Commit 118d7260 authored by Aleksandr Sharaban's avatar Aleksandr Sharaban Committed by Matija Obreza

Migrated spring-security.xml and spring-security-oauth.xml to Java Config

parent 41fdf29c
......@@ -92,7 +92,7 @@
<aspectj.version>1.7.2</aspectj.version>
<mysql.version>5.1.31</mysql.version>
<hazelcast.version>3.4</hazelcast.version>
<hazelcast.version>3.6</hazelcast.version>
<oval.version>1.81</oval.version>
<jackson.version>2.2.1</jackson.version>
......
package org.genesys2.server.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Autowired
@Qualifier("permissionEvaluator")
private PermissionEvaluator permissionEvaluator;
@Bean
public MethodSecurityExpressionHandler expressionHandler() {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(permissionEvaluator);
return expressionHandler;
}
}
package org.genesys2.server.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import javax.inject.Named;
@Configuration
@Order(1)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
@Named("authUserDetailsService")
private UserDetailsService userDetailsService;
@Autowired
@Qualifier("webExpressionHandler")
private DefaultWebSecurityExpressionHandler expressionHandler;
@Bean(name = "passwordEncoder")
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
}
@Override
public void configure(WebSecurity web) throws Exception {
//Do not filter static resources and other stuff
web.ignoring()
.antMatchers("/html/**", "/webapi/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//Closed page and Authentication filter
http
.authorizeRequests()
.expressionHandler(expressionHandler)
// .antMatchers("/data/**").authenticated()
.antMatchers("/admin/**").access("hasRole('ADMINISTRATOR')")
.antMatchers("/1/admin/**").access("hasRole('ADMINISTRATOR')")
.antMatchers("/profile**").authenticated()
.antMatchers("/oauth/authorize").authenticated()
//Override default login and logout pages
.and()
.formLogin().loginPage("/login")
.failureUrl("/login?error=1")
.loginProcessingUrl("/login-attempt")
.defaultSuccessUrl("/", false)
.and()
// session-fixation-protection
.sessionManagement()
.sessionFixation().migrateSession()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.and()
.exceptionHandling()
.accessDeniedPage("/access-denied")
//Enable CSRF protection
.and()
.csrf();
}
}
......@@ -18,18 +18,21 @@ package org.genesys2.spring.config;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.genesys2.server.config.MethodSecurityConfig;
import org.genesys2.server.config.SecurityConfig;
import org.genesys2.server.config.SecurityOauthConfig;
import org.genesys2.spring.DefaultRolesPrefixPostProcessor;
import org.genesys2.transifex.client.TransifexService;
import org.genesys2.transifex.client.TransifexServiceImpl;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.ImportResource;
@Configuration
@ImportResource({ "classpath:/spring/spring-security.xml" })
@Import({ SpringProperties.class, SpringCommonConfig.class, SpringAclConfig.class, SpringSchedulerConfig.class, SpringDataBaseConfig.class,
SpringMailConfig.class, SpringSecurityOauthConfig.class, SpringCacheConfig.class, ElasticsearchConfig.class, FileRepositoryConfig.class })
SpringMailConfig.class, SpringCacheConfig.class, ElasticsearchConfig.class, FileRepositoryConfig.class,
SecurityConfig.class, MethodSecurityConfig.class, SecurityOauthConfig.class, SecurityOauthConfig.OauthTokenConfig.class,
SecurityOauthConfig.OauthUsersClientsConfig.class, SecurityOauthConfig.OauthApiConfig.class})
public class ApplicationConfig {
public static final Log LOG = LogFactory.getLog(ApplicationConfig.class);
......
......@@ -25,6 +25,7 @@ import com.hazelcast.core.IQueue;
import com.hazelcast.spring.cache.HazelcastCacheManager;
import com.hazelcast.web.WebFilter;
import com.hazelcast.web.spring.SpringAwareWebFilter;
import org.genesys2.server.security.lockout.AccountLockoutManager.AttemptStatistics;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cache.annotation.EnableCaching;
......@@ -84,7 +85,7 @@ public class SpringCacheConfig {
@Bean
public WebFilter hazelcastWebFilter() {
return new WebFilter(filterProps());
return new SpringAwareWebFilter(filterProps());
}
private Properties filterProps() {
......
/**
* Copyright 2014 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
package org.genesys2.spring.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportResource;
@Configuration
@ImportResource("classpath:/spring/spring-security-oauth.xml")
public class SpringSecurityOauthConfig {
}
<?xml version="1.0" encoding="UTF-8" ?>
<!--
Copyright 2014 Global Crop Diversity Trust
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean> -->
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<sec:authentication-manager id="clientAuthenticationManager">
<sec:authentication-provider user-service-ref="clientDetailsUserService">
<!-- <sec:password-encoder ref="passwordEncoder" /> -->
</sec:authentication-provider>
</sec:authentication-manager>
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:authorization-code authorization-code-services-ref="verificationCodeService" />
<oauth:refresh-token />
<oauth:password disabled="false" authentication-manager-ref="authenticationManager" />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter" resource-id="crophub_oauth_server" token-services-ref="tokenServices" />
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<sec:http pattern="/oauth/token" authentication-manager-ref="clientAuthenticationManager" create-session="stateless" xmlns="http://www.springframework.org/schema/security">
<sec:intercept-url pattern="/oauth/token" access="isAuthenticated()" />
<sec:anonymous enabled="false" />
<sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<sec:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
<sec:csrf disabled="true" />
</sec:http>
<!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling
separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
<sec:http pattern="/oauth/(users|clients)/.*" authentication-manager-ref="clientAuthenticationManager" request-matcher="regex" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" use-expressions="true" xmlns="http://www.springframework.org/schema/security">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/oauth/users/([^/].*?)/tokens/.*" access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('write')" method="DELETE" />
<sec:intercept-url pattern="/oauth/users/.*" access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')" method="GET" />
<sec:intercept-url pattern="/oauth/clients/.*" access="#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')" method="GET" />
<sec:intercept-url pattern="/**" access="denyAll()" />
<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
<sec:expression-handler ref="oauthWebExpressionHandler" />
</sec:http>
<sec:http pattern="/api/v0/.*" authentication-manager-ref="clientAuthenticationManager" request-matcher="regex" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" use-expressions="true"
xmlns="http://www.springframework.org/schema/security">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/api/v0/.*" access="isAuthenticated()" />
<sec:intercept-url pattern="/**" access="denyAll()" />
<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
<sec:expression-handler ref="oauthWebExpressionHandler" />
<sec:csrf disabled="true" />
</sec:http>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="genesys2" />
</bean>
<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="genesys2/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>
</beans>
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2014 Global Crop Diversity Trust
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!--
<bean name="authUserDetailsService" class="org.genesys2.server.service.impl.AuthUserDetailsService" />
-->
<!-- Authentication manager -->
<bean name="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="authUserDetailsService">
<sec:password-encoder ref="passwordEncoder" />
</sec:authentication-provider>
</sec:authentication-manager>
<bean id="securityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator" />
</bean>
<sec:global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
<sec:expression-handler ref="securityExpressionHandler" />
</sec:global-method-security>
<!--Do not filter static resources -->
<sec:http pattern="/html/**" security="none" create-session="stateless" />
<!-- And other stuff -->
<sec:http pattern="/webapi/**" security="none" create-session="stateless" />
<!-- Closed page and Authentication filter -->
<sec:http auto-config="true" use-expressions="true">
<!-- <intercept-url pattern="/data/**" access="isAuthenticated()" /> -->
<sec:intercept-url pattern="/admin/**" access="hasRole('ADMINISTRATOR')" />
<sec:intercept-url pattern="/1/admin/**" access="hasRole('ADMINISTRATOR')" />
<sec:intercept-url pattern="/profile**" access="isAuthenticated()" />
<sec:intercept-url pattern="/oauth/authorize" access="isAuthenticated()" />
<!--Override default login and logout pages -->
<sec:form-login login-page="/login" authentication-failure-url="/login?error=1" login-processing-url="/login-attempt" default-target-url="/" always-use-default-target="false" />
<sec:session-management session-fixation-protection="migrateSession" />
<sec:logout logout-url="/logout" logout-success-url="/" />
<sec:access-denied-handler error-page="/access-denied" />
<sec:expression-handler ref="webExpressionHandler" />
<!--enable CSRF protection-->
<sec:csrf />
</sec:http>
</beans>
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment