End security setup.

2020-07-19 19:29:13 +02:00
parent 36089cacfa
commit 50157ed4e7
3 changed files with 49 additions and 43 deletions
--- a/src/main/java/org/takiguchi/starter/config/security/SecurityConfiguration.java
+++ b/src/main/java/org/takiguchi/starter/config/security/SecurityConfiguration.java
@@ -3,53 +3,12 @@ package org.takiguchi.starter.config.security;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-
-import javax.servlet.http.HttpServletResponse;
-
-import static org.springframework.http.HttpMethod.OPTIONS;
-import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

@EnableWebSecurity
@Configuration
-public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
-
-    private final String signingKey;
-    private final int accessTokenValiditySeconds;
-
-    public SecurityConfiguration(@Value("${app.security.signing-key}") String signingKey,
-                                 @Value("${app.security.access-token-validity-seconds}") int accessTokenValiditySeconds) {
-        this.signingKey = signingKey;
-        this.accessTokenValiditySeconds = accessTokenValiditySeconds;
-    }
-
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        http.cors().disable()
-                .exceptionHandling()
-                .authenticationEntryPoint((request, response, authResponse) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
-                .accessDeniedHandler((request, response, accessDeniedException) -> response.sendError(HttpServletResponse.SC_FORBIDDEN))
-                .and()
-                .addFilterBefore(jwtRequestFilter(tokenProvider(signingKey, accessTokenValiditySeconds)), UsernamePasswordAuthenticationFilter.class)
-                .sessionManagement().sessionCreationPolicy(STATELESS)
-                .and()
-//                .requiresChannel()
-//                    .anyRequest()
-//                    .requiresSecure()
-//                .and()
-                .csrf().disable()
-                .authorizeRequests()
-                .antMatchers(
-                        "/api/auth/login",
-                        "/api/health/check"
-                ).permitAll()
-                .antMatchers(OPTIONS).permitAll()
-                .anyRequest().authenticated();
-    }
+public class SecurityConfiguration {

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
--- a/src/main/java/org/takiguchi/starter/config/security/SpringSecurityConfiguration.java
+++ b/src/main/java/org/takiguchi/starter/config/security/SpringSecurityConfiguration.java
@@ -0,0 +1,48 @@
+package org.takiguchi.starter.config.security;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+import javax.servlet.http.HttpServletResponse;
+
+import static org.springframework.http.HttpMethod.OPTIONS;
+import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
+
+@EnableWebSecurity
+@Configuration
+public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+    private final JwtRequestFilter jwtRequestFilter;
+
+    public SpringSecurityConfiguration(JwtRequestFilter jwtRequestFilter) {
+        this.jwtRequestFilter = jwtRequestFilter;
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.cors().disable()
+                .exceptionHandling()
+                .authenticationEntryPoint((request, response, authResponse) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
+                .accessDeniedHandler((request, response, accessDeniedException) -> response.sendError(HttpServletResponse.SC_FORBIDDEN))
+                .and()
+                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
+                .sessionManagement().sessionCreationPolicy(STATELESS)
+                .and()
+                // To force https
+//                .requiresChannel()
+//                    .anyRequest()
+//                    .requiresSecure()
+//                .and()
+                .csrf().disable()
+                .authorizeRequests()
+                .antMatchers(
+                        "/api/auth/login",
+                        "/api/health/check"
+                ).permitAll()
+                .antMatchers(OPTIONS).permitAll()
+                .anyRequest().authenticated();
+    }
+}
--- a/src/main/java/org/takiguchi/starter/model/dao/User.java
+++ b/src/main/java/org/takiguchi/starter/model/dao/User.java
@@ -22,5 +22,4 @@ public class User {
    private String email;
    @Column(nullable = false)
    private String password;
-    private String username;
 }