com.auth0.spring.security.api

Class Auth0SecurityConfig

java.lang.Object

org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

com.auth0.spring.security.api.Auth0SecurityConfig

All Implemented Interfaces:

org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>, org.springframework.security.config.annotation.web.WebSecurityConfigurer<org.springframework.security.config.annotation.web.builders.WebSecurity>

@Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled=true)
 @Order(value=2147483640)
 @ConditionalOnProperty(prefix="auth0",
                       name="defaultAuth0ApiSecurityEnabled")
public class Auth0SecurityConfig
extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Auth0 Security Config that wires together dependencies required Applications are expected to extend this Config

Field Summary

Fields

Modifier and Type	Field and Description
protected String	authorityStrategy
protected boolean	base64EncodedSecret
protected String	clientId
protected String	clientSecret
protected String	domain
protected String	issuer
protected String	publicKeyPath default to empty string as HS256 is default
protected String	securedRoute
protected String	signingAlgorithm default to HS256 for backwards compatibility

Constructor Summary

Constructors

Constructor and Description
Auth0SecurityConfig()

Method Summary

Modifier and Type	Method and Description
Auth0AuthenticationEntryPoint	auth0AuthenticationEntryPoint()
Auth0AuthenticationFilter	auth0AuthenticationFilter(Auth0AuthenticationEntryPoint entryPoint)
org.springframework.boot.web.servlet.FilterRegistrationBean	auth0AuthenticationFilterRegistration(Auth0AuthenticationFilter filter) We do this to ensure our Filter is only loaded once into Application Context If using Spring Boot, any GenericFilterBean in the context will be automatically added to the filter chain.
Auth0AuthenticationProvider	auth0AuthenticationProvider()
org.springframework.security.authentication.AuthenticationManager	authenticationManagerBean()
AuthorityStrategy	authorityStrategy()
protected void	authorizeRequests(org.springframework.security.config.annotation.web.builders.HttpSecurity http) Lightweight default configuration that offers basic authorization checks for authenticated users on secured endpoint, and sets up a Principal user object with granted authorities
protected void	configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
protected void	configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
void	configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
Auth0CORSFilter	simpleCORSFilter()

Methods inherited from class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

authenticationManager, getApplicationContext, getHttp, init, setApplicationContext, setAuthenticationConfiguration, setContentNegotationStrategy, setObjectPostProcessor, setTrustResolver, userDetailsService, userDetailsServiceBean

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

domain

@Value(value="${auth0.domain}")
protected String domain

issuer

@Value(value="${auth0.issuer}")
protected String issuer

clientId

@Value(value="${auth0.clientId}")
protected String clientId

clientSecret

@Value(value="${auth0.clientSecret}")
protected String clientSecret

securedRoute

@Value(value="${auth0.securedRoute}")
protected String securedRoute

authorityStrategy

@Value(value="${auth0.authorityStrategy}")
protected String authorityStrategy

base64EncodedSecret

@Value(value="${auth0.base64EncodedSecret}")
protected boolean base64EncodedSecret

signingAlgorithm

@Value(value="${auth0.signingAlgorithm:HS256}")
protected String signingAlgorithm

default to HS256 for backwards compatibility

publicKeyPath

@Value(value="${auth0.publicKeyPath:}")
protected String publicKeyPath

default to empty string as HS256 is default

Constructor Detail

Auth0SecurityConfig

public Auth0SecurityConfig()

Method Detail

authenticationManagerBean

@Autowired
 @Bean(name="auth0AuthenticationManager")
public org.springframework.security.authentication.AuthenticationManager authenticationManagerBean()
                                                                                                                                                 throws Exception

Overrides:

authenticationManagerBean in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

simpleCORSFilter

@Bean
public Auth0CORSFilter simpleCORSFilter()

authorityStrategy

@Bean(name="authorityStrategy")
public AuthorityStrategy authorityStrategy()

auth0AuthenticationProvider

@Bean(name="auth0AuthenticationProvider")
public Auth0AuthenticationProvider auth0AuthenticationProvider()

auth0AuthenticationEntryPoint

@Bean(name="auth0EntryPoint")
public Auth0AuthenticationEntryPoint auth0AuthenticationEntryPoint()

auth0AuthenticationFilter

@Bean(name="auth0Filter")
public Auth0AuthenticationFilter auth0AuthenticationFilter(Auth0AuthenticationEntryPoint entryPoint)

auth0AuthenticationFilterRegistration

@Bean(name="auth0AuthenticationFilterRegistration")
public org.springframework.boot.web.servlet.FilterRegistrationBean auth0AuthenticationFilterRegistration(Auth0AuthenticationFilter filter)

We do this to ensure our Filter is only loaded once into Application Context If using Spring Boot, any GenericFilterBean in the context will be automatically added to the filter chain. Since we want to support Servlet 2.x and 3.x we should not extend OncePerRequestFilter therefore instead we explicitly define FilterRegistrationBean and disable.

configure

protected void configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
                  throws Exception

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

configure

public void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
               throws Exception

Specified by:

configure in interface org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

configure

protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                  throws Exception

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

authorizeRequests

protected void authorizeRequests(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                          throws Exception

Lightweight default configuration that offers basic authorization checks for authenticated users on secured endpoint, and sets up a Principal user object with granted authorities

For simple apps, this is sufficient, however for applications wishing to specify fine-grained endpoint access restrictions, use Role / Group level endpoint authorization etc, then this configuration should be disabled and a copy, augmented with your own requirements provided. See Sample app for example Override this function in subclass to apply custom authentication / authorization strategies to your application endpoints

Throws:

Exception