package com.juick.www.configuration; import com.juick.server.security.entities.JuickUser; import com.juick.service.UserService; import com.juick.service.security.JuickUserDetailsService; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.PropertySource; import org.springframework.core.env.Environment; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import javax.annotation.Resource; /** * Created by aalexeev on 11/21/16. */ @EnableWebSecurity @PropertySource("classpath:juick.conf") public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Resource private Environment env; @Resource private UserService userService; @Bean("userDetailsService") @Override public UserDetailsService userDetailsServiceBean() throws Exception { return new JuickUserDetailsService(userService); } @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/settings", "/pm/**").authenticated() .anyRequest().permitAll() .and() .anonymous().principal(JuickUser.ANONYM_USER).authorities(JuickUser.ANONYM_AUTHORITY) .and() .sessionManagement().invalidSessionUrl("/") .and() .logout().invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/") .and() .formLogin() .loginPage("/login") .permitAll() .defaultSuccessUrl("/") .loginProcessingUrl("/do_login") .usernameParameter("j_username") .passwordParameter("j_password") .failureUrl("/login-error") .and() .rememberMe() .tokenValiditySeconds(6 * 30 * 24 * 3600) .alwaysRemember(true) //.useSecureCookie(true) // TODO Enable if https is supports .rememberMeCookieDomain(env.getProperty("web_domain", "juick.com")) .userDetailsService(userDetailsServiceBean()) .key(env.getProperty("auth_remember_me_key")) .and() .csrf().disable(); } }