update spring security config

2024-09-20 07:16:26 +08:00 · 2022-11-01 23:05:45 +01:00 · 2022-11-01 23:05:45 +01:00 · 8360ae9f02
parent 41bc10b68d
commit 8360ae9f02
1 changed files with 19 additions and 5 deletions
--- a/src/main/java/org/araymond/joal/web/config/security/WebSecurityConfig.java
+++ b/src/main/java/org/araymond/joal/web/config/security/WebSecurityConfig.java
@ -2,17 +2,23 @@ package org.araymond.joal.web.config.security;

 import org.araymond.joal.web.annotations.ConditionalOnWebUi;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.SecurityFilterChain;

 /**
 * Created by raymo on 29/07/2017.
 */
@ConditionalOnWebUi
+@EnableWebSecurity
@Configuration
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
    private final String pathPrefix;
    private final boolean shouldDisableFrameOptions;

@ -24,19 +30,27 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        this.shouldDisableFrameOptions = shouldDisableFrameOptions;
    }

-    @Override
-    protected void configure(final HttpSecurity http) throws Exception {
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        if (this.shouldDisableFrameOptions) {
            http.headers().frameOptions().disable();
        }

-        http
+        return http
                .httpBasic().disable()
+                .formLogin().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                .antMatchers("/" + this.pathPrefix).permitAll()
                .antMatchers("/" + this.pathPrefix + "/ui/**").permitAll()
-                .anyRequest().denyAll();
+                .anyRequest().denyAll()
+                .and().build();
+    }
+
+    // Provide an empty UserDetailService to prevent spring from injecting a default one with a valid random password.
+    @Bean
+    public InMemoryUserDetailsManager userDetailsService() {
+        return new InMemoryUserDetailsManager();
    }

 }