Closes #2510 - Fix BootWebSecurityConfigurer for Demo Application in DevMode
This commit is contained in:
parent
1d59ca4ba2
commit
5e52b3dc9c
@ -61,23 +61,23 @@ public class BootWebSecurityConfigurer {
|
|||
|
||||
@Bean
|
||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
HttpSecurity httpSecurity =
|
||||
http.authorizeHttpRequests(
|
||||
authorizeHttpRequests ->
|
||||
authorizeHttpRequests
|
||||
.requestMatchers("/css/**", "/img/**")
|
||||
.permitAll()
|
||||
.requestMatchers(HttpMethod.GET, "/docs/**")
|
||||
.permitAll())
|
||||
.addFilter(jaasApiIntegrationFilter())
|
||||
.addFilterAfter(new SpringSecurityToJaasFilter(), JaasApiIntegrationFilter.class);
|
||||
http.authorizeHttpRequests(
|
||||
authorizeHttpRequests ->
|
||||
authorizeHttpRequests
|
||||
.requestMatchers("/css/**", "/img/**")
|
||||
.permitAll()
|
||||
.requestMatchers(HttpMethod.GET, "/docs/**")
|
||||
.permitAll())
|
||||
.cors(Customizer.withDefaults())
|
||||
.addFilter(jaasApiIntegrationFilter())
|
||||
.addFilterAfter(new SpringSecurityToJaasFilter(), JaasApiIntegrationFilter.class);
|
||||
|
||||
if (enableCsrf) {
|
||||
CookieCsrfTokenRepository csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
|
||||
csrfTokenRepository.setCookiePath("/");
|
||||
httpSecurity.csrf(csrf -> csrf.csrfTokenRepository(csrfTokenRepository));
|
||||
http.csrf(csrf -> csrf.csrfTokenRepository(csrfTokenRepository));
|
||||
} else {
|
||||
httpSecurity.csrf(AbstractHttpConfigurer::disable).httpBasic(Customizer.withDefaults());
|
||||
http.csrf(AbstractHttpConfigurer::disable).httpBasic(Customizer.withDefaults());
|
||||
}
|
||||
|
||||
if (devMode) {
|
||||
|
@ -85,7 +85,12 @@ public class BootWebSecurityConfigurer {
|
|||
headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
|
||||
.authorizeHttpRequests(
|
||||
authorizeHttpRequests ->
|
||||
authorizeHttpRequests.requestMatchers("/h2-console/**").permitAll());
|
||||
authorizeHttpRequests
|
||||
.requestMatchers("/h2-console/**")
|
||||
.permitAll()
|
||||
.anyRequest()
|
||||
.fullyAuthenticated())
|
||||
.logout(logout -> logout.logoutSuccessUrl("http://localhost:4200/#").permitAll());
|
||||
} else {
|
||||
addLoginPageConfiguration(http);
|
||||
}
|
||||
|
@ -93,6 +98,27 @@ public class BootWebSecurityConfigurer {
|
|||
return http.build();
|
||||
}
|
||||
|
||||
protected void addLoginPageConfiguration(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests(
|
||||
authorizeHttpRequests -> authorizeHttpRequests.anyRequest().fullyAuthenticated())
|
||||
.formLogin(
|
||||
formLogin ->
|
||||
formLogin
|
||||
.loginPage("/login")
|
||||
.failureUrl("/login?error")
|
||||
.defaultSuccessUrl("/index.html")
|
||||
.permitAll())
|
||||
.logout(
|
||||
logout ->
|
||||
logout
|
||||
.invalidateHttpSession(true)
|
||||
.clearAuthentication(true)
|
||||
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
|
||||
.logoutSuccessUrl("/login?logout")
|
||||
.deleteCookies("JSESSIONID")
|
||||
.permitAll());
|
||||
}
|
||||
|
||||
@Bean
|
||||
public LdapAuthoritiesPopulator authoritiesPopulator(
|
||||
DefaultSpringSecurityContextSource contextSource) {
|
||||
|
@ -120,29 +146,6 @@ public class BootWebSecurityConfigurer {
|
|||
return grantedAuthoritiesMapper;
|
||||
}
|
||||
|
||||
protected void addLoginPageConfiguration(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests(
|
||||
authorizeHttpRequests -> authorizeHttpRequests.anyRequest().fullyAuthenticated())
|
||||
.formLogin(
|
||||
formLogin ->
|
||||
formLogin
|
||||
.loginPage("/login")
|
||||
.failureUrl("/login?error")
|
||||
.defaultSuccessUrl("/index.html")
|
||||
.permitAll()
|
||||
)
|
||||
.logout(
|
||||
logout ->
|
||||
logout
|
||||
.invalidateHttpSession(true)
|
||||
.clearAuthentication(true)
|
||||
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
|
||||
.logoutSuccessUrl("/login?logout")
|
||||
.deleteCookies("JSESSIONID")
|
||||
.permitAll()
|
||||
);
|
||||
}
|
||||
|
||||
protected JaasApiIntegrationFilter jaasApiIntegrationFilter() {
|
||||
JaasApiIntegrationFilter filter = new JaasApiIntegrationFilter();
|
||||
filter.setCreateEmptySubject(true);
|
||||
|
|
|
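Review bot: `.cors(Customizer.withDefaults())` in `filterChain` (first hunk) is applied on every path, not only under `devMode`, so every deployment built on this shared configurer now serves whatever policy the application's `CorsConfigurationSource` bean defines (resolved by bean name, as far as I recall), and a permissive bean there becomes a credentialed cross-origin exposure in production rather than just in the demo. I would make that contract visible at the call site: `// CORS policy is delegated to the application's CorsConfigurationSource bean; non-dev deployments are expected to supply a restrictive origin list`. The `devMode` branch in the second hunk also hard-codes `logoutSuccessUrl("http://localhost:4200/#")`; reading it from a property with that value as the default would keep the dev-server port out of the library. The class header lies outside the first hunk, and the last hunk ends inside `jaasApiIntegrationFilter`.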
@ -1,24 +1,16 @@
|
|||
package pro.taskana.example.rest;
|
||||
|
||||
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.web.cors.CorsConfiguration;
|
||||
import org.springframework.web.cors.CorsConfigurationSource;
|
||||
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
|
||||
import org.springframework.web.filter.CorsFilter;
|
||||
import org.springframework.web.servlet.config.annotation.CorsRegistry;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
|
||||
@Configuration
|
||||
public class ExampleWebSecurityConfig {
|
||||
|
||||
@Bean
|
||||
public WebMvcConfigurer corsConfigurer() {
|
||||
return new CorsWebMvcConfigurer();
|
||||
}
|
||||
|
||||
@Bean
|
||||
public FilterRegistrationBean<CorsFilter> corsFilter() {
|
||||
public CorsConfigurationSource corsConfigurationSource() {
|
||||
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
|
||||
CorsConfiguration config = new CorsConfiguration();
|
||||
config.setAllowCredentials(true);
|
||||
|
@ -26,16 +18,6 @@ public class ExampleWebSecurityConfig {
|
|||
config.addAllowedHeader("*");
|
||||
config.addAllowedMethod("*");
|
||||
source.registerCorsConfiguration("/**", config);
|
||||
FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>(new CorsFilter(source));
|
||||
bean.setOrder(0);
|
||||
return bean;
|
||||
}
|
||||
|
||||
private static class CorsWebMvcConfigurer implements WebMvcConfigurer {
|
||||
|
||||
@Override
|
||||
public void addCorsMappings(CorsRegistry registry) {
|
||||
registry.addMapping("/**").allowedOrigins("*");
|
||||
}
|
||||
return source;
|
||||
}
|
||||
}
|
||||
|
|
|
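Review bot: `corsConfigurationSource` combines `setAllowCredentials(true)` with `addAllowedHeader("*")` and `addAllowedMethod("*")` registered on `/**`, so the allowed-origin line, which falls between the two hunks and is not visible here, is the only thing preventing cookies and Basic credentials from being usable cross-site. If that line is a wildcard, Spring's `CorsConfiguration` should reject the combination at request time (it refuses `*` origins together with credentials, as far as I recall), and if it is a fixed origin it belongs in a property rather than in source. A comment on the method would make the constraint explicit: `// Credentials are allowed, so allowed origins must be an explicit list, never "*"`. The bean name `corsConfigurationSource` appears to be what `.cors(Customizer.withDefaults())` in the Boot configurer resolves, so renaming the method would silently drop the policy; that is worth a one-line note as well.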
@ -2,6 +2,7 @@ package pro.taskana.example.wildfly.security;
|
|||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
|
@ -18,7 +19,8 @@ public class WildflyWebSecurityConfigurer {
|
|||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
http.addFilter(jaasApiIntegrationFilter())
|
||||
.addFilterAfter(new ElytronToJaasFilter(), JaasApiIntegrationFilter.class)
|
||||
.csrf(AbstractHttpConfigurer::disable);
|
||||
.csrf(AbstractHttpConfigurer::disable)
|
||||
.cors(Customizer.withDefaults());
|
||||
return http.build();
|
||||
}
|
||||
|
||||
|
|
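Review bot: `.cors(Customizer.withDefaults())` added to `filterChain` in the second hunk sits in a chain that also disables CSRF, so for the Wildfly module the `CorsConfigurationSource` that Spring Security resolves is the only control over which origins may send credentialed requests to the JAAS-authenticated API. Nothing in the hunk shows where that source is defined for this module; if no bean or MVC CORS mapping is present the chain may fail to build, and if a permissive one is present it applies to every request. A comment naming the source would help readers: `// CORS policy comes from the CorsConfigurationSource bean provided by the example application`, adjusted to the actual location. The first hunk is only an import addition.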