package hello;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import lombok.extern.slf4j.Slf4j;
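@Configuration
@EnableWebSecurity
@Order(0) // lowest order: this filter chain is consulted before any other WebSecurityConfigurerAdapter in the app
@Slf4j
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Defines the HTTP security rules: which URLs are public, how form login and logout
     * behave, and what the browser sees after success or failure.
     *
     * @param http the {@link HttpSecurity} builder supplied by Spring Security
     * @throws Exception propagated from the builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Only "/" and "/home" are reachable anonymously; every other request needs a login.
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            // Form login: custom page at /login (public), credentials POSTed to /signin,
            // form field names "userid"/"passwd" instead of the Spring defaults.
            .formLogin().loginPage("/login").permitAll()
                .loginProcessingUrl("/signin")
                .usernameParameter("userid")
                .passwordParameter("passwd")
                .successHandler((req, res, auth) -> {
                    // Log the authenticated principal and its authorities, then send it to /hello.
                    for (GrantedAuthority authority : auth.getAuthorities()) {
                        log.info(authority.getAuthority());
                    }
                    log.info(auth.getName());
                    res.sendRedirect("/hello");
                })
                .failureHandler((req, res, exp) -> {
                    // instanceof matches BadCredentialsException and its subclasses; the previous
                    // exp.getClass().isAssignableFrom(BadCredentialsException.class) had the test reversed
                    // and only matched the exact class.
                    String errMsg;
                    if (exp instanceof BadCredentialsException) {
                        errMsg = "Invalid username or password.";
                    } else {
                        // NOTE(review): exp.getMessage() is rendered to the browser; for non-credential
                        // failures it may carry internal detail — consider a fixed text here and the
                        // full exception in the server log only.
                        errMsg = "Unknown error - " + exp.getMessage();
                    }
                    // The login page reads "message" from the session to display the outcome.
                    req.getSession().setAttribute("message", errMsg);
                    res.sendRedirect("/login");
                })
                .and()
            .logout().logoutUrl("/logout")
                .logoutSuccessHandler((req, res, auth) -> {
                    req.getSession().setAttribute("message", "You are logged out successfully.");
                    res.sendRedirect("/login");
                })
                .permitAll() // /logout itself is reachable without authentication
                .and()
            // NOTE(review): CSRF protection is switched off for the whole application. With a
            // cookie-bound session and form POSTs to /signin and /logout this removes the default
            // defence against cross-site request forgery; unless the views cannot include the
            // CSRF token, remove this line so the default CsrfFilter stays active.
            .csrf().disable();
    }

    /**
     * Registers the application's {@code UserDetailsServiceImp} as the user source for form
     * login and tells the authentication manager to verify passwords with BCrypt.
     *
     * @param auth the authentication manager builder supplied by Spring Security
     * @throws Exception propagated from the builder API
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(new UserDetailsServiceImp()).passwordEncoder(passwordEncoder());
    }

    /**
     * Password encoder bean shared by the authentication manager and any component that
     * stores user passwords; BCrypt with the library's default strength.
     *
     * @return a new {@link BCryptPasswordEncoder}
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}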