rwinch / spring-security-4.1-and-beyond Goto Github PK

We should have tests accessing the application before security exists. When we add security, we will need to fix those tests

We already have a formLogin().permitAll()

cc @jgrandja

Rather than @RequestMapping(method = RequestMethod.POST) we can use @PostMapping. There are other similar updates we can make too

This requires all JS to be self hosted

cc @jgrandja

Hi:
The current build.gradle will import jackson-databind-2.9.0 jar which causes springboot's staring up failure for reason of java.lang.NoClassDefFoundError: com/fasterxml/jackson/annotation/JsonMerge.

After modifying the build.gradle's dependencies as following , spring boot starts up successfully.

dependencies {
compile ".............
..............
"javax.servlet:jstl"
compile "com.fasterxml.jackson.core:jackson-databind:2.8.7"
compile ('com.maxmind.geoip2:geoip2:2.7.0'){
exclude group: 'com.fasterxml.jackson.core', module: 'jackson-databind'
}

Another way to learn:
The netbeans 8.2 tested maven version of presentation branch is post here -https://github.com/mingqin1/spring-security-4.1-and-beyond/tree/presentation . The maven converted codes serve the purpose of encourage of learning . All the credits go to Rob Winch, Joe Grandja

Our tests should be more focused. For example, we should not need to authenticate to delete Joe's messages. The test is deleting the messages...not authenticating as Joe. Instead, we should leverage @WithMockUser, with(csrf()), etc.

We can add additional tests that are specific to does CSRF work with cookies, does authentication work, etc.

We should make it so that the mouse demonstrates you can click on the link in the Summary that leads to the details. Currently it looks like text rather than a link.

To demonstrate CORS we need to split into two different apps. We should have it setup this way before we add security since CORS is really a Spring MVC application.

Requires change to Spring Security's LogoutConfigurer

See https://spring.io/blog/2013/07/11/spring-security-java-config-preview-readability/

• and on new line
• noformat tags

If a save is attempted and validation fails we should give meaningful error messages

Right now the default page doesn't load anything. See http://localhost:8080/

We should load the inbox instead of a blank page.

We should either remove spring-data-rest or the controllers that handle the REST calls. If we remove spring-data-rest, I believe we can remove WorkAroundsConfig

We should allow access to the home page and deny access to any rest resources. The processing of the rest resource should trigger a 401 which should trigger the authentication dialog to pop up. This demonstrates the content negotiation within Spring Security

This is similar to https://github.com/rwinch/spring-state-securing-restful-apis/blob/master/messages-session/src/main/java/sample/config/SecurityConfig.java#L28

Also see https://youtu.be/Z1DfpxQ84as?t=21m45s

Rather than "/custom-login" and "/login-error" use "/login" and "/login?error" to:

• reduce configuration
• make more like a real application (no real app will have custom- in the URL)

NOTE See #7

cc @jgrandja

The beginning of the application should not use a custom userdetailservice, but one is present

I was not able to run the rest application using

gradle bootRun I am getting following error.

FasterXML/jackson-databind#1539