[
https://issues.apache.org/jira/browse/METRON-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15830463#comment-15830463
]
ASF GitHub Bot commented on METRON-503:
---------------------------------------
Github user jjmeyer0 commented on a diff in the pull request:
https://github.com/apache/incubator-metron/pull/316#discussion_r96935736
--- Diff:
metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/WebSecurityConfig.java
---
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.metron.rest.config;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
+import
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import
org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import
org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import javax.sql.DataSource;
+import java.util.Arrays;
+
+@Configuration
+@EnableWebSecurity
+@Controller
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ private static final String CSRF_ENABLE_PROFILE = "csrf-enable";
+
+ @Autowired
+ private Environment environment;
+
+ @RequestMapping({"/login", "/logout", "/sensors", "/sensors*/**"})
+ public String handleNGRequests() {
+ return "forward:/index.html";
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http
+ .authorizeRequests()
+ .antMatchers("/", "/home", "/login").permitAll()
+ .antMatchers("/app/**").permitAll()
+ .antMatchers("/vendor/**").permitAll()
+ .antMatchers("/fonts/**").permitAll()
+ .antMatchers("/assets/images/**").permitAll()
+ .antMatchers("/*.js").permitAll()
+ .antMatchers("/*.ttf").permitAll()
+ .antMatchers("/*.woff2").permitAll()
+ .anyRequest().authenticated()
+ .and().httpBasic()
+ .and()
+ .logout()
+ .logoutSuccessHandler(new
HttpStatusReturningLogoutSuccessHandler())
+ .invalidateHttpSession(true)
+ .deleteCookies("JSESSIONID");
+ if
(Arrays.asList(environment.getActiveProfiles()).contains(CSRF_ENABLE_PROFILE)) {
+
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+ } else {
+ http.csrf().disable();
+ }
+ }
+
+ @Autowired
+ private DataSource dataSource;
+
+ @Autowired
+ public void configureJdbc(AuthenticationManagerBuilder auth) throws
Exception {
+ auth
+ .jdbcAuthentication()
+ .dataSource(dataSource)
+ .withUser("user").password("password").roles("USER").and()
+ .withUser("user1").password("password").roles("USER").and()
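Review bot: CSRF protection in `configure(HttpSecurity)` fails open: the `else` branch calls `http.csrf().disable();` whenever the `csrf-enable` profile is not active, so a deployment that sets no profile serves cookie-backed sessions (the logout block invalidates the session and deletes `JSESSIONID`) and HTTP Basic with no CSRF check. I would invert the default so that omission gives the safe configuration: apply `http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());` unconditionally and reach `http.csrf().disable();` only under an explicitly named opt-out profile. A short comment on `CSRF_ENABLE_PROFILE` (or its replacement) stating which environments are expected to set it would also help operators. Separately, the visible part of `configureJdbc` sets no `passwordEncoder(...)`; the method continues past the end of the quoted hunk, so confirm there that credentials are not stored and compared as plain text.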
--- End diff --
I forget exactly how Spring handles these. If I recall correctly, they are
always going to be there. Correct? If so, we should probably only add these when
a specific profile is active (e.g. only do this for dev).
> Metron REST API
> ---------------
>
> Key: METRON-503
> URL: https://issues.apache.org/jira/browse/METRON-503
> Project: Metron
> Issue Type: New Feature
> Reporter: Ryan Merriman
> Assignee: Ryan Merriman
> Attachments: Metron REST API.docx
>
>
> As discussed on the dev list ([DISCUSS] Metron REST API Requirements), this
> Jira includes adding a REST API to Metron.