From 55b09a6a3bc4a21201189d855e140308f05016fb Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Fri, 25 Nov 2016 13:20:15 +0300 Subject: juick-api: security WIP --- .../juick/api/configuration/ApiInitializer.java | 2 +- .../juick/api/configuration/ApiSecurityConfig.java | 79 ++++++++++++++++++++++ .../api/configuration/ApiSecurityInitializer.java | 10 +++ .../java/com/juick/api/controllers/Messages.java | 22 ++---- juick-api/src/main/webapp/WEB-INF/web.xml | 1 + .../java/com/juick/api/tests/MessagesTests.java | 3 +- 6 files changed, 98 insertions(+), 19 deletions(-) create mode 100644 juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java create mode 100644 juick-api/src/main/java/com/juick/api/configuration/ApiSecurityInitializer.java (limited to 'juick-api/src') diff --git a/juick-api/src/main/java/com/juick/api/configuration/ApiInitializer.java b/juick-api/src/main/java/com/juick/api/configuration/ApiInitializer.java index f5ba4ff1..2dc25e66 100644 --- a/juick-api/src/main/java/com/juick/api/configuration/ApiInitializer.java +++ b/juick-api/src/main/java/com/juick/api/configuration/ApiInitializer.java @@ -17,7 +17,7 @@ public class ApiInitializer extends AbstractAnnotationConfigDispatcherServletIni @Override protected Class[] getServletConfigClasses() { - return new Class[]{ApiMvcConfiguration.class}; + return new Class[]{ApiMvcConfiguration.class, ApiSecurityConfig.class}; } @Override diff --git a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java new file mode 100644 index 00000000..c0043950 --- /dev/null +++ b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java @@ -0,0 +1,79 @@ +package com.juick.api.configuration; + +import com.juick.server.security.JuickAuthenticationEntryPoint; +import com.juick.server.security.JuickAuthenticationProvider; +import com.juick.server.security.entities.JuickUser; +import com.juick.service.UserService; +import org.apache.commons.lang3.StringUtils; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.PropertySource; +import org.springframework.core.env.Environment; +import org.springframework.http.HttpMethod; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.http.SessionCreationPolicy; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.core.userdetails.UsernameNotFoundException; + +import javax.annotation.Resource; +import javax.inject.Inject; + +/** + * Created by aalexeev on 11/21/16. + */ +@Configuration +@EnableWebSecurity +@PropertySource("classpath:juick.conf") +public class ApiSecurityConfig extends WebSecurityConfigurerAdapter { + @Resource + private Environment env; + @Resource + private UserService userService; + + protected ApiSecurityConfig() { + super(true); + } + + @Bean + public JuickAuthenticationEntryPoint getBasicAuthEntryPoint(){ + return new JuickAuthenticationEntryPoint(); + } + + @Bean("userDetailsService") + @Override + public UserDetailsService userDetailsServiceBean() throws Exception { + return username -> { + if (StringUtils.isBlank(username)) + throw new UsernameNotFoundException("Invalid user name " + username); + + com.juick.User user = userService.getUserByName(username); + + if (user != null) + return new JuickUser(user); + + throw new UsernameNotFoundException("The username " + username + " is not found"); + }; + } + + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .authorizeRequests() + .antMatchers("/home").hasRole("USER") + .and().httpBasic().authenticationEntryPoint(new JuickAuthenticationEntryPoint()) + .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); + } + + @Inject + public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception { + auth.authenticationProvider(new JuickAuthenticationProvider()); + } + @Override + public void configure(WebSecurity web) throws Exception { + web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**"); + } +} diff --git a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityInitializer.java b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityInitializer.java new file mode 100644 index 00000000..295e367c --- /dev/null +++ b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityInitializer.java @@ -0,0 +1,10 @@ +package com.juick.api.configuration; + +/** + * Created by vitalyster on 25.11.2016. + */ +import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; + +public class ApiSecurityInitializer extends AbstractSecurityWebApplicationInitializer { + +} diff --git a/juick-api/src/main/java/com/juick/api/controllers/Messages.java b/juick-api/src/main/java/com/juick/api/controllers/Messages.java index f4cde321..36882140 100644 --- a/juick-api/src/main/java/com/juick/api/controllers/Messages.java +++ b/juick-api/src/main/java/com/juick/api/controllers/Messages.java @@ -16,7 +16,6 @@ import org.slf4j.LoggerFactory; import org.springframework.http.MediaType; import org.springframework.stereotype.Controller; import org.springframework.util.StringUtils; -import org.springframework.web.bind.annotation.CrossOrigin; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; @@ -25,6 +24,7 @@ import rocks.xmpp.core.stanza.model.Message; import javax.inject.Inject; import javax.servlet.http.HttpServletRequest; +import java.security.Principal; import java.util.List; /** @@ -47,22 +47,10 @@ public class Messages { // TODO: serialize image urls @RequestMapping(value = "/home", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_UTF8_VALUE) - public List doGetHome(HttpServletRequest request) { - // TODO: use spring-security - String auth = request.getHeader("Authorization"); - int vuid = userService.getUIDByHttpAuth(auth); - if (vuid == -1) { - throw new HttpForbiddenException(); - } - if (vuid == 0) { - String hash = request.getParameter("hash"); - if (hash != null && hash.length() == 16) { - vuid = userService.getUIDbyHash(hash); - } - } - if (vuid == 0) { - throw new HttpForbiddenException(); - } + public List doGetHome(HttpServletRequest request, Principal principal) { + String name = principal.getName(); + User visitor = userService.getUserByName(name); + int vuid = visitor.getUid(); int before_mid = NumberUtils.toInt(request.getParameter("before_mid"), 0); List mids = messagesService.getMyFeed(vuid, before_mid); return messagesService.getMessages(mids); diff --git a/juick-api/src/main/webapp/WEB-INF/web.xml b/juick-api/src/main/webapp/WEB-INF/web.xml index 7b33aefc..7e1c30d0 100644 --- a/juick-api/src/main/webapp/WEB-INF/web.xml +++ b/juick-api/src/main/webapp/WEB-INF/web.xml @@ -1,3 +1,4 @@ + diff --git a/juick-api/src/test/java/com/juick/api/tests/MessagesTests.java b/juick-api/src/test/java/com/juick/api/tests/MessagesTests.java index 9f324686..1dec4b7c 100644 --- a/juick-api/src/test/java/com/juick/api/tests/MessagesTests.java +++ b/juick-api/src/test/java/com/juick/api/tests/MessagesTests.java @@ -5,6 +5,7 @@ import com.juick.Tag; import com.juick.User; import com.juick.api.configuration.ApiAppConfiguration; import com.juick.api.configuration.ApiMvcConfiguration; +import com.juick.api.configuration.ApiSecurityConfig; import com.juick.service.MessagesService; import com.juick.service.UserService; import org.junit.Before; @@ -42,7 +43,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. @WebAppConfiguration public class MessagesTests { @Configuration - @Import(value={ApiMvcConfiguration.class, ApiAppConfiguration.class}) + @Import(value={ApiMvcConfiguration.class, ApiAppConfiguration.class, ApiSecurityConfig.class}) static class Config { @Bean @Primary -- cgit v1.2.3