Added forbiden urls and protected
This commit is contained in:
parent
478ea27480
commit
82c4c9d0fe
@ -11,4 +11,7 @@ import org.springframework.stereotype.Repository;
|
||||
public interface UserRepository extends JpaRepository<User, Long> {
|
||||
@Query("FROM User WHERE email = ?1")
|
||||
User getByAuthority(@Param("authority") String authority);
|
||||
|
||||
@Query("FROM User WHERE token = ?1")
|
||||
User getByToken(@Param("token") String token);
|
||||
}
|
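Review bot: The lookup `@Query("FROM User WHERE token = ?1")` compares the bearer token presented by the client directly against the stored `token` column, so the database holds usable credentials in the clear; storing only a SHA-256 digest and querying by that digest (e.g. `WHERE tokenHash = ?1`) would keep a leaked table from yielding live sessions. Both new queries mix positional `?1` with `@Param("token")`, which is harmless but misleading — either use `:token` in the JPQL or drop the `@Param`. A single-`User` return on a column that is not declared unique fails with an incorrect-result-size exception at runtime rather than at schema time; if `token` is not unique in the entity, it should be. The interface is complete within this hunk.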
@ -38,4 +38,8 @@ public class UserService extends EventWatcher {
|
||||
return this.repo.getByAuthority(email.replace("\n", "").trim());
|
||||
}
|
||||
|
||||
public User getByToken(String token) {
|
||||
return this.repo.getByToken(token);
|
||||
}
|
||||
|
||||
}
|
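Review bot: `getByToken` forwards a null or empty token straight to the repository at `return this.repo.getByToken(token);`, so a request without an Authorization header (which the new filter turns into `""`) becomes a `WHERE token = ''` lookup; if any user row carries an empty-string token, that request would authenticate as that user. Short-circuit before touching the database: `if (token == null || token.trim().isEmpty()) { return null; }`. A one-line Javadoc such as `/** Resolves the user owning the given bearer token, or null when no user matches. */` would also document the null contract the authentication provider relies on. The `UserService` class begins outside this hunk.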
@ -42,6 +42,12 @@
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
<version>2.3.3.RELEASE</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-test</artifactId>
|
||||
@ -54,6 +60,12 @@
|
||||
</exclusions>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.apache.commons</groupId>
|
||||
<artifactId>commons-lang3</artifactId>
|
||||
<version>3.8.1</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<artifactId>buisnesslogic</artifactId>
|
||||
<groupId>com.plannaplan</groupId>
|
||||
|
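Review bot: `spring-boot-starter-security` is pinned to `<version>2.3.3.RELEASE</version>` while the neighbouring `spring-boot-starter-web` carries no version, which suggests a Boot parent or BOM already manages these; a hard-coded starter version will drift from the managed one at the next upgrade and silently mix Spring Security releases. Drop the `<version>` element and let dependency management resolve it, and likewise prefer the managed `commons-lang3` version over pinning `3.8.1`. If this pom has no Boot parent, the explicit version is required and this comment does not apply.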
@ -0,0 +1,49 @@
|
||||
package com.plannaplan.security;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
import static org.springframework.http.HttpHeaders.AUTHORIZATION;
|
||||
|
||||
public class AuthenticationFilter extends AbstractAuthenticationProcessingFilter {
|
||||
|
||||
AuthenticationFilter(final RequestMatcher requiresAuth) {
|
||||
super(requiresAuth);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
|
||||
throws AuthenticationException, IOException, ServletException {
|
||||
|
||||
String token = request.getHeader(AUTHORIZATION);
|
||||
if (token == null) {
|
||||
token = "";
|
||||
} else {
|
||||
token = StringUtils.removeStart(token, "Bearer").trim();
|
||||
}
|
||||
Authentication requestAuthentication = new UsernamePasswordAuthenticationToken(token, token);
|
||||
return getAuthenticationManager().authenticate(requestAuthentication);
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response,
|
||||
final FilterChain chain, final Authentication authResult) throws IOException, ServletException {
|
||||
SecurityContextHolder.getContext().setAuthentication(authResult);
|
||||
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
|
||||
}
|
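Review bot: `attemptAuthentication` turns a missing Authorization header into the empty token `""` and strips a leading `Bearer` without requiring it, so an absent header or a `Basic …` header is still handed to the authentication manager as a credential and the rejection is left to a database lookup. Reject at the edge instead: require the `Bearer ` prefix and throw `BadCredentialsException` (from `org.springframework.security.authentication`, which needs an import) when it is missing or the remainder is blank, so `unsuccessfulAuthentication` answers 401 without touching the repository. `successfulAuthentication` deliberately skips `super`, which also skips the session strategy and success handler; a comment such as `// Stateless: set the context and continue the chain; no session, no redirect.` would keep the next reader from "fixing" it.
```java
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException, IOException, ServletException {
    String header = request.getHeader(AUTHORIZATION);
    // Only bearer tokens are accepted; anything else is rejected before any lookup.
    if (header == null || !header.startsWith("Bearer ")) {
        throw new BadCredentialsException("Missing or malformed Authorization header");
    }
    String token = header.substring("Bearer ".length()).trim();
    if (token.isEmpty()) {
        throw new BadCredentialsException("Empty bearer token");
    }
    // … unchanged: build the UsernamePasswordAuthenticationToken and delegate to the manager …
```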
@ -0,0 +1,91 @@
|
||||
package com.plannaplan.security;
|
||||
|
||||
import java.util.Collection;
|
||||
|
||||
import com.plannaplan.entities.User;
|
||||
import com.plannaplan.services.UserService;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.userdetails.UserDetails;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
@Component
|
||||
public class AuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
|
||||
|
||||
@Autowired
|
||||
private UserService userService;
|
||||
|
||||
@Override
|
||||
protected void additionalAuthenticationChecks(UserDetails userDetails,
|
||||
UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
|
||||
// TODO Auto-generated method stub
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
|
||||
throws AuthenticationException {
|
||||
|
||||
String token = authentication.getCredentials().toString();
|
||||
|
||||
User user = this.userService.getByToken(token);
|
||||
|
||||
if (user == null) {
|
||||
throw new UsernameNotFoundException("Cannot find user with authentication token=" + token);
|
||||
}
|
||||
|
||||
UserDetails response = new UserDetails() {
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
@Override
|
||||
public Collection<? extends GrantedAuthority> getAuthorities() {
|
||||
// TODO Auto-generated method stub
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getPassword() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getUsername() {
|
||||
return user.getName() + " " + user.getSurname();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isAccountNonExpired() {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isAccountNonLocked() {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isCredentialsNonExpired() {
|
||||
// TODO Auto-generated method stub
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isEnabled() {
|
||||
return true;
|
||||
}
|
||||
|
||||
};
|
||||
|
||||
return response;
|
||||
}
|
||||
|
||||
}
|
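Review bot: The failure path `throw new UsernameNotFoundException("Cannot find user with authentication token=" + token);` puts the presented bearer token into an exception message that will reach logs and possibly error responses; keep the secret out of it, e.g. `throw new UsernameNotFoundException("No user matches the supplied authentication token");`. `getAuthorities()` returns `null` although the `UserDetails` contract requires a non-null collection — `AbstractAuthenticationToken` tolerates it, but anything else that iterates authorities will NPE — so return `Collections.emptyList()` (needs `java.util.Collections`) until roles exist. The empty `additionalAuthenticationChecks` is reasonable for token authentication but reads as an unfinished stub; replace the TODO with `// No password to compare: the token lookup in retrieveUser is the whole check.`. `getUsername()` returns name and surname, which need not be unique; if the principal name is used anywhere as a key, prefer the email or id.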
@ -0,0 +1,66 @@
|
||||
package com.plannaplan.security;
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.builders.WebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.OrRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
|
||||
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
private static final RequestMatcher PROTECTED_URLS = new OrRequestMatcher(new AntPathRequestMatcher("/api/**"));
|
||||
|
||||
AuthenticationProvider provider;
|
||||
|
||||
public WebSecurityConfig(final AuthenticationProvider authenticationProvider) {
|
||||
super();
|
||||
this.provider = authenticationProvider;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(final AuthenticationManagerBuilder auth) {
|
||||
auth.authenticationProvider(provider);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void configure(final WebSecurity webSecurity) {
|
||||
webSecurity.ignoring().antMatchers("/token**");
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.csrf().disable().formLogin().disable().httpBasic().disable().logout().disable().sessionManagement()
|
||||
.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().exceptionHandling().and()
|
||||
.authenticationProvider(provider)
|
||||
.addFilterBefore(authenticationFilter(), AnonymousAuthenticationFilter.class).authorizeRequests()
|
||||
.antMatchers(HttpMethod.GET, "/token**").permitAll().anyRequest().authenticated();
|
||||
|
||||
}
|
||||
|
||||
@Bean
|
||||
AuthenticationFilter authenticationFilter() throws Exception {
|
||||
final AuthenticationFilter filter = new AuthenticationFilter(PROTECTED_URLS);
|
||||
filter.setAuthenticationManager(authenticationManager());
|
||||
// filter.setAuthenticationSuccessHandler(successHandler());
|
||||
return filter;
|
||||
}
|
||||
|
||||
@Bean
|
||||
AuthenticationEntryPoint forbiddenEntryPoint() {
|
||||
return new HttpStatusEntryPoint(HttpStatus.FORBIDDEN);
|
||||
}
|
||||
|
||||
}
|
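Review bot: The `forbiddenEntryPoint()` bean is never wired into the chain — `.exceptionHandling().and()` takes no entry point — so the status it configures is not what unauthenticated callers actually get from this configuration; either delete it or wire it with `.exceptionHandling().authenticationEntryPoint(forbiddenEntryPoint()).and()`, and consider `HttpStatus.UNAUTHORIZED` there, since a missing token is an authentication failure rather than an authorization one. Exposing `authenticationFilter()` as a `@Bean` also lets Spring Boot auto-register the filter with the servlet container outside the security chain, so it can run twice per request; either drop the `@Bean` or add a `FilterRegistrationBean` for it with `setEnabled(false)`. `webSecurity.ignoring().antMatchers("/token**")` removes the entire security filter chain (security headers included) for those URLs and duplicates the `permitAll()` rule below; the `permitAll()` rule alone is enough. `PROTECTED_URLS` only triggers the filter for `/api/**` while `anyRequest().authenticated()` covers everything, so any endpoint outside `/api/` and `/token*` can never be reached by a caller — presumably unintended if such endpoints exist. The commented-out `successHandler()` line should be removed rather than left in.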