Closes #2510 - Fix BootWebSecurityConfigurer for Demo Application in DevMode

rest/taskana-rest-spring-example-boot/src/main/java/pro/taskana/example/boot/security/BootWebSecurityConfigurer.java

@@ -61,23 +61,23 @@ public class BootWebSecurityConfigurer {
 
   @Bean
   public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-    HttpSecurity httpSecurity =
+    http.authorizeHttpRequests(
-        http.authorizeHttpRequests(
+            authorizeHttpRequests ->
-                authorizeHttpRequests ->
+                authorizeHttpRequests
-                    authorizeHttpRequests
+                    .requestMatchers("/css/**", "/img/**")
-                        .requestMatchers("/css/**", "/img/**")
+                    .permitAll()
-                        .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/docs/**")
-                        .requestMatchers(HttpMethod.GET, "/docs/**")
+                    .permitAll())
-                        .permitAll())
+        .cors(Customizer.withDefaults())
-            .addFilter(jaasApiIntegrationFilter())
+        .addFilter(jaasApiIntegrationFilter())
-            .addFilterAfter(new SpringSecurityToJaasFilter(), JaasApiIntegrationFilter.class);
+        .addFilterAfter(new SpringSecurityToJaasFilter(), JaasApiIntegrationFilter.class);
 
     if (enableCsrf) {
       CookieCsrfTokenRepository csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
       csrfTokenRepository.setCookiePath("/");
-      httpSecurity.csrf(csrf -> csrf.csrfTokenRepository(csrfTokenRepository));
+      http.csrf(csrf -> csrf.csrfTokenRepository(csrfTokenRepository));
     } else {
-      httpSecurity.csrf(AbstractHttpConfigurer::disable).httpBasic(Customizer.withDefaults());
+      http.csrf(AbstractHttpConfigurer::disable).httpBasic(Customizer.withDefaults());
     }
 
     if (devMode) {
@@ -85,7 +85,12 @@ public class BootWebSecurityConfigurer {
               headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
           .authorizeHttpRequests(
               authorizeHttpRequests ->
-                  authorizeHttpRequests.requestMatchers("/h2-console/**").permitAll());
+                  authorizeHttpRequests
+                      .requestMatchers("/h2-console/**")
+                      .permitAll()
+                      .anyRequest()
+                      .fullyAuthenticated())
+          .logout(logout -> logout.logoutSuccessUrl("http://localhost:4200/#").permitAll());
     } else {
       addLoginPageConfiguration(http);
     }
@@ -93,6 +98,27 @@ public class BootWebSecurityConfigurer {
     return http.build();
   }
 
+  protected void addLoginPageConfiguration(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests(
+            authorizeHttpRequests -> authorizeHttpRequests.anyRequest().fullyAuthenticated())
+        .formLogin(
+            formLogin ->
+                formLogin
+                    .loginPage("/login")
+                    .failureUrl("/login?error")
+                    .defaultSuccessUrl("/index.html")
+                    .permitAll())
+        .logout(
+            logout ->
+                logout
+                    .invalidateHttpSession(true)
+                    .clearAuthentication(true)
+                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
+                    .logoutSuccessUrl("/login?logout")
+                    .deleteCookies("JSESSIONID")
+                    .permitAll());
+  }
+
   @Bean
   public LdapAuthoritiesPopulator authoritiesPopulator(
       DefaultSpringSecurityContextSource contextSource) {
@@ -120,29 +146,6 @@ public class BootWebSecurityConfigurer {
     return grantedAuthoritiesMapper;
   }
 
-  protected void addLoginPageConfiguration(HttpSecurity http) throws Exception {
-    http.authorizeHttpRequests(
-            authorizeHttpRequests -> authorizeHttpRequests.anyRequest().fullyAuthenticated())
-        .formLogin(
-            formLogin ->
-                formLogin
-                    .loginPage("/login")
-                    .failureUrl("/login?error")
-                    .defaultSuccessUrl("/index.html")
-                    .permitAll()
-        )
-        .logout(
-            logout ->
-                logout
-                    .invalidateHttpSession(true)
-                    .clearAuthentication(true)
-                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
-                    .logoutSuccessUrl("/login?logout")
-                    .deleteCookies("JSESSIONID")
-                    .permitAll()
-        );
-  }
-
   protected JaasApiIntegrationFilter jaasApiIntegrationFilter() {
     JaasApiIntegrationFilter filter = new JaasApiIntegrationFilter();
     filter.setCreateEmptySubject(true);

rest/taskana-rest-spring-example-common/src/main/java/pro/taskana/example/rest/ExampleWebSecurityConfig.java

@@ -1,24 +1,16 @@
 package pro.taskana.example.rest;
 
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-import org.springframework.web.filter.CorsFilter;
-import org.springframework.web.servlet.config.annotation.CorsRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 public class ExampleWebSecurityConfig {
 
   @Bean
-  public WebMvcConfigurer corsConfigurer() {
+  public CorsConfigurationSource corsConfigurationSource() {
-    return new CorsWebMvcConfigurer();
-  }
-
-  @Bean
-  public FilterRegistrationBean<CorsFilter> corsFilter() {
     final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
     CorsConfiguration config = new CorsConfiguration();
     config.setAllowCredentials(true);
@@ -26,16 +18,6 @@ public class ExampleWebSecurityConfig {
     config.addAllowedHeader("*");
     config.addAllowedMethod("*");
     source.registerCorsConfiguration("/**", config);
-    FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>(new CorsFilter(source));
+    return source;
-    bean.setOrder(0);
-    return bean;
-  }
-
-  private static class CorsWebMvcConfigurer implements WebMvcConfigurer {
-
-    @Override
-    public void addCorsMappings(CorsRegistry registry) {
-      registry.addMapping("/**").allowedOrigins("*");
-    }
   }
 }

rest/taskana-rest-spring-example-wildfly/src/main/java/pro/taskana/example/wildfly/security/WildflyWebSecurityConfigurer.java

@@ -2,6 +2,7 @@ package pro.taskana.example.wildfly.security;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
@@ -18,7 +19,8 @@ public class WildflyWebSecurityConfigurer {
   public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     http.addFilter(jaasApiIntegrationFilter())
         .addFilterAfter(new ElytronToJaasFilter(), JaasApiIntegrationFilter.class)
-        .csrf(AbstractHttpConfigurer::disable);
+        .csrf(AbstractHttpConfigurer::disable)
+        .cors(Customizer.withDefaults());
     return http.build();
   }