wip

psi-probe-core/src/main/java/psiprobe/ProbeConfig.java

@@ -36,6 +36,7 @@
 import org.springframework.web.servlet.ViewResolver;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;
 import org.springframework.web.servlet.i18n.CookieLocaleResolver;
@@ -360,6 +361,11 @@ public void addInterceptors(InterceptorRegistry registry) {
     registry.addInterceptor(getLocaleChangeInterceptor());
   }
 
+  @Override
+  public void addResourceHandlers(ResourceHandlerRegistry registry) {
+    registry.addResourceHandler("/webjars/**").addResourceLocations("/webjars/");
+  }
+
   /**
    * Gets the locale change interceptor.
    *

psi-probe-core/src/main/java/psiprobe/ProbeSecurityConfig.java

@@ -21,6 +21,8 @@
 import java.util.List;
 import java.util.TreeMap;
 
+import javax.servlet.http.HttpServletRequest;
+
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.AccessDecisionVoter;
@@ -30,12 +32,17 @@
 import org.springframework.security.access.vote.RoleVoter;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.ExceptionTranslationFilter;
+import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
@@ -47,6 +54,7 @@
 import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -59,6 +67,22 @@
 @EnableWebSecurity
 public class ProbeSecurityConfig {
 
+  /**
+   * Gets the security filter chain.
+   *
+   * @param http the http
+   * @return the security filter chain
+   * @throws Exception the exception
+   */
+  @Bean(name = "securityFilterChain")
+  public SecurityFilterChain getSecurityFilterChain(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests().requestMatchers("/webjars/**").permitAll().requestMatchers("/**")
+        .permitAll().and().addFilter(getSecurityContextPersistenceFilter())
+        .addFilter(getJ2eePreAuthenticatedProcessingFilter()).addFilter(getLogoutFilter())
+        .addFilter(getExceptionTranslationFilter()).addFilter(getAuthorizationFilter());
+    return http.build();
+  }
+
   /**
    * Gets the filter chain proxy.
    *
@@ -94,6 +118,7 @@ public SecurityContextPersistenceFilter getSecurityContextPersistenceFilter() {
     return new SecurityContextPersistenceFilter();
   }
 
+
   /**
    * Gets the pre authenticated authentication provider.
    *
@@ -213,12 +238,12 @@ public ExceptionTranslationFilter getExceptionTranslationFilter() {
    *
    * @return the affirmative based
    */
-  @Bean(name = "affirmativeBased")
-  public AffirmativeBased getAffirmativeBased() {
-    List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList<>();
-    decisionVoters.add(getRoleVoter());
+  @Bean(name = "authorizationManager")
+  public AuthorizationManager<HttpServletRequest> getAuthorizationManager() {
+    List<AuthorizationManager<HttpServletRequest>> decisionVoters = new ArrayList<>();
+    decisionVoters.add(getAuthorityAuthorizationManager());
 
-    AffirmativeBased based = new AffirmativeBased(decisionVoters);
+    AuthorizationDecision based = new AuthorizationDecision(decisionVoters);
     based.setAllowIfAllAbstainDecisions(false);
     return based;
   }
@@ -228,9 +253,9 @@ public AffirmativeBased getAffirmativeBased() {
    *
    * @return the filter security interceptor
    */
-  @Bean(name = "filterSecurityInterceptor")
-  public FilterSecurityInterceptor getFilterSecurityInterceptor() {
-    FilterSecurityInterceptor interceptor = new FilterSecurityInterceptor();
+  @Bean(name = "authorizationFilter")
+  public AuthorizationFilter getAuthorizationFilter() {
+    AuthorizationFilter interceptor = new AuthorizationFilter(getAuthorizationManager());
     interceptor.setAuthenticationManager(getProviderManager());
     interceptor.setAccessDecisionManager(getAffirmativeBased());
 
@@ -258,9 +283,9 @@ public FilterSecurityInterceptor getFilterSecurityInterceptor() {
    *
    * @return the role voter
    */
-  @Bean(name = "roleVoter")
-  public RoleVoter getRoleVoter() {
-    return new RoleVoter();
+  @Bean(name = "authorityAuthorizationManager")
+  public AuthorityAuthorizationManager<HttpServletRequest> getAuthorityAuthorizationManager() {
+    return new AuthorityAuthorizationManager();
   }
 
   /**