You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.

  • Created by Unknown User (m.woudstra), last modified on May 11, 2018

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next » 

package com.aquima.web.boot;

import com.aquima.interactions.project.impl.XssSafeValueFormatter;
import com.aquima.interactions.project.impl.xss.IXssBlacklist;
import com.aquima.interactions.project.impl.xss.IXssWhitelist;
import com.aquima.web.config.properties.SecurityConfigProperties;
import com.aquima.web.security.headers.ClickJackingProtectionHeaderWriter;
import com.aquima.web.security.headers.ContentTypeOptionsHeaderWriter;
import com.aquima.web.security.headers.StrictTransportProtectionHeaderWriter;
import com.aquima.web.security.headers.XssProtectionHeaderWriter;
import com.aquima.web.util.MvcRedirectHelper;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

@Configuration
@Order(50)
@ConditionalOnProperty(name = "blueriq.security.http.interactions.enabled", havingValue = "true", matchIfMissing = true)
public class RuntimeWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

  private static final Logger LOG = LoggerFactory.getLogger(RuntimeWebSecurityConfigurer.class);

  @Autowired
 @Qualifier("blueriqAuthenticationManager")
  private AuthenticationManager authManager;

  @Autowired
 private SecurityConfigProperties securityProperties;

  @Autowired
 private MvcRedirectHelper redirectHelper;

  @Autowired
 private SecurityContextRepository securityContextRepository;

  public static class Mappings {
    public static final String TRIGGER_SECURITY_CHECK = "/server/noaccess.html";
    public static final String PERFORM_SECURITY_CHECK = "/server/securityCheck";
    public static final String LOGIN_PAGE = "/server/session/login.html";
    public static final String LOGOUT_PAGE = "/server/session/logout.html";
    public static final String LOGIN_SUCCESS_URL = "/server/start?loginSuccess=true";
    public static final String LOGIN_PAGE_ERROR = "/server/session/login.html?loginError=true";
  }

  @Override
 protected AuthenticationManager authenticationManager() throws Exception {
    return this.authManager;
  }

  @Override
 protected void configure(HttpSecurity http) throws Exception {
    http //
 .csrf().disable() //
 .headers() //
 .defaultsDisabled() //
 .addHeaderWriter(new ClickJackingProtectionHeaderWriter(this.securityProperties)) //
 .addHeaderWriter(new StrictTransportProtectionHeaderWriter(this.securityProperties)) //
 .addHeaderWriter(new ContentTypeOptionsHeaderWriter(this.securityProperties)) //
 .addHeaderWriter(new XssProtectionHeaderWriter(this.securityProperties)) //
 .and() //
 .sessionManagement() //
 .sessionFixation() //
 .none() //
 .and() //
 .authorizeRequests() //
 .antMatchers(this.redirectHelper.getNoAccessPath()) //
 .authenticated() //
 .and() //
 .formLogin() //
 .defaultSuccessUrl(Mappings.LOGIN_SUCCESS_URL, true) //
 .loginPage(Mappings.LOGIN_PAGE) //
 .loginProcessingUrl(Mappings.PERFORM_SECURITY_CHECK) //
 .permitAll() //
 .failureUrl(Mappings.LOGIN_PAGE_ERROR) //
 .and() //
 .anonymous() //
 .key("doesNotMatter").and() //
 .securityContext() //
 .securityContextRepository(securityContextRepository);
  }

  @Bean
 @ConditionalOnMissingBean(SecurityContextRepository.class)
  public SecurityContextRepository defaultSecurityContextRepository() {
    if (LOG.isInfoEnabled()) {
      LOG.info("Using default security context repository");
    }

    HttpSessionSecurityContextRepository repository = new HttpSessionSecurityContextRepository();
    repository.setDisableUrlRewriting(true);

    return repository;
  }

  @Autowired(required = false)
  public void registerXssWhitelist(IXssWhitelist whitelist) {
    XssSafeValueFormatter.register(whitelist);
  }

  @Autowired(required = false)
  public void registerXssBlacklist(IXssBlacklist blacklist) {
    XssSafeValueFormatter.register(blacklist);
  }

}
  • No labels

Didn't find the answer you were looking for? Try the advanced search