Spring Security: Difference between revisions

Latest revision as of 19:40, 7 February 2024

;oauth access token and refresh token
oauth_refresh_token:org.springframework.security.oauth2.provider.token.store.JdbcTokenStore
oauth_access_token:org.springframework.security.oauth2.provider.token.store.JdbcTokenStore
oauth_approvals:org.springframework.security.oauth2.provider.approval.JdbcApprovalStore
;
;oauth client authentication and authorization
oauth_client_details:org.springframework.security.oauth2.provider.client.JdbcClientDetailsService
oauth_client_token:org.springframework.security.oauth2.client.token.JdbcClientTokenServices
oauth_code:org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices

;domain object security
acl_object_identity:org.springframework.security.acls.jdbc.JdbcMutableAclService
acl_entry:org.springframework.security.acls.jdbc.JdbcMutableAclService
acl_class:org.springframework.security.acls.jdbc.JdbcMutableAclService
acl_sid:org.springframework.security.acls.jdbc.JdbcMutableAclService
;
;persistent login/remember me
persistent_logins:org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl

@Configuration
@EnableWebSecurity
@Import({WebDatasourceConfig.class})
@EnableConfigurationProperties(SecurityProperties.class)
@ComponentScan(basePackages = "org.chorke.academia.auth.security")
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;
    @Autowired
    private SecurityProperties securityProperties;
    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private RestAuthenticationSuccessHandler restAuthenticationSuccessHandler;
    @Autowired
    private RestAuthenticationFailureHandler restAuthenticationFailureHandler;


    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers(securityProperties.getPattern()).permitAll()
                .and()
                    .formLogin()
                        .loginPage(securityProperties.getLoginPage())
                        .successHandler(restAuthenticationSuccessHandler)
                        .failureHandler(restAuthenticationFailureHandler)
                        .usernameParameter(securityProperties.getUsernameParameter())
                        .passwordParameter(securityProperties.getPasswordParameter())
                .and()
                    .logout()
                        .invalidateHttpSession(securityProperties.isInvalidateHttpSession())
                        .clearAuthentication(securityProperties.isClearAuthentication())
                        .logoutRequestMatcher(new AntPathRequestMatcher(securityProperties.getLogoutRequestMatcher()))
                        .logoutSuccessUrl(securityProperties.getLogoutSuccessUrl())
                .and()
                    .sessionManagement()
                        .invalidSessionUrl(securityProperties.getInvalidSessionUrl())
                        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                        .maximumSessions(securityProperties.getMaximumSessions())
                        .expiredUrl(securityProperties.getExpiredUrl()).and()
                .and()
                    .rememberMe()
                        .rememberMeParameter(securityProperties.getRememberMeParameter())
                        .rememberMeCookieName(securityProperties.getRememberMeCookieName())
                        .tokenValiditySeconds(securityProperties.getTokenValiditySeconds())
                        .tokenRepository(persistentTokenRepository())
                .and()
                    .csrf().disable();
    }

    @Autowired
    public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        final JdbcTokenRepositoryImpl impl = new JdbcTokenRepositoryImpl();
        impl.setDataSource(dataSource);
        return impl;
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(securityProperties.getStrengthPasswordEncoder());
    }

    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}

Sign In

curl -i --data "j_username=admin&j_password=right" https://api.chorke.org/auth/j_spring_security_check
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=84D119A4D9C890AA8A240F45A7CF4CD1; Path=/auth; HttpOnly
Location: https://api.chorke.org/auth/
Content-Length: 0
Date: Sat, 30 Nov 2019 07:54:33 GMT

curl -i --data "j_username=admin&j_password=wrong" https://api.chorke.org/auth/j_spring_security_check
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=37D858285557F60465AE490F378FB8B3; Path=/auth; HttpOnly
Location: https://api.chorke.org/auth/account/signin?error=true
Content-Length: 0
Date: Sat, 30 Nov 2019 07:56:11 GMT

References

A Custom Security Expression with Spring Security Custom PermissionEvaluator in Spring Boot 2.0 When should I implement Spring Security ACL? Configure oAuth2 with password flow Swagger Accessing spring beans in static method Centralized Authorization with OAuth2 Build LDAP Docker Image from Ubuntu Intro to Spring Security Expressions Persistent Login (Remember-Me) Spring for Android Samples	Spring Security » Exclude URL Patterns From Config Get a property value from an ApplicationContext Add X-XSRF-TOKEN header to Postman requests

Spring Cloud OpenFeign Postman Script HTTP Security Keycloak LDAP

Spring Security: Difference between revisions

Latest revision as of 19:40, 7 February 2024

Sign In

References

Navigation menu

Search