JAVA-12754: removed module spring-5-security
This commit is contained in:
sampadawagde
parent
7e0f6db35b
commit
4761c771c1
@ -1,13 +0,0 @@
|
||||
## Spring 5 Security
|
||||
|
||||
This module contains articles about Spring Security 5
|
||||
|
||||
## Relevant articles:
|
||||
|
||||
- [A Custom Spring SecurityConfigurer](https://www.baeldung.com/spring-security-custom-configurer)
|
||||
- [New Password Storage In Spring Security 5](https://www.baeldung.com/spring-security-5-password-storage)
|
||||
- [Default Password Encoder in Spring Security 5](https://www.baeldung.com/spring-security-5-default-password-encoder)
|
||||
- [Guide to the AuthenticationManagerResolver in Spring Security](https://www.baeldung.com/spring-security-authenticationmanagerresolver)
|
||||
- [Manual Logout With Spring Security](https://www.baeldung.com/spring-security-manual-logout)
|
||||
- [How to Disable Spring Security Logout Redirects](https://www.baeldung.com/spring-security-disable-logout-redirects)
|
||||
- [Prevent Cross-Site Scripting (XSS) in a Spring Application](https://www.baeldung.com/spring-prevent-xss)
|
||||
@ -1,84 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<artifactId>spring-5-security</artifactId>
|
||||
<version>0.0.1-SNAPSHOT</version>
|
||||
<name>spring-5-security</name>
|
||||
<packaging>jar</packaging>
|
||||
<description>spring 5 security sample project</description>
|
||||
|
||||
<parent>
|
||||
<groupId>com.baeldung</groupId>
|
||||
<artifactId>parent-boot-2</artifactId>
|
||||
<version>0.0.1-SNAPSHOT</version>
|
||||
<relativePath>../../parent-boot-2</relativePath>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-thymeleaf</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.thymeleaf.extras</groupId>
|
||||
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-test</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-test</artifactId>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-test</artifactId>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.owasp.esapi</groupId>
|
||||
<artifactId>esapi</artifactId>
|
||||
<version>${esapi.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.jsoup</groupId>
|
||||
<artifactId>jsoup</artifactId>
|
||||
<version>${jsoup.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>commons-io</groupId>
|
||||
<artifactId>commons-io</artifactId>
|
||||
<version>${commons-io.version}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-maven-plugin</artifactId>
|
||||
<configuration>
|
||||
<mainClass>com.baeldung.passwordstorage.PasswordStorageApplication</mainClass>
|
||||
<layout>JAR</layout>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
|
||||
<properties>
|
||||
<jsoup.version>1.13.1</jsoup.version>
|
||||
</properties>
|
||||
|
||||
</project>
|
||||
@ -1,11 +0,0 @@
|
||||
package com.baeldung.authresolver;
|
||||
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
|
||||
@SpringBootApplication
|
||||
public class AuthResolverApplication {
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(AuthResolverApplication.class, args);
|
||||
}
|
||||
}
|
||||
@ -1,18 +0,0 @@
|
||||
package com.baeldung.authresolver;
|
||||
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
@RestController
|
||||
public class AuthResolverController {
|
||||
@GetMapping("/customer/welcome")
|
||||
public String sayWelcomeToCustomer(Authentication authentication) {
|
||||
return String.format("Welcome to our site, %s!", authentication.getPrincipal());
|
||||
}
|
||||
|
||||
@GetMapping("/employee/welcome")
|
||||
public String sayWelcomeToEmployee(Authentication authentication) {
|
||||
return String.format("Welcome to our company, %s!", authentication.getPrincipal());
|
||||
}
|
||||
}
|
||||
@ -1,96 +0,0 @@
|
||||
package com.baeldung.authresolver;
|
||||
|
||||
import java.util.Collections;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.authentication.AuthenticationManagerResolver;
|
||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
import org.springframework.security.web.authentication.AuthenticationConverter;
|
||||
import org.springframework.security.web.authentication.AuthenticationFilter;
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationConverter;
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
|
||||
|
||||
@Configuration
|
||||
public class CustomWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
|
||||
|
||||
public AuthenticationConverter authenticationConverter() {
|
||||
return new BasicAuthenticationConverter();
|
||||
}
|
||||
|
||||
public AuthenticationManagerResolver<HttpServletRequest> resolver() {
|
||||
return request -> {
|
||||
if (request
|
||||
.getPathInfo()
|
||||
.startsWith("/employee")) {
|
||||
return employeesAuthenticationManager();
|
||||
}
|
||||
return customersAuthenticationManager();
|
||||
};
|
||||
}
|
||||
|
||||
public AuthenticationManager customersAuthenticationManager() {
|
||||
return authentication -> {
|
||||
if (isCustomer(authentication)) {
|
||||
return new UsernamePasswordAuthenticationToken(
|
||||
authentication.getPrincipal(),
|
||||
authentication.getCredentials(),
|
||||
Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"))
|
||||
);
|
||||
}
|
||||
throw new UsernameNotFoundException(authentication
|
||||
.getPrincipal()
|
||||
.toString());
|
||||
};
|
||||
}
|
||||
|
||||
private boolean isCustomer(Authentication authentication) {
|
||||
return (authentication
|
||||
.getPrincipal()
|
||||
.toString()
|
||||
.startsWith("customer"));
|
||||
}
|
||||
|
||||
private boolean isEmployee(Authentication authentication) {
|
||||
return (authentication
|
||||
.getPrincipal()
|
||||
.toString()
|
||||
.startsWith("employee"));
|
||||
}
|
||||
|
||||
private AuthenticationFilter authenticationFilter() {
|
||||
AuthenticationFilter filter = new AuthenticationFilter(
|
||||
resolver(), authenticationConverter());
|
||||
filter.setSuccessHandler((request, response, auth) -> {});
|
||||
return filter;
|
||||
}
|
||||
|
||||
private AuthenticationManager employeesAuthenticationManager() {
|
||||
return authentication -> {
|
||||
if (isEmployee(authentication)) {
|
||||
return new UsernamePasswordAuthenticationToken(
|
||||
authentication.getPrincipal(),
|
||||
authentication.getCredentials(),
|
||||
Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"))
|
||||
);
|
||||
}
|
||||
throw new UsernameNotFoundException(authentication
|
||||
.getPrincipal()
|
||||
.toString());
|
||||
};
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) {
|
||||
http.addFilterBefore(
|
||||
authenticationFilter(),
|
||||
BasicAuthenticationFilter.class
|
||||
);
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,32 +0,0 @@
|
||||
package com.baeldung.dsl;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
|
||||
|
||||
public class ClientErrorLoggingConfigurer extends AbstractHttpConfigurer<ClientErrorLoggingConfigurer, HttpSecurity> {
|
||||
|
||||
private List<HttpStatus> errorCodes;
|
||||
|
||||
public ClientErrorLoggingConfigurer(List<HttpStatus> errorCodes) {
|
||||
this.errorCodes = errorCodes;
|
||||
}
|
||||
|
||||
public ClientErrorLoggingConfigurer() {
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public void init(HttpSecurity http) throws Exception {
|
||||
// initialization code
|
||||
}
|
||||
|
||||
@Override
|
||||
public void configure(HttpSecurity http) throws Exception {
|
||||
http.addFilterAfter(new ClientErrorLoggingFilter(errorCodes), FilterSecurityInterceptor.class);
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,57 +0,0 @@
|
||||
package com.baeldung.dsl;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.logging.log4j.LogManager;
|
||||
import org.apache.logging.log4j.Logger;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.web.filter.GenericFilterBean;
|
||||
|
||||
public class ClientErrorLoggingFilter extends GenericFilterBean {
|
||||
|
||||
private static final Logger logger = LogManager.getLogger(ClientErrorLoggingFilter.class);
|
||||
|
||||
private List<HttpStatus> errorCodes;
|
||||
|
||||
public ClientErrorLoggingFilter(List<HttpStatus> errorCodes) {
|
||||
this.errorCodes = errorCodes;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
|
||||
|
||||
Authentication auth = SecurityContextHolder.getContext()
|
||||
.getAuthentication();
|
||||
|
||||
if (auth == null) {
|
||||
chain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
int status = ((HttpServletResponse) response).getStatus();
|
||||
if (status < 400 || status >= 500) {
|
||||
chain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
||||
if (errorCodes == null) {
|
||||
logger.debug("User " + auth.getName() + " encountered error " + status);
|
||||
} else {
|
||||
if (errorCodes.stream()
|
||||
.anyMatch(s -> s.value() == status)) {
|
||||
logger.debug("User " + auth.getName() + " encountered error " + status);
|
||||
}
|
||||
}
|
||||
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,13 +0,0 @@
|
||||
package com.baeldung.dsl;
|
||||
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
|
||||
@SpringBootApplication
|
||||
public class CustomConfigurerApplication {
|
||||
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(CustomConfigurerApplication.class, args);
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,14 +0,0 @@
|
||||
package com.baeldung.dsl;
|
||||
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
@RestController
|
||||
public class MyController {
|
||||
|
||||
@GetMapping("/admin")
|
||||
public String getAdminPage() {
|
||||
return "Hello Admin";
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,50 +0,0 @@
|
||||
package com.baeldung.dsl;
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
||||
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||
|
||||
@Configuration
|
||||
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests()
|
||||
.antMatchers("/admin*")
|
||||
.hasAnyRole("ADMIN")
|
||||
.anyRequest()
|
||||
.authenticated()
|
||||
.and()
|
||||
.formLogin()
|
||||
.and()
|
||||
.apply(clientErrorLogging());
|
||||
}
|
||||
|
||||
@Bean
|
||||
public ClientErrorLoggingConfigurer clientErrorLogging() {
|
||||
return new ClientErrorLoggingConfigurer();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth.inMemoryAuthentication()
|
||||
.passwordEncoder(passwordEncoder())
|
||||
.withUser("user1")
|
||||
.password(passwordEncoder().encode("user"))
|
||||
.roles("USER")
|
||||
.and()
|
||||
.withUser("admin")
|
||||
.password(passwordEncoder().encode("admin"))
|
||||
.roles("ADMIN");
|
||||
}
|
||||
|
||||
@Bean
|
||||
public PasswordEncoder passwordEncoder() {
|
||||
return new BCryptPasswordEncoder();
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,14 +0,0 @@
|
||||
package com.baeldung.inmemory;
|
||||
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
|
||||
@SpringBootApplication
|
||||
public class InMemoryAuthApplication {
|
||||
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(InMemoryAuthApplication.class, args);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
@ -1,21 +0,0 @@
|
||||
package com.baeldung.inmemory;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
@RestController
|
||||
public class InMemoryAuthController {
|
||||
|
||||
@GetMapping("/public/hello")
|
||||
public List<String> publicHello() {
|
||||
return Arrays.asList("Hello", "World", "from", "Public");
|
||||
}
|
||||
|
||||
@GetMapping("/private/hello")
|
||||
public List<String> privateHello() {
|
||||
return Arrays.asList("Hello", "World", "from", "Private");
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,34 +0,0 @@
|
||||
package com.baeldung.inmemory;
|
||||
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
|
||||
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||
|
||||
@Configuration
|
||||
public class InMemoryAuthWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
|
||||
auth.inMemoryAuthentication()
|
||||
.passwordEncoder(encoder)
|
||||
.withUser("spring")
|
||||
.password(encoder.encode("secret"))
|
||||
.roles("USER");
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests()
|
||||
.antMatchers("/private/**")
|
||||
.authenticated()
|
||||
.antMatchers("/public/**")
|
||||
.permitAll()
|
||||
.and()
|
||||
.httpBasic();
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,29 +0,0 @@
|
||||
package com.baeldung.inmemory;
|
||||
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
|
||||
//@Configuration
|
||||
public class InMemoryNoOpAuthWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth.inMemoryAuthentication()
|
||||
.withUser("spring")
|
||||
.password("{noop}secret")
|
||||
.roles("USER");
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests()
|
||||
.antMatchers("/private/**")
|
||||
.authenticated()
|
||||
.antMatchers("/public/**")
|
||||
.permitAll()
|
||||
.and()
|
||||
.httpBasic();
|
||||
}
|
||||
}
|
||||
@ -1,13 +0,0 @@
|
||||
package com.baeldung.logoutredirects;
|
||||
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
|
||||
@SpringBootApplication
|
||||
public class LogoutApplication {
|
||||
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(LogoutApplication.class, args);
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,27 +0,0 @@
|
||||
package com.baeldung.logoutredirects.securityconfig;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(authz -> authz.mvcMatchers("/login")
|
||||
.permitAll()
|
||||
.anyRequest()
|
||||
.authenticated())
|
||||
.logout(logout -> logout.permitAll()
|
||||
.logoutSuccessHandler((request, response, authentication) -> {
|
||||
response.setStatus(HttpServletResponse.SC_OK);
|
||||
}));
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,11 +0,0 @@
|
||||
package com.baeldung.manuallogout;
|
||||
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
|
||||
@SpringBootApplication
|
||||
public class ManualLogoutApplication {
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(ManualLogoutApplication.class, args);
|
||||
}
|
||||
}
|
||||
@ -1,95 +0,0 @@
|
||||
package com.baeldung.manuallogout;
|
||||
|
||||
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.CACHE;
|
||||
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.COOKIES;
|
||||
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.EXECUTION_CONTEXTS;
|
||||
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.STORAGE;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.Cookie;
|
||||
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.annotation.Order;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
|
||||
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
|
||||
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
public class SimpleSecurityConfiguration {
|
||||
|
||||
private static Logger logger = LoggerFactory.getLogger(SimpleSecurityConfiguration.class);
|
||||
|
||||
@Order(4)
|
||||
@Configuration
|
||||
public static class LogoutOnRequestConfiguration extends WebSecurityConfigurerAdapter {
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.antMatcher("/request/**")
|
||||
.authorizeRequests(authz -> authz.anyRequest()
|
||||
.permitAll())
|
||||
.logout(logout -> logout.logoutUrl("/request/logout")
|
||||
.addLogoutHandler((request, response, auth) -> {
|
||||
try {
|
||||
request.logout();
|
||||
} catch (ServletException e) {
|
||||
logger.error(e.getMessage());
|
||||
}
|
||||
}));
|
||||
}
|
||||
}
|
||||
|
||||
@Order(3)
|
||||
@Configuration
|
||||
public static class DefaultLogoutConfiguration extends WebSecurityConfigurerAdapter {
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.antMatcher("/basic/**")
|
||||
.authorizeRequests(authz -> authz.anyRequest()
|
||||
.permitAll())
|
||||
.logout(logout -> logout.logoutUrl("/basic/basiclogout"));
|
||||
}
|
||||
}
|
||||
|
||||
@Order(2)
|
||||
@Configuration
|
||||
public static class AllCookieClearingLogoutConfiguration extends WebSecurityConfigurerAdapter {
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.antMatcher("/cookies/**")
|
||||
.authorizeRequests(authz -> authz.anyRequest()
|
||||
.permitAll())
|
||||
.logout(logout -> logout.logoutUrl("/cookies/cookielogout")
|
||||
.addLogoutHandler(new SecurityContextLogoutHandler())
|
||||
.addLogoutHandler((request, response, auth) -> {
|
||||
for (Cookie cookie : request.getCookies()) {
|
||||
String cookieName = cookie.getName();
|
||||
Cookie cookieToDelete = new Cookie(cookieName, null);
|
||||
cookieToDelete.setMaxAge(0);
|
||||
response.addCookie(cookieToDelete);
|
||||
}
|
||||
}));
|
||||
}
|
||||
}
|
||||
|
||||
@Order(1)
|
||||
@Configuration
|
||||
public static class ClearSiteDataHeaderLogoutConfiguration extends WebSecurityConfigurerAdapter {
|
||||
|
||||
private static final ClearSiteDataHeaderWriter.Directive[] SOURCE = { CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS };
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.antMatcher("/csd/**")
|
||||
.authorizeRequests(authz -> authz.anyRequest()
|
||||
.permitAll())
|
||||
.logout(logout -> logout.logoutUrl("/csd/csdlogout")
|
||||
.addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(SOURCE))));
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,35 +0,0 @@
|
||||
package com.baeldung.passwordstorage;
|
||||
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.context.ApplicationListener;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||
|
||||
@Configuration
|
||||
public class BaeldungPasswordEncoderSetup {
|
||||
|
||||
private final static Logger LOG = LoggerFactory.getLogger(BaeldungPasswordEncoderSetup.class);
|
||||
|
||||
@Bean
|
||||
public ApplicationListener<AuthenticationSuccessEvent> authenticationSuccessListener(final PasswordEncoder encoder) {
|
||||
|
||||
return (AuthenticationSuccessEvent event) -> {
|
||||
final Authentication auth = event.getAuthentication();
|
||||
|
||||
if (auth instanceof UsernamePasswordAuthenticationToken && auth.getCredentials() != null) {
|
||||
|
||||
final CharSequence clearTextPass = (CharSequence) auth.getCredentials(); // 1
|
||||
final String newPasswordHash = encoder.encode(clearTextPass); // 2
|
||||
|
||||
LOG.info("New password hash {} for user {}", newPasswordHash, auth.getName());
|
||||
|
||||
((UsernamePasswordAuthenticationToken) auth).eraseCredentials(); // 3
|
||||
}
|
||||
};
|
||||
}
|
||||
}
|
||||
@ -1,13 +0,0 @@
|
||||
package com.baeldung.passwordstorage;
|
||||
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
|
||||
@SpringBootApplication
|
||||
public class PasswordStorageApplication {
|
||||
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(PasswordStorageApplication.class, args);
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,55 +0,0 @@
|
||||
package com.baeldung.passwordstorage;
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.core.userdetails.User;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
||||
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
|
||||
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
|
||||
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||
import org.springframework.security.crypto.password.StandardPasswordEncoder;
|
||||
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
@Configuration
|
||||
public class PasswordStorageWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth.eraseCredentials(false) // 4
|
||||
.userDetailsService(getUserDefaultDetailsService())
|
||||
.passwordEncoder(passwordEncoder());
|
||||
}
|
||||
|
||||
@Bean
|
||||
public UserDetailsService getUserDefaultDetailsService() {
|
||||
return new InMemoryUserDetailsManager(User
|
||||
.withUsername("baeldung")
|
||||
.password("{noop}SpringSecurity5")
|
||||
.authorities(Collections.emptyList())
|
||||
.build());
|
||||
}
|
||||
|
||||
@Bean
|
||||
public PasswordEncoder passwordEncoder() {
|
||||
// set up the list of supported encoders and their prefixes
|
||||
PasswordEncoder defaultEncoder = new StandardPasswordEncoder();
|
||||
Map<String, PasswordEncoder> encoders = new HashMap<>();
|
||||
encoders.put("bcrypt", new BCryptPasswordEncoder());
|
||||
encoders.put("scrypt", new SCryptPasswordEncoder());
|
||||
encoders.put("noop", NoOpPasswordEncoder.getInstance());
|
||||
|
||||
DelegatingPasswordEncoder passwordEncoder = new DelegatingPasswordEncoder("bcrypt", encoders);
|
||||
passwordEncoder.setDefaultPasswordEncoderForMatches(defaultEncoder);
|
||||
|
||||
return passwordEncoder;
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,14 +0,0 @@
|
||||
package com.baeldung.xss;
|
||||
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
|
||||
@SpringBootApplication
|
||||
@EnableWebSecurity
|
||||
public class Application {
|
||||
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(Application.class, args);
|
||||
}
|
||||
}
|
||||
@ -1,25 +0,0 @@
|
||||
package com.baeldung.xss;
|
||||
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.builders.WebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
|
||||
@Configuration
|
||||
public class SecurityConf extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
public void configure(WebSecurity web) {
|
||||
// Ignoring here is only for this example. Normally people would apply their own authentication/authorization policies
|
||||
web.ignoring().antMatchers("/**");
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.headers()
|
||||
.xssProtection()
|
||||
.and()
|
||||
.contentSecurityPolicy("script-src 'self'");
|
||||
}
|
||||
}
|
||||
@ -1,545 +0,0 @@
|
||||
#
|
||||
# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version
|
||||
#
|
||||
# This file is part of the Open Web Application Security Project (OWASP)
|
||||
# Enterprise Security API (ESAPI) project. For details, please see
|
||||
# https://owasp.org/www-project-enterprise-security-api/
|
||||
#
|
||||
# Copyright (c) 2008,2009 - The OWASP Foundation
|
||||
#
|
||||
# DISCUSS: This may cause a major backwards compatibility issue, etc. but
|
||||
# from a name space perspective, we probably should have prefaced
|
||||
# all the property names with ESAPI or at least OWASP. Otherwise
|
||||
# there could be problems is someone loads this properties file into
|
||||
# the System properties. We could also put this file into the
|
||||
# esapi.jar file (perhaps as a ResourceBundle) and then allow an external
|
||||
# ESAPI properties be defined that would overwrite these defaults.
|
||||
# That keeps the application's properties relatively simple as usually
|
||||
# they will only want to override a few properties. If looks like we
|
||||
# already support multiple override levels of this in the
|
||||
# DefaultSecurityConfiguration class, but I'm suggesting placing the
|
||||
# defaults in the esapi.jar itself. That way, if the jar is signed,
|
||||
# we could detect if those properties had been tampered with. (The
|
||||
# code to check the jar signatures is pretty simple... maybe 70-90 LOC,
|
||||
# but off course there is an execution penalty (similar to the way
|
||||
# that the separate sunjce.jar used to be when a class from it was
|
||||
# first loaded). Thoughts?
|
||||
###############################################################################
|
||||
#
|
||||
# WARNING: Operating system protection should be used to lock down the .esapi
|
||||
# resources directory and all the files inside and all the directories all the
|
||||
# way up to the root directory of the file system. Note that if you are using
|
||||
# file-based implementations, that some files may need to be read-write as they
|
||||
# get updated dynamically.
|
||||
#
|
||||
#===========================================================================
|
||||
# ESAPI Configuration
|
||||
#
|
||||
# If true, then print all the ESAPI properties set here when they are loaded.
|
||||
# If false, they are not printed. Useful to reduce output when running JUnit tests.
|
||||
# If you need to troubleshoot a properties related problem, turning this on may help.
|
||||
# This is 'false' in the src/test/resources/.esapi version. It is 'true' by
|
||||
# default for reasons of backward compatibility with earlier ESAPI versions.
|
||||
ESAPI.printProperties=true
|
||||
|
||||
# ESAPI is designed to be easily extensible. You can use the reference implementation
|
||||
# or implement your own providers to take advantage of your enterprise's security
|
||||
# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
|
||||
#
|
||||
# String ciphertext =
|
||||
# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0
|
||||
# CipherText cipherText =
|
||||
# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
|
||||
#
|
||||
# Below you can specify the classname for the provider that you wish to use in your
|
||||
# application. The only requirement is that it implement the appropriate ESAPI interface.
|
||||
# This allows you to switch security implementations in the future without rewriting the
|
||||
# entire application.
|
||||
#
|
||||
# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
|
||||
ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
|
||||
# FileBasedAuthenticator requires users.txt file in .esapi directory
|
||||
ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
|
||||
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
|
||||
ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
|
||||
|
||||
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
|
||||
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
|
||||
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
|
||||
# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
|
||||
# Note that this is now considered deprecated!
|
||||
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
|
||||
#ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
|
||||
#ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
|
||||
# To use the new SLF4J logger in ESAPI (see GitHub issue #129), set
|
||||
# ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
|
||||
# and do whatever other normal SLF4J configuration that you normally would do for your application.
|
||||
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
|
||||
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
|
||||
|
||||
#===========================================================================
|
||||
# ESAPI Authenticator
|
||||
#
|
||||
Authenticator.AllowedLoginAttempts=3
|
||||
Authenticator.MaxOldPasswordHashes=13
|
||||
Authenticator.UsernameParameterName=username
|
||||
Authenticator.PasswordParameterName=password
|
||||
# RememberTokenDuration (in days)
|
||||
Authenticator.RememberTokenDuration=14
|
||||
# Session Timeouts (in minutes)
|
||||
Authenticator.IdleTimeoutDuration=20
|
||||
Authenticator.AbsoluteTimeoutDuration=120
|
||||
|
||||
#===========================================================================
|
||||
# ESAPI Encoder
|
||||
#
|
||||
# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
|
||||
# Failure to canonicalize input is a very common mistake when implementing validation schemes.
|
||||
# Canonicalization is automatic when using the ESAPI Validator, but you can also use the
|
||||
# following code to canonicalize data.
|
||||
#
|
||||
# ESAPI.Encoder().canonicalize( "%22hello world"" );
|
||||
#
|
||||
# Multiple encoding is when a single encoding format is applied multiple times. Allowing
|
||||
# multiple encoding is strongly discouraged.
|
||||
Encoder.AllowMultipleEncoding=false
|
||||
|
||||
# Mixed encoding is when multiple different encoding formats are applied, or when
|
||||
# multiple formats are nested. Allowing multiple encoding is strongly discouraged.
|
||||
Encoder.AllowMixedEncoding=false
|
||||
|
||||
# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
|
||||
# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
|
||||
# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
|
||||
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
|
||||
|
||||
|
||||
#===========================================================================
|
||||
# ESAPI Encryption
|
||||
#
|
||||
# The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
|
||||
# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
|
||||
# There is not currently any support for key rotation, so be careful when changing your key and salt as it
|
||||
# will invalidate all signed, encrypted, and hashed data.
|
||||
#
|
||||
# WARNING: Not all combinations of algorithms and key lengths are supported.
|
||||
# If you choose to use a key length greater than 128, you MUST download the
|
||||
# unlimited strength policy files and install in the lib directory of your JRE/JDK.
|
||||
# See http://java.sun.com/javase/downloads/index.jsp for more information.
|
||||
#
|
||||
# ***** IMPORTANT: Do NOT forget to replace these with your own values! *****
|
||||
# To calculate these values, you can run:
|
||||
# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
|
||||
#
|
||||
#Encryptor.MasterKey=
|
||||
#Encryptor.MasterSalt=
|
||||
|
||||
# Provides the default JCE provider that ESAPI will "prefer" for its symmetric
|
||||
# encryption and hashing. (That is it will look to this provider first, but it
|
||||
# will defer to other providers if the requested algorithm is not implemented
|
||||
# by this provider.) If left unset, ESAPI will just use your Java VM's current
|
||||
# preferred JCE provider, which is generally set in the file
|
||||
# "$JAVA_HOME/jre/lib/security/java.security".
|
||||
#
|
||||
# The main intent of this is to allow ESAPI symmetric encryption to be
|
||||
# used with a FIPS 140-2 compliant crypto-module. For details, see the section
|
||||
# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
|
||||
# the ESAPI 2.0 Symmetric Encryption User Guide, at:
|
||||
# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
|
||||
# However, this property also allows you to easily use an alternate JCE provider
|
||||
# such as "Bouncy Castle" without having to make changes to "java.security".
|
||||
# See Javadoc for SecurityProviderLoader for further details. If you wish to use
|
||||
# a provider that is not known to SecurityProviderLoader, you may specify the
|
||||
# fully-qualified class name of the JCE provider class that implements
|
||||
# java.security.Provider. If the name contains a '.', this is interpreted as
|
||||
# a fully-qualified class name that implements java.security.Provider.
|
||||
#
|
||||
# NOTE: Setting this property has the side-effect of changing it in your application
|
||||
# as well, so if you are using JCE in your application directly rather than
|
||||
# through ESAPI (you wouldn't do that, would you? ;-), it will change the
|
||||
# preferred JCE provider there as well.
|
||||
#
|
||||
# Default: Keeps the JCE provider set to whatever JVM sets it to.
|
||||
Encryptor.PreferredJCEProvider=
|
||||
|
||||
# AES is the most widely used and strongest encryption algorithm. This
|
||||
# should agree with your Encryptor.CipherTransformation property.
|
||||
# Warning: This property does not control the default reference implementation for
|
||||
# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
|
||||
# in the future.
|
||||
# @deprecated
|
||||
Encryptor.EncryptionAlgorithm=AES
|
||||
# For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
|
||||
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
|
||||
|
||||
# Applies to ESAPI 2.0 and later only!
|
||||
# Comma-separated list of cipher modes that provide *BOTH*
|
||||
# confidentiality *AND* message authenticity. (NIST refers to such cipher
|
||||
# modes as "combined modes" so that's what we shall call them.) If any of these
|
||||
# cipher modes are used then no MAC is calculated and stored
|
||||
# in the CipherText upon encryption. Likewise, if one of these
|
||||
# cipher modes is used with decryption, no attempt will be made
|
||||
# to validate the MAC contained in the CipherText object regardless
|
||||
# of whether it contains one or not. Since the expectation is that
|
||||
# these cipher modes support support message authenticity already,
|
||||
# injecting a MAC in the CipherText object would be at best redundant.
|
||||
#
|
||||
# Note that as of JDK 1.5, the SunJCE provider does not support *any*
|
||||
# of these cipher modes. Of these listed, only GCM and CCM are currently
|
||||
# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
|
||||
# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
|
||||
# padding modes.
|
||||
Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
|
||||
|
||||
# Applies to ESAPI 2.0 and later only!
|
||||
# Additional cipher modes allowed for ESAPI 2.0 encryption. These
|
||||
# cipher modes are in _addition_ to those specified by the property
|
||||
# 'Encryptor.cipher_modes.combined_modes'.
|
||||
# Note: We will add support for streaming modes like CFB & OFB once
|
||||
# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
|
||||
# (probably in ESAPI 2.1).
|
||||
# DISCUSS: Better name?
|
||||
Encryptor.cipher_modes.additional_allowed=CBC
|
||||
|
||||
# Default key size to use for cipher specified by Encryptor.EncryptionAlgorithm.
|
||||
# Note that this MUST be a valid key size for the algorithm being used
|
||||
# (as specified by Encryptor.EncryptionAlgorithm). So for example, if AES is used,
|
||||
# it must be 128, 192, or 256. If DESede is chosen, then it must be either 112 or 168.
|
||||
#
|
||||
# Note that 128-bits is almost always sufficient and for AES it appears to be more
|
||||
# somewhat more resistant to related key attacks than is 256-bit AES.)
|
||||
#
|
||||
# Defaults to 128-bits if left blank.
|
||||
#
|
||||
# NOTE: If you use a key size > 128-bits, then you MUST have the JCE Unlimited
|
||||
# Strength Jurisdiction Policy files installed!!!
|
||||
#
|
||||
Encryptor.EncryptionKeyLength=128
|
||||
|
||||
# This is the _minimum_ key size (in bits) that we allow with ANY symmetric
|
||||
# cipher for doing encryption. (There is no minimum for decryption.)
|
||||
#
|
||||
# Generally, if you only use one algorithm, this should be set the same as
|
||||
# the Encryptor.EncryptionKeyLength property.
|
||||
Encryptor.MinEncryptionKeyLength=128
|
||||
|
||||
# Because 2.x uses CBC mode by default, it requires an initialization vector (IV).
|
||||
# (All cipher modes except ECB require an IV.) There are two choices: we can either
|
||||
# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
|
||||
# the IV does not need to be hidden from adversaries, it is important that the
|
||||
# adversary not be allowed to choose it. Also, random IVs are generally much more
|
||||
# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
|
||||
# such as CFB and OFB use a different IV for each encryption with a given key so
|
||||
# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
|
||||
# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
|
||||
# uncomment the Encryptor.fixedIV.
|
||||
#
|
||||
# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.3
|
||||
# 'fixed' is deprecated as of 2.2
|
||||
# and will be removed in 2.3.
|
||||
Encryptor.ChooseIVMethod=random
|
||||
|
||||
|
||||
# If you choose to use a fixed IV, then you must place a fixed IV here that
|
||||
# is known to all others who are sharing your secret key. The format should
|
||||
# be a hex string that is the same length as the cipher block size for the
|
||||
# cipher algorithm that you are using. The following is an *example* for AES
|
||||
# from an AES test vector for AES-128/CBC as described in:
|
||||
# NIST Special Publication 800-38A (2001 Edition)
|
||||
# "Recommendation for Block Cipher Modes of Operation".
|
||||
# (Note that the block size for AES is 16 bytes == 128 bits.)
|
||||
#
|
||||
# @Deprecated -- fixed IVs are deprecated as of the 2.2 release and support
|
||||
# will be removed in the next release (tentatively, 2.3).
|
||||
# If you MUST use this, at least replace this IV with one
|
||||
# that your legacy application was using.
|
||||
Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
|
||||
|
||||
# Whether or not CipherText should use a message authentication code (MAC) with it.
|
||||
# This prevents an adversary from altering the IV as well as allowing a more
|
||||
# fool-proof way of determining the decryption failed because of an incorrect
|
||||
# key being supplied. This refers to the "separate" MAC calculated and stored
|
||||
# in CipherText, not part of any MAC that is calculated as a result of a
|
||||
# "combined mode" cipher mode.
|
||||
#
|
||||
# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
|
||||
# set this property to false. That is because ESAPI takes the master key and
|
||||
# derives 2 keys from it--a key for the MAC and a key for encryption--and
|
||||
# because ESAPI is not itself FIPS 140-2 verified such intermediary aterations
|
||||
# to keys from FIPS approved sources would have the effect of making your FIPS
|
||||
# approved key generation and thus your FIPS approved JCE provider unapproved!
|
||||
# More details in
|
||||
# documentation/esapi4java-core-2.0-readme-crypto-changes.html
|
||||
# documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
|
||||
# You have been warned.
|
||||
Encryptor.CipherText.useMAC=true
|
||||
|
||||
# Whether or not the PlainText object may be overwritten and then marked
|
||||
# eligible for garbage collection. If not set, this is still treated as 'true'.
|
||||
Encryptor.PlainText.overwrite=true
|
||||
|
||||
# Do not use DES except in a legacy situations. 56-bit is way too small key size.
|
||||
#Encryptor.EncryptionKeyLength=56
|
||||
#Encryptor.MinEncryptionKeyLength=56
|
||||
#Encryptor.EncryptionAlgorithm=DES
|
||||
|
||||
# TripleDES is considered strong enough for most purposes.
|
||||
# Note: There is also a 112-bit version of DESede. Using the 168-bit version
|
||||
# requires downloading the special jurisdiction policy from Sun.
|
||||
#Encryptor.EncryptionKeyLength=168
|
||||
#Encryptor.MinEncryptionKeyLength=112
|
||||
#Encryptor.EncryptionAlgorithm=DESede
|
||||
|
||||
Encryptor.HashAlgorithm=SHA-512
|
||||
Encryptor.HashIterations=1024
|
||||
Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
|
||||
Encryptor.DigitalSignatureKeyLength=1024
|
||||
Encryptor.RandomAlgorithm=SHA1PRNG
|
||||
Encryptor.CharacterEncoding=UTF-8
|
||||
|
||||
# This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function
|
||||
# (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and
|
||||
# *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for
|
||||
# the MAC, mostly to keep the overall size at a minimum.)
|
||||
#
|
||||
# Currently supported choices for JDK 1.5 and 1.6 are:
|
||||
# HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and
|
||||
# HmacSHA512 (512 bits).
|
||||
# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though
|
||||
# the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide
|
||||
# further details.
|
||||
Encryptor.KDF.PRF=HmacSHA256
|
||||
#===========================================================================
|
||||
# ESAPI HttpUtilties
|
||||
#
|
||||
# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
|
||||
# protect against malicious data from attackers, such as unprintable characters, escaped characters,
|
||||
# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
|
||||
# headers, and CSRF tokens.
|
||||
#
|
||||
# Default file upload location (remember to escape backslashes with \\)
|
||||
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
|
||||
HttpUtilities.UploadTempDir=C:\\temp
|
||||
# Force flags on cookies, if you use HttpUtilities to set cookies
|
||||
HttpUtilities.ForceHttpOnlySession=false
|
||||
HttpUtilities.ForceSecureSession=false
|
||||
HttpUtilities.ForceHttpOnlyCookies=true
|
||||
HttpUtilities.ForceSecureCookies=true
|
||||
# Maximum size of HTTP header key--the validator regex may have additional values.
|
||||
HttpUtilities.MaxHeaderNameSize=256
|
||||
# Maximum size of HTTP header value--the validator regex may have additional values.
|
||||
HttpUtilities.MaxHeaderValueSize=4096
|
||||
# Maximum size of JSESSIONID for the application--the validator regex may have additional values.
|
||||
HttpUtilities.HTTPJSESSIONIDLENGTH=50
|
||||
# Maximum length of a URL (see https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers)
|
||||
HttpUtilities.URILENGTH=2000
|
||||
# Maximum length of a redirect
|
||||
HttpUtilities.maxRedirectLength=512
|
||||
# Maximum length for an http scheme
|
||||
HttpUtilities.HTTPSCHEMELENGTH=10
|
||||
# Maximum length for an http host
|
||||
HttpUtilities.HTTPHOSTLENGTH=100
|
||||
# Maximum length for an http path
|
||||
HttpUtilities.HTTPPATHLENGTH=150
|
||||
#Maximum length for a context path
|
||||
HttpUtilities.contextPathLength=150
|
||||
#Maximum length for an httpServletPath
|
||||
HttpUtilities.HTTPSERVLETPATHLENGTH=100
|
||||
#Maximum length for an http query parameter name
|
||||
HttpUtilities.httpQueryParamNameLength=100
|
||||
#Maximum length for an http query parameter -- old default was 2000, but that's the max length for a URL...
|
||||
HttpUtilities.httpQueryParamValueLength=500
|
||||
# File upload configuration
|
||||
HttpUtilities.ApprovedUploadExtensions=.pdf,.doc,.docx,.ppt,.pptx,.xls,.xlsx,.rtf,.txt,.jpg,.png
|
||||
HttpUtilities.MaxUploadFileBytes=500000000
|
||||
# Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
|
||||
# container, and any other technologies you may be using. Failure to do this may expose you
|
||||
# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
|
||||
HttpUtilities.ResponseContentType=text/html; charset=UTF-8
|
||||
# This is the name of the cookie used to represent the HTTP session
|
||||
# Typically this will be the default "JSESSIONID"
|
||||
HttpUtilities.HttpSessionIdName=JSESSIONID
|
||||
#Sets whether or not we will overwrite http status codes to 200.
|
||||
HttpUtilities.OverwriteStatusCodes=true
|
||||
#Sets the application's base character encoding. This is forked from the Java Encryptor property.
|
||||
HttpUtilities.CharacterEncoding=UTF-8
|
||||
|
||||
#===========================================================================
|
||||
# ESAPI Executor
|
||||
# CHECKME - This should be made OS independent. Don't use unsafe defaults.
|
||||
# # Examples only -- do NOT blindly copy!
|
||||
# For Windows:
|
||||
# Executor.WorkingDirectory=C:\\Windows\\Temp
|
||||
# Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
|
||||
# For *nux, MacOS:
|
||||
# Executor.WorkingDirectory=/tmp
|
||||
# Executor.ApprovedExecutables=/bin/bash
|
||||
Executor.WorkingDirectory=
|
||||
Executor.ApprovedExecutables=
|
||||
|
||||
|
||||
#===========================================================================
|
||||
# ESAPI Logging
|
||||
# Set the application name if these logs are combined with other applications
|
||||
Logger.ApplicationName=ExampleApplication
|
||||
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
|
||||
Logger.LogEncodingRequired=false
|
||||
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
|
||||
Logger.LogApplicationName=true
|
||||
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
|
||||
Logger.LogServerIP=true
|
||||
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
|
||||
# want to place it in a specific directory.
|
||||
Logger.LogFileName=ESAPI_logging_file
|
||||
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
|
||||
Logger.MaxLogFileSize=10000000
|
||||
# Determines whether ESAPI should log the user info.
|
||||
Logger.UserInfo=true
|
||||
# Determines whether ESAPI should log the session id and client IP.
|
||||
Logger.ClientInfo=true
|
||||
|
||||
#===========================================================================
|
||||
# ESAPI Intrusion Detection
|
||||
#
|
||||
# Each event has a base to which .count, .interval, and .action are added
|
||||
# The IntrusionException will fire if we receive "count" events within "interval" seconds
|
||||
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
|
||||
# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
|
||||
#
|
||||
# Custom Events
|
||||
# Names must start with "event." as the base
|
||||
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
|
||||
# You can also disable intrusion detection completely by changing
|
||||
# the following parameter to true
|
||||
#
|
||||
IntrusionDetector.Disable=false
|
||||
#
|
||||
IntrusionDetector.event.test.count=2
|
||||
IntrusionDetector.event.test.interval=10
|
||||
IntrusionDetector.event.test.actions=disable,log
|
||||
|
||||
# Exception Events
|
||||
# All EnterpriseSecurityExceptions are registered automatically
|
||||
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
|
||||
# Use the fully qualified classname of the exception as the base
|
||||
|
||||
# any intrusion is an attack
|
||||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
|
||||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
|
||||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
|
||||
|
||||
# for test purposes
|
||||
# CHECKME: Shouldn't there be something in the property name itself that designates
|
||||
# that these are for testing???
|
||||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
|
||||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
|
||||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
|
||||
|
||||
# rapid validation errors indicate scans or attacks in progress
|
||||
# org.owasp.esapi.errors.ValidationException.count=10
|
||||
# org.owasp.esapi.errors.ValidationException.interval=10
|
||||
# org.owasp.esapi.errors.ValidationException.actions=log,logout
|
||||
|
||||
# sessions jumping between hosts indicates session hijacking
|
||||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
|
||||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
|
||||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
|
||||
|
||||
|
||||
#===========================================================================
|
||||
# ESAPI Validation
|
||||
#
|
||||
# The ESAPI Validator works on regular expressions with defined names. You can define names
|
||||
# either here, or you may define application specific patterns in a separate file defined below.
|
||||
# This allows enterprises to specify both organizational standards as well as application specific
|
||||
# validation rules.
|
||||
#
|
||||
# Use '\p{L}' (without the quotes) within the character class to match
|
||||
# any Unicode LETTER. You can also use a range, like: \u00C0-\u017F
|
||||
# You can also use any of the regex flags as documented at
|
||||
# https://docs.oracle.com/javase/tutorial/essential/regex/pattern.html, e.g. (?u)
|
||||
#
|
||||
Validator.ConfigurationFile=validation.properties
|
||||
|
||||
# Validators used by ESAPI
|
||||
Validator.AccountName=^[a-zA-Z0-9]{3,20}$
|
||||
Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
|
||||
Validator.RoleName=^[a-z]{1,20}$
|
||||
|
||||
#the word TEST below should be changed to your application
|
||||
#name - only relative URL's are supported
|
||||
Validator.Redirect=^\\/test.*$
|
||||
|
||||
# Global HTTP Validation Rules
|
||||
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
|
||||
Validator.HTTPScheme=^(http|https)$
|
||||
Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
|
||||
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
|
||||
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
|
||||
# Note that headerName and Value length is also configured in the HTTPUtilities section
|
||||
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$
|
||||
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
|
||||
Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
|
||||
Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
|
||||
Validator.HTTPURL=^.*$
|
||||
Validator.HTTPJSESSIONID=^[A-Z0-9]{10,32}$
|
||||
|
||||
|
||||
# Contributed by Fraenku@gmx.ch
|
||||
# Github Issue 126 https://github.com/ESAPI/esapi-java-legacy/issues/126
|
||||
Validator.HTTPParameterName=^[a-zA-Z0-9_\\-]{1,32}$
|
||||
Validator.HTTPParameterValue=^[\\p{L}\\p{N}.\\-/+=_ !$*?@]{0,1000}$
|
||||
Validator.HTTPContextPath=^/[a-zA-Z0-9.\\-_]*$
|
||||
Validator.HTTPQueryString=^([a-zA-Z0-9_\\-]{1,32}=[\\p{L}\\p{N}.\\-/+=_ !$*?@%]*&?)*$
|
||||
Validator.HTTPURI=^/([a-zA-Z0-9.\\-_]*/?)*$
|
||||
|
||||
|
||||
# Validation of file related input
|
||||
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
|
||||
Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
|
||||
|
||||
# Validation of dates. Controls whether or not 'lenient' dates are accepted.
|
||||
# See DataFormat.setLenient(boolean flag) for further details.
|
||||
Validator.AcceptLenientDates=false
|
||||
|
||||
# ~~~~~ Important Note ~~~~~
|
||||
# This is a workaround to make sure that a commit to address GitHub issue #509
|
||||
# doesn't accidentally break someone's production code. So essentially what we
|
||||
# are doing is to reverting back to the previous possibly buggy (by
|
||||
# documentation intent at least), but, by now, expected legacy behavior.
|
||||
# Prior to the code changes for issue #509, if invalid / malicious HTML input was
|
||||
# observed, AntiSamy would simply attempt to sanitize (cleanse) it and it would
|
||||
# only be logged. However, the code change made ESAPI comply with its
|
||||
# documentation, which stated that a ValidationException should be thrown in
|
||||
# such cases. Unfortunately, changing this behavior--especially when no one is
|
||||
# 100% certain that the documentation was correct--could break existing code
|
||||
# using ESAPI so after a lot of debate, issue #521 was created to restore the
|
||||
# previous behavior, but still allow the documented behavior. (We did this
|
||||
# because it wasn't really causing an security issues since AntiSamy would clean
|
||||
# it up anyway and we value backward compatibility as long as it doesn't clearly
|
||||
# present security vulnerabilities.)
|
||||
# More defaults about this are written up under GitHub issue #521 and
|
||||
# the pull request it references. Future major releases of ESAPI (e.g., ESAPI 3.x)
|
||||
# will not support this previous behavior, but it will remain for ESAPI 2.x.
|
||||
# Set this to 'throw' if you want the originally intended behavior of throwing
|
||||
# that was fixed via issue #509. Set to 'clean' if you want want the HTML input
|
||||
# sanitized instead.
|
||||
#
|
||||
# Possible values:
|
||||
# clean -- Use the legacy behavior where unsafe HTML input is logged and the
|
||||
# sanitized (i.e., clean) input as determined by AntiSamy and your
|
||||
# AntiSamy rules is returned. This is the default behavior if this
|
||||
# new property is not found.
|
||||
# throw -- The new, presumably correct and originally intended behavior where
|
||||
# a ValidationException is thrown when unsafe HTML input is
|
||||
# encountered.
|
||||
#
|
||||
#Validator.HtmlValidationAction=clean
|
||||
Validator.HtmlValidationAction=throw
|
||||
|
||||
# With the fix for #310 to enable loading antisamy-esapi.xml from the classpath
|
||||
# also an enhancement was made to be able to use a different filename for the configuration.
|
||||
# You don't have to configure the filename here, but in that case the code will keep looking for antisamy-esapi.xml.
|
||||
# This is the default behaviour of ESAPI.
|
||||
#
|
||||
#Validator.HtmlValidationConfigurationFile=antisamy-esapi.xml
|
||||
@ -1,7 +0,0 @@
|
||||
server.port=8081
|
||||
|
||||
logging.level.root=INFO
|
||||
|
||||
logging.level.com.baeldung.dsl.ClientErrorLoggingFilter=DEBUG
|
||||
|
||||
logging.level.org.springframework.security=DEBUG
|
||||
@ -1,13 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<configuration>
|
||||
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
|
||||
<encoder>
|
||||
<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
|
||||
</pattern>
|
||||
</encoder>
|
||||
</appender>
|
||||
|
||||
<root level="INFO">
|
||||
<appender-ref ref="STDOUT" />
|
||||
</root>
|
||||
</configuration>
|
||||
@ -1,11 +0,0 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Home</title>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|
||||
</head>
|
||||
<body>
|
||||
Home
|
||||
Welcome!
|
||||
</body>
|
||||
</html>
|
||||
@ -1,17 +0,0 @@
|
||||
package com.baeldung;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.springframework.boot.test.context.SpringBootTest;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
|
||||
import com.baeldung.dsl.CustomConfigurerApplication;
|
||||
|
||||
@RunWith(SpringRunner.class)
|
||||
@SpringBootTest(classes = CustomConfigurerApplication.class)
|
||||
public class SpringContextTest {
|
||||
|
||||
@Test
|
||||
public void whenSpringContextIsBootstrapped_thenNoExceptions() {
|
||||
}
|
||||
}
|
||||
@ -1,82 +0,0 @@
|
||||
package com.baeldung.authresolver;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.FixMethodOrder;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.junit.runners.MethodSorters;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.test.context.SpringBootTest;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
||||
import org.springframework.util.Base64Utils;
|
||||
import org.springframework.web.context.WebApplicationContext;
|
||||
|
||||
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
@RunWith(SpringRunner.class)
|
||||
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = AuthResolverApplication.class)
|
||||
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
|
||||
public class AuthResolverIntegrationTest {
|
||||
|
||||
@Autowired
|
||||
private FilterChainProxy springSecurityFilterChain;
|
||||
|
||||
@Autowired
|
||||
private WebApplicationContext wac;
|
||||
|
||||
private MockMvc mockMvc;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.mockMvc = MockMvcBuilders
|
||||
.webAppContextSetup(wac)
|
||||
.apply(springSecurity(springSecurityFilterChain))
|
||||
.build();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenCustomerCredential_whenWelcomeCustomer_thenExpectOk() throws Exception {
|
||||
this.mockMvc
|
||||
.perform(get("/customer/welcome")
|
||||
.header(
|
||||
"Authorization", String.format("Basic %s", Base64Utils.encodeToString("customer1:pass1".getBytes()))
|
||||
)
|
||||
)
|
||||
.andExpect(status().is2xxSuccessful());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenEmployeeCredential_whenWelcomeCustomer_thenExpect401Status() throws Exception {
|
||||
this.mockMvc
|
||||
.perform(get("/customer/welcome")
|
||||
.header(
|
||||
"Authorization", "Basic " + Base64Utils.encodeToString("employee1:pass1".getBytes()))
|
||||
)
|
||||
.andExpect(status().isUnauthorized());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenEmployeeCredential_whenWelcomeEmployee_thenExpectOk() throws Exception {
|
||||
this.mockMvc
|
||||
.perform(get("/employee/welcome")
|
||||
.header(
|
||||
"Authorization", "Basic " + Base64Utils.encodeToString("employee1:pass1".getBytes()))
|
||||
)
|
||||
.andExpect(status().is2xxSuccessful());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenCustomerCredential_whenWelcomeEmployee_thenExpect401Status() throws Exception {
|
||||
this.mockMvc
|
||||
.perform(get("/employee/welcome")
|
||||
.header(
|
||||
"Authorization", "Basic " + Base64Utils.encodeToString("customer1:pass1".getBytes()))
|
||||
)
|
||||
.andExpect(status().isUnauthorized());
|
||||
}
|
||||
}
|
||||
@ -1,48 +0,0 @@
|
||||
package com.baeldung.inmemory;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.test.context.SpringBootTest;
|
||||
import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
|
||||
import org.springframework.boot.test.web.client.TestRestTemplate;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
|
||||
@RunWith(SpringRunner.class)
|
||||
@SpringBootTest(classes = InMemoryAuthApplication.class, webEnvironment = WebEnvironment.RANDOM_PORT)
|
||||
public class InMemoryAuthControllerIntegrationTest {
|
||||
|
||||
@Autowired
|
||||
private TestRestTemplate template;
|
||||
|
||||
@Test
|
||||
public void givenRequestOnPublicService_shouldSucceedWith200() throws Exception {
|
||||
ResponseEntity<String> result = template.getForEntity("/public/hello", String.class);
|
||||
assertEquals(HttpStatus.OK, result.getStatusCode());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenRequestOnPrivateService_shouldFailWith401() throws Exception {
|
||||
ResponseEntity<String> result = template.getForEntity("/private/hello", String.class);
|
||||
assertEquals(HttpStatus.UNAUTHORIZED, result.getStatusCode());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenAuthRequestOnPrivateService_shouldSucceedWith200() throws Exception {
|
||||
ResponseEntity<String> result = template.withBasicAuth("spring", "secret")
|
||||
.getForEntity("/private/hello", String.class);
|
||||
assertEquals(HttpStatus.OK, result.getStatusCode());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenInvalidAuthRequestOnPrivateService_shouldSucceedWith200() throws Exception {
|
||||
ResponseEntity<String> result = template.withBasicAuth("spring", "wrong")
|
||||
.getForEntity("/private/hello", String.class);
|
||||
assertEquals(HttpStatus.UNAUTHORIZED, result.getStatusCode());
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,34 +0,0 @@
|
||||
package com.baeldung.logoutredirects;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
|
||||
import org.springframework.security.test.context.support.WithMockUser;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
|
||||
|
||||
@RunWith(SpringRunner.class)
|
||||
@WebMvcTest()
|
||||
public class LogoutApplicationUnitTest {
|
||||
|
||||
@Autowired
|
||||
private MockMvc mockMvc;
|
||||
|
||||
@WithMockUser(value = "spring")
|
||||
@Test
|
||||
public void whenLogout_thenDisableRedirect() throws Exception {
|
||||
|
||||
this.mockMvc.perform(post("/logout").with(csrf()))
|
||||
.andExpect(status().isOk())
|
||||
.andExpect(jsonPath("$").doesNotExist())
|
||||
.andExpect(unauthenticated())
|
||||
.andReturn();
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,96 +0,0 @@
|
||||
package com.baeldung.manuallogout;
|
||||
|
||||
import static org.junit.Assert.assertNull;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
import javax.servlet.http.HttpSession;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpSession;
|
||||
import org.springframework.security.test.context.support.WithMockUser;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
|
||||
@RunWith(SpringRunner.class)
|
||||
@WebMvcTest()
|
||||
public class ManualLogoutIntegrationTest {
|
||||
|
||||
private static final String CLEAR_SITE_DATA_HEADER = "Clear-Site-Data";
|
||||
public static final int EXPIRY = 60 * 10;
|
||||
public static final String COOKIE_NAME = "customerName";
|
||||
public static final String COOKIE_VALUE = "myName";
|
||||
public static final String ATTRIBUTE_NAME = "att";
|
||||
public static final String ATTRIBUTE_VALUE = "attvalue";
|
||||
|
||||
@Autowired
|
||||
private MockMvc mockMvc;
|
||||
|
||||
@WithMockUser(value = "spring")
|
||||
@Test
|
||||
public void givenLoggedUserWhenUserLogoutThenSessionClearedAndNecessaryCookieCleared() throws Exception {
|
||||
|
||||
this.mockMvc.perform(post("/basic/basiclogout").secure(true)
|
||||
.with(csrf()))
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(unauthenticated())
|
||||
.andReturn();
|
||||
}
|
||||
|
||||
@WithMockUser(value = "spring")
|
||||
@Test
|
||||
public void givenLoggedUserWhenUserLogoutThenSessionClearedAndAllCookiesCleared() throws Exception {
|
||||
|
||||
MockHttpSession session = new MockHttpSession();
|
||||
session.setAttribute(ATTRIBUTE_NAME, ATTRIBUTE_VALUE);
|
||||
|
||||
Cookie randomCookie = new Cookie(COOKIE_NAME, COOKIE_VALUE);
|
||||
randomCookie.setMaxAge(EXPIRY); // 10 minutes
|
||||
|
||||
MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/cookies/cookielogout").secure(true)
|
||||
.with(csrf())
|
||||
.session(session)
|
||||
.cookie(randomCookie))
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(unauthenticated())
|
||||
.andExpect(cookie().maxAge(COOKIE_NAME, 0))
|
||||
.andReturn()
|
||||
.getRequest();
|
||||
|
||||
HttpSession sessionStateAfterLogout = requestStateAfterLogout.getSession();
|
||||
assertNull(sessionStateAfterLogout.getAttribute(ATTRIBUTE_NAME));
|
||||
}
|
||||
|
||||
@WithMockUser(value = "spring")
|
||||
@Test
|
||||
public void givenLoggedUserWhenUserLogoutThenClearDataSiteHeaderPresent() throws Exception {
|
||||
|
||||
this.mockMvc.perform(post("/csd/csdlogout").secure(true)
|
||||
.with(csrf()))
|
||||
.andDo(print())
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(header().exists(CLEAR_SITE_DATA_HEADER))
|
||||
.andReturn();
|
||||
}
|
||||
|
||||
@WithMockUser(value = "spring")
|
||||
@Test
|
||||
public void givenLoggedUserWhenUserLogoutOnRequestThenSessionCleared() throws Exception {
|
||||
|
||||
this.mockMvc.perform(post("/request/logout").secure(true)
|
||||
.with(csrf()))
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(unauthenticated())
|
||||
.andReturn();
|
||||
}
|
||||
}
|
||||
@ -1,12 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<configuration scan="true" scanPeriod="15 seconds" debug="false">
|
||||
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
|
||||
<encoder>
|
||||
<pattern>[%d{ISO8601}]-[%thread] %-5level %logger - %msg%n</pattern>
|
||||
</encoder>
|
||||
</appender>
|
||||
|
||||
<root level="INFO">
|
||||
<appender-ref ref="STDOUT" />
|
||||
</root>
|
||||
</configuration>
|
||||
Loading…
x
Reference in New Issue
Block a user