Redirect to originally requested page after sign-in
1 package de.juplo.yourshouter;
2
3 import javax.inject.Inject;
4 import org.springframework.context.annotation.Configuration;
5 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
6 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
7 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
8 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
9 import org.springframework.security.web.AuthenticationEntryPoint;
10 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
11
12
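@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
  /**
   * Entry point that is invoked when an unauthenticated request reaches a
   * URL that requires authentication. It is supplied by the application
   * context and replaces the default login page (see
   * {@link #configure(HttpSecurity)}).
   */
  @Inject
  AuthenticationEntryPoint authenticationEntryPoint;

  /**
   * We have to disable the default configuration, because some of it does
   * not work together with the canvas page:
   * <ul>
   * <li>
   * The support for CSRF tokens considers the initial call of Facebook to
   * the canvas page of our app as invalid, because it is issued as a POST
   * and the CSRF token is missing.
   * </li>
   * <li>
   * In the default configuration, the <code>X-Frame-Options: DENY</code>
   * header is set for every response. This prevents the browser from showing
   * our response inside Facebook, because that is an iFrame and the header
   * forbids displaying our content in a frame.
   * </li>
   * </ul>
   * Note that passing <code>true</code> to the super constructor switches
   * off <em>all</em> defaults, not only the two listed above: every feature
   * that is still wanted has to be enabled explicitly in
   * {@link #configure(HttpSecurity)}.
   */
  public WebSecurityConfig()
  {
    // true = do not apply the default HttpSecurity configuration.
    super(true);
  }


  /**
   * {@inheritDoc}
   *
   * Override the default implementation to configure the authentication
   * mechanism of Spring Security.
   *
   * We drop the support for CSRF tokens, inject our specialized implementation
   * of the {@link AuthenticationEntryPoint} interface, disable the headers
   * that deny displaying our content inside a frame and configure the
   * pages that should be accessible without authentication.
   * We also drop support for a logout page and the default login page.
   *
   * @param http the builder for the security filter chain
   * @throws Exception if the builder rejects the configuration
   */
  @Override
  protected void configure(HttpSecurity http) throws Exception
  {
    http
        // Makes the SecurityContext available to Spring MVC async request
        // processing; it is part of the defaults that super(true) disabled.
        .addFilter(new WebAsyncManagerIntegrationFilter())
        .exceptionHandling()
            // Unauthenticated access to a protected URL starts the sign-in
            // flow of the injected entry point instead of a login form.
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
        .headers()
            // Required so that Facebook can embed the canvas page in an
            // iFrame. This removes the anti-clickjacking header for every
            // response and every framing origin, not only for Facebook.
            // NOTE(review): if the Spring Security version in use supports
            // it, a Content-Security-Policy "frame-ancestors" restricted to
            // the Facebook origins would be a narrower replacement — verify.
            .frameOptions().disable()
            .and()
        // Re-enable the parts of the default configuration that are still
        // wanted, because super(true) switched all of them off.
        .sessionManagement().and()
        .securityContext().and()
        // The request cache is what allows the redirect back to the
        // originally requested page after sign-in (presumably the reason
        // for this commit — confirm against the sign-in controller).
        .requestCache().and()
        .anonymous().and()
        .servletApi().and()
        // CSRF protection is deliberately absent from this chain (see the
        // constructor), so it is off for ALL endpoints, not just the canvas
        // POST. NOTE(review): consider enabling csrf() and exempting only
        // the canvas path, if the Spring Security version in use offers a
        // way to exclude individual request matchers — verify.
        .authorizeRequests()
            // Sign-in pages and the canvas entry must be reachable before
            // a user is authenticated; everything else requires a login.
            .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
            .anyRequest().authenticated();
  }

  /**
   * {@inheritDoc}
   *
   * Override the default implementation to configure Spring Security to use
   * in-memory authentication.
   *
   * No users are registered here, so no username/password login is possible
   * through this manager; presumably sign-in happens solely through the
   * entry point and the /signin/* pages — confirm against the callers.
   *
   * @param auth the builder for the authentication manager
   * @throws Exception if the builder rejects the configuration
   */
  @Override
  public void configure(AuthenticationManagerBuilder auth) throws Exception
  {
    auth.inMemoryAuthentication();
  }
}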