Commit 2bdb796e authored by Sascha Herzinger's avatar Sascha Herzinger

security-context.xml -> SpringSecurity.java

parent 21bc5988
package lcsb.mapviewer.services;
import lcsb.mapviewer.persist.SpringPersistConfig;
import lcsb.mapviewer.services.impl.Md5PasswordEncoder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
@Configuration
@Import({SpringPersistConfig.class})
@ComponentScan(basePackages = {"lcsb.mapviewer.services"})
public class SpringServiceConfig {
......@@ -14,4 +19,9 @@ public class SpringServiceConfig {
return new Md5PasswordEncoder();
}
@Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
}
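Review bot: The `@Bean sessionRegistry()` added at the end of `SpringServiceConfig` declares a bean with the same name and type as `SpringSecurityConfig.sessionRegistry()` in the new file, and `SpringWebConfig` imports both configurations, so one definition silently overrides the other or the context refuses to start, depending on the bean-definition-overriding setting in force. Concurrent-session control only works if `ConcurrentSessionFilter`, `ConcurrentSessionControlAuthenticationStrategy` and `RegisterSessionAuthenticationStrategy` all see the same registry instance, so the registry should be declared exactly once; I would keep this one, remove the duplicate from `SpringSecurityConfig`, and record the reason here with `// Single shared SessionRegistry; SpringSecurityConfig injects this instance for concurrent-session control.`. The method whose `return new Md5PasswordEncoder();` opens the second hunk starts outside it.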
package lcsb.mapviewer.web.config;
import lcsb.mapviewer.api.users.CustomAuthenticationProvider;
import lcsb.mapviewer.services.impl.UserService;
import lcsb.mapviewer.web.security.MvAuthenticationFailureHandler;
import lcsb.mapviewer.web.security.MvAuthenticationSuccessHandler;
import lcsb.mapviewer.web.security.MvUsernamePasswordAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.session.*;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.SessionManagementFilter;
import java.util.Arrays;
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
private SessionRegistry sessionRegistry;
private UserService userService;
private AuthenticationProvider authenticationProvider;
private AuthenticationSuccessHandler authenticationSuccessHandler;
private AuthenticationFailureHandler authenticationFailureHandler;
private SessionAuthenticationStrategy sessionAuthenticationStrategy;
private SessionManagementFilter sessionManagementFilter;
private ConcurrentSessionFilter concurrentSessionFilter;
private UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter;
private LoginUrlAuthenticationEntryPoint loginUrlAuthenticationEntryPoint;
@Autowired
public SpringSecurityConfig(SessionRegistry sessionRegistry,
UserService userService,
AuthenticationProvider authenticationProvider,
AuthenticationSuccessHandler authenticationSuccessHandler,
AuthenticationFailureHandler authenticationFailureHandler,
SessionAuthenticationStrategy sessionAuthenticationStrategy,
SessionManagementFilter sessionManagementFilter,
ConcurrentSessionFilter concurrentSessionFilter,
UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter,
LoginUrlAuthenticationEntryPoint loginUrlAuthenticationEntryPoint) {
this.sessionRegistry = sessionRegistry;
this.userService = userService;
this.authenticationProvider = authenticationProvider;
this.authenticationSuccessHandler = authenticationSuccessHandler;
this.authenticationFailureHandler = authenticationFailureHandler;
this.sessionAuthenticationStrategy = sessionAuthenticationStrategy;
this.sessionManagementFilter = sessionManagementFilter;
this.concurrentSessionFilter = concurrentSessionFilter;
this.usernamePasswordAuthenticationFilter = usernamePasswordAuthenticationFilter;
this.loginUrlAuthenticationEntryPoint = loginUrlAuthenticationEntryPoint;
}
@Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
@Bean
public SessionAuthenticationStrategy sessionAuthenticationStrategy(SessionRegistry sessionRegistry) {
ConcurrentSessionControlAuthenticationStrategy strategy1 =
new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry());
strategy1.setMaximumSessions(-1);
strategy1.setExceptionIfMaximumExceeded(true);
SessionFixationProtectionStrategy strategy2 = new SessionFixationProtectionStrategy();
RegisterSessionAuthenticationStrategy strategy3 = new RegisterSessionAuthenticationStrategy(sessionRegistry);
return new CompositeSessionAuthenticationStrategy(Arrays.asList(
strategy1,
strategy2,
strategy3
));
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/resources/css/**")
.antMatchers("/resources/js/**")
.antMatchers("/resources/js_tests/**")
.antMatchers("/resources/images/**")
.antMatchers("/resources/other/**")
.antMatchers("/javax.faces.resource/**");
}
@Bean
public HttpSessionSecurityContextRepository httpSessionSecurityContextRepository() {
return new HttpSessionSecurityContextRepository();
}
@Bean
public CustomAuthenticationProvider authenticationProvider() {
CustomAuthenticationProvider provider = new CustomAuthenticationProvider();
provider.setUserService(userService);
return provider;
}
@Bean
public MvAuthenticationSuccessHandler authenticationSuccessHandler() {
MvAuthenticationSuccessHandler handler = new MvAuthenticationSuccessHandler();
handler.setDefaultTargetUrl("/login.xhtml");
return handler;
}
@Bean
public MvAuthenticationFailureHandler authenticationFailureHandler() {
return new MvAuthenticationFailureHandler("/login.xhtml");
}
@Bean
public SessionManagementFilter sessionManagementFilter(
HttpSessionSecurityContextRepository httpSessionSecurityContextRepository,
AuthenticationFailureHandler authenticationFailureHandler) {
SessionManagementFilter filter = new SessionManagementFilter(httpSessionSecurityContextRepository);
filter.setAuthenticationFailureHandler(authenticationFailureHandler);
return filter;
}
@Bean
public ConcurrentSessionFilter concurrentSessionFilter() {
return new ConcurrentSessionFilter(sessionRegistry, "/index.xhtml");
}
@Bean
public MvUsernamePasswordAuthenticationFilter mvUsernamePasswordAuthenticationFilter() {
MvUsernamePasswordAuthenticationFilter filter = new MvUsernamePasswordAuthenticationFilter();
filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
filter.setAuthenticationSuccessHandler(authenticationSuccessHandler);
filter.setAuthenticationFailureHandler(authenticationFailureHandler);
return filter;
}
@Bean
public LoginUrlAuthenticationEntryPoint loginUrlAuthenticationEntryPoint() {
return new LoginUrlAuthenticationEntryPoint("/login.xhtml");
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.authenticationEntryPoint(loginUrlAuthenticationEntryPoint)
.and()
.authenticationProvider(authenticationProvider)
.addFilterBefore(sessionManagementFilter, SessionManagementFilter.class)
.addFilterAt(concurrentSessionFilter, ConcurrentSessionFilter.class)
.addFilterAt(usernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
.sessionManagement()
.sessionAuthenticationStrategy(sessionAuthenticationStrategy)
.and()
.authorizeRequests()
.antMatchers("/login**").permitAll()
.antMatchers("/index**").permitAll()
.antMatchers("/export**").permitAll()
.antMatchers("/galaxy**").permitAll()
.antMatchers("/map**").permitAll()
.antMatchers("/map/**").permitAll()
.antMatchers("/api**").permitAll()
.antMatchers("/api/**").permitAll()
.antMatchers("/fonts/**").permitAll()
.antMatchers("/plugins/**").permitAll()
.antMatchers("/**").authenticated()
.and()
.headers()
.frameOptions().disable()
.and()
.csrf().disable()
.logout()
.logoutUrl("/j_spring_security_logout")
.logoutSuccessUrl("/login.xhtml")
.invalidateHttpSession(true);
}
}
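Review bot: `mvUsernamePasswordAuthenticationFilter()` never calls `setAuthenticationManager`, whereas the deleted XML bean for the same filter set `authenticationManager`; `AbstractAuthenticationProcessingFilter.afterPropertiesSet` asserts that property, so the context should fail at startup. Expose the adapter's manager via `authenticationManagerBean()` (import `org.springframework.security.authentication.AuthenticationManager`) and hand it to the filter as below, registering the provider in `configure(AuthenticationManagerBuilder)` if the adapter does not pick up the `AuthenticationProvider` bean on its own. Separately, the constructor at the top of the class injects the provider, the session strategy, both filters and the entry point, all of which are produced by `@Bean` methods of this same class; that looks like an unresolvable circular reference, though I cannot confirm it from the diff alone, and calling those `@Bean` methods directly from `configure(HttpSecurity)` would avoid it. `httpBasic()` has no counterpart in the removed `<security:http>` element, so the rewrite additionally accepts credentials from an `Authorization` header on every request; if that is unintended, drop it and set the entry point with `exceptionHandling().authenticationEntryPoint(loginUrlAuthenticationEntryPoint)`, which is the equivalent of the XML's `entry-point-ref`. The XML's comment that X-Frame-Options is disabled because filtering is done in `lcsb.mapviewer.bean.utils.XFrameAccessControlFilter` was dropped in the translation; carry it over as a comment on `frameOptions().disable()`.
```java
@Override
protected void configure(AuthenticationManagerBuilder auth) {
  auth.authenticationProvider(authenticationProvider);
}

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
  return super.authenticationManagerBean();
}

@Bean
public MvUsernamePasswordAuthenticationFilter mvUsernamePasswordAuthenticationFilter() throws Exception {
  MvUsernamePasswordAuthenticationFilter filter = new MvUsernamePasswordAuthenticationFilter();
  // The XML bean wired authenticationManager explicitly; the filter asserts it on init.
  filter.setAuthenticationManager(authenticationManagerBean());
  // … unchanged: session strategy and success/failure handler setters …
  return filter;
}
```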
......@@ -8,7 +8,7 @@ import org.springframework.web.servlet.config.annotation.*;
@Configuration
@EnableWebMvc
@Import({SpringServiceConfig.class})
@Import({SpringServiceConfig.class, SpringSecurityConfig.class})
@ComponentScan(basePackages = {"lcsb.mapviewer.web"})
public class SpringWebConfig extends WebMvcConfigurerAdapter {
......
......@@ -144,7 +144,7 @@ public class WebAppInitializer implements WebApplicationInitializer {
DelegatingFilterProxy delegatingFilterProxy = new DelegatingFilterProxy();
FilterRegistration.Dynamic delegatingFilterProxyReg = container.addFilter("springSecurityFilterChain", delegatingFilterProxy);
delegatingFilterProxyReg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.FORWARD, DispatcherType.REQUEST), true, "/*");
delegatingFilterProxyReg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.FORWARD, DispatcherType.REQUEST), false, "/*");
/*
===============
......
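Review bot: The `addMappingForUrlPatterns` call now passes `false` for `isMatchAfter`, which moves `springSecurityFilterChain` ahead of any filters declared in the deployment descriptor instead of after them; nothing in the hunk records why, and that ordering decides whether those filters see an authenticated request or an unauthenticated one. A comment on the line would help, e.g. `// isMatchAfter=false: the security chain must run before descriptor-declared filters`. The enclosing method starts outside the hunk, so I cannot tell whether a filter registered earlier in it relied on the old order.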
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<security:http pattern="/resources/css/**" security="none" />
<security:http pattern="/resources/js/**" security="none" />
<security:http pattern="/resources/js_tests/**" security="none" />
<security:http pattern="/resources/images/**" security="none" />
<security:http pattern="/resources/other/**" security="none" />
<security:http pattern="/javax.faces.resource/**" security="none"/>
<security:http auto-config="false" use-expressions='true' entry-point-ref="loginUrlAuthenticationEntryPoint">
<security:custom-filter before="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter" />
<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<security:custom-filter position="FORM_LOGIN_FILTER" ref="mapViewerUsernamePasswordAuthenticationFilter"/>
<security:session-management session-authentication-strategy-ref="sas"/>
<security:intercept-url pattern="/login**" access="permitAll"/>
<security:intercept-url pattern="/index**" access="permitAll"/>
<security:intercept-url pattern="/export**" access="permitAll"/>
<security:intercept-url pattern="/galaxy**" access="permitAll"/>
<security:intercept-url pattern="/map**" access="permitAll"/>
<security:intercept-url pattern="/map/**" access="permitAll"/>
<security:intercept-url pattern="/api**" access="permitAll"/>
<security:intercept-url pattern="/api/**" access="permitAll"/>
<security:intercept-url pattern="/fonts/**" access="permitAll"/>
<security:intercept-url pattern="/plugins/**" access="permitAll"/>
<security:intercept-url pattern="/**" access="isAuthenticated()"/>
<security:logout logout-url="/j_spring_security_logout" logout-success-url="/login.xhtml" invalidate-session="true"/>
<security:headers>
<!-- we aply custom filtering of x-frames, more info in the class: lcsb.mapviewer.bean.utils.XFrameAccessControlFilter -->
<security:frame-options disabled="true"/>
</security:headers>
<security:csrf disabled="true"/>
</security:http>
<bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
<!-- <property name="invalidSessionStrategy" ref="mapViewerInvalidSessionStrategy"/> -->
<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
</bean>
<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<constructor-arg name="expiredUrl" value="/index.xhtml" />
</bean>
<bean id="mapViewerUsernamePasswordAuthenticationFilter" class="lcsb.mapviewer.web.security.MvUsernamePasswordAuthenticationFilter">
<property name="sessionAuthenticationStrategy" ref="sas" />
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
</bean>
<bean id="authenticationSuccessHandler" class="lcsb.mapviewer.web.security.MvAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/login.xhtml"/>
</bean>
<bean id="authenticationFailureHandler" class="lcsb.mapviewer.web.security.MvAuthenticationFailureHandler">
<constructor-arg value="/login.xhtml"></constructor-arg>
</bean>
<bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
<constructor-arg>
<list>
<bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
<constructor-arg ref="sessionRegistry"/>
<property name="maximumSessions" value="-1" />
<property name="exceptionIfMaximumExceeded" value="true" />
</bean>
<bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
</bean>
<bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
<constructor-arg ref="sessionRegistry"/>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
<bean id="authenticationProvider" class="lcsb.mapviewer.api.users.CustomAuthenticationProvider">
<property name="userService" ref="UserService" />
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="authenticationProvider" />
</security:authentication-manager>
<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<!-- <property name="loginFormUrl" value="/login.xhtml"/> -->
<constructor-arg value="/login.xhtml"/>
</bean>
</beans>