1 package de.juplo.yourshouter;
3 import org.springframework.context.annotation.Configuration;
4 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
5 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
6 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
7 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
8 import org.springframework.security.web.AuthenticationEntryPoint;
13 public class WebSecurityConfig extends WebSecurityConfigurerAdapter
18 * Override the default implementation to configure the authentication
19 * mechanism of Spring Security.
22 * We disable the CSRF-token check for our canvas-page, because
23 * the implementation considers the initial call from Facebook to
24 * the canvas-page of our app invalid: it is issued as a POST
25 * and the CSRF-token is missing.
28 * We inject our specialized implementation of the
29 * {@link AuthenticationEntryPoint}-interface.
32 * We configure the mechanism that adds security headers to the response
33 * so that the headers which forbid displaying our content inside a frame
34 * are disabled; otherwise the browser would not render our content when the
35 * app is displayed inside Facebook through our canvas-page.
38 * Last but not least, we configure the pages that should be accessible
39 * without authentication.
44 protected void configure(HttpSecurity http) throws Exception
49 * Neither the Facebook-Canvas nor the H2-console sends a proper
50 * CSRF-token in its POST-requests. Hence, this feature has to be
51 * disabled for these pages.
53 .ignoringAntMatchers("/canvas/*", "/h2-console/*")
57 * All pages must be allowed to be displayed inside a frame.
58 * Otherwise, the content will not show up after a successful
59 * login through the Facebook-Canvas, because it is shown inside
62 .frameOptions().disable()
65 .antMatchers("/canvas/*").permitAll()
66 .anyRequest().authenticated();
72 * Override the default implementation to configure Spring Security to use
73 * in-memory authentication.
76 public void configure(AuthenticationManagerBuilder auth)
80 auth.inMemoryAuthentication();