From 0a1507f405c9060eabe5c5d964b04bcc36d95699 Mon Sep 17 00:00:00 2001
From: Matt Raible <matt@raibledesigns.com>
Date: Thu, 19 Dec 2013 13:42:19 -0700
Subject: [PATCH] Converted from XML to JavaConfig for Spring Security. Login
 works, requesting REST services does not (403).

---
 pom.xml                                       | 39 ++++++++----
 .../rest/resources/UserResource.java          | 20 +++----
 .../security/WebSecurityConfig.java           | 52 ++++++++++++++++
 src/main/resources/context.xml                | 59 ++++++-------------
 src/main/webapp/WEB-INF/web.xml               | 43 ++++++++------
 5 files changed, 130 insertions(+), 83 deletions(-)
 create mode 100644 src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/security/WebSecurityConfig.java

diff --git a/pom.xml b/pom.xml
index 2cc886a..0baf8ea 100644
--- a/pom.xml
+++ b/pom.xml
@@ -7,12 +7,11 @@
 	<packaging>war</packaging>
 
 	<properties>
-		<!-- Spring Security is based on Spring 3.0.7 -->
-		<spring.version>3.0.7.RELEASE</spring.version>
-		<spring.security.version>3.1.4.RELEASE</spring.security.version>
+		<spring.version>4.0.0.RELEASE</spring.version>
+		<spring.security.version>3.2.0.RELEASE</spring.security.version>
 		<jersey.version>1.17.1</jersey.version>
 		<org.slf4j.version>1.7.5</org.slf4j.version>
-		<javax.servlet-api.version>2.5</javax.servlet-api.version>
+		<javax.servlet-api.version>3.1.0</javax.servlet-api.version>
 		<org.hibernate.version>4.2.2.Final</org.hibernate.version>
 		<maven-compiler-plugin.version>3.1</maven-compiler-plugin.version>
 		<org.hsqldb.version>2.2.9</org.hsqldb.version>
@@ -50,6 +49,11 @@
 					<target>1.6</target>
 				</configuration>
 			</plugin>
+            <plugin>
+                <groupId>org.apache.tomcat.maven</groupId>
+                <artifactId>tomcat7-maven-plugin</artifactId>
+                <version>2.2</version>
+            </plugin>
 		</plugins>
 	</build>
 	
@@ -57,6 +61,19 @@
 		<developerConnection>scm:git:https://github.com/philipsorst/angular-rest-springsecurity.git</developerConnection>
 	</scm>
 
+    <!-- Force all dependencies to use Spring 4 -->
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-framework-bom</artifactId>
+                <version>${spring.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
 	<dependencies>
 
 		<dependency>
@@ -158,13 +175,13 @@
         	<artifactId>spring-security-config</artifactId>
         	<version>${spring.security.version}</version>
     	</dependency>
-    	
-    	<dependency>
-			<groupId>javax.servlet</groupId>
-			<artifactId>servlet-api</artifactId>
-			<version>${javax.servlet-api.version}</version>
-			<scope>provided</scope>
-		</dependency>
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <version>${javax.servlet-api.version}</version>
+            <scope>provided</scope>
+        </dependency>
 
     	<dependency>
     		<groupId>org.springframework</groupId>
diff --git a/src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/rest/resources/UserResource.java b/src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/rest/resources/UserResource.java
index 872a985..f0a829d 100644
--- a/src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/rest/resources/UserResource.java
+++ b/src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/rest/resources/UserResource.java
@@ -1,19 +1,8 @@
 package net.dontdrinkandroot.example.angularrestspringsecurity.rest.resources;
 
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.ws.rs.FormParam;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.MediaType;
-
 import net.dontdrinkandroot.example.angularrestspringsecurity.rest.TokenUtils;
 import net.dontdrinkandroot.example.angularrestspringsecurity.transfer.UserTransfer;
-
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -23,6 +12,14 @@
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.stereotype.Component;
 
+import javax.ws.rs.FormParam;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import java.util.HashMap;
+import java.util.Map;
+
 
 @Component
 @Path("/user")
@@ -32,7 +29,6 @@ public class UserResource {
 	private UserDetailsService userService;
 
 	@Autowired
-	@Qualifier("authenticationManager")
 	private AuthenticationManager authManager;
 
 
diff --git a/src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/security/WebSecurityConfig.java b/src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/security/WebSecurityConfig.java
new file mode 100644
index 0000000..de063ad
--- /dev/null
+++ b/src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/security/WebSecurityConfig.java
@@ -0,0 +1,52 @@
+package net.dontdrinkandroot.example.angularrestspringsecurity.security;
+
+import net.dontdrinkandroot.example.angularrestspringsecurity.dao.user.UserDao;
+import net.dontdrinkandroot.example.angularrestspringsecurity.rest.AuthenticationTokenProcessingFilter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.ImportResource;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@Configuration
+@EnableWebSecurity
+@ImportResource("classpath:/context.xml")
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        // disable CSRF and Basic Authentication
+        http.csrf().disable().httpBasic().disable();
+
+        http.authorizeRequests()
+                .antMatchers("/rest/user/authenticate").permitAll()
+                .antMatchers(HttpMethod.GET, "/rest/news/**").hasRole("user")
+                .antMatchers(HttpMethod.PUT, "/rest/news/**").hasRole("admin")
+                .antMatchers(HttpMethod.POST, "/rest/news/**").hasRole("admin")
+                .antMatchers(HttpMethod.DELETE, "/rest/news/**").hasRole("admin");
+
+        // customization for REST Token AUTH
+        http.addFilterBefore(new AuthenticationTokenProcessingFilter(userDao), UsernamePasswordAuthenticationFilter.class)
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+    }
+
+    @Autowired
+    private UserDao userDao;
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
+        authManagerBuilder.userDetailsService(userDao).passwordEncoder(new SaltedSHA256PasswordEncoder("secret"));
+    }
+
+    @Bean
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+}
\ No newline at end of file
diff --git a/src/main/resources/context.xml b/src/main/resources/context.xml
index c0fca8c..730651c 100644
--- a/src/main/resources/context.xml
+++ b/src/main/resources/context.xml
@@ -8,16 +8,16 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xsi:schemaLocation="
 			http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-			http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
-			http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
-			http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
-			http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
-			http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+			http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+			http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
+			http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
+			http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+			http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
 
 	<context:annotation-config />
 
 	<!--
-		DATABASE SETUP 
+		DATABASE SETUP
 	 -->
 
 	<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
@@ -42,13 +42,13 @@
 	<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
 		<property name="entityManagerFactory" ref="entityManagerFactory" />
 	</bean>
-	
+
 	<bean id="newsEntryDao" class="net.dontdrinkandroot.example.angularrestspringsecurity.dao.newsentry.JpaNewsEntryDao">
 	</bean>
-	
+
 	<bean id="userDao" class="net.dontdrinkandroot.example.angularrestspringsecurity.dao.user.JpaUserDao">
 	</bean>
-	
+
 	<bean id="dataBaseInitializer" class="net.dontdrinkandroot.example.angularrestspringsecurity.dao.DataBaseInitializer" init-method="initDataBase">
 		<constructor-arg ref="userDao" />
 		<constructor-arg ref="newsEntryDao" />
@@ -58,46 +58,21 @@
 	<tx:annotation-driven transaction-manager="transactionManager" />
 
 	<!--
-		INIT REST COMPONENTS 
+		INIT REST COMPONENTS
 	 -->
-	
+
 	<context:component-scan base-package="net.dontdrinkandroot.example.angularrestspringsecurity.rest.resources" />
-	
+
 	<bean id="objectMapper" class="org.codehaus.jackson.map.ObjectMapper" />
-	
-	<!-- 
+
+	<!--
 		SPRING SECURITY SETUP
 	-->
-	
+
 	<bean id="passwordEncoder" class="net.dontdrinkandroot.example.angularrestspringsecurity.security.SaltedSHA256PasswordEncoder">
 		<constructor-arg value="secret" />
 	</bean>
-	
-	<security:authentication-manager id="authenticationManager">
-		<security:authentication-provider user-service-ref="userDao">
-			<security:password-encoder ref="passwordEncoder"></security:password-encoder>
-		</security:authentication-provider>
-	</security:authentication-manager>
-
-	<security:http
-			realm="Protected API"
-			use-expressions="true"
-			auto-config="false"
-			create-session="stateless"
-			entry-point-ref="unauthorizedEntryPoint"
-			authentication-manager-ref="authenticationManager">
-		<security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" />
-		<security:intercept-url pattern="/rest/user/authenticate" access="permitAll" />
-		<security:intercept-url method="GET" pattern="/rest/news/**" access="hasRole('user')" />
-		<security:intercept-url method="PUT" pattern="/rest/news/**" access="hasRole('admin')" />
-		<security:intercept-url method="POST" pattern="/rest/news/**" access="hasRole('admin')" />
-		<security:intercept-url method="DELETE" pattern="/rest/news/**" access="hasRole('admin')" />
-	</security:http>
-
-	<bean id="unauthorizedEntryPoint" class="net.dontdrinkandroot.example.angularrestspringsecurity.rest.UnauthorizedEntryPoint" />
-
-	<bean class="net.dontdrinkandroot.example.angularrestspringsecurity.rest.AuthenticationTokenProcessingFilter" id="authenticationTokenProcessingFilter">
-		<constructor-arg ref="userDao" />
-	</bean>
+
+    <!-- Configuration defined in WebSecurityConfig.java. The passwordEncoder bean is defined here b/c it's used by dataBaseInitializer. -->
 
 </beans>
\ No newline at end of file
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
index eeb6cc6..0221135 100644
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -1,24 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
-	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
-	id="WebApp_ID" version="2.5">
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
 	
 	<display-name>angular-rest-springsecurity</display-name>
-	
-	<!--
-		Load Spring Context 
-	 -->
-	<context-param>
-		<param-name>contextConfigLocation</param-name>
-		<param-value>
-			classpath:/context.xml
-		</param-value>
-	</context-param>
+
+    <!--
+   		Load Spring Context
+   	 -->
+
+    <context-param>
+  		<param-name>contextClass</param-name>
+  		<param-value>
+              org.springframework.web.context.support.AnnotationConfigWebApplicationContext
+  		</param-value>
+  	</context-param>
+
+    <context-param>
+          <param-name>contextConfigLocation</param-name>
+          <param-value>net.dontdrinkandroot.example.angularrestspringsecurity.security.WebSecurityConfig</param-value>
+      </context-param>
+
 	<listener>
 		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 	</listener>
-	
+
 	<!--
 		Map the REST Servlet to /rest/ 
 	 -->
@@ -39,9 +46,9 @@
 		<servlet-name>RestService</servlet-name>
 		<url-pattern>/rest/*</url-pattern>
 	</servlet-mapping>
-	
+
 	<!--
-		Apply Spring Security Filter to all Requests 
+		Apply Spring Security Filter to all Requests
 	 -->
 	<filter>
         <filter-name>springSecurityFilterChain</filter-name>
@@ -51,5 +58,5 @@
         <filter-name>springSecurityFilterChain</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
-    
+
 </web-app>
\ No newline at end of file