82 lines
3.4 KiB
Java
82 lines
3.4 KiB
Java
/*
|
|
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
|
|
*
|
|
* Copyright (c) 2002 - 2019 Bruce Mayhew
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
|
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
|
* License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
|
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along with this program; if
|
|
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
|
* 02111-1307, USA.
|
|
*
|
|
* Getting Source ==============
|
|
*
|
|
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
|
*/
|
|
package org.owasp.webgoat.webwolf;
|
|
|
|
import lombok.AllArgsConstructor;
|
|
import org.owasp.webgoat.webwolf.user.UserService;
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
import org.springframework.context.annotation.Bean;
|
|
import org.springframework.context.annotation.Configuration;
|
|
import org.springframework.http.HttpMethod;
|
|
import org.springframework.security.authentication.AuthenticationManager;
|
|
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
|
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
import org.springframework.security.core.userdetails.UserDetailsService;
|
|
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
|
|
import org.springframework.security.web.SecurityFilterChain;
|
|
|
|
/** Security configuration for WebWolf. */
|
|
@Configuration
|
|
@AllArgsConstructor
|
|
@EnableWebSecurity
|
|
public class WebSecurityConfig {
|
|
|
|
private final UserService userDetailsService;
|
|
|
|
@Bean
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
http.authorizeHttpRequests(
|
|
auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
|
|
http.authorizeHttpRequests(
|
|
auth ->
|
|
auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
|
|
http.authorizeHttpRequests().anyRequest().permitAll();
|
|
http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
|
|
http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
|
|
http.logout().permitAll();
|
|
return http.build();
|
|
}
|
|
|
|
@Autowired
|
|
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
|
|
auth.userDetailsService(userDetailsService);
|
|
}
|
|
|
|
@Bean
|
|
public UserDetailsService userDetailsServiceBean() {
|
|
return userDetailsService;
|
|
}
|
|
|
|
@Bean
|
|
public AuthenticationManager authenticationManager(
|
|
AuthenticationConfiguration authenticationConfiguration) throws Exception {
|
|
return authenticationConfiguration.getAuthenticationManager();
|
|
}
|
|
|
|
@Bean
|
|
public NoOpPasswordEncoder passwordEncoder() {
|
|
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
|
|
}
|
|
}
|