PreAuthConfiguration.java
package cn.home1.oss.lib.security.starter;
import static cn.home1.oss.boot.autoconfigure.AppSecurity.ENABLED;
import static cn.home1.oss.boot.autoconfigure.AppSecurityProperties.APP_SECURITY;
import static cn.home1.oss.lib.security.api.GenericUser.GENERIC_USER_COOKIE;
import static cn.home1.oss.lib.security.api.GenericUser.GENERIC_USER_TOKEN;
import static cn.home1.oss.lib.security.starter.PermitedRequestConfiguration.PERMITED_REQUEST_MATCHER;
import static java.lang.Boolean.FALSE;
import cn.home1.oss.boot.autoconfigure.AppProperties;
import cn.home1.oss.boot.autoconfigure.AppSecurityProperties;
import cn.home1.oss.boot.autoconfigure.ConditionalOnAppSecurity;
import cn.home1.oss.lib.common.crypto.Cryptos;
import cn.home1.oss.lib.common.crypto.EncodeCipher;
import cn.home1.oss.lib.common.crypto.Jwt;
import cn.home1.oss.lib.security.api.BaseUserDetailsAuthenticationProvider;
import cn.home1.oss.lib.security.api.GenericUser;
import cn.home1.oss.lib.security.api.User;
import cn.home1.oss.lib.security.internal.preauth.PreAuthTestUserFilter;
import cn.home1.oss.lib.security.internal.preauth.PreAuthTokenAuthenticationProvider;
import cn.home1.oss.lib.security.internal.preauth.PreAuthTokenFilter;
import cn.home1.oss.lib.security.internal.preauth.PreAuthTokenProcessingFilter;
import cn.home1.oss.lib.webmvc.api.DomainResolver;
import cn.home1.oss.lib.webmvc.api.JsonToken;
import cn.home1.oss.lib.webmvc.api.JsonWebToken;
import cn.home1.oss.lib.webmvc.api.SecureToken;
import cn.home1.oss.lib.webmvc.api.TokenBasedCookie;
import cn.home1.oss.lib.webmvc.api.TypeSafeCookie;
import cn.home1.oss.lib.webmvc.api.TypeSafeToken;
import cn.home1.oss.lib.webmvc.api.UrlEncodedToken;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import java.util.List;
import java.util.concurrent.TimeUnit;
/**
* Created by zhanghaolun on 16/8/19.
*/
@Order(PreAuthConfiguration.ORDER_PRE_AUTH)
@Configuration
@ConfigurationProperties(prefix = APP_SECURITY)
@Slf4j
public class PreAuthConfiguration extends SecurityConfigurerAdapter<PreAuthConfiguration> {
public static final int ORDER_PRE_AUTH = BasicAuthConfiguration.ORDER_BASIC_AUTH + 1;
static final String PRE_AUTH_AUTHENTICATION_PROVIDER = "preAuthAuthenticationProvider";
@Autowired
private AppProperties appProperties;
@Autowired
private DomainResolver domainResolver;
@Autowired
private Environment environment;
@Autowired
private ObjectMapper objectMapper;
@Qualifier(PERMITED_REQUEST_MATCHER)
@Autowired(required = false)
private RequestMatcher permitedRequestMatcher;
@Autowired
private ServerProperties serverProperties;
@Autowired(required = false)
@SuppressWarnings("rawtypes")
private BaseUserDetailsAuthenticationProvider userDetailsAuthenticationProvider;
public static int getMaxAge(final ServerProperties serverProperties) {
final Integer maxAge = serverProperties.getSession().getCookie().getMaxAge();
final int defaultMaxAge = (int) TimeUnit.DAYS.toSeconds(1L);
return maxAge != null ? maxAge : defaultMaxAge;
}
@Override
public void configure(final HttpSecurity http) {
if (this.appProperties.getSecurityEnabled()) {
final PreAuthTokenFilter preAuthTokenFilter = this.preAuthTokenFilter();
http.addFilterBefore(preAuthTokenFilter, UsernamePasswordAuthenticationFilter.class);
if (this.appProperties.getSecurityUseTestUser()) {
http.addFilterAfter(this.preAuthTestUserFilter(), BasicAuthenticationFilter.class);
http.addFilterAfter(this.preAuthTokenProcessingFilter(), PreAuthTestUserFilter.class);
} else {
http.addFilterAfter(this.preAuthTokenProcessingFilter(), BasicAuthenticationFilter.class);
}
}
}
@Bean(name = GENERIC_USER_COOKIE)
public TypeSafeCookie<GenericUser> genericUserCookie() {
// server.session.cookie.comment= # Comment for the session cookie.
// server.session.cookie.domain= # Domain for the session cookie.
// server.session.cookie.http-only= # "HttpOnly" flag for the session cookie.
// server.session.cookie.max-age= # Maximum age of the session cookie in seconds.
// server.session.cookie.name= # Session cookie name.
// server.session.cookie.path= # Path of the session cookie.
// server.session.cookie.secure= # "Secure" flag for the session cookie.
final TypeSafeToken<GenericUser> token = this.genericUserToken();
return new TokenBasedCookie<>( //
this.domainResolver, //
true, //
getMaxAge(this.serverProperties), //
"generic_user", //
false, //
token //
);
}
@Bean(name = GENERIC_USER_TOKEN)
public TypeSafeToken<GenericUser> genericUserToken() {
final AppSecurityProperties appSecurityProperties = this.appProperties.getSecurity();
TypeSafeToken<GenericUser> token = new JsonToken<>(GenericUser.class, this.objectMapper);
final Jwt jwtCipher = Cryptos.cipher(appSecurityProperties.getJwtKey());
if (jwtCipher != null) {
token = new JsonWebToken<>(token, jwtCipher, getMaxAge(this.serverProperties));
} else {
log.warn("INSECURE ! JwtKey not set. Using plain text token.");
}
final EncodeCipher cookieCipher = Cryptos.cipher(appSecurityProperties.getCookieKey());
if (cookieCipher != null) {
token = new SecureToken<>(token, cookieCipher);
}
token = new UrlEncodedToken<>(token);
return token;
}
public PreAuthTokenFilter preAuthTokenFilter() {
final PreAuthTokenFilter filter = new PreAuthTokenFilter();
filter.setCookie(this.genericUserCookie());
filter.setEnvironment(this.environment);
filter.setPermitedRequestMatcher(this.permitedRequestMatcher);
filter.setToken(this.genericUserToken());
return filter;
}
public PreAuthTokenProcessingFilter preAuthTokenProcessingFilter() {
final PreAuthTokenProcessingFilter filter = new PreAuthTokenProcessingFilter();
filter.setEnvironment(this.environment);
return filter;
}
@SuppressWarnings("unchecked")
public PreAuthTestUserFilter preAuthTestUserFilter() {
final PreAuthTestUserFilter filter;
if (this.appProperties.getSecurityUseTestUser()) {
final String defaultTestUser = this.appProperties.getSecurityDefaultTestUser();
final List<User> testUsers = this.userDetailsAuthenticationProvider.initTestUsers();
filter = new PreAuthTestUserFilter(defaultTestUser, testUsers);
filter.setEnvironment(this.environment);
filter.setToken(this.genericUserToken());
} else {
this.userDetailsAuthenticationProvider.deleteTestUsers();
filter = null;
}
return filter;
}
@Bean(name = PRE_AUTH_AUTHENTICATION_PROVIDER)
@ConditionalOnAppSecurity(ENABLED)
public AuthenticationProvider preAuthAuthenticationProvider() {
// this.appProperties.getSecurityUseTestUser() ? new NoOpPreAuthenticatedAuthenticationProvider()
return new PreAuthTokenAuthenticationProvider(FALSE);
}
}