/java-webapp-security-examples

Spring security cleanup #3

Merged
merged 10 commits into from Nov 30, 2015

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@rwinch @mraible
@rwinch
Contributor

rwinch commented Jul 15, 2015

I thought I would suggest some improvements to the Spring Security sample. I broke this up into a number of commits in case you only want some of the changes. Please let me know if you have any questions.

rwinch added some commits Jul 15, 2015

@rwinch
Ignore Eclipse Project Files
b0095e2
@rwinch
Remove Unnecessary Clutter from WebSecurityConfig 
- csrf is enabled by default
- logoutUrl is /logout by default
- rememberMe support automatically removes the remember-me cookie
- the logout success url is /login?logout by default
- cleaned unused imports
61fe624
@rwinch
Update to Spring Security 4 
This provides additional features that are useful.

Also updated to EnableWebSecurity annotation since EnableWebMvcSecurity
is deprecated in 4.0
59fd7f8
@rwinch
Expose CsrfToken via REST endpoint
e5fe463
@rwinch
Move index.html to templates so Spring Processes it 
This allows for using it with MockMvc testing
dd130ef
@rwinch
Add HTTP Basic 
Some of the tests relied on HTTP Basic authentication. However, this was
not enabled. The tests were verifying the status as 200, but that was
actually the result of the login page which TestRestTemplate saw since it
automatically followed the redirects.

We also update the tests to use the HTTP Status code now.

NOTE:

Spring Security does content negotiation when both Form and HTTP
Basic are enabled. It will perform HTTP Basic if it looks like a REST call
(i.e. application/json). If it does not look like a REST call, then form
log in will be used. The order matters for formLogin() and httpBasic() as
it impacts which will be used (401 or redirect to log in page) in the event
Spring Security cannot guess what to do.
d6846ee
@rwinch
Add MockMvc Test for Spring Security 
- Demonstrate how nice MockMvc is
- Demonstrates Spring Security integration See Javadoc of MockMvcWebSecurity
  Tests for the integration.
5357d7a
@rwinch
Use varags permitAll() 
This is certainly a preference, but it makes the configuration a bit
less verbose.
a0d95eb
@rwinch
Use BCrypt for Passwords 
It is good (even in demos) to hash passwords. Here we has using
BCrypt.
063db8e
@rwinch
Remove LoginService 
With HTTP Basic enabled, we don't need the LoginService. Any REST client
(including JavaScript) can use HTTP Basic authentication.

NOTE: By default Spring Security will return a 401 with out the
WWW-Authenticate header to JavaScript clients. This is necessary since
the browser will not allow JavaScript to handle a response with the
WWW-Authenticate header. This is determined by detecting the precense of
X-Requested-With header.

Also of interest is that Spring Security can use the HttpServletRequest
as a login service too. This means that the JavaEELoginService could also
be used with Spring Security.
a10a2fb

mraible added a commit that referenced this pull request Nov 30, 2015

@mraible
Merge pull request #3 from rwinch/spring-security-cleanup 
Spring security cleanup
7cb3fef

@mraible mraible merged commit 7cb3fef into mraible:master Nov 30, 2015

@mraible

This comment has been minimized.

Show comment
Hide comment
@mraible

mraible Nov 30, 2015

Owner

Thanks Rob!
Owner

mraible commented Nov 30, 2015

Thanks Rob!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment