Started migration for Boot 1.3 and Security 4.1

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>
This commit is contained in:
kaizimmerm
2016-07-07 12:39:40 +02:00
parent eff798393d
commit 04dad8d6de
25 changed files with 146 additions and 703 deletions

View File

@@ -13,7 +13,6 @@ import static org.springframework.context.annotation.AdviceMode.ASPECTJ;
import static org.springframework.core.Ordered.HIGHEST_PRECEDENCE;
import java.io.IOException;
import java.net.URI;
import javax.annotation.PostConstruct;
import javax.servlet.Filter;
@@ -22,7 +21,6 @@ import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.validation.constraints.NotNull;
import org.eclipse.hawkbit.ExcludePathAwareShallowETagFilter;
import org.eclipse.hawkbit.cache.CacheConstants;
@@ -69,7 +67,6 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -79,9 +76,6 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.session.SessionManagementFilter;
import org.vaadin.spring.security.VaadinSecurityContext;
@@ -98,7 +92,6 @@ import org.vaadin.spring.security.web.authentication.VaadinUrlAuthenticationSucc
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, mode = ASPECTJ, proxyTargetClass = true, securedEnabled = true)
@EnableWebMvcSecurity
@Order(value = HIGHEST_PRECEDENCE)
public class SecurityManagedConfiguration {
@@ -188,9 +181,7 @@ public class SecurityManagedConfiguration {
controllerAnonymousDownloadFilter.setCheckForPrincipalChanges(true);
controllerAnonymousDownloadFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
HttpSecurity httpSec = http.csrf().disable().headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY)).contentTypeOptions()
.xssProtection().httpStrictTransportSecurity().and();
HttpSecurity httpSec = http.csrf().disable();
if (springSecurityProperties.isRequireSsl()) {
httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
@@ -336,20 +327,12 @@ public class SecurityManagedConfiguration {
@Order(400)
@EnableVaadinSecurity
public static class UISecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
private static final String XFRAME_OPTION_DENY = "DENY";
private static final String XFRAME_OPTION_SAMEORIGIN = "SAMEORIGIN";
private static final String XFAME_OPTION_ALLOW_FROM = "ALLOW-FROM";
@Autowired
private VaadinSecurityContext vaadinSecurityContext;
@Autowired
private org.springframework.boot.autoconfigure.security.SecurityProperties springSecurityProperties;
@Autowired
private HawkbitSecurityProperties securityProperties;
/**
* post construct for setting the authentication success handler for the
* vaadin security context.
@@ -403,18 +386,6 @@ public class SecurityManagedConfiguration {
@Override
protected void configure(final HttpSecurity http) throws Exception {
// configuration xframe-option
final String confXframeOption = securityProperties.getXframe().getOption();
final String confAllowFromUri = securityProperties.getXframe().getAllowfrom();
if (XFAME_OPTION_ALLOW_FROM.equals(confXframeOption) && confAllowFromUri.isEmpty()) {
// if allow-from option is specified but no allowFromUri throw
// exception
throw new IllegalStateException("hawkbit.server.security.xframe.option has been specified as ALLOW-FROM"
+ " but no hawkbit.server.security.xframe.allowfrom has been set, "
+ "please ensure to set allow from URIs");
}
// workaround regex: we need to exclude the URL /UI/HEARTBEAT here
// because we bound the vaadin application to /UI and not to root,
// described in vaadin-forum:
@@ -431,12 +402,7 @@ public class SecurityManagedConfiguration {
"\"******************\\n** Requires HTTPS Security has been disabled for UI, should only be used for developing purposes **\\n******************\"");
}
// for UI integrator we allow frame integration on same origin
httpSec.headers()
.addHeaderWriter(confXframeOption.equals(XFAME_OPTION_ALLOW_FROM)
? new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(new URI(confAllowFromUri)))
: new XFrameOptionsHeaderWriter(xframeOptionFromStr(confXframeOption)))
.contentTypeOptions().xssProtection().httpStrictTransportSecurity().and()
httpSec
// UI
.authorizeRequests().antMatchers("/UI/login/**").permitAll().antMatchers("/UI/UIDL/**").permitAll()
.anyRequest().authenticated().and()
@@ -445,29 +411,6 @@ public class SecurityManagedConfiguration {
.and().logout().logoutUrl("/UI/logout").logoutSuccessUrl("/UI/login/#/");
}
/**
* Converts a given string into the {@link XFrameOptionsMode} enum. Only
* {@link XFrameOptionsMode#DENY} and
* {@link XFrameOptionsMode#SAMEORIGIN} any other string will be
* converted to the default {@link XFrameOptionsMode#SAMEORIGIN}.
*
* @param xframeOption
* the string of the xframe option
* @return an {@link XFrameOptionsMode} by the given string, in case
* string does not match an option then
* {@link XFrameOptionsMode#SAMEORIGIN} is returned
*/
private static XFrameOptionsMode xframeOptionFromStr(@NotNull final String xframeOption) {
switch (xframeOption) {
case XFRAME_OPTION_DENY:
return XFrameOptionsMode.DENY;
case XFRAME_OPTION_SAMEORIGIN:
// fall through to default because the same
default:
return XFrameOptionsMode.SAMEORIGIN;
}
}
@Override
public void configure(final WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers("/documentation/**", "/VAADIN/**", "/*.*", "/v2/api-docs/**",