
SEC-2444: Convert Java Config samples to thymeleaf and tiles

1 parent 0d12397 commit 4708287ad352893ef935094518ff21e3b296581b @rwinch rwinch committed Dec 12, 2013
Showing with 416 additions and 81,271 deletions.
  1. +1 −0 .gitignore
  2. +1 −0 build.gradle
  3. +0 −2 docs/guides/src/asciidoc/_hello-includes/secure-the-application.asc
  4. +25 −42 docs/guides/src/asciidoc/form.asc
  5. +15 −43 docs/guides/src/asciidoc/hellomvc.asc
  6. +1 −0 gradle/javaprojects.gradle
  7. +8 −1 ...in/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java
  8. +2 −14 samples/concurrency-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
  9. +0 −5 samples/concurrency-jc/src/main/webapp/WEB-INF/decorators.xml
  10. +0 −138 samples/concurrency-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  11. +0 −39 samples/concurrency-jc/src/main/webapp/WEB-INF/views/login.jspx
  12. +0 −26 samples/concurrency-jc/src/main/webapp/WEB-INF/views/messages/compose.jspx
  13. +0 −40 samples/concurrency-jc/src/main/webapp/WEB-INF/views/messages/inbox.jspx
  14. +0 −24 samples/concurrency-jc/src/main/webapp/WEB-INF/views/messages/show.jspx
  15. +0 −1 ...in/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java
  16. +27 −0 samples/form-jc/src/main/resources/views/login.html
  17. +0 −5 samples/form-jc/src/main/webapp/WEB-INF/decorators.xml
  18. +0 −138 samples/form-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  19. +0 −1,092 samples/form-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  20. +0 −6,039 samples/form-jc/src/main/webapp/resources/css/bootstrap.css
  21. +0 −2 ...in/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java
  22. 0 samples/hellojs-jc/src/main/{webapp → resources}/resources/js/bootstrap.js
  23. 0 samples/hellojs-jc/src/main/{webapp → resources}/resources/js/jquery-1.8.3.js
  24. 0 samples/hellojs-jc/src/main/{webapp → resources}/resources/js/knockout-2.3.0.js
  25. 0 samples/hellojs-jc/src/main/{webapp → resources}/resources/js/message.js
  26. +0 −5 samples/hellojs-jc/src/main/webapp/WEB-INF/decorators.xml
  27. +0 −149 samples/hellojs-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  28. +0 −184 samples/hellojs-jc/src/main/webapp/WEB-INF/views/messages/inbox.jspx
  29. +0 −1,092 samples/hellojs-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  30. +0 −6,039 samples/hellojs-jc/src/main/webapp/resources/css/bootstrap.css
  31. BIN samples/hellojs-jc/src/main/webapp/resources/img/favicon.ico
  32. BIN samples/hellojs-jc/src/main/webapp/resources/img/logo.png
  33. +0 −5 samples/hellomvc-jc/src/main/webapp/WEB-INF/decorators.xml
  34. +0 −138 samples/hellomvc-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  35. +0 −26 samples/hellomvc-jc/src/main/webapp/WEB-INF/views/messages/compose.jspx
  36. +0 −40 samples/hellomvc-jc/src/main/webapp/WEB-INF/views/messages/inbox.jspx
  37. +0 −24 samples/hellomvc-jc/src/main/webapp/WEB-INF/views/messages/show.jspx
  38. +0 −1,092 samples/hellomvc-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  39. +0 −6,039 samples/hellomvc-jc/src/main/webapp/resources/css/bootstrap.css
  40. BIN samples/hellomvc-jc/src/main/webapp/resources/img/favicon.ico
  41. BIN samples/hellomvc-jc/src/main/webapp/resources/img/logo.png
  42. +3 −15 samples/inmemory-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
  43. +0 −5 samples/inmemory-jc/src/main/webapp/WEB-INF/decorators.xml
  44. +0 −138 samples/inmemory-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  45. +0 −39 samples/inmemory-jc/src/main/webapp/WEB-INF/views/login.jspx
  46. +0 −26 samples/inmemory-jc/src/main/webapp/WEB-INF/views/messages/compose.jspx
  47. +0 −40 samples/inmemory-jc/src/main/webapp/WEB-INF/views/messages/inbox.jspx
  48. +0 −24 samples/inmemory-jc/src/main/webapp/WEB-INF/views/messages/show.jspx
  49. +0 −1,092 samples/inmemory-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  50. +0 −6,039 samples/inmemory-jc/src/main/webapp/resources/css/bootstrap.css
  51. BIN samples/inmemory-jc/src/main/webapp/resources/img/favicon.ico
  52. BIN samples/inmemory-jc/src/main/webapp/resources/img/logo.png
  53. +0 −1,092 samples/insecuremvc/src/main/webapp/resources/css/bootstrap-responsive.css
  54. +0 −6,039 samples/insecuremvc/src/main/webapp/resources/css/bootstrap.css
  55. BIN samples/insecuremvc/src/main/webapp/resources/img/favicon.ico
  56. BIN samples/insecuremvc/src/main/webapp/resources/img/logo.png
  57. +1 −14 samples/jdbc-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
  58. +0 −5 samples/jdbc-jc/src/main/webapp/WEB-INF/decorators.xml
  59. +0 −138 samples/jdbc-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  60. +0 −39 samples/jdbc-jc/src/main/webapp/WEB-INF/views/login.jspx
  61. +0 −26 samples/jdbc-jc/src/main/webapp/WEB-INF/views/messages/compose.jspx
  62. +0 −40 samples/jdbc-jc/src/main/webapp/WEB-INF/views/messages/inbox.jspx
  63. +0 −24 samples/jdbc-jc/src/main/webapp/WEB-INF/views/messages/show.jspx
  64. +0 −1,092 samples/jdbc-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  65. +0 −6,039 samples/jdbc-jc/src/main/webapp/resources/css/bootstrap.css
  66. BIN samples/jdbc-jc/src/main/webapp/resources/img/favicon.ico
  67. BIN samples/jdbc-jc/src/main/webapp/resources/img/logo.png
  68. +1 −14 samples/ldap-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
  69. +0 −5 samples/ldap-jc/src/main/webapp/WEB-INF/decorators.xml
  70. +0 −138 samples/ldap-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  71. +0 −39 samples/ldap-jc/src/main/webapp/WEB-INF/views/login.jspx
  72. +0 −26 samples/ldap-jc/src/main/webapp/WEB-INF/views/messages/compose.jspx
  73. +0 −40 samples/ldap-jc/src/main/webapp/WEB-INF/views/messages/inbox.jspx
  74. +0 −24 samples/ldap-jc/src/main/webapp/WEB-INF/views/messages/show.jspx
  75. +0 −1,092 samples/ldap-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  76. +0 −6,039 samples/ldap-jc/src/main/webapp/resources/css/bootstrap.css
  77. BIN samples/ldap-jc/src/main/webapp/resources/img/favicon.ico
  78. BIN samples/ldap-jc/src/main/webapp/resources/img/logo.png
  79. +3 −2 samples/messages-jc/build.gradle
  80. +12 −6 samples/messages-jc/pom.xml
  81. +2 −5 ...c/src/main/java/org/springframework/security/samples/config/MessageWebApplicationInitializer.java
  82. +7 −0 samples/messages-jc/src/main/java/org/springframework/security/samples/mvc/MessageController.java
  83. +35 −6 ...essages-jc/src/main/java/org/springframework/security/samples/mvc/config/WebMvcConfiguration.java
  84. 0 ...rency-jc/src/main/webapp → messages-jc/src/main/resources}/resources/css/bootstrap-responsive.css
  85. 0 ...les/{concurrency-jc/src/main/webapp → messages-jc/src/main/resources}/resources/css/bootstrap.css
  86. BIN samples/{concurrency-jc/src/main/webapp → messages-jc/src/main/resources}/resources/img/favicon.ico
  87. BIN samples/{concurrency-jc/src/main/webapp → messages-jc/src/main/resources}/resources/img/logo.png
  88. +57 −0 samples/messages-jc/src/main/resources/tiles/tiles-def.xml
  89. +122 −0 samples/messages-jc/src/main/resources/views/layout.html
  90. +40 −0 samples/messages-jc/src/main/resources/views/messages/compose.html
  91. +29 −0 samples/messages-jc/src/main/resources/views/messages/inbox.html
  92. +20 −0 samples/messages-jc/src/main/resources/views/messages/show.html
  93. +1 −1 samples/openid-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
  94. 0 samples/openid-jc/src/main/{webapp → resources}/resources/css/openid.css
  95. BIN samples/{form-jc/src/main/webapp → openid-jc/src/main/resources}/resources/img/favicon.ico
  96. BIN samples/{form-jc/src/main/webapp → openid-jc/src/main/resources}/resources/img/logo.png
  97. 0 samples/openid-jc/src/main/{webapp → resources}/resources/js/jquery-1.2.6.min.js
  98. 0 samples/openid-jc/src/main/{webapp → resources}/resources/js/openid-client/jquery.query-2.1.3.js
  99. 0 samples/openid-jc/src/main/{webapp → resources}/resources/js/openid-client/openid-client-config.js
  100. 0 samples/openid-jc/src/main/{webapp → resources}/resources/js/openid-client/openid-client.js
  101. 0 samples/openid-jc/src/main/{webapp → resources}/resources/js/openid-jquery.js
  102. 0 samples/openid-jc/src/main/{webapp/WEB-INF → resources}/views/user/show.jspx
  103. +0 −5 samples/openid-jc/src/main/webapp/WEB-INF/decorators.xml
  104. +0 −138 samples/openid-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  105. +0 −68 samples/openid-jc/src/main/webapp/WEB-INF/views/login.jspx
  106. +0 −26 samples/openid-jc/src/main/webapp/WEB-INF/views/messages/compose.jspx
  107. +0 −40 samples/openid-jc/src/main/webapp/WEB-INF/views/messages/inbox.jspx
  108. +0 −24 samples/openid-jc/src/main/webapp/WEB-INF/views/messages/show.jspx
  109. +0 −1,092 samples/openid-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  110. +0 −6,039 samples/openid-jc/src/main/webapp/resources/css/bootstrap.css
  111. BIN samples/openid-jc/src/main/webapp/resources/img/aol.gif
  112. BIN samples/openid-jc/src/main/webapp/resources/img/blogger.ico
  113. BIN samples/openid-jc/src/main/webapp/resources/img/claimid.ico
  114. BIN samples/openid-jc/src/main/webapp/resources/img/facebook.gif
  115. BIN samples/openid-jc/src/main/webapp/resources/img/favicon.ico
  116. BIN samples/openid-jc/src/main/webapp/resources/img/flickr.ico
  117. BIN samples/openid-jc/src/main/webapp/resources/img/google.gif
  118. BIN samples/openid-jc/src/main/webapp/resources/img/livejournal.ico
  119. BIN samples/openid-jc/src/main/webapp/resources/img/logo.png
  120. BIN samples/openid-jc/src/main/webapp/resources/img/myopenid.ico
  121. BIN samples/openid-jc/src/main/webapp/resources/img/openid-inputicon.gif
  122. BIN samples/openid-jc/src/main/webapp/resources/img/openid.gif
  123. BIN samples/openid-jc/src/main/webapp/resources/img/technorati.ico
  124. BIN samples/openid-jc/src/main/webapp/resources/img/verisign.gif
  125. BIN samples/openid-jc/src/main/webapp/resources/img/verisign.ico
  126. BIN samples/openid-jc/src/main/webapp/resources/img/vidoop.ico
  127. BIN samples/openid-jc/src/main/webapp/resources/img/wordpress.ico
  128. BIN samples/openid-jc/src/main/webapp/resources/img/yahoo.gif
  129. +0 −5 samples/preauth-jc/src/main/webapp/WEB-INF/decorators.xml
  130. +0 −138 samples/preauth-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  131. +0 −36 samples/preauth-jc/src/main/webapp/WEB-INF/views/login.jspx
  132. +0 −26 samples/preauth-jc/src/main/webapp/WEB-INF/views/messages/compose.jspx
  133. +0 −40 samples/preauth-jc/src/main/webapp/WEB-INF/views/messages/inbox.jspx
  134. +0 −24 samples/preauth-jc/src/main/webapp/WEB-INF/views/messages/show.jspx
  135. +0 −1,092 samples/preauth-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  136. +0 −6,039 samples/preauth-jc/src/main/webapp/resources/css/bootstrap.css
  137. BIN samples/preauth-jc/src/main/webapp/resources/img/favicon.ico
  138. BIN samples/preauth-jc/src/main/webapp/resources/img/logo.png
  139. +0 −5 samples/rememberme-jc/src/main/webapp/WEB-INF/decorators.xml
  140. +0 −138 samples/rememberme-jc/src/main/webapp/WEB-INF/decorators/main.jsp
  141. +0 −41 samples/rememberme-jc/src/main/webapp/WEB-INF/views/login.jspx
  142. +0 −26 samples/rememberme-jc/src/main/webapp/WEB-INF/views/messages/compose.jspx
  143. +0 −40 samples/rememberme-jc/src/main/webapp/WEB-INF/views/messages/inbox.jspx
  144. +0 −24 samples/rememberme-jc/src/main/webapp/WEB-INF/views/messages/show.jspx
  145. +0 −1,092 samples/rememberme-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  146. +0 −6,039 samples/rememberme-jc/src/main/webapp/resources/css/bootstrap.css
  147. BIN samples/rememberme-jc/src/main/webapp/resources/img/favicon.ico
  148. BIN samples/rememberme-jc/src/main/webapp/resources/img/logo.png
  149. +3 −15 samples/x509-jc/src/etc/server.xml
  150. +0 −1 samples/x509-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
  151. +0 −1,092 samples/x509-jc/src/main/webapp/resources/css/bootstrap-responsive.css
  152. +0 −6,039 samples/x509-jc/src/main/webapp/resources/css/bootstrap.css
  153. BIN samples/x509-jc/src/main/webapp/resources/img/favicon.ico
  154. BIN samples/x509-jc/src/main/webapp/resources/img/logo.png
@@ -19,3 +19,4 @@ build/
*.iws
.gradle/
atlassian-ide-plugin.xml
+/samples
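Review bot: Adding `/samples` to the root .gitignore hides every new, untracked file under the tracked `samples/` tree from `git status` and `git add`, which sits oddly next to the new `src/main/resources/views/*.html` files this same commit introduces under that directory. If the pattern is meant for a generated or copied artifact, a narrower path naming that artifact would avoid silently dropping future sample changes. I may be missing the motivation, so treat this as a question rather than a defect.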
@@ -31,6 +31,7 @@ allprojects {
group = 'org.springframework.security'
repositories {
+ mavenCentral()
maven { url "http://repo.springsource.org/plugins-release" }
maven { url "http://repo.terracotta.org/maven2/" }
}
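Review bot: The two repositories that follow the added `mavenCentral()` are declared with plain `http://` URLs on the context lines, so any artifact that falls through to them is resolved without transport integrity and can be substituted in transit. That predates this commit, but since the repository list is being edited here it is a cheap moment to switch them, e.g. `maven { url "https://repo.springsource.org/plugins-release" }`, if those hosts serve over TLS. Listing `mavenCentral()` first also means Central is consulted before the SpringSource and Terracotta repositories for every dependency, which is the ordering you want; a one-line comment saying that is deliberate would keep a later edit from reshuffling it. The enclosing `allprojects` block continues outside this hunk.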
@@ -50,8 +50,6 @@ The next step is to create a Spring Security configuration.
----
package org.springframework.security.samples.config;
-import org.springframework.beans.factory.annotation.Autowired;
-
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.authentication.builders.*;
import org.springframework.security.config.annotation.web.configuration.*;
@@ -150,65 +150,48 @@ public class WebMvcConfiguration extends WebMvcConfigurerAdapter {
registry.addViewController("/login").setViewName("login");
registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
}
-
- @Bean
- public InternalResourceViewResolver jspxViewResolver() {
- InternalResourceViewResolver result = new InternalResourceViewResolver();
- result.setPrefix("/WEB-INF/views/");
- result.setSuffix(".jspx");
- return result;
- }
}
----
== Creating a login view
-Our existing configuration means that all we need to do is create a *login.jspx* file with the following contents:
+Our existing configuration means that all we need to do is create a *login.html* file with the following contents:
-.src/main/webapp/WEB-INF/views/login.jspx
+.src/main/resources/views/login.html
[source,xml]
----
-<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
- xmlns:spring="http://www.springframework.org/tags"
- xmlns:c="http://java.sun.com/jsp/jstl/core"
- xmlns:form="http://www.springframework.org/tags/form" version="2.0">
- <jsp:directive.page language="java" contentType="text/html" />
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
-<head>
-<title>Please Login</title>
-</head>
-<body>
- <c:url value="/login" var="loginUrl"/>
- <form:form name="f" action="${loginUrl}" method="post"> <1>
- <fieldset>
- <legend>Please Login</legend>
- <c:if test="${param.error != null}"> <2>
- <div class="alert alert-error">
+<html xmlns:th="http://www.thymeleaf.org" xmlns:tiles="http://www.thymeleaf.org">
+ <head>
+ <title tiles:fragment="title">Messages : Create</title>
+ </head>
+ <body>
+ <div tiles:fragment="content">
+ <form name="f" th:action="@{/login}" method="post"> <1>
+ <fieldset>
+ <legend>Please Login</legend>
+ <div th:if="${param.error}" class="alert alert-error"> <2>
Invalid username and password.
</div>
- </c:if>
- <c:if test="${param.logout != null}"> <3>
- <div class="alert alert-success">
+ <div th:if="${param.logout}" class="alert alert-success"> <3>
You have been logged out.
</div>
- </c:if>
- <label for="username">Username</label>
- <input type="text" id="username" name="username"/> <4>
- <label for="password">Password</label>
- <input type="password" id="password" name="password"/> <5>
- <div class="form-actions">
- <button type="submit" class="btn">Log in</button>
- </div>
- </fieldset>
- </form:form>
-</body>
+ <label for="username">Username</label>
+ <input type="text" id="username" name="username"/> <4>
+ <label for="password">Password</label>
+ <input type="password" id="password" name="password"/> <5>
+ <div class="form-actions">
+ <button type="submit" class="btn">Log in</button>
+ </div>
+ </fieldset>
+ </form>
+ </div>
+ </body>
</html>
-</jsp:root>
----
<1> The URL we submit our username and password to is the same URL as our login form (i.e. */login*), but a *POST* instead of a *GET*.
<2> When authentication fails, the browser is redirected to */login?error* so we can display an error message by detecting if the parameter *error* is non-null.
-<3> When we are successfully loged out, the browser is redirected to */login?logout* so we can display an logout success message by detecting if the parameter *logout* is non-null.
+<3> When we are successfully logged out, the browser is redirected to */login?logout* so we can display an logout success message by detecting if the parameter *logout* is non-null.
<4> The username should be present on the HTTP parameter username
<5> The password should be present on the HTTP parameter password
@@ -34,16 +34,14 @@ We have created the Spring Security configuration, but we still need to register
----
package org.springframework.security.samples.config;
-import org.springframework.core.annotation.*;
import org.springframework.security.web.context.*;
-@Order(2)
public class MessageSecurityWebApplicationInitializer
extends AbstractSecurityWebApplicationInitializer {
}
----
-The `MessageSecurityWebApplicationInitializer` will automatically register the springSecurityFilterChain Filter for every URL in your application. We add `@Order(2)` so the springSecurityFilterChain is inserted before our Sitemesh Filter declared in <<message-web-application-inititializer-java, MessageWebApplicationInitializer.java>>
+The `MessageSecurityWebApplicationInitializer` will automatically register the springSecurityFilterChain Filter for every URL in your application. If Filters are added within other `WebApplicationInitializer` instances we can use `@Order` to control the ordering of the Filter instances.
=== Verify SecurityConfig is loaded
@@ -53,7 +51,6 @@ Just because <<security-config-java,SecurityConfig>> exists, does not mean that
.MessageWebApplicationInitializer.java
[source,java]
----
-@Order(1)
public class MessageWebApplicationInitializer extends
AbstractAnnotationConfigDispatcherServletInitializer {
@@ -86,64 +83,39 @@ include::{hello-include-dir}/exploring-the-secured-application.asc[]
==== Displaying the user name
-Now that we have authenticated, let's update the application to display the username if the user is authenticated. Update main.jsp to contain the following snippet:
+Now that we have authenticated, let's see how our application is displaying the username if the user is authenticated.
-.src/main/webapp/WEB-INF/decorators/main.jsp
+.messages-jc/src/main/resources/views/layout.html
[source,html]
-[subs="verbatim,quotes"]
----
-<div class="nav-collapse collapse">
- *<c:if test="${pageContext.request.remoteUser != null}">
- <p class="navbar-text pull-right">
- <c:out value="${pageContext.request.remoteUser}"/>
+<div th:if="${#httpServletRequest.remoteUser != null}">
+ <p th:text="${#httpServletRequest.remoteUser}">
+ sample_user
</p>
- </c:if>*
- <ul class="nav">
- <c:url var="inboxUrl" value="/"/>
- <li><a href="${inboxUrl}">Inbox</a></li>
- <c:url var="composeUrl" value="/?form"/>
- <li><a href="${composeUrl}">Compose</a></li>
- </ul>
</div>
----
-WARNING: The `<c:out />` tag ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
+In our samples we use http://www.thymeleaf.org/[Thymeleaf], but any view technology will work. The point is to check the HttpServletRequest#getRemoteUser() method for the current user. This works because Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>. Specifically, it is integrating with `HttpServletRequest#getRemoteUser()`.
-Refresh the page at http://localhost:8080/sample/ and you will see the user name displayed. This works because Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>. Specifically, it is integrating with `HttpServletRequest#getRemoteUser()`.
+WARNING: The Thymeleaf ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
==== Logging out
-Now that we can view the user name, let's update the application to allow logging out. Update the body of index.jsp to contain a log out link as shown below:
+We can view the user name, but how are we able to log out? Below you can see how we are able to log out.
-.src/main/webapp/index.jsp
+.messages-jc/src/main/resources/views/layout.html
[source,html]
-[subs="verbatim,quotes"]
----
-<div class="nav-collapse collapse">
- <c:if test="${pageContext.request.remoteUser != null}">
- *<c:url var="logoutUrl" value="/logout"/>
- <form:form class="navbar-form pull-right" action="${logoutUrl}" method="post">
- <input type="submit" value="Log out" />
- </form:form>*
-
- <p class="navbar-text pull-right">
- <c:out value="${pageContext.request.remoteUser}"/>
- </p>
- </c:if>
- <ul class="nav">
- <c:url var="inboxUrl" value="/"/>
- <li><a href="${inboxUrl}">Inbox</a></li>
- <c:url var="composeUrl" value="/?form"/>
- <li><a href="${composeUrl}">Compose</a></li>
- </ul>
-</div>
+<form th:action="@{/logout}" method="post">
+ <input type="submit" value="Log out" />
+</form>
----
In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
* the HTTP method must be a POST
-* the CSRF token must be added to the request. Since we are using Spring MVC, the CSRF token is automatically added as a hidden input for you (view the source to see it). If you were not using Spring MVC, you can access the CsrfToken on the ServletRequest using the attribute _csrf
+* the CSRF token must be added to the request. Since we are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it). If you were not using Spring MVC or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf
-Refresh the page at http://localhost:8080/sample/ and you will see the log out button. Click the button and see that the application logs you out successfully.
+Click the button and see that the application logs you out successfully.
== Conclusion
@@ -27,6 +27,7 @@ ext.seleniumVersion = '2.33.0'
ext.groovyVersion = '2.0.5'
ext.spockVersion = '0.7-groovy-2.0'
ext.gebVersion = '0.9.0'
+ext.thymeleafVersion = '2.1.2.RELEASE'
ext.powerMockDependencies = [
"org.powermock:powermock-core:$powerMockVersion",
@@ -16,11 +16,18 @@
package org.springframework.security.samples.config;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
/**
- * No customizations of {@link AbstractSecurityWebApplicationInitializer} are necessary.
+ * We customize {@link AbstractSecurityWebApplicationInitializer} to enable the
+ * {@link HttpSessionEventPublisher}.
*
* @author Rob Winch
*/
public class MessageSecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
+
+ @Override
+ protected boolean enableHttpSessionEventPublisher() {
+ return true;
+ }
}
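Review bot: The new `enableHttpSessionEventPublisher()` override carries no comment explaining why it returns `true`, and the updated class Javadoc only says that it enables the publisher, not what depends on it. This sample's `SecurityConfig` (changed in the same commit) configures `.sessionManagement().maximumSessions(1)`, and the session registry behind that limit only learns about sessions that expire or are invalidated at the container level through the events `HttpSessionEventPublisher` publishes; without it the registry can keep counting sessions that no longer exist. A short comment above the `@Override`, such as `// Needed by maximumSessions(1): the SessionRegistry is told about container-level session destruction only via HttpSessionEventPublisher.`, would make that dependency explicit for readers of the sample.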
@@ -5,41 +5,29 @@
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
- @Override
- public void configure(WebSecurity web) throws Exception {
- web
- .ignoring()
- .antMatchers("/resources/**");
- }
-
@Autowired
public void registerGlobalAuthentication(
AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
- .withUser("user").password("password").roles("USER").and()
- .withUser("admin").password("password").roles("USER", "ADMIN");
+ .withUser("user").password("password").roles("USER");
}
@Override
protected void configure(
HttpSecurity http) throws Exception {
http
.authorizeRequests()
- .antMatchers("/users**","/sessions/**").hasRole("ADMIN")
- .antMatchers("/resources/**","/signup").permitAll()
- .anyRequest().hasRole("USER")
+ .anyRequest().authenticated()
.and()
.formLogin()
- .permitAll()
.and()
.sessionManagement()
.maximumSessions(1)
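Review bot: Removing both `web.ignoring().antMatchers("/resources/**")` and the `.antMatchers("/resources/**","/signup").permitAll()` rule while tightening to `.anyRequest().authenticated()` puts static assets behind authentication, so if this sample's login page loads CSS or JS from `/resources/**` those requests are rejected before the user can sign in. If the intent is to rely on the default generated login page, which has no external assets, this is fine; otherwise `.antMatchers("/resources/**").permitAll()` should be restored ahead of `.anyRequest()`. Likewise, dropping `.permitAll()` from `.formLogin()` is only safe for the default login page; a custom `loginPage(...)` would need it back so the page and its failure URL stay reachable anonymously. The `configure(HttpSecurity)` method continues past the end of this hunk, so I cannot see whether a custom login page is set.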
@@ -1,5 +0,0 @@
-<decorators defaultdir="/WEB-INF/decorators">
- <decorator name="main" page="main.jsp">
- <pattern>/*</pattern>
- </decorator>
-</decorators>