diff --git a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/HttpSecurityAmender.java b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/HttpSecurityAmender.java
index 6f89a949f59e820533a01b209de9e003283307dd..4ca350f213b735a092e17114b761526e6fa26bef 100644
--- a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/HttpSecurityAmender.java
+++ b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/HttpSecurityAmender.java
@@ -10,15 +10,21 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
* Callback interface provided to allow downstream projects to inject changes to the {@link HttpSecurity}
* provided by {@link WebSecurityConfigurerAdapter} AT THE RIGHT TIME, before it is closed off to change.
*
- * Both *WebSecurityConfiguration classes in the local and preauth packages depend on this interface and
- * call it at the end of {@link WebSecurityConfigurerAdapter#configure(HttpSecurity)}.
+ * {@link UWSpringSecurityWebConfigurerAdapter} depends on this interface and
+ * will invoke all implementing instances it at the end of {@link WebSecurityConfigurerAdapter#configure(HttpSecurity)}.
*
* @author Nicholas Blair
*/
public interface HttpSecurityAmender {
/**
- * Amend the {@link HttpSecurity} how you see fit.
+ * Amend the {@link HttpSecurity} how you see fit. Typically used when NOT using {@link EverythingRequiresAuthenticationConfiguration}.
+ *
+ * Some use cases:
+ * <ul>
+ * <li>Specifying authentication or authorization rules for specific URLs within your application.</li>
+ * <li>Internally by local-users and preauth to inject the appropriate spring security services.</li>
+ * </ul>
*
* @param httpSecurity
* @throws Exception
diff --git a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/UWSpringSecurityConfiguration.java b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/UWSpringSecurityConfiguration.java
index 6a1898e2d4922d09d8b036ad512d9b6c3a6f2eae..39b114212c7ea318ba9f741879d363a7193e4758 100644
--- a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/UWSpringSecurityConfiguration.java
+++ b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/UWSpringSecurityConfiguration.java
@@ -3,8 +3,10 @@
*/
package edu.wisc.uwss.configuration;
+import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
/**
* Root {@link Configuration} class that consuming applications should reference in their ApplicationInitizalizers.
@@ -18,6 +20,7 @@ import org.springframework.context.annotation.Configuration;
@ComponentScan(basePackages={
"edu.wisc.uwss.configuration.local",
"edu.wisc.uwss.configuration.preauth" })
+@Import(UWSpringSecurityWebConfigurerAdapter.class)
public class UWSpringSecurityConfiguration {
}
diff --git a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/UWSpringSecurityWebConfigurerAdapter.java b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/UWSpringSecurityWebConfigurerAdapter.java
new file mode 100644
index 0000000000000000000000000000000000000000..2e6c00d58cdbdc74faa1aea1c243836975291de7
--- /dev/null
+++ b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/UWSpringSecurityWebConfigurerAdapter.java
@@ -0,0 +1,41 @@
+package edu.wisc.uwss.configuration;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * There can be only one {@link WebSecurityConfigurerAdapter}.
+ *
+ * @author Nicholas Blair
+ */
+@Configuration
+@EnableWebSecurity
+public class UWSpringSecurityWebConfigurerAdapter extends WebSecurityConfigurerAdapter {
+
+ protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+ @Autowired(required=false)
+ List<HttpSecurityAmender> amenders = new ArrayList<>();
+
+ /**
+ * {@inheritDoc}
+ *
+ * Fires {@link HttpSecurityAmender#amend(HttpSecurity)} on all instances registered in the
+ * ApplicationContext.
+ */
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ logger.debug("configuring {} HttpSecurityAmenders", amenders.size());
+ for(HttpSecurityAmender amender: amenders) {
+ amender.amend(http);
+ logger.debug("configured HttpSecurityAmender {}", amender.toString());
+ }
+ }
+}
diff --git a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/development/SimulatePreAuthenticationHttpSecurityAmender.java b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/development/SimulatePreAuthenticationHttpSecurityAmender.java
new file mode 100644
index 0000000000000000000000000000000000000000..903d6079ee57d9c87a6b28c3f98dd84d80374dd0
--- /dev/null
+++ b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/development/SimulatePreAuthenticationHttpSecurityAmender.java
@@ -0,0 +1,45 @@
+package edu.wisc.uwss.configuration.development;
+
+import com.github.nblair.web.PreAuthenticationSimulationServletFilter;
+
+
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+
+import javax.servlet.Filter;
+
+import edu.wisc.uwss.configuration.HttpSecurityAmender;
+
+/**
+ * {@link HttpSecurityAmender} useful for development environments.
+ *
+ * @see PreAuthenticationSimulationServletFilter
+ * @author Nicholas Blair
+ */
+public class SimulatePreAuthenticationHttpSecurityAmender implements HttpSecurityAmender{
+
+ private final Filter preAuthenticationSimulationServletFilter;
+
+ /**
+ * @param preAuthenticationSimulationServletFilter
+ */
+ public SimulatePreAuthenticationHttpSecurityAmender(Filter preAuthenticationSimulationServletFilter) {
+ this.preAuthenticationSimulationServletFilter = preAuthenticationSimulationServletFilter;
+ }
+
+ /**
+ * {@inheritDoc}
+ *
+ * Injects the {@link PreAuthenticationSimulationServletFilter} into the filterchain in the
+ * correct spot, so that the HttpServletRequest attributes it provides are available when the
+ * preauthentication filter tries to read them.
+ *
+ * @param http
+ * @throws Exception
+ */
+ @Override
+ public void amend(HttpSecurity http) throws Exception {
+ http.addFilterBefore(preAuthenticationSimulationServletFilter, SecurityContextPersistenceFilter.class);
+ }
+
+}
diff --git a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/local/LocalUsersWebSecurityConfiguration.java b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/local/LocalUsersWebSecurityConfiguration.java
index 14f8b3e4e50c090e9f4a23337c645647437eb7e2..cb93405f33d44e3830bffd66bb4cd295e9fa5030 100644
--- a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/local/LocalUsersWebSecurityConfiguration.java
+++ b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/local/LocalUsersWebSecurityConfiguration.java
@@ -13,7 +13,6 @@ import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import edu.wisc.uwss.configuration.HttpSecurityAmender;
@@ -28,35 +27,33 @@ import edu.wisc.uwss.configuration.combined.CombinedAuthentication;
@EnableWebSecurity
@Profile("local-users")
@Order(CombinedAuthentication.LOCAL_USERS_WEB_SECURITY_CONFIGURATION_ORDER)
-public class LocalUsersWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class LocalUsersWebSecurityConfiguration {
protected final Logger logger = LoggerFactory.getLogger(this.getClass());
-
- @Autowired(required=false)
- private HttpSecurityAmender amender = new HttpSecurityAmender.Default();
+
/**
- * {@inheritDoc}
- *
- * Enables {@link HttpSecurity#formLogin()} and {@link HttpSecurity#httpBasic()} for demo users.
+ *
+ * @return an {@link HttpSecurityAmender} that sets up formLogin and HTTP Basic
*/
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- logger.debug("enter WebSecurityConfigurerAdapter#configure for local-users");
- http
- .formLogin()
- .and()
- .httpBasic()
- .and()
- .logout()
- .invalidateHttpSession(true);
-
- // CSRF protection is disabled, as without it /logout requires POST
- http
- .csrf().disable();
-
- amender.amend(http);
- }
+ @Bean
+ public HttpSecurityAmender localUsersHttpSecurityAmender() {
+ return new HttpSecurityAmender() {
+ @Override
+ public void amend(HttpSecurity http) throws Exception {
+ http
+ .formLogin()
+ .and()
+ .httpBasic()
+ .and()
+ .logout()
+ .invalidateHttpSession(true);
+ // CSRF protection is disabled, as without it /logout requires POST
+ http
+ .csrf().disable();
+ }
+ };
+ }
/**
* {@inheritDoc}
*
@@ -71,14 +68,4 @@ public class LocalUsersWebSecurityConfiguration extends WebSecurityConfigurerAda
auth.userDetailsService(userDetailsService);
}
- /**
- * Exposes the internal {@link HttpSecurity} as a bean so deployers can customize it further.
- *
- * @return
- * @throws Exception
- */
- @Bean
- public HttpSecurity httpSecurity() throws Exception {
- return getHttp();
- }
}
diff --git a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationDevelopmentConfiguration.java b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationDevelopmentConfiguration.java
index b654127a290024b5b29e68a9cc26c9d691953486..3a42cdc49cbf77e2f311f6613325fe74ff8d9a0d 100644
--- a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationDevelopmentConfiguration.java
+++ b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationDevelopmentConfiguration.java
@@ -20,6 +20,9 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
import com.github.nblair.web.PreAuthenticationSimulationServletFilter;
import com.github.nblair.web.ProfileConditionalDelegatingFilterProxy;
+import edu.wisc.uwss.configuration.HttpSecurityAmender;
+import edu.wisc.uwss.configuration.development.SimulatePreAuthenticationHttpSecurityAmender;
+
/**
* Isolate PreAuthenticationServletFilter configuration.
*
@@ -36,15 +39,12 @@ public class PreAuthenticationDevelopmentConfiguration {
@Inject
Environment environment;
/**
- * @see HttpSecurity#authorizeRequests()
- * @param http
* @throws Exception
*/
- @Autowired
- public void amendHttpSecurity(HttpSecurity http) throws Exception {
+ @Bean
+ public HttpSecurityAmender httpSecurityAmender() throws Exception {
logger.warn("'preauth-dev' profile activated, setting up PreAuthenticationSimulationServletFilter. Confirm this not a production environment!");
- http
- .addFilterBefore(preAuthenticationSimulationFilter(), SecurityContextPersistenceFilter.class);
+ return new SimulatePreAuthenticationHttpSecurityAmender(preAuthenticationSimulationFilter());
}
/**
diff --git a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationHttpSecurityAmender.java b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationHttpSecurityAmender.java
new file mode 100644
index 0000000000000000000000000000000000000000..9bf6adc826c390d9d05e048ade63d21bd006e96b
--- /dev/null
+++ b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationHttpSecurityAmender.java
@@ -0,0 +1,43 @@
+package edu.wisc.uwss.configuration.preauth;
+
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+
+import edu.wisc.uwss.configuration.HttpSecurityAmender;
+import edu.wisc.uwss.preauth.PreAuthLogoutSuccessHandler;
+import edu.wisc.uwss.preauth.UWUserDetailsAuthenticationFilter;
+
+/**
+ * {@link HttpSecurityAmender} intended to inject the appropriate filter and handler to
+ * support "preauthentication". This is typically used at UW to support NetID Login (SAML2 over Shibboleth).
+ *
+ * @author Nicholas Blair
+ */
+public class PreAuthenticationHttpSecurityAmender implements HttpSecurityAmender {
+ private final UWUserDetailsAuthenticationFilter authenticationFilter;
+ public PreAuthenticationHttpSecurityAmender(UWUserDetailsAuthenticationFilter authenticationFilter) {
+ this.authenticationFilter = authenticationFilter;
+ }
+ /**
+ * {@inheritDoc}
+ *
+ * <ul>
+ * <li>Adds {@link UWUserDetailsAuthenticationFilter} to the chain.</li>
+ * <li>Wires in {@link PreAuthLogoutSuccessHandler} to logout.</li>
+ * <li>Disables CSRF.</li>
+ * </ul>
+ */
+ @Override
+ public void amend(HttpSecurity http) throws Exception {
+ http
+ .addFilterBefore(authenticationFilter, AbstractPreAuthenticatedProcessingFilter.class)
+ .logout()
+ .logoutSuccessHandler(new PreAuthLogoutSuccessHandler())
+ .deleteCookies("JSESSIONID")
+ .invalidateHttpSession(true);
+
+ // CSRF protection is disabled, as without it /logout requires POST
+ http
+ .csrf().disable();
+ }
+}
diff --git a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationWebSecurityConfiguration.java b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationWebSecurityConfiguration.java
index 6d0eaebb5e6d64fca3a23be6583b80b061b23dcd..1bc2ea3dc73d1946107afd7f6ba8aa675b08ecb3 100644
--- a/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationWebSecurityConfiguration.java
+++ b/uw-spring-security-config/src/main/java/edu/wisc/uwss/configuration/preauth/PreAuthenticationWebSecurityConfiguration.java
@@ -12,6 +12,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
+import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -34,51 +35,27 @@ import edu.wisc.uwss.preauth.UWUserDetailsAuthenticationFilter;
* @author Nicholas Blair
*/
@Configuration
-@EnableWebSecurity
@Profile("preauth")
@Order(CombinedAuthentication.PREAUTH_WEB_SECURITY_CONFIGURATION_ORDER)
-public class PreAuthenticationWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class PreAuthenticationWebSecurityConfiguration {
protected final Logger logger = LoggerFactory.getLogger(this.getClass());
-
- @Autowired(required=false)
- private HttpSecurityAmender amender = new HttpSecurityAmender.Default();
- /**
- /**
- * {@inheritDoc}
- *
- * <ul>
- * <li>Adds {@link UWUserDetailsAuthenticationFilter} to the chain, see {@link #authenticationFilter()}.</li>
- * <li>Enables {@link HttpSecurity#formLogin()} and {@link HttpSecurity#httpBasic()} for demo users.</li>
- * <li>Wires in {@link PreAuthLogoutSuccessHandler} to logout.</li>
- * </ul>
- */
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- logger.debug("enter WebSecurityConfigurerAdapter#configure for preauth");
- http
- .addFilterBefore(authenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
- .logout()
- .logoutSuccessHandler(new PreAuthLogoutSuccessHandler())
- .deleteCookies("JSESSIONID")
- .invalidateHttpSession(true);
-
- // CSRF protection is disabled, as without it /logout requires POST
- http
- .csrf().disable();
-
- amender.amend(http);
- }
+ @Autowired
+ private AuthenticationManager authenticationManager;
+
+ @Bean
+ public HttpSecurityAmender preAuthenticationHttpSecurityAmender() {
+ return new PreAuthenticationHttpSecurityAmender(authenticationFilter());
+ }
/**
*
* @return an instance of {@link UWUserDetailsAuthenticationFilter}
- * @throws Exception
*/
@Bean
- public Filter authenticationFilter() throws Exception {
+ public UWUserDetailsAuthenticationFilter authenticationFilter() {
UWUserDetailsAuthenticationFilter filter = new UWUserDetailsAuthenticationFilter();
- filter.setAuthenticationManager(authenticationManager());
+ filter.setAuthenticationManager(authenticationManager);
return filter;
}
@@ -95,14 +72,5 @@ public class PreAuthenticationWebSecurityConfiguration extends WebSecurityConfig
logger.debug("enter WebSecurityConfigurerAdapter#configureGlobal for preauth, injecting {} into AuthenticationManagerBuilder", authenticationProvider);
auth.authenticationProvider(authenticationProvider);
}
- /**
- * Exposes the internal {@link HttpSecurity} as a bean so deployers can customize it further.
- *
- * @return
- * @throws Exception
- */
- @Bean
- public HttpSecurity httpSecurity() throws Exception {
- return getHttp();
- }
+
}
diff --git a/uw-spring-security-sample-war/pom.xml b/uw-spring-security-sample-war/pom.xml
index 17656dd9e26c9dd3872657bcaffb7d21f6759b3b..8b6e6f1bf355553570b373e15cc733db15e667b7 100644
--- a/uw-spring-security-sample-war/pom.xml
+++ b/uw-spring-security-sample-war/pom.xml
@@ -109,5 +109,11 @@
<activeProfiles>local-users,preauth</activeProfiles>
</properties>
</profile>
+ <profile>
+ <id>combined-simulate-netid</id>
+ <properties>
+ <activeProfiles>local-users,preauth,preauth-simulate-netid</activeProfiles>
+ </properties>
+ </profile>
</profiles>
</project>
\ No newline at end of file
diff --git a/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java b/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java
index 0fe76ba93204f8c95682c985b91d5019843751aa..8fa219e701c99ec51aac505f582cfaad06b575de 100644
--- a/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java
+++ b/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java
@@ -29,6 +29,9 @@ import org.springframework.web.filter.DelegatingFilterProxy;
import com.github.nblair.web.PreAuthenticationSimulationServletFilter;
+import edu.wisc.uwss.configuration.HttpSecurityAmender;
+import edu.wisc.uwss.configuration.development.SimulatePreAuthenticationHttpSecurityAmender;
+
/**
* Demonstration-only sample {@link Configuration}.
* This Configuration injects a Servlet {@link Filter} that is useful for development environments
@@ -40,11 +43,14 @@ import com.github.nblair.web.PreAuthenticationSimulationServletFilter;
* @author Nicholas Blair
*/
@Configuration
-@Profile("preauth")
+@Profile("preauth-simulate-netid")
public class DemonstrationOnlyPreAuthenticationConfiguration {
@Inject
private Environment environment;
+
+ @Inject
+ private AuthenticationManager authenticationManager;
/**
* When "preauth" is enabled, we need to inject the {@link #authenticationFilter()} in the right
* spot in the Spring Security FilterChain.
@@ -56,10 +62,9 @@ public class DemonstrationOnlyPreAuthenticationConfiguration {
* @throws ServletException
* @throws Exception
*/
- @Autowired
- protected void amendHttpSecurity(HttpSecurity httpSecurity, AuthenticationManager authenticationManager) throws ServletException, Exception {
- httpSecurity
- .addFilterBefore(preAuthenticationSimulationFilter(), SecurityContextPersistenceFilter.class);;
+ @Bean
+ protected HttpSecurityAmender httpSecurityAmender(AuthenticationManager authenticationManager) throws ServletException, Exception {
+ return new SimulatePreAuthenticationHttpSecurityAmender(preAuthenticationSimulationFilter());
}
/**
* This Filter is intended to simulate pre-authentication by making every request appear to have the user attributes
diff --git a/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/SampleWebSecurityConfiguration.java b/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/SampleWebSecurityConfiguration.java
index ae21a81e006f3aedc56cda2acb914430cbddbe3d..7d80575218125a815dfa387f0370b007437f31e9 100644
--- a/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/SampleWebSecurityConfiguration.java
+++ b/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/SampleWebSecurityConfiguration.java
@@ -6,10 +6,13 @@ package edu.wisc.uwss.sample.configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import edu.wisc.uwss.configuration.HttpSecurityAmender;
+
/**
* This {@link Configuration} class for the "local-users" {@link Profile} provides an example of how one would
* amend the {@link HttpSecurity} initialized in the various configuration classes in uw-spring-security-config.
@@ -22,19 +25,24 @@ public class SampleWebSecurityConfiguration {
static final Logger logger = LoggerFactory.getLogger(SampleWebSecurityConfiguration.class);
/**
* This example puts a constraint on the "/required" and "/profile" URLs, requiring visitors be authenticated.
- *
- * @param http the {@link HttpSecurity} instance made available via other {@link Configuration} classes in the -config module
+ *
* @throws Exception see {@link HttpSecurity#authorizeRequests()}
*/
- @Autowired
- public void amendHttpSecurity(HttpSecurity http) throws Exception {
- logger.info("amendHttpSecurity: setting up access controls for known urls");
- http.authorizeRequests()
- .antMatchers("/favicon.ico").permitAll()
- .antMatchers("/index.html").permitAll()
- .antMatchers("/lazy").permitAll()
- .antMatchers("/required").authenticated()
- .antMatchers("/profile").authenticated();
+ @Bean
+ public HttpSecurityAmender httpSecurityAmender() throws Exception {
+ return new HttpSecurityAmender() {
+ @Override
+ public void amend(HttpSecurity http) throws Exception {
+ logger.info("amendHttpSecurity: setting up access controls for known urls");
+ http.authorizeRequests()
+ .antMatchers("/favicon.ico").permitAll()
+ .antMatchers("/index.html").permitAll()
+ .antMatchers("/lazy").permitAll()
+ .antMatchers("/required").authenticated()
+ .antMatchers("/profile").authenticated();
+ }
+ };
+
}
}
diff --git a/uw-spring-security-sample-war/src/main/webapp/index.html b/uw-spring-security-sample-war/src/main/webapp/index.html
index 88712c225aa9a72c5b13b80d7742b4f529728b70..45116929dd2bae01e5a2ff1c78a1cc6e928c41ce 100644
--- a/uw-spring-security-sample-war/src/main/webapp/index.html
+++ b/uw-spring-security-sample-war/src/main/webapp/index.html
@@ -32,9 +32,19 @@
<li>Visit http://localhost:8080/index.html. Click 'Lazy authentication', expect JSON object representing UWUserDetails for 'Amy Administrator'.</li>
<li>Visit http://localhost:8080/index.html. Click 'Required authentication', expect JSON object representing UWUserDetails for 'Amy Administrator'.</li>
</ol>
+
+ <h3>combined</h3>
+ <p>Start VM eith 'mvn clean install jetty:run -P combined', visit http://localhost:8080/.</p>
+ <p>Note that with the 'combined' test here, we have nothing providing preauthentication attributes, so the app falls back to local-users forms. To see combined
+ with something that provides preauthentication attributes, see the 'combined-simulate-netid' test.</p>
+ <ol>
+ <li>Click 'Lazy authentication', expect "anonymousUser".</li>
+ <li>Visit http://localhost:8080/index.html. Click 'Lazy with "ignorepreauth"', expect "anonymousUser".</li>
+ <li>Visit http://localhost:8080/index.html. Click /required, expect login form. Enter credentials, submit, and expect JSON object representing current UWUserDetails.</li>
+ </ol>
- <h3>combined-auth</h3>
- <p>Start VM with 'mvn clean install jetty:run -P combined', visit http://localhost:8080/.</p>
+ <h3>combined-simulate-netid</h3>
+ <p>Start VM with 'mvn clean install jetty:run -P combined-simulate-netid', visit http://localhost:8080/.</p>
<ol>
<li>Click 'Lazy with "ignorepreauth"', expect "anonymousUser".</li>
<li>Visit http://localhost:8080/index.html. Click 'Lazy authentication', expect JSON object representing UWUserDetails for 'Amy Administrator'.</li>