package de.juplo.yourshouter;
import javax.inject.Inject;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.AuthenticationEntryPoint;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
  /**
   * Paths whose POST requests arrive without a CSRF token: the initial call
   * Facebook makes to the canvas page, and the H2 console. Both are single
   * path-segment patterns, so deeper paths (e.g. {@code /canvas/a/b}) are
   * NOT exempt.
   */
  private static final String[] CSRF_EXEMPT_PATTERNS =
      { "/canvas/*", "/h2-console/*" };

  /** Paths that must be reachable before the user has authenticated. */
  private static final String[] PUBLIC_PATTERNS =
      { "/signin.html", "/signin/*", "/canvas/*" };

  /** Entry point used when an unauthenticated request hits a protected page. */
  @Inject
  AuthenticationEntryPoint authenticationEntryPoint;

  /**
   * {@inheritDoc}
   *
   * Configures the HTTP security rules for the application.
   *
   * <ul>
   *   <li>CSRF protection is switched off for {@link #CSRF_EXEMPT_PATTERNS},
   *       because neither the Facebook canvas nor the H2 console sends a
   *       token with its POST requests. Everywhere else CSRF protection
   *       stays active. The H2 console still falls under
   *       {@code anyRequest().authenticated()} below, but the exemption is
   *       only sensible in a development profile — confirm it is not
   *       deployed to production.</li>
   *   <li>The injected {@link AuthenticationEntryPoint} replaces the default
   *       one.</li>
   *   <li>The {@code X-Frame-Options} header is disabled for every response,
   *       because the app is rendered inside a frame on Facebook and the
   *       browser would otherwise refuse to show it. This also removes the
   *       clickjacking protection for all pages; a narrower allow-list (e.g.
   *       a CSP {@code frame-ancestors} directive limited to Facebook's
   *       origin) would be the tighter option — TODO evaluate.</li>
   *   <li>{@link #PUBLIC_PATTERNS} are open to everyone; every other request
   *       requires an authenticated user.</li>
   * </ul>
   *
   * @param http the {@link HttpSecurity} builder supplied by Spring Security
   * @throws Exception propagated from the builder calls
   */
  @Override
  protected void configure(HttpSecurity http) throws Exception
  {
    // Each builder section is configured in its own statement; Spring
    // Security returns the same configurer instance for repeated calls on
    // the same HttpSecurity, so this is equivalent to one chained call.
    http.csrf().ignoringAntMatchers(CSRF_EXEMPT_PATTERNS);

    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);

    // Global: no X-Frame-Options header is emitted at all (see Javadoc).
    http.headers().frameOptions().disable();

    // Matcher order matters: the permitAll rules must precede anyRequest().
    http.authorizeRequests()
        .antMatchers(PUBLIC_PATTERNS).permitAll()
        .anyRequest().authenticated();
  }

  /**
   * {@inheritDoc}
   *
   * Configures Spring Security to use in-memory authentication. No user
   * accounts are registered here (there is no {@code withUser(...)} call),
   * so this provider alone cannot authenticate anyone; presumably users are
   * added elsewhere or sign-in is delegated to Facebook via {@code /signin/*}
   * — verify against the rest of the project.
   *
   * @param auth the {@link AuthenticationManagerBuilder} supplied by Spring Security
   * @throws Exception propagated from the builder call
   */
  @Override
  public void configure(AuthenticationManagerBuilder auth) throws Exception
  {
    auth.inMemoryAuthentication();
  }
}