package com.juick.api.configuration; import com.juick.server.security.JuickAuthenticationEntryPoint; import com.juick.server.security.JuickAuthenticationProvider; import com.juick.service.UserService; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.PropertySource; import org.springframework.core.env.Environment; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import javax.inject.Inject; /** * Created by aalexeev on 11/21/16. */ @Configuration @EnableWebSecurity(debug = true) @PropertySource("classpath:juick.conf") public class ApiSecurityConfig extends WebSecurityConfigurerAdapter { @Inject private Environment env; @Inject private UserService userService; ApiSecurityConfig() { super(true); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers(HttpMethod.OPTIONS).permitAll() .anyRequest().hasRole("USER") .and().httpBasic().authenticationEntryPoint(getJuickAuthenticationEntryPoint()) .and().anonymous() .and().servletApi() .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and().exceptionHandling().authenticationEntryPoint(getJuickAuthenticationEntryPoint()) .and().authenticationProvider(new JuickAuthenticationProvider(userService)) .headers().cacheControl(); } @Bean public JuickAuthenticationEntryPoint getJuickAuthenticationEntryPoint() { return new JuickAuthenticationEntryPoint(); } }