Spring security cleanup #3
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 10 commits
July 15, 2015 16:20
- csrf is enabled by default - logoutUrl is /logout by default - rememberMe support automatically removes the remember-me cookie - the logout success url is /login?logout by default - cleaned unused imports
This provides additional features that are useful. Also updated to EnableWebSecurity annotation since EnableWebMvcSecurity is deprecated in 4.0
This allows for using it with MockMvc testing
Some of the tests relied on HTTP Basic authentication. However, this was not enabled. The tests were verifying the status as 200, but that was actually the result of the login page which TestRestTemplate saw since it automatically followed the redirects. We also update the tests to use the HTTP Status code now. NOTE: Spring Security does content negotiation when both Form and HTTP Basic are enabled. It will perform HTTP Basic if it looks like a REST call (i.e. application/json). If it does not look like a REST call, then form log in will be used. The order matters for formLogin() and httpBasic() as it impacts which will be used (401 or redirect to log in page) in the event Spring Security cannot guess what to do.
- Demonstrate how nice MockMvc is - Demonstrates Spring Security integration See Javadoc of MockMvcWebSecurity Tests for the integration.
This is certainly a preference, but it makes the configuration a bit less verbose.
It is good (even in demos) to hash passwords. Here we has using BCrypt.
With HTTP Basic enabled, we don't need the LoginService. Any REST client (including JavaScript) can use HTTP Basic authentication. NOTE: By default Spring Security will return a 401 with out the WWW-Authenticate header to JavaScript clients. This is necessary since the browser will not allow JavaScript to handle a response with the WWW-Authenticate header. This is determined by detecting the precense of X-Requested-With header. Also of interest is that Spring Security can use the HttpServletRequest as a login service too. This means that the JavaEELoginService could also be used with Spring Security.
|
Thanks Rob! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I thought I would suggest some improvements to the Spring Security sample. I broke this up into a number of commits in case you only want some of the changes. Please let me know if you have any questions.