/** * */ package de.bstly.board.security; import javax.sql.DataSource; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.http.HttpStatus; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.argon2.Argon2PasswordEncoder; import org.springframework.security.web.authentication.HttpStatusEntryPoint; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler; import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl; import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices; import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import de.bstly.board.businesslogic.UserManager; /** * * @author monitoring@bstly.de * */ @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserManager localUserManager; @Autowired private OAuth2AuthenticationSuccessHandler oAuth2AuthenticationSuccessHandler; @Autowired private DataSource dataSource; @Value("${loginUrl:/login}") private String loginUrl; @Value("${loginTargetUrl:/}") private String loginTargetUrl; /* * * @see org.springframework.security.config.annotation.web.configuration. * WebSecurityConfigurerAdapter#configure(org.springframework.security.config. * annotation.web.builders.HttpSecurity) */ @Override protected void configure(HttpSecurity http) throws Exception { oAuth2AuthenticationSuccessHandler.setDefaultTargetUrl(loginTargetUrl); oAuth2AuthenticationSuccessHandler.setRememberMeServices(rememberMeServices()); http // crsf .csrf().disable() // anonymous .anonymous().disable() // login .formLogin().loginPage("/login").defaultSuccessUrl(loginTargetUrl) .failureHandler(new SimpleUrlAuthenticationFailureHandler(loginUrl + "?error")) .and() // remember me .rememberMe().rememberMeServices(rememberMeServices()).and() // logout .logout().logoutUrl("/logout") .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK)) .and() // exception .exceptionHandling() .defaultAuthenticationEntryPointFor( new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), new AntPathRequestMatcher("/api/**")) .and() // oidc .oauth2Login().successHandler(oAuth2AuthenticationSuccessHandler) .failureHandler(new SimpleUrlAuthenticationFailureHandler(loginUrl + "?externalError")) .loginPage("/login"); } /** * * @return */ @Bean(name = "passwordEncoder") public Argon2PasswordEncoder passwordEncoder() { return new Argon2PasswordEncoder(); } @Bean public PersistentTokenRepository persistentTokenRepository() { JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl(); tokenRepository.setDataSource(dataSource); return tokenRepository; } @Bean public RememberMeServices rememberMeServices() { PersistentTokenBasedRememberMeServices rememberMeServices = new LocalRememberMeServices( "remember-me", localUserManager, persistentTokenRepository()); return rememberMeServices; } }