From bc23d2d2125d2086847397e85335f29a70668f6b Mon Sep 17 00:00:00 2001
From: Alexander Alexeev
Date: Mon, 28 Nov 2016 13:39:04 +0700
Subject: remember-me authorization with test; a statndard DaoAuthentication
 provider used

---
 .../juick/api/configuration/ApiSecurityConfig.java | 42 ++++++++++++++++-----
 .../juick/api/configuration/JuickHashFilter.java   | 44 ----------------------
 2 files changed, 32 insertions(+), 54 deletions(-)
 delete mode 100644 juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java

(limited to 'juick-api/src/main/java/com/juick/api/configuration')

diff --git a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java
index b3d2d21e..8da51f5a 100644
--- a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java
+++ b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java
@@ -1,24 +1,27 @@
 package com.juick.api.configuration;
 
 import com.juick.server.security.JuickAuthenticationEntryPoint;
-import com.juick.server.security.JuickAuthenticationProvider;
 import com.juick.service.UserService;
+import com.juick.service.security.JuickUserDetailsService;
+import com.juick.service.security.SimpleRememberMeServices;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.PropertySource;
 import org.springframework.core.env.Environment;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 import javax.inject.Inject;
 import java.util.Arrays;
+import java.util.concurrent.TimeUnit;
 
 /**
  * Created by aalexeev on 11/21/16.
@@ -38,8 +41,7 @@ public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-        http.addFilterBefore(getJuickHashFilter(), UsernamePasswordAuthenticationFilter.class)
-                .authorizeRequests()
+        http.authorizeRequests()
                 .antMatchers(HttpMethod.OPTIONS).permitAll()
                 .anyRequest().hasRole("USER")
                 .and().httpBasic().authenticationEntryPoint(getJuickAuthenticationEntryPoint())
@@ -48,22 +50,42 @@ public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
                 .and().servletApi()
                 .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                 .and().exceptionHandling().authenticationEntryPoint(getJuickAuthenticationEntryPoint())
-                .and().authenticationProvider(new JuickAuthenticationProvider(userService))
+                .and()
+                .rememberMe()
+                .alwaysRemember(true)
+                .tokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(6 * 30))
+                .rememberMeServices(rememberMeServices())
+                .key(env.getProperty("auth_remember_me_key"))
+                .and().authenticationProvider(authenticationProvider())
                 .headers().defaultsDisabled().cacheControl();
     }
 
     @Bean
-    public JuickAuthenticationEntryPoint getJuickAuthenticationEntryPoint() {
-        return new JuickAuthenticationEntryPoint();
+    public DaoAuthenticationProvider authenticationProvider() {
+        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
+
+        authenticationProvider.setUserDetailsService(userDetailsService());
+
+        return authenticationProvider;
+    }
+
+    @Bean
+    public JuickUserDetailsService userDetailsService() {
+        return new JuickUserDetailsService(userService);
+    }
+
+    @Bean
+    public RememberMeServices rememberMeServices() throws Exception {
+        return new SimpleRememberMeServices(env.getProperty("auth_remember_me_key"), userDetailsService(), userService, env);
     }
 
     @Bean
-    public JuickHashFilter getJuickHashFilter() {
-        return new JuickHashFilter();
+    public JuickAuthenticationEntryPoint getJuickAuthenticationEntryPoint() {
+        return new JuickAuthenticationEntryPoint();
     }
 
     @Bean
-    CorsConfigurationSource corsConfigurationSource() {
+    public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration configuration = new CorsConfiguration();
 
         configuration.setAllowedOrigins(Arrays.asList("*"));
diff --git a/juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java b/juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java
deleted file mode 100644
index 62e6f3d2..00000000
--- a/juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java
+++ /dev/null
@@ -1,44 +0,0 @@
-package com.juick.api.configuration;
-
-import com.juick.User;
-import com.juick.service.UserService;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.authentication.WebAuthenticationDetails;
-import org.springframework.web.filter.GenericFilterBean;
-
-import javax.inject.Inject;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-import java.util.Collections;
-import java.util.List;
-
-/**
- * Created by vitalyster on 27.11.2016.
- */
-public class JuickHashFilter extends GenericFilterBean {
-    @Inject
-    UserService userService;
-
-    @Override
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-        String hash = request.getParameter("hash");
-        if (hash != null) {
-            User user = userService.getUserByHash(hash);
-            if (user.getUid() > 0) {
-                List<GrantedAuthority> authorities = Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
-                UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getName(), null);
-                token.setDetails(new WebAuthenticationDetails((HttpServletRequest) request));
-                SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(user.getName(), null, authorities));
-            }
-        }
-        chain.doFilter(request, response);
-    }
- }
-- 
cgit v1.2.3