User session system

pom.xml

@@ -32,8 +32,9 @@
             <url>https://jcenter.bintray.com</url>
         </repository>
     </repositories>
-    <dependencies>
 
+
+    <dependencies>
         <!-- Spring -->
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -71,6 +72,13 @@
             <version>1.2.5</version>
         </dependency>
 
+        <!-- Caching -->
+        <dependency>
+            <groupId>com.github.ben-manes.caffeine</groupId>
+            <artifactId>caffeine</artifactId>
+            <version>2.9.1</version>
+        </dependency>
+
         <!-- Esper CEP -->
         <dependency>
             <groupId>com.espertech</groupId>
@@ -131,21 +139,21 @@
         </dependency>
 
 
-		<!-- IText -->
-		<!-- https://mvnrepository.com/artifact/com.itextpdf/itext7-core -->
-		<dependency>
-			<groupId>com.itextpdf</groupId>
-			<artifactId>itext7-core</artifactId>
-			<version>7.1.10</version>
-			<type>pom</type>
-		</dependency>
+        <!-- IText -->
+        <!-- https://mvnrepository.com/artifact/com.itextpdf/itext7-core -->
+        <dependency>
+            <groupId>com.itextpdf</groupId>
+            <artifactId>itext7-core</artifactId>
+            <version>7.1.10</version>
+            <type>pom</type>
+        </dependency>
 
-		<!-- JFree Chart -->
-		<dependency>
-			<groupId>org.jfree</groupId>
-			<artifactId>jfreechart</artifactId>
-			<version>1.5.0</version>
-		</dependency>
+        <!-- JFree Chart -->
+        <dependency>
+            <groupId>org.jfree</groupId>
+            <artifactId>jfreechart</artifactId>
+            <version>1.5.0</version>
+        </dependency>
 
         <!--Apache Commons -->
         <dependency>
@@ -175,6 +183,13 @@
             <artifactId>swagger2markup</artifactId>
             <version>1.3.3</version>
         </dependency>
+
+        <!--Cglib -->
+        <dependency>
+            <groupId>cglib</groupId>
+            <artifactId>cglib</artifactId>
+            <version>3.3.0</version>
+        </dependency>
     </dependencies>
 
     <build>

src/main/java/de/ipvs/as/mbp/Initializer.java

@@ -7,10 +7,6 @@
 import org.springframework.web.filter.HiddenHttpMethodFilter;
 import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
 
-/**
- *
- * @author rafaelkperes
- */
 public class Initializer
         extends AbstractAnnotationConfigDispatcherServletInitializer {
 

src/main/java/de/ipvs/as/mbp/RestConfiguration.java

@@ -15,7 +15,6 @@
 import de.ipvs.as.mbp.domain.rules.RuleAction;
 import de.ipvs.as.mbp.domain.rules.RuleTrigger;
 import de.ipvs.as.mbp.domain.testing.TestDetails;
-import de.ipvs.as.mbp.domain.user.Authority;
 import de.ipvs.as.mbp.domain.user.User;
 import de.ipvs.as.mbp.error.EntityNotFoundException;
 import de.ipvs.as.mbp.error.MissingPermissionException;
@@ -67,7 +66,7 @@ public void configureRepositoryRestConfiguration(RepositoryRestConfiguration con
                 Device.class,
                 Operator.class, MonitoringOperator.class,
                 Actuator.class, Sensor.class,
-                User.class, Authority.class,
+                User.class,
                 EntityType.class,
                 EnvironmentModel.class,
                 Rule.class, RuleTrigger.class, RuleAction.class,

src/main/java/de/ipvs/as/mbp/SecurityConfiguration.java

@@ -1,69 +1,57 @@
 package de.ipvs.as.mbp;
 
-import de.ipvs.as.mbp.security.RestAuthenticationEntryPoint;
-import de.ipvs.as.mbp.service.UserDetailsServiceImpl;
-import org.springframework.beans.factory.BeanInitializationException;
+import de.ipvs.as.mbp.security.UserSessionCookieFilter;
+import de.ipvs.as.mbp.service.user.UserSessionService;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.http.HttpMethod;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
-/**
- * Security configuration
- *
- * @author Imeri Amil
- */
-
 @Configuration
+@Import(UserSessionService.class)
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
 
-    @Bean
-    public RestAuthenticationEntryPoint restAuthenticationEntryPoint() {
-        return new RestAuthenticationEntryPoint();
-    }
+    //URLs to important pages
+    public static final String URL_LOGIN = "/login";
+    public static final String URL_LOGOUT = "/logout";
 
-    @Bean
-    public UserDetailsService mongoUserDetails() {
-        return new UserDetailsServiceImpl();
+    //Cookie filter for validating session cookies
+    private final UserSessionCookieFilter userSessionCookieFilter;
+
+    @Autowired
+    public SecurityConfiguration(UserSessionService userSessionService) {
+        this.userSessionCookieFilter = new UserSessionCookieFilter(userSessionService);
     }
 
     @Bean
     public PasswordEncoder passwordEncoder() {
         return new BCryptPasswordEncoder();
     }
 
-    @Override
-    public void configure(AuthenticationManagerBuilder auth) {
-        try {
-            UserDetailsService userDetailsService = mongoUserDetails();
-            auth
-                    .userDetailsService(userDetailsService)
-                    .passwordEncoder(passwordEncoder());
-        } catch (Exception e) {
-            throw new BeanInitializationException("Security configuration failed", e);
-        }
-    }
-
     @Override
     public void configure(WebSecurity web) throws Exception {
         web.ignoring()
                 .antMatchers(HttpMethod.OPTIONS, "/**")
                 .antMatchers("/resources/**")
                 .antMatchers("/webapp/**")
-                .antMatchers("/login", "/templates/register")
+                .antMatchers(URL_LOGIN, "/templates/register")
                 .antMatchers(HttpMethod.GET, RestConfiguration.BASE_PATH + "/settings/mbpinfo")
-                .antMatchers(HttpMethod.POST, RestConfiguration.BASE_PATH + "/users/authenticate")
                 .antMatchers(HttpMethod.POST, RestConfiguration.BASE_PATH + "/users")
                 .antMatchers(HttpMethod.POST, RestConfiguration.BASE_PATH + "/checkOauthTokenUser")
                 .antMatchers(HttpMethod.POST, RestConfiguration.BASE_PATH + "/checkOauthTokenSuperuser")
@@ -72,16 +60,21 @@ public void configure(WebSecurity web) throws Exception {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
+        //Configure HTTP security
         http
-                .csrf().disable()
-                .httpBasic().authenticationEntryPoint(restAuthenticationEntryPoint())
-                .and()
-                .authorizeRequests()
-                .antMatchers(HttpMethod.POST, "/api/authenticate").permitAll()
-                .antMatchers("/api/**").authenticated()
-                .and()
-                .logout()
-                .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login")
-                .invalidateHttpSession(true).deleteCookies("JSESSIONID");
+                .sessionManagement(c -> c.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .csrf(AbstractHttpConfigurer::disable)
+                .logout(c -> {
+                    c.logoutRequestMatcher(new AntPathRequestMatcher(URL_LOGOUT));
+                    c.deleteCookies(UserSessionCookieFilter.SESSION_COOKIE_NAME);
+                    c.logoutSuccessHandler(userSessionCookieFilter);
+                })
+                .authorizeRequests(c -> {
+                    c.antMatchers("/api/users/login").permitAll();
+                    c.antMatchers("/api/**").authenticated();
+                })
+                .exceptionHandling(c -> c
+                        .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
+                .addFilterAfter(userSessionCookieFilter, SecurityContextPersistenceFilter.class);
     }
 }

src/main/java/de/ipvs/as/mbp/WebServletConfiguration.java

@@ -11,6 +11,7 @@
 import org.springframework.data.web.config.EnableSpringDataWebSupport;
 import org.springframework.hateoas.MediaTypes;
 import org.springframework.hateoas.config.EnableHypermediaSupport;
+import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
 import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.servlet.ViewResolver;
 import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
@@ -32,7 +33,7 @@
         Constants.ROOT_PACKAGE
 })
 @EnableHypermediaSupport(type = EnableHypermediaSupport.HypermediaType.HAL)
-public class WebServletConfiguration implements WebMvcConfigurer {
+public class WebServletConfiguration extends AbstractSecurityWebApplicationInitializer implements WebMvcConfigurer {
 
     @Autowired
     private ApplicationContext applicationContext;

src/main/java/de/ipvs/as/mbp/domain/user/UserAuthData.java → src/main/java/de/ipvs/as/mbp/domain/user/UserLoginData.java

@@ -7,12 +7,30 @@
  * Wrapper for user login data that is passed with an user authentication request.
  */
 @ApiModel(description = "Login data for user authentication requests")
-public class UserAuthData {
+public class UserLoginData {
     @ApiModelProperty(notes = "Username of the user to authenticate", example = "MyUser", required = true)
     private String username;
     @ApiModelProperty(notes = "Password of the user to authenticate", example = "secret", required = true)
     private String password;
 
+    /**
+     * Creates a new empty user auth data object.
+     */
+    public UserLoginData() {
+
+    }
+
+    /**
+     * Creates a new user auth data object from a given username and password.
+     *
+     * @param username The user name to use
+     * @param password The password to use
+     */
+    public UserLoginData(String username, String password) {
+        this.username = username;
+        this.password = password;
+    }
+
     /**
      * Returns the username that is part of the auth data.
      *