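@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // Enables @PreAuthorize on methods
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** LDAP connection settings; not consumed by any visible code yet (see the placeholder in configureGlobal). */
    @Autowired
    private LDAPConfigurationBean ldapBean;

    /**
     * Registers the authentication providers on the global AuthenticationManagerBuilder.
     * The ticket-aware LDAP provider is added before the plain LDAP provider, so it is
     * presumably meant to be consulted first. {@code authenticator} and
     * {@code authoritiesPopulator} are not declared anywhere in the visible code; they are
     * presumably built from {@link #ldapBean} where the placeholder comment sits - confirm.
     *
     * NOTE(review): both providers are created with {@code new}, so they are not Spring
     * beans and their {@code @Autowired} fields (e.g. TokenUtils on
     * TicketAndLDAPAuthenticationProvider) are never injected - confirm how TokenUtils
     * reaches the provider.
     *
     * @param auth the global authentication builder injected by Spring
     * @throws Exception propagated from the builder
     */
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        //HERE GOES LDAP CONNECTION STUFF

        // Custom LDAP + ticket provider, registered ahead of the plain LDAP provider.
        auth.authenticationProvider(new TicketAndLDAPAuthenticationProvider(authenticator, authoritiesPopulator));

        // Plain LDAP provider built from the same authenticator and populator.
        auth.authenticationProvider(new LdapAuthenticationProvider(authenticator, authoritiesPopulator));
    }

    /**
     * Lowest-order chain: disables CSRF and installs the ticket/LDAP login filter.
     *
     * NOTE(review): this adapter declares no antMatcher()/requestMatcher(), so this chain
     * presumably matches every request and the @Order(2..4) chains below are never
     * selected; it also declares no authorizeRequests() rules, so nothing in it is
     * access-controlled. Scope it to the ticket-login URL (or fold the filter into the
     * API chain) before relying on the other adapters.
     */
    @Configuration
    @Order(1)
    public static class ConfigureFilters extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable();

            // The filter is instantiated with `new`, so nothing injects an AuthenticationManager
            // into it; wire the adapter's manager explicitly so the filter can delegate to the
            // providers registered in configureGlobal.
            TicketAndLDAPAuthenticationFilter ticketFilter = new TicketAndLDAPAuthenticationFilter();
            ticketFilter.setAuthenticationManager(authenticationManager());
            http.addFilterBefore(ticketFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }

    /** Management endpoint: the health check at /manage/health is open to everyone. */
    @Configuration
    @Order(2)
    public static class EndpointsWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/manage/health")
                .authorizeRequests()
                .anyRequest().permitAll();
        }
    }

    /**
     * REST API chain (/api/**): stateless, form-parameter login at {@link #LOGIN_PATH},
     * JSON-style success/failure/logout handlers, everything else requires authentication.
     */
    @Configuration
    @Order(3)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        private RestAuthenticationEntryPoint authenticationEntryPoint;
        @Autowired
        private RestAuthSuccessHandler authSuccessHandler;
        @Autowired
        private RestAuthFailureHandler authFailureHandler;
        @Autowired
        private RestLogoutSuccessHandler logoutSuccessHandler;

        /** Login processing URL; also the request-parameter names it reads. */
        private static final String LOGIN_PATH = "/api/authenticate";
        private static final String USERNAME = "username";
        private static final String PASSWORD = "password";

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            /*CSRF configuration*/
            // CSRF is off for this chain. That is tolerable only while the API is genuinely
            // stateless (no cookie-based credential); note that the login endpoint itself is
            // a form-parameter POST and is also uncovered.
            http.csrf().disable();

            // NOTE(review): HttpSecurity keeps a single request matcher, so the antMatcher("/api/**")
            // call below presumably supersedes this one - confirm; LOGIN_PATH lies under /api/ and is
            // opened by formLogin().permitAll() either way.
            http
                .antMatcher(LOGIN_PATH)
                .authorizeRequests()
                .anyRequest().permitAll();

            http
                .antMatcher("/api/**")
                //Stateless session creation - no session will be created or used by Spring Security
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
                .formLogin().permitAll()
                .loginProcessingUrl(LOGIN_PATH)
                .usernameParameter(USERNAME)
                .passwordParameter(PASSWORD)
                .successHandler(authSuccessHandler)
                .failureHandler(authFailureHandler)
                .and()
                .logout().permitAll()
                .logoutSuccessHandler(logoutSuccessHandler);

            // NOTE(review): anyRequest() is registered twice on this chain (permitAll above,
            // authenticated here); confirm which mapping the Spring Security version in use honours.
            http
                .authorizeRequests().anyRequest().authenticated();
        }
    }

    /**
     * JSP / browser chain: session-based form login with static resources open,
     * login pages restricted to anonymous users, everything else authenticated.
     */
    @Configuration
    @Order(4)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            /*CSRF configuration*/
            // NOTE(review): this chain authenticates via a server-side session (JSESSIONID is
            // deleted on logout below), so disabling CSRF leaves every state-changing form POST
            // open to cross-site request forgery. Re-enable csrf() and emit the _csrf token in
            // the JSP forms.
            http.csrf().disable();

            /*Static content*/
            // NOTE(review): the "*//**" spelling looks like a mangled "/css/**"; confirm the
            // patterns match only the intended static directories.
            http
                .authorizeRequests()
                .antMatchers("/css*//**").permitAll()
                .antMatchers("/images*//**").permitAll()
                .antMatchers("/scripts*//**").permitAll()
                .antMatchers("/fonts*//**").permitAll()
                .antMatchers("/login*").anonymous();

            /*Login / Logout configuration*/
            http
                .formLogin()
                .loginPage("/login.htm").permitAll()
                .defaultSuccessUrl("/index.htm?name=******")
                .failureUrl("/login.htm?error=true")
                .and()
                .logout().permitAll()
                .logoutSuccessUrl("/login.htm")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");

            /*URL roles authorizations*/
            http
                .authorizeRequests().anyRequest().authenticated();
        }
    }
}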
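public class TicketAndLDAPAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    /**
     * Creates the filter on the Ant pattern {@code /*}.
     *
     * NOTE(review): {@code /*} is a single-segment pattern, so the filter fires for every
     * one-segment request (e.g. {@code /login.htm}) and not for {@code /api/authenticate};
     * a dedicated login URL was presumably intended - confirm.
     */
    public TicketAndLDAPAuthenticationFilter() {
        super("/*");
    }

    /**
     * Builds a {@link TicketAndLDAPAuthenticationToken} from the {@code username} and
     * {@code password} request parameters and hands it to the configured
     * AuthenticationManager for verification.
     *
     * <p>The previous implementation returned the unverified token straight back; the base
     * class treats any non-null result as a completed login, so the credentials were never
     * checked by this filter. Because the filter is instantiated with {@code new} rather than
     * as a bean, the manager has to be supplied via {@code setAuthenticationManager(...)}.
     *
     * @param request  the current request, read for the two credential parameters
     * @param response unused
     * @return the authenticated token produced by the AuthenticationManager
     * @throws AuthenticationException  when the manager rejects the credentials
     * @throws IllegalStateException    when no AuthenticationManager has been set
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Absent parameters become empty strings so the token never carries a null principal.
        TicketAndLDAPAuthenticationToken token = new TicketAndLDAPAuthenticationToken(
                username == null ? "" : username,
                password == null ? "" : password,
                null);

        if (getAuthenticationManager() == null) {
            throw new IllegalStateException(
                    "TicketAndLDAPAuthenticationFilter has no AuthenticationManager; call setAuthenticationManager()");
        }
        return getAuthenticationManager().authenticate(token);
    }
}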
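public class TicketAndLDAPAuthenticationToken extends UsernamePasswordAuthenticationToken {

    /** Ticket attached by the provider after a successful LDAP bind; null until then. */
    private AuthTicket otp;

    /**
     * Creates an unauthenticated username/password token carrying an optional ticket.
     * The two-argument superclass constructor is used, so the token has no authorities
     * and is not marked authenticated.
     *
     * NOTE(review): there is no constructor taking granted authorities, so a provider
     * cannot hand back an authenticated instance of this class - see
     * TicketAndLDAPAuthenticationProvider.
     *
     * @param username the principal
     * @param password the credential
     * @param otp      ticket to attach; the filter passes null at request time
     */
    public TicketAndLDAPAuthenticationToken(String username, String password, RestAuthLoginTicket otp) {
        super(username, password);
        this.otp = otp;
    }

    /** Legacy alias for {@link #getOtp()}, kept for existing callers. */
    public AuthTicket getOTP() {
        return getOtp();
    }

    /** @return the attached ticket, or null if none has been set */
    public AuthTicket getOtp() {
        return otp;
    }

    /** @param otp the ticket to attach (set by the provider after authentication) */
    public void setOtp(AuthTicket otp) {
        this.otp = otp;
    }
}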
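public class TicketAndLDAPAuthenticationProvider extends LdapAuthenticationProvider {

    /**
     * Issues the post-login ticket. Field injection only happens when this provider is a
     * Spring bean; the configuration creates it with {@code new}, in which case the
     * three-argument constructor or {@link #setTokenUtils} must be used instead.
     */
    @Autowired
    TokenUtils tokenUtils;

    public TicketAndLDAPAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator) {
        super(authenticator, authoritiesPopulator);
    }

    /**
     * Constructor for callers that build the provider themselves (no field injection).
     *
     * @param tokenUtils the ticket issuer; must not be null
     */
    public TicketAndLDAPAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator,
            TokenUtils tokenUtils) {
        super(authenticator, authoritiesPopulator);
        this.tokenUtils = tokenUtils;
    }

    /** @param tokenUtils the ticket issuer to use when the provider was not injected */
    public void setTokenUtils(TokenUtils tokenUtils) {
        this.tokenUtils = tokenUtils;
    }

    /**
     * Performs the LDAP authentication and attaches a ticket to the resulting token.
     *
     * NOTE(review): LdapAuthenticationProvider presumably returns a fresh
     * UsernamePasswordAuthenticationToken on success rather than the request token, so the
     * type check below is expected to fail until createSuccessfulAuthentication(...) is
     * overridden to return a TicketAndLDAPAuthenticationToken (which in turn needs an
     * authorities-taking constructor on that class). The previous code cast blindly here
     * and would have surfaced the mismatch as a bare ClassCastException.
     *
     * @param authentication the request token (guaranteed by {@link #supports} to be a
     *                       TicketAndLDAPAuthenticationToken)
     * @return the authenticated token with its ticket set
     * @throws AuthenticationException when the LDAP bind fails
     * @throws IllegalStateException   when the result is not a TicketAndLDAPAuthenticationToken
     *                                 or no TokenUtils is available
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Authentication result = super.authenticate(authentication);
        if (!(result instanceof TicketAndLDAPAuthenticationToken)) {
            throw new IllegalStateException("Expected TicketAndLDAPAuthenticationToken from LDAP authentication but got "
                    + (result == null ? "null" : result.getClass().getName()));
        }
        if (tokenUtils == null) {
            throw new IllegalStateException("TokenUtils not set on TicketAndLDAPAuthenticationProvider");
        }
        TicketAndLDAPAuthenticationToken token = (TicketAndLDAPAuthenticationToken) result;
        token.setOtp(tokenUtils.getTicket(token));
        return token;
    }

    /** Only handles the ticket-aware token; plain UsernamePasswordAuthenticationTokens fall through to the other providers. */
    @Override
    public boolean supports(Class<?> authentication) {
        return TicketAndLDAPAuthenticationToken.class.isAssignableFrom(authentication);
    }
}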