seb-server/src/main/java/ch/ethz/seb/sebserver/gui/GuiWebsecurityConfig.java


/*
* Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
package ch.ethz.seb.sebserver.gui;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import ch.ethz.seb.sebserver.gbl.api.API;
import ch.ethz.seb.sebserver.gbl.profile.GuiProfile;
/**
 * Spring web-security configuration for the GUI service (active under {@link GuiProfile}).
 *
 * <p>Two layers are configured here:
 * <ul>
 * <li>{@link #configure(WebSecurity)} exempts {@link #PUBLIC_URLS} and the GUI entry point from
 * Spring Security altogether.</li>
 * <li>{@link #configure(HttpSecurity)} requires authentication for every other request and
 * switches off the built-in login, logout, frame-options and CSRF handling.</li>
 * </ul>
 *
 * <p>NOTE(review): requests exempted through {@code web.ignoring()} do not pass through the
 * Spring Security filter chain, so none of its protections (authentication, security response
 * headers) apply to them. Keep the exempted set as small as possible.
 */
@Configuration
@GuiProfile
@Order(5)
public class GuiWebsecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Gui-service related public URLS from spring web security perspective.
     *
     * <p>The GUI entry point is not part of this matcher: it is an injected instance value and
     * is therefore added separately in {@link #configure(WebSecurity)}.
     *
     * <p>NOTE(review): the OAuth revoke-token endpoint is fully exempted here; presumably the
     * endpoint validates the token it receives on its own — confirm against its implementation.
     */
    public static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
            // OAuth entry-points
            new AntPathRequestMatcher(API.OAUTH_REVOKE_TOKEN_ENDPOINT),
            // RAP/RWT resources has to be accessible
            new AntPathRequestMatcher("/rwt-resources/**"),
            // project specific static resources
            new AntPathRequestMatcher("/images/**"),
            new AntPathRequestMatcher("/favicon.ico"));

    /** Entry point used when an unauthenticated request hits a protected URL. */
    @Autowired
    private InstitutionalAuthenticationEntryPoint institutionalAuthenticationEntryPoint;

    /** Path of the GUI entry point; defaults to {@code /gui} when the property is not set. */
    @Value("${sebserver.gui.entrypoint:/gui}")
    private String guiEntryPoint;

    /**
     * Exempts the public URLs and the configured GUI entry point from Spring Security.
     *
     * <p>The entry-point value is used as an Ant pattern exactly as configured, so only the
     * paths that pattern matches are exempted.
     *
     * @param web the web-security builder to register the ignored request matchers on
     */
    @Override
    public void configure(final WebSecurity web) {
        final WebSecurity.IgnoredRequestConfigurer ignored = web.ignoring();
        ignored.requestMatchers(PUBLIC_URLS);
        ignored.antMatchers(this.guiEntryPoint);
    }

    /**
     * Requires authentication for all requests that are not exempted in
     * {@link #configure(WebSecurity)} and disables the default Spring Security mechanisms that
     * the GUI service does not use.
     *
     * @param http the HTTP security builder to configure
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // Spring Security itself never creates or uses an HTTP session.
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Everything reaching this filter chain must be authenticated.
        http.antMatcher("/**")
                .authorizeRequests()
                .anyRequest()
                .authenticated();

        // Unauthenticated requests are handed to the institutional entry point.
        http.exceptionHandling()
                .authenticationEntryPoint(this.institutionalAuthenticationEntryPoint);

        http.formLogin().disable();
        http.httpBasic().disable();
        http.logout().disable();

        // NOTE(review): with frame options disabled no X-Frame-Options header is written, so
        // framing protection (clickjacking) must come from elsewhere, e.g. a CSP
        // frame-ancestors directive on the fronting proxy — confirm one is in place.
        http.headers().frameOptions().disable();

        // NOTE(review): CSRF protection is off; presumably acceptable because this chain is
        // stateless and does not rely on cookie-based authentication — confirm.
        http.csrf().disable();
    }
}