Class WebSecurityConfiguration

java.lang.Object
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
org.dspace.app.rest.security.WebSecurityConfiguration
All Implemented Interfaces:
org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>, org.springframework.security.config.annotation.web.WebSecurityConfigurer<org.springframework.security.config.annotation.web.builders.WebSecurity>

@EnableWebSecurity @Configuration @EnableConfigurationProperties(org.springframework.boot.autoconfigure.security.SecurityProperties.class) @EnableGlobalMethodSecurity(prePostEnabled=true) public class WebSecurityConfiguration extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
Spring Security configuration for DSpace Server Webapp
Author:
Frederic Van Reet (frederic dot vanreet at atmire dot com), Tom Desair (tom dot desair at atmire dot com)
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
     
    static final String
     
    static final String
     
  • Constructor Summary

    Constructors
    Constructor
    Description
     
  • Method Summary

    Modifier and Type
    Method
    Description
    protected void
    configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
     
    protected void
    configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
     
    void
    configure(org.springframework.security.config.annotation.web.builders.WebSecurity webSecurity)
     
    org.springframework.security.web.csrf.CsrfTokenRepository
    csrfTokenRepository()
    Returns a custom DSpaceCsrfTokenRepository based on Spring Security's CookieCsrfTokenRepository, which is designed for Angular Apps.

    Methods inherited from class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

    authenticationManager, authenticationManagerBean, getApplicationContext, getHttp, init, setApplicationContext, setAuthenticationConfiguration, setContentNegotationStrategy, setObjectPostProcessor, setTrustResolver, userDetailsService, userDetailsServiceBean

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

  • Constructor Details

    • WebSecurityConfiguration

      public WebSecurityConfiguration()
  • Method Details

    • configure

      public void configure(org.springframework.security.config.annotation.web.builders.WebSecurity webSecurity) throws Exception
      Specified by:
      configure in interface org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>
      Overrides:
      configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
      Throws:
      Exception
    • configure

      protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Overrides:
      configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
      Throws:
      Exception
    • configure

      protected void configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth) throws Exception
      Overrides:
      configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
      Throws:
      Exception
    • csrfTokenRepository

      @Lazy @Bean public org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository()
      Returns a custom DSpaceCsrfTokenRepository based on Spring Security's CookieCsrfTokenRepository, which is designed for Angular Apps.

      The DSpaceCsrfTokenRepository stores the token in a server-side cookie (for later verification), but sends it to the client as a DSPACE-XSRF-TOKEN header. The client is expected to return the token in either a header named X-XSRF-TOKEN *or* a URL parameter named "_csrf", at which point it is validated against the server-side cookie.

      This behavior is based on the defaults for Angular apps: https://angular.io/guide/http#security-xsrf-protection. However, instead of sending an XSRF-TOKEN cookie (as is usual for Angular apps), we send the DSPACE-XSRF-TOKEN header, as this ensures the Angular app can receive the token even if it is on a different domain.

      Returns:
      CsrfTokenRepository as described above
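
      The exchange described for csrfTokenRepository, modelled in plain JavaScript as an added example (not DSpace or Spring code). The cookie name EXAMPLE-CSRF-COOKIE, the request/response object shapes and the header-before-parameter lookup order are assumptions of this sketch; the header and parameter names come from the description above.

```javascript
// Added illustration: in-memory model of the token exchange, not DSpace code.
const crypto = require("crypto");

const COOKIE_NAME = "EXAMPLE-CSRF-COOKIE";   // hypothetical; the page does not name the cookie
const RESPONSE_HEADER = "dspace-xsrf-token"; // server -> client (from the page)
const REQUEST_HEADER = "x-xsrf-token";       // client -> server (from the page)
const REQUEST_PARAM = "_csrf";               // alternative URL parameter (from the page)

// Server: mint a token, keep one copy in a cookie, expose one copy in a header.
function issueToken() {
  const token = crypto.randomBytes(16).toString("hex");
  return { cookies: { [COOKIE_NAME]: token }, headers: { [RESPONSE_HEADER]: token } };
}

// Compare without leaking the position of the first differing byte.
function constantTimeEquals(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Server: accept a request only if the echoed value matches the cookie copy.
function validateRequest(req) {
  const expected = req.cookies[COOKIE_NAME];
  const actual = req.headers[REQUEST_HEADER] ?? req.query[REQUEST_PARAM];
  if (!expected || !actual) return false;
  return constantTimeEquals(expected, actual);
}

// Client: the cookie travels automatically; the token from the response
// header has to be copied into the next request by the application itself.
function buildClientRequest(response, { echoToken = true, viaParam = false } = {}) {
  const token = response.headers[RESPONSE_HEADER];
  const req = { cookies: { ...response.cookies }, headers: {}, query: {} };
  if (echoToken && viaParam) req.query[REQUEST_PARAM] = token;
  else if (echoToken) req.headers[REQUEST_HEADER] = token;
  return req;
}

// Constructed cases: two legitimate echoes, a cookie-only request, a stale token.
function demo() {
  const res = issueToken();
  return {
    header: validateRequest(buildClientRequest(res)),
    param: validateRequest(buildClientRequest(res, { viaParam: true })),
    cookieOnly: validateRequest(buildClientRequest(res, { echoToken: false })),
    mismatch: validateRequest({ ...buildClientRequest(res), headers: { [REQUEST_HEADER]: "stale" } }),
  };
}
```

      The cookie-only case is the one the design exists to reject: a request that carries the cookie but cannot read the DSPACE-XSRF-TOKEN header has nothing to echo back.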