Switched from the manual implemented authentication-layer to Spring Security
[examples/facebook-app] / src / main / java / de / juplo / yourshouter / WebSecurityConfig.java
diff --git a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
new file mode 100644 (file)
index 0000000..738485e
--- /dev/null
@@ -0,0 +1,89 @@
+package de.juplo.yourshouter;
+
+import javax.inject.Inject;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
+
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter
+{
+  @Inject
+  AuthenticationEntryPoint authenticationEntryPoint;
+
+  /**
+   * We have to disable the default-configuration, because some of it does
+   * not work along with the canvas-page:
+   * <ul>
+   * <li>
+   * The support for CSRF-tokens consideres the initial call of Facebook to
+   * the canvas-page of our app as invalid, because it is issued as a post
+   * and the CSRF-token is missing.
+   * </li>
+   * <li>
+   * In the default-configuration, the <code>X-Frame-Options: DENY</code> is
+   * set for every response. This prevents the browser from showing our
+   * response inside Facebook, becaus that is an iFrame and the header
+   * forbidds to display our content in a frame.
+   * </li>
+   * </ul>
+   */
+  public WebSecurityConfig()
+  {
+    super(true);
+  }
+
+
+  /**
+   * @{@inheritDoc}
+   *
+   * Override the default-implementation to configure the authentication
+   * mechanism of Spring Security.
+   *
+   * We drop the support of CSRF-tokens, inject our specialized implementation
+   * of the {@link AuthenticationEntryPoint}-interface , disable the headers,
+   * that deny, to display our content insiede a frame and configure the
+   * pages, that should be accessible without authentication.
+   * We also drop support for a logout-page and the default-login-in-page.
+   */
+  @Override
+  protected void configure(HttpSecurity http) throws Exception
+  {
+    http
+                               .addFilter(new WebAsyncManagerIntegrationFilter())
+        .exceptionHandling()
+            .authenticationEntryPoint(authenticationEntryPoint)
+            .and()
+        .headers()
+            .frameOptions().disable()
+            .and()
+                               .sessionManagement().and()
+                               .securityContext().and()
+                               .requestCache().and()
+                               .anonymous().and()
+                               .servletApi().and()
+        .authorizeRequests()
+            .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
+            .anyRequest().authenticated();
+  }
+
+  /**
+   * {@inheritDoc}
+   *
+   * Override the default-implementation, to configure Spring Security to use
+   * in-memory authentication.
+   */
+  @Override
+  public void configure(AuthenticationManagerBuilder auth)
+      throws
+        Exception
+  {
+    auth.inMemoryAuthentication();
+  }
+}
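Review bot: Because the constructor calls `super(true)` and `configure(HttpSecurity)` never re-enables `.csrf()`, CSRF protection is dropped for every endpoint of the application, not only for the Facebook canvas POST that the Javadoc names as the reason. A narrower option, if the Spring Security version in use supports it, is to enable `.csrf()` with a `requireCsrfProtectionMatcher(...)` that exempts only the `/canvas/*` requests, so the remaining forms keep the token check. The same widening applies to `.headers().frameOptions().disable()`: it removes the clickjacking header from all responses, whereas only the canvas pages need to be framable by Facebook, so at minimum the method comment should say `// NOTE: CSRF and X-Frame-Options are disabled app-wide, not just for /canvas/*`. In `configure(AuthenticationManagerBuilder)` the call `auth.inMemoryAuthentication()` registers a provider with no users, so presumably the authentication is established elsewhere by the signin flow; a one-line comment stating that would spare the next reader the guess. The tag `@{@inheritDoc}` in the Javadoc of `configure(HttpSecurity)` is not a valid inline tag and should read `{@inheritDoc}` as in the second method.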