1 package de.juplo.yourshouter;
3 import javax.inject.Inject;
4 import org.springframework.context.annotation.Configuration;
5 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
6 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
7 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
8 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
9 import org.springframework.security.web.AuthenticationEntryPoint;
10 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
15 public class WebSecurityConfig extends WebSecurityConfigurerAdapter
// Entry point that handles requests from unauthenticated users; wired into the
// HttpSecurity chain in configure(HttpSecurity) below.
// NOTE(review): the javax.inject import suggests this field is injected with
// @Inject, but the annotation line is not visible in this excerpt — confirm.
18 AuthenticationEntryPoint authenticationEntryPoint;
21 * We have to disable the default-configuration, because some of it does
22 * not work along with the canvas-page:
25 * The support for CSRF-tokens considers the initial call of Facebook to
26 * the canvas-page of our app as invalid, because it is issued as a post
27 * and the CSRF-token is missing.
30 * In the default-configuration, the <code>X-Frame-Options: DENY</code> is
31 * set for every response. This prevents the browser from showing our
32 * response inside Facebook, because that is an iFrame and the header
33 * forbids displaying our content in a frame.
37 public WebSecurityConfig() // NOTE(review): body not visible in this excerpt; the Javadoc above says it disables the default configuration — confirm, since configure(HttpSecurity) then has to re-add every default it still relies on
46 * Override the default-implementation to configure the authentication
47 * mechanism of Spring Security.
49 * We drop the support of CSRF-tokens, inject our specialized implementation
50 * of the {@link AuthenticationEntryPoint}-interface, disable the headers
51 * that forbid displaying our content inside a frame, and configure the
52 * pages that should be accessible without authentication.
53 * We also drop support for a logout-page and the default login-page.
56 protected void configure(HttpSecurity http) throws Exception
  // Re-registers the async-integration filter that the default configuration
  // would otherwise install (needed once the defaults are disabled).
59 .addFilter(new WebAsyncManagerIntegrationFilter())
  // Unauthenticated requests are handed to the injected entry point instead of
  // the default login page.
  // NOTE(review): the Javadoc says CSRF support is dropped, but that line is
  // not visible in this excerpt. If CSRF is disabled globally, consider limiting
  // the exemption to the canvas POST (e.g. CsrfConfigurer#ignoringAntMatchers in
  // Spring Security 4+) so the signed-in pages keep CSRF protection.
61 .authenticationEntryPoint(authenticationEntryPoint)
  // Drops the X-Frame-Options header for every response so the canvas page can
  // be framed by Facebook. NOTE(review): this also allows framing by any other
  // site (clickjacking); a Content-Security-Policy frame-ancestors directive
  // restricted to the embedding origin would be the narrower fix.
64 .frameOptions().disable()
  // Session management and the security context were part of the disabled
  // defaults (per the Javadoc above) and are configured explicitly here.
66 .sessionManagement().and()
67 .securityContext().and()
  // Sign-in and canvas endpoints are public; everything else requires
  // authentication. Keep anyRequest().authenticated() as the last rule so no
  // path falls through unprotected.
72 .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
73 .anyRequest().authenticated();
79 * Override the default-implementation to configure Spring Security to use
80 * in-memory authentication.
83 public void configure(AuthenticationManagerBuilder auth)
  // Switches the builder to in-memory authentication.
  // NOTE(review): no users are registered in the visible code; if the lines
  // not shown here add none either, every credential check fails — safe, but
  // probably unintended. In-memory users are suitable for development only.
87 auth.inMemoryAuthentication();