Class AuthorizationServerWebSecurityConfiguration
java.lang.Object
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
com.broadleafcommerce.auth.user.autoconfigure.AuthorizationServerWebSecurityConfiguration
- All Implemented Interfaces:
org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter, org.springframework.security.config.annotation.web.builders.WebSecurity>, org.springframework.security.config.annotation.web.WebSecurityConfigurer<org.springframework.security.config.annotation.web.builders.WebSecurity>
@Configuration
@EnableConfigurationProperties({AuthorizationServerProperties.class,UserLoginProperties.class,VerifyRedirectCookieProperties.class,UserLockoutProperties.class,EmbeddedLoginProperties.class,UserPasswordProperties.class})
@AutoConfigureBefore(org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration.class)
public class AuthorizationServerWebSecurityConfiguration
extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
Set up the Spring Security configuration for our OAuth server.
- Author:
- Jeff Fischer, Samarth Dhruva (samarthd)
-
Constructor Summary
Constructor | Description
AuthorizationServerWebSecurityConfiguration
(org.springframework.security.web.savedrequest.RequestCache requestCache, AuthorizationServerProperties authorizationServerProps, StatelessUtil statelessUtil, org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService, AuthenticationLogoutHandler authenticationLogoutHandler, org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest> authorizationRequestRepository, org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest, ?> authenticationDetailsSource, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy, FormLoginAuthenticationProvider formLoginAuthenticationProvider, OAuth2SessionAuthenticationProvider oAuth2SessionAuthenticationProvider, VerifyRedirectCookieFilter verifyRedirectCookieFilter, ClientIdFilter clientIdFilter, UserLockoutService userLockoutService, EmbeddedLoginProperties embeddedLoginProperties, Optional<EmbeddedLoginAuthenticationProvider> embeddedLoginAuthenticationProvider, Optional<EmbeddedLoginTokenAuthenticationProvider> embeddedLoginTokenAuthenticationProvider, AuthorizationServerService<AuthorizationServer> authorizationServerService, AuthorizedClientService<AuthorizedClient> authorizedClientService, PasscodeService<PasswordToken, User> passcodeService, UserService<User> userService) -
Method Summary
Modifier and Type | Method | Description
protected void | applyContentSecurityPolicyConfiguration(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
protected void | applyFrameOptionsConfiguration(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
org.springframework.security.web.AuthenticationEntryPoint | authenticationEntryPoint()
org.springframework.security.web.authentication.AuthenticationFailureHandler | authenticationFailureHandler()
org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler | authenticationSuccessHandler()
protected void | configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
protected void | configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
void | configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
ContentSecurityPolicyConfigurer | contentSecurityPolicyConfigurer(AuthorizationServerProperties authorizationServerProps)
org.springframework.boot.web.servlet.FilterRegistrationBean<EmbeddedLoginAuthenticationFilter> | embeddedLoginAuthenticationFilterRegistration(EmbeddedLoginAuthenticationFilter filter) | Disable automatic Filter registration for EmbeddedLoginAuthenticationFilter.
org.springframework.boot.web.servlet.FilterRegistrationBean<EmbeddedLoginTokenEndpointAuthenticationFilter> | embeddedLoginTokenEndpointAuthenticationFilterRegistration(EmbeddedLoginTokenEndpointAuthenticationFilter filter) | Disable automatic Filter registration for OAuth2TokenEndpointAuthenticationFilter.
org.springframework.boot.web.servlet.FilterRegistrationBean<FormLoginAuthenticationFilter> | formLoginAuthenticationFilterRegistration(FormLoginAuthenticationFilter formLoginAuthenticationFilter) | Disable automatic Filter registration for FormLoginAuthenticationFilter.
protected ContentSecurityPolicyConfigurer | getContentSecurityPolicyConfigurer()
org.springframework.boot.web.servlet.FilterRegistrationBean<OAuth2SessionAuthenticationFilter> | oAuth2SessionAuthenticationFilterRegistration(OAuth2SessionAuthenticationFilter filter) | Disable automatic Filter registration for OAuth2SessionAuthenticationFilter.
void | setContentSecurityPolicyConfigurer(ContentSecurityPolicyConfigurer contentSecurityPolicyConfigurer)
void | setRedirectResolver(org.springframework.security.oauth2.provider.endpoint.RedirectResolver redirectResolver)
UserLoginService | userLoginService(OAuth2UserDetailsService clientUserDetailService, StatelessUtil statelessUtil)
Methods inherited from class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
authenticationManager, authenticationManagerBean, getApplicationContext, getHttp, init, setApplicationContext, setAuthenticationConfiguration, setContentNegotationStrategy, setObjectPostProcessor, setTrustResolver, userDetailsService, userDetailsServiceBean
-
Constructor Details
-
AuthorizationServerWebSecurityConfiguration
public AuthorizationServerWebSecurityConfiguration(org.springframework.security.web.savedrequest.RequestCache requestCache, AuthorizationServerProperties authorizationServerProps, StatelessUtil statelessUtil, org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService, AuthenticationLogoutHandler authenticationLogoutHandler, org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest> authorizationRequestRepository, org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest, ?> authenticationDetailsSource, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy, FormLoginAuthenticationProvider formLoginAuthenticationProvider, OAuth2SessionAuthenticationProvider oAuth2SessionAuthenticationProvider, VerifyRedirectCookieFilter verifyRedirectCookieFilter, ClientIdFilter clientIdFilter, UserLockoutService userLockoutService, EmbeddedLoginProperties embeddedLoginProperties, Optional<EmbeddedLoginAuthenticationProvider> embeddedLoginAuthenticationProvider, Optional<EmbeddedLoginTokenAuthenticationProvider> embeddedLoginTokenAuthenticationProvider, AuthorizationServerService<AuthorizationServer> authorizationServerService, AuthorizedClientService<AuthorizedClient> authorizedClientService, PasscodeService<PasswordToken, User> passcodeService, UserService<User> userService)
-
-
Method Details
-
setRedirectResolver
@Autowired public void setRedirectResolver(@Nullable org.springframework.security.oauth2.provider.endpoint.RedirectResolver redirectResolver)
-
setContentSecurityPolicyConfigurer
@Autowired @Lazy public void setContentSecurityPolicyConfigurer(@Nullable ContentSecurityPolicyConfigurer contentSecurityPolicyConfigurer)
-
configure
public void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
- Specified by:
configure in interface org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter, org.springframework.security.config.annotation.web.builders.WebSecurity>
- Overrides:
configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
-
configure
protected void configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
- Overrides:
configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
-
configure
protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
- Overrides:
configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
- Throws:
Exception
-
applyContentSecurityPolicyConfiguration
protected void applyContentSecurityPolicyConfiguration(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
- Throws:
Exception
-
applyFrameOptionsConfiguration
protected void applyFrameOptionsConfiguration(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
- Throws:
Exception
-
authenticationEntryPoint
@Bean @ConditionalOnMissingBean public org.springframework.security.web.AuthenticationEntryPoint authenticationEntryPoint()
-
authenticationSuccessHandler
@Bean @ConditionalOnMissingBean public org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler authenticationSuccessHandler()
-
authenticationFailureHandler
@Bean @ConditionalOnMissingBean public org.springframework.security.web.authentication.AuthenticationFailureHandler authenticationFailureHandler()
-
embeddedLoginAuthenticationSuccessHandler
@Bean @ConditionalOnMissingBean @ConditionalOnProperty("broadleaf.auth.login.embedded.enabled") public EmbeddedLoginAuthenticationSuccessHandler<PasswordToken,User> embeddedLoginAuthenticationSuccessHandler()
-
embeddedLoginAuthenticationFailureHandler
@Bean @ConditionalOnMissingBean @ConditionalOnProperty("broadleaf.auth.login.embedded.enabled") public EmbeddedLoginAuthenticationFailureHandler embeddedLoginAuthenticationFailureHandler()
-
userNotActiveExceptionMapping
@Bean @ConditionalOnMissingBean(name="userNotActiveExceptionMapping") public AuthenticationFailureExceptionMapping userNotActiveExceptionMapping()
-
credentialsExpiredExceptionMapping
@Bean @ConditionalOnMissingBean(name="credentialsExpiredExceptionMapping") public AuthenticationFailureExceptionMapping credentialsExpiredExceptionMapping()
-
userLockedExceptionMapping
@Bean @ConditionalOnMissingBean(name="userLockedExceptionMapping") public AuthenticationFailureExceptionMapping userLockedExceptionMapping()
-
revokeRefreshTokenLogoutHandler
@Bean @ConditionalOnMissingBean public RevokeRefreshTokenLogoutHandler revokeRefreshTokenLogoutHandler()
-
formLoginAuthenticationFilter
@Bean @ConditionalOnMissingBean public FormLoginAuthenticationFilter formLoginAuthenticationFilter() throws Exception
- Throws:
Exception
-
formLoginAuthenticationFilterRegistration
@Bean @ConditionalOnMissingBean(name="formLoginAuthenticationFilterRegistration") public org.springframework.boot.web.servlet.FilterRegistrationBean<FormLoginAuthenticationFilter> formLoginAuthenticationFilterRegistration(FormLoginAuthenticationFilter formLoginAuthenticationFilter)
Disable automatic Filter registration for FormLoginAuthenticationFilter. It is manually added to the security filter chain in configure(org.springframework.security.config.annotation.web.builders.WebSecurity).
See documentation file "register-security-filters.adoc" for information about how to properly register security filters.
-
embeddedLoginAuthenticationFilter
@Bean @ConditionalOnMissingBean @ConditionalOnProperty("broadleaf.auth.login.embedded.enabled") public EmbeddedLoginAuthenticationFilter embeddedLoginAuthenticationFilter() throws Exception
- Throws:
Exception
-
embeddedLoginAuthenticationFilterRegistration
@Bean @ConditionalOnMissingBean(name="embeddedLoginAuthenticationFilterRegistration") @ConditionalOnProperty("broadleaf.auth.login.embedded.enabled") public org.springframework.boot.web.servlet.FilterRegistrationBean<EmbeddedLoginAuthenticationFilter> embeddedLoginAuthenticationFilterRegistration(EmbeddedLoginAuthenticationFilter filter)
Disable automatic Filter registration for EmbeddedLoginAuthenticationFilter. It is manually added to the security filter chain in configure(org.springframework.security.config.annotation.web.builders.WebSecurity).
See documentation file "register-security-filters.adoc" for information about how to properly register security filters.
-
oAuth2SessionAuthenticationFilter
@Bean @ConditionalOnMissingBean public OAuth2SessionAuthenticationFilter oAuth2SessionAuthenticationFilter() throws Exception
- Throws:
Exception
-
oAuth2SessionAuthenticationFilterRegistration
@Bean @ConditionalOnMissingBean(name="oAuth2SessionAuthenticationFilterRegistration") public org.springframework.boot.web.servlet.FilterRegistrationBean<OAuth2SessionAuthenticationFilter> oAuth2SessionAuthenticationFilterRegistration(OAuth2SessionAuthenticationFilter filter)
Disable automatic Filter registration for OAuth2SessionAuthenticationFilter. It is manually added to the security filter chain in configure(org.springframework.security.config.annotation.web.builders.WebSecurity). It is also manually added to the chain for the TokenEndpoint in AuthorizationServerConfiguration.
See documentation file "register-security-filters.adoc" for information about how to properly register security filters.
-
userLoginService
@Bean @ConditionalOnMissingBean public UserLoginService userLoginService(OAuth2UserDetailsService clientUserDetailService, StatelessUtil statelessUtil)
-
contentSecurityPolicyConfigurer
@Bean @ConditionalOnMissingBean public ContentSecurityPolicyConfigurer contentSecurityPolicyConfigurer(AuthorizationServerProperties authorizationServerProps)
-
embeddedLoginTokenEndpointAuthenticationFilter
@Bean @ConditionalOnMissingBean @ConditionalOnProperty("broadleaf.auth.login.embedded.enabled") public EmbeddedLoginTokenEndpointAuthenticationFilter embeddedLoginTokenEndpointAuthenticationFilter() throws Exception
- Throws:
Exception
-
embeddedLoginTokenEndpointAuthenticationFilterRegistration
@Bean @ConditionalOnMissingBean(name="embeddedLoginTokenEndpointAuthenticationFilterRegistration") @ConditionalOnProperty("broadleaf.auth.login.embedded.enabled") public org.springframework.boot.web.servlet.FilterRegistrationBean<EmbeddedLoginTokenEndpointAuthenticationFilter> embeddedLoginTokenEndpointAuthenticationFilterRegistration(EmbeddedLoginTokenEndpointAuthenticationFilter filter)
Disable automatic Filter registration for OAuth2TokenEndpointAuthenticationFilter. It is manually added to the chain for the TokenEndpoint in AuthorizationServerConfiguration. That is the only location where this filter will be enabled, since it's only necessary for the TokenEndpoint.
See documentation file "register-security-filters.adoc" for information about how to properly register security filters.
-
getContentSecurityPolicyConfigurer
-
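The "Disable automatic Filter registration" beans described above follow a general Spring Boot pattern, sketched here as an added example that is not Broadleaf's code. The filter, its header name and the configuration class are hypothetical; the Spring APIs are those of Spring Security 5.x with javax.servlet, matching the types on this page.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class ExampleSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Hypothetical filter: rejects requests that lack an X-Example-Client header.
    static class ExampleClientHeaderFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain chain) throws ServletException, IOException {
            if (request.getHeader("X-Example-Client") == null) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing client header");
                return;
            }
            chain.doFilter(request, response);
        }
    }

    @Bean
    public ExampleClientHeaderFilter exampleClientHeaderFilter() {
        return new ExampleClientHeaderFilter();
    }

    // Spring Boot registers every Filter bean with the servlet container for all
    // requests. Disabling the registration keeps the filter out of the container
    // chain, so it only runs where the security chain places it.
    @Bean
    public FilterRegistrationBean<ExampleClientHeaderFilter> exampleClientHeaderFilterRegistration(
            ExampleClientHeaderFilter filter) {
        FilterRegistrationBean<ExampleClientHeaderFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Manual placement inside the Spring Security filter chain.
        http.addFilterBefore(exampleClientHeaderFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests().anyRequest().authenticated();
    }
}
```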