From fad2b31abc3dca5b748565aeee192ac6694bfecb Mon Sep 17 00:00:00 2001
From: Kai Moritz <kai@juplo.de>
Date: Mon, 1 Feb 2016 09:28:09 +0100
Subject: [PATCH] Simplified the configuration of Spring-Security: defaults are
 not disabled

---
 .../juplo/yourshouter/WebSecurityConfig.java  | 65 ++++++++++---------
 1 file changed, 33 insertions(+), 32 deletions(-)

diff --git a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
index 738485e..2452adc 100644
--- a/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
+++ b/src/main/java/de/juplo/yourshouter/WebSecurityConfig.java
@@ -7,7 +7,6 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 
 
 @Configuration
@@ -17,57 +16,59 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter
   @Inject
   AuthenticationEntryPoint authenticationEntryPoint;
 
+
   /**
-   * We have to disable the default-configuration, because some of it does
-   * not work along with the canvas-page:
+   * @{@inheritDoc}
+   *
+   * Override the default-implementation to configure the authentication
+   * mechanism of Spring Security.
    * <ul>
    * <li>
-   * The support for CSRF-tokens consideres the initial call of Facebook to
+   * We suppress the support of CSRF-tokens for our canvas-page, because
+   * the implementation consideres the initial call of Facebook to
    * the canvas-page of our app as invalid, because it is issued as a post
    * and the CSRF-token is missing.
    * </li>
    * <li>
-   * In the default-configuration, the <code>X-Frame-Options: DENY</code> is
-   * set for every response. This prevents the browser from showing our
-   * response inside Facebook, becaus that is an iFrame and the header
-   * forbidds to display our content in a frame.
+   * We inject our specialized implementation of the
+   * {@link AuthenticationEntryPoint}-interface.
+   * </li>
+   * <li>
+   * We configure the mechanism, that adds securtiy headers to the response,
+   * to disable the headers, that deny, to display our content insiede a frame,
+   * because otherwise, the browser would not render our content, when the
+   * app is displayed inside of Facebook through our canvas-page.
+   * </li>
+   * <li>
+   * Last but not least, we configure the pages, that should be accessible
+   * without authentication.
    * </li>
    * </ul>
    */
-  public WebSecurityConfig()
-  {
-    super(true);
-  }
-
-
-  /**
-   * @{@inheritDoc}
-   *
-   * Override the default-implementation to configure the authentication
-   * mechanism of Spring Security.
-   *
-   * We drop the support of CSRF-tokens, inject our specialized implementation
-   * of the {@link AuthenticationEntryPoint}-interface , disable the headers,
-   * that deny, to display our content insiede a frame and configure the
-   * pages, that should be accessible without authentication.
-   * We also drop support for a logout-page and the default-login-in-page.
-   */
   @Override
   protected void configure(HttpSecurity http) throws Exception
   {
     http
-				.addFilter(new WebAsyncManagerIntegrationFilter())
+        .csrf()
+            /**
+             * The Facebook-Canvas does not send a proper CSRF-token in its
+             * POST-requests. Hence, this feature has to be disabled for all
+             * pages, that receive an initial call from the Facebook-Canvas.
+             */
+            .ignoringAntMatchers("/canvas/*")
+            .and()
         .exceptionHandling()
             .authenticationEntryPoint(authenticationEntryPoint)
             .and()
         .headers()
+            /**
+             * All pages must be allowed, to be displayed inside a frame.
+             * Otherwise, the content will not show up after a successfull
+             * login through the Facebook-Canvas, because it is shown inside
+             * a frame!
+             */
             .frameOptions().disable()
             .and()
-				.sessionManagement().and()
-				.securityContext().and()
-				.requestCache().and()
-				.anonymous().and()
-				.servletApi().and()
         .authorizeRequests()
             .antMatchers("/signin.html", "/signin/*", "/canvas/*").permitAll()
             .anyRequest().authenticated();
-- 
2.20.1