work

Author: thomaswoehlke

src/main/java/org/woehlke/java/simpleworklist/config/WebSecurityConfig.java

@@ -3,41 +3,23 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.io.support.SpringFactoriesLoader;
 import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
 import org.springframework.data.web.config.EnableSpringDataWebSupport;
 import org.springframework.scheduling.annotation.EnableAsync;
-import org.springframework.security.authentication.*;
+import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
-import org.springframework.security.config.annotation.ObjectPostProcessor;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
-//import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
-import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
-import org.springframework.web.accept.ContentNegotiationStrategy;
-import org.springframework.web.accept.HeaderContentNegotiationStrategy;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
-import org.woehlke.java.simpleworklist.domain.security.access.ApplicationUserDetailsService;
-
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
 
+import org.woehlke.java.simpleworklist.domain.security.access.ApplicationUserDetailsService;
 
 @Configuration
 @EnableAsync
@@ -51,6 +33,7 @@
     SimpleworklistProperties.class
 })
 @EnableWebSecurity
+@EnableMethodSecurity(securedEnabled = true)
 public class WebSecurityConfig /* extends WebSecurityConfigurerAdapter implements WebSecurityConfigurer<WebSecurity> */ {
 
     //private final AuthenticationManagerBuilder authenticationManagerBuilder;
@@ -255,8 +238,9 @@ public void configure(HttpSecurity builder) throws Exception {
 
     }
     */
+
     @Bean
-    public DaoAuthenticationProvider authenticationProvider(){
+    public AuthenticationProvider authenticationProvider(){
         DaoAuthenticationProvider d = new DaoAuthenticationProvider();
         d.setPasswordEncoder(encoder());
         d.setUserDetailsService(userDetailsService());
@@ -289,7 +273,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
             )
             .csrf()
             .and()
-            .logout((logout)->  logout
+            .logout((logout) ->  logout
                 .logoutUrl(simpleworklistProperties.getWebSecurity().getLogoutUrl())
                 .deleteCookies(simpleworklistProperties.getWebSecurity().getCookieNamesToClear())
                 .invalidateHttpSession(simpleworklistProperties.getWebSecurity().getInvalidateHttpSession())

src/main/java/org/woehlke/java/simpleworklist/domain/UserSelfserviceController.java

@@ -188,7 +188,8 @@ public String userPasswordStore(
                 return "user/selfservice/password";
             }
             if(!userAuthorizationService.confirmUserByLoginAndPassword(
-                user.getUserEmail(), userChangePasswordForm.getOldUserPassword())
+                user.getUserEmail(),
+                userChangePasswordForm.getOldUserPassword())
             ){
                 log.info("old Password is wrong");
                 String objectName = "userChangePasswordForm";

src/main/java/org/woehlke/java/simpleworklist/domain/db/user/accountpassword/UserAccountPasswordServiceImpl.java

@@ -3,6 +3,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -22,20 +23,26 @@ public class UserAccountPasswordServiceImpl implements UserAccountPasswordServic
 
     private final UserAccountRepository userAccountRepository;
     private final PasswordEncoder encoder;
-    private final AuthenticationManager authenticationManager;
+    //private final AuthenticationManager authenticationManager;
+    private final AuthenticationProvider authenticationProvider;
 
     @Autowired
-    public UserAccountPasswordServiceImpl(UserAccountRepository userAccountRepository, AuthenticationManager authenticationManager) {
+    public UserAccountPasswordServiceImpl(
+        UserAccountRepository userAccountRepository,
+        //AuthenticationManager authenticationManager,
+        AuthenticationProvider authenticationProvider
+    ) {
         this.userAccountRepository = userAccountRepository;
+        this.authenticationProvider = authenticationProvider;
         int strength = 10;
         this.encoder = new BCryptPasswordEncoder(strength);
-        this.authenticationManager = authenticationManager;
+        //this.authenticationManager = authenticationManager;
     }
 
     @Override
     public UserDetails updatePassword(UserDetails user, String newPassword) {
         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword());
-        Authentication authenticationResult = authenticationManager.authenticate(token);
+        Authentication authenticationResult = authenticationProvider.authenticate(token);
         if (authenticationResult.isAuthenticated()) {
             UserAccount ua = userAccountRepository.findByUserEmail(user.getUsername());
             String pwEncoded = encoder.encode(newPassword);

src/main/java/org/woehlke/java/simpleworklist/domain/security/access/UserAuthorizationServiceImpl.java

@@ -2,7 +2,8 @@
 
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.authentication.AuthenticationManager;
+//import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@@ -21,16 +22,18 @@
 public class UserAuthorizationServiceImpl implements UserAuthorizationService {
 
     private final UserAccountRepository userAccountRepository;
-    private final AuthenticationManager authenticationManager;
+    //private final AuthenticationManager authenticationManager;
+    private final AuthenticationProvider authenticationProvider;
     private final PasswordEncoder encoder;
 
     @Autowired
     public UserAuthorizationServiceImpl(
         UserAccountRepository userAccountRepository,
-        AuthenticationManager authenticationManager
-    ) {
+        //AuthenticationManager authenticationManager
+        AuthenticationProvider authenticationProvider) {
         this.userAccountRepository = userAccountRepository;
-        this.authenticationManager = authenticationManager;
+        this.authenticationProvider = authenticationProvider;
+        //this.authenticationManager = authenticationManager;
         int strength = 10;
         this.encoder = new BCryptPasswordEncoder(strength);
     }
@@ -46,7 +49,7 @@ public void changeUsersPassword(
             user.getUserEmail(),
             userAccountFormBean.getOldUserPassword()
         );
-        Authentication authenticationResult = authenticationManager.authenticate(token);
+        Authentication authenticationResult = authenticationProvider.authenticate(token);
         if(authenticationResult.isAuthenticated()){
             UserAccount ua = userAccountRepository.findByUserEmail(user.getUserEmail());
             String pwEncoded = this.encoder.encode(userAccountFormBean.getUserPassword());
@@ -64,7 +67,7 @@ public boolean confirmUserByLoginAndPassword(
             userEmail,
             oldUserPassword
         );
-        Authentication authenticationResult = authenticationManager.authenticate(token);
+        Authentication authenticationResult = authenticationProvider.authenticate(token);
         String oldPwEncoded = this.encoder.encode(oldUserPassword);
         log.info(userEmail+", "+oldPwEncoded);
         return authenticationResult.isAuthenticated();