From c4c0c227205d96e436a70885611e955e6fef7746 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Wed, 31 May 2023 22:00:06 +0300
Subject: Modernize spring-security configuration and minor changes

* Clean up warnings
---
 src/main/java/com/juick/ServerManager.java | 1 -
 src/main/java/com/juick/config/SecurityConfig.java | 48 ++++++++++++++--------
 .../java/com/juick/service/EmailServiceImpl.java | 1 -
 .../java/com/juick/util/PrettyTimeFormatter.java | 1 -
 .../java/com/juick/www/api/ApiSocialLogin.java | 3 --
 .../java/com/juick/www/api/activity/Profile.java | 1 -
 src/main/java/com/juick/www/controllers/Help.java | 1 -
 .../java/com/juick/www/controllers/SignUp.java | 1 -
 src/main/java/com/juick/www/rss/MessagesView.java | 2 -
 9 files changed, 32 insertions(+), 27 deletions(-)
(limited to 'src/main/java/com/juick')

diff --git a/src/main/java/com/juick/ServerManager.java b/src/main/java/com/juick/ServerManager.java
index a33d7d9a..60b6010f 100644
--- a/src/main/java/com/juick/ServerManager.java
+++ b/src/main/java/com/juick/ServerManager.java
@@ -38,7 +38,6 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.CopyOnWriteArrayList;
-import java.util.stream.Collectors;
 
 /**
  * @author Ugnich Anton
diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java
index 8a41ab5b..70dc19fa 100644
--- a/src/main/java/com/juick/config/SecurityConfig.java
+++ b/src/main/java/com/juick/config/SecurityConfig.java
@@ -40,7 +40,6 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
@@ -68,6 +67,8 @@ import java.security.interfaces.RSAPublicKey;
 import java.util.Arrays;
 import java.util.Collections;
 
+import static org.springframework.security.config.Customizer.withDefaults;
+
 /**
  * Created by aalexeev on 11/21/16.
  */
@@ -81,6 +82,7 @@ public class SecurityConfig {
 @Inject
 private JdbcTemplate jdbcTemplate;
 private static final String COOKIE_NAME = "juick-remember-me";
+
 @Bean
 UserDetailsService userDetailsService() {
 return new JuickUserDetailsService(userService);
@@ -139,27 +141,25 @@ public class SecurityConfig { services.setUseSecureCookie(false); // TODO set true if https is supports return services; } + @Bean @Order(Ordered.HIGHEST_PRECEDENCE) public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); http.getConfigurer(OAuth2AuthorizationServerConfigurer.class) - .authorizationServerSettings(AuthorizationServerSettings.builder() - .authorizationEndpoint("/oauth/authorize") - .tokenEndpoint("/oauth/token") - .build()) .oidc(Customizer.withDefaults()); http.cors(cors -> cors.configurationSource(corsConfigurationSource())) // Accept access tokens for User Info and/or Client Registration - .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); - + .oauth2ResourceServer(resourceServer -> resourceServer.jwt(withDefaults())); return http.formLogin(Customizer.withDefaults()).build(); } + @Bean public RegisteredClientRepository registeredClientRepository() { return new JdbcRegisteredClientRepository(jdbcTemplate); } + @Bean public JWKSource jwkSource() { RSAPublicKey publicKey = (RSAPublicKey) keystoreManager.getPublicKey(); @@ -171,10 +171,20 @@ public class SecurityConfig { JWKSet jwkSet = new JWKSet(rsaKey); return new ImmutableJWKSet<>(jwkSet); } + @Bean public JwtDecoder jwtDecoder(JWKSource jwkSource) { return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource); } + + @Bean + public AuthorizationServerSettings authorizationServerSettings() { + return AuthorizationServerSettings.builder() + .authorizationEndpoint("/oauth/authorize") + .tokenEndpoint("/oauth/token") + .build(); + } + @Bean @Order(Ordered.HIGHEST_PRECEDENCE + 1) SecurityFilterChain apiChain(HttpSecurity http) throws Exception { 
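Review bot: The new `.oauth2ResourceServer(resourceServer -> resourceServer.jwt(withDefaults()))` in authorizationServerSecurityFilterChain uses the freshly static-imported `withDefaults()`, while `.oidc(Customizer.withDefaults())` two lines above and `http.formLogin(Customizer.withDefaults())` below keep the qualified form, so the same method is spelled two ways inside one chain; once the static import exists it should be used throughout, i.e. `.oidc(withDefaults());` and `return http.formLogin(withDefaults()).build();`. The extracted `authorizationServerSettings()` bean deserves a one-line Javadoc such as `/** Authorization server endpoints; overrides the framework defaults (/oauth2/authorize, /oauth2/token) to keep the legacy /oauth/* paths. */`, because the paths now live far from the filter chain that serves them. The unchanged context line `services.setUseSecureCookie(false); // TODO set true if https is supports` still issues the remember-me cookie without the Secure flag; that method starts outside the hunk, and jwkSource continues past the hunk's end.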
@@ -194,8 +204,10 @@ public class SecurityConfig { "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin", "/api/_google", "/api/_applelogin", "/api/signup", - "/api/inbox", "/api/events", "/api/u/", "/u/**", "/n/**", - "/api/info/**", "/api/v1/apps", "/api/v1/instance", "/api/v2/instance", + "/api/inbox", "/api/events", "/api/u/", "/u/**", + "/n/**", + "/api/info/**", "/api/v1/apps", "/api/v1/instance", + "/api/v2/instance", "/api/nodeinfo/2.0", "/oauth/**") .permitAll() .anyRequest().hasAnyAuthority("SCOPE_write", "ROLE_USER")) 
@@ -204,36 +216,39 @@ public class SecurityConfig { .httpBasic(httpBasic -> httpBasic .authenticationEntryPoint(apiAuthenticationEntryPoint())) .cors(cors -> cors.configurationSource(corsConfigurationSource())) - .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) + .oauth2ResourceServer(resourceServer -> resourceServer.jwt(withDefaults())) .sessionManagement(sessionManagement -> sessionManagement .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .exceptionHandling(exceptionHandling -> exceptionHandling .authenticationEntryPoint(apiAuthenticationEntryPoint())) - .csrf().disable() - .headers().defaultsDisabled().cacheControl(); + .csrf(AbstractHttpConfigurer::disable) + .headers(headers -> headers.defaultsDisabled().cacheControl(withDefaults())); return http.build(); } + @Bean - SecurityFilterChain h2ConsoFilterChain(HttpSecurity http) throws Exception { + SecurityFilterChain h2ConsoleFilterChain(HttpSecurity http) throws Exception { http.securityMatcher("/h2-console/**") .authorizeHttpRequests(auth -> auth .anyRequest().permitAll()) .anonymous(anonymous -> anonymous.principal(JuickUser.ANONYMOUS_USER) .authorities(JuickUser.ANONYMOUS_AUTHORITY)) - .csrf().disable() + .csrf(AbstractHttpConfigurer::disable) .sessionManagement(sessionManagement -> sessionManagement .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .exceptionHandling(exceptionHandling -> exceptionHandling .authenticationEntryPoint(apiAuthenticationEntryPoint())) - .headers().defaultsDisabled().cacheControl(); + .headers(headers -> headers.defaultsDisabled().cacheControl(withDefaults())); return http.build(); } + @Bean AuthenticationSuccessHandler successHandler() { var handler = new SavedRequestAwareAuthenticationSuccessHandler(); handler.setUseReferer(true); return handler; } + @Bean @Order(Ordered.HIGHEST_PRECEDENCE + 2) SecurityFilterChain wwwChain(HttpSecurity http) throws Exception { 
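Review bot: `h2ConsoleFilterChain` is the only `SecurityFilterChain` bean in this hunk without an `@Order`, whereas `apiChain` and `wwwChain` (`Ordered.HIGHEST_PRECEDENCE + 2`, visible at the hunk's end) are ordered explicitly; an unordered bean sorts after all ordered ones, so whether a request to `/h2-console/**` ever reaches this chain depends on the matcher of `wwwChain`, whose body is outside the hunk. Independently of ordering, the migrated lines `.csrf(AbstractHttpConfigurer::disable)` and `.headers(headers -> headers.defaultsDisabled().cacheControl(withDefaults()))` keep CSRF protection and the default security headers off for a chain that `permitAll()`s the H2 console, which is acceptable only for local development; if the console is enabled at all (not shown here) the bean should be gated with `@Profile("dev")` above `@Bean`, or at least carry a comment like `// Development-only H2 console: unauthenticated, CSRF off, frame headers off so the console UI can render`. The rename from `h2ConsoFilterChain` is welcome; apiChain's body starts outside the hunk.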
@@ -263,9 +278,10 @@ public class SecurityConfig {
 .rememberMe(rememberMe -> rememberMe
 .rememberMeCookieDomain(webDomain).key(rememberMeKey)
 .rememberMeServices(hashCookieServices()))
-.headers().defaultsDisabled().cacheControl();
+.headers(headers -> headers.defaultsDisabled().cacheControl(withDefaults()));
 return http.build();
 }
+
 @Bean
 public SecurityFilterChain securityWebFilterChain(
 HttpSecurity http) throws Exception {
diff --git a/src/main/java/com/juick/service/EmailServiceImpl.java b/src/main/java/com/juick/service/EmailServiceImpl.java
index 85e56a05..383dbdaf 100644
--- a/src/main/java/com/juick/service/EmailServiceImpl.java
+++ b/src/main/java/com/juick/service/EmailServiceImpl.java
@@ -24,7 +24,6 @@ import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
 import org.springframework.stereotype.Repository;
 import org.springframework.transaction.annotation.Transactional;
 
-import java.sql.Types;
 import java.time.Instant;
 import java.time.ZoneOffset;
 import java.time.temporal.ChronoUnit;
diff --git a/src/main/java/com/juick/util/PrettyTimeFormatter.java b/src/main/java/com/juick/util/PrettyTimeFormatter.java
index 79240eb2..65813d93 100644
--- a/src/main/java/com/juick/util/PrettyTimeFormatter.java
+++ b/src/main/java/com/juick/util/PrettyTimeFormatter.java
@@ -20,7 +20,6 @@ package com.juick.util;
 import org.ocpsoft.prettytime.PrettyTime;
 
 import java.time.Instant;
-import java.util.Date;
 import java.util.LinkedHashMap;
 import java.util.Locale;
 import java.util.Map;
diff --git a/src/main/java/com/juick/www/api/ApiSocialLogin.java b/src/main/java/com/juick/www/api/ApiSocialLogin.java
index bf0d26bc..c8758d59 100644
--- a/src/main/java/com/juick/www/api/ApiSocialLogin.java
+++ b/src/main/java/com/juick/www/api/ApiSocialLogin.java
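Review bot: The migrated line `.headers(headers -> headers.defaultsDisabled().cacheControl(withDefaults()))` in wwwChain carries the old behaviour onto the browser-facing chain: `defaultsDisabled()` switches off Spring Security's default header writers (X-Content-Type-Options, X-Frame-Options and HSTS among them) and only Cache-Control is re-added, so the HTML pages served here get no clickjacking or MIME-sniffing protection from this layer. This is a faithful conversion of the removed `.headers().defaultsDisabled().cacheControl()`, not a regression, but the lambda form now makes a selective setting easy: `.headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()))` keeps the defaults and relaxes only framing, and if the defaults are deliberately off a comment above the line should say which upstream layer sets them instead. wwwChain starts outside the hunk and securityWebFilterChain continues beyond it.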
@@ -51,7 +51,6 @@ import org.springframework.web.util.UriComponentsBuilder;
 import jakarta.annotation.PostConstruct;
 import javax.inject.Inject;
 import java.io.IOException;
-import java.security.GeneralSecurityException;
 import java.util.Map;
 import java.util.Optional;
 import java.util.UUID;
@@ -72,7 +71,6 @@ public class ApiSocialLogin {
 private String FACEBOOK_SECRET;
 private static final String FACEBOOK_REDIRECT = "https://api.juick.com/_fblogin";
 private static final String VK_REDIRECT = "https://api.juick.com/_vklogin";
-private static final String TWITTER_VERIFY_URL = "https://api.twitter.com/1.1/account/verify_credentials.json";
 @Inject
 private ObjectMapper jsonMapper;
 private OAuth20Service facebookAuthService, vkAuthService, appleSignInService;
@@ -104,7 +102,6 @@ public class ApiSocialLogin {
 @PostConstruct
 public void init() {
 ServiceBuilder facebookBuilder = new ServiceBuilder(FACEBOOK_APPID);
-ServiceBuilder twitterBuilder = new ServiceBuilder(twitterConsumerKey);
 ServiceBuilder vkBuilder = new ServiceBuilder(VK_APPID);
 facebookAuthService = facebookBuilder
 .apiSecret(FACEBOOK_SECRET)
diff --git a/src/main/java/com/juick/www/api/activity/Profile.java b/src/main/java/com/juick/www/api/activity/Profile.java
index a8ff003f..0a6726ee 100644
--- a/src/main/java/com/juick/www/api/activity/Profile.java
+++ b/src/main/java/com/juick/www/api/activity/Profile.java
@@ -74,7 +74,6 @@ import java.io.InputStream;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
-import java.util.NoSuchElementException;
 import java.util.stream.Stream;
 
 @RestController
diff --git a/src/main/java/com/juick/www/controllers/Help.java b/src/main/java/com/juick/www/controllers/Help.java
index ec60d7df..ae722594 100644
--- a/src/main/java/com/juick/www/controllers/Help.java
+++ b/src/main/java/com/juick/www/controllers/Help.java
@@ -27,7 +27,6 @@ import org.commonmark.renderer.html.HtmlRenderer;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.PathVariable;
 
 import javax.inject.Inject;
diff --git a/src/main/java/com/juick/www/controllers/SignUp.java b/src/main/java/com/juick/www/controllers/SignUp.java
index 87182ebd..50ce6955 100644
--- a/src/main/java/com/juick/www/controllers/SignUp.java
+++ b/src/main/java/com/juick/www/controllers/SignUp.java
@@ -34,7 +34,6 @@ import org.springframework.security.web.authentication.rememberme.AbstractRememb
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 
diff --git a/src/main/java/com/juick/www/rss/MessagesView.java b/src/main/java/com/juick/www/rss/MessagesView.java
index d6edeb28..cb4eea2e 100644
--- a/src/main/java/com/juick/www/rss/MessagesView.java
+++ b/src/main/java/com/juick/www/rss/MessagesView.java
@@ -24,8 +24,6 @@ import java.util.Collections;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
-import java.util.stream.Collectors;
-
 import javax.inject.Inject;
 
 import com.juick.model.Attachment;
-- 
cgit v1.2.3