X-Git-Url: https://juplo.de/gitweb/?p=examples%2Ffacebook-app;a=blobdiff_plain;f=src%2Fmain%2Fjava%2Fde%2Fjuplo%2Fyourshouter%2FWebSecurityConfig.java;fp=src%2Fmain%2Fjava%2Fde%2Fjuplo%2Fyourshouter%2FWebSecurityConfig.java;h=738485e94fafc0631219a12b4d520862dbb47a51;hp=0000000000000000000000000000000000000000;hb=8f6d3c83aa9651e593b57b3d47cfd50a4ae73661;hpb=ca351a3eb7442fbb183aa62e1a58cd85bc1f2ef7
diff --git a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
new file mode 100644
index 0000000..738485e
--- /dev/null
+++ b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
@@ -0,0 +1,89 @@
+package de.juplo.yourshouter;
+
+import javax.inject.Inject;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
+
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter
+{
+ @Inject
+ AuthenticationEntryPoint authenticationEntryPoint;
+
+ /**
+ * We have to disable the default-configuration, because some of it does
+ * not work along with the canvas-page:
+ *
+ */
+ public WebSecurityConfig()
+ {
+ super(true);
+ }
+
+
+ /**
+ * @{@inheritDoc}
+ *
+ * Override the default-implementation to configure the authentication
+ * mechanism of Spring Security.
+ *
+ * We drop the support of CSRF-tokens, inject our specialized implementation
+ * of the {@link AuthenticationEntryPoint}-interface , disable the headers,
+ * that deny, to display our content insiede a frame and configure the
+ * pages, that should be accessible without authentication.
+ * We also drop support for a logout-page and the default-login-in-page.
+ */
+ @Override
+ protected void configure(HttpSecurity http) throws Exception
+ {
+ http
+ .addFilter(new WebAsyncManagerIntegrationFilter())
+ .exceptionHandling()
+ .authenticationEntryPoint(authenticationEntryPoint)
+ .and()
+ .headers()
+ .frameOptions().disable()
+ .and()
+ .sessionManagement().and()
+ .securityContext().and()
+ .requestCache().and()
+ .anonymous().and()
+ .servletApi().and()
+ .authorizeRequests()
+ .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
+ .anyRequest().authenticated();
+ }
+
+ /**
+ * {@inheritDoc}
+ *
+ * Override the default-implementation, to configure Spring Security to use
+ * in-memory authentication.
+ */
+ @Override
+ public void configure(AuthenticationManagerBuilder auth)
+ throws
+ Exception
+ {
+ auth.inMemoryAuthentication();
+ }
+}
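Review bot: Disabling `frameOptions()` and dropping CSRF (through `super(true)`, which never re-adds `csrf()`) in `configure(HttpSecurity)` applies to every URL, not only to the `/canvas/*` pages that are actually rendered inside Facebook's frame, so the whole application loses clickjacking and CSRF protection for the sake of one path prefix. Unless the entire site is only ever served inside the canvas, consider keeping `X-Frame-Options` for the other paths, e.g. `.addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(new NegatedRequestMatcher(new AntPathRequestMatcher("/canvas/**")), new XFrameOptionsHeaderWriter()))` right after `frameOptions().disable()`, and recording in the constructor Javadoc — which currently ends in a dangling colon — exactly which defaults conflict with the canvas page (the framed rendering and the POST of the signed request, as far as I can infer) so a later maintainer knows what could be narrowed. The second `configure` override installs `inMemoryAuthentication()` without registering any user, which I read as "no password login is possible; authentication happens only through the sign-in flow" — worth stating in its Javadoc so nobody later assumes users are configured elsewhere. Minor: the `@{@inheritDoc}` tag on the first `configure` has a stray leading `@`, and "insiede" is a typo.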