--- /dev/null
+package de.juplo.yourshouter;
+
+import javax.inject.Inject;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
+
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter
+{
+ @Inject
+ AuthenticationEntryPoint authenticationEntryPoint;
+
+ /**
+ * We have to disable the default-configuration, because some of it does
+ * not work along with the canvas-page:
+ * <ul>
+ * <li>
+ * The support for CSRF-tokens consideres the initial call of Facebook to
+ * the canvas-page of our app as invalid, because it is issued as a post
+ * and the CSRF-token is missing.
+ * </li>
+ * <li>
+ * In the default-configuration, the <code>X-Frame-Options: DENY</code> is
+ * set for every response. This prevents the browser from showing our
+ * response inside Facebook, becaus that is an iFrame and the header
+ * forbidds to display our content in a frame.
+ * </li>
+ * </ul>
+ */
+ public WebSecurityConfig()
+ {
+ super(true);
+ }
+
+
+ /**
+ * @{@inheritDoc}
+ *
+ * Override the default-implementation to configure the authentication
+ * mechanism of Spring Security.
+ *
+ * We drop the support of CSRF-tokens, inject our specialized implementation
+ * of the {@link AuthenticationEntryPoint}-interface , disable the headers,
+ * that deny, to display our content insiede a frame and configure the
+ * pages, that should be accessible without authentication.
+ * We also drop support for a logout-page and the default-login-in-page.
+ */
+ @Override
+ protected void configure(HttpSecurity http) throws Exception
+ {
+ http
+ .addFilter(new WebAsyncManagerIntegrationFilter())
+ .exceptionHandling()
+ .authenticationEntryPoint(authenticationEntryPoint)
+ .and()
+ .headers()
+ .frameOptions().disable()
+ .and()
+ .sessionManagement().and()
+ .securityContext().and()
+ .requestCache().and()
+ .anonymous().and()
+ .servletApi().and()
+ .authorizeRequests()
+ .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
+ .anyRequest().authenticated();
+ }
+
+ /**
+ * {@inheritDoc}
+ *
+ * Override the default-implementation, to configure Spring Security to use
+ * in-memory authentication.
+ */
+ @Override
+ public void configure(AuthenticationManagerBuilder auth)
+ throws
+ Exception
+ {
+ auth.inMemoryAuthentication();
+ }
+}
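Review bot: `.frameOptions().disable()` in `configure(HttpSecurity)` removes frame protection for every response and every embedding origin, while the class Javadoc only needs the canvas page to be displayable inside Facebook, so every other page of the app becomes framable by arbitrary sites (clickjacking). If the Spring Security version in use provides it, a narrower setting keeps the protection elsewhere: `.headers().contentSecurityPolicy("frame-ancestors 'self' <FACEBOOK-CANVAS-ORIGINS>")` (placeholder for the origins that must be allowed) instead of dropping `X-Frame-Options` outright. The same applies to CSRF, which `super(true)` leaves off for the whole app because the initial Facebook POST carries no token; `.csrf().ignoringAntMatchers("/canvas/*")` would exempt only that entry point and keep the check on the signin pages and everything behind `anyRequest().authenticated()`. Separately, the `@{@inheritDoc}` tag on that method's Javadoc has a stray leading `@` and should read `{@inheritDoc}`, and the injected `authenticationEntryPoint` field is package-private and non-final, where constructor injection (or at least `private final`) is the usual style.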