Home Explore Help
Sign In
pagobo
/
UV_SAIC_GUI
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b01bcfca16
Branches Tags
UV_SAIC_GUI
/
src
/
main
/
java
/
es
/
uv
/
saic
/
config
/
SecurityConfig.java

SecurityConfig.java 6.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151 
  1. package es.uv.saic.config;
    2. 

  2. 

  3. import java.util.ArrayList;
    4. 

  4. import java.util.Collections;
    5. 

  5. import java.util.List;
    6. 

  6. 

  7. import org.springframework.beans.factory.annotation.Autowired;
    8. 

  8. import org.springframework.beans.factory.annotation.Value;
    9. 

  9. import org.springframework.context.annotation.Bean;
    10. 

  10. import org.springframework.context.annotation.Configuration;
    11. 

  11. import org.springframework.security.authentication.AuthenticationManager;
    12. 

  12. import org.springframework.security.authorization.AuthorizationDecision;
    13. 

  13. import org.springframework.security.authorization.AuthorizationManager;
    14. 

  14. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    15. 

  15. import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
    16. 

  16. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    17. 

  17. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    18. 

  18. import org.springframework.security.config.http.SessionCreationPolicy;
    19. 

  19. import org.springframework.security.core.session.SessionRegistry;
    20. 

  20. import org.springframework.security.core.session.SessionRegistryImpl;
    21. 

  21. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    22. 

  22. import org.springframework.security.crypto.password.PasswordEncoder;
    23. 

  23. import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
    24. 

  24. import org.springframework.security.web.SecurityFilterChain;
    25. 

  25. import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
    26. 

  26. import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
    27. 

  27. import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
    28. 

  28. import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
    29. 

  29. import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
    30. 

  30. import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
    31. 

  31. import org.springframework.security.web.session.HttpSessionEventPublisher;
    32. 

  32. import org.springframework.security.web.util.matcher.IpAddressMatcher;
    33. 

  33. 

  34. import es.uv.saic.service.AuthProvider;
    35. 

  35. import jakarta.servlet.http.HttpServletRequest;
    36. 

  36. 

  37. 

  38. @Configuration
    39. 

  39. @EnableWebSecurity
    40. 

  40. @EnableMethodSecurity
    41. 

  41. public class SecurityConfig {
    42. 

  42. 

  43. 	@Autowired
    44. 

  44. 	AuthProvider authProvider;
    45. 

  45. 	
    46. 

  46. 	@Value("${saic.actuator.validIp}")
    47. 

  47. 	private String validIp;
    48. 

  48. 	
    49. 

  49. 	@Bean
    50. 

  50. 	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    51. 

  51. 		http.authorizeHttpRequests((auth) -> auth
    52. 

  52. 	        	.requestMatchers("/", "/css/**", "/js/**", "/img/**", "/logos/*", "/logos/**").permitAll()
    53. 

  53. 	        	.requestMatchers("/login**").permitAll()
    54. 

  54. 	        	.requestMatchers("/keepalive").permitAll()
    55. 

  55. 				.requestMatchers("/public/**").permitAll()
    56. 

  56. 	        	.requestMatchers("/actuator/**").access(hasIpAddress(this.validIp))
    57. 

  57. 	        )
    58. 

  58. 	        .authorizeHttpRequests((auth)-> auth
    59. 

  59. 	            //.anyRequest().fullyAuthenticated()
    60. 

  60. 				.anyRequest().permitAll()
    61. 

  61. 	        )
    62. 

  62. 	        .formLogin((form) -> form
    63. 

  63. 	            .loginPage("/login")
    64. 

  64. 	            .defaultSuccessUrl("/procedures?_new=1",true)
    65. 

  65. 	            .failureUrl("/login?error=noauth")
    66. 

  66. 	            .successHandler(new AuthSuccessHandler())
    67. 

  67. 	            .permitAll()
    68. 

  68. 	        )
    69. 

  69. 	        .logout((logout) -> logout
    70. 

  70. 	        	.logoutSuccessUrl("/login")
    71. 

  71. 	        	.invalidateHttpSession(true)
    72. 

  72. 	        	.clearAuthentication(true)
    73. 

  73. 	        	.deleteCookies("JSESSIONID")
    74. 

  74.                 .deleteCookies("SESSION")
    75. 

  75.              )
    76. 

  76. 	        .csrf((csrf) -> csrf.disable());
    77. 

  77. 		
    78. 

  78. 		http.sessionManagement((session) -> session
    79. 

  79. 				.sessionAuthenticationErrorUrl("/login?error=expired")
    80. 

  80. 				.invalidSessionUrl("/login?error=expired")
    81. 

  81. 				.maximumSessions(1)
    82. 

  82. 				.expiredUrl("/login?error=expired")
    83. 

  83. 				.maxSessionsPreventsLogin(false)
    84. 

  84. 			    .sessionRegistry(sessionRegistry())
    85. 

  85. 		    )
    86. 

  86. 			.sessionManagement((session) -> session
    87. 

  87. 				.sessionAuthenticationStrategy(concurrentSession())
    88. 

  88. 			    .sessionFixation()
    89. 

  89. 			    .newSession()
    90. 

  90. 			    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
    91. 

  91. 			);
    92. 

  92. 	
    93. 

  93. 		http.headers((headers) -> headers
    94. 

  94. 				.frameOptions((options) -> options.sameOrigin())
    95. 

  95. 		    );
    96. 

  96. 	
    97. 

  97. 	    return http.build();
    98. 

  98. 	}
    99. 

  99. 	
    100. 

  100. 	private static AuthorizationManager<RequestAuthorizationContext> hasIpAddress(String ipAddress) {
    101. 

  101.         IpAddressMatcher ipAddressMatcher = new IpAddressMatcher(ipAddress);
    102. 

  102.         return (authentication, context) -> {
    103. 

  103.             HttpServletRequest request = context.getRequest();
    104. 

  104.             return new AuthorizationDecision(ipAddressMatcher.matches(request));
    105. 

  105.         };
    106. 

  106.     }
    107. 

  107. 	    
    108. 

  108.     @Bean
    109. 

  109.     public AuthenticationManager authenticationManager(HttpSecurity http) throws Exception {
    110. 

  110.         return http.getSharedObject(AuthenticationManagerBuilder.class)
    111. 

  111.         		   .authenticationProvider(authProvider)
    112. 

  112.         		   .build();
    113. 

  113.     }
    114. 

  114.     
    115. 

  115.     @Bean
    116. 

  116.     public SessionRegistry sessionRegistry() {
    117. 

  117.         return new SessionRegistryImpl();
    118. 

  118.     }
    119. 

  119.     
    120. 

  120.     @Bean
    121. 

  121.     public DefaultSpringSecurityContextSource contextSource() {
    122. 

  122.         return  new DefaultSpringSecurityContextSource(
    123. 

  123.                 Collections.singletonList("ldap://ldap.uv.es"), "dc=uv,dc=es");
    124. 

  124.     }
    125. 

  125.     
    126. 

  126.     @Bean
    127. 

  127.     public PasswordEncoder passwordEncoder() {
    128. 

  128.         return new BCryptPasswordEncoder();
    129. 

  129.     }
    130. 

  130.     
    131. 

  131.     @Bean
    132. 

  132.     public HttpSessionEventPublisher httpSessionEventPublisher() {
    133. 

  133.         return new HttpSessionEventPublisher();
    134. 

  134.     }
    135. 

  135.      
    136. 

  136.     @Bean
    137. 

  137.     public CompositeSessionAuthenticationStrategy concurrentSession() {
    138. 

  138. 

  139.          ConcurrentSessionControlAuthenticationStrategy concurrentAuthenticationStrategy = new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry());
    140. 

  140.          concurrentAuthenticationStrategy.setMaximumSessions(1);
    141. 

  141.          concurrentAuthenticationStrategy.setExceptionIfMaximumExceeded(true);
    142. 

  142.          List<SessionAuthenticationStrategy> delegateStrategies = new ArrayList<SessionAuthenticationStrategy>();
    143. 

  143.          delegateStrategies.add(concurrentAuthenticationStrategy);
    144. 

  144.          delegateStrategies.add(new SessionFixationProtectionStrategy());
    145. 

  145.          delegateStrategies.add(new RegisterSessionAuthenticationStrategy(sessionRegistry()));
    146. 

  146. 

  147.          CompositeSessionAuthenticationStrategy authenticationStrategy =  new CompositeSessionAuthenticationStrategy(delegateStrategies);
    148. 

  148.          return authenticationStrategy;
    149. 

  149.      }
    150. 

  150. 	
    151. 

  151. }
    152.