@levancho
Created May 16, 2023 18:27
@Configuration
@EnableWebSecurity(debug = false)
public class DespaniDualSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
DespSecurityManager secMan; // injected but not referenced anywhere in the visible code; package-private
@Autowired
private UserServices userDetailsService; // user lookup behind the DaoAuthenticationProvider bean below
/**
 * Exposes the token helper used by the JWT chain under an explicit bean name.
 * The implementation name says tokens are checked without a database lookup —
 * presumably a revoked or disabled account keeps working until its token
 * expires; confirm against the implementation before relying on that.
 *
 * @return a fresh {@code JwtUtilWithoutDbCheckImpl}
 */
@Bean("jwtUtilWithoutDbCheckImpl")
public JwtUtil tokeUtils() {
    final JwtUtil tokenHelper = new JwtUtilWithoutDbCheckImpl();
    return tokenHelper;
}
// Paths removed from the security filter chain entirely (see configure(WebSecurity)
// below, which passes them to web.ignoring()): no authentication, no authorization
// and none of Spring Security's response headers are applied to them. Only static,
// non-sensitive assets belong here.
// NOTE(review): the swagger UI and "/v2/api-docs" are therefore reachable anonymously;
// make sure exposing the API description is intended outside development.
// NOTE(review): the entries without a leading "/" (the "**/manifest.json" and
// "**/favicon.ico" forms) look like they can never match a servlet path, which always
// starts with "/"; the "/**/..." twins next to them cover those files — verify and drop
// the dead entries.
private static final String[] AUTH_WHITELIST = {
"/swagger-resources/**",
"/swagger-ui.html",
"**/manifest.json",
"/**/manifest.json",
"/favicons/**",
"/logo/**",
"/favicon.ico",
"**/favicon.ico",
"/v2/api-docs",
"/webjars/**"
};
/**
 * Excludes the {@code AUTH_WHITELIST} paths from the security filter chain
 * altogether. Ignored requests receive no authentication and no security
 * response headers, so only static, non-sensitive resources should be listed.
 *
 * @param web the web security builder
 * @throws Exception propagated from the builder
 */
@Override
public void configure(WebSecurity web) throws Exception {
    WebSecurity.IgnoredRequestConfigurer ignored = web.ignoring();
    ignored.antMatchers(AUTH_WHITELIST);
}
/**
 * Username/password provider used by the JWT chain (the form-login chain
 * configures its own user service and encoder). Passwords are compared with
 * BCrypt, so stored credentials must be BCrypt hashes.
 *
 * @return the provider wired to {@code userDetailsService}
 */
@Bean
DaoAuthenticationProvider provider() {
    final DaoAuthenticationProvider daoProvider = new DaoAuthenticationProvider();
    daoProvider.setUserDetailsService(userDetailsService);
    daoProvider.setPasswordEncoder(new BCryptPasswordEncoder());
    return daoProvider;
}
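/**
 * Filter chain for the bearer-token REST prefixes ({@code /rest/v1/**} and
 * {@code /rest/company/v1/**}); ordered at 10 so it is consulted before the
 * form-login chain at order 20. Requests outside those prefixes are not
 * handled by this chain at all.
 *
 * NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated since Spring
 * Security 5.7 and removed in 6.0. This is also a non-static inner configuration
 * class while the sibling form-login configuration is static — consider aligning
 * the two.
 */
@Configuration
@Order(10)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class JWTSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserServices userDetailsService; // not read here; the provider below carries the user service
    @Autowired
    DaoAuthenticationProvider provider;

    /**
     * Filter that reads and validates the bearer token on each request.
     *
     * @return a new {@code JwtTokenFilter}
     */
    @Bean
    public JwtTokenFilter authenticationTokenFilterBean() throws Exception {
        return new JwtTokenFilter();
    }

    /**
     * Entry point used when an unauthenticated request reaches this chain.
     *
     * @return a new {@code JWTAuthenticationEntryPoint}
     */
    @Bean
    public JWTAuthenticationEntryPoint jwtAuthenticationEntryPoint() throws Exception {
        return new JWTAuthenticationEntryPoint();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(provider);
    }

    /**
     * Exposes the chain's {@code AuthenticationManager} as a bean so other
     * components (presumably a token-issuing login endpoint) can authenticate
     * credentials with it.
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Scope this chain to the token-protected prefixes only.
        httpSecurity.requestMatchers(matchers -> matchers
                .antMatchers("/rest/v1/**", "/rest/company/v1/**"));
        // CSRF protection is only safe to drop because nothing on this chain is
        // authenticated by a cookie: the session policy below is STATELESS, so the
        // bearer token must accompany every request and the SecurityContext set by
        // JwtTokenFilter is never persisted into an HttpSession. (The previous ALWAYS
        // policy contradicted this: a session would have been created and, once the
        // context was saved into it, the JSESSIONID cookie alone could authenticate
        // later requests without any token.)
        httpSecurity.csrf().disable();
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        httpSecurity.authorizeRequests(authz -> authz.anyRequest().authenticated());
        httpSecurity.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint());
        httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
        // Turns OFF Spring Security's default Cache-Control/Pragma/Expires writer on
        // this chain, i.e. responses become cacheable by browsers and proxies.
        // NOTE(review): if the intent was the opposite (never cache per-user API
        // responses), delete this line — the default writer already emits no-store headers.
        httpSecurity.headers().cacheControl().disable();
    }
}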
/**
 * Browser-facing chain (order 20): session cookie plus optional remember-me
 * cookie, form login at {@code /login}, and a public-path allow-list. Anything
 * not claimed by the JWT chain at order 10 lands here.
 */
@Configuration
@Order(20)
public static class FormLoginConfigurationAdapter extends WebSecurityConfigurerAdapter {

    // Paths served without authentication on this chain. Kept in the author's
    // order; "/resources/**" appears twice, which is harmless but redundant.
    // NOTE(review): "/rest/webhooks/v1/**" and "/rest/public/v1/**" are anonymous
    // REST endpoints living on the cookie-based chain — verify they do nothing
    // state-changing on behalf of a logged-in user.
    private static final String[] PUBLIC_PATTERNS = {
            "/public/**", "/themes/**", "/", "/xout", "/app/**", "/login**", "/js/**", "/static/**", "/css/**", "/fonts/**", "/images/**",
            "/resources/**",
            "/chat/**",
            "/ckeditor/**",
            "/ckeditor5/**",
            "/tinymce/**",
            "/resources/**",
            "/react/**",
            "/webjars/**",
            "/favicons/**",
            "**/manifest.json",
            "/**/manifest.json",
            "/stomp",
            "/logo",
            "/logo/**",
            "/swagger-ui.html",
            "/favicon.ico",
            "**/favicon.ico",
            "/swagger**",
            "/rest/public/v1/**",
            "/swagger-resources/**",
            "/rest/webhooks/v1/**",
            "/stomp/**"
    };

    @Autowired
    private UserServices userDetailsService;

    /** Post-login handler invoked after a successful form authentication. */
    @Bean
    AuthenticationSuccessHandler despaniAuthenticationSuccessHandler() {
        return new DespaniAuthenticationSuccessHandler();
    }

    /**
     * Session registry bean.
     * NOTE(review): nothing in this configuration wires it into
     * sessionManagement() (no maximumSessions()/sessionRegistry() call), so it
     * is presumably consumed elsewhere — confirm it is actually used.
     */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().invalidSessionUrl("/login");

        // NOTE(review): this chain authenticates users by session cookie and
        // remember-me cookie, so with CSRF disabled any state-changing request a
        // logged-in browser can be tricked into sending is forgeable. Re-enabling
        // it (with ignoringAntMatchers() for endpoints legitimately called
        // without a token) is the expected fix; it is left as-is here because
        // which endpoints need an exemption is not visible from this file.
        http.csrf().disable();

        http.authorizeRequests()
                .antMatchers(PUBLIC_PATTERNS).permitAll()
                .antMatchers("/admin/**").hasAnyRole("MANAGER", "ADMIN", "SUPER_ADMIN")
                // fullyAuthenticated(): a remember-me session is not enough, the
                // user must have logged in with credentials.
                .anyRequest().fullyAuthenticated();

        http.formLogin()
                .loginPage("/login")
                .successHandler(despaniAuthenticationSuccessHandler())
                .failureUrl("/login?error")
                .usernameParameter("username")
                .permitAll();

        http.logout()
                .logoutUrl("/logout")
                .deleteCookies("remember-me")
                .logoutSuccessUrl("/")
                .permitAll();

        // No key is configured, so the remember-me signing key is presumably
        // generated per startup — cookies would not survive a restart or be
        // shared across instances; confirm against the Spring Security version used.
        http.rememberMe();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }
}