build.gradle
dependencies {
    // Pinned to fixed release versions. Review these coordinates against current security
    // advisories for Spring Security / Spring Framework / Web Flow before reusing the snippet.
    // NOTE(review): `compile` is the legacy Gradle configuration; newer Gradle versions expect
    // `implementation` (or `api`) instead.
    compile 'org.springframework.webflow:spring-webflow:2.4.5.RELEASE'
    compile 'org.springframework.security:spring-security-web:4.2.3.RELEASE'
    compile 'org.springframework.security:spring-security-config:4.2.3.RELEASE'
    compile 'org.springframework.security:spring-security-taglibs:4.2.3.RELEASE'
    compile 'org.springframework:spring-jdbc:4.3.10.RELEASE'
}
Files:
├── security
│ ├── BasePermissionEvaluator.java
│ ├── WebMvcConfig.java
│ ├── WebSecurityConfig.java
│ └── WebSecurityFilterChain.java
└── web
└── MvcWebApplicationInitializer.java
BasePermissionEvaluator.java
package spring.security;
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
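@Component
public class BasePermissionEvaluator implements PermissionEvaluator {

    /** Authority Spring Security attaches to unauthenticated (anonymous) principals. */
    private static final String ANONYMOUS_AUTHORITY = "ROLE_ANONYMOUS";

    /**
     * Grants access only when the caller holds BOTH {@code targetDomainObject} and
     * {@code permission}, each stringified with {@code String.valueOf}, as granted authorities.
     * Both arguments are therefore interpreted as authority names, not as a domain object plus
     * an action on it.
     *
     * <p>Fail-closed cases: a {@code null} authentication (or one without an authority
     * collection), and a principal whose only authority is {@code ROLE_ANONYMOUS}. The previous
     * anonymous check compared a bare {@link String} against a collection of
     * {@link SimpleGrantedAuthority} instances, which can never match ({@code String.equals}
     * rejects any non-String), so that guard was dead code; the comparison now uses the same
     * authority type the collection holds, exactly as the positive checks below already did.
     *
     * @param authentication     the caller; may be {@code null}
     * @param targetDomainObject first authority name the caller must hold
     * @param permission         second authority name the caller must hold
     * @return {@code true} only when both authorities are held by a non-anonymous caller
     */
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        if (authentication == null || authentication.getAuthorities() == null) {
            return false;
        }
        boolean onlyAnonymous = authentication.getAuthorities().size() == 1
                && authentication.getAuthorities().contains(new SimpleGrantedAuthority(ANONYMOUS_AUTHORITY));
        if (onlyAnonymous) {
            return false;
        }
        SimpleGrantedAuthority target = new SimpleGrantedAuthority(String.valueOf(targetDomainObject));
        SimpleGrantedAuthority required = new SimpleGrantedAuthority(String.valueOf(permission));
        return authentication.getAuthorities().contains(target)
                && authentication.getAuthorities().contains(required);
    }

    /**
     * The id/type form of the check is not supported by this evaluator and always denies
     * (fail-closed), so expressions that use it can never grant access by accident.
     */
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        return false;
    }
}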
WebMvcConfig.java
package spring.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
/**
 * Spring MVC configuration: JSP views under {@code /WEB-INF/view/} and fall-through of
 * unmapped requests to the container's default servlet.
 *
 * <p>NOTE(review): the scan root is {@code com.brunorozendo} while this class and
 * {@code BasePermissionEvaluator} are declared in package {@code spring.security}; the
 * evaluator's {@code @Component} is only registered by this scan if it really lives under the
 * scanned root — confirm the package names against the actual project layout.
 * {@code @EnableWebSecurity} is also declared on {@code WebSecurityConfig}; one declaration
 * is sufficient.
 */
@Configuration
@EnableWebMvc
@EnableWebSecurity
@ComponentScan(basePackages = { "com.brunorozendo"})
public class WebMvcConfig extends WebMvcConfigurerAdapter {

    /** Location wrapped around logical view names to locate the JSP under WEB-INF. */
    private static final String VIEW_PREFIX = "/WEB-INF/view/";
    /** File extension appended to logical view names. */
    private static final String VIEW_SUFFIX = ".jsp";

    /**
     * Resolves a logical view name {@code x} to {@code /WEB-INF/view/x.jsp}. Keeping views
     * under WEB-INF means the container never serves the raw JSP source directly.
     *
     * @return the configured JSP view resolver
     */
    @Bean
    public InternalResourceViewResolver viewResolver() {
        final InternalResourceViewResolver jspResolver = new InternalResourceViewResolver();
        jspResolver.setPrefix(VIEW_PREFIX);
        jspResolver.setSuffix(VIEW_SUFFIX);
        return jspResolver;
    }

    /** Requests no controller handles are forwarded to the container's default servlet. */
    @Override
    public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
        configurer.enable();
    }
}
WebSecurityConfig.java
package spring.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.SQLException;
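@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** JNDI name of the container-managed DataSource used for JDBC authentication. */
    private static final String DATASOURCE_JNDI_NAME = "jdbc/h2db";

    /**
     * Web-layer security: static assets bypass the filter chain entirely, and web security
     * expressions (e.g. {@code hasPermission(...)} in taglib {@code access} attributes) are
     * evaluated with the shared {@link BasePermissionEvaluator} bean.
     *
     * <p>Ignored paths receive NO security headers, session handling or CSRF protection, so
     * only genuinely static content should live under {@code /js/**} and {@code /css/**}.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        // Reuse the bean instead of a second ad-hoc instance so web and method security agree.
        handler.setPermissionEvaluator(permissionEvaluator());
        web.ignoring().antMatchers("/js/**").and()
                .ignoring().antMatchers("/css/**").and()
                .expressionHandler(handler);
    }

    /**
     * Evaluator backing {@code hasPermission(...)} expressions.
     *
     * <p>NOTE(review): {@code BasePermissionEvaluator} is also annotated {@code @Component};
     * if component scanning registers it as well, two {@code PermissionEvaluator} beans exist
     * and the method-security integration may not pick either — keep a single registration.
     *
     * @return the application's permission evaluator
     */
    @Bean
    public PermissionEvaluator permissionEvaluator() {
        return new BasePermissionEvaluator();
    }

    /**
     * HTTP security rules.
     *
     * <p>SECURITY NOTE: {@code anyRequest().permitAll()} makes every URL reachable without
     * logging in; authorization therefore rests entirely on method-level {@code @PreAuthorize}
     * checks (enabled on this class) and view-level checks. Any controller that lacks such a
     * check is exposed. The stricter alternative is
     * {@code antMatchers("/login").permitAll().anyRequest().authenticated()}; it is not applied
     * here because public pages may rely on the current rule — revisit before production.
     *
     * <p>{@code rememberMe()} is left on framework defaults (no explicit {@code key(...)} or
     * token repository); if remember-me cookies must survive restarts, set a fixed key.
     * {@code httpBasic()} sends credentials on every request and is only acceptable over TLS.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().permitAll()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/authenticate")
                .failureForwardUrl("/login?login_error=1")
                .defaultSuccessUrl("/", true)
                .and()
            .logout()
                .logoutSuccessUrl("/")
                .and()
            .rememberMe()
                .and()
            .httpBasic();
    }

    /**
     * JDBC-backed authentication using custom queries against the {@code tb_user} /
     * {@code tb_perfil} / {@code tb_permission} tables.
     *
     * <p>SECURITY NOTE: no {@code passwordEncoder(...)} is registered on this builder, so
     * password comparison appears to fall back to the framework default for this release line
     * (plaintext unless an encoder bean is supplied elsewhere). Hashing stored passwords
     * (bcrypt/scrypt/argon2) and registering the matching encoder is strongly recommended;
     * not changed here because it would invalidate whatever {@code tx_pass} currently holds.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .dataSource(getDataSource())
                .authoritiesByUsernameQuery(getAuthoritiesByUsernameQuerySQL())
                .usersByUsernameQuery(getUsersByUsernameQuerySQL())
                .groupAuthoritiesByUsername(getGroupAuthoritiesByUsernameSQL());
    }

    /**
     * Looks up the container-managed DataSource via JNDI and verifies that a connection can be
     * obtained, failing fast with the underlying cause instead of handing Spring a {@code null}
     * DataSource whose failure would surface later with less context. The probe connection is
     * closed by try-with-resources even when the probe itself throws.
     *
     * @return the JNDI-bound DataSource
     * @throws IllegalStateException if the JNDI lookup or the probe connection fails
     */
    private DataSource getDataSource() {
        try {
            Context initCtx = new InitialContext();
            Context envCtx = (Context) initCtx.lookup("java:comp/env");
            DataSource ds = (DataSource) envCtx.lookup(DATASOURCE_JNDI_NAME);
            try (Connection ignored = ds.getConnection()) {
                // Connectivity probe only; misconfiguration is reported at startup.
            }
            return ds;
        } catch (NamingException | SQLException e) {
            throw new IllegalStateException(
                    "Cannot obtain DataSource '" + DATASOURCE_JNDI_NAME + "' from JNDI", e);
        }
    }

    /**
     * Query yielding {@code (username, authority)} rows; each {@code tx_perfil} value of the
     * user's profiles becomes a granted authority. Parameter {@code ?} is the username.
     *
     * @return the authorities-by-username SQL
     */
    private String getAuthoritiesByUsernameQuerySQL() {
        StringBuilder sql = new StringBuilder();
        sql.append(" select ");
        sql.append(" u.tx_username, ");
        sql.append(" p.tx_perfil ");
        sql.append(" from ");
        sql.append(" tb_user u ");
        sql.append(" inner join ");
        sql.append(" tb_user_tb_perfil up ");
        sql.append(" ON ");
        sql.append(" u.id_user = up.id_user ");
        sql.append(" inner join ");
        sql.append(" tb_perfil p ");
        sql.append(" ON ");
        sql.append(" up.id_perfil = p.id_perfil ");
        sql.append(" where ");
        sql.append(" u.tx_username = ? ");
        return sql.toString();
    }

    /**
     * Query yielding {@code (username, password, enabled)} rows. Parameter {@code ?} is the
     * username.
     *
     * <p>The enabled column is the literal {@code true}, so accounts cannot be disabled from
     * the database; {@code HEXTORAW} converts the stored {@code tx_pass} text — confirm that
     * the resulting value matches what the configured password comparison expects.
     *
     * @return the users-by-username SQL
     */
    private String getUsersByUsernameQuerySQL() {
        StringBuilder sql = new StringBuilder();
        sql.append(" select ");
        sql.append(" u.tx_username, ");
        sql.append(" HEXTORAW(u.tx_pass) as tx_pass, ");
        sql.append(" true ");
        sql.append(" from ");
        sql.append(" tb_user u ");
        sql.append(" WHERE ");
        sql.append(" u.tx_username = ? ");
        return sql.toString();
    }

    /**
     * Query yielding {@code (group id, group name, authority)} rows: every {@code tx_permission}
     * reachable through the user's profiles. Parameter {@code ?} is the username.
     *
     * @return the group-authorities-by-username SQL
     */
    private String getGroupAuthoritiesByUsernameSQL() {
        StringBuilder sql = new StringBuilder();
        sql.append(" select ");
        sql.append(" p.id_perfil, ");
        sql.append(" p.tx_perfil, ");
        sql.append(" pm.tx_permission ");
        sql.append(" from ");
        sql.append(" tb_permission pm ");
        sql.append(" inner join ");
        sql.append(" tb_permission_tb_perfil pb ");
        sql.append(" ON pb.id_permission = pm.id_permission ");
        sql.append(" inner join ");
        sql.append(" tb_perfil p ");
        sql.append(" ON p.id_perfil = pb.id_perfil ");
        sql.append(" inner join ");
        sql.append(" tb_user_tb_perfil up ");
        sql.append(" ON up.id_perfil = p.id_perfil ");
        sql.append(" inner join ");
        sql.append(" tb_user u ");
        sql.append(" ON u.id_user = up.id_user ");
        sql.append(" where ");
        sql.append(" u.tx_username = ? ");
        return sql.toString();
    }
}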
WebSecurityFilterChain.java
package spring.security;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
/**
 * Registers Spring Security's {@code springSecurityFilterChain} with the servlet container.
 * No body is needed: the base class performs the registration (the web.xml equivalent is
 * shown in the comment that follows).
 */
public class WebSecurityFilterChain extends AbstractSecurityWebApplicationInitializer {
}
/*
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer { }
is equivalent to the following declaration in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>ERROR</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
*/
MvcWebApplicationInitializer.java
package spring.web;
import spring.security.WebMvcConfig;
import spring.security.WebSecurityConfig;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
/**
 * Servlet 3.0 bootstrap: registers the {@code DispatcherServlet} on {@code /} and loads both
 * the security and the MVC configuration into the root application context.
 */
public class MvcWebApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    /** Both configuration classes go into the root context. */
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { WebSecurityConfig.class, WebMvcConfig.class };
    }

    /** Nothing servlet-specific: all configuration is supplied through the root context. */
    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    /** The dispatcher handles every request path. */
    @Override
    protected String[] getServletMappings() {
        final String[] mappings = { "/" };
        return mappings;
    }
}
thx, it helped me