package io.lsn.spring.auth.configuration;
import io.lsn.spring.auth.configuration.properties.SecurityProperties;
import io.lsn.spring.auth.provider.AuthenticationProvider;
import io.lsn.spring.auth.transport.InAuthFilter;
import io.lsn.spring.auth.transport.cookie.InAuthCookieFilter;
import io.lsn.spring.auth.transport.header.InAuthHeaderFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.firewall.HttpFirewall;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
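/**
 * Spring Security wiring for the LSN auth module.
 *
 * <p>Installs the transport-specific {@link InAuthFilter} (cookie or header, chosen from
 * {@link SecurityProperties#getTransportMethod()}) ahead of Spring's basic-auth filter,
 * registers the module's {@link AuthenticationProvider}, and declares which request paths
 * may be reached without authentication. Sessions are stateless and CSRF protection is
 * disabled, i.e. every request is expected to carry its own credential.
 *
 * @author Patryk Szlagowski
 */
@Configuration
@EnableConfigurationProperties({SecurityProperties.class})
public class LsnSecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Paths for which token verification is switched off.
     *
     * <p>Published as an unmodifiable, typed list so that no other bean can widen the
     * exemption at runtime (the previous raw, non-final {@code Arrays.asList} view allowed
     * {@code set()} and reassignment). It is maintained by hand in sync with the
     * {@code permitAll()} rules in {@link #configure(HttpSecurity)}.
     */
    public static final List<String> DISABLED_TOKEN_VERIFICATION_PATHS =
            Collections.unmodifiableList(Arrays.asList(
                    "/api/user/init",
                    "/api/user/login"));

    @Autowired
    private AuthenticationProvider provider;

    @Autowired
    private SecurityProperties properties;

    /**
     * Firewall that accepts a URL-encoded slash ({@code %2F}) inside a request path.
     *
     * <p>{@link DefaultHttpFirewall} is more permissive than Spring Security's default
     * {@code StrictHttpFirewall}; once installed by {@link #configure(WebSecurity)}, the path
     * matchers in {@link #configure(HttpSecurity)} can no longer rely on the strict firewall
     * rejecting unusual encodings, so keep the permit-all list as narrow as possible.
     *
     * @return the firewall applied to every request handled by this filter chain
     */
    @Bean
    public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
        DefaultHttpFirewall firewall = new DefaultHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        return firewall;
    }

    /**
     * Replaces the default firewall with {@link #allowUrlEncodedSlashHttpFirewall()}.
     *
     * <p>Calling the {@code @Bean} method directly is intercepted by Spring's configuration
     * proxy (default {@code proxyBeanMethods}), so this reuses the registered bean rather
     * than creating a second firewall instance.
     *
     * @param web the web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
    }

    /**
     * Builds the HTTP filter chain for the API.
     *
     * <p>Rules are evaluated in declaration order, so the specific {@code permitAll()}
     * paths must stay above the catch-all {@code /api/**} rule. Requests that match none of
     * the matchers (anything outside {@code /} and {@code /api/**}) receive no authorization
     * rule from this chain at all — NOTE(review): confirm that is intended, or append
     * {@code .anyRequest().authenticated()} if the application serves other paths.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        InAuthFilter inAuthFilter = selectTransportFilter();
        http
                // Credentials travel in a token/cookie per request; no server session and
                // no CSRF token. NOTE(review): with COOKIE transport the browser attaches the
                // credential automatically, so confirm InAuthCookieFilter or the cookie's
                // SameSite attribute covers CSRF before relying on this.
                .csrf().disable()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // Run the transport filter before basic auth so the resolved principal is
                // available to the rest of the chain.
                .addFilterBefore(inAuthFilter, BasicAuthenticationFilter.class)
                .authenticationProvider(provider)
                .exceptionHandling()
                // Unauthenticated API calls get a bare 401 rather than a redirect to a login page.
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
                .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/api/user/init").permitAll()
                .antMatchers("/api/user/login").permitAll()
                .antMatchers("/api/user/logout").permitAll()
                .antMatchers("/api/user/password/reset").permitAll()
                // NOTE(review): password change is reachable without authentication here;
                // presumably the endpoint validates its own reset token — verify in the controller.
                .antMatchers("/api/user/password/change").permitAll()
                .antMatchers("/api/public/**").permitAll()
                // Must remain last: every other /api/** path requires a fully authenticated user.
                .antMatchers("/api/**").fullyAuthenticated();
    }

    /**
     * Chooses the request filter that extracts the credential, based on the configured
     * transport method.
     *
     * @return a cookie-based filter for {@code COOKIE}, otherwise a header-based filter
     * @throws NullPointerException with a descriptive message if no transport method is
     *     configured (previously a bare NPE from {@code equals} on a null receiver)
     */
    private InAuthFilter selectTransportFilter() {
        SecurityProperties.TransportMethod transport = Objects.requireNonNull(
                properties.getTransportMethod(), "security transportMethod must be configured");
        return transport.equals(SecurityProperties.TransportMethod.COOKIE)
                ? new InAuthCookieFilter()
                : new InAuthHeaderFilter();
    }
}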