1123 - added support to 'stormpath.spring.security.enabled = false' introducing StormpathWebSecurityDisabledConfiguration

Author: Mario

extensions/spring/boot/stormpath-spring-security-spring-boot-starter/src/main/resources/META-INF/spring.factories

@@ -1,2 +1 @@
-org.springframework.boot.autoconfigure.EnableAutoConfiguration = com.stormpath.spring.boot.autoconfigure.StormpathSpringSecurityAutoConfiguration
-org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = com.stormpath.spring.config.StormpathWebSecurityConfigurer
+org.springframework.boot.autoconfigure.EnableAutoConfiguration = com.stormpath.spring.boot.autoconfigure.StormpathSpringSecurityAutoConfiguration

extensions/spring/boot/stormpath-spring-security-webmvc-spring-boot-starter/src/main/java/com/stormpath/spring/boot/autoconfigure/StormpathWebSecurityAutoConfiguration.java

@@ -21,7 +21,6 @@
 import com.stormpath.sdk.servlet.filter.account.AccountResolverFilter;
 import com.stormpath.sdk.servlet.mvc.ErrorModelFactory;
 import com.stormpath.spring.config.AbstractStormpathWebSecurityConfiguration;
-import com.stormpath.spring.config.StormpathWebSecurityConfigurer;
 import com.stormpath.spring.filter.ContentNegotiationSpringSecurityAuthenticationFilter;
 import com.stormpath.spring.filter.StormpathSecurityContextPersistenceFilter;
 import com.stormpath.spring.filter.StormpathWrapperFilter;
@@ -34,6 +33,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
@@ -72,9 +72,10 @@ public AuthenticationFailureHandler stormpathAuthenticationFailureHandler() {
     }
 
     @Bean
-    @ConditionalOnMissingBean(name="stormpathWebSecurityConfigurer")
-    public StormpathWebSecurityConfigurer stormpathWebSecurityConfigurer() {
-        return super.stormpathWebSecurityConfigurer();
+    @Override
+    @ConditionalOnMissingBean(name="stormpathSecurityConfigurerAdapter")
+    public SecurityConfigurerAdapter stormpathSecurityConfigurerAdapter() {
+        return super.stormpathSecurityConfigurerAdapter();
     }
 
     @Bean

extensions/spring/boot/stormpath-spring-security-webmvc-spring-boot-starter/src/main/java/com/stormpath/spring/boot/autoconfigure/StormpathWebSecurityDisabledAutoConfiguration.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2017 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.spring.boot.autoconfigure;
+
+import com.stormpath.spring.config.AbstractStormpathWebSecurityDisabledConfiguration;
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.web.servlet.DispatcherServlet;
+
+import javax.servlet.Filter;
+import javax.servlet.Servlet;
+
+/**
+ * @since 1.3.0
+ */
+@SuppressWarnings("SpringFacetCodeInspection")
+@Configuration
+@ConditionalOnProperty(name = {"stormpath.enabled", "stormpath.web.enabled"}, matchIfMissing = true)
+@ConditionalOnClass({Servlet.class, Filter.class, DispatcherServlet.class})
+@ConditionalOnWebApplication
+@AutoConfigureAfter(StormpathWebSecurityAutoConfiguration.class)
+public class StormpathWebSecurityDisabledAutoConfiguration extends AbstractStormpathWebSecurityDisabledConfiguration {
+
+    @Bean
+    @ConditionalOnMissingBean(name="stormpathSecurityConfigurerAdapter")
+    @ConditionalOnProperty(name = "stormpath.spring.security.enabled", havingValue = "false")
+    public SecurityConfigurerAdapter stormpathSecurityConfigurerAdapter() {
+        //This bean will only be created if `stormpath.spring.security.enabled` is false
+        return super.stormpathSecurityConfigurerAdapter();
+    }
+
+    @Bean
+    @ConditionalOnMissingBean(name="stormpathLogoutHandler")
+    @ConditionalOnProperty(name = "stormpath.spring.security.enabled", havingValue = "false")
+    public LogoutHandler stormpathLogoutHandler() {
+        return super.stormpathLogoutHandler();
+    }
+
+}

extensions/spring/boot/stormpath-spring-security-webmvc-spring-boot-starter/src/main/resources/META-INF/spring.factories

@@ -1,2 +1,4 @@
 org.springframework.boot.autoconfigure.EnableAutoConfiguration = com.stormpath.spring.boot.autoconfigure.StormpathWebSecurityAutoConfiguration,\
-com.stormpath.spring.boot.autoconfigure.StormpathMethodSecurityAutoConfiguration
+com.stormpath.spring.boot.autoconfigure.StormpathMethodSecurityAutoConfiguration,\
+com.stormpath.spring.boot.autoconfigure.StormpathWebSecurityDisabledAutoConfiguration
+org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = com.stormpath.spring.config.StormpathWebSecurityConfigurer

extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathSecurityConfigurerAdapter.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2017 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.spring.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+
+/**
+ * @since 1.3.0
+ */
+public abstract class AbstractStormpathSecurityConfigurerAdapter extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
+
+    private static final Logger log = LoggerFactory.getLogger(AbstractStormpathSecurityConfigurerAdapter.class);
+
+    @Autowired
+    @Qualifier("stormpathLogoutHandler")
+    protected LogoutHandler logoutHandler;
+
+    @Value("#{ @environment['stormpath.web.enabled'] ?: true }")
+    protected boolean stormpathWebEnabled;
+
+    @Value("#{ @environment['stormpath.web.login.enabled'] ?: true }")
+    protected boolean loginEnabled;
+
+    @Value("#{ @environment['stormpath.web.login.uri'] ?: '/login' }")
+    protected String loginUri;
+
+    @Value("#{ @environment['stormpath.web.logout.enabled'] ?: true }")
+    protected boolean logoutEnabled;
+
+    @Value("#{ @environment['stormpath.web.logout.uri'] ?: '/logout' }")
+    protected String logoutUri;
+
+    @Value("#{ @environment['stormpath.web.forgotPassword.enabled'] ?: true }")
+    protected boolean forgotEnabled;
+
+    @Value("#{ @environment['stormpath.web.forgotPassword.uri'] ?: '/forgot' }")
+    protected String forgotUri;
+
+    @Value("#{ @environment['stormpath.web.changePassword.enabled'] ?: true }")
+    protected boolean changeEnabled;
+
+    @Value("#{ @environment['stormpath.web.changePassword.uri'] ?: '/change' }")
+    protected String changeUri;
+
+    @Value("#{ @environment['stormpath.web.register.enabled'] ?: true }")
+    protected boolean registerEnabled;
+
+    @Value("#{ @environment['stormpath.web.register.uri'] ?: '/register' }")
+    protected String registerUri;
+
+    @Value("#{ @environment['stormpath.web.verifyEmail.enabled'] ?: true }")
+    protected boolean verifyEnabled;
+
+    @Value("#{ @environment['stormpath.web.verifyEmail.uri'] ?: '/verify' }")
+    protected String verifyUri;
+
+    @Value("#{ @environment['stormpath.web.csrf.token.enabled'] ?: true }")
+    protected boolean csrfTokenEnabled;
+
+    @Value("#{ @environment['stormpath.web.resendVerification.uri'] ?: '/resendVerification' }")
+    protected String resendVerificationUri;
+
+}

extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathWebSecurityConfiguration.java

@@ -47,6 +47,7 @@
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
@@ -153,9 +154,11 @@ public abstract class AbstractStormpathWebSecurityConfiguration {
     @Qualifier("stormpathWrappedServletRequestFactory")
     private WrappedServletRequestFactory wrappedServletRequestFactory;
 
+    @Value("#{ @environment['stormpath.spring.security.enabled'] ?: true }")
+    protected boolean stormpathSecurityEnabled;
 
-    public StormpathWebSecurityConfigurer stormpathWebSecurityConfigurer() {
-        return new StormpathWebSecurityConfigurer();
+    public SecurityConfigurerAdapter stormpathSecurityConfigurerAdapter() {
+        return new StormpathSecurityConfigurerAdapter();
     }
 
     public AuthenticationSuccessHandler stormpathAuthenticationSuccessHandler() {

extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathWebSecurityDisabledConfiguration.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2017 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.spring.config;
+
+import com.stormpath.sdk.authc.AuthenticationResult;
+import com.stormpath.sdk.servlet.http.Saver;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+
+/**
+ * @since 1.3.0
+ */
+@Order(100)
+public abstract class AbstractStormpathWebSecurityDisabledConfiguration {
+
+    @Autowired
+    @Qualifier("stormpathAuthenticationResultSaver")
+    protected Saver<AuthenticationResult> authenticationResultSaver; //provided by stormpath-spring-webmvc
+
+    public SecurityConfigurerAdapter stormpathSecurityConfigurerAdapter() {
+        //This bean will only be created if `stormpath.spring.security.enabled` is false
+        return new DisabledStormpathSecurityConfigurerAdapter();
+    }
+
+    public LogoutHandler stormpathLogoutHandler() {
+        return new StormpathLogoutHandler(authenticationResultSaver);
+    }
+}

extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/DisabledStormpathSecurityConfigurerAdapter.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2017 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.spring.config;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+
+/**
+ * @since 1.3.0
+ */
+public class DisabledStormpathSecurityConfigurerAdapter extends AbstractStormpathSecurityConfigurerAdapter {
+
+    @Autowired
+    @Qualifier("stormpathLogoutHandler")
+    protected LogoutHandler logoutHandler;
+
+    @Override
+    public void init(HttpSecurity http) throws Exception {
+        if (stormpathWebEnabled) {
+            if (csrfTokenEnabled) {
+                //Since our Spring Securoty integration is disabled and we are using our own CSRF tokens then we want
+                //to avoid our own pages to be validated by Spring Security, otherwise they will fail
+                disableCsrf(loginUri, loginEnabled, http);
+                disableCsrf(logoutUri, logoutEnabled, http);
+                disableCsrf(forgotUri, forgotEnabled, http);
+                disableCsrf(changeUri, changeEnabled, http);
+                disableCsrf(registerUri, registerEnabled, http);
+                disableCsrf(verifyUri, verifyEnabled, http);
+
+            }
+            http.logout().addLogoutHandler(logoutHandler);
+        }
+    }
+
+    private void disableCsrf(String endpoint, boolean doDisable, HttpSecurity http) throws Exception {
+        if (doDisable) {
+            http.csrf().ignoringAntMatchers(endpoint);
+        }
+    }
+}

extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/EnableStormpathWebSecurity.java

@@ -31,5 +31,5 @@
 @EnableStormpathWebMvc
 @EnableStormpathSecurity
 @EnableWebSecurity
-@Import({StormpathWebSecurityConfiguration.class, StormpathMethodSecurityConfiguration.class})
+@Import({StormpathWebSecurityConfiguration.class, StormpathWebSecurityDisabledConfiguration.class, StormpathMethodSecurityConfiguration.class})
 public @interface EnableStormpathWebSecurity {}