feat: improved SecurityConfiguration
parent
bdcff2461c
commit
a957bc6266
1 changed files with 26 additions and 37 deletions
|
@ -1,7 +1,9 @@
|
||||||
package com.application.munera;
|
package com.application.munera;
|
||||||
|
|
||||||
|
import com.application.munera.repositories.UserRepository;
|
||||||
import com.application.munera.views.login.LoginView;
|
import com.application.munera.views.login.LoginView;
|
||||||
import com.vaadin.flow.spring.security.VaadinWebSecurity;
|
import com.vaadin.flow.spring.security.VaadinWebSecurity;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
@ -9,64 +11,51 @@ import org.springframework.security.config.annotation.web.builders.WebSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
import org.springframework.security.core.userdetails.User;
|
import org.springframework.security.core.userdetails.User;
|
||||||
import org.springframework.security.core.userdetails.UserDetails;
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
|
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||||
|
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
|
||||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||||
import org.springframework.security.provisioning.UserDetailsManager;
|
import org.springframework.security.provisioning.UserDetailsManager;
|
||||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||||
|
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
@Configuration
|
@Configuration
|
||||||
public class SecurityConfiguration
|
public class SecurityConfiguration extends VaadinWebSecurity {
|
||||||
extends VaadinWebSecurity {
|
|
||||||
|
@Autowired
|
||||||
|
private UserRepository userRepository;
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
// Delegating the responsibility of general configurations
|
|
||||||
// of http security to the super class. It's configuring
|
|
||||||
// the followings: Vaadin's CSRF protection by ignoring
|
|
||||||
// framework's internal requests, default request cache,
|
|
||||||
// ignoring public views annotated with @AnonymousAllowed,
|
|
||||||
// restricting access to other views/endpoints, and enabling
|
|
||||||
// NavigationAccessControl authorization.
|
|
||||||
// You can add any possible extra configurations of your own
|
|
||||||
// here (the following is just an example):
|
|
||||||
|
|
||||||
// http.rememberMe().alwaysRemember(false);
|
|
||||||
|
|
||||||
// Configure your static resources with public access before calling
|
|
||||||
// super.configure(HttpSecurity) as it adds final anyRequest matcher
|
|
||||||
http.authorizeHttpRequests(auth -> auth.requestMatchers(new AntPathRequestMatcher("/public/**"))
|
http.authorizeHttpRequests(auth -> auth.requestMatchers(new AntPathRequestMatcher("/public/**"))
|
||||||
.permitAll());
|
.permitAll());
|
||||||
|
|
||||||
super.configure(http);
|
super.configure(http);
|
||||||
|
|
||||||
// This is important to register your login view to the
|
|
||||||
// navigation access control mechanism:
|
|
||||||
setLoginView(http, LoginView.class);
|
setLoginView(http, LoginView.class);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void configure(WebSecurity web) throws Exception {
|
public void configure(WebSecurity web) throws Exception {
|
||||||
// Customize your WebSecurity configuration.
|
|
||||||
super.configure(web);
|
super.configure(web);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Demo UserDetailsManager which only provides two hardcoded
|
|
||||||
* in memory users and their roles.
|
|
||||||
* NOTE: This shouldn't be used in real world applications.
|
|
||||||
*/
|
|
||||||
@Bean
|
@Bean
|
||||||
public UserDetailsManager userDetailsService() {
|
public UserDetailsManager userDetailsManager() {
|
||||||
UserDetails user =
|
return new InMemoryUserDetailsManager() {
|
||||||
User.withUsername("user")
|
@Override
|
||||||
.password("{noop}user")
|
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
|
||||||
.roles("USER")
|
com.application.munera.data.User user = userRepository.findByUsername(username);
|
||||||
|
if (user == null) {
|
||||||
|
throw new UsernameNotFoundException("User not found");
|
||||||
|
}
|
||||||
|
return User.withUsername(user.getUsername())
|
||||||
|
.password(user.getPassword())
|
||||||
|
.roles(user.getRoles().split(","))
|
||||||
.build();
|
.build();
|
||||||
UserDetails admin =
|
}
|
||||||
User.withUsername("admin")
|
};
|
||||||
.password("{noop}admin")
|
}
|
||||||
.roles("ADMIN")
|
|
||||||
.build();
|
@Bean
|
||||||
return new InMemoryUserDetailsManager(user, admin);
|
public static NoOpPasswordEncoder passwordEncoder() {
|
||||||
|
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
|
||||||
}
|
}
|
||||||
}
|
}
|
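Review bot: The new `passwordEncoder()` bean returns `NoOpPasswordEncoder`, so the value that `loadUserByUsername` reads from `userRepository` through `user.getPassword()` is compared with the submitted password as plain text, which implies the accounts are stored unhashed and that any read of that table exposes every credential directly. Declare the bean as `public static PasswordEncoder passwordEncoder() { return PasswordEncoderFactories.createDelegatingPasswordEncoder(); }` (or return a `BCryptPasswordEncoder`) and encode passwords at the point where users are created, which is outside this diff; rows already stored would need re-encoding. Separately, the anonymous `InMemoryUserDetailsManager` subclass overrides only the lookup, so its inherited create/update/exists methods presumably still act on an empty in-memory store; exposing a plain `UserDetailsService` would avoid that mismatch. `user.getRoles().split(",")` also passes entries through untrimmed and fails on a null roles value, so a trim/null guard or a short comment stating the expected column format is worth adding.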