From a9a2c587a4de11ce04aaae7a0c1a5dab1430794a Mon Sep 17 00:00:00 2001 From: Alexander Alexeev Date: Wed, 5 Apr 2017 17:36:38 +0700 Subject: login by hash, remember-me --- .../juick/www/configuration/WebSecurityConfig.java | 41 +++++++++++++++------- .../main/java/com/juick/www/controllers/Login.java | 40 +++++---------------- 2 files changed, 38 insertions(+), 43 deletions(-) (limited to 'juick-www/src') diff --git a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java index 2b8dc292..3c674d0c 100644 --- a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java +++ b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java @@ -1,17 +1,20 @@ package com.juick.www.configuration; +import com.juick.server.security.HashParamAuthenticationFilter; import com.juick.server.security.entities.JuickUser; import com.juick.service.UserService; import com.juick.service.security.JuickUserDetailsService; -import com.juick.service.security.deprecated.RequestParamHashRememberMeServices; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; +import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; -import org.springframework.security.web.authentication.RememberMeServices; +import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import javax.annotation.Resource; @@ -33,8 +36,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { return new JuickUserDetailsService(userService); } + @Bean("authenticationManager") + @Override + public AuthenticationManager authenticationManagerBean() throws Exception { + return super.authenticationManagerBean(); + } + @Override protected void configure(HttpSecurity http) throws Exception { + http.addFilterAfter(hashParamAuthenticationFilter(), BasicAuthenticationFilter.class); http .authorizeRequests() .antMatchers("/settings", "/pm/**").authenticated() @@ -44,7 +54,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { .and() .sessionManagement().invalidSessionUrl("/") .and() - .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/") + .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/login?logout") .and() .formLogin() .loginPage("/login") @@ -53,30 +63,37 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { .loginProcessingUrl("/login") .usernameParameter("username") .passwordParameter("password") - .failureUrl("/login-error") + .failureUrl("/login?error=1") .and() .rememberMe() .tokenValiditySeconds(6 * 30 * 24 * 3600) .alwaysRemember(true) //.useSecureCookie(true) // TODO Enable if https is supports - .rememberMeCookieDomain(webDomain) + .rememberMeCookieDomain(webDomain).key(rememberMeKey) .userDetailsService(userDetailsServiceBean()) - .rememberMeServices(rememberMeServices()) - .key(rememberMeKey) - .and().authenticationProvider(authenticationProvider()) + .and() + .csrf().disable() + .authenticationProvider(authenticationProvider()) .headers().defaultsDisabled().cacheControl(); } + @Bean - public DaoAuthenticationProvider authenticationProvider() { + public DaoAuthenticationProvider authenticationProvider() throws Exception { DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider(); - authenticationProvider.setUserDetailsService(userDetailsService()); + authenticationProvider.setUserDetailsService(userDetailsServiceBean()); return authenticationProvider; } @Bean - public RememberMeServices rememberMeServices() throws Exception { - return new RequestParamHashRememberMeServices(rememberMeKey, userService); + public HashParamAuthenticationFilter hashParamAuthenticationFilter() { + return new HashParamAuthenticationFilter(userService); + } + + @Override + public void configure(WebSecurity web) throws Exception { + web.debug(false); + web.ignoring().antMatchers("/style.css*", "/scripts.js*"); } } diff --git a/juick-www/src/main/java/com/juick/www/controllers/Login.java b/juick-www/src/main/java/com/juick/www/controllers/Login.java index a83cbc16..8f9a993a 100644 --- a/juick-www/src/main/java/com/juick/www/controllers/Login.java +++ b/juick-www/src/main/java/com/juick/www/controllers/Login.java @@ -19,47 +19,25 @@ package com.juick.www.controllers; import com.juick.service.UserService; import com.juick.util.UserUtils; -import com.juick.www.Utils; -import com.juick.www.WebApp; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; - -import javax.inject.Inject; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import java.io.PrintWriter; +import org.springframework.web.bind.annotation.GetMapping; /** - * * @author Ugnich Anton */ @Controller public class Login { - @Inject - UserService userService; - @Inject - WebApp webApp; + @Autowired + private UserService userService; - @RequestMapping(value = "/login", method = RequestMethod.GET) - protected String doGetLoginForm(HttpServletRequest request, HttpServletResponse response) throws IOException { + @GetMapping("/login") + public String getloginForm() { com.juick.User visitor = UserUtils.getCurrentUser(); - if (!visitor.isAnonymous()) { + + if (!visitor.isAnonymous()) return "redirect:/"; - } + return "views/login"; } - @RequestMapping(value="/logout", method = RequestMethod.GET) - public String logoutPage (HttpServletRequest request, HttpServletResponse response) { - Authentication auth = SecurityContextHolder.getContext().getAuthentication(); - if (auth != null){ - new SecurityContextLogoutHandler().logout(request, response, auth); - } - return "redirect:/login?logout"; - } } -- cgit v1.2.3