X-Git-Url: https://juplo.de/gitweb/?a=blobdiff_plain;f=src%2Fmain%2Fjava%2Fde%2Fjuplo%2Fyourshouter%2FWebSecurityConfig.java;h=5b82a1237835c7dd5015d2370dd898a6a04f7b85;hb=HEAD;hp=738485e94fafc0631219a12b4d520862dbb47a51;hpb=8f6d3c83aa9651e593b57b3d47cfd50a4ae73661;p=examples%2Ffacebook-app
diff --git a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
index 738485e..5b82a12 100644
--- a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
+++ b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
@@ -7,7 +7,6 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 
 
 @Configuration
@@ -17,57 +16,59 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter
 @Inject
 AuthenticationEntryPoint authenticationEntryPoint;
 
+
 /**
- * We have to disable the default-configuration, because some of it does
- * not work along with the canvas-page:
+ * @{@inheritDoc}
+ *
+ * Override the default-implementation to configure the authentication
+ * mechanism of Spring Security.
 *
 */
- public WebSecurityConfig()
- {
- super(true);
- }
-
-
- /**
- * @{@inheritDoc}
- *
- * Override the default-implementation to configure the authentication
- * mechanism of Spring Security.
- *
- * We drop the support of CSRF-tokens, inject our specialized implementation
- * of the {@link AuthenticationEntryPoint}-interface , disable the headers,
- * that deny, to display our content insiede a frame and configure the
- * pages, that should be accessible without authentication.
- * We also drop support for a logout-page and the default-login-in-page.
- */
 @Override
 protected void configure(HttpSecurity http) throws Exception
 {
 http
- .addFilter(new WebAsyncManagerIntegrationFilter())
+ .csrf()
+ /**
+ * Neither the Facebook-Canvas nor the H2-console does send a proper
+ * CSRF-token in its POST-requests. Hence, this feature has to be
+ * disabled for this pages.
+ */
+ .ignoringAntMatchers("/canvas/*", "/h2-console/*")
+ .and()
 .exceptionHandling()
 .authenticationEntryPoint(authenticationEntryPoint)
 .and()
 .headers()
+ /**
+ * All pages must be allowed, to be displayed inside a frame.
+ * Otherwise, the content will not show up after a successfull
+ * login through the Facebook-Canvas, because it is shown inside
+ * a frame!
+ */
 .frameOptions().disable()
 .and()
- .sessionManagement().and()
- .securityContext().and()
- .requestCache().and()
- .anonymous().and()
- .servletApi().and()
 .authorizeRequests()
 .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
 .anyRequest().authenticated();