
Guys, the code below is a Spring Security web adapter. I do not like the configure(HttpSecurity) method that generates the security confirmation policy. Any ideas on how to make it more readable and clear?

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Spring security configuration
 *
 * @author Eugene Ustimenko
 * @date Nov 5, 2014
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // ILoginService is the application's own UserDetailsService implementation (not shown here).
    @Autowired
    @Qualifier("loginService")
    private ILoginService loginService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(loginService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only requests whose URL matches the regex /login/* are checked for a CSRF token.
        // This replaces the default matcher, which checks every request except GET, HEAD,
        // TRACE and OPTIONS.
        final RequestMatcher csrfRequestMatcher = new RequestMatcher() {
            private RegexRequestMatcher requestMatcher = new RegexRequestMatcher("/login/*", null);

            @Override
            public boolean matches(HttpServletRequest request) {
                return requestMatcher.matches(request);
            }
        };

        http.csrf()
            .requireCsrfProtectionMatcher(csrfRequestMatcher)
            .and().authorizeRequests().antMatchers("/admin/**").access("hasRole('ADMIN')")
            .and()
            .formLogin().loginPage("/login").failureUrl("/login?error")
            .usernameParameter("username").passwordParameter("password")
            .and()
            .logout().logoutSuccessUrl("/")
            .and()
            .csrf()
            .and()
            .exceptionHandling().accessDeniedPage("/403");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        final PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }

    @Bean(name = "auth")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
```
asked Aug 23, 2015 at 22:44

1 Answer


You don't need to build this as one line. You could try splitting it out into multiple lines and adding some comments to describe what you are doing.

I think the below example does what you want.

  • I have removed the anonymous RequestMatcher class. RegexRequestMatcher implements the RequestMatcher interface.
  • I have removed the second csrf() method call as it isn't needed.

```java
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Enable csrf for login form
    http.csrf().requireCsrfProtectionMatcher(new RegexRequestMatcher("/login/*", null));
    // Configure login page
    http.formLogin().loginPage("/login").failureUrl("/login?error")
        .usernameParameter("username").passwordParameter("password");
    // Configure logout redirect
    http.logout().logoutSuccessUrl("/");
    // Ensure admin pages have correct role
    http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN");
    // Configure access denied exception redirect
    http.exceptionHandling().accessDeniedPage("/403");
}
```
answered Feb 12, 2016 at 9:54
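The requireCsrfProtectionMatcher call kept in both the question and the answer replaces Spring Security's default CSRF rule (a token is required on every request except GET, HEAD, TRACE and OPTIONS) with one that only covers URLs matching the regex /login/*. The following is an added Python model of those two matching rules, written for this review and not Spring code or code from the post; the Request type and the sample requests are constructed here from the URLs in the posted configuration, and RegexRequestMatcher is modelled as a full regex match against servletPath + pathInfo + '?' + queryString with the HTTP method ignored because null was passed.

```python
import re
from typing import Callable, List, NamedTuple

# Methods Spring's default CSRF matcher treats as "safe" (no token required).
SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}


class Request(NamedTuple):
    method: str
    path: str        # servletPath + pathInfo
    query: str = ""  # raw query string, empty when the request has none


def default_requires_csrf(req: Request) -> bool:
    """Stock rule: every request with a non-safe method must carry a token."""
    return req.method.upper() not in SAFE_METHODS


def regex_requires_csrf(pattern: str) -> Callable[[Request], bool]:
    """Model of RegexRequestMatcher(pattern, null): the regex must match the
    whole of servletPath + pathInfo [+ '?' + queryString]. With a null HTTP
    method the matcher ignores the verb, so GET requests are matched as well."""
    compiled = re.compile(pattern)

    def matches(req: Request) -> bool:
        url = req.path + ("?" + req.query if req.query else "")
        return compiled.fullmatch(url) is not None

    return matches


def unprotected_state_changes(requests: List[Request],
                              requires_csrf: Callable[[Request], bool]) -> List[Request]:
    """State-changing requests (non-safe method) that the given matcher would
    let through the CsrfFilter without demanding a token."""
    return [r for r in requests if default_requires_csrf(r) and not requires_csrf(r)]


# Constructed sample traffic built from the URLs in the posted configuration.
SAMPLE = [
    Request("GET", "/login"),
    Request("POST", "/login"),
    Request("GET", "/admin/users"),
    Request("POST", "/admin/users"),
    Request("DELETE", "/admin/users/42"),
    Request("POST", "/logout"),
]

# The matcher from the posted configure(HttpSecurity).
POSTED_MATCHER = regex_requires_csrf("/login/*")
```

Under the default rule the list of unprotected state changes is empty, while under the posted matcher every admin POST/DELETE and the logout POST pass without a token check. If only a few endpoints genuinely need to be exempt, keeping the default matcher and calling csrf().ignoringAntMatchers(...) (Spring Security 4.0 and later) is the narrower change.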
