package kr.wisestone.owl.config;

import kr.wisestone.owl.config.security.filter.AjaxSessionExpiredFilter;
import kr.wisestone.owl.config.security.handler.AjaxAuthenticationEntryPoint;
import kr.wisestone.owl.config.security.handler.AjaxAuthenticationFailureHandler;
import kr.wisestone.owl.config.security.handler.AjaxAuthenticationSuccessHandler;
import kr.wisestone.owl.config.security.handler.AjaxLogoutSuccessHandler;
import kr.wisestone.owl.config.security.service.UserSecurityService;
import kr.wisestone.owl.config.security.strategy.SecuritySessionExpiredStrategy;
import kr.wisestone.owl.constant.Constants;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;

/**
 * Spring Security wiring for the AJAX-driven web application.
 *
 * <p>Authentication is form based (processed at {@code /security/login}) against
 * {@link UserSecurityService}; HTTP Basic is accepted as well. Login, logout and
 * access-denied outcomes are reported by the {@code Ajax*} handlers instead of
 * redirects. Sessions are tracked in a {@link SessionRegistry} so that concurrent
 * logins can be limited to one per user, and persistent logins are delegated to
 * Spring Session's remember-me services.
 *
 * <p>NOTE(review): CSRF protection and the X-Frame-Options header are both switched
 * off in {@link #configure(HttpSecurity)}; see the comments there for what that
 * implies. {@link WebSecurityConfigurerAdapter} is deprecated in newer Spring
 * Security releases — presumably this project is still on a version that supports
 * it; confirm before upgrading.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Name of the login request parameter that asks for a persistent login. The same
     * string is also handed to {@code deleteCookies} at logout (see note there).
     */
    private static final String REMEMBER_ME_KEY = "rememberMe";

    /**
     * Paths reachable without an authenticated session. All of them are granted
     * {@code permitAll}, so their relative order does not matter; the social-login
     * callbacks, self-registration, password recovery and the public issue API live here.
     * NOTE(review): {@code /user/add}, {@code /user/returnEmailPassword} and the
     * {@code /api/issue} endpoints are anonymous by design — presumably the controllers
     * apply their own validation and abuse limits; verify there.
     */
    private static final String[] PUBLIC_ENDPOINTS = {
        "/kakaoOAuth2CallBack",
        "/naverOAuth2CallBack",
        "/googleOAuth2CallBack",
        "/facebookOAuth2CallBack",
        "/user/addSocialLogin",
        "/user/add",
        "/user/getUserSession",
        "/user/returnEmailPassword",
        "/workspace/find",
        "/workspace/findPrimaryWorkspace",
        "/guide/detail",
        "/language/change",
        "/security/*",
        "/api/issue",
        "/api/issue/*"
    };

    @Autowired
    private AjaxAuthenticationSuccessHandler ajaxAuthenticationSuccessHandler;

    @Autowired
    private AjaxAuthenticationFailureHandler ajaxAuthenticationFailureHandler;

    @Autowired
    private AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler;

    @Autowired
    private AjaxAuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    private UserSecurityService userSecurityService;

    @Autowired
    private SessionRegistry sessionRegistry;

    /**
     * Registers the user-details service and password encoder with the global
     * authentication manager.
     *
     * @param auth the builder for the application-wide {@link AuthenticationManager}
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // @Configuration proxies inter-bean calls, so this.passwordEncoder() yields the
        // singleton bean rather than a fresh encoder.
        auth.userDetailsService(this.userSecurityService)
            .passwordEncoder(this.passwordEncoder());
    }

    /**
     * DAO-backed provider using the same user-details service and encoder as
     * {@link #configureGlobal(AuthenticationManagerBuilder)}.
     * NOTE(review): both this bean and {@code configureGlobal} describe the same
     * DAO provider; presumably one of them is there for explicit injection elsewhere —
     * redundant but not harmful as far as this file shows.
     *
     * @return a configured {@link DaoAuthenticationProvider}
     */
    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(this.userSecurityService);
        provider.setPasswordEncoder(this.passwordEncoder());
        return provider;
    }

    /**
     * Exposes the adapter's {@link AuthenticationManager} as a bean under
     * {@link BeanIds#AUTHENTICATION_MANAGER} so other components can inject it.
     *
     * @return the shared authentication manager
     * @throws Exception propagated from the adapter
     */
    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Delegating encoder: new hashes use the factory's default algorithm and stored
     * hashes are matched by their {@code {id}} prefix, which allows gradual migration
     * of legacy formats.
     *
     * @return the application password encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    /**
     * Filter that consults the session registry for expired sessions; inserted ahead
     * of {@link ConcurrentSessionFilter} in {@link #configure(HttpSecurity)}.
     *
     * @return the expired-session filter
     */
    @Bean
    public AjaxSessionExpiredFilter ajaxSessionExpiredFilter() {
        return new AjaxSessionExpiredFilter(this.sessionRegistry);
    }

    /**
     * Strategy applied when a session is expired by a concurrent login; redirects to
     * {@link Constants#SESSION_EXPIRE_REDIRECT_URL}.
     *
     * @return the expired-session strategy
     */
    @Bean
    public SecuritySessionExpiredStrategy securitySessionExpiredStrategy() {
        return new SecuritySessionExpiredStrategy(Constants.SESSION_EXPIRE_REDIRECT_URL);
    }

    /**
     * Remember-me handling backed by Spring Session. {@code alwaysRemember} is false,
     * so a persistent login is only created when the {@link #REMEMBER_ME_KEY}
     * parameter is present on the login request.
     *
     * @return the remember-me services bean
     */
    @Bean
    public SpringSessionRememberMeServices springSessionRememberMeServices() {
        SpringSessionRememberMeServices services = new SpringSessionRememberMeServices();
        services.setAlwaysRemember(false);
        services.setRememberMeParameterName(REMEMBER_ME_KEY);
        return services;
    }

    /**
     * Static script and stylesheet requests bypass the security filter chain entirely
     * (no session lookup, no security headers). Keep this list limited to genuinely
     * static assets.
     *
     * @param web the web security builder
     */
    @Override
    public void configure(WebSecurity web) {
        web.ignoring()
            .antMatchers("/**/*.{js,css}");
    }

    /**
     * Assembles the HTTP security chain: form login, logout, headers/CSRF/basic auth,
     * URL authorization, remember-me and concurrent-session control, in that order.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        configureFormLogin(http);
        configureLogout(http);
        configureHeadersCsrfAndEntryPoint(http);
        configureAuthorization(http);
        // A CustomAuthenticationFilter was at one point intended to be added before
        // UsernamePasswordAuthenticationFilter (hence that import) but is not wired in.
        configureRememberMe(http);
        configureSessionManagement(http);
    }

    /** Form login processed at /security/login, with outcomes reported by the AJAX handlers. */
    private void configureFormLogin(HttpSecurity http) throws Exception {
        http.formLogin()
            .loginProcessingUrl("/security/login")
            .successHandler(this.ajaxAuthenticationSuccessHandler)
            .failureHandler(this.ajaxAuthenticationFailureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll();
    }

    /** Logout at /security/logout: clears authentication, invalidates the session and drops cookies. */
    private void configureLogout(HttpSecurity http) throws Exception {
        http.logout()
            .clearAuthentication(true)
            .logoutUrl("/security/logout")
            .logoutSuccessHandler(this.ajaxLogoutSuccessHandler)
            // NOTE(review): REMEMBER_ME_KEY is the remember-me request *parameter* name;
            // confirm the remember-me cookie is actually issued under the same name,
            // otherwise this entry clears nothing and the persistent login outlives logout.
            .deleteCookies("JSESSIONID", REMEMBER_ME_KEY)
            .invalidateHttpSession(true)
            .permitAll();
    }

    /** Response headers, CSRF, HTTP Basic and the entry point used for unauthenticated requests. */
    private void configureHeadersCsrfAndEntryPoint(HttpSecurity http) throws Exception {
        // X-Frame-Options is suppressed entirely, so any origin may embed these pages in a frame.
        http.headers().frameOptions().disable();
        // NOTE(review): CSRF protection is off while authentication rides on the session and
        // remember-me cookies; state-changing endpoints are only protected from cross-site
        // requests if another mechanism (e.g. a custom-header check) is enforced elsewhere — confirm.
        http.csrf().disable();
        // HTTP Basic is accepted alongside form login; the Authorization header carries the
        // credentials on every request, which is only acceptable over TLS.
        http.httpBasic();
        http.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint);
    }

    /** Public endpoints are permitted; everything else requires an authenticated principal. */
    private void configureAuthorization(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(PUBLIC_ENDPOINTS).permitAll()
            // NOTE(review): the Ant pattern "/**/*" may not match the bare root path "/";
            // anyRequest() is the usual catch-all — confirm whether an unmatched "/" is meant
            // to be reachable without authentication.
            .antMatchers("/**/*").authenticated();
    }

    /** Persistent login via the Spring Session remember-me services bean. */
    private void configureRememberMe(HttpSecurity http) throws Exception {
        http.rememberMe()
            .rememberMeServices(this.springSessionRememberMeServices());
    }

    /** One session per user: a newer login wins and the older session is expired. */
    private void configureSessionManagement(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .maximumSessions(1)
            // false: do not block the new login; expire the previous session instead
            .maxSessionsPreventsLogin(false)
            .expiredSessionStrategy(this.securitySessionExpiredStrategy())
            .sessionRegistry(this.sessionRegistry);
        // Placed ahead of ConcurrentSessionFilter — presumably so an expired session is
        // reported in an AJAX-friendly way before the default handling runs; see AjaxSessionExpiredFilter.
        http.addFilterBefore(this.ajaxSessionExpiredFilter(), ConcurrentSessionFilter.class);
    }
}