added securing methods of services,

MrChebik · MrChebik · commit 6b59bede7e2f · 2017-02-07T17:40:06.000+02:00
fix creation of user -- user have one role, ROLE_USER
diff --git a/pom.xml b/pom.xml
@@ -56,6 +56,11 @@
             <artifactId>joda-time-hibernate</artifactId>
             <version>1.4</version>
         </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>19.0</version>
+        </dependency>
         <!-- SMTP -->
         <dependency>
             <groupId>com.sun.mail</groupId>
@@ -120,6 +125,11 @@
             <artifactId>spring-security-web</artifactId>
             <version>4.2.1.RELEASE</version>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-taglibs</artifactId>
+            <version>4.2.1.RELEASE</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>
diff --git a/src/main/java/ru/mrchebik/service/CategoryService.java b/src/main/java/ru/mrchebik/service/CategoryService.java
@@ -1,5 +1,6 @@
 package ru.mrchebik.service;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import ru.mrchebik.model.Category;
 
 import java.util.List;
@@ -8,12 +9,24 @@
  * Created by mrchebik on 14.01.17.
  */
 public interface CategoryService {
+    @PreAuthorize("hasRole('ROLE_USER')")
     void add(Category category);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void edit(String name, long categoryId);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     Category findById(long id);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     Category findByParentIdThroughCategoryId(long parentId, long userId);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     List<Category> findByParentId(long parentId, long userId);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     List<Category> findAll(long userId);
-    long findMaxLevel(long userId);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void remove(long id);
 }
diff --git a/src/main/java/ru/mrchebik/service/CommentService.java b/src/main/java/ru/mrchebik/service/CommentService.java
@@ -1,5 +1,6 @@
 package ru.mrchebik.service;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import ru.mrchebik.model.Comment;
 
 import java.util.List;
@@ -8,9 +9,18 @@
  * Created by mrchebik on 14.01.17.
  */
 public interface CommentService {
+    @PreAuthorize("hasRole('ROLE_USER')")
     Comment addComment(Comment comment);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void editComment(Comment comment);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     Comment findComment(long id);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     List<Comment> findComments(long id);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void removeComment(long id);
 }
diff --git a/src/main/java/ru/mrchebik/service/PostService.java b/src/main/java/ru/mrchebik/service/PostService.java
@@ -1,5 +1,6 @@
 package ru.mrchebik.service;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import ru.mrchebik.model.Post;
 
 import java.util.List;
@@ -8,9 +9,18 @@
  * Created by mrchebik on 14.01.17.
  */
 public interface PostService {
+    @PreAuthorize("hasRole('ROLE_USER')")
     Post add(Post post);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     long findLastPostId(long userId);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     List<Post> findPosts(long userId);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     Post findPost(long postId);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void remove(long id);
 }
diff --git a/src/main/java/ru/mrchebik/service/ReaderService.java b/src/main/java/ru/mrchebik/service/ReaderService.java
@@ -1,5 +1,6 @@
 package ru.mrchebik.service;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import ru.mrchebik.model.Reader;
 
 import java.util.List;
@@ -8,9 +9,18 @@
  * Created by mrchebik on 03.02.17.
  */
 public interface ReaderService {
+    @PreAuthorize("hasRole('ROLE_USER')")
     void add(Reader reader);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     Reader findOne(long userIdMain, long userIdFollower);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     List<Reader> findAllMain(long userIdMain);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     List<Reader> findAllFollower(long userIdMain);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void delete(long id);
 }
diff --git a/src/main/java/ru/mrchebik/service/SecurityService.java b/src/main/java/ru/mrchebik/service/SecurityService.java
@@ -4,6 +4,5 @@
  * Created by mrchebik on 15.01.17.
  */
 public interface SecurityService {
-    String findLoggedInUsername();
     void autologin(final String username, final String password);
 }
diff --git a/src/main/java/ru/mrchebik/service/UserService.java b/src/main/java/ru/mrchebik/service/UserService.java
@@ -1,20 +1,32 @@
 package ru.mrchebik.service;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import ru.mrchebik.model.User;
 
-import java.util.List;
-
 /**
  * Created by mrchebik on 14.01.17.
  */
 public interface UserService {
     User add(User user);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void changeUsername(String email, String username);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void changePassword(String email, String password);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void changeEmail(String email, String newEmail);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     User findOne(long userId);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     User findByEmail(String email);
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     User findByUsername(String username);
-    List<User> findUsers();
+
+    @PreAuthorize("hasRole('ROLE_USER')")
     void remove(long id);
 }
diff --git a/src/main/java/ru/mrchebik/service/impl/CategoryServiceImpl.java b/src/main/java/ru/mrchebik/service/impl/CategoryServiceImpl.java
@@ -50,11 +50,6 @@ public List<Category> findAll(long userId) {
         return categoryRepository.findAll(userId);
     }
 
-    @Override
-    public long findMaxLevel(long userId) {
-        return (long) categoryRepository.findMaxLevel(userId);
-    }
-
     @Override
     public void remove(long id) {
         categoryRepository.delete(id);
diff --git a/src/main/java/ru/mrchebik/service/impl/SecurityServiceImpl.java b/src/main/java/ru/mrchebik/service/impl/SecurityServiceImpl.java
@@ -4,7 +4,6 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Service;
 import ru.mrchebik.service.SecurityService;
 
@@ -18,16 +17,6 @@ public class SecurityServiceImpl implements SecurityService {
     @Resource
     private AuthenticationManager authenticationManager;
 
-    @Override
-    public String findLoggedInUsername() {
-        Object userDetails = SecurityContextHolder.getContext().getAuthentication().getDetails();
-        if (userDetails instanceof UserDetails) {
-            return ((UserDetails)userDetails).getUsername();
-        }
-
-        return null;
-    }
-
     @Override
     public void autologin(final String username, final String password) {
         UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);
diff --git a/src/main/java/ru/mrchebik/service/impl/UserServiceImpl.java b/src/main/java/ru/mrchebik/service/impl/UserServiceImpl.java
@@ -1,6 +1,6 @@
 package ru.mrchebik.service.impl;
 
-import org.springframework.security.access.prepost.PreAuthorize;
+import com.google.common.collect.Sets;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.stereotype.Repository;
 import org.springframework.stereotype.Service;
@@ -11,8 +11,6 @@
 import ru.mrchebik.service.UserService;
 
 import javax.annotation.Resource;
-import java.util.HashSet;
-import java.util.List;
 
 /**
  * Created by mrchebik on 14.01.17.
@@ -31,7 +29,7 @@ public class UserServiceImpl implements UserService {
     @Override
     public User add(User user) {
         user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));
-        user.setRoles(new HashSet<>(roleRepository.findAll()));
+        user.setRoles(Sets.newHashSet(roleRepository.findOne(1L)));
         return userRepository.saveAndFlush(user);
     }
 
@@ -68,12 +66,6 @@ public User findByEmail(String email) {
     }
 
     @Override
-    public List<User> findUsers() {
-        return userRepository.findAll();
-    }
-
-    @Override
-    @PreAuthorize("hasRole('ROLE_ADMIN')")
     public void remove(long id) {
         userRepository.delete(id);
     }
diff --git a/src/main/webapp/WEB-INF/spring/appServlet/security-context.xml b/src/main/webapp/WEB-INF/spring/appServlet/security-context.xml
@@ -2,7 +2,6 @@
 <beans:beans xmlns="http://www.springframework.org/schema/security"
              xmlns:beans="http://www.springframework.org/schema/beans"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-             xmlns:security="http://www.springframework.org/schema/c"
              xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
 
@@ -13,8 +12,6 @@
         <beans:constructor-arg name="strength" value="11" />
     </beans:bean>
 
-    <global-method-security secured-annotations="enabled" />
-
     <http auto-config="true" >
         <intercept-url pattern="/blog/**" access="authenticated" />
         <intercept-url pattern="/auth/**" access="permitAll" />
diff --git a/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml b/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml
@@ -6,6 +6,7 @@
        xmlns:jpa="http://www.springframework.org/schema/data/jpa"
        xmlns:tx="http://www.springframework.org/schema/tx"
        xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:aop="http://www.springframework.org/schema/aop"
+       xmlns:security="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/mvc
     http://www.springframework.org/schema/mvc/spring-mvc.xsd
     http://www.springframework.org/schema/tx
@@ -15,7 +16,11 @@
     http://www.springframework.org/schema/context
     http://www.springframework.org/schema/context/spring-context.xsd
     http://www.springframework.org/schema/data/jpa
-    http://www.springframework.org/schema/data/jpa/spring-jpa.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd">
+    http://www.springframework.org/schema/data/jpa/spring-jpa.xsd
+    http://www.springframework.org/schema/aop
+    http://www.springframework.org/schema/aop/spring-aop.xsd
+    http://www.springframework.org/schema/security
+    http://www.springframework.org/schema/security/spring-security.xsd">
 
     <bean id="userSession" class="ru.mrchebik.session.UserSession" scope="session">
         <aop:scoped-proxy/>
@@ -66,4 +71,6 @@
 
     <tx:annotation-driven transaction-manager="transactionManager"/>
 
+    <security:global-method-security pre-post-annotations="enabled" />
+
 </beans>

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,5 @@`
`4`	`4`	`* Created by mrchebik on 15.01.17.`
`5`	`5`	`*/`
`6`	`6`	`public interface SecurityService {`
`7`		`- String findLoggedInUsername();`
`8`	`7`	`void autologin(final String username, final String password);`
`9`	`8`	`}`