SecurityConfiguration.java example

Explorer

amos-ss15-proj4-master
- src
  - main
    - java
      - de
        fau
        amos4
        Application.java
        annotation
        TheClient.java
        configuration
        AppContext.java
        ApplicationContextProvider.java
        SecurityConfiguration.java
        WebConfiguration.java
        model
        Client.java
        ClientRole.java
        CurrentClient.java
        Employee.java
        Form.java
        FormField.java
        FormGroup.java
        Lodasize.java
        fields
        ContractOptions.java
        Denomination.java
        HealthInsurance.java
        LevelOfEducation.java
        MaritalStatus.java
        NursingCareInsurance.java
        OutputFormat.java
        Parenthood.java
        PensionInsurance.java
        PersonGroup.java
        ProfessionalTraining.java
        Sex.java
        Title.java
        TypeOfContract.java
        TypeOfEmployment.java
        TypeOfFixedTermContract.java
        UnemploymentInsurance.java
        YesNo.java
        service
        ClientRepository.java
        ClientService.java
        ClientServiceImpl.java
        CurrentClientUserService.java
        EmployeeRepository.java
        EmployeeService.java
        EmployeeServiceImpl.java
        TranslatorService.java
        TranslatorServiceImpl.java
        util
        CheckDataInput.java
        EmailSender.java
        FieldOrder.java
        FormGenerator.java
        GroupName.java
        Lodas.java
        StringUtils.java
        TokenGenerator.java
        ValidFormat.java
        ZipGenerator.java
        web
        ClientController.java
        CurrentClientControllerAdvice.java
        EmployeeFormController.java
        LoginFormController.java
        PrintDataController.java
        TestController.java
        form
        ResetPasswordForm.java
  - test
    - java
      - de
        fau
        amos4
        test
        BaseIntegrationTest.java
        BaseWebApplicationContextTests.java
        EditTest.java
        integration
        ClientEditTest.java
        ClientTest.java
        EmployeeTest.java
        helper
        security
        WithMockCustomUser.java
        WithMockCustomUserSecurityContextFactory.java
        unit
        CheckDataInputTest.java
        ClientControllerUnitTest.java
        EmailSenderTest.java
        EmployeeTest.java
        FormGeneratorTest.java
        LODASFormatTest.java

/**
 * Personalfragebogen 2.0. Revolutionize form data entry for taxation and
 * other purposes.
 * Copyright (C) 2015 Attila Bujaki, Werner Sembach, Jonas Gröger, Oswaldo
 *     Bejarano, Ardhi Sutadi, Nikitha Mohan, Benedikt Rauh
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
package de.fau.amos4.configuration;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
{
    @Autowired
    private UserDetailsService userDetailsService;
    
    /**
     * Authenticate using the the {@link UserDetailsService} and a hashed password.
     * 
     * @param auth
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }
    
    @Override
    public void configure(WebSecurity web) throws Exception
    {
        // /css/**, /js/** and /images/** is done by Spring Boot Security
        web.ignoring().antMatchers("/fonts/**");
    }
    
    /**
     * This is the generic security configuration. Further detailed configuration can be provided
     * using i.e. @PreAuthorize on request mappings.
     * 
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.authorizeRequests()
        
                // Allow access to the front page.
                .antMatchers("/").permitAll()
                // Allow access to the register page.
                .antMatchers("/client/register").permitAll()
                // Allow access to the submit registration page.
                .antMatchers("/client/submit").permitAll()
                // Allow access to the confirm page.
                .antMatchers("/client/confirm").permitAll()
                // Allow access to the forgot password page.
                .antMatchers("/client/forgotPassword").permitAll()
                //Allow access to FrontPage
                .antMatchers("/employee/token").permitAll()
                .antMatchers("/employee/token/submit").permitAll()
                .antMatchers("/employee/token/wrong").permitAll()
                .antMatchers("/employee/token/preview").permitAll()
                .antMatchers("/employee/confirm").permitAll()
                .antMatchers("/employee/edit/confirm").permitAll()
                .antMatchers("/employee/edit/submit").permitAll()
                .antMatchers("/employee/download/text").permitAll()
                .antMatchers("/employee/download/zip").permitAll()
                .antMatchers("/employee/edit").permitAll()
                .antMatchers("/employee/edit/submit").permitAll()
                .anyRequest().fullyAuthenticated()
                
                .and()
                
                // Login page at /login with email as username
                .formLogin().loginPage("/").loginProcessingUrl("/").defaultSuccessUrl("/client/dashboard")
                    .usernameParameter("email").failureUrl("/?m=invalid").permitAll()
                
                .and()
                
                // Logout page at /logout with redirect to home on logout and cookie removal
                .logout().logoutUrl("/client/logout").deleteCookies("remember-me").logoutSuccessUrl("/").permitAll()
                
                .and()
                
                // Enable the "remember me" functionality (using a cookie).
                .rememberMe();
    }
}