opa-java/src/main/java/org/openpodcastapi/opa/config/SecurityConfig.java at 222c30ce35d4210c1ffc2996c7c2dfab74a0fab2 · OpenPodcastAPI/opa-java · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
package org.openpodcastapi.opa.config;

import org.openpodcastapi.opa.auth.ApiBearerTokenAuthenticationConverter;
import org.openpodcastapi.opa.auth.JwtAuthenticationProvider;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/// Security configuration for the Spring application
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    private static final String[] PUBLIC_PAGES = {
            "/",
            "/login",
            "/logout-confirm",
            "/register",
            "/docs",
            "/docs/**",
            "/css/**",
            "/js/**",
            "/images/**",
            "/favicon.ico",
    };

    /// API-related security configuration
    ///
    /// @param http                      the security object to be configured
    /// @param jwtAuthenticationProvider the JWT provider used to handle JWT auth
    /// @param entryPoint                the entrypoint that commences the JWT auth
    /// @param deniedHandler             the handler that handles auth failures
    /// @param converter                 the bearer token converter that manages JWT validation
    /// @return the configured security object
    @Bean
    @Order(1)
    public SecurityFilterChain apiSecurity(
            HttpSecurity http,
            JwtAuthenticationProvider jwtAuthenticationProvider,
            AuthenticationEntryPoint entryPoint,
            AccessDeniedHandler deniedHandler,
            ApiBearerTokenAuthenticationConverter converter
    ) {

        final var jwtManager = new ProviderManager(jwtAuthenticationProvider);

        final var bearerFilter =
                new BearerTokenAuthenticationFilter(jwtManager, converter);

        bearerFilter.setAuthenticationFailureHandler(
                entryPoint::commence
        );

        http
                .securityMatcher("/api/**")
                .csrf(AbstractHttpConfigurer::disable)
                .formLogin(AbstractHttpConfigurer::disable)
                .logout(AbstractHttpConfigurer::disable)
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/api/auth/**").permitAll()
                        .anyRequest().authenticated()
                )
                .exceptionHandling(ex -> ex
                        .authenticationEntryPoint(entryPoint)
                        .accessDeniedHandler(deniedHandler)
                )
                .addFilterBefore(bearerFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

    /// Web-related security configuration
    ///
    /// @param http the security object to be configured
    /// @return the configured security object
    @Bean
    @Order(2)
    public SecurityFilterChain webSecurity(HttpSecurity http) {
        return http
                .csrf(csrf -> csrf
                        .ignoringRequestMatchers("/docs", "/docs/**")
                )
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.ALWAYS))
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers(PUBLIC_PAGES).permitAll()
                        .anyRequest().authenticated()
                )
                .formLogin(login -> login
                        .loginPage("/login")
                        .defaultSuccessUrl("/home", true)
                        .failureUrl("/login?error=true"))
                .logout(logout -> logout
                        .logoutUrl("/logout")
                        .logoutSuccessUrl("/")
                        .invalidateHttpSession(true)
                        .clearAuthentication(true)
                        .deleteCookies("JSESSIONID"))
                .build();
    }

    /// The default password encoder used for hashing and encoding user passwords and JWTs
    ///
    /// @return a configured password encoder
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /// An authentication provider for password-based authentication
    ///
    /// @param userDetailsService the service for loading user data
    /// @param passwordEncoder    the default password encoder
    /// @return the configured authentication provider
    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider(UserDetailsService userDetailsService,
                                                               BCryptPasswordEncoder passwordEncoder) {
        final var provider = new DaoAuthenticationProvider(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        return provider;
    }

    /// An authentication provider for JWT-based authentication
    ///
    /// @param provider a configured provider
    /// @return a configured manager that uses the JWT auth provider
    /// @see JwtAuthenticationProvider for provider details
    @Bean(name = "jwtAuthManager")
    public AuthenticationManager jwtAuthenticationManager(JwtAuthenticationProvider provider) {
        return new ProviderManager(provider);
    }

    /// An authentication provider for API POST login
    ///
    /// @param daoProvider a configured auth provider
    /// @return a configured manager that uses basic username/password auth
    @Bean(name = "apiLoginManager", defaultCandidate = false)
    public AuthenticationManager apiLoginAuthenticationManager(
            DaoAuthenticationProvider daoProvider) {
        return new ProviderManager(daoProvider);
    }
}