From: Kai Moritz <kai@juplo.de>
Date: Mon, 1 Feb 2016 08:28:09 +0000 (+0100)
Subject: Simplified the configuration of Spring-Security: defaults are not disabled
X-Git-Url: http://juplo.de/gitweb/?a=commitdiff_plain;h=fad2b31abc3dca5b748565aeee192ac6694bfecb;p=examples%2Ffacebook-app

Simplified the configuration of Spring-Security: defaults are not disabled
---

diff --git a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
index 738485e..2452adc 100644
--- a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
+++ b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
@@ -7,7 +7,6 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 
 @Configuration
@@ -17,57 +16,59 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter
   @Inject
   AuthenticationEntryPoint authenticationEntryPoint;
 
+
   /**
-   * We have to disable the default-configuration, because some of it does
-   * not work along with the canvas-page:
+   * @{@inheritDoc}
+   *
+   * Override the default-implementation to configure the authentication
+   * mechanism of Spring Security.
    * <ul>
    * <li>
-   * The support for CSRF-tokens consideres the initial call of Facebook to
+   * We suppress the support of CSRF-tokens for our canvas-page, because
+   * the implementation consideres the initial call of Facebook to
    * the canvas-page of our app as invalid, because it is issued as a post
    * and the CSRF-token is missing.
    * </li>
    * <li>
-   * In the default-configuration, the <code>X-Frame-Options: DENY</code> is
-   * set for every response. This prevents the browser from showing our
-   * response inside Facebook, becaus that is an iFrame and the header
-   * forbidds to display our content in a frame.
+   * We inject our specialized implementation of the
+   * {@link AuthenticationEntryPoint}-interface.
+   * </li>
+   * <li>
+   * We configure the mechanism, that adds securtiy headers to the response,
+   * to disable the headers, that deny, to display our content insiede a frame,
+   * because otherwise, the browser would not render our content, when the
+   * app is displayed inside of Facebook through our canvas-page.
+   * </li>
+   * <li>
+   * Last but not least, we configure the pages, that should be accessible
+   * without authentication.
    * </li>
    * </ul>
    */
-  public WebSecurityConfig()
-  {
-    super(true);
-  }
-
-
-  /**
-   * @{@inheritDoc}
-   *
-   * Override the default-implementation to configure the authentication
-   * mechanism of Spring Security.
-   *
-   * We drop the support of CSRF-tokens, inject our specialized implementation
-   * of the {@link AuthenticationEntryPoint}-interface , disable the headers,
-   * that deny, to display our content insiede a frame and configure the
-   * pages, that should be accessible without authentication.
-   * We also drop support for a logout-page and the default-login-in-page.
-   */
   @Override
   protected void configure(HttpSecurity http) throws Exception
   {
     http
-        .addFilter(new WebAsyncManagerIntegrationFilter())
+        .csrf()
+        /**
+         * The Facebook-Canvas does not send a proper CSRF-token in its
+         * POST-requests. Hence, this feature has to be disabled for all
+         * pages, that receive an initial call from the Facebook-Canvas.
+         */
+        .ignoringAntMatchers("/canvas/*")
+        .and()
         .exceptionHandling()
         .authenticationEntryPoint(authenticationEntryPoint)
         .and()
         .headers()
+        /**
+         * All pages must be allowed, to be displayed inside a frame.
+         * Otherwise, the content will not show up after a successfull
+         * login through the Facebook-Canvas, because it is shown inside
+         * a frame!
+         */
         .frameOptions().disable()
         .and()
-        .sessionManagement().and()
-        .securityContext().and()
-        .requestCache().and()
-        .anonymous().and()
-        .servletApi().and()
         .authorizeRequests()
         .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
         .anyRequest().authenticated();
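Review bot: `.frameOptions().disable()` under `.headers()` drops the X-Frame-Options header for every response, including `/signin.html` and the authenticated pages, so any origin — not only Facebook — may frame the app, which is exactly the clickjacking exposure that header exists to prevent; the new comment above it states that "all pages must be allowed" to be framed, but what the canvas actually needs is framing by facebook.com, not by arbitrary sites. Since X-Frame-Options cannot express an origin allow-list portably (ALLOW-FROM is not honoured by all browsers), the usual way to keep the canvas working is to leave the header disabled and add a CSP frame-ancestors directive instead, e.g. `.addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", "frame-ancestors 'self' https://apps.facebook.com https://www.facebook.com"))` placed right after `.frameOptions().disable()` (this needs `org.springframework.security.web.header.writers.StaticHeadersWriter`, present in Spring Security 3.2 and later — confirm against the version this project builds with). Exempting `/canvas/*` from CSRF protection via `ignoringAntMatchers` is acceptable only if the controller behind those routes verifies the signed_request that Facebook posts, since that signature now stands in for the CSRF token there; the handler is not part of this diff, so please confirm. As a point of style, the `/**` markers inside the builder chain are Javadoc openers on non-declarations; `//` or `/* ... */` comments are the conventional form for inline explanation. The closing braces of `configure` lie outside the hunk.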