diff --git a/src/main/java/org/takiguchi/starter/config/security/SecurityConfiguration.java b/src/main/java/org/takiguchi/starter/config/security/SecurityConfiguration.java
index 6ecfed7..d0ba8cd 100644
--- a/src/main/java/org/takiguchi/starter/config/security/SecurityConfiguration.java
+++ b/src/main/java/org/takiguchi/starter/config/security/SecurityConfiguration.java
@@ -3,53 +3,12 @@ package org.takiguchi.starter.config.security;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-
-import javax.servlet.http.HttpServletResponse;
-
-import static org.springframework.http.HttpMethod.OPTIONS;
-import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
 
 @EnableWebSecurity
 @Configuration
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
-
- private final String signingKey;
- private final int accessTokenValiditySeconds;
-
- public SecurityConfiguration(@Value("${app.security.signing-key}") String signingKey,
- @Value("${app.security.access-token-validity-seconds}") int accessTokenValiditySeconds) {
- this.signingKey = signingKey;
- this.accessTokenValiditySeconds = accessTokenValiditySeconds;
- }
-
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- http.cors().disable()
- .exceptionHandling()
- .authenticationEntryPoint((request, response, authResponse) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
- .accessDeniedHandler((request, response, accessDeniedException) -> response.sendError(HttpServletResponse.SC_FORBIDDEN))
- .and()
- .addFilterBefore(jwtRequestFilter(tokenProvider(signingKey, accessTokenValiditySeconds)), UsernamePasswordAuthenticationFilter.class)
- .sessionManagement().sessionCreationPolicy(STATELESS)
- .and()
-// .requiresChannel()
-// .anyRequest()
-// .requiresSecure()
-// .and()
- .csrf().disable()
- .authorizeRequests()
- .antMatchers(
- "/api/auth/login",
- "/api/health/check"
- ).permitAll()
- .antMatchers(OPTIONS).permitAll()
- .anyRequest().authenticated();
- }
+public class SecurityConfiguration {
 
 @Bean
 public BCryptPasswordEncoder passwordEncoder() {
diff --git a/src/main/java/org/takiguchi/starter/config/security/SpringSecurityConfiguration.java b/src/main/java/org/takiguchi/starter/config/security/SpringSecurityConfiguration.java
new file mode 100644
index 0000000..92f443c
--- /dev/null
+++ b/src/main/java/org/takiguchi/starter/config/security/SpringSecurityConfiguration.java
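Review bot: `@EnableWebSecurity` is kept on `SecurityConfiguration` (the context line just above `+public class SecurityConfiguration {`) even though the class no longer extends `WebSecurityConfigurerAdapter` and now only provides the `BCryptPasswordEncoder` bean, while the new `SpringSecurityConfiguration` carries the same annotation; the duplicate is harmless but misleading about where the filter chain is configured, so drop it here and leave this class as a plain `@Configuration`. The `org.springframework.beans.factory.annotation.Value` import is likewise kept as context although the `@Value` constructor that used it is removed; unless something further down the file (not visible here) still uses it, it is now dead. `passwordEncoder()` continues past the end of the hunk.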
@@ -0,0 +1,48 @@
+package org.takiguchi.starter.config.security;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+import javax.servlet.http.HttpServletResponse;
+
+import static org.springframework.http.HttpMethod.OPTIONS;
+import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
+
+@EnableWebSecurity
+@Configuration
+public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+ private final JwtRequestFilter jwtRequestFilter;
+
+ public SpringSecurityConfiguration(JwtRequestFilter jwtRequestFilter) {
+ this.jwtRequestFilter = jwtRequestFilter;
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.cors().disable()
+ .exceptionHandling()
+ .authenticationEntryPoint((request, response, authResponse) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
+ .accessDeniedHandler((request, response, accessDeniedException) -> response.sendError(HttpServletResponse.SC_FORBIDDEN))
+ .and()
+ .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
+ .sessionManagement().sessionCreationPolicy(STATELESS)
+ .and()
+ // To force https
+// .requiresChannel()
+// .anyRequest()
+// .requiresSecure()
+// .and()
+ .csrf().disable()
+ .authorizeRequests()
+ .antMatchers(
+ "/api/auth/login",
+ "/api/health/check"
+ ).permitAll()
+ .antMatchers(OPTIONS).permitAll()
+ .anyRequest().authenticated();
+ }
+}
diff --git a/src/main/java/org/takiguchi/starter/model/dao/User.java b/src/main/java/org/takiguchi/starter/model/dao/User.java
index d70b806..cdb66b3 100644
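Review bot: `.csrf().disable()` in `configure` is only sound because the session policy is `STATELESS` and the JWT is expected to arrive in a request header rather than a cookie; that assumption is what makes CSRF moot and it is not stated anywhere, so put it next to the call, e.g. `// CSRF disabled: stateless JWT auth; the token must be read from the Authorization header, never from a cookie`. `JwtRequestFilter` is constructor-injected here, which suggests it is a Spring-managed bean; if it is also a `@Component` implementing `Filter`, Spring Boot auto-registers it with the servlet container as well, so it would run once in the container chain and again via `addFilterBefore` — confirm, and if so suppress the auto-registration with a `FilterRegistrationBean<JwtRequestFilter>` on which `setEnabled(false)` is called. The `requiresChannel()` block is carried over as commented-out code under `// To force https`; either delete it or replace it with a one-line note saying where TLS is terminated (reverse proxy vs. the app), since a reader cannot tell whether HTTPS is enforced at all. `.cors().disable()` combined with `antMatchers(OPTIONS).permitAll()` lets every preflight through unauthenticated while leaving CORS headers to be produced elsewhere; a short comment naming that other place would save the next maintainer from re-enabling CORS here.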
--- a/src/main/java/org/takiguchi/starter/model/dao/User.java
+++ b/src/main/java/org/takiguchi/starter/model/dao/User.java
@@ -22,5 +22,4 @@ public class User {
 private String email;
 @Column(nullable = false)
 private String password;
- private String username;
 }