Guys, the code below is a Spring Security web adapter. I do not like the configure(HttpSecurity) method that generates the security confirmation policy. Any ideas on how to make it more readable and clear?

    import javax.servlet.http.HttpServletRequest;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.security.web.util.matcher.RegexRequestMatcher;
    import org.springframework.security.web.util.matcher.RequestMatcher;

    /**
     * Spring security configuration
     *
     * @author Eugene Ustimenko
     * @date Nov 5, 2014
     */
    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        @Qualifier("loginService")
        private ILoginService loginService;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {

            auth.userDetailsService(loginService).passwordEncoder(passwordEncoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            // Only requests matched here are subject to CSRF token checks
            final RequestMatcher csrfRequestMatcher = new RequestMatcher() {

                private RegexRequestMatcher requestMatcher = new RegexRequestMatcher("/login/*", null);

                @Override
                public boolean matches(HttpServletRequest request) {

                    return requestMatcher.matches(request);
                }
            };

            http.csrf()
                .requireCsrfProtectionMatcher(csrfRequestMatcher)
                .and().authorizeRequests().antMatchers("/admin/**").access("hasRole('ADMIN')")
                .and()
                .formLogin().loginPage("/login").failureUrl("/login?error")
                .usernameParameter("username").passwordParameter("password")
                .and()
                .logout().logoutSuccessUrl("/")
                .and()
                .csrf()
                .and()
                .exceptionHandling().accessDeniedPage("/403");
        }

        @Bean
        public PasswordEncoder passwordEncoder() {

            final PasswordEncoder encoder = new BCryptPasswordEncoder();
            return encoder;
        }

        @Bean(name = "auth")
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {

            return super.authenticationManagerBean();
        }
    }

1 Answer

You don't need to build this as one line. You could try splitting it out into multiple lines and add some comments to describe what you are doing.

I think the below example does what you want.

  • I have removed the anonymous RequestMatcher class. RegexRequestMatcher implements the RequestMatcher interface.
  • I have removed the second csrf() method call as it isn't needed.

@Override
protected void configure(final HttpSecurity http) throws Exception {

    // Enable csrf for login form
    http.csrf().requireCsrfProtectionMatcher(new RegexRequestMatcher("/login/*", null));
    // Configure login page
    http.formLogin().loginPage("/login").failureUrl("/login?error").usernameParameter("username").passwordParameter("password");
    // Configure logout redirect
    http.logout().logoutSuccessUrl("/");
    // Ensure admin pages have correct role
    http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN");
    // Configure access denied exception redirect
    http.exceptionHandling().accessDeniedPage("/403");

}
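One point neither the question nor the answer addresses is what `requireCsrfProtectionMatcher` actually does: it replaces Spring Security's default matcher (which checks every request except GET, HEAD, TRACE and OPTIONS) with the one you supply, so with `new RegexRequestMatcher("/login/*", null)` only a request whose full path is `/login` (with optional trailing slashes) is checked for a CSRF token, and a POST to anything under `/admin/**` is not. The example below is added here and is not code from the question or the answer; it keeps the answer's one-statement-per-concern layout but leaves CSRF at its default scope. The `ignoringAntMatchers` call mentioned in the comment exists from Spring Security 4.0 onward and is only noted as the right tool if a path genuinely needs an exemption.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: the same policy as the question, with CSRF protection
 * applied to every state-changing request rather than only to /login.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {

        // CSRF is enabled by default in the Java config and already applies to
        // every non-safe HTTP method, so no matcher override is needed. The
        // question's RegexRequestMatcher("/login/*", null) would narrow the
        // protection to the login POST alone and leave /admin/** forms unchecked.
        // If a single path must be exempt (for example a token-authenticated API
        // that sends no session cookie), narrow the exemption instead:
        //     http.csrf().ignoringAntMatchers("/api/**");   // Spring Security 4.0+
        http.csrf();

        // Only ADMIN may reach /admin/**. hasRole("ADMIN") checks the
        // ROLE_ADMIN authority; from Spring Security 4.0 the SpEL form
        // access("hasRole('ADMIN')") used in the question prefixes ROLE_ as well,
        // so the two are equivalent there.
        http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN");

        // Custom login page; failures return to the same page with ?error
        http.formLogin().loginPage("/login").failureUrl("/login?error")
            .usernameParameter("username").passwordParameter("password");

        // Logout returns to the site root
        http.logout().logoutSuccessUrl("/");

        // Authenticated users lacking the role land on /403
        http.exceptionHandling().accessDeniedPage("/403");
    }
}
```

A quick way to confirm the difference in either version of the configuration is to POST to an `/admin/**` endpoint without the `_csrf` token: with the default matcher the request is rejected with 403, with the narrowed matcher from the question it is accepted.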