cleanup finalize jwt auth
- Add sample login page
@@ -6,12 +6,14 @@ import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
|
||||
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
|
||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
||||
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@@ -36,7 +38,9 @@ public class SecurityConfig {
|
||||
// TODO: Fix security config for this project (currently old state from sharepulse)
|
||||
|
||||
http
|
||||
.csrf(csrf -> csrf.ignoringRequestMatchers("/api/v1/**")) // Disable CSRF for API routes
|
||||
.csrf(csrf -> csrf
|
||||
.ignoringRequestMatchers("/api/v1/**")
|
||||
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())) // Disable CSRF for API routes
|
||||
.sessionManagement(sessionManagement -> sessionManagement
|
||||
.sessionCreationPolicy(SessionCreationPolicy.STATELESS) // No session will be created by Spring Security
|
||||
)
|
||||
@@ -44,10 +48,19 @@ public class SecurityConfig {
|
||||
.requestMatchers("/api/v1/secure/**").authenticated() // Secure these endpoints
|
||||
.anyRequest().permitAll() // All other requests are allowed without authentication
|
||||
)
|
||||
.headers(headers -> headers
|
||||
.frameOptions(HeadersConfigurer.FrameOptionsConfig::deny) // Prevent clickjacking
|
||||
//.contentSecurityPolicy(Customizer.withDefaults()) // Blocks loading of resources from other domains
|
||||
.xssProtection(Customizer.withDefaults())
|
||||
)
|
||||
.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class) // Apply JWT filter
|
||||
.logout(LogoutConfigurer::permitAll)
|
||||
.rememberMe(Customizer.withDefaults());
|
||||
.logout(LogoutConfigurer::permitAll);
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
/**
|
||||
* Thoughts:
|
||||
* - Instead of disabling the contentSecurityPolicy we should simply provide our own libraries so that no external cdns are needed
|
||||
*/
|
||||
}
|
||||
|
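Review bot: In the `.csrf(...)` hunk the comment `// Disable CSRF for API routes` now trails `.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())`, which is not what that line does; move it back beside `.ignoringRequestMatchers("/api/v1/**")` and give the non-HttpOnly choice its own justification, e.g. `// cookie is intentionally readable by page scripts so the browser client can echo it back in the CSRF header`. The line `// TODO: Fix security config for this project (currently old state from sharepulse)` survives a commit titled "finalize jwt auth"; either remove it or say what is still pending. If this is Spring Security 6, `.xssProtection(Customizer.withDefaults())` presumably emits `X-XSS-Protection: 0` rather than enabling anything, so that line deserves a comment on intent — worth confirming against the version in use, which is not visible here. The filter-chain method begins before the first hunk, outside this view.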
@@ -29,14 +29,16 @@ public class AuthenticationController {
|
||||
log.debug("Received AuthenticationRequest for username: " + authenticationRequest.getUsername());
|
||||
String token = authenticationService.authenticate(authenticationRequest.getUsername(), authenticationRequest.getPassword(), request.getRemoteAddr());
|
||||
|
||||
Map<String, Object> response = new HashMap<>();
|
||||
|
||||
if(token == null) {
|
||||
log.debug("Authentication failed for username: " + authenticationRequest.getUsername());
|
||||
return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
|
||||
response.put("error", "Authentication failed. Username or password incorrect.");
|
||||
return new ResponseEntity<>(response, HttpStatus.UNAUTHORIZED);
|
||||
}
|
||||
|
||||
Map<String, Object> response = new HashMap<>();
|
||||
response.put("token", token);
|
||||
|
||||
response.put("token", token);
|
||||
if(token == null) {
|
||||
log.debug("Authentication failed for username: " + authenticationRequest.getUsername());
|
||||
return new ResponseEntity<>(response, HttpStatus.UNAUTHORIZED);
|
||||
|
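Review bot: Both `log.debug("... " + authenticationRequest.getUsername())` lines in this hunk build the message with string concatenation, so the work is done even when debug logging is off; the parameterized form `log.debug("Received AuthenticationRequest for username: {}", authenticationRequest.getUsername());` (and likewise for the failure line) is the idiomatic one. The rendering prints `response.put("token", token);` and the `if(token == null)` block twice, so I cannot tell for certain whether the final new-side order performs the null check before the token is added; if it does not, the 401 body would also carry a `token` key with a null value alongside `error`. The method's closing brace lies outside the hunk.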