✨ Add: project sources

Author: ImSejin

build.gradle

@@ -0,0 +1,38 @@
+plugins {
+    id 'org.springframework.boot' version '2.5.6'
+    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
+    id 'java'
+}
+
+group = 'io.github.imsejin'
+version = '0.1.0'
+sourceCompatibility = JavaVersion.VERSION_11
+
+configurations {
+    compileOnly {
+        extendsFrom annotationProcessor
+    }
+}
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    implementation 'org.springframework.boot:spring-boot-starter-security'
+    implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+    implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity5'
+    implementation 'org.springframework.boot:spring-boot-devtools'
+
+    compileOnly 'org.projectlombok:lombok'
+    annotationProcessor 'org.projectlombok:lombok'
+
+    annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor'
+    testImplementation 'org.springframework.boot:spring-boot-starter-test'
+    testImplementation 'org.springframework.security:spring-security-test'
+}
+
+test {
+    useJUnitPlatform()
+}

settings.gradle

@@ -0,0 +1 @@
+rootProject.name = 'study-spring-security'

src/main/java/io/github/imsejin/study/springsecurity/SpringSecurityApplication.java

@@ -0,0 +1,17 @@
+package io.github.imsejin.study.springsecurity;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
+import org.springframework.scheduling.annotation.EnableAsync;
+
+@EnableAsync
+@SpringBootApplication
+@ConfigurationPropertiesScan
+public class SpringSecurityApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(SpringSecurityApplication.class, args);
+    }
+
+}

src/main/java/io/github/imsejin/study/springsecurity/config/security/WebSecurityConfig.java

@@ -0,0 +1,201 @@
+package io.github.imsejin.study.springsecurity.config.security;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.authentication.*;
+import org.springframework.security.web.authentication.logout.LogoutFilter;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
+import org.springframework.security.web.session.ConcurrentSessionFilter;
+import org.springframework.security.web.session.SessionManagementFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * WebSecurityConfig
+ *
+ * @see AnonymousAuthenticationFilter
+ * @see AnonymousAuthenticationToken
+ */
+@EnableWebSecurity
+@RequiredArgsConstructor
+class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    private final UserDetailsService userDetailsService;
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        // Authentication(인증)
+        // All requests must be authenticated.
+        http.authorizeRequests().anyRequest().authenticated();
+
+        // Authorization(인가)
+        login(http);
+
+        logout(http);
+        rememberMe(http);
+        manageSession(http);
+    }
+
+    /**
+     * Login Form Flow
+     *
+     * <ol>
+     *     <li>Receive request.</li>
+     *     <li>{@link UsernamePasswordAuthenticationFilter} checks if request URL matches.</li>
+     *     <li>If {@link AntPathRequestMatcher} returns {@code true}, pass the next step,
+     *         else execute {@code chain.doFilter}.</li>
+     *     <li>Pass a {@link Authentication} with username and password.</li>
+     *     <li>{@link AuthenticationManager} delegates validation to {@link AuthenticationProvider}.</li>
+     *     <li>{@link AuthenticationProvider} validates the given user information.</li>
+     *     <li>If authentication succeed, return a {@link Authentication} with user and authorities,
+     *         else throw {@link AuthenticationException}.</li>
+     *     <li>{@link Authentication} is stored in {@link SecurityContext}.</li>
+     *     <li>Invoke {@link AuthenticationSuccessHandler}</li>
+     * </ol>
+     *
+     * @see UsernamePasswordAuthenticationFilter
+     */
+    private static void login(HttpSecurity http) throws Exception {
+        http.formLogin()
+//                .loginPage("/auth")                   // Request URL to go to custom login page(default: /login)
+                .defaultSuccessUrl("/home")           // Page to arrive after login succeed.
+                .failureUrl("/login")                 // Page to arrive after login failed.
+                .usernameParameter("id")              // Attribute 'name' in input tag.
+                .passwordParameter("pw")              // Attribute 'name' in input tag.
+                .loginProcessingUrl("/login-process") // Attribute 'action' in form tag.
+                .successHandler(new CustomAuthenticationSuccessHandler())
+                .failureHandler(new CustomAuthenticationFailureHandler())
+                // Request URL for login page must be passed without authentication.
+                // If not, you go to infinite redirect loop.
+                .permitAll();
+    }
+
+    /**
+     * Logout Flow
+     *
+     * <ol>
+     *     <li>Receive request.</li>
+     *     <li>{@link LogoutFilter} checks if request URL matches.</li>
+     *     <li>If {@link AntPathRequestMatcher} returns {@code true}, pass the next step,
+     *         else execute {@code chain.doFilter}.</li>
+     *     <li>Get a {@link Authentication} from {@link SecurityContext}.</li>
+     *     <li>Pass it to {@link SecurityContextLogoutHandler}.</li>
+     *     <li>Invalidate session, delete cookies and invoke {@link SecurityContextHolder#clearContext()}.</li>
+     *     <li>Delegate to {@link SimpleUrlLogoutSuccessHandler}.</li>
+     *     <li>Redirect to login page.</li>
+     * </ol>
+     *
+     * @see LogoutFilter
+     */
+    private static void logout(HttpSecurity http) throws Exception {
+        http.logout()
+//                .logoutUrl("/") // Request URL to go to custom logout page(default: POST /logout)
+                .logoutSuccessUrl("/auth")
+                .addLogoutHandler((request, response, authentication) -> {
+                    System.out.printf("logout-1: '%s'%n", authentication.getName());
+                    request.getSession().invalidate();
+                })
+                .logoutSuccessHandler((request, response, authentication) -> {
+                    System.out.printf("Good bye, '%s'!%n", authentication.getName());
+                    response.sendRedirect("/login");
+                })
+                .deleteCookies("remember-me");
+    }
+
+    /**
+     * Remember-me Flow
+     * (Sustain authenticated state and auto-login)
+     *
+     * <ol>
+     *     <li>When {@link Authentication} in {@link SecurityContext} is null and HTTP request
+     *         has cookie 'remember-me', execute {@link RememberMeAuthenticationFilter}.</li>
+     *     <li>Delegate the job to {@link RememberMeServices}.</li>
+     *     <li>Extract the token from cookies.</li>
+     *     <li>If the token exists, validate the decoded token,
+     *         else execute {@code chain.doFilter}(pass the next filter).</li>
+     *     <li>When token is invalid or user account doesn't exist, throw exception.</li>
+     *     <li>If pass all the validations, create new a {@link Authentication}.</li>
+     *     <li>Pass it to {@link AuthenticationManager}.</li>
+     * </ol>
+     *
+     * @see RememberMeAuthenticationFilter
+     */
+    private void rememberMe(HttpSecurity http) throws Exception {
+        http.rememberMe()
+                .rememberMeParameter("rememberMe") // default: remember-me
+                .tokenValiditySeconds(3600)        // default: 14 days
+                .alwaysRemember(false)
+                .userDetailsService(userDetailsService);
+    }
+
+    /**
+     * Session Management
+     *
+     * @see SessionManagementFilter
+     * @see ConcurrentSessionFilter
+     */
+    private static void manageSession(HttpSecurity http) throws Exception {
+        // Concurrent Session Management
+        http.sessionManagement()
+                .invalidSessionUrl("/invalid")
+                .maximumSessions(1) // If -1, allow infinite concurrent session login.
+                // If true, prevent a user from logging in and sustain the previous session.
+                // If false, allow a user to login and invalidate the previous session.
+                .maxSessionsPreventsLogin(false)
+                .expiredUrl("/expired");
+
+        // Protect against session fixation attack.
+        http.sessionManagement()
+                .sessionFixation()
+                .changeSessionId();
+
+        // Session creation policy.
+        http.sessionManagement()
+                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
+    }
+
+    /**
+     * Custom authentication success handler
+     *
+     * @see <a href="https://stackoverflow.com/questions/28103852/spring-boot-session-timeout">
+     * Spring Boot Session Timeout</a>
+     */
+    private static class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
+        private static final int SESSION_TIMEOUT = (int) TimeUnit.SECONDS.toSeconds(60);
+
+        @Override
+        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
+                                            Authentication authentication) throws IOException {
+            request.getSession().setMaxInactiveInterval(SESSION_TIMEOUT);
+            System.out.printf("Welcome-1, '%s'!%n", authentication.getName());
+            response.sendRedirect("/home");
+        }
+    }
+
+    private static class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
+        @Override
+        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
+                                            AuthenticationException exception) throws IOException {
+            System.out.printf("Failed to login: '%s'%n", exception.getMessage());
+            response.sendRedirect("/");
+        }
+    }
+
+}

src/main/java/io/github/imsejin/study/springsecurity/view/auth/AuthController.java

@@ -0,0 +1,16 @@
+package io.github.imsejin.study.springsecurity.view.auth;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+@RequestMapping("auth")
+class AuthController {
+
+    @GetMapping
+    Object login() {
+        return "authentication";
+    }
+
+}

src/main/java/io/github/imsejin/study/springsecurity/view/home/HomeController.java

@@ -0,0 +1,16 @@
+package io.github.imsejin.study.springsecurity.view.home;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+@RequestMapping("home")
+class HomeController {
+
+    @GetMapping
+    Object welcome() {
+        return "home";
+    }
+
+}

src/main/resources/application.yml

@@ -0,0 +1,20 @@
+spring:
+  thymeleaf:
+    enabled: true
+    encoding: "UTF-8"
+    prefix: "classpath:/templates/view/"
+    suffix: ".html"
+  security:
+    user:
+      name: "user"
+      password: "1234"
+  devtools:
+    livereload:
+      enabled: true
+    restart:
+      enabled: true
+      poll-interval: "2s"
+#  mvc:
+#    view:
+#      prefix: "classpath:/templates/view/"
+#      suffix: ".html"

src/main/resources/templates/view/authentication.html

@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html lang="ko">
+<head>
+    <meta charset="UTF-8">
+    <title>Authentication</title>
+</head>
+<body>
+<div>
+    <form method="post" action="/login-process">
+        <span>ID: </span>
+        <label for="username">
+            <input id="username" type="text" name="id" placeholder="Input your ID" />
+        </label>
+
+        <span>PW: </span>
+        <label for="password">
+            <input id="password" type="password" name="pw" placeholder="Input your password" />
+        </label>
+
+        <button type="submit">login</button>
+    </form>
+</div>
+</body>
+</html>

src/main/resources/templates/view/home.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="ko">
+<head>
+    <meta charset="UTF-8">
+    <title>Welcome</title>
+</head>
+<body>
+<div>Welcome to my webpage!</div>
+</body>
+</html>

src/test/java/io/github/imsejin/study/springsecurity/SpringSecurityApplicationTest.java

@@ -0,0 +1,15 @@
+package io.github.imsejin.study.springsecurity;
+
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@Disabled
+@SpringBootTest
+class SpringSecurityApplicationTest {
+
+    @Test
+    void contextLoads() {
+    }
+
+}