Started migration for Boot 1.3 and Security 4.1
Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>
This commit is contained in:
@@ -13,7 +13,6 @@ import static org.springframework.context.annotation.AdviceMode.ASPECTJ;
|
||||
import static org.springframework.core.Ordered.HIGHEST_PRECEDENCE;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
|
||||
import javax.annotation.PostConstruct;
|
||||
import javax.servlet.Filter;
|
||||
@@ -22,7 +21,6 @@ import javax.servlet.FilterConfig;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.validation.constraints.NotNull;
|
||||
|
||||
import org.eclipse.hawkbit.ExcludePathAwareShallowETagFilter;
|
||||
import org.eclipse.hawkbit.cache.CacheConstants;
|
||||
@@ -69,7 +67,6 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.builders.WebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
|
||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
@@ -79,9 +76,6 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
|
||||
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
|
||||
import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
|
||||
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
|
||||
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
|
||||
import org.springframework.security.web.session.HttpSessionEventPublisher;
|
||||
import org.springframework.security.web.session.SessionManagementFilter;
|
||||
import org.vaadin.spring.security.VaadinSecurityContext;
|
||||
@@ -98,7 +92,6 @@ import org.vaadin.spring.security.web.authentication.VaadinUrlAuthenticationSucc
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableGlobalMethodSecurity(prePostEnabled = true, mode = ASPECTJ, proxyTargetClass = true, securedEnabled = true)
|
||||
@EnableWebMvcSecurity
|
||||
@Order(value = HIGHEST_PRECEDENCE)
|
||||
public class SecurityManagedConfiguration {
|
||||
|
||||
@@ -188,9 +181,7 @@ public class SecurityManagedConfiguration {
|
||||
controllerAnonymousDownloadFilter.setCheckForPrincipalChanges(true);
|
||||
controllerAnonymousDownloadFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
|
||||
|
||||
HttpSecurity httpSec = http.csrf().disable().headers()
|
||||
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY)).contentTypeOptions()
|
||||
.xssProtection().httpStrictTransportSecurity().and();
|
||||
HttpSecurity httpSec = http.csrf().disable();
|
||||
|
||||
if (springSecurityProperties.isRequireSsl()) {
|
||||
httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
|
||||
@@ -336,20 +327,12 @@ public class SecurityManagedConfiguration {
|
||||
@Order(400)
|
||||
@EnableVaadinSecurity
|
||||
public static class UISecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
|
||||
|
||||
private static final String XFRAME_OPTION_DENY = "DENY";
|
||||
private static final String XFRAME_OPTION_SAMEORIGIN = "SAMEORIGIN";
|
||||
private static final String XFAME_OPTION_ALLOW_FROM = "ALLOW-FROM";
|
||||
|
||||
@Autowired
|
||||
private VaadinSecurityContext vaadinSecurityContext;
|
||||
|
||||
@Autowired
|
||||
private org.springframework.boot.autoconfigure.security.SecurityProperties springSecurityProperties;
|
||||
|
||||
@Autowired
|
||||
private HawkbitSecurityProperties securityProperties;
|
||||
|
||||
/**
|
||||
* post construct for setting the authentication success handler for the
|
||||
* vaadin security context.
|
||||
@@ -403,18 +386,6 @@ public class SecurityManagedConfiguration {
|
||||
@Override
|
||||
protected void configure(final HttpSecurity http) throws Exception {
|
||||
|
||||
// configuration xframe-option
|
||||
final String confXframeOption = securityProperties.getXframe().getOption();
|
||||
final String confAllowFromUri = securityProperties.getXframe().getAllowfrom();
|
||||
|
||||
if (XFAME_OPTION_ALLOW_FROM.equals(confXframeOption) && confAllowFromUri.isEmpty()) {
|
||||
// if allow-from option is specified but no allowFromUri throw
|
||||
// exception
|
||||
throw new IllegalStateException("hawkbit.server.security.xframe.option has been specified as ALLOW-FROM"
|
||||
+ " but no hawkbit.server.security.xframe.allowfrom has been set, "
|
||||
+ "please ensure to set allow from URIs");
|
||||
}
|
||||
|
||||
// workaround regex: we need to exclude the URL /UI/HEARTBEAT here
|
||||
// because we bound the vaadin application to /UI and not to root,
|
||||
// described in vaadin-forum:
|
||||
@@ -431,12 +402,7 @@ public class SecurityManagedConfiguration {
|
||||
"\"******************\\n** Requires HTTPS Security has been disabled for UI, should only be used for developing purposes **\\n******************\"");
|
||||
}
|
||||
|
||||
// for UI integrator we allow frame integration on same origin
|
||||
httpSec.headers()
|
||||
.addHeaderWriter(confXframeOption.equals(XFAME_OPTION_ALLOW_FROM)
|
||||
? new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(new URI(confAllowFromUri)))
|
||||
: new XFrameOptionsHeaderWriter(xframeOptionFromStr(confXframeOption)))
|
||||
.contentTypeOptions().xssProtection().httpStrictTransportSecurity().and()
|
||||
httpSec
|
||||
// UI
|
||||
.authorizeRequests().antMatchers("/UI/login/**").permitAll().antMatchers("/UI/UIDL/**").permitAll()
|
||||
.anyRequest().authenticated().and()
|
||||
@@ -445,29 +411,6 @@ public class SecurityManagedConfiguration {
|
||||
.and().logout().logoutUrl("/UI/logout").logoutSuccessUrl("/UI/login/#/");
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a given string into the {@link XFrameOptionsMode} enum. Only
|
||||
* {@link XFrameOptionsMode#DENY} and
|
||||
* {@link XFrameOptionsMode#SAMEORIGIN} any other string will be
|
||||
* converted to the default {@link XFrameOptionsMode#SAMEORIGIN}.
|
||||
*
|
||||
* @param xframeOption
|
||||
* the string of the xframe option
|
||||
* @return an {@link XFrameOptionsMode} by the given string, in case
|
||||
* string does not match an option then
|
||||
* {@link XFrameOptionsMode#SAMEORIGIN} is returned
|
||||
*/
|
||||
private static XFrameOptionsMode xframeOptionFromStr(@NotNull final String xframeOption) {
|
||||
switch (xframeOption) {
|
||||
case XFRAME_OPTION_DENY:
|
||||
return XFrameOptionsMode.DENY;
|
||||
case XFRAME_OPTION_SAMEORIGIN:
|
||||
// fall through to default because the same
|
||||
default:
|
||||
return XFrameOptionsMode.SAMEORIGIN;
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void configure(final WebSecurity webSecurity) throws Exception {
|
||||
webSecurity.ignoring().antMatchers("/documentation/**", "/VAADIN/**", "/*.*", "/v2/api-docs/**",
|
||||
|
||||
Reference in New Issue
Block a user