From 990ca2bf911181c3af9cd6375534553b9355b3a2 Mon Sep 17 00:00:00 2001
From: Alexander Alexeev
Date: Fri, 9 Dec 2016 22:57:52 +0700
Subject: security settings

---
 .../www/configuration/WebAppConfiguration.java     |  1 +
 .../juick/www/configuration/WebSecurityConfig.java | 23 +++++-------
 .../www/configuration/WwwSecurityInitializer.java  | 20 ++++++++++
 .../com/juick/www/controllers/IndexController.java | 41 +++++++++++----------
 .../com/juick/www/controllers/LoginController.java | 43 +++-------------------
 .../main/webapp/WEB-INF/templates/views/login.html |  6 +--
 6 files changed, 62 insertions(+), 72 deletions(-)
 create mode 100644 juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java

diff --git a/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java b/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java
index eaed8ebd..c9ecfeac 100644
--- a/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java
+++ b/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java
@@ -35,6 +35,7 @@ public class WebAppConfiguration {
     public TemplateSettingsHolder settingsHolder() {
         return new TemplateSettingsHolder(env);
     }
+
     @Bean
     public WebApp webApp() {
         return new WebApp(env);
diff --git a/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
index 95a94642..759eba5a 100644
--- a/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
+++ b/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
@@ -8,6 +8,7 @@ import org.springframework.core.env.Environment;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 
 import javax.annotation.Resource;
@@ -23,10 +24,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     @Resource
     private UserService userService;
 
-    protected WebSecurityConfig() {
-        super(true);
-    }
-
     @Bean("userDetailsService")
     @Override
     public UserDetailsService userDetailsServiceBean() throws Exception {
@@ -38,27 +35,27 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         http
                 .authorizeRequests()
                 .antMatchers("/settings", "/pm/**").authenticated()
-                .anyRequest().authenticated()
+                .anyRequest().permitAll()
+                .and()
+                .anonymous().authorities("ROLE_ANONYM")
                 .and()
-                .anonymous()
-                .authorities("ROLE_ANONYM")
+                .sessionManagement().invalidSessionUrl("/").sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                 .and()
-                .logout()
-                .invalidateHttpSession(true)
-                .logoutUrl("/logout")
-                .logoutSuccessUrl("/")
+                .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/")
                 .and()
                 .formLogin()
                 .loginPage("/login")
                 .permitAll()
                 .defaultSuccessUrl("/")
-                .failureForwardUrl("/login")
+                .failureForwardUrl("/login?error=1")
+                .loginProcessingUrl("/do_login")
+                .usernameParameter("j_username")
+                .passwordParameter("j_password")
                 .and()
                 .rememberMe()
                 .tokenValiditySeconds(6 * 30 * 24 * 3600)
                 .alwaysRemember(true)
                 .useSecureCookie(true)
-                .rememberMeCookieName(env.getProperty("auth_cookie_name", "hash"))
                 .rememberMeCookieDomain(env.getProperty("web_domain", "juick.com"))
                 .and()
                 .csrf().disable();
diff --git a/juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java b/juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java
new file mode 100644
index 00000000..0ea8c907
--- /dev/null
+++ b/juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java
@@ -0,0 +1,20 @@
+package com.juick.www.configuration;
+
+/**
+ * Created by vitalyster on 25.11.2016.
+ */
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
+
+import javax.servlet.ServletContext;
+
+public class WwwSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
+    private final Logger logger = LoggerFactory.getLogger(getClass());
+
+    @Override
+    protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
+        logger.info("SpringSecurityFilterChain initialized");
+    }
+}
diff --git a/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java b/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java
index 91efd8aa..c6de2fbf 100644
--- a/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java
+++ b/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java
@@ -9,6 +9,7 @@ import com.juick.util.UserUtils;
 import com.juick.www.util.EncodeUtils;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.springframework.context.MessageSource;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
 import org.springframework.web.bind.annotation.*;
@@ -27,32 +28,31 @@ import java.util.stream.Collectors;
  */
 @Controller
 public class IndexController {
-
     @Inject
-    UserService userService;
+    private MessageSource messageSource;
+    @Inject
+    private UserService userService;
     @Inject
-    MessagesService messagesService;
+    private MessagesService messagesService;
     @Inject
-    TagService tagService;
+    private TagService tagService;
 
     @RequestMapping(value = "/", method = RequestMethod.GET)
-    protected String doGet(
+    public String indexPage(
             Principal principal,
             @CookieValue("ref") Optional<String> ref,
             @RequestHeader("Referer") Optional<String> referer,
             @RequestParam("show") Optional<String> paramShow,
             @RequestParam("tag") Optional<String> paramTagStr,
-            @RequestParam(value = "before", required = false) Integer paramBefore,
+            @RequestParam(value = "before") Optional<Integer> paramBefore,
             @RequestParam(value = "search", required = false) String paramSearch,
             ModelMap model) throws IOException {
 
-        if (paramTagStr.isPresent()) {
+        if (paramTagStr.isPresent())
             return  "redirect:/tag/" + URLEncoder.encode(paramTagStr.get(), "UTF-8");
-        }
 
-        if (StringUtils.isNotEmpty(paramSearch) && paramSearch.length() > 64) {
+        if (StringUtils.isNotEmpty(paramSearch) && paramSearch.length() > 64)
             paramSearch = "";
-        }
 
         String name = UserUtils.getUsername(principal, null);
         User visitor = userService.getUserByName(name);
@@ -63,34 +63,37 @@ public class IndexController {
         } else {
             title = "Микроблоги Juick: популярные записи";
         }
+
+        int before = paramBefore.orElse(0);
+
         List<Integer> mids = new ArrayList<>();
 
         if (StringUtils.isNotEmpty(paramSearch)) {
             title = "Поиск: " + StringEscapeUtils.escapeHtml4(paramSearch);
             mids = messagesService.getSearch(EncodeUtils.encodeSphinx(paramSearch),
-                    paramBefore);
+                    before);
         } else if (!paramShow.isPresent()) {
-            mids = messagesService.getPopular(visitor.getUid(), paramBefore);
+            mids = messagesService.getPopular(visitor.getUid(), before);
         } else if (paramShow.get().equals("top")) {
             return "redirect:/";
         } else if (paramShow.get().equals("my") && visitor.getUid() > 0) {
             title = "Моя лента";
-            mids = messagesService.getMyFeed(visitor.getUid(), paramBefore);
+            mids = messagesService.getMyFeed(visitor.getUid(), before);
         } else if (paramShow.get().equals("private") && visitor.getUid() > 0) {
             title = "Приватные";
-            mids = messagesService.getPrivate(visitor.getUid(), paramBefore);
+            mids = messagesService.getPrivate(visitor.getUid(), before);
         } else if (paramShow.get().equals("discuss") && visitor.getUid() > 0) {
             title = "Обсуждения";
-            mids = messagesService.getDiscussions(visitor.getUid(), paramBefore);
+            mids = messagesService.getDiscussions(visitor.getUid(), before);
         } else if (paramShow.get().equals("recommended") && visitor.getUid() > 0) {
             title = "Рекомендации";
-            mids = messagesService.getRecommended(visitor.getUid(), paramBefore);
+            mids = messagesService.getRecommended(visitor.getUid(), before);
         } else if (paramShow.get().equals("photos")) {
             title = "Фотографии";
-            mids = messagesService.getPhotos(visitor.getUid(), paramBefore);
+            mids = messagesService.getPhotos(visitor.getUid(), before);
         } else if (paramShow.get().equals("all")) {
             title = "Все сообщения";
-            mids = messagesService.getAll(visitor.getUid(), paramBefore);
+            mids = messagesService.getAll(visitor.getUid(), before);
         }
         model.addAttribute("title", title);
         model.addAttribute("visitor", visitor);
@@ -116,6 +119,6 @@ public class IndexController {
             model.addAttribute("nextpage", nextpage);
         }
         //model.addAttribute("isModerator", userService.getModerators().contains(visitor.getUid()));
-        return "blog/index";
+        return "index";
     }
 }
diff --git a/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java b/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java
index 8a474c9b..8827d948 100644
--- a/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java
+++ b/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java
@@ -1,23 +1,15 @@
 package com.juick.www.controllers;
 
 import com.juick.User;
-import com.juick.server.util.HttpBadRequestException;
-import com.juick.server.util.HttpForbiddenException;
 import com.juick.service.UserService;
 import com.juick.util.UserUtils;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
 
 import javax.inject.Inject;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
-import java.net.URI;
 import java.security.Principal;
-import java.util.Optional;
 
 /**
  * Created by vitalyster on 09.12.2016.
@@ -25,41 +17,18 @@ import java.util.Optional;
 @Controller
 public class LoginController {
     @Inject
-    UserService userService;
+    private UserService userService;
     @Inject
-    Environment env;
+    private Environment env;
 
     @RequestMapping(value = "/login", method = RequestMethod.GET)
-    public String doGetLoginForm(Principal principal) {
+    public String getLoginForm(Principal principal) {
         String name = UserUtils.getUsername(principal, null);
         User visitor = userService.getUserByName(name);
-        if (visitor.getUid() > 0) {
+
+        if (visitor.getUid() > 0)
             return "redirect:/login";
-        }
-        return "views/login";
-    }
-    @RequestMapping(value = "/login", method = RequestMethod.POST)
-    protected String doPostLogin(
-            @RequestParam("username") Optional<String> username,
-            @RequestParam("password") Optional<String> password,
-            @RequestHeader("Referer") Optional<String> referer,
-            HttpServletResponse response) {
-        if (!username.isPresent() && password.isPresent()) {
-            throw new HttpBadRequestException();
-        }
 
-        int uid = userService.checkPassword(username.get(), password.get());
-        if (uid > 0) {
-            if (referer.isPresent()) {
-                URI refererURI = URI.create(referer.get());
-                if (refererURI.getHost().equals(env.getProperty("web_domain"))
-                        && !refererURI.getPath().equals("/login")) {
-                    return "redirect:" + referer.get();
-                } else {
-                    return "redirect:/";
-                }
-            }
-        }
-        throw new HttpForbiddenException();
+        return "views/login";
     }
 }
diff --git a/juick-spring-www/src/main/webapp/WEB-INF/templates/views/login.html b/juick-spring-www/src/main/webapp/WEB-INF/templates/views/login.html
index ae3aede6..990797c9 100644
--- a/juick-spring-www/src/main/webapp/WEB-INF/templates/views/login.html
+++ b/juick-spring-www/src/main/webapp/WEB-INF/templates/views/login.html
@@ -128,9 +128,9 @@
     </div>
 </div>
 <div id="signin"><a href="#" onclick="$('#signinform').toggle(); $('#nickinput').focus(); return false">Уже зарегистрированы?</a>
-    <div id="signinform"><form action="/login" method="POST">
-        <input class="txt" type="text" name="username" placeholder="Имя пользователя" id="nickinput"/>
-        <input class="txt" type="password" name="password" placeholder="Пароль"/>
+    <div id="signinform"><form action="/do_login" method="POST">
+        <input class="txt" type="text" name="j_username" placeholder="Имя пользователя" id="nickinput"/>
+        <input class="txt" type="password" name="j_password" placeholder="Пароль"/>
         <input class="submit" type="submit" value="OK"/>
     </form></div>
 </div>
-- 
cgit v1.2.3