NapoleonDynamite/munera-vaadin
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: improved SecurityConfiguration

Browse source
This commit is contained in:
filippo-ferrari 2024-09-06 19:15:16 +02:00
parent bdcff2461c
commit a957bc6266
1 changed files with 26 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
src/main/java/com/application/munera/SecurityConfiguration.java
View file

@ -1,7 +1,9 @@
package com.application.munera;
import com.application.munera.repositories.UserRepository;
import com.application.munera.views.login.LoginView;
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@ -9,64 +11,51 @@ import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@EnableWebSecurity
@Configuration
public class SecurityConfiguration
extends VaadinWebSecurity {
public class SecurityConfiguration extends VaadinWebSecurity {
@Autowired
private UserRepository userRepository;
@Override
protected void configure(HttpSecurity http) throws Exception {
// Delegating the responsibility of general configurations
// of http security to the super class. It's configuring
// the followings: Vaadin's CSRF protection by ignoring
// framework's internal requests, default request cache,
// ignoring public views annotated with @AnonymousAllowed,
// restricting access to other views/endpoints, and enabling
// NavigationAccessControl authorization.
// You can add any possible extra configurations of your own
// here (the following is just an example):
// http.rememberMe().alwaysRemember(false);
// Configure your static resources with public access before calling
// super.configure(HttpSecurity) as it adds final anyRequest matcher
http.authorizeHttpRequests(auth -> auth.requestMatchers(new AntPathRequestMatcher("/public/**"))
.permitAll());
super.configure(http);
// This is important to register your login view to the
// navigation access control mechanism:
setLoginView(http, LoginView.class);
}
@Override
public void configure(WebSecurity web) throws Exception {
// Customize your WebSecurity configuration.
super.configure(web);
}
/**
* Demo UserDetailsManager which only provides two hardcoded
* in memory users and their roles.
* NOTE: This shouldn't be used in real world applications.
*/
@Bean
public UserDetailsManager userDetailsService() {
UserDetails user =
User.withUsername("user")
.password("{noop}user")
.roles("USER")
public UserDetailsManager userDetailsManager() {
return new InMemoryUserDetailsManager() {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
com.application.munera.data.User user = userRepository.findByUsername(username);
if (user == null) {
throw new UsernameNotFoundException("User not found");
}
return User.withUsername(user.getUsername())
.password(user.getPassword())
.roles(user.getRoles().split(","))
.build();
UserDetails admin =
User.withUsername("admin")
.password("{noop}admin")
.roles("ADMIN")
.build();
return new InMemoryUserDetailsManager(user, admin);
}
};
}
@Bean
public static NoOpPasswordEncoder passwordEncoder() {
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
}
}