From 9f770c26d1e4f392d591bf35886e3dcc7371d64f Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Wed, 29 Mar 2017 14:11:46 +0300 Subject: juick-www: Spring Security --- juick-www/src/main/java/com/juick/www/WebApp.java | 17 ------ .../juick/www/configuration/WebSecurityConfig.java | 63 ++++++++++++++++++++++ .../juick/www/configuration/WwwInitializer.java | 3 +- .../www/configuration/WwwSecurityInitializer.java | 20 +++++++ .../main/java/com/juick/www/controllers/Help.java | 3 +- .../main/java/com/juick/www/controllers/Home.java | 3 +- .../main/java/com/juick/www/controllers/Login.java | 44 +-------------- .../java/com/juick/www/controllers/NewMessage.java | 9 ++-- .../main/java/com/juick/www/controllers/PM.java | 7 +-- .../java/com/juick/www/controllers/Settings.java | 4 +- .../java/com/juick/www/controllers/SignUp.java | 5 +- .../main/java/com/juick/www/controllers/Tags.java | 3 +- .../main/java/com/juick/www/controllers/User.java | 9 ++-- .../java/com/juick/www/controllers/UserThread.java | 3 +- .../java/com/juick/www/controllers/XMPPPost.java | 3 +- 15 files changed, 116 insertions(+), 80 deletions(-) create mode 100644 juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java create mode 100644 juick-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java (limited to 'juick-www/src/main') diff --git a/juick-www/src/main/java/com/juick/www/WebApp.java b/juick-www/src/main/java/com/juick/www/WebApp.java index 2d95cb85..72eb3fbc 100644 --- a/juick-www/src/main/java/com/juick/www/WebApp.java +++ b/juick-www/src/main/java/com/juick/www/WebApp.java @@ -19,7 +19,6 @@ package com.juick.www; import com.juick.Message; import com.juick.Tag; -import com.juick.User; import com.juick.service.TagService; import com.juick.service.UserService; import com.juick.www.controllers.PageTemplates; @@ -36,8 +35,6 @@ import rocks.xmpp.core.session.XmppSessionConfiguration; import rocks.xmpp.core.session.debug.LogbackDebugger; import rocks.xmpp.extensions.component.accept.ExternalComponent; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; import java.util.ArrayList; import java.util.Arrays; import java.util.List; @@ -103,20 +100,6 @@ public class WebApp implements AutoCloseable { return xmpp; } - - public com.juick.User getVisitorUser(HttpServletRequest request, HttpServletResponse response) { - String hash = Utils.getCookie(request, "hash"); - if (hash != null) { - com.juick.User visitor = userService.getUserByHash(hash); - if (response != null && visitor.getUid() > 0) { - response.setHeader("X-Username", visitor.getName()); - } - return visitor; - } else { - return new User(); - } - } - public String getImgDir() { return imgDir; } diff --git a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java new file mode 100644 index 00000000..9d603da8 --- /dev/null +++ b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java @@ -0,0 +1,63 @@ +package com.juick.www.configuration; + +import com.juick.server.security.entities.JuickUser; +import com.juick.service.UserService; +import com.juick.service.security.JuickUserDetailsService; +import org.springframework.context.annotation.Bean; +import org.springframework.core.env.Environment; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.UserDetailsService; + +import javax.annotation.Resource; + +/** + * Created by aalexeev on 11/21/16. + */ +@EnableWebSecurity +public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Resource + private Environment env; + @Resource + private UserService userService; + + @Bean("userDetailsService") + @Override + public UserDetailsService userDetailsServiceBean() throws Exception { + return new JuickUserDetailsService(userService); + } + + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .authorizeRequests() + .antMatchers("/settings", "/pm/**").authenticated() + .anyRequest().permitAll() + .and() + .anonymous().principal(JuickUser.ANONYMOUS_USER).authorities(JuickUser.ANONYMOUS_AUTHORITY) + .and() + .sessionManagement().invalidSessionUrl("/") + .and() + .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/") + .and() + .formLogin() + .loginPage("/login") + .permitAll() + .defaultSuccessUrl("/") + .loginProcessingUrl("/login") + .usernameParameter("username") + .passwordParameter("password") + .failureUrl("/login-error") + .and() + .rememberMe() + .tokenValiditySeconds(6 * 30 * 24 * 3600) + .alwaysRemember(true) + //.useSecureCookie(true) // TODO Enable if https is supports + .rememberMeCookieDomain(env.getProperty("web_domain", "juick.com")) + .userDetailsService(userDetailsServiceBean()) + .key(env.getProperty("auth_remember_me_key")) + .and() + .csrf().disable(); + } +} diff --git a/juick-www/src/main/java/com/juick/www/configuration/WwwInitializer.java b/juick-www/src/main/java/com/juick/www/configuration/WwwInitializer.java index 204d8c6c..138c7121 100644 --- a/juick-www/src/main/java/com/juick/www/configuration/WwwInitializer.java +++ b/juick-www/src/main/java/com/juick/www/configuration/WwwInitializer.java @@ -21,7 +21,8 @@ public class WwwInitializer extends AbstractAnnotationConfigDispatcherServletIni WwwAppConfiguration.class, DataConfiguration.class, SearchConfiguration.class, - SapeConfiguration.class + SapeConfiguration.class, + WebSecurityConfig.class }; } diff --git a/juick-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java b/juick-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java new file mode 100644 index 00000000..0ea8c907 --- /dev/null +++ b/juick-www/src/main/java/com/juick/www/configuration/WwwSecurityInitializer.java @@ -0,0 +1,20 @@ +package com.juick.www.configuration; + +/** + * Created by vitalyster on 25.11.2016. + */ + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; + +import javax.servlet.ServletContext; + +public class WwwSecurityInitializer extends AbstractSecurityWebApplicationInitializer { + private final Logger logger = LoggerFactory.getLogger(getClass()); + + @Override + protected void afterSpringSecurityFilterChain(ServletContext servletContext) { + logger.info("SpringSecurityFilterChain initialized"); + } +} diff --git a/juick-www/src/main/java/com/juick/www/controllers/Help.java b/juick-www/src/main/java/com/juick/www/controllers/Help.java index 361d5efc..8256b4be 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/Help.java +++ b/juick-www/src/main/java/com/juick/www/controllers/Help.java @@ -2,6 +2,7 @@ package com.juick.www.controllers; import com.juick.server.util.HttpNotFoundException; import com.juick.service.MessagesService; +import com.juick.util.UserUtils; import com.juick.www.HelpService; import com.juick.www.WebApp; import org.springframework.stereotype.Controller; @@ -39,7 +40,7 @@ public class Help { @PathVariable("page") Optional pageParam, @PathVariable("langOrPage") Optional langOrPageParam, Model model) throws IOException, URISyntaxException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); String page = pageParam.orElse("index"); String lang = langParam.orElse(locale.getLanguage()); diff --git a/juick-www/src/main/java/com/juick/www/controllers/Home.java b/juick-www/src/main/java/com/juick/www/controllers/Home.java index 405a4bd6..4f597d5a 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/Home.java +++ b/juick-www/src/main/java/com/juick/www/controllers/Home.java @@ -20,6 +20,7 @@ package com.juick.www.controllers; import com.juick.service.AdsService; import com.juick.service.MessagesService; import com.juick.service.UserService; +import com.juick.util.UserUtils; import com.juick.util.WebUtils; import com.juick.www.Utils; import com.juick.www.WebApp; @@ -100,7 +101,7 @@ public class Home { if (tag != null) { Utils.sendPermanentRedirect(response, "/tag/" + URLEncoder.encode(tag, CharEncoding.UTF_8)); } - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); int paramBefore = NumberUtils.toInt(request.getParameter("before"), 0); String paramSearch = request.getParameter("search"); diff --git a/juick-www/src/main/java/com/juick/www/controllers/Login.java b/juick-www/src/main/java/com/juick/www/controllers/Login.java index c9056f22..2d41d9b4 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/Login.java +++ b/juick-www/src/main/java/com/juick/www/controllers/Login.java @@ -18,6 +18,7 @@ package com.juick.www.controllers; import com.juick.service.UserService; +import com.juick.util.UserUtils; import com.juick.www.Utils; import com.juick.www.WebApp; import org.springframework.stereotype.Controller; @@ -60,7 +61,7 @@ public class Login { response.sendError(HttpServletResponse.SC_FORBIDDEN); } } - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() > 0) { Utils.sendTemporaryRedirect(response, "/"); return; @@ -209,45 +210,4 @@ public class Login { out.println(""); } } - - @RequestMapping(value = "/login", method = RequestMethod.POST) - protected void doPostLogin(HttpServletRequest request, HttpServletResponse response) throws IOException { - String username = request.getParameter("username"); - String password = request.getParameter("password"); - if (username == null || password == null || username.length() > 32 || password.isEmpty()) { - response.sendError(HttpServletResponse.SC_BAD_REQUEST); - return; - } - - int uid = userService.checkPassword(username, password); - if (uid > 0) { - String hash = userService.getHashByUID(uid); - Cookie c = new Cookie("hash", hash); - c.setMaxAge(365 * 24 * 60 * 60); - response.addCookie(c); - - String referer = request.getHeader("Referer"); - if (referer != null && referer.startsWith("http://juick.com/") && !referer.equals("http://juick.com/login")) { - response.sendRedirect(referer); - } else { - response.sendRedirect("/"); - } - } else { - response.sendError(HttpServletResponse.SC_FORBIDDEN); - } - } - - @RequestMapping(value = "/logout", method = RequestMethod.GET) - protected void doGetLogout(HttpServletRequest request, HttpServletResponse response) throws IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); - if (visitor.getUid() > 0) { - userService.logout(visitor.getUid()); - } - - Cookie c2 = new Cookie("hash", "-"); - c2.setMaxAge(0); - response.addCookie(c2); - - response.sendRedirect("/"); - } } diff --git a/juick-www/src/main/java/com/juick/www/controllers/NewMessage.java b/juick-www/src/main/java/com/juick/www/controllers/NewMessage.java index 1993737b..fcd27710 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/NewMessage.java +++ b/juick-www/src/main/java/com/juick/www/controllers/NewMessage.java @@ -22,6 +22,7 @@ import com.juick.server.helpers.TagStats; import com.juick.server.util.HttpBadRequestException; import com.juick.server.util.HttpUtils; import com.juick.service.*; +import com.juick.util.UserUtils; import com.juick.www.Utils; import com.juick.www.WebApp; import org.apache.commons.io.FilenameUtils; @@ -87,7 +88,7 @@ public class NewMessage { @RequestMapping(value = "/post", method = RequestMethod.GET) protected void doGetNewMessage(HttpServletRequest request, HttpServletResponse response) throws IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0) { Utils.sendTemporaryRedirect(response, "/login"); return; @@ -184,7 +185,7 @@ public class NewMessage { public void doPostMessage(HttpServletRequest request, HttpServletResponse response, @RequestParam(required = false) String img, @RequestParam(required = false) MultipartFile attach) throws IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; @@ -317,7 +318,7 @@ public class NewMessage { public void doPostComment(HttpServletRequest request, HttpServletResponse response, @RequestParam(required = false) String img, @RequestParam(required = false) MultipartFile attach) throws IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; @@ -433,7 +434,7 @@ public class NewMessage { @RequestMapping(value = "/like", method = RequestMethod.POST) public void doPostRecomm(HttpServletRequest request, HttpServletResponse response) throws IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; diff --git a/juick-www/src/main/java/com/juick/www/controllers/PM.java b/juick-www/src/main/java/com/juick/www/controllers/PM.java index 028feabc..9cc29129 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/PM.java +++ b/juick-www/src/main/java/com/juick/www/controllers/PM.java @@ -22,6 +22,7 @@ import com.juick.service.PMQueriesService; import com.juick.service.TagService; import com.juick.service.UserService; import com.juick.util.MessageUtils; +import com.juick.util.UserUtils; import com.juick.util.WebUtils; import com.juick.www.Utils; import com.juick.www.WebApp; @@ -62,7 +63,7 @@ public class PM { @RequestMapping(value = "/pm/inbox", method = RequestMethod.GET) protected String doGetInbox(HttpServletRequest request, HttpServletResponse response, ModelMap model) { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0) { Utils.sendTemporaryRedirect(response, "/login"); } @@ -79,7 +80,7 @@ public class PM { @RequestMapping(value = "/pm/sent", method = RequestMethod.GET) protected String doGetSent(HttpServletRequest request, HttpServletResponse response, ModelMap model) { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0) { Utils.sendTemporaryRedirect(response, "/login"); } @@ -102,7 +103,7 @@ public class PM { @RequestMapping(value = "/pm/send", method = RequestMethod.POST) public void doPostPM(HttpServletRequest request, HttpServletResponse response) throws IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0 || visitor.isBanned()) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; diff --git a/juick-www/src/main/java/com/juick/www/controllers/Settings.java b/juick-www/src/main/java/com/juick/www/controllers/Settings.java index 053a014e..43215c62 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/Settings.java +++ b/juick-www/src/main/java/com/juick/www/controllers/Settings.java @@ -86,7 +86,7 @@ public class Settings { @RequestMapping(value = "/settings", method = RequestMethod.GET) protected String doGet(HttpServletRequest request, HttpServletResponse response, ModelMap model) throws IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0) { response.sendRedirect("/login"); } @@ -129,7 +129,7 @@ public class Settings { @RequestParam(required = false) MultipartFile avatar, ModelMap model) throws IOException, ServletException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0) { throw new HttpBadRequestException(); } diff --git a/juick-www/src/main/java/com/juick/www/controllers/SignUp.java b/juick-www/src/main/java/com/juick/www/controllers/SignUp.java index ad148265..4c20e513 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/SignUp.java +++ b/juick-www/src/main/java/com/juick/www/controllers/SignUp.java @@ -22,6 +22,7 @@ import com.juick.server.util.HttpForbiddenException; import com.juick.service.CrosspostService; import com.juick.service.MessagesService; import com.juick.service.UserService; +import com.juick.util.UserUtils; import com.juick.www.Utils; import com.juick.www.WebApp; import org.springframework.stereotype.Controller; @@ -53,7 +54,7 @@ public class SignUp { @RequestMapping(value = "/signup", method = RequestMethod.GET) protected String doGet(HttpServletRequest request, HttpServletResponse response, ModelMap model) { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); String type = request.getParameter("type"); String hash = request.getParameter("hash"); @@ -92,7 +93,7 @@ public class SignUp { @RequestMapping(value = "/signup", method = RequestMethod.POST) protected String doPost(HttpServletRequest request, HttpServletResponse response) { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); int uid = 0; String type = request.getParameter("type"); diff --git a/juick-www/src/main/java/com/juick/www/controllers/Tags.java b/juick-www/src/main/java/com/juick/www/controllers/Tags.java index 73813179..a0682a45 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/Tags.java +++ b/juick-www/src/main/java/com/juick/www/controllers/Tags.java @@ -20,6 +20,7 @@ package com.juick.www.controllers; import com.juick.service.AdsService; import com.juick.service.MessagesService; import com.juick.service.TagService; +import com.juick.util.UserUtils; import com.juick.www.Utils; import com.juick.www.WebApp; import org.apache.commons.lang3.CharEncoding; @@ -61,7 +62,7 @@ public class Tags { @PathVariable String tagName, @RequestParam(required = false, defaultValue = "0") int before, HttpServletResponse response) throws IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); String paramTagStr = StringEscapeUtils.unescapeHtml4(tagName); com.juick.Tag paramTag = tagService.getTag(paramTagStr, false); diff --git a/juick-www/src/main/java/com/juick/www/controllers/User.java b/juick-www/src/main/java/com/juick/www/controllers/User.java index e84c8913..28a91298 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/User.java +++ b/juick-www/src/main/java/com/juick/www/controllers/User.java @@ -21,6 +21,7 @@ import com.juick.server.helpers.TagStats; import com.juick.service.MessagesService; import com.juick.service.TagService; import com.juick.service.UserService; +import com.juick.util.UserUtils; import com.juick.www.Utils; import com.juick.www.WebApp; import org.apache.commons.lang3.CharEncoding; @@ -66,7 +67,7 @@ public class User { @PathVariable String uname, @RequestParam(required = false, defaultValue = "0") Integer before) throws IOException { com.juick.User user = userService.getUserByName(uname); - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (user.isBanned()) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return; @@ -180,7 +181,7 @@ public class User { protected void doGetTags(HttpServletRequest request, HttpServletResponse response, @PathVariable String uname) throws IOException { com.juick.User user = userService.getUserByName(uname); - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.isBanned()) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return; @@ -206,7 +207,7 @@ public class User { protected void doGetFriends(HttpServletRequest request, HttpServletResponse response, @PathVariable String uname) throws ServletException, IOException { com.juick.User user = userService.getUserByName(uname); - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.isBanned()) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return; @@ -244,7 +245,7 @@ public class User { protected void doGetReaders(HttpServletRequest request, HttpServletResponse response, @PathVariable String uname) throws ServletException, IOException { com.juick.User user = userService.getUserByName(uname); - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.isBanned()) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return; diff --git a/juick-www/src/main/java/com/juick/www/controllers/UserThread.java b/juick-www/src/main/java/com/juick/www/controllers/UserThread.java index 7d3894a8..27788d9b 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/UserThread.java +++ b/juick-www/src/main/java/com/juick/www/controllers/UserThread.java @@ -24,6 +24,7 @@ import com.juick.service.MessagesService; import com.juick.service.TagService; import com.juick.service.UserService; import com.juick.util.MessageUtils; +import com.juick.util.UserUtils; import com.juick.www.WebApp; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; @@ -64,7 +65,7 @@ public class UserThread { protected void doGetThread(HttpServletRequest request, HttpServletResponse response, @PathVariable String uname, @PathVariable int mid) throws ServletException, IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (!messagesService.canViewThread(mid, visitor.getUid())) { response.sendError(HttpServletResponse.SC_FORBIDDEN); diff --git a/juick-www/src/main/java/com/juick/www/controllers/XMPPPost.java b/juick-www/src/main/java/com/juick/www/controllers/XMPPPost.java index f64907b2..f4b8717a 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/XMPPPost.java +++ b/juick-www/src/main/java/com/juick/www/controllers/XMPPPost.java @@ -3,6 +3,7 @@ package com.juick.www.controllers; import com.juick.server.util.HttpBadRequestException; import com.juick.server.util.HttpUtils; import com.juick.service.TagService; +import com.juick.util.UserUtils; import com.juick.www.WebApp; import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; @@ -41,7 +42,7 @@ public class XMPPPost { @RequestParam(required = false) String img, @RequestParam(required = false) MultipartFile attach) throws IOException { - com.juick.User visitor = webApp.getVisitorUser(request, response); + com.juick.User visitor = UserUtils.getCurrentUser(); if (visitor.getUid() == 0 || visitor.isBanned()) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; -- cgit v1.2.3