dcoraboeuf#285 Isolating the GUI security in a configuration
dcoraboeuf committed Nov 29, 2013
1 parent 9758797 commit 12912d8
Showing 1 changed file with 23 additions and 16 deletions.
Expand Up @@ -2,6 +2,7 @@

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
Expand All @@ -13,9 +14,6 @@
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private AuthenticationSuccessHandler authenticationSuccessHandler;

@Autowired
private AuthenticationManager authenticationManager;

Expand All @@ -24,18 +22,27 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.parentAuthenticationManager(authenticationManager);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
http
// FIXME ui/login protection for UI access in a separate configuration
// http.antMatcher("/ui/login")
// .httpBasic().realmName("ontrack").and()
// .authorizeRequests().antMatchers("/ui/login").hasAnyRole(SecurityRoles.ALL);
// FIXME Reenable CSRF protection (depends on the client)
// See http://docs.spring.io/spring-security/site/docs/3.2.0.RC2/reference/htmlsingle/#csrf-using
.csrf().disable()
.formLogin().loginPage("/login").successHandler(authenticationSuccessHandler).and()
.logout().logoutUrl("/logout").logoutSuccessUrl("/").and()
.authorizeRequests().anyRequest().permitAll();
@Configuration
@Order(10)
public static class GUIHTTPSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private AuthenticationSuccessHandler authenticationSuccessHandler;

@Override
protected void configure(HttpSecurity http) throws Exception {
http
// FIXME ui/login protection for UI access in a separate configuration
// http.antMatcher("/ui/login")
// .httpBasic().realmName("ontrack").and()
// .authorizeRequests().antMatchers("/ui/login").hasAnyRole(SecurityRoles.ALL);
// FIXME Reenable CSRF protection (depends on the client)
// See http://docs.spring.io/spring-security/site/docs/3.2.0.RC2/reference/htmlsingle/#csrf-using
.csrf().disable()
.formLogin().loginPage("/login").successHandler(authenticationSuccessHandler).and()
.logout().logoutUrl("/logout").logoutSuccessUrl("/").and()
.authorizeRequests().anyRequest().permitAll();
}

}
}
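Review bot: `GUIHTTPSecurityConfig` declares no request matcher, so at `@Order(10)` its chain applies to every request, and Spring Security uses only the first chain that matches. The separate `/ui/login` HTTP Basic configuration described in the FIXME will therefore be shadowed unless its adapter gets an order value below 10 or this class is narrowed with `antMatcher(...)`; until then `/ui/login` stays under `anyRequest().permitAll()` with CSRF disabled. I would record that on the class, e.g. `// Catch-all chain: any path-specific adapter (such as /ui/login) needs an @Order lower than 10 to take effect.` The outer `WebSecurityConfig` still extends `WebSecurityConfigurerAdapter` but, as far as the visible hunks show, no longer overrides `configure(HttpSecurity)`, so it appears to contribute a second, default chain that can never match; worth confirming that is intended.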
