package com.juick.www.configuration; import com.juick.server.security.HashParamAuthenticationFilter; import com.juick.server.security.entities.JuickUser; import com.juick.service.UserService; import com.juick.service.security.JuickUserDetailsService; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import javax.annotation.Resource; /** * Created by aalexeev on 11/21/16. 
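*
* <p>Spring Security configuration for the web front end. It backs a
* {@link DaoAuthenticationProvider} with {@link JuickUserDetailsService}, registers a
* {@link HashParamAuthenticationFilter} after HTTP Basic, and configures form login,
* logout and a hash-based remember-me cookie.
*
* <p>Security notes (review):
* <ul>
* <li>{@code csrf().disable()} turns CSRF protection off site-wide, so login, logout and
*     every state-changing request depend on the application's own defences; with CSRF off
*     Spring Security also accepts the logout URL over GET.</li>
* <li>{@code headers().defaultsDisabled().cacheControl()} sends only the Cache-Control
*     headers; X-Frame-Options, X-Content-Type-Options and HSTS are not set here and have
*     to come from elsewhere (e.g. a reverse proxy) if wanted.</li>
* <li>Remember-me uses the {@link TokenBasedRememberMeServices} hash scheme, which has no
*     server-side token store: an issued cookie stays valid for
*     {@value #REMEMBER_ME_VALIDITY_SECONDS} seconds unless the user's password or the
*     {@code auth_remember_me_key} property changes.</li>
* <li>The remember-me cookie is not marked {@code Secure}; see {@link #rememberMeServices()}.</li>
* </ul>
*/
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Name of the remember-me cookie issued by {@link #rememberMeServices()} and cleared on logout. */
    private static final String REMEMBER_ME_COOKIE = "juick-remember-me";

    /** Remember-me token lifetime in seconds: roughly six months (6 * 30 days). */
    private static final int REMEMBER_ME_VALIDITY_SECONDS = 6 * 30 * 24 * 3600;

    /** Secret that signs remember-me tokens; rotating it invalidates every outstanding cookie. */
    @Value("${auth_remember_me_key}")
    private String rememberMeKey;

    /** Domain attribute of the remember-me cookie; defaults to {@code juick.com}. */
    @Value("${web_domain:juick.com}")
    private String webDomain;

    @Resource
    private UserService userService;

    /**
     * Exposes the {@link UserDetailsService} from {@link #userDetailsService()} as the
     * {@code userDetailsService} bean so other modules can inject it.
     *
     * @throws Exception propagated from {@link WebSecurityConfigurerAdapter#userDetailsServiceBean()}
     */
    @Bean("userDetailsService")
    @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
    }

    /** Resolves users through {@link JuickUserDetailsService} backed by {@link #userService}. */
    @Override
    public UserDetailsService userDetailsService() {
        return new JuickUserDetailsService(userService);
    }

    /**
     * Exposes the adapter's {@link AuthenticationManager} as the {@code authenticationManager} bean.
     *
     * @throws Exception propagated from {@link WebSecurityConfigurerAdapter#authenticationManagerBean()}
     */
    @Bean("authenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * HTTP security rules for the web front end.
     *
     * <p>Only {@code /settings} and {@code /pm/**} require an authenticated user; everything
     * else is open, with unauthenticated requests running as {@link JuickUser#ANONYMOUS_USER}.
     * Form login lives at {@code /login}, logout at {@code /logout}, and a remember-me cookie
     * is issued through {@link #rememberMeServices()}. CSRF protection and the default
     * security headers (other than Cache-Control) are disabled, see the class comment.
     *
     * @param http the builder to configure
     * @throws Exception propagated from the {@link HttpSecurity} builder and the bean factory methods
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Hash-based authentication (the "hash" cookie cleared on logout below) runs after HTTP Basic.
        http.addFilterAfter(hashParamAuthenticationFilter(), BasicAuthenticationFilter.class);
        http
                .authorizeRequests()
                    .antMatchers("/settings", "/pm/**").authenticated()
                    .anyRequest().permitAll()
                    .and()
                .anonymous()
                    .principal(JuickUser.ANONYMOUS_USER)
                    .authorities(JuickUser.ANONYMOUS_AUTHORITY)
                    .and()
                .sessionManagement()
                    .invalidSessionUrl("/")
                    .and()
                .logout()
                    .invalidateHttpSession(true)
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/login?logout")
                    // Clear the remember-me cookie this configuration actually issues; the
                    // former "remember-me" name was the framework default, not ours.
                    .deleteCookies("hash", REMEMBER_ME_COOKIE)
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .defaultSuccessUrl("/")
                    .loginProcessingUrl("/login")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .failureUrl("/login?error=1")
                    .and()
                .rememberMe()
                    .rememberMeCookieDomain(webDomain)
                    .key(rememberMeKey)
                    .rememberMeServices(rememberMeServices())
                    .and()
                // Site-wide: no CSRF tokens are checked on any POST.
                .csrf().disable()
                .authenticationProvider(authenticationProvider())
                // Drops every default security header except Cache-Control.
                .headers().defaultsDisabled().cacheControl();
    }

    /**
     * Username/password provider over {@link #userDetailsService()}.
     *
     * <p>NOTE(review): no {@code PasswordEncoder} is set, so the provider's default for this
     * Spring Security version applies — confirm it matches how passwords are stored.
     *
     * @throws Exception declared for symmetry with the other bean factory methods; nothing here throws
     */
    @Bean
    public DaoAuthenticationProvider authenticationProvider() throws Exception {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService());
        return provider;
    }

    /**
     * Filter that authenticates requests by hash, reusing {@link #rememberMeServices()} so a
     * successful hash login also gets the remember-me cookie.
     *
     * @throws Exception propagated from {@link #rememberMeServices()}
     */
    @Bean
    public HashParamAuthenticationFilter hashParamAuthenticationFilter() throws Exception {
        return new HashParamAuthenticationFilter(userService, rememberMeServices());
    }

    /**
     * Hash-based remember-me services (no persistent token store).
     *
     * <p>Every successful login gets the cookie ({@code alwaysRemember}), valid for
     * {@value #REMEMBER_ME_VALIDITY_SECONDS} seconds, scoped to {@link #webDomain}. Because the
     * token is verified only against the signing key and the user's stored credentials, a
     * leaked cookie cannot be revoked server-side short of a password change or key rotation.
     *
     * @throws Exception declared for symmetry with the other bean factory methods; nothing here throws
     */
    @Bean
    public RememberMeServices rememberMeServices() throws Exception {
        TokenBasedRememberMeServices services =
                new TokenBasedRememberMeServices(rememberMeKey, userDetailsService());
        services.setCookieName(REMEMBER_ME_COOKIE);
        services.setCookieDomain(webDomain);
        // The user cannot opt out: every login issues the long-lived cookie.
        services.setAlwaysRemember(true);
        services.setTokenValiditySeconds(REMEMBER_ME_VALIDITY_SECONDS);
        // Not marked Secure, so the token is also sent over plain HTTP.
        // TODO(review): set to true (or drive it from a property) once the site is served over HTTPS only.
        services.setUseSecureCookie(false);
        return services;
    }

    /**
     * Static assets bypass the security filter chain entirely; debug logging stays off.
     *
     * @param web the builder to configure
     * @throws Exception propagated from the {@link WebSecurity} builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.debug(false);
        web.ignoring().antMatchers("/style.css*", "/scripts.js*");
    }
}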