From a9a2c587a4de11ce04aaae7a0c1a5dab1430794a Mon Sep 17 00:00:00 2001
From: Alexander Alexeev
Date: Wed, 5 Apr 2017 17:36:38 +0700
Subject: login by hash, remember-me
---
.../juick/www/configuration/WebSecurityConfig.java | 41 +++++++++++++++-------
1 file changed, 29 insertions(+), 12 deletions(-)
(limited to 'juick-www/src/main/java/com/juick/www/configuration')
diff --git a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
index 2b8dc292..3c674d0c 100644
--- a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
+++ b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
@@ -1,17 +1,20 @@ package com.juick.www.configuration; +import com.juick.server.security.HashParamAuthenticationFilter; import com.juick.server.security.entities.JuickUser; import com.juick.service.UserService; import com.juick.service.security.JuickUserDetailsService; -import com.juick.service.security.deprecated.RequestParamHashRememberMeServices; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; +import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; -import org.springframework.security.web.authentication.RememberMeServices; +import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import javax.annotation.Resource; @@ -33,8 +36,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { return new JuickUserDetailsService(userService); } + @Bean("authenticationManager") + @Override + public AuthenticationManager authenticationManagerBean() throws Exception { + return super.authenticationManagerBean(); + } + @Override protected void configure(HttpSecurity http) throws Exception { + http.addFilterAfter(hashParamAuthenticationFilter(), BasicAuthenticationFilter.class); http .authorizeRequests() .antMatchers("/settings", "/pm/**").authenticated() 
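Review bot: The added `http.addFilterAfter(hashParamAuthenticationFilter(), BasicAuthenticationFilter.class);` line in `configure(HttpSecurity)` enables hash-parameter login for every request that passes through the chain, and nothing in the config documents what that implies. A login hash sent as a request parameter is effectively a bearer credential that ends up in access logs, browser history and Referer headers. The filter body is not part of this diff, so it is worth confirming that it authenticates once, establishes the session, and then redirects to the same URL without the parameter. I would at least add a comment above the line, such as `// Hash-parameter login, evaluated after Basic auth; the hash is a bearer credential, so keep it out of logs and redirect targets`. `configure` continues past the end of this hunk.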
@@ -44,7 +54,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 .and()
 .sessionManagement().invalidSessionUrl("/")
 .and()
- .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/")
+ .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/login?logout")
 .and()
 .formLogin()
 .loginPage("/login")
@@ -53,30 +63,37 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { .loginProcessingUrl("/login") .usernameParameter("username") .passwordParameter("password") - .failureUrl("/login-error") + .failureUrl("/login?error=1") .and() .rememberMe() .tokenValiditySeconds(6 * 30 * 24 * 3600) .alwaysRemember(true) //.useSecureCookie(true) // TODO Enable if https is supports - .rememberMeCookieDomain(webDomain) + .rememberMeCookieDomain(webDomain).key(rememberMeKey) .userDetailsService(userDetailsServiceBean()) - .rememberMeServices(rememberMeServices()) - .key(rememberMeKey) - .and().authenticationProvider(authenticationProvider()) + .and() + .csrf().disable() + .authenticationProvider(authenticationProvider()) .headers().defaultsDisabled().cacheControl(); } + @Bean - public DaoAuthenticationProvider authenticationProvider() { + public DaoAuthenticationProvider authenticationProvider() throws Exception { DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider(); - authenticationProvider.setUserDetailsService(userDetailsService()); + authenticationProvider.setUserDetailsService(userDetailsServiceBean()); return authenticationProvider; } @Bean - public RememberMeServices rememberMeServices() throws Exception { - return new RequestParamHashRememberMeServices(rememberMeKey, userService); + public HashParamAuthenticationFilter hashParamAuthenticationFilter() { + return new HashParamAuthenticationFilter(userService); + } + + @Override + public void configure(WebSecurity web) throws Exception { + web.debug(false); + web.ignoring().antMatchers("/style.css*", "/scripts.js*"); } } -- cgit v1.2.3
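Review bot: The added `.csrf().disable()` after the remember-me section turns CSRF protection off for the whole application, including the cookie-authenticated `/settings` and `/pm/**` routes and the `/login` and `/logout` endpoints. With `alwaysRemember(true)` and a six-month remember-me cookie, browsers stay authenticated for a long time, so state-changing requests can be triggered from another site. If the exemption is only needed for clients that authenticate by hash parameter, scope it rather than disabling it, e.g. `.csrf().requireCsrfProtectionMatcher(<matcher covering cookie-authenticated, state-changing requests>)`, and keep the token on the form pages. Separately, `useSecureCookie(true)` is still commented out in the context lines, so the remember-me cookie can be sent over plain HTTP. `configure(HttpSecurity)` starts above this hunk.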