From: elgekko Date: Mon, 22 May 2023 20:27:40 +0000 (+0200) Subject: Spring security added (disabled) X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=1303ad593a5a53b44d46dc0d780453548ca8135e;p=sly-crm.git Spring security added (disabled) --- diff --git a/KB.md b/KB.md index 7bd7e77..62aa230 100644 --- a/KB.md +++ b/KB.md @@ -53,6 +53,12 @@ https://www.zkoss.org/javadoc/8.5.0/jsdoc/index.html?zk/Widget.html http://books.zkoss.org/zk-mvvm-book/8.0/index.html https://www.zkoss.org/documentation#References +##### Spring ZK Security + +https://www.zkoss.org/wiki/ZK_Spring_Essentials/Working_with_ZK_Spring/Working_with_ZK_Spring_Security/Secure_a_ZK_Application_with_Spring_Security +https://www.zkoss.org/wiki/ZK_Spring_Essentials/Working_with_ZK_Spring/Working_with_ZK_Spring_Security/Add_Security_in_the_View_Layer +(To enable remove @SpringBootApplication with exludes and @ComponentScan) + ##### ZK Style https://www.zkoss.org/wiki/ZK_Developer's_Reference/Theming_and_Styling/ZK_Official_Themes diff --git a/lis-app/src/main/java/hu/user/lis/app/Main.java b/lis-app/src/main/java/hu/user/lis/app/Main.java index f4eb029..d170059 100644 --- a/lis-app/src/main/java/hu/user/lis/app/Main.java +++ b/lis-app/src/main/java/hu/user/lis/app/Main.java @@ -5,6 +5,7 @@ package hu.user.lis.app; +import hu.user.lis.ui.config.WebSecurityConfig; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.springframework.boot.SpringApplication; @@ -13,11 +14,19 @@ import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.boot.web.servlet.support.SpringBootServletInitializer; import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationListener; +import org.springframework.context.annotation.ComponentScan; +import org.springframework.context.annotation.FilterType; import org.springframework.context.event.ContextRefreshedEvent; import org.springframework.core.SpringVersion; import org.springframework.web.servlet.config.annotation.EnableWebMvc; -@SpringBootApplication(scanBasePackages = {"hu.user.lis"}) +//@SpringBootApplication(scanBasePackages = {"hu.user.lis"}) +@SpringBootApplication(exclude = { + org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class, + org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration.class} +) +@ComponentScan(basePackages = {"hu.user.lis"}, excludeFilters = { + @ComponentScan.Filter(type = FilterType.ASSIGNABLE_TYPE, value = WebSecurityConfig.class)}) @EnableWebMvc public class Main extends SpringBootServletInitializer implements ApplicationListener { @@ -32,19 +41,18 @@ public class Main extends SpringBootServletInitializer implements ApplicationLis // AnsiConsole.systemUninstall(); } - @Override - protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) { - logger.info("Starting configure"); - return builder.sources(Main.class); - } - - private static void dumpComponents(ApplicationContext applicationContext) { for (String beanName : applicationContext.getBeanDefinitionNames()) { logger.info("Found {}", beanName); } } + @Override + protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) { + logger.info("Starting configure"); + return builder.sources(Main.class); + } + @Override public void onApplicationEvent(ContextRefreshedEvent contextRefreshedEvent) { logger.info("Context refreshed"); diff --git a/lis-ui/pom.xml b/lis-ui/pom.xml index 6a6d746..904dc3f 100644 --- a/lis-ui/pom.xml +++ b/lis-ui/pom.xml @@ -26,6 +26,10 @@ org.springframework.boot spring-boot-starter-web + + org.springframework.boot + spring-boot-starter-security + org.javassist javassist diff --git a/lis-ui/src/main/java/hu/user/lis/ui/config/WebSecurityConfig.java b/lis-ui/src/main/java/hu/user/lis/ui/config/WebSecurityConfig.java new file mode 100644 index 0000000..45d38a4 --- /dev/null +++ b/lis-ui/src/main/java/hu/user/lis/ui/config/WebSecurityConfig.java @@ -0,0 +1,64 @@ +package hu.user.lis.ui.config; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.http.HttpMethod; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; + +/** + * This is an example of minimal configuration for ZK + Spring Security, we open as less access as possible to run a ZK-based application. + * Please understand the configuration and modify it upon your requirement. + */ +@Configuration +@EnableWebSecurity +public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + private static final String ZUL_FILES = "/zkau/web/**/*.zul"; + private static final String ZK_RESOURCES = "/zkres/**"; + // allow desktop cleanup after logout or when reloading login page + private static final String REMOVE_DESKTOP_REGEX = "/zkau\\?dtid=.*&cmd_0=rmDesktop&.*"; + + @Override + protected void configure(HttpSecurity http) throws Exception { + // you need to disable spring CSRF to make ZK AU pass security filter + // ZK already sends a AJAX request with a built-in CSRF token, + // please refer to https://www.zkoss.org/wiki/ZK%20Developer's%20Reference/Security%20Tips/Cross-site%20Request%20Forgery + http.csrf().disable(); + http.authorizeRequests() + .antMatchers(ZUL_FILES).denyAll() // block direct access to zul under class path web resource folder + .antMatchers(HttpMethod.GET, ZK_RESOURCES).permitAll() // allow zk resources + .regexMatchers(HttpMethod.GET, REMOVE_DESKTOP_REGEX).permitAll() // allow desktop cleanup + .requestMatchers(req -> "rmDesktop".equals(req.getParameter("cmd_0"))).permitAll() // allow desktop cleanup from ZATS + .mvcMatchers("/", "/login", "/logout").permitAll() //permit the URL for login and logout + .mvcMatchers("/secure").hasRole("USER") + .anyRequest().authenticated() //enforce all requests to be authenticated + .and() + .formLogin() + .loginPage("/login").defaultSuccessUrl("/secure/main") + .and() + .logout().logoutUrl("/logout").logoutSuccessUrl("/"); + } + + /** + * Creates an {@link InMemoryUserDetailsManager} for demo/testing purposes only. DON'T use this in production, see: {@link User#withUserDetails}! + * + * @return userDetailsService + */ + @Bean + @Override + public UserDetailsService userDetailsService() { + UserDetails user = + User.withDefaultPasswordEncoder() + .username("user") + .password("password") + .roles("USER") + .build(); + + return new InMemoryUserDetailsManager(user); + } +} \ No newline at end of file diff --git a/lis-ui/src/main/resources/web/login.zul b/lis-ui/src/main/resources/web/login.zul new file mode 100644 index 0000000..0134778 --- /dev/null +++ b/lis-ui/src/main/resources/web/login.zul @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + +