From 76129f69099e7cecc4fa723eb8f15c29a103edb1 Mon Sep 17 00:00:00 2001
From: Pekka Helenius
Date: Sat, 3 Oct 2020 15:08:17 +0300
Subject: [PATCH] Differentiate REST API web security from Web Form security; HttpSecurity additions
Signed-off-by: Pekka Helenius
---
 .../bookstore/config/WebSecurityConfig.java | 106 +++++++++++++-----
 1 file changed, 77 insertions(+), 29 deletions(-)
diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
index c7cb40f..0990611 100644
--- a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
@@ -4,17 +4,20 @@ package com.fjordtek.bookstore.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import com.fjordtek.bookstore.service.session.BookStoreAccessDeniedHandler;
 import com.fjordtek.bookstore.service.session.UserDetailServiceImpl;
 /**
 *
+* @see https://docs.spring.io/spring-security/site/docs/current/reference/html5/#multiple-httpsecurity
 *
 * @author Pekka Helenius
 */
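Review bot: The added `@see https://docs.spring.io/...` line is not one of the forms Javadoc accepts for `@see` (a quoted string, an `<a href>` element, or a package/class/member reference), so the doclet reports a bad reference and the URL is not rendered as a link. Write it as `@see <a href="https://docs.spring.io/spring-security/site/docs/current/reference/html5/#multiple-httpsecurity">Multiple HttpSecurity</a>` so the reference resolves and the intent of the two nested configurations added later in this patch is documented at the class level. The two new imports are consistent with their use in the later hunks.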
@@ -30,13 +33,57 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 private UserDetailServiceImpl userDetailService;
 @Autowired
- private BookStoreAccessDeniedHandler bookStoreAccessDeniedHandler;
+ private static BookStoreAccessDeniedHandler bookStoreAccessDeniedHandler;
- @Override
- protected void configure(HttpSecurity httpSecurity) throws Exception {
- httpSecurity
- .authorizeRequests()
- .antMatchers(
+ @Autowired
+ public void configureGlobal(AuthenticationManagerBuilder authManagerBuilder)
+ throws Exception {
+ authManagerBuilder.userDetailsService(userDetailService);
+ }
+
+
+ /*
+ * Have different HTTP security policies for:
+ *
+ * 1) native REST API end points
+ * 2) web form authentication & authorization
+ *
+ */
+
+ @Configuration
+ @Order(1)
+ public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity httpSecurity) throws Exception {
+ httpSecurity
+ .antMatcher("/api/**")
+ .authorizeRequests(
+ authorize -> authorize
+ .anyRequest().hasAuthority("ADMIN")
+ )
+ .httpBasic()
+ .and()
+ .csrf().disable()
+ ;
+ }
+
+ }
+
+ @Configuration
+ @Order(2)
+ public static class WebFormWebSecurityConfig extends WebSecurityConfigurerAdapter {
+/*
+ @Override
+ public void configure(WebSecurity webSecurity) throws Exception {
+ webSecurity.ignoring().antMatchers("/foo/**");
+ }
+*/
+ @Override
+ protected void configure(HttpSecurity httpSecurity) throws Exception {
+ httpSecurity
+ .authorizeRequests()
+ .antMatchers(
 "/",
 "/booklist",
 "/error",
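Review bot: `@Autowired` on the new `private static BookStoreAccessDeniedHandler bookStoreAccessDeniedHandler` field is not honoured by Spring (static fields are skipped by the autowiring post-processor), so the field stays null and the `.accessDeniedHandler(bookStoreAccessDeniedHandler)` call in the next hunk appears to register nothing, with Spring Security silently falling back to its default denied handler. Inject it where it is used instead: a non-static `@Autowired private BookStoreAccessDeniedHandler bookStoreAccessDeniedHandler;` inside `WebFormWebSecurityConfig`, which as a static nested `@Configuration` class receives its own injection. Separately, `ApiWebSecurityConfig` disables CSRF but leaves session handling at its default, so a browser session established through the form chain presumably also authenticates cross-site requests to `/api/**`; adding `.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)` to the API chain keeps basic-auth requests from reading or creating the session, which is what makes the CSRF exemption defensible. The hunk header shows the outer `WebSecurityConfig` still extends `WebSecurityConfigurerAdapter` while no longer overriding `configure(HttpSecurity)`, which likely leaves a third default-ordered chain that the catch-all `WebFormWebSecurityConfig` never lets a request reach; dropping the `extends` would make the outer class's remaining role (the global `AuthenticationManagerBuilder` wiring) explicit. The commented-out `configure(WebSecurity)` block should be deleted rather than shipped.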
@@ -45,31 +92,32 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 "/js/**",
 "/images/**"
 ).permitAll()
- .antMatchers("/apiref/**").hasAuthority("ADMIN")
- .anyRequest()
- .authenticated()
- .and()
- .formLogin()
+ .antMatchers("/apiref/**").hasAuthority("ADMIN")
+ .anyRequest()
+ .authenticated()
+ .and()
+ .formLogin()
+ // TODO do not expose /login URI end point (prevent direct access)
 .defaultSuccessUrl("/booklist")
-// .loginPage("/login")
- .permitAll()
- .and()
- .logout()
- .logoutSuccessUrl("/booklist")
- .permitAll()
- .invalidateHttpSession(true)
- .and()
- .exceptionHandling()
- .accessDeniedHandler(bookStoreAccessDeniedHandler)
- .and()
- .csrf()
- ;
+// .loginPage("/booklist")
+// .permitAll()
+ .and()
+ .logout()
+ .logoutSuccessUrl("/booklist")
+ .permitAll()
+ .invalidateHttpSession(true)
+ .clearAuthentication(true)
+ .and()
+ .exceptionHandling()
+ .accessDeniedHandler(bookStoreAccessDeniedHandler)
+ .and()
+ .csrf()
+ .and()
+ .sessionManagement()
+ .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
+ ;
+ }
 }
- @Autowired
- public void configureGlobal(AuthenticationManagerBuilder authManagerBuilder)
- throws Exception {
- authManagerBuilder.userDetailsService(userDetailService);
- }
 }
\ No newline at end of file
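Review bot: The one behavioural change in this hunk is that `.permitAll()` after `.formLogin()` is now commented out, which is only safe while the default generated login page is in use (its page and processing filters run before authorization); the `// TODO do not expose /login URI end point` line should state that a custom `loginPage(...)` will need `.permitAll()` restored, or the line should simply be kept, since the TODO's goal is not achieved by removing it. The rest of the additions restate Spring Security defaults: `SessionCreationPolicy.IF_REQUIRED` is the default session policy and `.clearAuthentication(true)` the default for `logout()`, so either drop them or mark them, e.g. `// explicit defaults, kept for readability`, so a reader does not assume they tighten anything. The enclosing `WebFormWebSecurityConfig` class and its `configure` method start in the previous hunk.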