Spring security cleanup #3

Merged
merged 10 commits into from Nov 30, 2015


rwinch commented Jul 15, 2015

I thought I would suggest some improvements to the Spring Security sample. I broke this up into a number of commits in case you only want some of the changes. Please let me know if you have any questions.

rwinch added some commits Jul 15, 2015

Remove Unnecessary Clutter from WebSecurityConfig
- csrf is enabled by default
- logoutUrl is /logout by default
- rememberMe support automatically removes the remember-me cookie
- the logout success url is /login?logout by default
- cleaned unused imports

Update to Spring Security 4
This provides additional features that are useful.

Also updated to EnableWebSecurity annotation since EnableWebMvcSecurity
is deprecated in 4.0

Move index.html to templates so Spring Processes it
This allows for using it with MockMvc testing

Add HTTP Basic
Some of the tests relied on HTTP Basic authentication. However, this was
not enabled. The tests were verifying the status as 200, but that was
actually the result of the login page which TestRestTemplate saw since it
automatically followed the redirects.

We also update the tests to use the HTTP Status code now.

NOTE:

Spring Security does content negotiation when both Form and HTTP
Basic are enabled. It will perform HTTP Basic if it looks like a REST call
(i.e. application/json). If it does not look like a REST call, then form
log in will be used. The order matters for formLogin() and httpBasic() as
it impacts which will be used (401 or redirect to log in page) in the event
Spring Security cannot guess what to do.

Add MockMvc Test for Spring Security
- Demonstrate how nice MockMvc is
- Demonstrates Spring Security integration. See Javadoc of MockMvcWebSecurity
  Tests for the integration.

Use varargs permitAll()
This is certainly a preference, but it makes the configuration a bit
less verbose.

Use BCrypt for Passwords
It is good (even in demos) to hash passwords. Here we hash using
BCrypt.

Remove LoginService
With HTTP Basic enabled, we don't need the LoginService. Any REST client
(including JavaScript) can use HTTP Basic authentication.

NOTE: By default Spring Security will return a 401 without the
WWW-Authenticate header to JavaScript clients. This is necessary since
the browser will not allow JavaScript to handle a response with the
WWW-Authenticate header. This is determined by detecting the presence of
the X-Requested-With header.

Also of interest is that Spring Security can use the HttpServletRequest
as a login service too. This means that the JavaEELoginService could also
be used with Spring Security.
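As an added example (not code from this pull request or from the repository it was merged into), here is a WebSecurityConfig that applies the commits above together: the Spring Security 4 defaults left implicit, varargs permitAll(), formLogin() registered before httpBasic(), and BCrypt-hashed in-memory credentials. The package name, the permitted paths, and the user/password demo values are assumptions.

```java
// Added example, not the PR's code. Package, paths and credentials are assumed.
package demo.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity // EnableWebMvcSecurity is deprecated in Spring Security 4
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // varargs permitAll(): one call for every public path (paths are assumed)
                .antMatchers("/", "/login", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // formLogin() is registered first, so a request Spring Security cannot
            // classify as browser or REST is redirected to the login page; listing
            // httpBasic() first would make the fallback a 401 instead.
            .formLogin()
                .and()
            .httpBasic();
        // Not repeated here because they are the Spring Security 4 defaults:
        // csrf() enabled, logoutUrl("/logout"), logoutSuccessUrl("/login?logout"),
        // and remember-me cookie removal on logout.
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                // The stored value is a BCrypt hash, never the plaintext.
                // "user"/"password" are assumed demo values.
                .withUser("user")
                    .password(passwordEncoder().encode("password"))
                    .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // BCrypt: salted, adaptive work factor; a leaked in-memory or database
        // credential store then does not expose reusable plaintext passwords.
        return new BCryptPasswordEncoder();
    }
}
```

With formLogin() and httpBasic() both present, a browser request without a session is redirected to /login, a request with Accept: application/json gets a 401 with a WWW-Authenticate: Basic challenge, and a request carrying X-Requested-With: XMLHttpRequest gets a bare 401 so that browser-side JavaScript can handle it.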

mraible added a commit that referenced this pull request Nov 30, 2015

@mraible mraible merged commit 7cb3fef into mraible:master Nov 30, 2015

mraible commented Nov 30, 2015

Thanks Rob!
