Spring CRM REST - DemoSecurityConfig (basic)
package com.luv2code.springdemo.config; | |
import org.springframework.context.annotation.Configuration; | |
import org.springframework.http.HttpMethod; | |
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; | |
import org.springframework.security.config.annotation.web.builders.HttpSecurity; | |
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; | |
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; | |
import org.springframework.security.config.http.SessionCreationPolicy; | |
import org.springframework.security.core.userdetails.User; | |
import org.springframework.security.core.userdetails.User.UserBuilder; | |
@Configuration
@EnableWebSecurity
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Shared demo password used by every in-memory account below. */
    private static final String DEMO_PASSWORD = "test123";

    /**
     * Registers the in-memory demo accounts.
     *
     * <p>Three users are created: john (EMPLOYEE), mary (EMPLOYEE, MANAGER) and
     * susan (EMPLOYEE, ADMIN). Credentials live in source, so this is only
     * suitable for a demo; a real deployment would load users from a store.
     *
     * @param auth the builder the accounts are added to
     * @throws Exception propagated from the Spring Security builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser(demoUser("john", "EMPLOYEE"))
            .withUser(demoUser("mary", "EMPLOYEE", "MANAGER"))
            .withUser(demoUser("susan", "EMPLOYEE", "ADMIN"));
    }

    /**
     * Builds one demo account with the shared password and the given roles.
     *
     * <p>{@code User.withDefaultPasswordEncoder()} is the builder Spring
     * provides for demos and getting started; it hashes the plaintext at
     * startup but the plaintext still sits in the class file.
     *
     * @param username the login name
     * @param roles    the roles granted to the account (without the ROLE_ prefix)
     * @return a builder that {@code withUser} turns into a user at registration time
     */
    private static UserBuilder demoUser(String username, String... roles) {
        return User.withDefaultPasswordEncoder()
                   .username(username)
                   .password(DEMO_PASSWORD)
                   .roles(roles);
    }

    /**
     * Secures the REST endpoints under {@code /api/customers} with HTTP Basic.
     *
     * <p>Only {@code /api/customers/**} is given an authorization rule here;
     * no other path is matched by this configuration.
     *
     * @param http the security DSL for the HTTP layer
     * @throws Exception propagated from the Spring Security builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request to the customer API must carry valid credentials.
        http.authorizeRequests()
            .antMatchers("/api/customers/**").authenticated();

        // Clients authenticate with an Authorization: Basic header on each call.
        http.httpBasic();

        // Why disable CSRF?
        //
        // Spring Security 5 enables CSRF protection by default, which would require
        // clients to send CSRF tokens. CSRF defends against requests a browser can be
        // tricked into sending with credentials it attaches automatically. For a REST
        // service consumed only by non-browser clients that protection is commonly
        // turned off. Note that a browser will also re-send cached HTTP Basic
        // credentials automatically, so if this API is ever called from a browser
        // front-end, CSRF protection should be turned back on.
        //
        // For more details, see this link:
        // http://www.tothenew.com/blog/fortifying-your-rest-api-using-spring-security/
        http.csrf().disable();

        // Why disable sessions?
        //
        // We would like to avoid cookies for session tracking, so that the REST client
        // has to present the user name and password on every request. Whether that
        // actually happens depends on the REST client / browser in use; your mileage
        // will vary (for example, this does not work in the Eclipse embedded browser).
        //
        // For more details, see this link:
        // http://www.baeldung.com/spring-security-session
        http.sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}