com.broadleafcommerce.auth.user.autoconfigure

Class AuthorizationServerWebSecurityConfiguration

java.lang.Object

org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

com.broadleafcommerce.auth.user.autoconfigure.AuthorizationServerWebSecurityConfiguration

All Implemented Interfaces:

org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>, org.springframework.security.config.annotation.web.WebSecurityConfigurer<org.springframework.security.config.annotation.web.builders.WebSecurity>

@Configuration
 @EnableConfigurationProperties(value={AuthorizationServerProperties.class,UserLoginProperties.class,VerifyRedirectCookieProperties.class,UserLockoutProperties.class,EmbeddedLoginProperties.class})
 @AutoConfigureBefore(value=org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration.class)
public class AuthorizationServerWebSecurityConfiguration
extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Set up the spring security configuration for our OAuth server

Author:

Jeff Fischer, Samarth Dhruva (samarthd)

Constructor Summary

Constructors

Constructor and Description

AuthorizationServerWebSecurityConfiguration(org.springframework.security.web.savedrequest.RequestCache requestCache, AuthorizationServerProperties authorizationServerProps, StatelessUtil statelessUtil, org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService, AuthenticationLogoutHandler authenticationLogoutHandler, org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest> authorizationRequestRepository, org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy, FormLoginAuthenticationProvider formLoginAuthenticationProvider, OAuth2SessionAuthenticationProvider oAuth2SessionAuthenticationProvider, VerifyRedirectCookieFilter verifyRedirectCookieFilter, ClientIdFilter clientIdFilter, UserLockoutService userLockoutService, EmbeddedLoginProperties embeddedLoginProperties, Optional<EmbeddedLoginAuthenticationProvider> embeddedLoginAuthenticationProvider, Optional<EmbeddedLoginTokenAuthenticationProvider> embeddedLoginTokenAuthenticationProvider, AuthorizationServerService<AuthorizationServer> authorizationServerService, AuthorizedClientService<AuthorizedClient> authorizedClientService, PasscodeService<PasswordToken,User> passcodeService, UserService<User> userService)

Method Summary

Modifier and Type	Method and Description
protected void	applyContentSecurityPolicyConfiguration(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
org.springframework.security.web.AuthenticationEntryPoint	authenticationEntryPoint()
org.springframework.security.web.authentication.AuthenticationFailureHandler	authenticationFailureHandler()
org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler	authenticationSuccessHandler()
protected void	configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
protected void	configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
void	configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
ContentSecurityPolicyConfigurer	contentSecurityPolicyConfigurer(AuthorizationServerProperties authorizationServerProps)
AuthenticationFailureExceptionMapping	credentialsExpiredExceptionMapping()
EmbeddedLoginAuthenticationFailureHandler	embeddedLoginAuthenticationFailureHandler()
EmbeddedLoginAuthenticationFilter	embeddedLoginAuthenticationFilter()
org.springframework.boot.web.servlet.FilterRegistrationBean<EmbeddedLoginAuthenticationFilter>	embeddedLoginAuthenticationFilterRegistration(EmbeddedLoginAuthenticationFilter filter) Disable automatic Filter registration for EmbeddedLoginAuthenticationFilter.
EmbeddedLoginAuthenticationSuccessHandler<PasswordToken,User>	embeddedLoginAuthenticationSuccessHandler()
EmbeddedLoginTokenEndpointAuthenticationFilter	embeddedLoginTokenEndpointAuthenticationFilter()
org.springframework.boot.web.servlet.FilterRegistrationBean<EmbeddedLoginTokenEndpointAuthenticationFilter>	embeddedLoginTokenEndpointAuthenticationFilterRegistration(EmbeddedLoginTokenEndpointAuthenticationFilter filter) Disable automatic Filter registration for OAuth2TokenEndpointAuthenticationFilter.
FormLoginAuthenticationFilter	formLoginAuthenticationFilter()
org.springframework.boot.web.servlet.FilterRegistrationBean<FormLoginAuthenticationFilter>	formLoginAuthenticationFilterRegistration(FormLoginAuthenticationFilter formLoginAuthenticationFilter) Disable automatic Filter registration for FormLoginAuthenticationFilter.
protected ContentSecurityPolicyConfigurer	getContentSecurityPolicyConfigurer()
OAuth2SessionAuthenticationFilter	oAuth2SessionAuthenticationFilter()
org.springframework.boot.web.servlet.FilterRegistrationBean<OAuth2SessionAuthenticationFilter>	oAuth2SessionAuthenticationFilterRegistration(OAuth2SessionAuthenticationFilter filter) Disable automatic Filter registration for OAuth2SessionAuthenticationFilter.
RevokeRefreshTokenLogoutHandler	revokeRefreshTokenLogoutHandler()
void	setContentSecurityPolicyConfigurer(ContentSecurityPolicyConfigurer contentSecurityPolicyConfigurer)
void	setRedirectResolver(org.springframework.security.oauth2.provider.endpoint.RedirectResolver redirectResolver)
AuthenticationFailureExceptionMapping	userLockedExceptionMapping()
UserLoginService	userLoginService(OAuth2UserDetailsService clientUserDetailService, StatelessUtil statelessUtil)
AuthenticationFailureExceptionMapping	userNotActiveExceptionMapping()

Methods inherited from class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

authenticationManager, authenticationManagerBean, getApplicationContext, getHttp, init, setApplicationContext, setAuthenticationConfiguration, setContentNegotationStrategy, setObjectPostProcessor, setTrustResolver, userDetailsService, userDetailsServiceBean

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AuthorizationServerWebSecurityConfiguration

public AuthorizationServerWebSecurityConfiguration(org.springframework.security.web.savedrequest.RequestCache requestCache,
                                                   AuthorizationServerProperties authorizationServerProps,
                                                   StatelessUtil statelessUtil,
                                                   org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService,
                                                   AuthenticationLogoutHandler authenticationLogoutHandler,
                                                   org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest> authorizationRequestRepository,
                                                   org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource,
                                                   org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy,
                                                   FormLoginAuthenticationProvider formLoginAuthenticationProvider,
                                                   OAuth2SessionAuthenticationProvider oAuth2SessionAuthenticationProvider,
                                                   VerifyRedirectCookieFilter verifyRedirectCookieFilter,
                                                   ClientIdFilter clientIdFilter,
                                                   UserLockoutService userLockoutService,
                                                   EmbeddedLoginProperties embeddedLoginProperties,
                                                   Optional<EmbeddedLoginAuthenticationProvider> embeddedLoginAuthenticationProvider,
                                                   Optional<EmbeddedLoginTokenAuthenticationProvider> embeddedLoginTokenAuthenticationProvider,
                                                   AuthorizationServerService<AuthorizationServer> authorizationServerService,
                                                   AuthorizedClientService<AuthorizedClient> authorizedClientService,
                                                   PasscodeService<PasswordToken,User> passcodeService,
                                                   UserService<User> userService)

Method Detail

setRedirectResolver

@Autowired
public void setRedirectResolver(@Nullable
                                           org.springframework.security.oauth2.provider.endpoint.RedirectResolver redirectResolver)

setContentSecurityPolicyConfigurer

@Autowired
public void setContentSecurityPolicyConfigurer(@Nullable
                                                          ContentSecurityPolicyConfigurer contentSecurityPolicyConfigurer)

configure

public void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)

Specified by:

configure in interface org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

configure

protected void configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

configure

protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                  throws Exception

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

applyContentSecurityPolicyConfiguration

protected void applyContentSecurityPolicyConfiguration(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                                                throws Exception

Throws:

Exception

authenticationEntryPoint

@Bean
 @ConditionalOnMissingBean
public org.springframework.security.web.AuthenticationEntryPoint authenticationEntryPoint()

authenticationSuccessHandler

@Bean
 @ConditionalOnMissingBean
public org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler authenticationSuccessHandler()

authenticationFailureHandler

@Bean
 @ConditionalOnMissingBean
public org.springframework.security.web.authentication.AuthenticationFailureHandler authenticationFailureHandler()

embeddedLoginAuthenticationSuccessHandler

@Bean
 @ConditionalOnMissingBean
 @ConditionalOnProperty(value="broadleaf.auth.login.embedded.enabled")
public EmbeddedLoginAuthenticationSuccessHandler<PasswordToken,User> embeddedLoginAuthenticationSuccessHandler()

embeddedLoginAuthenticationFailureHandler

@Bean
 @ConditionalOnMissingBean
 @ConditionalOnProperty(value="broadleaf.auth.login.embedded.enabled")
public EmbeddedLoginAuthenticationFailureHandler embeddedLoginAuthenticationFailureHandler()

userNotActiveExceptionMapping

@Bean
 @ConditionalOnMissingBean(name="userNotActiveExceptionMapping")
public AuthenticationFailureExceptionMapping userNotActiveExceptionMapping()

credentialsExpiredExceptionMapping

@Bean
 @ConditionalOnMissingBean(name="credentialsExpiredExceptionMapping")
public AuthenticationFailureExceptionMapping credentialsExpiredExceptionMapping()

userLockedExceptionMapping

@Bean
 @ConditionalOnMissingBean(name="userLockedExceptionMapping")
public AuthenticationFailureExceptionMapping userLockedExceptionMapping()

revokeRefreshTokenLogoutHandler

@Bean
 @ConditionalOnMissingBean
public RevokeRefreshTokenLogoutHandler revokeRefreshTokenLogoutHandler()

formLoginAuthenticationFilter

@Bean
 @ConditionalOnMissingBean
public FormLoginAuthenticationFilter formLoginAuthenticationFilter()
                                                                                             throws Exception

Throws:

Exception

formLoginAuthenticationFilterRegistration

@Bean
 @ConditionalOnMissingBean(name="formLoginAuthenticationFilterRegistration")
public org.springframework.boot.web.servlet.FilterRegistrationBean<FormLoginAuthenticationFilter> formLoginAuthenticationFilterRegistration(FormLoginAuthenticationFilter formLoginAuthenticationFilter)

Disable automatic Filter registration for FormLoginAuthenticationFilter. It is manually added to security filter chain in configure(org.springframework.security.config.annotation.web.builders.WebSecurity).

See documentation file "register-security-filters.adoc" for information about how to properly register security filters.

embeddedLoginAuthenticationFilter

@Bean
 @ConditionalOnMissingBean
 @ConditionalOnProperty(value="broadleaf.auth.login.embedded.enabled")
public EmbeddedLoginAuthenticationFilter embeddedLoginAuthenticationFilter()
                                                                                                                                                                            throws Exception

Throws:

Exception

embeddedLoginAuthenticationFilterRegistration

@Bean
 @ConditionalOnMissingBean(name="embeddedLoginAuthenticationFilterRegistration")
 @ConditionalOnProperty(value="broadleaf.auth.login.embedded.enabled")
public org.springframework.boot.web.servlet.FilterRegistrationBean<EmbeddedLoginAuthenticationFilter> embeddedLoginAuthenticationFilterRegistration(EmbeddedLoginAuthenticationFilter filter)

Disable automatic Filter registration for EmbeddedLoginAuthenticationFilter. It is manually added to security filter chain in configure(org.springframework.security.config.annotation.web.builders.WebSecurity).

See documentation file "register-security-filters.adoc" for information about how to properly register security filters.

oAuth2SessionAuthenticationFilter

@Bean
 @ConditionalOnMissingBean
public OAuth2SessionAuthenticationFilter oAuth2SessionAuthenticationFilter()
                                                                                                     throws Exception

Throws:

Exception

oAuth2SessionAuthenticationFilterRegistration

@Bean
 @ConditionalOnMissingBean(name="oAuth2SessionAuthenticationFilterRegistration")
public org.springframework.boot.web.servlet.FilterRegistrationBean<OAuth2SessionAuthenticationFilter> oAuth2SessionAuthenticationFilterRegistration(OAuth2SessionAuthenticationFilter filter)

Disable automatic Filter registration for OAuth2SessionAuthenticationFilter. It is manually added to security filter chain in configure(org.springframework.security.config.annotation.web.builders.WebSecurity). It is also manually added to the chain for the TokenEndpoint in AuthorizationServerConfiguration. See documentation file "register-security-filters.adoc" for information about how to properly register security filters.

userLoginService

@Bean
 @ConditionalOnMissingBean
public UserLoginService userLoginService(OAuth2UserDetailsService clientUserDetailService,
                                                                          StatelessUtil statelessUtil)

contentSecurityPolicyConfigurer

@Bean
 @ConditionalOnMissingBean
public ContentSecurityPolicyConfigurer contentSecurityPolicyConfigurer(AuthorizationServerProperties authorizationServerProps)

embeddedLoginTokenEndpointAuthenticationFilter

@Bean
 @ConditionalOnMissingBean
 @ConditionalOnProperty(value="broadleaf.auth.login.embedded.enabled")
public EmbeddedLoginTokenEndpointAuthenticationFilter embeddedLoginTokenEndpointAuthenticationFilter()
                                                                                                                                                                                                      throws Exception

Throws:

Exception

embeddedLoginTokenEndpointAuthenticationFilterRegistration

@Bean
 @ConditionalOnMissingBean(name="embeddedLoginTokenEndpointAuthenticationFilterRegistration")
 @ConditionalOnProperty(value="broadleaf.auth.login.embedded.enabled")
public org.springframework.boot.web.servlet.FilterRegistrationBean<EmbeddedLoginTokenEndpointAuthenticationFilter> embeddedLoginTokenEndpointAuthenticationFilterRegistration(EmbeddedLoginTokenEndpointAuthenticationFilter filter)

Disable automatic Filter registration for OAuth2TokenEndpointAuthenticationFilter. It is manually added to the chain for the TokenEndpoint in AuthorizationServerConfiguration. That is the only location where this filter will be enabled, since it's only necessary for the TokenEndpoint.

See documentation file "register-security-filters.adoc" for information about how to properly register security filters.

getContentSecurityPolicyConfigurer

@Nullable
protected ContentSecurityPolicyConfigurer getContentSecurityPolicyConfigurer()