1   package net.sumaris.server.http.security;
2   
3   /*-
4    * #%L
5    * SUMARiS:: Server
6    * %%
7    * Copyright (C) 2018 - 2019 SUMARiS Consortium
8    * %%
9    * This program is free software: you can redistribute it and/or modify
10   * it under the terms of the GNU General Public License as
11   * published by the Free Software Foundation, either version 3 of the
12   * License, or (at your option) any later version.
13   * 
14   * This program is distributed in the hope that it will be useful,
15   * but WITHOUT ANY WARRANTY; without even the implied warranty of
16   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17   * GNU General Public License for more details.
18   * 
19   * You should have received a copy of the GNU General Public
20   * License along with this program.  If not, see
21   * <http://www.gnu.org/licenses/gpl-3.0.html>.
22   * #L%
23   */
24  
25  import org.springframework.boot.web.servlet.FilterRegistrationBean;
26  import org.springframework.context.annotation.Bean;
27  import org.springframework.context.annotation.Configuration;
28  import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
29  import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
30  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
31  import org.springframework.security.config.annotation.web.builders.WebSecurity;
32  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
33  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
34  import org.springframework.security.web.AuthenticationEntryPoint;
35  import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
36  import org.springframework.security.web.authentication.HttpStatusEntryPoint;
37  import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
38  import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
39  import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
40  import org.springframework.security.web.util.matcher.OrRequestMatcher;
41  import org.springframework.security.web.util.matcher.RequestMatcher;
42  
43  import java.util.Objects;
44  
45  import static org.springframework.http.HttpStatus.FORBIDDEN;
46  import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
47  
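/**
 * Spring Security configuration of the SUMARiS server: a stateless, token-based HTTP API.
 *
 * <p>Requests matching {@link #PUBLIC_URLS} are excluded from the security filter chain
 * altogether (see {@link #configure(WebSecurity)}). Every other request ({@link #PROTECTED_URLS})
 * has to be authenticated by {@link TokenAuthenticationFilter}, which delegates to the injected
 * {@link TokenAuthenticationProvider}. An unauthenticated request to a protected URL is answered
 * with {@code 403 FORBIDDEN} by {@link #forbiddenEntryPoint()}; no login form, HTTP Basic
 * challenge or logout endpoint is exposed.
 *
 * @author peck7 on 30/11/2018.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * URLs served without authentication. They are registered with {@code web.ignoring()}, so
     * <em>no</em> Spring Security filter runs for them: method-level security annotations are the
     * only protection left on the handlers behind these patterns. Keep the patterns as narrow as
     * the application allows.
     */
    private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
            new AntPathRequestMatcher("/"),
            new AntPathRequestMatcher("/favicon.ico"),
            new AntPathRequestMatcher("/core/**"),
            new AntPathRequestMatcher("/api/**"),
            new AntPathRequestMatcher("/graphiql/**"),
            new AntPathRequestMatcher("/jena/**"),
            new AntPathRequestMatcher("/graphql/websocket/**"),
            new AntPathRequestMatcher("/error")
    );

    /** Everything that is not public: these requests must carry a valid authentication token. */
    private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);

    /** Provider that validates the token extracted by {@link TokenAuthenticationFilter}. */
    private final TokenAuthenticationProvider provider;

    /**
     * @param provider the token authentication provider, must not be {@code null}
     * @throws NullPointerException if {@code provider} is {@code null}
     */
    public WebSecurityConfig(TokenAuthenticationProvider provider) {
        super();
        this.provider = Objects.requireNonNull(provider, "provider");
    }

    /**
     * Registers the token provider with the shared {@code AuthenticationManager}, which is what
     * {@link #restAuthenticationFilter()} obtains through {@code authenticationManager()}.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(provider);
    }

    /**
     * Removes {@link #PUBLIC_URLS} from the security filter chain entirely. Unlike
     * {@code permitAll()}, an ignored request never sees the token filter, the entry point or
     * any other security filter.
     */
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().requestMatchers(PUBLIC_URLS);
    }

    /**
     * Builds the filter chain applied to {@link #PROTECTED_URLS}.
     *
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // No HTTP session is created or used: each request is authenticated by its token.
                .sessionManagement()
                .sessionCreationPolicy(STATELESS)
                .and()
                .exceptionHandling()
                // this entry point handles when you request a protected page and you are not yet
                // authenticated
                .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
                .and()
                .authenticationProvider(provider)
                // The token filter runs before the anonymous filter so that a request carrying a
                // valid token is never downgraded to an anonymous authentication.
                .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
                .authorizeRequests()
                .requestMatchers(PROTECTED_URLS)
                .authenticated()
                .and()
                // Stateless token authentication: no session cookie is issued, so cookie-bound
                // CSRF protection, form login, HTTP Basic and logout are all switched off.
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().disable()
                .logout().disable();
    }

    /**
     * Token authentication filter, restricted to {@link #PROTECTED_URLS}.
     *
     * @return the filter, wired to the adapter's {@code AuthenticationManager} and to
     *         {@link #successHandler()}
     * @throws Exception if the {@code AuthenticationManager} cannot be built
     */
    @Bean
    TokenAuthenticationFilter restAuthenticationFilter() throws Exception {
        final TokenAuthenticationFilter filter = new TokenAuthenticationFilter(PROTECTED_URLS);
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationSuccessHandler(successHandler());
        return filter;
    }

    /**
     * Success handler that does not redirect after authentication, so the authenticated request
     * continues down the chain to the resource it asked for (API semantics rather than login-page
     * semantics).
     *
     * @return the success handler using {@link NoRedirectStrategy}
     */
    @Bean
    SimpleUrlAuthenticationSuccessHandler successHandler() {
        final SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler();
        successHandler.setRedirectStrategy(new NoRedirectStrategy());
        return successHandler;
    }

    /**
     * Disables Spring Boot's automatic servlet registration of the token filter bean, so the
     * filter is only invoked from inside the security filter chain (and therefore only for
     * {@link #PROTECTED_URLS}) instead of additionally running on every request as a plain
     * servlet filter.
     *
     * @param filter the token authentication filter bean
     * @return a disabled registration for {@code filter}
     */
    @Bean
    FilterRegistrationBean<TokenAuthenticationFilter> disableAutoRegistration(final TokenAuthenticationFilter filter) {
        final FilterRegistrationBean<TokenAuthenticationFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    /**
     * Entry point used when a protected URL is requested without (valid) authentication.
     *
     * @return an entry point answering {@code 403 FORBIDDEN} with no authentication challenge
     */
    @Bean
    AuthenticationEntryPoint forbiddenEntryPoint() {
        return new HttpStatusEntryPoint(FORBIDDEN);
    }
}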
137 }