From bc23d2d2125d2086847397e85335f29a70668f6b Mon Sep 17 00:00:00 2001 From: Alexander Alexeev Date: Mon, 28 Nov 2016 13:39:04 +0700 Subject: remember-me authorization with test; a statndard DaoAuthentication provider used --- .../juick/api/configuration/ApiSecurityConfig.java | 42 ++++++++++++++++----- .../juick/api/configuration/JuickHashFilter.java | 44 ---------------------- 2 files changed, 32 insertions(+), 54 deletions(-) delete mode 100644 juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java (limited to 'juick-api/src/main/java/com/juick/api/configuration') diff --git a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java index b3d2d21e..8da51f5a 100644 --- a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java +++ b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java @@ -1,24 +1,27 @@ package com.juick.api.configuration; import com.juick.server.security.JuickAuthenticationEntryPoint; -import com.juick.server.security.JuickAuthenticationProvider; import com.juick.service.UserService; +import com.juick.service.security.JuickUserDetailsService; +import com.juick.service.security.SimpleRememberMeServices; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.PropertySource; import org.springframework.core.env.Environment; import org.springframework.http.HttpMethod; +import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; -import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; +import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import javax.inject.Inject; import java.util.Arrays; +import java.util.concurrent.TimeUnit; /** * Created by aalexeev on 11/21/16. @@ -38,8 +41,7 @@ public class ApiSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { - http.addFilterBefore(getJuickHashFilter(), UsernamePasswordAuthenticationFilter.class) - .authorizeRequests() + http.authorizeRequests() .antMatchers(HttpMethod.OPTIONS).permitAll() .anyRequest().hasRole("USER") .and().httpBasic().authenticationEntryPoint(getJuickAuthenticationEntryPoint()) @@ -48,22 +50,42 @@ public class ApiSecurityConfig extends WebSecurityConfigurerAdapter { .and().servletApi() .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and().exceptionHandling().authenticationEntryPoint(getJuickAuthenticationEntryPoint()) - .and().authenticationProvider(new JuickAuthenticationProvider(userService)) + .and() + .rememberMe() + .alwaysRemember(true) + .tokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(6 * 30)) + .rememberMeServices(rememberMeServices()) + .key(env.getProperty("auth_remember_me_key")) + .and().authenticationProvider(authenticationProvider()) .headers().defaultsDisabled().cacheControl(); } @Bean - public JuickAuthenticationEntryPoint getJuickAuthenticationEntryPoint() { - return new JuickAuthenticationEntryPoint(); + public DaoAuthenticationProvider authenticationProvider() { + DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider(); + + authenticationProvider.setUserDetailsService(userDetailsService()); + + return authenticationProvider; + } + + @Bean + public JuickUserDetailsService userDetailsService() { + return new JuickUserDetailsService(userService); + } + + @Bean + public RememberMeServices rememberMeServices() throws Exception { + return new SimpleRememberMeServices(env.getProperty("auth_remember_me_key"), userDetailsService(), userService, env); } @Bean - public JuickHashFilter getJuickHashFilter() { - return new JuickHashFilter(); + public JuickAuthenticationEntryPoint getJuickAuthenticationEntryPoint() { + return new JuickAuthenticationEntryPoint(); } @Bean - CorsConfigurationSource corsConfigurationSource() { + public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); configuration.setAllowedOrigins(Arrays.asList("*")); diff --git a/juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java b/juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java deleted file mode 100644 index 62e6f3d2..00000000 --- a/juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java +++ /dev/null @@ -1,44 +0,0 @@ -package com.juick.api.configuration; - -import com.juick.User; -import com.juick.service.UserService; -import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; -import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.core.authority.SimpleGrantedAuthority; -import org.springframework.security.core.context.SecurityContext; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.web.authentication.WebAuthenticationDetails; -import org.springframework.web.filter.GenericFilterBean; - -import javax.inject.Inject; -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletRequest; -import java.io.IOException; -import java.util.Collections; -import java.util.List; - -/** - * Created by vitalyster on 27.11.2016. - */ -public class JuickHashFilter extends GenericFilterBean { - @Inject - UserService userService; - - @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - String hash = request.getParameter("hash"); - if (hash != null) { - User user = userService.getUserByHash(hash); - if (user.getUid() > 0) { - List authorities = Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getName(), null); - token.setDetails(new WebAuthenticationDetails((HttpServletRequest) request)); - SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(user.getName(), null, authorities)); - } - } - chain.doFilter(request, response); - } - } -- cgit v1.2.3