Package org.dspace.app.rest.security

Class WebSecurityConfiguration

java.lang.Object

org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

org.dspace.app.rest.security.WebSecurityConfiguration

All Implemented Interfaces:

org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>, org.springframework.security.config.annotation.web.WebSecurityConfigurer<org.springframework.security.config.annotation.web.builders.WebSecurity>

@EnableWebSecurity
@Configuration
@EnableConfigurationProperties(org.springframework.boot.autoconfigure.security.SecurityProperties.class)
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class WebSecurityConfiguration
extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Spring Security configuration for DSpace Server Webapp

Author:

Frederic Van Reet (frederic dot vanreet at atmire dot com), Tom Desair (tom dot desair at atmire dot com)

Field Summary

Fields

Modifier and Type	Field	Description
static String	ADMIN_GRANT
static String	ANONYMOUS_GRANT
static String	AUTHENTICATED_GRANT

Constructor Summary

Constructors

Constructor	Description
WebSecurityConfiguration()

Method Summary

Modifier and Type	Method	Description
protected void	configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
protected void	configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
void	configure(org.springframework.security.config.annotation.web.builders.WebSecurity webSecurity)
org.springframework.security.web.csrf.CsrfTokenRepository	getCsrfTokenRepository()	Returns a custom DSpaceCsrfTokenRepository based on Spring Security's CookieCsrfTokenRepository, which is designed for Angular Apps.

Methods inherited from class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

authenticationManager, authenticationManagerBean, getApplicationContext, getHttp, init, setApplicationContext, setAuthenticationConfiguration, setContentNegotationStrategy, setObjectPostProcessor, setTrustResolver, userDetailsService, userDetailsServiceBean

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ADMIN_GRANT

public static final String ADMIN_GRANT

See Also:

Constant Field Values

AUTHENTICATED_GRANT

public static final String AUTHENTICATED_GRANT

See Also:

Constant Field Values

ANONYMOUS_GRANT

public static final String ANONYMOUS_GRANT

See Also:

Constant Field Values

Constructor Detail

WebSecurityConfiguration

public WebSecurityConfiguration()

Method Detail

configure

public void configure(org.springframework.security.config.annotation.web.builders.WebSecurity webSecurity)
               throws Exception

Specified by:

configure in interface org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

configure

protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                  throws Exception

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

configure

protected void configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
                  throws Exception

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

getCsrfTokenRepository

public org.springframework.security.web.csrf.CsrfTokenRepository getCsrfTokenRepository()

Returns a custom DSpaceCsrfTokenRepository based on Spring Security's CookieCsrfTokenRepository, which is designed for Angular Apps.

The DSpaceCsrfTokenRepository stores the token in server-side cookie (for later verification), but sends it to the client as a DSPACE-XSRF-TOKEN header. The client is expected to return the token in either a header named X-XSRF-TOKEN *or* a URL parameter named "_csrf", at which point it is validated against the server-side cookie.

This behavior is based on the defaults for Angular apps: https://angular.io/guide/http#security-xsrf-protection. However, instead of sending an XSRF-TOKEN Cookie (as is usual for Angular apps), we send the DSPACE-XSRF-TOKEN header...as this ensures the Angular app can receive the token even if it is on a different domain.

Returns:

CsrfTokenRepository as described above