From 990ca2bf911181c3af9cd6375534553b9355b3a2 Mon Sep 17 00:00:00 2001 From: Alexander Alexeev Date: Fri, 9 Dec 2016 22:57:52 +0700 Subject: security settings --- .../www/configuration/WebAppConfiguration.java | 1 + .../juick/www/configuration/WebSecurityConfig.java | 23 +++++------- .../www/configuration/WwwSecurityInitializer.java | 20 ++++++++++ .../com/juick/www/controllers/IndexController.java | 41 +++++++++++---------- .../com/juick/www/controllers/LoginController.java | 43 +++------------------- 5 files changed, 59 insertions(+), 69 deletions(-) create mode 100644 juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java (limited to 'juick-spring-www/src/main/java/com') diff --git a/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java b/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java index eaed8ebd..c9ecfeac 100644 --- a/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java +++ b/juick-spring-www/src/main/java/com/juick/www/configuration/WebAppConfiguration.java @@ -35,6 +35,7 @@ public class WebAppConfiguration { public TemplateSettingsHolder settingsHolder() { return new TemplateSettingsHolder(env); } + @Bean public WebApp webApp() { return new WebApp(env); diff --git a/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java index 95a94642..759eba5a 100644 --- a/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java +++ b/juick-spring-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java @@ -8,6 +8,7 @@ import org.springframework.core.env.Environment; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import javax.annotation.Resource; @@ -23,10 +24,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Resource private UserService userService; - protected WebSecurityConfig() { - super(true); - } - @Bean("userDetailsService") @Override public UserDetailsService userDetailsServiceBean() throws Exception { @@ -38,27 +35,27 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { http .authorizeRequests() .antMatchers("/settings", "/pm/**").authenticated() - .anyRequest().authenticated() + .anyRequest().permitAll() + .and() + .anonymous().authorities("ROLE_ANONYM") .and() - .anonymous() - .authorities("ROLE_ANONYM") + .sessionManagement().invalidSessionUrl("/").sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) .and() - .logout() - .invalidateHttpSession(true) - .logoutUrl("/logout") - .logoutSuccessUrl("/") + .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/") .and() .formLogin() .loginPage("/login") .permitAll() .defaultSuccessUrl("/") - .failureForwardUrl("/login") + .failureForwardUrl("/login?error=1") + .loginProcessingUrl("/do_login") + .usernameParameter("j_username") + .passwordParameter("j_password") .and() .rememberMe() .tokenValiditySeconds(6 * 30 * 24 * 3600) .alwaysRemember(true) .useSecureCookie(true) - .rememberMeCookieName(env.getProperty("auth_cookie_name", "hash")) .rememberMeCookieDomain(env.getProperty("web_domain", "juick.com")) .and() .csrf().disable(); diff --git a/juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java b/juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java new file mode 100644 index 00000000..0ea8c907 --- /dev/null +++ b/juick-spring-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java @@ -0,0 +1,20 @@ +package com.juick.www.configuration; + +/** + * Created by vitalyster on 25.11.2016. + */ + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; + +import javax.servlet.ServletContext; + +public class WwwSecurityInitializer extends AbstractSecurityWebApplicationInitializer { + private final Logger logger = LoggerFactory.getLogger(getClass()); + + @Override + protected void afterSpringSecurityFilterChain(ServletContext servletContext) { + logger.info("SpringSecurityFilterChain initialized"); + } +} diff --git a/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java b/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java index 91efd8aa..c6de2fbf 100644 --- a/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java +++ b/juick-spring-www/src/main/java/com/juick/www/controllers/IndexController.java @@ -9,6 +9,7 @@ import com.juick.util.UserUtils; import com.juick.www.util.EncodeUtils; import org.apache.commons.lang3.StringEscapeUtils; import org.apache.commons.lang3.StringUtils; +import org.springframework.context.MessageSource; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.*; @@ -27,32 +28,31 @@ import java.util.stream.Collectors; */ @Controller public class IndexController { - @Inject - UserService userService; + private MessageSource messageSource; + @Inject + private UserService userService; @Inject - MessagesService messagesService; + private MessagesService messagesService; @Inject - TagService tagService; + private TagService tagService; @RequestMapping(value = "/", method = RequestMethod.GET) - protected String doGet( + public String indexPage( Principal principal, @CookieValue("ref") Optional ref, @RequestHeader("Referer") Optional referer, @RequestParam("show") Optional paramShow, @RequestParam("tag") Optional paramTagStr, - @RequestParam(value = "before", required = false) Integer paramBefore, + @RequestParam(value = "before") Optional paramBefore, @RequestParam(value = "search", required = false) String paramSearch, ModelMap model) throws IOException { - if (paramTagStr.isPresent()) { + if (paramTagStr.isPresent()) return "redirect:/tag/" + URLEncoder.encode(paramTagStr.get(), "UTF-8"); - } - if (StringUtils.isNotEmpty(paramSearch) && paramSearch.length() > 64) { + if (StringUtils.isNotEmpty(paramSearch) && paramSearch.length() > 64) paramSearch = ""; - } String name = UserUtils.getUsername(principal, null); User visitor = userService.getUserByName(name); @@ -63,34 +63,37 @@ public class IndexController { } else { title = "Микроблоги Juick: популярные записи"; } + + int before = paramBefore.orElse(0); + List mids = new ArrayList<>(); if (StringUtils.isNotEmpty(paramSearch)) { title = "Поиск: " + StringEscapeUtils.escapeHtml4(paramSearch); mids = messagesService.getSearch(EncodeUtils.encodeSphinx(paramSearch), - paramBefore); + before); } else if (!paramShow.isPresent()) { - mids = messagesService.getPopular(visitor.getUid(), paramBefore); + mids = messagesService.getPopular(visitor.getUid(), before); } else if (paramShow.get().equals("top")) { return "redirect:/"; } else if (paramShow.get().equals("my") && visitor.getUid() > 0) { title = "Моя лента"; - mids = messagesService.getMyFeed(visitor.getUid(), paramBefore); + mids = messagesService.getMyFeed(visitor.getUid(), before); } else if (paramShow.get().equals("private") && visitor.getUid() > 0) { title = "Приватные"; - mids = messagesService.getPrivate(visitor.getUid(), paramBefore); + mids = messagesService.getPrivate(visitor.getUid(), before); } else if (paramShow.get().equals("discuss") && visitor.getUid() > 0) { title = "Обсуждения"; - mids = messagesService.getDiscussions(visitor.getUid(), paramBefore); + mids = messagesService.getDiscussions(visitor.getUid(), before); } else if (paramShow.get().equals("recommended") && visitor.getUid() > 0) { title = "Рекомендации"; - mids = messagesService.getRecommended(visitor.getUid(), paramBefore); + mids = messagesService.getRecommended(visitor.getUid(), before); } else if (paramShow.get().equals("photos")) { title = "Фотографии"; - mids = messagesService.getPhotos(visitor.getUid(), paramBefore); + mids = messagesService.getPhotos(visitor.getUid(), before); } else if (paramShow.get().equals("all")) { title = "Все сообщения"; - mids = messagesService.getAll(visitor.getUid(), paramBefore); + mids = messagesService.getAll(visitor.getUid(), before); } model.addAttribute("title", title); model.addAttribute("visitor", visitor); @@ -116,6 +119,6 @@ public class IndexController { model.addAttribute("nextpage", nextpage); } //model.addAttribute("isModerator", userService.getModerators().contains(visitor.getUid())); - return "blog/index"; + return "index"; } } diff --git a/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java b/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java index 8a474c9b..8827d948 100644 --- a/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java +++ b/juick-spring-www/src/main/java/com/juick/www/controllers/LoginController.java @@ -1,23 +1,15 @@ package com.juick.www.controllers; import com.juick.User; -import com.juick.server.util.HttpBadRequestException; -import com.juick.server.util.HttpForbiddenException; import com.juick.service.UserService; import com.juick.util.UserUtils; import org.springframework.core.env.Environment; import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestHeader; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; import javax.inject.Inject; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletResponse; -import java.net.URI; import java.security.Principal; -import java.util.Optional; /** * Created by vitalyster on 09.12.2016. @@ -25,41 +17,18 @@ import java.util.Optional; @Controller public class LoginController { @Inject - UserService userService; + private UserService userService; @Inject - Environment env; + private Environment env; @RequestMapping(value = "/login", method = RequestMethod.GET) - public String doGetLoginForm(Principal principal) { + public String getLoginForm(Principal principal) { String name = UserUtils.getUsername(principal, null); User visitor = userService.getUserByName(name); - if (visitor.getUid() > 0) { + + if (visitor.getUid() > 0) return "redirect:/login"; - } - return "views/login"; - } - @RequestMapping(value = "/login", method = RequestMethod.POST) - protected String doPostLogin( - @RequestParam("username") Optional username, - @RequestParam("password") Optional password, - @RequestHeader("Referer") Optional referer, - HttpServletResponse response) { - if (!username.isPresent() && password.isPresent()) { - throw new HttpBadRequestException(); - } - int uid = userService.checkPassword(username.get(), password.get()); - if (uid > 0) { - if (referer.isPresent()) { - URI refererURI = URI.create(referer.get()); - if (refererURI.getHost().equals(env.getProperty("web_domain")) - && !refererURI.getPath().equals("/login")) { - return "redirect:" + referer.get(); - } else { - return "redirect:/"; - } - } - } - throw new HttpForbiddenException(); + return "views/login"; } } -- cgit v1.2.3