EN · DE · RU · FR · ES
← Index · ← File index · ← Prev · Next → · 📄 source

#309: SpringSecurityConfig.kt

projectforge-application/src/main/kotlin/org/projectforge/security/SpringSecurityConfig.kt Type: Kotlin · Role: Security · Source: projectforge-application/src/main/kotlin/org/projectforge/security/SpringSecurityConfig.kt 93 lines · 57 code · 29 comments · 7 blank
Source code file at projectforge-application/src/main/kotlin/org/projectforge/security/SpringSecurityConfig.kt containing Kotlin code for the Security layer.

Code Structure

Annotations: Bean, Configuration, Throws, Override

Classes: SpringSecurityConfig

Spring Beans: allowWebDavMethodsFirewall, passwordEncoder

Functions (4): securityFilterChain, allowWebDavMethodsFirewall, userDetailsService, passwordEncoder

Properties (2): firewall, manager

Imports: 13 packages

Package: org.projectforge.security

Source Code (abridged)

package org.projectforge.security

import org.projectforge.framework.utils.NumberHelper
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.provisioning.InMemoryUserDetailsManager
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.firewall.HttpFirewall
import org.springframework.security.web.firewall.StrictHttpFirewall


@Configuration
open class SpringSecurityConfig {
    @Bean
    @Throws(Exception::class)
    open fun securityFilterChain(http: HttpSecurity, firewall: HttpFirewall): SecurityFilterChain {
        http
            .authorizeHttpRequests(Customizer { authorize ->
                authorize
                    .anyRequest().permitAll()
            } // Allow all requests without Authentication
            )
            .csrf({ csrf -> csrf.disable() }) // CSRF ist done by PF.
        // Configure the firewall to allow WebDAV methods:
        http.setSharedObject(HttpFirewall::class.java, firewall)
        return http.build()
    }

    @Bean
    open fun allowWebDavMethodsFirewall(): HttpFirewall {
        val firewall = StrictHttpFirewall()
        // HTTP-Methoden für WebDAV explizit erlauben
        firewall.setAllowedHttpMethods(
            listOf(
                "GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD",
                "PROPFIND", "REPORT", //"PROPPATCH", "MKCOL", "COPY", "MOVE",
                //"LOCK", "UNLOCK", "REPORT"
            )
        )
        return firewall
    }

    @Bean
    @Override
    open fun userDetailsService(): UserDetailsService {
        /**
         * The password is generated randomly and is not stored in the database.
         * Users aren't supported, random password is better than default password, just in case.
         */
        val manager = InMemoryUserDetailsManager();
        manager.createUser(
            User.withUsername("user")
                .password(passwordEncoder().encode(NumberHelper.getSecureRandomAlphanumeric(20)))
                .roles("USER")
                .build()
        );
        return manager;
    }

    @Bean
    open fun passwordEncoder(): PasswordEncoder {
        return BCryptPasswordEncoder();
    }
}

Git History

868d6abb7 2025 -> 2026
63081666f Source file headers: 2024-> 2025.
953455ae5 WIP: Carddav
7f2c255ae WIP: CardDav
921638f43 WIP