1 package net.sumaris.server.http.security;
25 import org.springframework.boot.web.servlet.FilterRegistrationBean;
26 import org.springframework.context.annotation.Bean;
27 import org.springframework.context.annotation.Configuration;
28 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
29 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
30 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
31 import org.springframework.security.config.annotation.web.builders.WebSecurity;
32 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
33 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
34 import org.springframework.security.web.AuthenticationEntryPoint;
35 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
36 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
37 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
38 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
39 import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
40 import org.springframework.security.web.util.matcher.OrRequestMatcher;
41 import org.springframework.security.web.util.matcher.RequestMatcher;
43 import java.util.Objects;
45 import static org.springframework.http.HttpStatus.FORBIDDEN;
46 import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
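/**
 * Spring Security configuration of the HTTP layer: stateless token authentication is required on
 * every URL that is not listed in {@link #PUBLIC_URLS}.
 *
 * <p>Design summary (all of it visible in {@link #configure(HttpSecurity)}):
 * <ul>
 *   <li>no HTTP session is created ({@code STATELESS}); every request must carry its token;</li>
 *   <li>{@link TokenAuthenticationFilter} runs before the anonymous filter and delegates to
 *       {@link TokenAuthenticationProvider};</li>
 *   <li>CSRF, form login, HTTP basic and logout are disabled — CSRF protection is only meaningful
 *       for cookie/session-based authentication, which this chain does not use;</li>
 *   <li>unauthenticated requests to a protected URL are answered with {@code 403 FORBIDDEN}.</li>
 * </ul>
 *
 * <p>NOTE(review): {@link WebSecurityConfigurerAdapter} is deprecated in Spring Security 5.7+ in
 * favour of a {@code SecurityFilterChain} bean; the migration is a larger change than this class
 * and is left as-is here — confirm which Spring Security version the project targets.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Paths served without any authentication.
     *
     * <p>These are not merely "permitAll": {@link #configure(WebSecurity)} makes the whole security
     * filter chain skip them. Consequences a reviewer should keep in mind: no token is ever read on
     * these paths, the {@code SecurityContext} stays empty (so method security annotations on a
     * controller mapped under {@code /api/**} would deny or see an anonymous caller), and Spring
     * Security's default response headers are not applied. NOTE(review): confirm that every
     * endpoint under {@code /api/**}, {@code /core/**} and {@code /jena/**} is intended to be
     * anonymous; anything that needs the caller's identity must be moved out of this list.
     */
    private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
            new AntPathRequestMatcher("/"),
            new AntPathRequestMatcher("/favicon.ico"),
            new AntPathRequestMatcher("/core/**"),
            new AntPathRequestMatcher("/api/**"),
            new AntPathRequestMatcher("/graphiql/**"),
            new AntPathRequestMatcher("/jena/**"),
            new AntPathRequestMatcher("/graphql/websocket/**"),
            new AntPathRequestMatcher("/error")
    );

    /** The complement of {@link #PUBLIC_URLS}: a valid token is mandatory here. */
    private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);

    /** Validates the token extracted by {@link TokenAuthenticationFilter}. */
    private final TokenAuthenticationProvider provider;

    /**
     * Creates the configuration.
     *
     * @param provider the authentication provider registered with the authentication manager
     * @throws NullPointerException if {@code provider} is {@code null}
     */
    public WebSecurityConfig(TokenAuthenticationProvider provider) {
        super();
        this.provider = Objects.requireNonNull(provider, "provider");
    }

    /**
     * Registers the token provider as the only {@code AuthenticationProvider} of this chain.
     *
     * @param auth the builder of the authentication manager
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(provider);
    }

    /**
     * Excludes {@link #PUBLIC_URLS} from the security filter chain entirely (see the field's
     * documentation for what that implies).
     *
     * @param web the web security builder
     */
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().requestMatchers(PUBLIC_URLS);
    }

    /**
     * Builds the stateless, token-only filter chain for {@link #PROTECTED_URLS}.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No HttpSession: the token on each request is the only credential.
            .sessionManagement()
                .sessionCreationPolicy(STATELESS)
                .and()
            .exceptionHandling()
                // Unauthenticated access to a protected URL is answered with 403 (no redirect,
                // no login page). NOTE(review): a 401 would be the conventional status for a
                // missing/invalid token; 403 is kept as the author's choice.
                .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
                .and()
            .authenticationProvider(provider)
            // Token extraction must happen before the anonymous filter, otherwise every
            // request would already carry an anonymous Authentication.
            .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
            .authorizeRequests()
                .requestMatchers(PROTECTED_URLS)
                .authenticated()
                .and()
            // CSRF tokens only protect cookie/session-authenticated requests; this chain is
            // stateless and header-token based, so the protection has nothing to guard.
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .logout().disable();
    }

    /**
     * The filter that extracts the token from requests matching {@link #PROTECTED_URLS} and hands
     * it to the authentication manager.
     *
     * @return the configured filter
     * @throws Exception if the authentication manager cannot be obtained from the adapter
     */
    @Bean
    TokenAuthenticationFilter restAuthenticationFilter() throws Exception {
        final TokenAuthenticationFilter filter = new TokenAuthenticationFilter(PROTECTED_URLS);
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationSuccessHandler(successHandler());
        return filter;
    }

    /**
     * Success handler for the token filter.
     *
     * <p>{@link SimpleUrlAuthenticationSuccessHandler} redirects after a successful authentication
     * by default; the redirect strategy is replaced so that the original request continues to its
     * target instead. NOTE(review): {@code NoRedirectStrategy} is a project class not shown here —
     * presumably a no-op strategy; verify.
     *
     * @return the handler installed on {@link #restAuthenticationFilter()}
     */
    @Bean
    SimpleUrlAuthenticationSuccessHandler successHandler() {
        final SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler();
        successHandler.setRedirectStrategy(new NoRedirectStrategy());
        return successHandler;
    }

    /**
     * Prevents Spring Boot from registering {@link TokenAuthenticationFilter} a second time, as a
     * plain servlet filter, just because it is a {@code Filter} bean. The filter must only run
     * inside the security chain built in {@link #configure(HttpSecurity)}; a second, unconditional
     * registration would also run it on the public URLs this configuration deliberately ignores.
     *
     * @param filter the token filter bean
     * @return a disabled registration for that filter
     */
    @Bean
    FilterRegistrationBean<TokenAuthenticationFilter> disableAutoRegistration(final TokenAuthenticationFilter filter) {
        final FilterRegistrationBean<TokenAuthenticationFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    /**
     * Entry point used for unauthenticated requests to {@link #PROTECTED_URLS}: a bare
     * {@code 403 FORBIDDEN} response with no body and no redirect.
     *
     * @return the entry point
     */
    @Bean
    AuthenticationEntryPoint forbiddenEntryPoint() {
        return new HttpStatusEntryPoint(FORBIDDEN);
    }
}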