Spring Security + Thymeleaf (CSRF) (#695)

* Expression-Based Access Control

PermitAll, hasRole, hasAnyRole etc.
I modified classes regards to Security

* Added test cases for Spring Security Expressions

* Handler Interceptor - logging example

* Test for logger interceptor

* Removed conflicted part

* UserInterceptor (adding user information to model)

* Spring Handler Interceptor - session timers

* Spring Security CSRF attack protection with Thymeleaf

spring-thymeleaf/src/main/java/com/baeldung/thymeleaf/config/InitSecurity.java

@@ -0,0 +1,11 @@
+package com.baeldung.thymeleaf.config;
+
+import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
+
+public class InitSecurity extends AbstractSecurityWebApplicationInitializer {
+
+    public InitSecurity() {
+        super(WebMVCSecurity.class);
+
+    }
+}

spring-thymeleaf/src/main/java/com/baeldung/thymeleaf/config/WebApp.java

@@ -20,7 +20,7 @@ public class WebApp extends AbstractAnnotationConfigDispatcherServletInitializer
 
 	@Override
 	protected Class<?>[] getServletConfigClasses() {
-		return new Class<?>[] { WebMVCConfig.class };
+		return new Class<?>[] { WebMVCConfig.class, WebMVCSecurity.class, InitSecurity.class };
 	}
 
 	@Override

spring-thymeleaf/src/main/java/com/baeldung/thymeleaf/config/WebMVCConfig.java

@@ -1,6 +1,5 @@
 package com.baeldung.thymeleaf.config;
 
-import com.baeldung.thymeleaf.formatter.NameFormatter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
@@ -14,6 +13,8 @@ import org.thymeleaf.spring4.SpringTemplateEngine;
 import org.thymeleaf.spring4.view.ThymeleafViewResolver;
 import org.thymeleaf.templateresolver.ServletContextTemplateResolver;
 
+import com.baeldung.thymeleaf.formatter.NameFormatter;
+
 @Configuration
 @EnableWebMvc
 @ComponentScan({ "com.baeldung.thymeleaf" })

spring-thymeleaf/src/main/java/com/baeldung/thymeleaf/config/WebMVCSecurity.java

@@ -0,0 +1,50 @@
+package com.baeldung.thymeleaf.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
+public class WebMVCSecurity extends WebSecurityConfigurerAdapter {
+	
+    @Bean
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+
+    public WebMVCSecurity() {
+        super();
+    }
+
+    @Override
+    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
+        auth.inMemoryAuthentication().withUser("user1").password("user1Pass").authorities("ROLE_USER");
+    }
+
+    @Override
+    public void configure(final WebSecurity web) throws Exception {
+        web.ignoring().antMatchers("/resources/**");
+    }
+
+    @Override
+    protected void configure(final HttpSecurity http) throws Exception {
+        http
+        .authorizeRequests()
+        .anyRequest()
+        .authenticated()
+        .and()
+        .httpBasic()
+        .and()
+        ;
+    }
+
+}

spring-thymeleaf/src/main/webapp/WEB-INF/views/csrfAttack.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
+</head>
+<body>
+<form action="http://localhost:8080/spring-thymeleaf/saveStudent" method="post">
+    <input type="hidden" name="payload" value="CSRF attack!"/>
+    <input type="submit" />
+</form>
+</body>
+</html>