package io.loli.box; import io.loli.box.dao.JpaReMemberMeRepository; import io.loli.box.entity.Role; import io.loli.box.social.RepositoryUserDetailsService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; /** * @author choco */ @EnableWebSecurity @Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) @Order(6) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests(); registry.antMatchers("/admin/**").hasAuthority(Role.ADMIN.toString()) .antMatchers("/image/**").permitAll() // .antMatchers("/webjars/**").permitAll() // .antMatchers("/js/**").permitAll() // .antMatchers("/css/**").permitAll() // .antMatchers("/img/**").permitAll() .and().formLogin().loginPage("/signin").defaultSuccessUrl("/").permitAll() .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).permitAll() .and().csrf().ignoringAntMatchers("/admin/**"/*,"/oauth*//**"*/); http.headers().frameOptions().disable().and() .rememberMe().tokenRepository(reMemberMeRepository); } @Autowired private JpaReMemberMeRepository reMemberMeRepository; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(authProvider()); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Autowired public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService); auth.authenticationProvider(authProvider()); } @Autowired private RepositoryUserDetailsService userDetailsService; @Bean public DaoAuthenticationProvider authProvider() { DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(); authProvider.setUserDetailsService(userDetailsService); authProvider.setPasswordEncoder(passwordEncoder()); return authProvider; } }