
Security config

a guest
Aug 23rd, 2019
  1. package com.fuck.off.test;
  2.  
  3.  
  4. import com.sbgpoc.van_der_sar.CustomUserDetailsService;
  5. import com.sbgpoc.van_der_sar.JwtAuthenticationEntryPoint;
  6. import com.sbgpoc.van_der_sar.JwtAuthenticationFilter;
  7. import org.springframework.beans.factory.annotation.Autowired;
  8. import org.springframework.context.annotation.Bean;
  9. import org.springframework.context.annotation.Configuration;
  10. import org.springframework.security.authentication.AuthenticationManager;
  11. import org.springframework.security.config.BeanIds;
  12. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  13. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
  14. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  15. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  16. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  17. import org.springframework.security.config.http.SessionCreationPolicy;
  18. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  19. import org.springframework.security.crypto.password.PasswordEncoder;
  20. import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
  21. /*
  22. * Explanations:
  23. *
  24. * @Configuration - Indicates that a class declares one or more @Bean methods
  25. * @EnableWebSecurity - self explanatory
  26. * @EnableGlobalMethodSecurity(
  27.         securedEnabled = true, - allows you to use @Secured
  28.         jsr250Enabled  = true, - allows you to use @RolesAllowed
  29.         prePostEnabled = true  - allows you to use @PreAuthorize / @PostAuthorize
  30.   )
  31. *
  32. * CustomUserDetailService - Spring security needs to load user to perform various role-based checks
  33. *                         - Because of that it has an interface called UserDetailsService which has a single method that loads a user based on the username
  34. *                         - loadUserByUsername(String username) - returns an instance of a class that implements the UserDetails interface
  35. *
  36. * JwtAuthenticationEntryPoint - This class is used to return a 401 unauthorized error to clients that try to access a protected resource without proper authentication
  37. *                             - It implements Spring Security’s AuthenticationEntryPoint interface.
  38. *
  39. * JwtAuthenticationFilter - implements a filter that:
  40. *                               1. reads JWT token from the Authorization header of all the requests
  41. *                               2. validates the token
  42. *                               3. loads the user details associated with that token
  43. *                               4. Sets the user details in Spring Security's SecurityContext -> Spring Security uses the user details to perform authorization checks
  44. *
  45. * AuthenticationManagerBuilder is used to create an AuthenticationManager instance which is the main Spring Security interface for authenticating a user.
  46. * You can use AuthenticationManagerBuilder to build in-memory authentication, LDAP authentication, JDBC authentication, or add your custom authentication provider.
  47. *
  48. *
  49. * HttpSecurity configurations - used to configure security functionalities like csrf, sessionManagement, and add rules to protect resources based on various conditions
  50. * */
  51.  
  52.  
  /**
   * Web security configuration for this application.
   *
   * <p>Sets up stateless session handling, a custom authentication entry point, a
   * {@link JwtAuthenticationFilter} in the security filter chain, and method-level security
   * ({@code @Secured}, JSR-250 annotations and pre/post annotations).
   */
  @Configuration
  @EnableWebSecurity
  @EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
  public class SecurityConfig extends WebSecurityConfigurerAdapter {

      /**
       * Request patterns served without authentication.
       *
       * <p>NOTE(review): apart from "/", these match on the extension at the end of the request
       * path, not on what is actually served. Any handler reachable under a path ending in one of
       * these extensions is let through by the URL rules below. If the MVC layer maps extension
       * suffixes onto controller paths (suffix-pattern matching, on by default in older Spring MVC
       * versions), this can expose endpoints that were meant to be protected. Confirm the MVC
       * setting, or serve static assets from a dedicated prefix and permit only that prefix.
       */
      private static final String[] PUBLIC_PATTERNS = {
          "/",
          "/**/*.png",
          "/**/*.gif",
          "/**/*.svg",
          "/**/*.jpg",
          "/**/*.html",
          "/**/*.css",
          "/**/*.js"
      };

      /** Handler invoked when an unauthenticated request reaches a protected resource. */
      @Autowired
      private JwtAuthenticationEntryPoint unauthorizedHandler;

      /** Service the authentication manager uses to look users up. */
      @Autowired
      CustomUserDetailsService customUserDetailsService;

      /**
       * Exposes the JWT filter as a bean so it can be added to the security filter chain.
       *
       * <p>NOTE(review): if this runs under Spring Boot, a {@code Filter} bean is normally also
       * registered with the servlet container, so the filter may run outside the security chain
       * as well. Confirm it is safe to run twice or that the extra registration is disabled.
       *
       * @return a new filter instance
       */
      @Bean
      public JwtAuthenticationFilter jwtAuthenticationFilter() {
          return new JwtAuthenticationFilter();
      }

      /**
       * Wires the user lookup service and the password encoder into the authentication manager.
       *
       * @param authenticationManagerBuilder builder supplied by Spring Security
       * @throws Exception if the builder rejects the configuration
       */
      @Override
      public void configure(AuthenticationManagerBuilder authenticationManagerBuilder)
              throws Exception {
          authenticationManagerBuilder
                  .userDetailsService(customUserDetailsService)
                  .passwordEncoder(passwordEncoder());
      }

      /**
       * Publishes the adapter's {@link AuthenticationManager} as a bean under
       * {@link BeanIds#AUTHENTICATION_MANAGER} so other components can inject it.
       *
       * @return the authentication manager built by the parent class
       * @throws Exception if the parent class cannot build it
       */
      @Bean(BeanIds.AUTHENTICATION_MANAGER)
      @Override
      public AuthenticationManager authenticationManagerBean() throws Exception {
          return super.authenticationManagerBean();
      }

      /**
       * Password hashing used for credential checks: bcrypt with the encoder's default strength.
       *
       * @return a new {@link BCryptPasswordEncoder}
       */
      @Bean
      public PasswordEncoder passwordEncoder() {
          return new BCryptPasswordEncoder();
      }

      /**
       * Configures the HTTP security chain: CORS, CSRF, the 401 entry point, stateless sessions,
       * the URL authorization rules and the position of the JWT filter.
       *
       * @param http the security builder supplied by Spring Security
       * @throws Exception if any configurer rejects the configuration
       */
      @Override
      protected void configure(HttpSecurity http) throws Exception {
          // CORS is enabled here but its policy is defined elsewhere.
          // NOTE(review): confirm the allowed origins are restricted where it is defined.
          http.cors();

          // CSRF protection is switched off. That is only sound while the credential is sent in a
          // request header the browser does not attach on its own.
          // NOTE(review): confirm the token is never accepted from a cookie.
          http.csrf().disable();

          http.exceptionHandling().authenticationEntryPoint(unauthorizedHandler);

          // No HTTP session is created or used to hold the security context.
          http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

          // Public patterns first; every other request requires an authenticated caller.
          http.authorizeRequests()
                  .antMatchers(PUBLIC_PATTERNS).permitAll()
                  .anyRequest().authenticated();

          http.addFilterAfter(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
      }
  }