From a9a2c587a4de11ce04aaae7a0c1a5dab1430794a Mon Sep 17 00:00:00 2001
From: Alexander Alexeev
Date: Wed, 5 Apr 2017 17:36:38 +0700
Subject: login by hash, remember-me

---
 .../juick/www/configuration/WebSecurityConfig.java | 41 +++++++++++++++-------
 .../main/java/com/juick/www/controllers/Login.java | 40 +++++----------------
 2 files changed, 38 insertions(+), 43 deletions(-)

(limited to 'juick-www/src/main/java/com/juick/www')

diff --git a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
index 2b8dc292..3c674d0c 100644
--- a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
+++ b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
@@ -1,17 +1,20 @@
 package com.juick.www.configuration;
 
+import com.juick.server.security.HashParamAuthenticationFilter;
 import com.juick.server.security.entities.JuickUser;
 import com.juick.service.UserService;
 import com.juick.service.security.JuickUserDetailsService;
-import com.juick.service.security.deprecated.RequestParamHashRememberMeServices;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.web.authentication.RememberMeServices;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 
 import javax.annotation.Resource;
 
@@ -33,8 +36,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         return new JuickUserDetailsService(userService);
     }
 
+    @Bean("authenticationManager")
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+
     @Override
     protected void configure(HttpSecurity http) throws Exception {
+        http.addFilterAfter(hashParamAuthenticationFilter(), BasicAuthenticationFilter.class);
         http
                 .authorizeRequests()
                 .antMatchers("/settings", "/pm/**").authenticated()
@@ -44,7 +54,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                 .and()
                 .sessionManagement().invalidSessionUrl("/")
                 .and()
-                .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/")
+                .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/login?logout")
                 .and()
                 .formLogin()
                 .loginPage("/login")
@@ -53,30 +63,37 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                 .loginProcessingUrl("/login")
                 .usernameParameter("username")
                 .passwordParameter("password")
-                .failureUrl("/login-error")
+                .failureUrl("/login?error=1")
                 .and()
                 .rememberMe()
                 .tokenValiditySeconds(6 * 30 * 24 * 3600)
                 .alwaysRemember(true)
                 //.useSecureCookie(true) // TODO Enable if https is supports
-                .rememberMeCookieDomain(webDomain)
+                .rememberMeCookieDomain(webDomain).key(rememberMeKey)
                 .userDetailsService(userDetailsServiceBean())
-                .rememberMeServices(rememberMeServices())
-                .key(rememberMeKey)
-                .and().authenticationProvider(authenticationProvider())
+                .and()
+                .csrf().disable()
+                .authenticationProvider(authenticationProvider())
                 .headers().defaultsDisabled().cacheControl();
     }
+
     @Bean
-    public DaoAuthenticationProvider authenticationProvider() {
+    public DaoAuthenticationProvider authenticationProvider() throws Exception {
         DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
 
-        authenticationProvider.setUserDetailsService(userDetailsService());
+        authenticationProvider.setUserDetailsService(userDetailsServiceBean());
 
         return authenticationProvider;
     }
 
     @Bean
-    public RememberMeServices rememberMeServices() throws Exception {
-        return new RequestParamHashRememberMeServices(rememberMeKey, userService);
+    public HashParamAuthenticationFilter hashParamAuthenticationFilter() {
+        return new HashParamAuthenticationFilter(userService);
+    }
+
+    @Override
+    public void configure(WebSecurity web) throws Exception {
+        web.debug(false);
+        web.ignoring().antMatchers("/style.css*", "/scripts.js*");
     }
 }
diff --git a/juick-www/src/main/java/com/juick/www/controllers/Login.java b/juick-www/src/main/java/com/juick/www/controllers/Login.java
index a83cbc16..8f9a993a 100644
--- a/juick-www/src/main/java/com/juick/www/controllers/Login.java
+++ b/juick-www/src/main/java/com/juick/www/controllers/Login.java
@@ -19,47 +19,25 @@ package com.juick.www.controllers;
 
 import com.juick.service.UserService;
 import com.juick.util.UserUtils;
-import com.juick.www.Utils;
-import com.juick.www.WebApp;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-
-import javax.inject.Inject;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.io.PrintWriter;
+import org.springframework.web.bind.annotation.GetMapping;
 
 /**
- *
  * @author Ugnich Anton
  */
 @Controller
 public class Login {
-    @Inject
-    UserService userService;
-    @Inject
-    WebApp webApp;
+    @Autowired
+    private UserService userService;
 
-    @RequestMapping(value = "/login", method = RequestMethod.GET)
-    protected String doGetLoginForm(HttpServletRequest request, HttpServletResponse response) throws IOException {
+    @GetMapping("/login")
+    public String getloginForm() {
         com.juick.User visitor = UserUtils.getCurrentUser();
-        if (!visitor.isAnonymous()) {
+
+        if (!visitor.isAnonymous())
             return "redirect:/";
-        }
+
         return "views/login";
     }
-    @RequestMapping(value="/logout", method = RequestMethod.GET)
-    public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
-        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-        if (auth != null){
-            new SecurityContextLogoutHandler().logout(request, response, auth);
-        }
-        return "redirect:/login?logout";
-    }
 }
-- 
cgit v1.2.3