Class AbstractWebSecurity

java.lang.Object
com.emc.documentum.rest.context.jc.AbstractWebSecurity
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean
Direct Known Subclasses:
AbstractLogoutWebSecurity

public abstract class AbstractWebSecurity extends Object implements org.springframework.beans.factory.InitializingBean
Provides a convenient base class for creating a customized Documentum REST Services authentication scheme. The implementation allows customization by overriding methods. The implementation can be made conditional by annotating it with AuthSchemeProfile. The implementation should specify an order with Order, in the range 1 to 98.
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    protected DefaultSecurityRuntime
    defaultRT
    Default security runtime properties.
    protected org.springframework.security.web.firewall.HttpFirewall
    httpFirewall
     
  • Constructor Summary

    Constructors
    Constructor
    Description
    AbstractWebSecurity()
     
    AbstractWebSecurity(boolean disableDefaults)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    afterPropertiesSet()
    Sets properties after the bean initialization.
    protected abstract org.springframework.security.authentication.AuthenticationProvider[]
    authenticationProviders()
    Provides authentication providers for this security configuration's authentication manager.
    protected org.springframework.security.config.annotation.web.builders.HttpSecurity
    base(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures the base configurations for the HTTP security.
    protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>
    cacheControl(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures Cache-Control header.
    protected void
    configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth)
    Configures the authentication manager.
    protected void
    configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures the HTTP security for the custom authentication.
    void
    configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
     
    protected abstract void
    configureSecurityFilters(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures custom security filters for the custom authentication.
    protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>
    contentTypeOptions(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures Content Type Options header.
    protected org.springframework.security.config.annotation.web.builders.HttpSecurity
    disableLogout(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Disables the logout for the HTTP security from setLogout(boolean).
    protected abstract org.springframework.security.web.AuthenticationEntryPoint
    entryPoint()
    Provides an authentication entry point to customize the authentication error handling.
    protected org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>
    errorHandling(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures the error handling for the HTTP security from entryPoint().
    protected org.springframework.security.config.annotation.web.builders.HttpSecurity
    headers(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures default security headers.
    protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>
    hsts(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures HTTP Strict Transport Security (HSTS) header.
    protected org.springframework.security.config.annotation.web.builders.HttpSecurity
    interceptUrl(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Sets the URL pattern for the HTTP security from setRootAuthUrl(String).
    protected org.springframework.security.config.annotation.web.builders.HttpSecurity
    secureChannel(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Sets the security channel for the HTTP security from setRequireHttps(boolean).
    org.springframework.security.web.SecurityFilterChain
    securityFilterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
     
    protected org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>
    sessions(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures HTTP session management for the HTTP security.
    protected void
    setLogout(boolean logout)
    Specifies whether this configuration is defined for logout.
    protected void
    setRequireHttps(boolean requireHttps)
    Specifies whether to require HTTPS for the custom authentication.
    protected void
    setRootAuthUrl(String rootAuthUrl)
    Specifies the root URL pattern for the custom authentication.
    org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer
    webSecurityCustomizer()
     
    protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>
    xFrameOptions(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures X-Frame-Options header.
    protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>
    xssProtection(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Configures X-XSS-Protection header.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • defaultRT

      @Autowired protected DefaultSecurityRuntime defaultRT
      Default security runtime properties. Properties set in 'rest-api-runtime.properties' will override the default values.
    • httpFirewall

      @Autowired protected org.springframework.security.web.firewall.HttpFirewall httpFirewall
  • Constructor Details

    • AbstractWebSecurity

      public AbstractWebSecurity()
    • AbstractWebSecurity

      public AbstractWebSecurity(boolean disableDefaults)
  • Method Details

    • authenticationProviders

      protected abstract org.springframework.security.authentication.AuthenticationProvider[] authenticationProviders()
      Provides authentication providers for this security configuration's authentication manager.
      Returns:
      authentication providers
    • configureSecurityFilters

      protected abstract void configureSecurityFilters(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures custom security filters for the custom authentication.
      Parameters:
      http - Spring HTTP security configuration instance
      Throws:
      Exception - when there are configuration errors
    • entryPoint

      protected abstract org.springframework.security.web.AuthenticationEntryPoint entryPoint() throws Exception
      Provides an authentication entry point to customize the authentication error handling.
      Returns:
      authentication entry point
      Throws:
      Exception - when there are configuration errors
    • setRootAuthUrl

      protected void setRootAuthUrl(String rootAuthUrl)
      Specifies the root URL pattern for the custom authentication. Defaults to DefaultSecurityRuntime.rootAuthUrl.
      Parameters:
      rootAuthUrl - root URL pattern
    • setRequireHttps

      protected void setRequireHttps(boolean requireHttps)
      Specifies whether to require HTTPS for the custom authentication. Defaults to false.
      Parameters:
      requireHttps - true to require HTTPS; false otherwise.
    • setLogout

      protected void setLogout(boolean logout)
      Specifies whether this configuration is defined for logout. Defaults to false.
      Parameters:
      logout - true if this is a logout configuration; false otherwise.
    • afterPropertiesSet

      public void afterPropertiesSet() throws Exception
      Sets properties after the bean initialization. An overriding method in a subclass must call "super.afterPropertiesSet()" before setting its own properties.
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Throws:
      Exception - for properties setting errors
    • configure

      protected void configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder auth) throws Exception
      Configures the authentication manager. Authentication providers from authenticationProviders() are added to the authentication manager in this method.
      Parameters:
      auth - the authentication manager builder
      Throws:
      Exception - when there are configuration errors
    • configure

      protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures the HTTP security for the custom authentication. Fundamental security configurations are applied to the input HTTP security. A subclass can completely override this method by following the Spring Security guide, but note that all fundamental security configurations provided by Documentum REST Services are then lost in the overriding method. Overriding this method in a custom authentication is therefore not recommended unless you are fully aware of the security internals.
      Parameters:
      http - HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • base

      protected org.springframework.security.config.annotation.web.builders.HttpSecurity base(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures the base configurations for the HTTP security. HTTP session creation is stateless. Spring's default CSRF configuration is disabled. Spring's default anonymous configuration is disabled.
      Parameters:
      http - HTTP security configuration
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • sessions

      protected org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity> sessions(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures HTTP session management for the HTTP security. HTTP session creation is stateless.
      Parameters:
      http - HTTP security configuration
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • headers

      protected org.springframework.security.config.annotation.web.builders.HttpSecurity headers(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures default security headers. By default, the following HTTP security headers are enabled:
      • HTTP Strict Transport Security (HSTS)
      • Cache Control
      • Content Type Options
      • X-Frame-Options
      • X-XSS-Protection
      Parameters:
      http - HTTP security configuration.
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • hsts

      protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity> hsts(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures HTTP Strict Transport Security (HSTS) header. By default, it is enabled. The following runtime properties are used for customizing this header:
      • rest.security.headers.hsts.disabled
      • rest.security.headers.hsts.include_sub_domains
      • rest.security.headers.hsts.max_age_in_seconds
      Please refer to "rest-api-runtime.properties.template" for details.
      Parameters:
      http - HTTP security configuration.
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • cacheControl

      protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity> cacheControl(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures Cache-Control header. By default, it is enabled. The following runtime properties are used for customizing this header:
      • rest.security.headers.cache_control.disabled
      Please refer to "rest-api-runtime.properties.template" for details.
      Parameters:
      http - HTTP security configuration.
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • contentTypeOptions

      protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity> contentTypeOptions(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures Content Type Options header. By default, it is enabled. The following runtime properties are used for customizing this header:
      • rest.security.headers.content_type_options.disabled
      Please refer to "rest-api-runtime.properties.template" for details.
      Parameters:
      http - HTTP security configuration.
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • xFrameOptions

      protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity> xFrameOptions(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures X-Frame-Options header. By default, it is enabled. The following runtime properties are used for customizing this header:
      • rest.security.headers.x_frame_options.disabled
      • rest.security.headers.x_frame_options.policy
      Please refer to "rest-api-runtime.properties.template" for details.
      Parameters:
      http - HTTP security configuration.
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • xssProtection

      protected org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity> xssProtection(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures X-XSS-Protection header. By default, it is enabled. The following runtime properties are used for customizing this header:
      • rest.security.headers.xss_protection.disabled
      • rest.security.headers.xss_protection.explicit_enable
      • rest.security.headers.xss_protection.block
      Please refer to "rest-api-runtime.properties.template" for details.
      Parameters:
      http - HTTP security configuration.
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • errorHandling

      protected org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity> errorHandling(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Configures the error handling for the HTTP security from entryPoint().
      Parameters:
      http - HTTP security configuration
      Returns:
      the customized HTTP security exception handling configuration
      Throws:
      Exception - when there are configuration errors
    • disableLogout

      protected org.springframework.security.config.annotation.web.builders.HttpSecurity disableLogout(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Disables the logout for the HTTP security from setLogout(boolean).
      Parameters:
      http - HTTP security configuration
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • interceptUrl

      protected org.springframework.security.config.annotation.web.builders.HttpSecurity interceptUrl(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Sets the URL pattern for the HTTP security from setRootAuthUrl(String).
      Parameters:
      http - HTTP security configuration
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • secureChannel

      protected org.springframework.security.config.annotation.web.builders.HttpSecurity secureChannel(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Sets the security channel for the HTTP security from setRequireHttps(boolean).
      Parameters:
      http - HTTP security configuration
      Returns:
      the customized HTTP security configuration
      Throws:
      Exception - when there are configuration errors
    • configure

      public void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
    • securityFilterChain

      public org.springframework.security.web.SecurityFilterChain securityFilterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Throws:
      Exception
    • webSecurityCustomizer

      public org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer webSecurityCustomizer()
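
An example subclass written against the signatures documented above; it is added here and is not code from Documentum REST Services. It trusts a user-name header set by an authenticating reverse proxy that overwrites any client-supplied copy. The class name, header name, URL pattern, the use of Spring's @Order and the locally built ProviderManager are assumptions, and the AuthSchemeProfile annotation and bean registration are left out because this page does not show them.

```java
import java.util.Arrays;

import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

import com.emc.documentum.rest.context.jc.AbstractWebSecurity;

@Order(50) // assumed to be Spring's @Order; the page requires a value from 1 to 98
public class GatewayHeaderWebSecurity extends AbstractWebSecurity { // hypothetical name

    @Override
    public void afterPropertiesSet() throws Exception {
        super.afterPropertiesSet();          // must run before our own settings
        setRootAuthUrl("/gateway-auth/**");  // hypothetical URL pattern
        setRequireHttps(true);               // the documented default is false
    }

    @Override
    protected AuthenticationProvider[] authenticationProviders() {
        // Accepts the principal extracted by the filter below; no password is checked here.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(token ->
                new User(token.getName(), "N/A", AuthorityUtils.createAuthorityList("ROLE_USER")));
        return new AuthenticationProvider[] { provider };
    }

    @Override
    protected void configureSecurityFilters(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader("X-Gateway-User"); // hypothetical header name
        filter.setExceptionIfHeaderMissing(false);          // let entryPoint() answer instead
        // Assumption: a local manager over the same providers, since the page does not
        // show how to obtain the manager built by configure(AuthenticationManagerBuilder).
        filter.setAuthenticationManager(new ProviderManager(Arrays.asList(authenticationProviders())));
        http.addFilter(filter); // ordered by Spring at its pre-authentication filter position
    }

    @Override
    protected AuthenticationEntryPoint entryPoint() {
        // Unauthenticated requests get a bare 401 rather than a redirect or login page.
        return new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
    }
}
```

configure(HttpSecurity) is deliberately not overridden, so the stateless sessions and default security headers described above stay in place.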