Class WebSecurityConfiguration

java.lang.Object
org.dspace.app.rest.security.WebSecurityConfiguration

@EnableWebSecurity @Configuration @EnableConfigurationProperties(org.springframework.boot.autoconfigure.security.SecurityProperties.class) public class WebSecurityConfiguration extends Object
Spring Security configuration for DSpace Server Webapp
Author:
Frederic Van Reet (frederic dot vanreet at atmire dot com), Tom Desair (tom dot desair at atmire dot com)
  • Field Details

  • Constructor Details

    • WebSecurityConfiguration

      public WebSecurityConfiguration()
  • Method Details

    • authenticationManager

      @Bean public AuthenticationManager authenticationManager()
      Create a Spring Security AuthenticationManager with our custom AuthenticationProvider
      Returns:
      AuthenticationManager
    • filterChain

      @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception
      Bean to customize security on specific endpoints
      Parameters:
      http - HttpSecurity
      Throws:
      Exception
    • csrfTokenRepository

      @Lazy @Bean public CsrfTokenRepository csrfTokenRepository()
      Returns a custom DSpaceCsrfTokenRepository based on Spring Security's CookieCsrfTokenRepository, which is designed for Angular Apps.

      The DSpaceCsrfTokenRepository stores the token in a server-side cookie (for later verification), but sends it to the client as a DSPACE-XSRF-TOKEN header. The client is expected to return the token in either a header named X-XSRF-TOKEN *or* a URL parameter named "_csrf", at which point it is validated against the server-side cookie.

      This behavior is based on the defaults for Angular apps: https://angular.io/guide/http#security-xsrf-protection. However, instead of sending an XSRF-TOKEN Cookie (as is usual for Angular apps), we send the DSPACE-XSRF-TOKEN header, as this ensures the Angular app can receive the token even if it is on a different domain.

      Returns:
      CsrfTokenRepository as described above
    • dSpaceCsrfAuthenticationStrategy

      @Lazy @Bean public DSpaceCsrfAuthenticationStrategy dSpaceCsrfAuthenticationStrategy()
      Returns a custom DSpaceCsrfAuthenticationStrategy, which ensures that (after authenticating) the CSRF token is only refreshed when it is used (or attempted to be used) by the client. This is defined as a bean so that it can also be used in other code to reset CSRF tokens (see JWTTokenRestAuthenticationServiceImpl).