package com.juick.api.configuration; import com.juick.server.security.ForbiddenStatusAuthenticationEntryPoint; import com.juick.service.UserService; import com.juick.service.security.JuickUserDetailsService; import com.juick.service.security.deprecated.RequestParamHashRememberMeServices; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.PropertySource; import org.springframework.core.env.Environment; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import javax.inject.Inject; import java.util.Arrays; import java.util.Collections; import java.util.concurrent.TimeUnit; /** * Created by aalexeev on 11/21/16. */ @Configuration @EnableWebSecurity @PropertySource("classpath:juick.conf") public class ApiSecurityConfig extends WebSecurityConfigurerAdapter { @Inject private Environment env; @Inject private UserService userService; ApiSecurityConfig() { super(true); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers(HttpMethod.OPTIONS).permitAll() .antMatchers("/messages", "/users", "/thread", "/tags", "/tlgmbtwbhk").permitAll() .anyRequest().hasRole("USER") .and().httpBasic().authenticationEntryPoint(getJuickAuthenticationEntryPoint()) .and().anonymous() .and().cors().configurationSource(corsConfigurationSource()) .and().servletApi() .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and().exceptionHandling().authenticationEntryPoint(getJuickAuthenticationEntryPoint()) .and() .rememberMe() .alwaysRemember(true) .tokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(6 * 30)) .rememberMeServices(rememberMeServices()) .key(env.getProperty("auth_remember_me_key")) .and().authenticationProvider(authenticationProvider()) .headers().defaultsDisabled().cacheControl(); } @Bean public DaoAuthenticationProvider authenticationProvider() { DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider(); authenticationProvider.setUserDetailsService(userDetailsService()); return authenticationProvider; } @Bean public JuickUserDetailsService userDetailsService() { return new JuickUserDetailsService(userService); } @Bean public RememberMeServices rememberMeServices() throws Exception { return new RequestParamHashRememberMeServices(env.getProperty("auth_remember_me_key"), userService); } @Bean public ForbiddenStatusAuthenticationEntryPoint getJuickAuthenticationEntryPoint() { return new ForbiddenStatusAuthenticationEntryPoint(); } @Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); configuration.setAllowedOrigins(Collections.singletonList("*")); configuration.setAllowedMethods(Arrays.asList("POST", "GET", "PUT", "OPTIONS", "DELETE")); configuration.setAllowedHeaders(Collections.singletonList("*")); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", configuration); return source; } }