Java tutorial
package com.miserablemind.butter.security;

import com.miserablemind.butter.bootstrap.config.ConfigSystem;
import com.miserablemind.butter.domain.model.user.user.UserManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

/*
 * Miserable Mind
 * http://www.butter.miserablemind.com
 * The MIT License (MIT)
 */

/**
 * Java-based (XML-less) Spring Security configuration for the web application.
 *
 * <p>Overrides the two {@code configure} hooks of {@link WebSecurityConfigurerAdapter} and
 * publishes the remember-me service and the {@link AuthenticationManager} as beans.
 * {@code prePostEnabled = true} switches on {@code @PreAuthorize}/{@code @PostAuthorize}
 * method security in addition to the URL rules defined here.
 *
 * @author <a href="http://www.miserablemind.com" target="_blank">miserablemind</a>
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityContext extends WebSecurityConfigurerAdapter {

    @Autowired
    protected PersistentTokenRepository persistentTokenRepository;

    // Strength/cost factor is chosen where this bean is defined, not in this class.
    @Autowired
    protected BCryptPasswordEncoder passwordEncoder;

    @Autowired
    protected ConfigSystem configSystem;

    @Autowired
    protected UserManager userManager;

    @Autowired
    protected AccessDeniedHandler accessDeniedHandler;

    /**
     * Defines URL authorization, the login form, logout, remember-me and the
     * {@link AccessDeniedHandler}.
     *
     * @param http the {@link HttpSecurity} builder; the Java counterpart of the
     *             {@code <http>} element of the XML namespace configuration
     * @throws Exception propagated from the Spring Security builder calls
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Reachable without authentication: auth/recovery pages, error pages, static assets.
        // NOTE(review): the password-reset and forgot-password handlers are anonymous entry
        // points; their token validation and throttling are not visible here - confirm.
        final String[] publicPaths = {
            "/login", "/signup", "/error/**", "/reset-password/**", "/forgot-password/**",
            "/js/**", "/img/**", "/css/**"
        };

        // Everything not listed above requires ROLE_USER.
        http.authorizeRequests()
            .antMatchers(publicPaths).permitAll()
            .anyRequest().access("hasRole('ROLE_USER')");

        http.formLogin()
            .loginPage("/login")
            .failureUrl("/login?error=true")
            .passwordParameter("password")
            .usernameParameter("username")
            .loginProcessingUrl("/login-submit")
            .defaultSuccessUrl("/");

        // NOTE(review): CSRF protection is switched off for the whole application while
        // authentication rides on a session cookie and a remember-me cookie, so no
        // state-changing request gets a CSRF token check from Spring Security.
        // With CSRF disabled the logout URL is also matched for any HTTP method, not only
        // POST. Re-enabling it requires every form to submit the CSRF token and logout to
        // be sent as POST; the templates are not visible from this class.
        http.csrf().disable();

        // NOTE(review): logoutUrl() sets the URL that *triggers* logout. The value reads like
        // a post-logout landing page - confirm logoutSuccessUrl() was not the intent.
        http.logout()
            .invalidateHttpSession(true)
            .logoutUrl("/logout-success");

        // The key given here is the same one the rememberMeServices bean is built with.
        // NOTE(review): presumably a secret loaded by ConfigSystem; verify it is
        // high-entropy and kept out of source control.
        http.rememberMe()
            .key(configSystem.getRememberMeKey())
            .rememberMeServices(rememberMeServices());

        http.exceptionHandling()
            .accessDeniedHandler(accessDeniedHandler);
    }

    /**
     * Registers {@link UserManager} as the user details service and
     * {@link BCryptPasswordEncoder} as the encoder used to check passwords.
     *
     * @param auth the {@link org.springframework.security.config.annotation.SecurityBuilder}
     *             used to create the {@link AuthenticationManager}
     * @throws Exception propagated from the Spring Security builder calls
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userManager)
            .passwordEncoder(passwordEncoder);
    }

    /**
     * Builds the persistent-token remember-me service from the remember-me key,
     * {@link UserManager} and {@link PersistentTokenRepository}.
     *
     * @return the {@link PersistentTokenBasedRememberMeServices} bean
     */
    @Bean(name = "rememberMeServices")
    public PersistentTokenBasedRememberMeServices rememberMeServices() {
        final PersistentTokenBasedRememberMeServices tokenServices =
            new PersistentTokenBasedRememberMeServices(
                configSystem.getRememberMeKey(), userManager, persistentTokenRepository);
        // Request parameter the login form sends to ask for a remember-me token.
        tokenServices.setParameter("remember-me");
        return tokenServices;
    }

    /**
     * Publishes the {@link AuthenticationManager} of {@link WebSecurityConfigurerAdapter}
     * as a bean. Per the original author, this is needed for method-level security
     * such as {@code @PreAuthorize("isFullyAuthenticated()")} to work.
     *
     * @return the {@link AuthenticationManager} bean
     * @throws Exception propagated from the superclass implementation
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        final AuthenticationManager delegate = super.authenticationManagerBean();
        return delegate;
    }
}