Add method security web sample

Useful sample for common use case where user adds custom Authentication,
a form login, *and* global method security all the the same application.

spring-boot-samples/pom.xml

@@ -33,6 +33,7 @@
 		<module>spring-boot-sample-simple</module>
 		<module>spring-boot-sample-tomcat</module>
 		<module>spring-boot-sample-traditional</module>
+		<module>spring-boot-sample-web-method-security</module>
 		<module>spring-boot-sample-web-secure</module>
 		<module>spring-boot-sample-web-static</module>
 		<module>spring-boot-sample-web-jsp</module>

spring-boot-samples/spring-boot-sample-web-method-security/pom.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<!-- Your own application should inherit from spring-boot-starter-parent -->
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-samples</artifactId>
+		<version>1.0.0.BUILD-SNAPSHOT</version>
+	</parent>
+	<artifactId>spring-boot-sample-web-method-security</artifactId>
+	<packaging>jar</packaging>
+	<properties>
+		<main.basedir>${basedir}/../..</main.basedir>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>${project.groupId}</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>${project.groupId}</groupId>
+			<artifactId>spring-boot-starter-thymeleaf</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>${project.groupId}</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+</project>

spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/ui/method/SampleMethodSecurityApplication.java

+/*
+ * Copyright 2012-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.ui.method;
+
+import java.util.Date;
+import java.util.Map;
+
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+
+@EnableAutoConfiguration
+@ComponentScan
+@EnableGlobalMethodSecurity(securedEnabled = true)
+public class SampleMethodSecurityApplication extends WebMvcConfigurerAdapter {
+
+	@Controller
+	protected static class HomeController {
+
+		@RequestMapping("/")
+		@Secured("ROLE_ADMIN")
+		public String home(Map<String, Object> model) {
+			model.put("message", "Hello World");
+			model.put("title", "Hello Home");
+			model.put("date", new Date());
+			return "home";
+		}
+
+	}
+
+	public static void main(String[] args) throws Exception {
+		new SpringApplicationBuilder(SampleMethodSecurityApplication.class).run(args);
+	}
+
+	@Override
+	public void addViewControllers(ViewControllerRegistry registry) {
+		registry.addViewController("/login").setViewName("login");
+		registry.addViewController("/access").setViewName("access");
+	}
+
+	@Bean
+	public ApplicationSecurity applicationSecurity() {
+		return new ApplicationSecurity();
+	}
+
+	@Order(Ordered.LOWEST_PRECEDENCE - 8)
+	protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
+
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+			// @formatter:off
+			auth.inMemoryAuthentication()
+				.withUser("admin").password("admin").roles("ADMIN", "USER")
+			.and()
+				.withUser("user").password("user").roles("USER");
+			// @formatter:on
+		}
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeRequests()
+					.antMatchers("/login").permitAll()
+					.anyRequest().fullyAuthenticated()
+			.and()
+				.formLogin().loginPage("/login").failureUrl("/login?error")
+			.and()
+				.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
+			.and()
+				.exceptionHandling().accessDeniedPage("/access?error");
+			// @formatter:on
+		}
+
+	}
+
+}

spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/application.properties

+spring.thymeleaf.cache: false
+debug: true

spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/logback.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+	<include resource="org/springframework/boot/logging/logback/base.xml"/>	
+	<!-- logger name="org.springframework.boot" level="DEBUG"/-->
+	<logger name="org.springframework.security" level="DEBUG"/>
+</configuration>

spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/access.html

+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+<title>Error</title>
+<link rel="stylesheet" th:href="@{/css/bootstrap.min.css}"
+	href="../../css/bootstrap.min.css" />
+</head>
+<body>
+	<div class="container">
+		<div class="navbar">
+			<div class="navbar-inner">
+				<a class="brand" href="http://www.thymeleaf.org"> Thymeleaf -
+					Plain </a>
+				<ul class="nav">
+					<li><a th:href="@{/}" href="home.html"> Home </a></li>
+					<li><a th:href="@{/logout}" href="logout"> Logout </a></li>
+				</ul>
+			</div>
+		</div>
+		<h1 th:text="${title}">Title</h1>
+		<p class="alert alert-error">Access denied:
+			you do not have permission for that resource</p>
+		<div th:text="${message}">Fake content</div>
+		<div>Please contact the operator with the above information.</div>
+	</div>
+</body>
+</html>

spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/error.html

+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+<title>Error</title>
+<link rel="stylesheet" th:href="@{/css/bootstrap.min.css}"
+	href="../../css/bootstrap.min.css" />
+</head>
+<body>
+	<div class="container">
+		<div class="navbar">
+			<div class="navbar-inner">
+				<a class="brand" href="http://www.thymeleaf.org"> Thymeleaf -
+					Plain </a>
+				<ul class="nav">
+					<li><a th:href="@{/}" href="home.html"> Home </a></li>
+					<li><a th:href="@{/logout}" href="logout"> Logout </a></li>
+				</ul>
+			</div>
+		</div>
+		<h1 th:text="${title}">Title</h1>
+		<div id="created" th:text="${#dates.format(timestamp)}">July 11,
+			2012 2:17:16 PM CDT</div>
+		<div>
+			There was an unexpected error (type=<span th:text="${error}">Bad</span>, status=<span th:text="${status}">500</span>).
+		</div>
+		<div th:text="${message}">Fake content</div>
+		<div>
+			Please contact the operator with the above information.
+		</div>
+	</div>
+</body>
+</html>

spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/home.html

+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+<title th:text="${title}">Title</title>
+<link rel="stylesheet" th:href="@{/css/bootstrap.min.css}"
+	href="../../css/bootstrap.min.css" />
+</head>
+<body>
+	<div class="container">
+		<div class="navbar">
+			<div class="navbar-inner">
+				<a class="brand" href="http://www.thymeleaf.org"> Thymeleaf -
+					Plain </a>
+				<ul class="nav">
+					<li><a th:href="@{/}" href="home.html"> Home </a></li>
+					<li><a th:href="@{/logout}" href="logout"> Logout </a></li>
+				</ul>
+			</div>
+		</div>
+		<h1 th:text="${title}">Title</h1>
+		<div th:text="${message}">Fake content</div>
+		<div id="created" th:text="${#dates.format(date)}">July 11,
+			2012 2:17:16 PM CDT</div>
+	</div>
+</body>
+</html>

spring-boot-samples/spring-boot-sample-web-method-security/src/main/resources/templates/login.html

+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+<title>Login</title>
+<link rel="stylesheet" th:href="@{/css/bootstrap.min.css}"
+	href="../../css/bootstrap.min.css" />
+</head>
+<body onload="document.f.username.focus();">
+	<div class="container">
+		<div class="navbar">
+			<div class="navbar-inner">
+				<a class="brand" href="http://www.thymeleaf.org"> Thymeleaf -
+					Plain </a>
+				<ul class="nav">
+					<li><a th:href="@{/}" href="home.html"> Home </a></li>
+				</ul>
+			</div>
+		</div>
+		<div class="content">
+			<p th:if="${param.logout}" class="alert">You have been logged out</p>
+			<p th:if="${param.error}" class="alert alert-error">There was an error, please try again</p>
+			<h2>Login with Username and Password</h2>
+			<form name="form" action="/login" method="POST">
+				<fieldset>
+					<input type="text" name="username" value="" placeholder="Username" />
+					<input type="password" name="password" placeholder="Password" />
+				</fieldset>
+				<input type="submit" id="login" value="Login"
+					class="btn btn-primary" /> <input type="hidden"
+					th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
+			</form>
+		</div>
+	</div>
+</body>
+</html>
\ No newline at end of file

spring-boot-samples/spring-boot-sample-web-method-security/src/test/java/sample/ui/method/SampleMethodSecurityApplicationTests.java

+/*
+ * Copyright 2012-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.ui.method;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.concurrent.Callable;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.boot.SpringApplication;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.client.ClientHttpResponse;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.client.DefaultResponseErrorHandler;
+import org.springframework.web.client.RestTemplate;
+
+/**
+ * Basic integration tests for demo application.
+ * 
+ * @author Dave Syer
+ */
+public class SampleMethodSecurityApplicationTests {
+
+	private static ConfigurableApplicationContext context;
+
+	@BeforeClass
+	public static void start() throws Exception {
+		Future<ConfigurableApplicationContext> future = Executors
+				.newSingleThreadExecutor().submit(
+						new Callable<ConfigurableApplicationContext>() {
+							@Override
+							public ConfigurableApplicationContext call() throws Exception {
+								return SpringApplication
+										.run(SampleMethodSecurityApplication.class);
+							}
+						});
+		context = future.get(60, TimeUnit.SECONDS);
+	}
+
+	@AfterClass
+	public static void stop() {
+		if (context != null) {
+			context.close();
+		}
+	}
+
+	@Test
+	public void testHome() throws Exception {
+		HttpHeaders headers = new HttpHeaders();
+		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
+		ResponseEntity<String> entity = getRestTemplate().exchange(
+				"http://localhost:8080", HttpMethod.GET, new HttpEntity<Void>(headers),
+				String.class);
+		assertEquals(HttpStatus.OK, entity.getStatusCode());
+		assertTrue("Wrong body (title doesn't match):\n" + entity.getBody(), entity
+				.getBody().contains("<title>Login"));
+	}
+
+	@Test
+	public void testLogin() throws Exception {
+		HttpHeaders headers = new HttpHeaders();
+		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
+		MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
+		form.set("username", "admin");
+		form.set("password", "admin");
+		getCsrf(form, headers);
+		ResponseEntity<String> entity = getRestTemplate().exchange(
+				"http://localhost:8080/login", HttpMethod.POST,
+				new HttpEntity<MultiValueMap<String, String>>(form, headers),
+				String.class);
+		assertEquals(HttpStatus.FOUND, entity.getStatusCode());
+		assertEquals("http://localhost:8080/", entity.getHeaders().getLocation()
+				.toString());
+	}
+
+	@Test
+	public void testDenied() throws Exception {
+		HttpHeaders headers = new HttpHeaders();
+		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
+		MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
+		form.set("username", "user");
+		form.set("password", "user");
+		getCsrf(form, headers);
+		ResponseEntity<String> entity = getRestTemplate().exchange(
+				"http://localhost:8080/login", HttpMethod.POST,
+				new HttpEntity<MultiValueMap<String, String>>(form, headers),
+				String.class);
+		assertEquals(HttpStatus.FOUND, entity.getStatusCode());
+		String cookie = entity.getHeaders().getFirst("Set-Cookie");
+		headers.set("Cookie", cookie);
+		ResponseEntity<String> page = getRestTemplate().exchange(
+				entity.getHeaders().getLocation(), HttpMethod.GET,
+				new HttpEntity<Void>(headers), String.class);
+		assertEquals(HttpStatus.FORBIDDEN, page.getStatusCode());
+		assertTrue("Wrong body (message doesn't match):\n" + entity.getBody(), page
+				.getBody().contains("Access denied"));
+	}
+
+	private void getCsrf(MultiValueMap<String, String> form, HttpHeaders headers) {
+		ResponseEntity<String> page = getRestTemplate().getForEntity(
+				"http://localhost:8080/login", String.class);
+		String cookie = page.getHeaders().getFirst("Set-Cookie");
+		headers.set("Cookie", cookie);
+		String body = page.getBody();
+		Matcher matcher = Pattern.compile("(?s).*name=\"_csrf\".*?value=\"([^\"]+).*")
+				.matcher(body);
+		matcher.find();
+		form.set("_csrf", matcher.group(1));
+	}
+
+	private RestTemplate getRestTemplate() {
+		RestTemplate restTemplate = new RestTemplate();
+		restTemplate.setErrorHandler(new DefaultResponseErrorHandler() {
+			@Override
+			public void handleError(ClientHttpResponse response) throws IOException {
+			}
+		});
+		return restTemplate;
+
+	}
+
+}