It sort of works. If I go to the actuator I get the HTTP basic auth; if I
then, in the same session, go to my pages, I get an "ugly" access denied page and
not the configured Wicket login page. So it sort of works..
If I just go to localhost:8080/ I get the default Spring login page, not the
Wicket one.. Upon successful login it forwards me to the Wicket login page,
where I can log in again and then get to the real application..
Below is my current code:
package dk.netdesign.ccadmin.frontend.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Component;

// Note: this outer class itself extends WebSecurityConfigurerAdapter without an
// antMatcher() and without overriding configure(HttpSecurity). Spring Security
// therefore registers a third filter chain at the adapter's default order (100)
// that applies the default rules (anyRequest().authenticated(), formLogin(),
// httpBasic()) to every request the two nested chains below do not match.
@Configuration
public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {

    // Chain 1: actuator endpoints, HTTP Basic, no session.
    @Configuration
    @Order(1)
    public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/actuator/**").authorizeRequests()
                    .anyRequest().hasRole("ACTUATOR")   // requires the authority ROLE_ACTUATOR
                .and().csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().httpBasic();
        }
    }

    // Chain 2: Wicket pages, form login rendered by the Wicket login page.
    @Configuration
    @Order(2)
    public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/page/**").authorizeRequests()
                    .antMatchers("/page/login**").permitAll()
                    .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")  // plain authorities, no ROLE_ prefix
                .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
                .and().csrf().disable();
        }
    }

    @Bean
    public static BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean(name = "authenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    public interface IAuthenticationFacade {
        Authentication getAuthentication();
    }

    @Component
    public static class AuthenticationFacade implements IAuthenticationFacade {
        @Override
        public Authentication getAuthentication() {
            return SecurityContextHolder.getContext().getAuthentication();
        }
    }

    // Single in-memory user store; picked up as the global UserDetailsService for all chains.
    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("admin")
                .password(passwordEncoder().encode("admin"))
                .authorities("USER", "ADMIN")   // matches hasAnyAuthority("USER", "ADMIN")
                .build());
        manager.createUser(User.withUsername("actuator")
                .password(passwordEncoder().encode("actuator"))
                .roles("ACTUATOR")              // stored as ROLE_ACTUATOR, matches hasRole("ACTUATOR")
                .build());
        return manager;
    }
}
On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
[email protected]> wrote:
> Thanks will try it:)
>
> On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <[email protected]>
> wrote:
>
>> In my case it works something like this:
>>
>> @Configuration
>> @EnableWebSecurity
>> public class SecurityConfiguration {
>>
>>     @Configuration
>>     @Order(1)
>>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
>>
>>         .. user details service, auth providers etc
>>
>>         @Override
>>         protected void configure(HttpSecurity http) throws Exception {
>>             http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
>>                 .and().csrf().disable()
>>                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>>                 .and().httpBasic();
>>         }
>>     }
>>
>>     @Configuration
>>     @Order(2)
>>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
>>
>>         .. user details service, auth providers etc
>>
>>         @Override
>>         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
>>             auth.authenticationProvider(wicketAuthenticationProvider);
>>         }
>>
>>         @Override
>>         protected void configure(HttpSecurity http) throws Exception {
>>             http.antMatcher("/page/**").authorizeRequests()
>>                 .antMatchers("/page/login**").permitAll()
>>                 .antMatchers("/page/**").hasRole("ROLE")
>>                 .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
>>                 .and().csrf().disable();
>>         }
>>
>>         @Override
>>         @Bean(name = "authenticationManager")
>>         public AuthenticationManager authenticationManagerBean() throws Exception {
>>             return super.authenticationManagerBean();
>>         }
>>     }
>> }
>>
>> The RestSecurityConfig would be what you would do for actuators; for me
>> that's the REST API.
>> Note the order of "antMatcher", "authorizeRequests" and "antMatchers".
>>
>> Zbynek
>>
>> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
>> [email protected]> wrote:
>>
>> > do you have an example? OR is it just to cut them into two like:
>> > WebSecurityConfigurerAdapter A:
>> >
>> >     http.authorizeRequests().antMatchers("/actuator/**", "/actuator").hasRole("ACTUATOR")
>> >         .and().httpBasic();
>> >
>> > WebSecurityConfigurerAdapter B:
>> >
>> >     http
>> >         .csrf().disable()
>> >         .authorizeRequests().anyRequest().permitAll()
>> >         .and()
>> >         .logout()
>> >         .permitAll();
>> >     http.headers().frameOptions().disable();
>> >
>> >
>> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <[email protected]>
>> > wrote:
>> >
>> > > Hi,
>> > >
>> > > I did a similar thing; the trick here is to use two
>> > > WebSecurityConfigurerAdapters.
>> > >
>> > > Zbynek
>> > >
>> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
>> > > [email protected]> wrote:
>> > >
>> > > > Hope its okay to use the wicket user mailing list for this:)
>> > > >
>> > > > First of all thanks to MarcGiffing for making the project. But I cannot
>> > > > get actuator endpoints to work with Spring Security and wicket spring
>> > > > boot.. I've tried a lot of things..
>> > > >
>> > > > In my WebSecurityConfigurerAdapter:
>> > > >
>> > > >     http.authorizeRequests().antMatchers("/actuator/**", "/actuator").hasRole("ACTUATOR")
>> > > >         .and().httpBasic();
>> > > >
>> > > >     http
>> > > >         .csrf().disable()
>> > > >         .authorizeRequests().anyRequest().permitAll()
>> > > >         .and()
>> > > >         .logout()
>> > > >         .permitAll();
>> > > >     http.headers().frameOptions().disable();
>> > > >
>> > > > But that just disables actuator and messes with the Wicket side of the
>> > > > security.. Anyone have some clues?
>> > > >
>> > > > --
>> > > > Best regards / Med venlig hilsen
>> > > > Nino Martinez
>> > > >
>> > >
>> >
>> >
>> > --
>> > Best regards / Med venlig hilsen
>> > Nino Martinez
>> >
>>
>
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>
--
Best regards / Med venlig hilsen
Nino Martinez
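The configuration below is an added example, not code from either poster or from wicket-spring-boot. It writes out the three-chain layout this thread converges on against the Spring Security 5.1-era WebSecurityConfigurerAdapter API used throughout the thread (that adapter was deprecated in Spring Security 5.7). The part the posted configs leave implicit is the third chain: an adapter with no antMatcher() and no configure(HttpSecurity) override contributes Spring Security's default chain (anyRequest().authenticated() plus formLogin() plus httpBasic()) at order 100, which is what serves a default login page for "/". Assumptions in the example: the package name example.security, the class names, the public paths "/" and "/wicket/resource/**" in the catch-all chain, and the placeholder passwords.

```java
package example.security;  // assumed package; use your own

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/*
 * Three filter chains, tried in @Order until one chain's antMatcher() matches.
 * The outer class is a plain @Configuration and deliberately does NOT extend
 * WebSecurityConfigurerAdapter: an adapter with no antMatcher() and no
 * configure(HttpSecurity) override installs Spring Security's default chain
 * (anyRequest().authenticated() + formLogin() + httpBasic()) at order 100,
 * which is what serves a default /login page for "/".
 */
@Configuration
@EnableWebSecurity
public class SplitChainSecurityConfig {

    // Chain 1: actuator only. HTTP Basic, no session, no CSRF (no browser form is involved).
    @Configuration
    @Order(1)
    public static class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/actuator/**")            // antMatcher() first: it scopes the whole chain
                .authorizeRequests()
                    .anyRequest().hasRole("ACTUATOR")  // needs the authority "ROLE_ACTUATOR"
                .and().sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().csrf().disable()
                .httpBasic();
        }
    }

    // Chain 2: Wicket pages. Spring only decides access; Wicket renders and processes the login form.
    @Configuration
    @Order(2)
    public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/page/**")
                .authorizeRequests()
                    .antMatchers("/page/login**").permitAll()
                    .anyRequest().hasAnyAuthority("USER", "ADMIN")  // plain authorities, no ROLE_ prefix
                .and().formLogin()
                    .loginPage("/page/login")          // unauthenticated requests are redirected here
                    .loginProcessingUrl("/fake-url")   // Spring's login filter never sees the Wicket form POST
                .and().csrf().disable();               // Spring's token is not in Wicket forms; register
                                                       // Wicket's CsrfPreventionRequestCycleListener instead
        }
    }

    // Chain 3: everything the first two chains did not claim. Written out explicitly so the
    // implicit default chain (and its default login page) never appears.
    @Configuration
    @Order(3)
    public static class CatchAllSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/", "/wicket/resource/**").permitAll()  // assumed public paths
                    .anyRequest().denyAll();                             // default deny for anything unlisted
        }
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // One user store for all chains: a single UserDetailsService bean feeds the global
    // AuthenticationManager, and each adapter's own manager delegates to that parent.
    // Credentials are placeholders for the example.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager();
        users.createUser(User.withUsername("admin")
                .password(encoder.encode("change-me"))
                .authorities("USER", "ADMIN")   // matched by hasAnyAuthority("USER", "ADMIN")
                .build());
        users.createUser(User.withUsername("actuator")
                .password(encoder.encode("change-me-too"))
                .roles("ACTUATOR")              // stored as ROLE_ACTUATOR, matched by hasRole("ACTUATOR")
                .build());
        return users;
    }
}
```

Three requests show whether the chains line up as intended: a Basic-authenticated GET of /actuator/health as "actuator" is a 200; the same request as "admin" is a 403, because admin holds the authorities USER and ADMIN but not ROLE_ACTUATOR; and an unauthenticated GET of any /page/... URL other than the login page is a 302 to /page/login rather than to a Spring-generated /login. Keep the second chain's hasAnyAuthority() and the user store's authorities() consistent with each other: hasRole("X") silently prepends ROLE_, hasAnyAuthority() does not, and mixing the two is a common way to end up with an access-denied page for a user who did log in.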