From fad2b31abc3dca5b748565aeee192ac6694bfecb Mon Sep 17 00:00:00 2001
From: Kai Moritz
Date: Mon, 1 Feb 2016 09:28:09 +0100
Subject: [PATCH] Simplified the configuration of Spring-Security: defaults are not disabled
---
 .../juplo/yourshouter/WebSecurityConfig.java | 65 ++++++++++---------
 1 file changed, 33 insertions(+), 32 deletions(-)
diff --git a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
index 738485e..2452adc 100644
--- a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
+++ b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
@@ -7,7 +7,6 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 @Configuration
@@ -17,57 +16,59 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter
 @Inject AuthenticationEntryPoint authenticationEntryPoint;
+ /**
- * We have to disable the default-configuration, because some of it does
- * not work along with the canvas-page:
+ * @{@inheritDoc}
+ *
+ * Override the default-implementation to configure the authentication
+ * mechanism of Spring Security.
 *
 */
- public WebSecurityConfig()
- {
- super(true);
- }
-
-
- /**
- * @{@inheritDoc}
- *
- * Override the default-implementation to configure the authentication
- * mechanism of Spring Security.
- *
- * We drop the support of CSRF-tokens, inject our specialized implementation
- * of the {@link AuthenticationEntryPoint}-interface , disable the headers,
- * that deny, to display our content insiede a frame and configure the
- * pages, that should be accessible without authentication.
- * We also drop support for a logout-page and the default-login-in-page.
- */
 @Override
 protected void configure(HttpSecurity http) throws Exception
 {
 http
- .addFilter(new WebAsyncManagerIntegrationFilter())
+ .csrf()
+ /**
+ * The Facebook-Canvas does not send a proper CSRF-token in its
+ * POST-requests. Hence, this feature has to be disabled for all
+ * pages, that receive an initial call from the Facebook-Canvas.
+ */
+ .ignoringAntMatchers("/canvas/*")
+ .and()
 .exceptionHandling()
 .authenticationEntryPoint(authenticationEntryPoint)
 .and()
 .headers()
+ /**
+ * All pages must be allowed, to be displayed inside a frame.
+ * Otherwise, the content will not show up after a successfull
+ * login through the Facebook-Canvas, because it is shown inside
+ * a frame!
+ */
 .frameOptions().disable()
 .and()
- .sessionManagement().and()
- .securityContext().and()
- .requestCache().and()
- .anonymous().and()
- .servletApi().and()
 .authorizeRequests()
 .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
 .anyRequest().authenticated();
--
2.20.1
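Review bot: `.frameOptions().disable()` in the headers() section drops the X-Frame-Options header from every response, although the new comment only justifies framing for the pages shown inside the Facebook canvas, so the whole application loses its clickjacking protection instead of just those pages. A narrower setting is to keep the header and instead allow framing only from Facebook's origin, for example `.headers().addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", "frame-ancestors <FACEBOOK-ORIGIN-PLACEHOLDER>"))` (or, if the Spring Security version in use has the builder, `contentSecurityPolicy(...)`), which the canvas still tolerates. The `.csrf().ignoringAntMatchers("/canvas/*")` exemption is sound only if the handlers behind `/canvas/*` verify the signed request Facebook posts to canvas pages; since that is not visible here, a comment such as `// CSRF is off for /canvas/*: the handlers must validate Facebook's signed request instead` next to the exemption would pin the assumption the security of that path rests on. In the documentation, `@{@inheritDoc}` should read `{@inheritDoc}`, the two `/** … */` blocks inside the builder chain are not attached to any declaration and read better as `//` comments, and `successfull` is a typo. The closing brace of `configure` lies outside the hunk.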