From c0426179368f9069e5b77194de22a540a771983e Mon Sep 17 00:00:00 2001
From: Robert Kohanyi <robert.kohanyi@metapack.com>
Date: Sat, 16 Apr 2016 14:20:12 +0100
Subject: [PATCH 1/4] Add (commented out) config for Spring Channel Security

---
 .../main/java/org/baeldung/spring/SecSecurityConfig.java | 8 ++++++++
 .../src/main/resources/webSecurityConfig.xml             | 9 +++++++++
 2 files changed, 17 insertions(+)

diff --git a/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java b/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
index 08cb09384b..0cc6df19ae 100644
--- a/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
+++ b/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
@@ -38,6 +38,14 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
         .antMatchers("/login*").permitAll()
         .anyRequest().authenticated()
         .and()
+        //.requiresChannel()
+        //.antMatchers("/login*", "/perform_log*").requiresSecure()
+        //.anyRequest().requiresInsecure()
+        //.and()
+        //.sessionManagement()
+        //.sessionFixation()
+        //.none()
+        //.and()
         .formLogin()
         .loginPage("/login.html")
         .loginProcessingUrl("/perform_login")
diff --git a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
index ec4cf60eb5..0b77e64c74 100644
--- a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
+++ b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
@@ -11,6 +11,12 @@
         <intercept-url pattern="/anonymous*" access="isAnonymous()"/>
         <intercept-url pattern="/login*" access="permitAll"/>
         <intercept-url pattern="/**" access="isAuthenticated()"/>
+        <!--
+        <intercept-url pattern="/anonymous*" access="isAnonymous()" requires-channel="http"/>
+        <intercept-url pattern="/login*" access="permitAll" requires-channel="https"/>
+        <intercept-url pattern="/perform_log*" access="permitAll" requires-channel="https"/>
+        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="http"/>
+        -->
 
         <csrf disabled="true"/>
         
@@ -19,6 +25,9 @@
 
         <logout logout-url="/perform_logout" delete-cookies="JSESSIONID" success-handler-ref="customLogoutSuccessHandler"/>
 
+        <!--
+        <session-management session-fixation-protection="none"/>
+        -->
     </http>
 
     <beans:bean name="customLogoutSuccessHandler" class="org.baeldung.security.CustomLogoutSuccessHandler"/>

From cddd15019c64a5dcc80f505af530a81d99356a43 Mon Sep 17 00:00:00 2001
From: Robert Kohanyi <robert.kohanyi@metapack.com>
Date: Sun, 24 Apr 2016 20:48:07 +0100
Subject: [PATCH 2/4] Refined the url pattern for perform_login, remove
 permitAll (it's not needed, works either way)

---
 .../src/main/java/org/baeldung/spring/SecSecurityConfig.java  | 2 +-
 .../src/main/resources/webSecurityConfig.xml                  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java b/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
index 0cc6df19ae..b4d0a6466b 100644
--- a/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
+++ b/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
@@ -39,7 +39,7 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
         .anyRequest().authenticated()
         .and()
         //.requiresChannel()
-        //.antMatchers("/login*", "/perform_log*").requiresSecure()
+        //.antMatchers("/login*", "/perform_login").requiresSecure()
         //.anyRequest().requiresInsecure()
         //.and()
         //.sessionManagement()
diff --git a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
index 0b77e64c74..460f3422d5 100644
--- a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
+++ b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
@@ -14,12 +14,12 @@
         <!--
         <intercept-url pattern="/anonymous*" access="isAnonymous()" requires-channel="http"/>
         <intercept-url pattern="/login*" access="permitAll" requires-channel="https"/>
-        <intercept-url pattern="/perform_log*" access="permitAll" requires-channel="https"/>
+        <intercept-url pattern="/perform_login" requires-channel="https"/>
         <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="http"/>
         -->
 
         <csrf disabled="true"/>
-        
+
         <form-login login-page='/login.html' login-processing-url="/perform_login" default-target-url="/homepage.html" authentication-failure-url="/login.html?error=true"
             always-use-default-target="true"/>
 

From 01be10edbb7cc5dd94b337f3cf92bb57617248d5 Mon Sep 17 00:00:00 2001
From: Robert Kohanyi <robert.kohanyi@metapack.com>
Date: Mon, 2 May 2016 16:11:59 +0100
Subject: [PATCH 3/4] /anonymous.html doesn't require http to set explicitely
 after we set it for /**

---
 .../src/main/resources/webSecurityConfig.xml                    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
index 460f3422d5..3bba50a87d 100644
--- a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
+++ b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
@@ -12,7 +12,7 @@
         <intercept-url pattern="/login*" access="permitAll"/>
         <intercept-url pattern="/**" access="isAuthenticated()"/>
         <!--
-        <intercept-url pattern="/anonymous*" access="isAnonymous()" requires-channel="http"/>
+        <intercept-url pattern="/anonymous*" access="isAnonymous()"/>
         <intercept-url pattern="/login*" access="permitAll" requires-channel="https"/>
         <intercept-url pattern="/perform_login" requires-channel="https"/>
         <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="http"/>

From d0aee4efa9994d3a010246c821f161740e902fa4 Mon Sep 17 00:00:00 2001
From: Robert Kohanyi <robert.kohanyi@metapack.com>
Date: Mon, 2 May 2016 16:56:50 +0100
Subject: [PATCH 4/4] Create new sec conf activated by https spring profile
 based on Slavisa's idea

---
 .../spring/ChannelSecSecurityConfig.java      | 69 +++++++++++++++++++
 .../baeldung/spring/SecSecurityConfig.java    | 10 +--
 .../resources/channelWebSecurityConfig.xml    | 37 ++++++++++
 .../src/main/resources/webSecurityConfig.xml  | 10 ---
 4 files changed, 108 insertions(+), 18 deletions(-)
 create mode 100644 spring-security-mvc-login/src/main/java/org/baeldung/spring/ChannelSecSecurityConfig.java
 create mode 100644 spring-security-mvc-login/src/main/resources/channelWebSecurityConfig.xml

diff --git a/spring-security-mvc-login/src/main/java/org/baeldung/spring/ChannelSecSecurityConfig.java b/spring-security-mvc-login/src/main/java/org/baeldung/spring/ChannelSecSecurityConfig.java
new file mode 100644
index 0000000000..4f736360b9
--- /dev/null
+++ b/spring-security-mvc-login/src/main/java/org/baeldung/spring/ChannelSecSecurityConfig.java
@@ -0,0 +1,69 @@
+package org.baeldung.spring;
+
+import org.baeldung.security.CustomLogoutSuccessHandler;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+
+@Configuration
+// @ImportResource({ "classpath:channelWebSecurityConfig.xml" })
+@EnableWebSecurity
+@Profile("https")
+public class ChannelSecSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    public ChannelSecSecurityConfig() {
+        super();
+    }
+
+    @Override
+    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
+        // @formatter:off
+        auth.inMemoryAuthentication()
+        .withUser("user1").password("user1Pass").roles("USER")
+        .and()
+        .withUser("user2").password("user2Pass").roles("USER");
+        // @formatter:on
+    }
+
+    @Override
+    protected void configure(final HttpSecurity http) throws Exception {
+        // @formatter:off
+        http
+        .csrf().disable()
+        .authorizeRequests()
+        .antMatchers("/anonymous*").anonymous()
+        .antMatchers("/login*").permitAll()
+        .anyRequest().authenticated()
+        .and()
+        .requiresChannel()
+        .antMatchers("/login*", "/perform_login").requiresSecure()
+        .anyRequest().requiresInsecure()
+        .and()
+        .sessionManagement()
+        .sessionFixation()
+        .none()
+        .and()
+        .formLogin()
+        .loginPage("/login.html")
+        .loginProcessingUrl("/perform_login")
+        .defaultSuccessUrl("/homepage.html",true)
+        .failureUrl("/login.html?error=true")
+        .and()
+        .logout()
+        .logoutUrl("/perform_logout")
+        .deleteCookies("JSESSIONID")
+        .logoutSuccessHandler(logoutSuccessHandler());
+        // @formatter:on
+    }
+
+    @Bean
+    public LogoutSuccessHandler logoutSuccessHandler() {
+        return new CustomLogoutSuccessHandler();
+    }
+
+}
diff --git a/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java b/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
index b4d0a6466b..654c934fac 100644
--- a/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
+++ b/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
@@ -3,6 +3,7 @@ package org.baeldung.spring;
 import org.baeldung.security.CustomLogoutSuccessHandler;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -12,6 +13,7 @@ import org.springframework.security.web.authentication.logout.LogoutSuccessHandl
 @Configuration
 // @ImportResource({ "classpath:webSecurityConfig.xml" })
 @EnableWebSecurity
+@Profile("!https")
 public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
 
     public SecSecurityConfig() {
@@ -38,14 +40,6 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
         .antMatchers("/login*").permitAll()
         .anyRequest().authenticated()
         .and()
-        //.requiresChannel()
-        //.antMatchers("/login*", "/perform_login").requiresSecure()
-        //.anyRequest().requiresInsecure()
-        //.and()
-        //.sessionManagement()
-        //.sessionFixation()
-        //.none()
-        //.and()
         .formLogin()
         .loginPage("/login.html")
         .loginProcessingUrl("/perform_login")
diff --git a/spring-security-mvc-login/src/main/resources/channelWebSecurityConfig.xml b/spring-security-mvc-login/src/main/resources/channelWebSecurityConfig.xml
new file mode 100644
index 0000000000..de073b8aac
--- /dev/null
+++ b/spring-security-mvc-login/src/main/resources/channelWebSecurityConfig.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
+    xsi:schemaLocation="
+		http://www.springframework.org/schema/security 
+        http://www.springframework.org/schema/security/spring-security-4.0.xsd
+		http://www.springframework.org/schema/beans 
+        http://www.springframework.org/schema/beans/spring-beans-4.2.xsd"
+>
+
+    <http use-expressions="true">
+        <intercept-url pattern="/anonymous*" access="isAnonymous()"/>
+        <intercept-url pattern="/login*" access="permitAll" requires-channel="https"/>
+        <intercept-url pattern="/perform_login" requires-channel="https"/>
+        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="http"/>
+
+        <csrf disabled="true"/>
+
+        <form-login login-page='/login.html' login-processing-url="/perform_login" default-target-url="/homepage.html" authentication-failure-url="/login.html?error=true"
+            always-use-default-target="true"/>
+
+        <logout logout-url="/perform_logout" delete-cookies="JSESSIONID" success-handler-ref="customLogoutSuccessHandler"/>
+
+        <session-management session-fixation-protection="none"/>
+    </http>
+
+    <beans:bean name="customLogoutSuccessHandler" class="org.baeldung.security.CustomLogoutSuccessHandler"/>
+
+    <authentication-manager>
+        <authentication-provider>
+            <user-service>
+                <user name="user1" password="user1Pass" authorities="ROLE_USER"/>
+                <user name="user2" password="user2Pass" authorities="ROLE_USER"/>
+            </user-service>
+        </authentication-provider>
+    </authentication-manager>
+
+</beans:beans>
\ No newline at end of file
diff --git a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
index 3bba50a87d..7a736d0024 100644
--- a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
+++ b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
@@ -11,12 +11,6 @@
         <intercept-url pattern="/anonymous*" access="isAnonymous()"/>
         <intercept-url pattern="/login*" access="permitAll"/>
         <intercept-url pattern="/**" access="isAuthenticated()"/>
-        <!--
-        <intercept-url pattern="/anonymous*" access="isAnonymous()"/>
-        <intercept-url pattern="/login*" access="permitAll" requires-channel="https"/>
-        <intercept-url pattern="/perform_login" requires-channel="https"/>
-        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="http"/>
-        -->
 
         <csrf disabled="true"/>
 
@@ -24,10 +18,6 @@
             always-use-default-target="true"/>
 
         <logout logout-url="/perform_logout" delete-cookies="JSESSIONID" success-handler-ref="customLogoutSuccessHandler"/>
-
-        <!--
-        <session-management session-fixation-protection="none"/>
-        -->
     </http>
 
     <beans:bean name="customLogoutSuccessHandler" class="org.baeldung.security.CustomLogoutSuccessHandler"/>