From a9a2c587a4de11ce04aaae7a0c1a5dab1430794a Mon Sep 17 00:00:00 2001
From: Alexander Alexeev
Date: Wed, 5 Apr 2017 17:36:38 +0700
Subject: login by hash, remember-me

---
 .../juick/www/configuration/WebSecurityConfig.java | 41 +++++++++++++++-------
 1 file changed, 29 insertions(+), 12 deletions(-)

(limited to 'juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java')

diff --git a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
index 2b8dc292..3c674d0c 100644
--- a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
+++ b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
@@ -1,17 +1,20 @@
 package com.juick.www.configuration;
 
+import com.juick.server.security.HashParamAuthenticationFilter;
 import com.juick.server.security.entities.JuickUser;
 import com.juick.service.UserService;
 import com.juick.service.security.JuickUserDetailsService;
-import com.juick.service.security.deprecated.RequestParamHashRememberMeServices;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.web.authentication.RememberMeServices;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 
 import javax.annotation.Resource;
 
@@ -33,8 +36,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         return new JuickUserDetailsService(userService);
     }
 
+    @Bean("authenticationManager")
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+
     @Override
     protected void configure(HttpSecurity http) throws Exception {
+        http.addFilterAfter(hashParamAuthenticationFilter(), BasicAuthenticationFilter.class);
         http
                 .authorizeRequests()
                 .antMatchers("/settings", "/pm/**").authenticated()
@@ -44,7 +54,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                 .and()
                 .sessionManagement().invalidSessionUrl("/")
                 .and()
-                .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/")
+                .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/login?logout")
                 .and()
                 .formLogin()
                 .loginPage("/login")
@@ -53,30 +63,37 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                 .loginProcessingUrl("/login")
                 .usernameParameter("username")
                 .passwordParameter("password")
-                .failureUrl("/login-error")
+                .failureUrl("/login?error=1")
                 .and()
                 .rememberMe()
                 .tokenValiditySeconds(6 * 30 * 24 * 3600)
                 .alwaysRemember(true)
                 //.useSecureCookie(true) // TODO Enable if https is supports
-                .rememberMeCookieDomain(webDomain)
+                .rememberMeCookieDomain(webDomain).key(rememberMeKey)
                 .userDetailsService(userDetailsServiceBean())
-                .rememberMeServices(rememberMeServices())
-                .key(rememberMeKey)
-                .and().authenticationProvider(authenticationProvider())
+                .and()
+                .csrf().disable()
+                .authenticationProvider(authenticationProvider())
                 .headers().defaultsDisabled().cacheControl();
     }
+
     @Bean
-    public DaoAuthenticationProvider authenticationProvider() {
+    public DaoAuthenticationProvider authenticationProvider() throws Exception {
         DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
 
-        authenticationProvider.setUserDetailsService(userDetailsService());
+        authenticationProvider.setUserDetailsService(userDetailsServiceBean());
 
         return authenticationProvider;
     }
 
     @Bean
-    public RememberMeServices rememberMeServices() throws Exception {
-        return new RequestParamHashRememberMeServices(rememberMeKey, userService);
+    public HashParamAuthenticationFilter hashParamAuthenticationFilter() {
+        return new HashParamAuthenticationFilter(userService);
+    }
+
+    @Override
+    public void configure(WebSecurity web) throws Exception {
+        web.debug(false);
+        web.ignoring().antMatchers("/style.css*", "/scripts.js*");
     }
 }
-- 
cgit v1.2.3