1 package de.juplo.yourshouter;
3 import javax.inject.Inject;
4 import org.springframework.context.annotation.Configuration;
5 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
6 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
7 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
8 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
9 import org.springframework.security.web.AuthenticationEntryPoint;
14 public class WebSecurityConfig extends WebSecurityConfigurerAdapter
17 AuthenticationEntryPoint authenticationEntryPoint;
23 * Override the default-implementation to configure the authentication
24 * mechanism of Spring Security.
27 * We suppress the support of CSRF-tokens for our canvas-page, because
28 * the implementation considers the initial call of Facebook to
29 * the canvas-page of our app as invalid: it is issued as a POST
30 * and the CSRF-token is missing.
33 * We inject our specialized implementation of the
34 * {@link AuthenticationEntryPoint}-interface.
37 * We configure the mechanism that adds security headers to the response
38 * to disable the headers that deny displaying our content inside a frame,
39 * because otherwise the browser would not render our content when the
40 * app is displayed inside of Facebook through our canvas-page.
43 * Last but not least, we configure the pages that should be accessible
44 * without authentication.
49 protected void configure(HttpSecurity http) throws Exception
54 * Neither the Facebook-Canvas nor the H2-console sends a proper
55 * CSRF-token in its POST-requests. Hence, this feature has to be
56 * disabled for these pages.
// NOTE(review): the /h2-console/* exemption is only needed while the H2
// console itself is reachable; confirm the console is not enabled outside
// development, otherwise this leaves a CSRF-unprotected admin endpoint.
58 .ignoringAntMatchers("/canvas/*", "/h2-console/*")
// Unauthenticated requests are handed to the injected AuthenticationEntryPoint.
61 .authenticationEntryPoint(authenticationEntryPoint)
65 * All pages must be allowed, to be displayed inside a frame.
66 * Otherwise, the content will not show up after a successful
67 * login through the Facebook-Canvas, because it is shown inside
// NOTE(review): disabling frame-options for every URL also drops the
// clickjacking protection for pages that are never framed by Facebook; a
// Content-Security-Policy frame-ancestors directive limited to the
// canvas host would be the narrower option — TODO confirm.
70 .frameOptions().disable()
// Sign-in pages and the canvas callback are public; everything else
// requires an authenticated session.
73 .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
74 .anyRequest().authenticated();
80 * Override the default-implementation, to configure Spring Security to use
81 * in-memory authentication.
84 public void configure(AuthenticationManagerBuilder auth)
88 auth.inMemoryAuthentication();