org.shaigor.rest.retro.security.gateway.config.OAuth2SecurityConfigurer.java Source code

Java tutorial

  1. HOME
  2. Java
  3. org.shaigor.rest.retro.security.gateway.config.OAuth2SecurityConfigurer.java

Introduction

Here is the source code for org.shaigor.rest.retro.security.gateway.config.OAuth2SecurityConfigurer.java

Source

/**
 * Copyright 2014 the original author or authors.
 * 
 * This file is part of Retro-fitting Security into REST web services sample (the sample).
 * The sample is part of the talk presented at Java One 2014 
 *    https://oracleus.activeevents.com/2014/connect/sessionDetail.ww?SESSION_ID=1765&tclass=popup
 * 
 * The sample is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * 
 * The sample is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with the sample.  If not, see <http://www.gnu.org/licenses/>.
 */
package org.shaigor.rest.retro.security.gateway.config;

import static org.shaigor.rest.retro.security.gateway.oauth.CustomSecurityExpressionMethods.ROLE_WORDS_DEMO;
import static org.shaigor.rest.retro.security.gateway.oauth.CustomSecurityExpressionMethods.ROLE_WORDS_PRODUCTION;

import javax.annotation.Resource;
import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.StandardPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
//@EnableResourceServer
@ComponentScan(basePackages = { "org.shaigor.rest.retro.security.gateway.oauth" })
/**
 * Web Security aspects of configuration
 * 
 * @author Irena Shaigorodsky
 */
public class OAuth2SecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Resource
    private DataSource securityDataSource;
    @Resource
    private String groupAuthoritiesByUsernameSql;

    @Resource(name = "demoOAuth2WebSecurityExpressionHandler")
    private SecurityExpressionHandler<FilterInvocation> expressionHandler;

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.expressionHandler(expressionHandler).ignoring().antMatchers("/oauth/uncache_approvals",
                "/oauth/cache_approvals");
    }

    @Bean(name = "exposedAuthenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(securityDataSource).rolePrefix("ROLE_")
                .groupAuthoritiesByUsername(groupAuthoritiesByUsernameSql)
                .passwordEncoder(new StandardPasswordEncoder());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/login.jsp").permitAll().and().authorizeRequests()
                .expressionHandler(expressionHandler).anyRequest().hasRole("USER").and().authorizeRequests()
                .regexMatchers(HttpMethod.GET, "/word/list(\\?.*)?")
                .access("#oauth2.hasScope('words') and hasRole('ROLE_USER') "
                        //+ "and hasAnyRole('"+ ROLE_WORDS_DEMO +"','" + ROLE_WORDS_PRODUCTION +"') " 
                        + "and #wordsServiceAuthorizer.accessAllowed()")
                .and().exceptionHandling().accessDeniedPage("/login.jsp?authorization_error=true").and()
                // TODO: put CSRF protection back into this endpoint
                .csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable()
                .logout().logoutSuccessUrl("/index.jsp").logoutUrl("/logout.do").and().formLogin()
                .usernameParameter("j_username").passwordParameter("j_password")
                .failureUrl("/login.jsp?authentication_error=true").loginPage("/login.jsp")
                .loginProcessingUrl("/j_spring_security_check");
    }
}