From 75d4ac98275575d9cb94c3a0fc8f9f82b83a05ad Mon Sep 17 00:00:00 2001
From: "fabio.formosa"
Date: Wed, 22 Apr 2020 23:23:46 +0200
Subject: [PATCH] #6 added login success strategies
---
 .../DeprecatedWebSecurityConfig.java | 89 +++++++++++++++++++
 .../configuration/WebSecurityConfig.java | 88 ------------------
 .../configuration/WebSecurityConfigJWT.java | 10 +-
 .../configuration/helpers/LoginConfig.java | 2 +-
 .../helpers/impl/FormLoginConfig.java | 2 +-
 .../UsernamePasswordFiterLoginConfig.java | 10 +-
 .../properties/JwtSecurityProperties.java | 20 ++++-
 .../security/JwtTokenHelper.java | 20 +---
 .../auth/JwtAuthenticationFilter.java | 14 +-
 .../JwtAuthenticationSuccessHandlerImpl.java | 47 +++++----
 .../security/auth/LogoutSuccess.java | 22 ++--
 .../src/main/resources/application.yml | 4 +-
 12 files changed, 159 insertions(+), 169 deletions(-)
 create mode 100644 quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/DeprecatedWebSecurityConfig.java
 delete mode 100644 quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/WebSecurityConfig.java
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/DeprecatedWebSecurityConfig.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/DeprecatedWebSecurityConfig.java
new file mode 100644
index 0000000..5c9f8bf
--- /dev/null
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/DeprecatedWebSecurityConfig.java
@@ -0,0 +1,89 @@
+package it.fabioformosa.quartzmanager.configuration;
+
+import javax.annotation.Resource;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
+import it.fabioformosa.quartzmanager.security.ComboEntryPoint;
+import it.fabioformosa.quartzmanager.security.auth.AuthenticationFailureHandler;
+import it.fabioformosa.quartzmanager.security.auth.AuthenticationSuccessHandler;
+
+@Deprecated
+//@Configuration
+//@EnableWebSecurity
+//@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class DeprecatedWebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ // @Configuration
+ @Order(1)
+ public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.csrf().disable() //
+ .antMatcher("/notifications").authorizeRequests().anyRequest().hasAnyRole("ADMIN").and()
+ .httpBasic();
+ }
+
+ @Override
+ public void configure(WebSecurity web) throws Exception {
+ web.ignoring().antMatchers("/","/v2/api-docs",
+ "/swagger-resources/**",
+ "/swagger-ui.html",
+ "/webjars/**",
+ "/csrf");
+ }
+ }
+
+ // @Configuration
+ @Order(2)
+ public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Resource
+ private ComboEntryPoint comboEntryPoint;
+
+ @Autowired
+ private AuthenticationSuccessHandler authenticationSuccessHandler;
+
+ @Autowired
+ private AuthenticationFailureHandler authenticationFailureHandler;
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // http.csrf().ignoringAntMatchers("/api/login", "/api/signup").and() //
+ http.cors().and().csrf().disable().exceptionHandling().authenticationEntryPoint(comboEntryPoint)
+ .and()//
+ .authorizeRequests().anyRequest().authenticated().and()//
+ .formLogin().loginPage("/api/login").successHandler(authenticationSuccessHandler)
+ .failureHandler(authenticationFailureHandler).and().logout()
+ .logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"))
+ .logoutSuccessUrl("/manager");
+ }
+
+ @Override
+ public void configure(WebSecurity web) throws Exception {
+ web.ignoring().antMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/webjars/**");
+ }
+ }
+
+ @Value("${quartz-manager.account.user}")
+ private String adminUser;
+
+ @Value("${quartz-manager.account.pwd}")
+ private String adminPwd;
+
+ @Autowired
+ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+ PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
+ auth.inMemoryAuthentication().withUser(adminUser).password(encoder.encode(adminPwd)).roles("ADMIN");
+ }
+
+}
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/WebSecurityConfig.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/WebSecurityConfig.java
deleted file mode 100644
index b0b9f6f..0000000
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/WebSecurityConfig.java
+++ /dev/null
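Review bot: The class is marked `@Deprecated` but carries no Javadoc `@deprecated` tag naming its replacement, and with `@Configuration`/`@EnableWebSecurity` still commented out it is never registered, so a reader cannot tell whether it is kept for reference or is still meant to be wired in. Add a Javadoc header above `@Deprecated`, e.g. `/** @deprecated superseded by {@link WebSecurityConfigJWT}; kept for reference only and intentionally not registered as a configuration. */`, assuming that class (the active `@EnableWebSecurity` configuration in this patch) is the intended replacement. If it is purely reference material, deleting it instead of renaming it would also take the unused `csrf().disable()` and in-memory `ADMIN` account wiring out of the tree.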
@@ -1,88 +0,0 @@
-package it.fabioformosa.quartzmanager.configuration;
-
-import javax.annotation.Resource;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.core.annotation.Order;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.crypto.factory.PasswordEncoderFactories;
-import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-
-import it.fabioformosa.quartzmanager.security.ComboEntryPoint;
-import it.fabioformosa.quartzmanager.security.auth.AuthenticationFailureHandler;
-import it.fabioformosa.quartzmanager.security.auth.AuthenticationSuccessHandler;
-
-//@Configuration
-//@EnableWebSecurity
-//@EnableGlobalMethodSecurity(prePostEnabled = true)
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
-
- // @Configuration
- @Order(1)
- public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
- @Override
- public void configure(WebSecurity web) throws Exception {
- web.ignoring().antMatchers("/","/v2/api-docs",
- "/swagger-resources/**",
- "/swagger-ui.html",
- "/webjars/**",
- "/csrf");
- }
-
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- http.csrf().disable() //
- .antMatcher("/notifications").authorizeRequests().anyRequest().hasAnyRole("ADMIN").and()
- .httpBasic();
- }
- }
-
- // @Configuration
- @Order(2)
- public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter {
-
- @Resource
- private ComboEntryPoint comboEntryPoint;
-
- @Autowired
- private AuthenticationSuccessHandler authenticationSuccessHandler;
-
- @Autowired
- private AuthenticationFailureHandler authenticationFailureHandler;
-
- @Override
- public void configure(WebSecurity web) throws Exception {
- web.ignoring().antMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/webjars/**");
- }
-
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- // http.csrf().ignoringAntMatchers("/api/login", "/api/signup").and() //
- http.cors().and().csrf().disable().exceptionHandling().authenticationEntryPoint(comboEntryPoint)
- .and()//
- .authorizeRequests().anyRequest().authenticated().and()//
- .formLogin().loginPage("/api/login").successHandler(authenticationSuccessHandler)
- .failureHandler(authenticationFailureHandler).and().logout()
- .logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"))
- .logoutSuccessUrl("/manager");
- }
- }
-
- @Value("${quartz-manager.account.user}")
- private String adminUser;
-
- @Value("${quartz-manager.account.pwd}")
- private String adminPwd;
-
- @Autowired
- public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
- PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
- auth.inMemoryAuthentication().withUser(adminUser).password(encoder.encode(adminPwd)).roles("ADMIN");
- }
-
-}
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/WebSecurityConfigJWT.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/WebSecurityConfigJWT.java
index 16bedb9..79e11ba 100644
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/WebSecurityConfigJWT.java
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/WebSecurityConfigJWT.java
@@ -35,7 +35,6 @@ import it.fabioformosa.quartzmanager.security.auth.TokenAuthenticationFilter;
 * @author Fabio.Formosa
 *
 */
-
 @Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
@@ -53,7 +52,7 @@ public class WebSecurityConfigJWT extends WebSecurityConfigurerAdapter {
 private LogoutSuccess logoutSuccess;
 @Autowired
- private LoginConfig loginConfigurer;
+ private LoginConfig loginConfig;
 @Autowired
 private InMemoryAccountProperties inMemoryAccountProps;
@@ -75,13 +74,14 @@ public class WebSecurityConfigJWT extends WebSecurityConfigurerAdapter {
 protected void configure(HttpSecurity http) throws Exception {
 // http.csrf().ignoringAntMatchers("/api/login", "/api/signup") //
 // .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) //
+
 http.csrf().disable() //
 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() //
- .exceptionHandling().authenticationEntryPoint(restAuthEntryPoint()).and()
- .addFilterBefore(jwtAuthenticationTokenFilter(), BasicAuthenticationFilter.class)
+ .exceptionHandling().authenticationEntryPoint(restAuthEntryPoint()).and() //
+ .addFilterBefore(jwtAuthenticationTokenFilter(), BasicAuthenticationFilter.class) //
 .authorizeRequests().anyRequest().authenticated();
- loginConfigurer.configureLoginHandler(http, authenticationManager()).logout().logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"))
+ loginConfig.login(http, authenticationManager()).logout().logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"))
 .logoutSuccessHandler(logoutSuccess).deleteCookies(TOKEN_COOKIE);
 }
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/LoginConfig.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/LoginConfig.java
index be5b2fd..0692c50 100644
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/LoginConfig.java
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/LoginConfig.java
@@ -5,6 +5,6 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 public interface LoginConfig {
- HttpSecurity configureLoginHandler(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception;
+ HttpSecurity login(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception;
 }
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/impl/FormLoginConfig.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/impl/FormLoginConfig.java
index e683754..3e70044 100644
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/impl/FormLoginConfig.java
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/impl/FormLoginConfig.java
@@ -23,7 +23,7 @@ public class FormLoginConfig implements LoginConfig {
 private AuthenticationFailureHandler authenticationFailureHandler;
 @Override
- public HttpSecurity configureLoginHandler(
+ public HttpSecurity login(
 HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
 return http.formLogin().loginPage(API_LOGIN).successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler).and();
 }
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/impl/UsernamePasswordFiterLoginConfig.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/impl/UsernamePasswordFiterLoginConfig.java
index 1a89bff..8305e42 100644
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/impl/UsernamePasswordFiterLoginConfig.java
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/helpers/impl/UsernamePasswordFiterLoginConfig.java
@@ -1,6 +1,5 @@
 package it.fabioformosa.quartzmanager.configuration.helpers.impl;
-import it.fabioformosa.quartzmanager.security.auth.JwtAuthenticationSuccessHandler;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.http.HttpMethod;
@@ -12,8 +11,8 @@ import org.springframework.stereotype.Component;
 import org.springframework.web.filter.GenericFilterBean;
 import it.fabioformosa.quartzmanager.configuration.helpers.LoginConfig;
-import it.fabioformosa.quartzmanager.security.JwtTokenHelper;
 import it.fabioformosa.quartzmanager.security.auth.JwtAuthenticationFilter;
+import it.fabioformosa.quartzmanager.security.auth.JwtAuthenticationSuccessHandler;
 @Component
 @ConditionalOnProperty(prefix = "quartz-manager.security.login-model", name = "userpwd-filter-enabled", havingValue = "true", matchIfMissing = false)
@@ -21,20 +20,17 @@ public class UsernamePasswordFiterLoginConfig implements LoginConfig {
 private static final String API_LOGIN = "/api/login";
- @Autowired
- private JwtTokenHelper jwtTokenHelper;
-
 @Autowired
 private JwtAuthenticationSuccessHandler jwtAuthenticationSuccessHandler;
 public GenericFilterBean authenticationProcessingFilter(AuthenticationManager authenticationManager) throws Exception {
- JwtAuthenticationFilter authenticationProcessingFilter = new JwtAuthenticationFilter(authenticationManager, jwtTokenHelper, jwtAuthenticationSuccessHandler);
+ JwtAuthenticationFilter authenticationProcessingFilter = new JwtAuthenticationFilter(authenticationManager, jwtAuthenticationSuccessHandler);
 authenticationProcessingFilter.setRequiresAuthenticationRequestMatcher(new RegexRequestMatcher(API_LOGIN, HttpMethod.POST.name(), false));
 return authenticationProcessingFilter;
 }
 @Override
- public HttpSecurity configureLoginHandler(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
+ public HttpSecurity login(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
 return http.addFilterAfter(authenticationProcessingFilter(authenticationManager), AbstractPreAuthenticatedProcessingFilter.class);
 }
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/properties/JwtSecurityProperties.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/properties/JwtSecurityProperties.java
index d2e9f49..e33baba 100644
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/properties/JwtSecurityProperties.java
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/configuration/properties/JwtSecurityProperties.java
@@ -1,10 +1,12 @@
 package it.fabioformosa.quartzmanager.configuration.properties;
+import lombok.Data;
 import lombok.Getter;
 import lombok.Setter;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
+
 @Configuration
 @ConfigurationProperties(prefix = "quartz-manager.security.jwt")
 @Getter @Setter
@@ -12,6 +14,20 @@ public class JwtSecurityProperties {
 private boolean enabled;
 private String secret;
 private long expirationInSec;
- private String header;
- private String cookie;
+
+ private CookieStrategy cookieStrategy;
+ private HeaderStrategy headerStrategy;
+
+ @Data
+ public static class CookieStrategy {
+ private boolean enabled;
+ private String cookie;
+ }
+
+ @Data
+ public static class HeaderStrategy {
+ private boolean enabled;
+ private String header;
+ }
+
 }
\ No newline at end of file
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/JwtTokenHelper.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/JwtTokenHelper.java
index e3b2b82..a7d570e 100644
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/JwtTokenHelper.java
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/JwtTokenHelper.java
@@ -37,20 +37,6 @@ public class JwtTokenHelper {
 @Value("${app.name}")
 private String APP_NAME;
- // @Value("${jwt.secret}")
- // private String SECRET;
- //
- // @Value("${jwt.expires_in_sec}")
- // private int EXPIRES_IN_SEC;
- //
- // @Value("${jwt.header}")
- // private String AUTH_HEADER;
-
- // @Autowired
- // UserDetailsService userDetailsService;
- //
- // @Value("${jwt.cookie}")
- // private String AUTH_COOKIE;
 @Autowired
 private JwtSecurityProperties jwtSecurityProps;
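Review bot: `cookieStrategy` and `headerStrategy` stay null whenever the matching `quartz-manager.security.jwt.*-strategy` section is absent from the configuration, so the first `getCookieStrategy().isEnabled()` or `getHeaderStrategy().getHeader()` call elsewhere in this patch fails with a NullPointerException at login or on the first authenticated request. Initialise the nested objects in the declaration, `private CookieStrategy cookieStrategy = new CookieStrategy();` and `private HeaderStrategy headerStrategy = new HeaderStrategy();`, so a missing section simply reads as a disabled strategy (`enabled` defaults to false). The same null path is reached by the new reads in `JwtTokenHelper.getToken` and `JwtAuthenticationSuccessHandlerImpl.onSuccess` further down; fixing it here covers both.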
@@ -131,11 +117,11 @@ public class JwtTokenHelper {
 }
 public String getToken(HttpServletRequest request) {
- Cookie authCookie = getCookieValueByName(request, jwtSecurityProps.getCookie());
+ Cookie authCookie = getCookieValueByName(request, jwtSecurityProps.getCookieStrategy().getCookie());
 if ( authCookie != null ) return authCookie.getValue();
- String authHeader = request.getHeader(jwtSecurityProps.getHeader());
+ String authHeader = request.getHeader(jwtSecurityProps.getHeaderStrategy().getHeader());
 if ( authHeader != null && authHeader.startsWith("Bearer ")) return authHeader.substring(7);
@@ -168,6 +154,6 @@ public class JwtTokenHelper {
 }
 public void setHeader(HttpServletResponse response, String token) {
- response.addHeader(jwtSecurityProps.getHeader(), "Bearer " + token);
+ response.addHeader(jwtSecurityProps.getHeaderStrategy().getHeader(), "Bearer " + token);
 }
 }
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/JwtAuthenticationFilter.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/JwtAuthenticationFilter.java
index a2bf6b2..7d43fa8 100644
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/JwtAuthenticationFilter.java
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/JwtAuthenticationFilter.java
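Review bot: `getToken` still reads the cookie and the `Authorization` header unconditionally, ignoring the new `enabled` flags that `JwtAuthenticationSuccessHandlerImpl` honours when it issues the token, so a delivery channel switched off on the way out is still accepted on the way in: a cookie carrying the `cookie-strategy.cookie` name authenticates a request even with `cookie-strategy.enabled: false`, and the same holds for the header. Consult each strategy's `isEnabled()` before looking for its token, which also makes "disabled" mean the same thing on both sides of the login. The rest of `getToken` lies outside the hunk and is unchanged by this suggestion.
```java
 public String getToken(HttpServletRequest request) {
  JwtSecurityProperties.CookieStrategy cookieStrategy = jwtSecurityProps.getCookieStrategy();
  if (cookieStrategy.isEnabled()) {
   Cookie authCookie = getCookieValueByName(request, cookieStrategy.getCookie());
   if (authCookie != null)
    return authCookie.getValue();
  }

  JwtSecurityProperties.HeaderStrategy headerStrategy = jwtSecurityProps.getHeaderStrategy();
  if (headerStrategy.isEnabled()) {
   String authHeader = request.getHeader(headerStrategy.getHeader());
   if (authHeader != null && authHeader.startsWith("Bearer "))
    return authHeader.substring(7);
  }
  // … unchanged: remainder of getToken …
```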
@@ -4,23 +4,17 @@ import javax.servlet.FilterChain;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import lombok.SneakyThrows;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import it.fabioformosa.quartzmanager.security.JwtTokenHelper;
-
-import java.io.IOException;
+import lombok.SneakyThrows;
 public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
- private final JwtTokenHelper jwtTokenHelper;
 private JwtAuthenticationSuccessHandler jwtAuthenticationSuccessHandler;
- public JwtAuthenticationFilter(AuthenticationManager authenticationManager, JwtTokenHelper jwtTokenHelper, JwtAuthenticationSuccessHandler jwtAuthenticationSuccessHandler) {
- this.jwtTokenHelper = jwtTokenHelper;
+ public JwtAuthenticationFilter(AuthenticationManager authenticationManager, JwtAuthenticationSuccessHandler jwtAuthenticationSuccessHandler) {
 this.jwtAuthenticationSuccessHandler = jwtAuthenticationSuccessHandler;
 setAuthenticationManager(authenticationManager);
 }
@@ -31,10 +25,6 @@ public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilte
 HttpServletResponse res, FilterChain chain, Authentication auth) {
- UserDetails user = (UserDetails) auth.getPrincipal();
- String token = jwtTokenHelper.generateToken(user.getUsername());
- jwtTokenHelper.setHeader(res, token);
-
 jwtAuthenticationSuccessHandler.onSuccess(auth, res);
 }
 }
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/JwtAuthenticationSuccessHandlerImpl.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/JwtAuthenticationSuccessHandlerImpl.java
index 79f1afc..c342478 100644
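Review bot: After this change the `successfulAuthentication` override does nothing but forward to `jwtAuthenticationSuccessHandler.onSuccess(auth, res)`, so the subclass now exists only to adapt that two-argument callback; `UsernamePasswordAuthenticationFilter` already accepts a success handler through `setAuthenticationSuccessHandler`, and adapting `JwtAuthenticationSuccessHandler` to that interface in `UsernamePasswordFiterLoginConfig.authenticationProcessingFilter` (the hunk above) would let this class go. If it stays, the remaining field should be `private final JwtAuthenticationSuccessHandler jwtAuthenticationSuccessHandler;`, as the removed `jwtTokenHelper` was. The override also still skips `super.successfulAuthentication`, so the framework's own post-login steps (presumably including populating the `SecurityContextHolder`) are not run for this request; that predates the commit and may be deliberate for a stateless filter, but a one-line comment stating so would spare the next reader the question. The method's signature and any `@SneakyThrows` on it lie outside the hunk.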
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/JwtAuthenticationSuccessHandlerImpl.java
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/JwtAuthenticationSuccessHandlerImpl.java
@@ -1,26 +1,26 @@
 package it.fabioformosa.quartzmanager.security.auth;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import it.fabioformosa.quartzmanager.security.JwtTokenHelper;
-import it.fabioformosa.quartzmanager.security.model.UserTokenState;
+import java.io.IOException;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.stereotype.Component;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import it.fabioformosa.quartzmanager.configuration.properties.JwtSecurityProperties;
+import it.fabioformosa.quartzmanager.security.JwtTokenHelper;
+import it.fabioformosa.quartzmanager.security.model.UserTokenState;
 @Component
 public class JwtAuthenticationSuccessHandlerImpl implements JwtAuthenticationSuccessHandler {
- @Value("${quartz-manager.security.jwt.expiration-in-sec}")
- private int EXPIRES_IN_SEC;
-
- @Value("${quartz-manager.security.jwt.cookie}")
- private String TOKEN_COOKIE;
+ @Autowired
+ private JwtSecurityProperties jwtSecurityProps;
 private final JwtTokenHelper jwtTokenHelper;
@@ -28,7 +28,7 @@ public class JwtAuthenticationSuccessHandlerImpl implements JwtAuthenticationSuc
 @Autowired
 public JwtAuthenticationSuccessHandlerImpl(JwtTokenHelper tokenHelper, ObjectMapper objectMapper) {
- this.jwtTokenHelper = tokenHelper;
+ jwtTokenHelper = tokenHelper;
 this.objectMapper = objectMapper;
 }
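Review bot: The new `@Autowired private JwtSecurityProperties jwtSecurityProps;` introduces field injection into a class that otherwise receives its collaborators through the `@Autowired` constructor, leaving this one dependency non-final and invisible to anyone constructing the handler directly in a test. Pass it through the constructor instead, `public JwtAuthenticationSuccessHandlerImpl(JwtTokenHelper tokenHelper, ObjectMapper objectMapper, JwtSecurityProperties jwtSecurityProps)`, and keep it in a `private final` field like `jwtTokenHelper`. In the second hunk, dropping `this.` from `jwtTokenHelper = tokenHelper;` while the next line keeps `this.objectMapper = objectMapper;` makes the two assignments read inconsistently; either form is fine, but use one.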
@@ -36,17 +36,20 @@ public class JwtAuthenticationSuccessHandlerImpl implements JwtAuthenticationSuc
 public void onSuccess(Authentication authentication, HttpServletResponse response) throws IOException {
 User user = (User) authentication.getPrincipal();
- String jws = jwtTokenHelper.generateToken(user.getUsername());
+ String jwtToken = jwtTokenHelper.generateToken(user.getUsername());
- //set cookie or set header?
- Cookie authCookie = new Cookie(TOKEN_COOKIE, jws);
- authCookie.setHttpOnly(true);
- authCookie.setMaxAge(EXPIRES_IN_SEC);
- authCookie.setPath("/quartz-manager");
- response.addCookie(authCookie);
+ if(jwtSecurityProps.getCookieStrategy().isEnabled()) {
+ Cookie authCookie = new Cookie(jwtSecurityProps.getCookieStrategy().getCookie(), jwtToken);
+ authCookie.setHttpOnly(true);
+ authCookie.setMaxAge((int) jwtSecurityProps.getExpirationInSec());
+ authCookie.setPath("/quartz-manager");
+ response.addCookie(authCookie);
+ }
- // JWT is also in the response
- UserTokenState userTokenState = new UserTokenState(jws, EXPIRES_IN_SEC);
+ if(jwtSecurityProps.getHeaderStrategy().isEnabled())
+ jwtTokenHelper.setHeader(response, jwtToken);
+
+ UserTokenState userTokenState = new UserTokenState(jwtToken, jwtSecurityProps.getExpirationInSec());
 String jwtResponse = objectMapper.writeValueAsString(userTokenState);
 response.setContentType("application/json");
 response.getWriter().write(jwtResponse);
diff --git a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/LogoutSuccess.java b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/LogoutSuccess.java
index 82d2f17..c52e09f 100644
--- a/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/LogoutSuccess.java
+++ b/quartz-manager-api/src/main/java/it/fabioformosa/quartzmanager/security/auth/LogoutSuccess.java
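Review bot: The cookie branch issues the JWT as an `HttpOnly` cookie with neither the `Secure` attribute nor any `SameSite` setting, and it runs under a configuration where `WebSecurityConfigJWT` keeps `http.csrf().disable()` (context in an earlier hunk): unlike the header strategy, a cookie-borne token is attached by the browser to cross-site requests aimed at this origin as well, so this channel needs `authCookie.setSecure(true)` (or a `secure` flag on `CookieStrategy`) and, since the `javax.servlet.http.Cookie` API used here has no `SameSite` setter, either a hand-written `Set-Cookie` header (Spring's `ResponseCookie` builder can produce it) or a recorded decision that state-changing calls rely on the header strategy only. `(int) jwtSecurityProps.getExpirationInSec()` silently wraps for values above `Integer.MAX_VALUE`; `Math.toIntExact(jwtSecurityProps.getExpirationInSec())` fails loudly instead. The braceless `if(jwtSecurityProps.getHeaderStrategy().isEnabled())` body should be braced to match the cookie branch, and `"/quartz-manager"` is a hard-coded path that could live on `CookieStrategy` next to the cookie name. `onSuccess` continues past the last line of the hunk.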
@@ -18,18 +18,18 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 @Component
 public class LogoutSuccess implements LogoutSuccessHandler {
- @Autowired
- ObjectMapper objectMapper;
+ @Autowired
+ private ObjectMapper objectMapper;
- @Override
- public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse response, Authentication authentication)
- throws IOException, ServletException {
- Map result = new HashMap<>();
- result.put( "result", "success" );
- response.setContentType("application/json");
- response.getWriter().write( objectMapper.writeValueAsString( result ) );
- response.setStatus(HttpServletResponse.SC_OK);
+ @Override
+ public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse response, Authentication authentication)
+ throws IOException, ServletException {
+ Map result = new HashMap<>();
+ result.put( "result", "success" );
+ response.setContentType("application/json");
+ response.getWriter().write(objectMapper.writeValueAsString(result));
+ response.setStatus(HttpServletResponse.SC_OK);
- }
+ }
 }
\ No newline at end of file
diff --git a/quartz-manager-api/src/main/resources/application.yml b/quartz-manager-api/src/main/resources/application.yml
index 125dcbc..53892f1 100644
--- a/quartz-manager-api/src/main/resources/application.yml
+++ b/quartz-manager-api/src/main/resources/application.yml
@@ -35,10 +35,8 @@ quartz-manager:
 enabled: true
 secret: "bibidibobidiboo"
 expiration-in-sec: 28800 # 8 hours
- header: "Authorization"
- cookie: AUTH-TOKEN
 header-strategy:
- enabled: false
+ enabled: true
 header: "Authorization"
 cookie-strategy:
 enabled: true
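Review bot: The re-indented body keeps the raw `Map result = new HashMap<>();`, which only compiles with an unchecked warning; since every line of the method is rewritten here anyway, tighten it to `Map<String, String> result = new HashMap<>();`. Making `objectMapper` `private` is a good change; the remainder of the hunk is whitespace.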
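Review bot: With `header-strategy.enabled` flipped to `true` both strategies are now on, so every successful login emits the token in the `Authorization` header, in a cookie and in the JSON body, while `JwtTokenHelper.getToken` consults the cookie before the header on the way in; nothing in the file records that this is the intended default. A comment on the section would capture the decision, e.g. `# token delivery after login: header-strategy adds "Authorization: Bearer <token>", cookie-strategy sets an HttpOnly cookie; the JSON response body always carries the token`. The unchanged `secret: "bibidibobidiboo"` line is context, but a literal signing secret in application.yml is worth moving behind an environment override in a follow-up.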