Spring Security: Difference between revisions
Jump to navigation
Jump to search
Line 145: | Line 145: | ||
| valign="top" | | | valign="top" | | ||
* [https://stackoverflow.com/questions/22767205/ Spring Security » Exclude URL Patterns From Config] | |||
* [https://stackoverflow.com/questions/10822951/ Get a property value from an ApplicationContext] | * [https://stackoverflow.com/questions/10822951/ Get a property value from an ApplicationContext] | ||
* [https://keepgrowing.in/tools/how-to-add-x-xsrf-token-header-to-postman-requests/ Add X-XSRF-TOKEN header to Postman requests] | * [https://keepgrowing.in/tools/how-to-add-x-xsrf-token-header-to-postman-requests/ Add X-XSRF-TOKEN header to Postman requests] |
Revision as of 19:39, 7 February 2024
;oauth access token and refresh token
oauth_refresh_token:org.springframework.security.oauth2.provider.token.store.JdbcTokenStore
oauth_access_token:org.springframework.security.oauth2.provider.token.store.JdbcTokenStore
oauth_approvals:org.springframework.security.oauth2.provider.approval.JdbcApprovalStore
;
;oauth client authentication and authorization
oauth_client_details:org.springframework.security.oauth2.provider.client.JdbcClientDetailsService
oauth_client_token:org.springframework.security.oauth2.client.token.JdbcClientTokenServices
oauth_code:org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices
;domain object security
acl_object_identity:org.springframework.security.acls.jdbc.JdbcMutableAclService
acl_entry:org.springframework.security.acls.jdbc.JdbcMutableAclService
acl_class:org.springframework.security.acls.jdbc.JdbcMutableAclService
acl_sid:org.springframework.security.acls.jdbc.JdbcMutableAclService
;
;persistent login/remember me
persistent_logins:org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
@Configuration
@EnableWebSecurity
@Import({WebDatasourceConfig.class})
@EnableConfigurationProperties(SecurityProperties.class)
@ComponentScan(basePackages = "org.chorke.academia.auth.security")
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Autowired
private SecurityProperties securityProperties;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private RestAuthenticationSuccessHandler restAuthenticationSuccessHandler;
@Autowired
private RestAuthenticationFailureHandler restAuthenticationFailureHandler;
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(securityProperties.getPattern()).permitAll()
.and()
.formLogin()
.loginPage(securityProperties.getLoginPage())
.successHandler(restAuthenticationSuccessHandler)
.failureHandler(restAuthenticationFailureHandler)
.usernameParameter(securityProperties.getUsernameParameter())
.passwordParameter(securityProperties.getPasswordParameter())
.and()
.logout()
.invalidateHttpSession(securityProperties.isInvalidateHttpSession())
.clearAuthentication(securityProperties.isClearAuthentication())
.logoutRequestMatcher(new AntPathRequestMatcher(securityProperties.getLogoutRequestMatcher()))
.logoutSuccessUrl(securityProperties.getLogoutSuccessUrl())
.and()
.sessionManagement()
.invalidSessionUrl(securityProperties.getInvalidSessionUrl())
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.maximumSessions(securityProperties.getMaximumSessions())
.expiredUrl(securityProperties.getExpiredUrl()).and()
.and()
.rememberMe()
.rememberMeParameter(securityProperties.getRememberMeParameter())
.rememberMeCookieName(securityProperties.getRememberMeCookieName())
.tokenValiditySeconds(securityProperties.getTokenValiditySeconds())
.tokenRepository(persistentTokenRepository())
.and()
.csrf().disable();
}
@Autowired
public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PersistentTokenRepository persistentTokenRepository() {
final JdbcTokenRepositoryImpl impl = new JdbcTokenRepositoryImpl();
impl.setDataSource(dataSource);
return impl;
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(securityProperties.getStrengthPasswordEncoder());
}
@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}
}
Sign In
curl -i --data "j_username=admin&j_password=right" https://api.chorke.org/auth/j_spring_security_check
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=84D119A4D9C890AA8A240F45A7CF4CD1; Path=/auth; HttpOnly
Location: https://api.chorke.org/auth/
Content-Length: 0
Date: Sat, 30 Nov 2019 07:54:33 GMT
curl -i --data "j_username=admin&j_password=wrong" https://api.chorke.org/auth/j_spring_security_check
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=37D858285557F60465AE490F378FB8B3; Path=/auth; HttpOnly
Location: https://api.chorke.org/auth/account/signin?error=true
Content-Length: 0
Date: Sat, 30 Nov 2019 07:56:11 GMT