How to secure a web application with multiple realms using Spring's Java Config? -
I have a web application with 2 types of resources.
- web pages
- web services
I want to secure the web pages using one authentication provider (i.e. CAS), and the web services using another authentication provider (i.e. basic authentication).
I found a solution that works here, but it uses XML, and I would prefer not to use XML configuration if possible.
Is there a Java Config solution for this?
Well, it took a while to figure out how to do it...
Basically, I split my original security configuration class into 3 separate configuration classes.
This is how I did it...
The main security configuration...
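/**
 * Entry-point configuration: imports the web-page and web-service security
 * configuration classes and declares nothing of its own.
 *
 * <p>Spring annotations are written in their real API casing; the class names
 * keep the all-lowercase spelling this listing uses for its own declarations.
 */
@Configuration
@Import({webpagesecurityconfig.class, webservicesecurityconfig.class})
public class securityconfig {
}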
The security configuration for web pages... (URLs that do not begin with /service/**)
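/**
 * Security configuration for the browser-facing pages: requests whose path does
 * not start with {@code /service/} are handled by this chain and authenticated
 * through CAS.
 *
 * <p>Spring, CAS-client and Ehcache identifiers are written in their real API
 * casing; names declared by this listing (class, bean methods) and all string
 * literals keep the spelling the listing gives them.
 *
 * <p>{@code @Order(200)} gives this chain a lower order value than the web-service
 * configuration ({@code @Order(300)}), so its request matcher is consulted first.
 */
@Configuration
@Order(200)
@EnableWebMvcSecurity
public class webpagesecurityconfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private Environment env;

    /**
     * Registers the CAS authentication provider on the injected builder.
     *
     * <p>NOTE(review): the web-service configuration has an {@code @Autowired}
     * method of the same shape; presumably both feed one shared builder, in which
     * case the two realms share a single authentication manager. Overriding
     * {@code configure(AuthenticationManagerBuilder)} in each class would keep the
     * providers local to their chain. Confirm against the Spring Security version
     * in use.
     */
    @Autowired
    public void configureglobal(final AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(casauthenticationprovider());
    }

    /**
     * Builds the filter chain for everything outside {@code /service/}.
     *
     * @param http the chain builder supplied by Spring Security
     * @throws Exception if a bean needed by the chain cannot be created
     */
    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // NOTE(review): CSRF protection is switched off on a chain that keeps the
        // default session-based behaviour and serves browser pages, so
        // state-changing requests to those pages carry no anti-forgery token.
        // Prefer leaving it enabled and exempting only the endpoints that must
        // accept cross-site POSTs.
        http.csrf().disable();

        // NOTE(review): this hand-written prefix test and the "/service/**" ant
        // pattern used by the web-service chain are not guaranteed to be exact
        // complements (for example the bare path "/service"). Whatever this chain
        // claims falls under permitAll() below unless listed explicitly, so
        // consider negating the same matcher the service chain uses
        // (NegatedRequestMatcher) instead of re-implementing it.
        http.requestMatcher(new RequestMatcher() {
            @Override
            public boolean matches(final HttpServletRequest request) {
                final String url = request.getServletPath() + StringUtils.defaultString(request.getPathInfo());
                return !(url.startsWith("/service/"));
            }
        });

        http.addFilter(casauthenticationfilter())
            .exceptionHandling()
            .authenticationEntryPoint(casauthenticationentrypoint());

        // Default-allow policy: only the paths listed here require authentication,
        // so every new protected page has to be added explicitly.
        http.authorizeRequests()
            .antMatchers("/securedpage").hasAuthority("role_cas_user") // /securedpage can only be accessed by a CAS user
            .anyRequest().permitAll(); // all other pages are unsecured
    }

    // General application security (CAS authentication)

    /** CAS filter wired to this adapter's authentication manager. */
    @Bean
    public CasAuthenticationFilter casauthenticationfilter() throws Exception {
        final CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    /** Entry point that sends unauthenticated users to {@code <cas.server.url>/login}. */
    @Bean
    public CasAuthenticationEntryPoint casauthenticationentrypoint() {
        final CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
        entryPoint.setLoginUrl(env.getRequiredProperty("cas.server.url") + "/login");
        entryPoint.setServiceProperties(casserviceproperties());
        return entryPoint;
    }

    /** Service URL this application presents to CAS; renew is not requested. */
    @Bean
    public ServiceProperties casserviceproperties() {
        final ServiceProperties properties = new ServiceProperties();
        properties.setService(env.getRequiredProperty("cas.service.url") + "/j_spring_cas_security_check");
        properties.setSendRenew(false);
        return properties;
    }

    /** CAS provider assembled from the user-details service, ticket validator and ticket cache beans. */
    @Bean
    public CasAuthenticationProvider casauthenticationprovider() {
        final CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setAuthenticationUserDetailsService(casauthenticationuserdetailsservice());
        provider.setServiceProperties(casserviceproperties());
        provider.setTicketValidator(casticketvalidator());
        provider.setKey("casauthenticationproviderkey");
        provider.setStatelessTicketCache(casstatelessticketcache());
        return provider;
    }

    /**
     * Maps a validated CAS assertion to a user.
     *
     * <p>Every principal the CAS server vouches for receives the same single
     * authority; there is no per-user lookup, so access to {@code /securedpage}
     * is decided entirely by who can log in at the CAS server.
     */
    @Bean
    public AuthenticationUserDetailsService casauthenticationuserdetailsservice() {
        return new AbstractCasAssertionUserDetailsService() {
            @Override
            protected UserDetails loadUserDetails(final Assertion assertion) {
                final String username = assertion.getPrincipal().getName();
                final List<GrantedAuthority> authorities = new ArrayList<>();
                authorities.add(new SimpleGrantedAuthority("role_cas_user"));
                // The password slot is a placeholder; CAS never hands the password to this application.
                return new User(username, "notused", authorities);
            }
        };
    }

    /** SAML 1.1 ticket validator; the tolerance is read from {@code cas.ticket.tolerance}. */
    @Bean
    public TicketValidator casticketvalidator() {
        final Saml11TicketValidator validator = new Saml11TicketValidator(env.getRequiredProperty("cas.server.url"));
        validator.setTolerance(env.getRequiredProperty("cas.ticket.tolerance", Long.class));
        return validator;
    }

    /** Ehcache-backed ticket cache handed to the CAS provider. */
    @Bean
    public StatelessTicketCache casstatelessticketcache() {
        final EhCacheBasedTicketCache ticketCache = new EhCacheBasedTicketCache();
        ticketCache.setCache(cascache());
        return ticketCache;
    }

    /**
     * Backing Ehcache instance; Spring calls {@code initialise} and {@code dispose}
     * on it as bean lifecycle methods.
     */
    @Bean(initMethod = "initialise", destroyMethod = "dispose")
    public Cache cascache() {
        // name, max elements in memory, overflow to disk, eternal, time-to-live (s), time-to-idle (s)
        return new Cache("castickets", 50, true, false, 3600, 900);
    }
}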
The security configuration for RESTful web services (URLs that start with /service/**)
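/**
 * Security configuration for the RESTful web services: requests matching
 * {@code /service/**} are stateless and authenticated with HTTP Basic.
 *
 * <p>Spring identifiers are written in their real API casing; names declared by
 * this listing (class, bean methods) and all string literals keep the spelling
 * the listing gives them.
 *
 * <p>NOTE(review): Basic credentials accompany every request in a reversibly
 * encoded header, so this chain should only be reachable over TLS; nothing in
 * this class enforces that.
 */
@Configuration
@Order(300)
@EnableWebMvcSecurity
public class webservicesecurityconfig extends WebSecurityConfigurerAdapter {

    // Injected but not read by anything in this class.
    @Autowired
    private Environment env;

    /**
     * Registers a single in-memory user holding the web-service authority.
     *
     * <p>NOTE(review): the user name and password are sample values compiled into
     * the class and held as plain text with no password encoder. Load them from
     * external configuration or a real user store, and use a non-trivial secret,
     * before this is deployed.
     */
    @Autowired
    public void configureglobal(final AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("password").authorities(new SimpleGrantedAuthority("role_ws_user"));
    }

    /**
     * Builds the filter chain for {@code /service/**}.
     *
     * @param http the chain builder supplied by Spring Security
     * @throws Exception if a bean needed by the chain cannot be created
     */
    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // No CSRF tokens on this chain: it keeps no session and each request
        // authenticates itself with Basic credentials.
        http.csrf().disable();

        http.antMatcher("/service/**") // only process URLs that begin with /service/
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() // RESTful web services are stateless
            .addFilter(wsauthenticationfilter())
            .exceptionHandling().authenticationEntryPoint(wsauthenticationentrypoint());

        http.authorizeRequests().anyRequest().hasAuthority("role_ws_user"); // all requests are secured
    }

    // Web service security (basic authentication)

    /** Basic-auth filter using this adapter's authentication manager and the entry point below. */
    @Bean
    public BasicAuthenticationFilter wsauthenticationfilter() throws Exception {
        return new BasicAuthenticationFilter(authenticationManager(), wsauthenticationentrypoint());
    }

    /** Entry point that issues the Basic challenge for realm {@code "my realm"}. */
    @Bean
    public BasicAuthenticationEntryPoint wsauthenticationentrypoint() {
        final BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("my realm");
        return entryPoint;
    }
}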