From 21526b1a55b24d0b0d415d3d4ffc12a36360c6f1 Mon Sep 17 00:00:00 2001 From: Pekka Helenius Date: Sun, 4 Oct 2020 13:04:39 +0300 Subject: [PATCH] Spring security: Fix access to H2 console; update config Signed-off-by: Pekka Helenius --- .../bookstore/config/WebSecurityConfig.java | 24 ++++++++++--------- .../templates/fragments/devusers.html | 1 + 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java index fc51f01..6a74d64 100644 --- a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java +++ b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java @@ -40,16 +40,12 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailServiceImpl userDetailService; - @Autowired - private static BookStoreAccessDeniedHandler bookStoreAccessDeniedHandler; - @Autowired public void configureGlobal(AuthenticationManagerBuilder authManagerBuilder) throws Exception { authManagerBuilder.userDetailsService(userDetailService); } - /* * Have different HTTP security policies for: * @@ -70,9 +66,10 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { authorize -> authorize .anyRequest().hasAuthority("ADMIN") ) - .httpBasic() + .httpBasic() .and() - .csrf().disable() + .csrf() + .disable() ; } @@ -89,9 +86,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { */ @Override protected void configure(HttpSecurity httpSecurity) throws Exception { + httpSecurity .authorizeRequests() .antMatchers( + "/h2-console/**", "/", "/booklist", "/error", 
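Review bot: Adding `"/h2-console/**"` to this `antMatchers(...)` list puts the H2 console in the same group as `/`, `/booklist` and `/error`; the call that closes the list is outside the hunk, but if it is `permitAll()`, as those public paths suggest, the console becomes reachable without logging in. The console runs arbitrary SQL against the application database, so it deserves its own rule rather than the public one, for example `.antMatchers("/h2-console/**").hasAuthority("ADMIN")` placed before the public list, reusing the authority the API chain in this file already checks. If the console is meant for development only, say so in a comment next to the matcher and keep `spring.h2.console.enabled` off outside the dev profile. The body of `configure(HttpSecurity)` continues past the end of this hunk.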
@@ -105,24 +104,27 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { .authenticated() .and() .formLogin() - // TODO do not expose /login URI end point (prevent direct access) - .defaultSuccessUrl("/booklist") -// .loginPage("/booklist") -// .permitAll() + .defaultSuccessUrl("/booklist") + .permitAll() .and() .logout() .logoutSuccessUrl("/booklist") .permitAll() .invalidateHttpSession(true) .clearAuthentication(true) + .deleteCookies("JSESSIONID") .and() .exceptionHandling() - .accessDeniedHandler(bookStoreAccessDeniedHandler) + .accessDeniedHandler(new BookStoreAccessDeniedHandler()) .and() .csrf() + .ignoringAntMatchers("/h2-console/**") .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) + .and() + .headers() + .frameOptions().sameOrigin() ; } diff --git a/bookstore/src/main/resources/templates/fragments/devusers.html b/bookstore/src/main/resources/templates/fragments/devusers.html index 09b6343..ebc5f38 100644 --- a/bookstore/src/main/resources/templates/fragments/devusers.html +++ b/bookstore/src/main/resources/templates/fragments/devusers.html @@ -43,6 +43,7 @@ + H2 database console
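Review bot: `.csrf().ignoringAntMatchers("/h2-console/**")` and `.headers().frameOptions().sameOrigin()` are applied unconditionally, so the CSRF exemption ships in every environment, and `sameOrigin()` relaxes Spring Security's default `X-Frame-Options: DENY` for every response, not just the console pages. Both are only needed while the H2 console is enabled, so I would mark them with a comment such as `// H2 console (dev only): needs CSRF exemption and same-origin frames` and apply them only when a development profile is active. Separately, `new BookStoreAccessDeniedHandler()` fixes the null handler (the removed field was `static`, which `@Autowired` does not populate) but creates the object outside the container; if the handler is a Spring bean with injected dependencies of its own, which is not visible here, a non-static `@Autowired private BookStoreAccessDeniedHandler bookStoreAccessDeniedHandler;` would be the safer fix. `configure(HttpSecurity)` starts outside this hunk.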