How to secure a web application with multiple realms using Spring's Java Config?


I have a web application with 2 types of resources.

  • web pages
  • web services

I want to secure the web pages using one authentication provider (i.e. CAS), and the web services using another authentication provider (i.e. basic authentication).

I found a solution that works here, but it uses XML, and I would prefer not to use XML configuration if possible.

Is there a Java config solution for this?

Well, it took a while to figure out how to do it...

Basically, I split the original security configuration class into 3 separate configuration classes.

This is how I did it...

The main security configuration...

/**
 * Root security configuration.
 *
 * <p>It carries no rules of its own; it only imports the two realm-specific
 * configurations so that both filter chains are registered in one place.
 */
@Configuration
@Import({WebPageSecurityConfig.class, WebServiceSecurityConfig.class})
public class SecurityConfig {
}

The security configuration for web pages... (URLs that do not begin with /service/**)

/**
 * Filter chain for the browser-facing pages: every URL that does not start
 * with {@code /service/}.
 *
 * <p>Users of this chain authenticate against CAS and are granted
 * {@code ROLE_CAS_USER}. The chain is ordered at 200, i.e. it is consulted
 * before the web-service chain (order 300); its request matcher hands the
 * {@code /service/} subtree over to that chain.
 */
@Configuration
@Order(200)
@EnableWebMvcSecurity
public class WebPageSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Source of the {@code cas.*} properties used below. */
    @Autowired
    private Environment env;

    /**
     * Registers the CAS provider with the shared authentication manager.
     *
     * @param auth the global builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(casAuthenticationProvider());
    }

    /**
     * Builds the page chain: CAS filter, CAS entry point, and the access rules.
     *
     * @param http the chain under construction
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // NOTE(review): CSRF protection is switched off for this session-based,
        // browser-facing chain, so state-changing POSTs on the secured pages are
        // not protected against cross-site requests. Confirm this is intended;
        // the usual choice is to keep it enabled for page chains.
        http.csrf().disable();

        // Claim every request except the /service/ subtree, which the
        // web-service chain owns.
        http.requestMatcher(new RequestMatcher() {
            @Override
            public boolean matches(final HttpServletRequest request) {
                final String path = request.getServletPath()
                        + StringUtils.defaultString(request.getPathInfo());
                return !path.startsWith("/service/");
            }
        });

        http.addFilter(casAuthenticationFilter())
            .exceptionHandling()
            .authenticationEntryPoint(casAuthenticationEntryPoint());

        http.authorizeRequests()
            .antMatchers("/securedPage").hasAuthority("ROLE_CAS_USER") // only CAS users
            .anyRequest().permitAll();                                  // every other page is public
    }

    // --- general application security (CAS authentication) -----------------

    /**
     * Filter that processes the CAS service ticket on the callback URL.
     *
     * @return the CAS filter wired to the shared authentication manager
     * @throws Exception propagated from {@link #authenticationManager()}
     */
    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        final CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    /**
     * Entry point that redirects unauthenticated users to the CAS login page.
     *
     * @return the entry point pointing at {@code cas.server.url}/login
     */
    @Bean
    public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        final CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
        entryPoint.setLoginUrl(env.getRequiredProperty("cas.server.url") + "/login");
        entryPoint.setServiceProperties(casServiceProperties());
        return entryPoint;
    }

    /**
     * Describes this application as a CAS service.
     *
     * @return service properties whose service URL is the CAS callback of this app
     */
    @Bean
    public ServiceProperties casServiceProperties() {
        final ServiceProperties props = new ServiceProperties();
        props.setService(env.getRequiredProperty("cas.service.url") + "/j_spring_cas_security_check");
        props.setSendRenew(false);
        return props;
    }

    /**
     * Provider that validates CAS tickets and loads the matching user.
     *
     * @return the fully wired CAS provider
     */
    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        final CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setAuthenticationUserDetailsService(casAuthenticationUserDetailsService());
        provider.setServiceProperties(casServiceProperties());
        provider.setTicketValidator(casTicketValidator());
        // Key used to tag authentications produced by this provider.
        provider.setKey("casAuthenticationProviderKey");
        provider.setStatelessTicketCache(casStatelessTicketCache());
        return provider;
    }

    /**
     * Maps a validated CAS assertion to a local user.
     *
     * <p>Every CAS principal receives {@code ROLE_CAS_USER}; the password field
     * is a placeholder because CAS, not this application, verified the user.
     *
     * @return the assertion-to-user mapper
     */
    @Bean
    public AuthenticationUserDetailsService casAuthenticationUserDetailsService() {
        return new AbstractCasAssertionUserDetailsService() {
            @Override
            protected UserDetails loadUserDetails(final Assertion assertion) {
                final String principalName = assertion.getPrincipal().getName();
                final List<GrantedAuthority> granted = new ArrayList<>();
                granted.add(new SimpleGrantedAuthority("ROLE_CAS_USER"));
                return new User(principalName, "notUsed", granted);
            }
        };
    }

    /**
     * Validator that checks tickets against the CAS server.
     *
     * @return a SAML 1.1 validator with the configured clock tolerance
     */
    @Bean
    public TicketValidator casTicketValidator() {
        final Saml11TicketValidator validator =
                new Saml11TicketValidator(env.getRequiredProperty("cas.server.url"));
        validator.setTolerance(env.getRequiredProperty("cas.ticket.tolerance", Long.class));
        return validator;
    }

    /**
     * Cache of validated stateless tickets, backed by {@link #casCache()}.
     *
     * @return the ticket cache
     */
    @Bean
    public StatelessTicketCache casStatelessTicketCache() {
        final EhCacheBasedTicketCache ticketCache = new EhCacheBasedTicketCache();
        ticketCache.setCache(casCache());
        return ticketCache;
    }

    /**
     * Underlying Ehcache region for CAS tickets.
     *
     * <p>Arguments follow the Ehcache constructor: name, max elements in memory,
     * overflow to disk, eternal, time-to-live seconds, time-to-idle seconds.
     *
     * @return the cache; Spring calls {@code initialise} and {@code dispose}
     */
    @Bean(initMethod = "initialise", destroyMethod = "dispose")
    public Cache casCache() {
        return new Cache("casTickets", 50, true, false, 3600, 900);
    }
}

The security configuration for RESTful web services (URLs that start with /service/**)

/**
 * Filter chain for the RESTful web services under {@code /service/**}.
 *
 * <p>Callers authenticate with HTTP Basic on every request; the chain is
 * stateless (no HTTP session) and requires {@code ROLE_WS_USER} for all
 * requests it handles. Ordered at 300, after the web-page chain (order 200).
 */
@Configuration
@Order(300)
@EnableWebMvcSecurity
public class WebServiceSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private Environment env;

    /**
     * Registers the in-memory user store with the shared authentication manager.
     *
     * @param auth the global builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
        // NOTE(review): "admin"/"password" is a sample credential kept in memory
        // and in source; a deployment needs a real user store and must not ship
        // this pair.
        auth.inMemoryAuthentication()
            .withUser("admin")
            .password("password")
            .authorities(new SimpleGrantedAuthority("ROLE_WS_USER"));
    }

    /**
     * Builds the web-service chain: path scope, stateless sessions, Basic filter
     * and entry point, and the access rule.
     *
     * @param http the chain under construction
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // CSRF is disabled here; with a stateless chain there is no session
        // cookie for a cross-site request to ride on, credentials travel per request.
        http.csrf().disable();

        http.antMatcher("/service/**")                                   // only URLs under /service/
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)  // RESTful services keep no session
                .and()
            .addFilter(wsAuthenticationFilter())
            .exceptionHandling()
                .authenticationEntryPoint(wsAuthenticationEntryPoint());

        // Every request in this chain needs the web-service role.
        http.authorizeRequests().anyRequest().hasAuthority("ROLE_WS_USER");
    }

    // --- web service security (Basic authentication) ------------------------

    /**
     * Filter that reads the {@code Authorization: Basic} header.
     *
     * @return the Basic filter wired to the shared authentication manager
     * @throws Exception propagated from {@link #authenticationManager()}
     */
    @Bean
    public BasicAuthenticationFilter wsAuthenticationFilter() throws Exception {
        return new BasicAuthenticationFilter(authenticationManager(), wsAuthenticationEntryPoint());
    }

    /**
     * Entry point that answers unauthenticated calls with a 401 and a
     * {@code WWW-Authenticate} challenge for the configured realm.
     *
     * @return the Basic entry point
     */
    @Bean
    public BasicAuthenticationEntryPoint wsAuthenticationEntryPoint() {
        final BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("my realm");
        return entryPoint;
    }
}
