
Spring security cleanup #3


Merged (10 commits), Nov 30, 2015
Conversation

@rwinch (Contributor) commented Jul 15, 2015

I thought I would suggest some improvements to the Spring Security sample. I broke this up into a number of commits in case you only want some of the changes. Please let me know if you have any questions.

Rob Winch added 10 commits July 15, 2015 16:20
- csrf is enabled by default
- logoutUrl is /logout by default
- rememberMe support automatically removes the remember-me cookie
- the logout success url is /login?logout by default
- cleaned unused imports
This provides additional features that are useful.

Also updated to EnableWebSecurity annotation since EnableWebMvcSecurity
is deprecated in 4.0
This allows for using it with MockMvc testing
Some of the tests relied on HTTP Basic authentication. However, this was
not enabled. The tests were verifying the status as 200, but that was
actually the result of the login page which TestRestTemplate saw since it
automatically followed the redirects.

We also update the tests to use the HTTP Status code now.

NOTE:

Spring Security does content negotiation when both Form and HTTP
Basic are enabled. It will perform HTTP Basic if it looks like a REST call
(i.e. application/json). If it does not look like a REST call, then form
log in will be used. The order matters for formLogin() and httpBasic() as
it impacts which will be used (401 or redirect to log in page) in the event
Spring Security cannot guess what to do.
- Demonstrate how nice MockMvc is
- Demonstrates Spring Security integration See Javadoc of MockMvcWebSecurity
  Tests for the integration.
This is certainly a preference, but it makes the configuration a bit
less verbose.
It is good (even in demos) to hash passwords. Here we hash using
BCrypt.
With HTTP Basic enabled, we don't need the LoginService. Any REST client
(including JavaScript) can use HTTP Basic authentication.

NOTE: By default Spring Security will return a 401 without the
WWW-Authenticate header to JavaScript clients. This is necessary since
the browser will not allow JavaScript to handle a response with the
WWW-Authenticate header. This is determined by detecting the presence of
the X-Requested-With header.

Also of interest is that Spring Security can use the HttpServletRequest
as a login service too. This means that the JavaEELoginService could also
be used with Spring Security.
mraible added a commit that referenced this pull request Nov 30, 2015
@mraible mraible merged commit 7cb3fef into mraible:master Nov 30, 2015
@mraible (Owner) commented Nov 30, 2015

Thanks Rob!
