defaultsDisabled().cacheControl(withDefaults())); return http.build(); } + @Bean public SecurityFilterChain securityWebFilterChain( HttpSecurity http) throws Exception { |