Spring Security: ported to Java configuration.

@see http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#jc
@see http://spring.io/blog/2013/07/02/spring-security-java-config-preview-introduction/
@see http://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/
@see http://spring.io/blog/2013/07/04/spring-security-java-config-preview-method-security/

Fix #26

Author: php-coder

pom.xml

@@ -175,7 +175,6 @@
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-config</artifactId>
-			<scope>runtime</scope>
 		</dependency>
 
 		<dependency>

src/main/config/checkstyle-suppressions.xml

@@ -7,8 +7,9 @@
 
 	<suppress checks="LineLength" files="AbstractPageWithForm.java" lines="27,28,33" />
 	<suppress checks="LineLength" files="Form.java" lines="31,32,37" />
-	<suppress checks="LineLength" files="Url.java" lines="73" />
+	<suppress checks="LineLength" files="Url.java" lines="72" />
 	<suppress checks="LineLength" files="ErrorController.java" lines="73" />
+	<suppress checks="LineLength" files="SecurityConfig.java" lines="35,36,40" />
 
 	<!-- false positives due to Lombok usage -->
 	<suppress checks="HideUtilityClassConstructor" files="ru.mystamps.web.model" />

src/main/java/ru/mystamps/web/Url.java

@@ -40,7 +40,6 @@ public final class Url {
 
 	public static final String REGISTRATION_PAGE     = "/account/register";
 
-	// defined at src/main/resources/spring/security.xml
 	public static final String AUTHENTICATION_PAGE   = "/account/auth";
 	public static final String LOGIN_PAGE            = "/account/login";
 	public static final String LOGOUT_PAGE           = "/account/logout";

src/main/java/ru/mystamps/web/support/spring/security/CustomUserDetails.java

@@ -31,7 +31,7 @@ public CustomUserDetails(User user, Collection<? extends GrantedAuthority> autho
 		this.user = user;
 	}
 
-	// used during authentication by password-encoder with salt-source
+	// used during authentication (see SecurityConfig.getSaltSource())
 	public String getSalt() {
 		return user.getSalt();
 	}

src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java

@@ -21,44 +21,120 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.ImportResource;
 import org.springframework.context.ApplicationListener;
+import org.springframework.http.HttpMethod;
 
+import org.springframework.context.MessageSource;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.authentication.dao.ReflectionSaltSource;
+import org.springframework.security.authentication.dao.SaltSource;
 import org.springframework.security.authentication.encoding.PasswordEncoder;
 import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.web.AuthenticationEntryPoint;
 
 import ru.mystamps.web.config.ServicesConfig;
+import ru.mystamps.web.Url;
 
 @Configuration
-@ImportResource("classpath:spring/security.xml")
-public class SecurityConfig {
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+	
+	@Inject
+	private MessageSource messageSource;
 
 	@Inject
 	private ServicesConfig servicesConfig;
 
-	@Bean
-	public ApplicationListener<AuthenticationFailureBadCredentialsEvent> getApplicationListener() {
-		return new AuthenticationFailureListener();
+	@Override
+	@SuppressWarnings("PMD.SignatureDeclareThrowsException")
+	public void configure(WebSecurity web) throws Exception {
+		web.ignoring().antMatchers("/static/**");
 	}
 
-	// Explicitly specified bean names due to its usage in XML config
+	@Override
+	@SuppressWarnings("PMD.SignatureDeclareThrowsException")
+	protected void configure(HttpSecurity http) throws Exception {
+		http
+			.authorizeRequests()
+				.antMatchers(Url.ADD_CATEGORY_PAGE).hasAuthority("CREATE_CATEGORY")
+				.antMatchers(Url.ADD_COUNTRY_PAGE).hasAuthority("CREATE_COUNTRY")
+				.antMatchers(Url.ADD_SERIES_PAGE).hasAuthority("CREATE_SERIES")
+				.regexMatchers(HttpMethod.POST, "/series/[0-9]+").hasAuthority("UPDATE_COLLECTION")
+				.anyRequest().permitAll()
+				.and()
+			.formLogin()
+				.loginPage(Url.AUTHENTICATION_PAGE)
+				.usernameParameter("login")
+				.passwordParameter("password")
+				.loginProcessingUrl(Url.LOGIN_PAGE)
+				.failureUrl(Url.AUTHENTICATION_PAGE + "?failed")
+				.defaultSuccessUrl(Url.INDEX_PAGE, true)
+				.permitAll()
+				.and()
+			.logout()
+				.logoutUrl(Url.LOGOUT_PAGE)
+				.logoutSuccessUrl(Url.INDEX_PAGE)
+				.invalidateHttpSession(true)
+				.permitAll()
+				.and()
+			.exceptionHandling()
+				.accessDeniedPage(Url.UNAUTHORIZED_PAGE)
+				// This entry point handles when you request a protected page and you are
+				// not yet authenticated (defaults to Http403ForbiddenEntryPoint)
+				.authenticationEntryPoint(new Http401UnauthorizedEntryPoint())
+				.and()
+			.rememberMe()
+				// TODO: GH #27
+				.disable()
+			.csrf()
+				// TODO: GH #25
+				.disable()
+			.headers()
+				// TODO
+				.disable();
+	}
 
-	@Bean(name = "passwordEncoder")
+	@Inject
+	protected void configure(AuthenticationManagerBuilder auth) {
+		auth.authenticationProvider(getAuthenticationProvider());
+	}
+
+	// Used in ServicesConfig.getUserService()
 	public PasswordEncoder getPasswordEncoder() {
 		return new ShaPasswordEncoder();
 	}
+
+	@Bean
+	public ApplicationListener<AuthenticationFailureBadCredentialsEvent> getApplicationListener() {
+		return new AuthenticationFailureListener();
+	}
 
-	@Bean(name = "customUserDetailsService")
-	public UserDetailsService getUserDetailsService() {
+	private UserDetailsService getUserDetailsService() {
 		return new CustomUserDetailsService(servicesConfig.getUserService());
 	}
 
-	@Bean(name = "http401UnauthorizedEntryPoint")
-	public AuthenticationEntryPoint getHttp401UnauthorizedEntryPoint() {
-		return new Http401UnauthorizedEntryPoint();
+	private SaltSource getSaltSource() {
+		ReflectionSaltSource saltSource = new ReflectionSaltSource();
+		saltSource.setUserPropertyToUse("salt");
+		return saltSource;
+	}
+	
+	private AuthenticationProvider getAuthenticationProvider() {
+		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		provider.setPasswordEncoder(getPasswordEncoder());
+		provider.setSaltSource(getSaltSource());
+		provider.setUserDetailsService(getUserDetailsService());
+		provider.setMessageSource(messageSource);
+		return provider;
 	}
 
 }