package com.aquima.web.boot;
import com.aquima.interactions.project.impl.XssSafeValueFormatter;
import com.aquima.interactions.project.impl.xss.IXssBlacklist;
import com.aquima.interactions.project.impl.xss.IXssWhitelist;
import com.aquima.web.config.properties.SecurityConfigProperties;
import com.aquima.web.security.headers.ClickJackingProtectionHeaderWriter;
import com.aquima.web.security.headers.ContentTypeOptionsHeaderWriter;
import com.aquima.web.security.headers.StrictTransportProtectionHeaderWriter;
import com.aquima.web.security.headers.XssProtectionHeaderWriter;
import com.aquima.web.util.MvcRedirectHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
@Configuration
@Order(50)
@ConditionalOnProperty(name = "blueriq.security.http.interactions.enabled", havingValue = "true", matchIfMissing = true)
public class RuntimeWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

  /**
   * Spring Security filter chain for the interactions runtime.
   *
   * <p>Active by default: the {@code blueriq.security.http.interactions.enabled} property only has to be
   * set when the chain should be switched off ({@code matchIfMissing = true}). Ordered at 50 so that other
   * security configurers in the application can be placed before or after it.
   *
   * <p>Security-relevant choices made in {@link #configure(HttpSecurity)}, all visible in this class:
   * <ul>
   *   <li>CSRF protection is disabled for this chain.</li>
   *   <li>Spring Security's default header writers are replaced by four property-driven writers
   *       (clickjacking, HSTS, content-type options, XSS protection); no cache-control writer is added here.</li>
   *   <li>Session fixation protection is set to {@code none}, i.e. the session id is not changed on login.</li>
   *   <li>Only the "no access" path obtained from {@link MvcRedirectHelper} requires authentication;
   *       no {@code anyRequest()} rule is declared in this chain.</li>
   * </ul>
   * NOTE(review): whether CSRF and session-fixation protection are provided by another mechanism cannot be
   * determined from this class — confirm against the rest of the runtime before relying on this chain alone.
   */
  private static final Logger LOG = LoggerFactory.getLogger(RuntimeWebSecurityConfigurer.class);

  /** Authentication manager of the runtime, selected by qualifier because several managers may be present. */
  @Autowired
  @Qualifier("blueriqAuthenticationManager")
  private AuthenticationManager authManager;

  /** Properties that drive the response-header writers registered in {@link #configure(HttpSecurity)}. */
  @Autowired
  private SecurityConfigProperties securityProperties;

  /** Supplies the "no access" path that is the only protected matcher of this chain. */
  @Autowired
  private MvcRedirectHelper redirectHelper;

  /** Repository used to store the security context; see {@link #defaultSecurityContextRepository()}. */
  @Autowired
  private SecurityContextRepository securityContextRepository;

  /** URL mappings of the form-login flow configured by this class. */
  public static class Mappings {
    /** Path that triggers the security check (redirect target when access is denied). */
    public static final String TRIGGER_SECURITY_CHECK = "/server/noaccess.html";
    /** Path that processes the submitted login form. */
    public static final String PERFORM_SECURITY_CHECK = "/server/securityCheck";
    /** Login page shown to unauthenticated users. */
    public static final String LOGIN_PAGE = "/server/session/login.html";
    /** Logout page. */
    public static final String LOGOUT_PAGE = "/server/session/logout.html";
    /** Always-used redirect target after a successful login. */
    public static final String LOGIN_SUCCESS_URL = "/server/start?loginSuccess=true";
    /** Redirect target after a failed login. */
    public static final String LOGIN_PAGE_ERROR = "/server/session/login.html?loginError=true";
  }

  /**
   * Returns the qualified runtime authentication manager instead of letting the adapter build its own.
   *
   * @return the injected {@code blueriqAuthenticationManager}
   */
  @Override
  protected AuthenticationManager authenticationManager() throws Exception {
    return this.authManager;
  }

  /**
   * Builds the filter chain. Each concern is configured in its own step; the steps register their
   * configurers on {@code http} in the same order as the original fluent chain.
   *
   * @param http the security builder for this chain
   * @throws Exception propagated from the Spring Security builder
   */
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    configureCsrfAndHeaders(http);
    configureSession(http);
    configureAuthorization(http);
    configureFormLogin(http);
    configureAnonymousAndContext(http);
  }

  /** Disables CSRF and replaces the default header writers with the property-driven ones. */
  private void configureCsrfAndHeaders(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF protection is off for every request handled by this chain.
    http.csrf().disable();
    // defaultsDisabled() drops Spring's built-in writers, so only the four below are emitted.
    http.headers()
        .defaultsDisabled()
        .addHeaderWriter(new ClickJackingProtectionHeaderWriter(this.securityProperties))
        .addHeaderWriter(new StrictTransportProtectionHeaderWriter(this.securityProperties))
        .addHeaderWriter(new ContentTypeOptionsHeaderWriter(this.securityProperties))
        .addHeaderWriter(new XssProtectionHeaderWriter(this.securityProperties));
  }

  /** Session handling: no session-fixation protection, i.e. the session id is kept across authentication. */
  private void configureSession(HttpSecurity http) throws Exception {
    http.sessionManagement()
        .sessionFixation()
        .none();
  }

  /** Only the "no access" path requires an authenticated user; nothing else is constrained here. */
  private void configureAuthorization(HttpSecurity http) throws Exception {
    String noAccessPath = this.redirectHelper.getNoAccessPath();
    http.authorizeRequests()
        .antMatchers(noAccessPath)
        .authenticated();
  }

  /** Form login using the {@link Mappings} URLs; the login page and processing URL are open to everyone. */
  private void configureFormLogin(HttpSecurity http) throws Exception {
    http.formLogin()
        .defaultSuccessUrl(Mappings.LOGIN_SUCCESS_URL, true)
        .loginPage(Mappings.LOGIN_PAGE)
        .loginProcessingUrl(Mappings.PERFORM_SECURITY_CHECK)
        .permitAll()
        .failureUrl(Mappings.LOGIN_PAGE_ERROR);
  }

  /** Anonymous authentication plus the injected security context repository. */
  private void configureAnonymousAndContext(HttpSecurity http) throws Exception {
    // The anonymous key is only used to tag AnonymousAuthenticationTokens created by this chain.
    http.anonymous()
        .key("doesNotMatter");
    http.securityContext()
        .securityContextRepository(this.securityContextRepository);
  }

  /**
   * Fallback {@link SecurityContextRepository}, used only when the application defines none.
   *
   * <p>URL rewriting is disabled so the session id is never appended to URLs encoded through the
   * response.
   *
   * @return a session-backed repository with URL rewriting disabled
   */
  @Bean
  @ConditionalOnMissingBean(SecurityContextRepository.class)
  public SecurityContextRepository defaultSecurityContextRepository() {
    if (LOG.isInfoEnabled()) {
      LOG.info("Using default security context repository");
    }
    HttpSessionSecurityContextRepository sessionRepository = new HttpSessionSecurityContextRepository();
    sessionRepository.setDisableUrlRewriting(true);
    return sessionRepository;
  }

  /**
   * Registers an optional application-provided XSS whitelist with the static {@link XssSafeValueFormatter}.
   * Not invoked when no {@link IXssWhitelist} bean exists.
   *
   * @param whitelist the whitelist bean
   */
  @Autowired(required = false)
  public void registerXssWhitelist(IXssWhitelist whitelist) {
    XssSafeValueFormatter.register(whitelist);
  }

  /**
   * Registers an optional application-provided XSS blacklist with the static {@link XssSafeValueFormatter}.
   * Not invoked when no {@link IXssBlacklist} bean exists.
   *
   * @param blacklist the blacklist bean
   */
  @Autowired(required = false)
  public void registerXssBlacklist(IXssBlacklist blacklist) {
    XssSafeValueFormatter.register(blacklist);
  }
}