com.miserablemind.butter.security.WebSecurityContext.java Source code


Introduction

Here is the source code for com.miserablemind.butter.security.WebSecurityContext.java

Source

package com.miserablemind.butter.security;

import com.miserablemind.butter.bootstrap.config.ConfigSystem;
import com.miserablemind.butter.domain.model.user.user.UserManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

/*
 * Miserable Mind
 * http://www.butter.miserablemind.com
 * The MIT License (MIT)
 */

/**
 * Java-based (XML-less) Spring Security configuration for the web application.
 *
 * <p>Extends {@link WebSecurityConfigurerAdapter}, overrides two of its {@code configure} methods and
 * publishes the remember-me service and the {@link AuthenticationManager} as beans.
 * {@code prePostEnabled = true} switches on method-level security annotations such as
 * {@code @PreAuthorize}.
 *
 * <p>NOTE(review): {@link WebSecurityConfigurerAdapter} is deprecated as of Spring Security 5.7;
 * which version this project builds against is not visible here.
 *
 * @author <a href="http://www.miserablemind.com" target="_blank">miserablemind</a>
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityContext extends WebSecurityConfigurerAdapter {

    /**
     * Ant patterns that are served without authentication: the login, sign-up and password-recovery
     * pages, the error pages and the static asset folders. Everything else requires ROLE_USER.
     */
    private static final String[] PUBLIC_PATHS = {
            "/login", "/signup", "/error/**", "/reset-password/**",
            "/forgot-password/**", "/js/**", "/img/**", "/css/**"
    };

    // Store for the persistent remember-me tokens.
    @Autowired
    protected PersistentTokenRepository persistentTokenRepository;

    // Encoder used to verify submitted passwords against the stored hashes.
    @Autowired
    protected BCryptPasswordEncoder passwordEncoder;

    // Application configuration; the only value read from it here is the remember-me key.
    @Autowired
    protected ConfigSystem configSystem;

    // Used as the user-details service for both authentication and remember-me.
    @Autowired
    protected UserManager userManager;

    // Invoked when an authenticated user is refused access.
    @Autowired
    protected AccessDeniedHandler accessDeniedHandler;

    /**
     * Defines URL authorization, the login form, logout, remember-me and the
     * {@link AccessDeniedHandler} for the application.
     *
     * @param http the {@link HttpSecurity} builder, the counterpart of the XML namespace's
     *             &lt;http&gt; element
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // Public pages and static assets are open; any other request needs ROLE_USER.
        http.authorizeRequests()
                .antMatchers(PUBLIC_PATHS).permitAll()
                .anyRequest().access("hasRole('ROLE_USER')");

        // Custom login page; credentials are posted to /login-submit as "username" / "password".
        http.formLogin()
                .loginPage("/login")
                .failureUrl("/login?error=true")
                .passwordParameter("password")
                .usernameParameter("username")
                .loginProcessingUrl("/login-submit")
                .defaultSuccessUrl("/");

        // NOTE(review): CSRF protection is disabled for every request. Authentication here is
        // cookie-based (the session from form login plus the remember-me cookie), which is the case
        // CSRF tokens exist for; with it off, Spring Security also accepts the logout URL with any
        // HTTP method. Confirm this is deliberate; re-enabling it requires the views to send the
        // CSRF token with each state-changing request.
        http.csrf().disable();

        // logoutUrl is the URL that triggers the logout, not the page shown afterwards.
        // NOTE(review): the name "/logout-success" reads like a landing page; confirm the intent.
        http.logout()
                .invalidateHttpSession(true)
                .logoutUrl("/logout-success");

        // The key given to the configurer and the one inside the services bean come from the same
        // ConfigSystem getter, so the two stay in agreement.
        http.rememberMe()
                .key(configSystem.getRememberMeKey())
                .rememberMeServices(rememberMeServices());

        http.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
    }

    /**
     * Registers {@link UserManager} as the user-details service and {@link BCryptPasswordEncoder}
     * as the password encoder.
     *
     * @param auth the {@link org.springframework.security.config.annotation.SecurityBuilder} used to
     *             create the {@link AuthenticationManager}
     * @throws Exception propagated from the {@link AuthenticationManagerBuilder}
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userManager)
                .passwordEncoder(passwordEncoder);
    }

    /**
     * Builds the remember-me service from the configured key, {@link UserManager} and the
     * {@link PersistentTokenRepository}. The login form opts in through the request parameter
     * {@code remember-me}.
     *
     * <p>NOTE(review): the key is a signing secret and should not live in source control; where
     * {@link ConfigSystem} loads it from is not visible here. Cookie attributes are left at the
     * framework defaults.
     *
     * @return the {@link PersistentTokenBasedRememberMeServices} bean
     */
    @Bean(name = "rememberMeServices")
    public PersistentTokenBasedRememberMeServices rememberMeServices() {
        PersistentTokenBasedRememberMeServices rememberMe = new PersistentTokenBasedRememberMeServices(
                configSystem.getRememberMeKey(), userManager, persistentTokenRepository);
        rememberMe.setParameter("remember-me");
        return rememberMe;
    }

    /**
     * Exposes the {@link AuthenticationManager} built by {@link WebSecurityConfigurerAdapter} as a
     * bean. The override exists so that method-level security, for example
     * {@code @PreAuthorize("isFullyAuthenticated")}, works.
     *
     * @return the {@link AuthenticationManager} bean
     * @throws Exception propagated from the superclass implementation
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}