1010import org .springframework .security .config .annotation .method .configuration .EnableMethodSecurity ;
1111import org .springframework .security .config .annotation .web .builders .HttpSecurity ;
1212import org .springframework .security .config .annotation .web .configuration .EnableWebSecurity ;
13+ import org .springframework .security .config .annotation .web .configurers .AbstractHttpConfigurer ;
1314import org .springframework .security .config .http .SessionCreationPolicy ;
1415import org .springframework .security .data .repository .query .SecurityEvaluationContextExtension ;
1516import org .springframework .security .web .SecurityFilterChain ;
@@ -27,24 +28,44 @@ public class WebSecurityConfig {
2728 @ Bean
2829 protected SecurityFilterChain securityFilterChain (HttpSecurity http ) throws Exception {
2930 http .authorizeHttpRequests ((auth ) -> auth
30- .requestMatchers (HttpMethod .GET , "/identity" ).authenticated ()
31- .requestMatchers (HttpMethod .GET , "/users" ).authenticated ()
32- .requestMatchers (HttpMethod .POST , "/users" ).anonymous ()
33- .requestMatchers (HttpMethod .POST , "/users/*" ).denyAll ()
34- .requestMatchers (HttpMethod .POST , "/projects" ).authenticated ()
35- .requestMatchers (HttpMethod .PUT , "/projects/*" ).authenticated ()
36- .requestMatchers (HttpMethod .DELETE , "/projects/*" ).authenticated ()
37- .requestMatchers (HttpMethod .POST , "/*/*" ).authenticated ()
38- .requestMatchers (HttpMethod .PUT , "/*/*" ).authenticated ()
39- .requestMatchers (HttpMethod .PATCH , "/*/*" ).authenticated ()
40- .requestMatchers (HttpMethod .DELETE , "/*/*" ).authenticated ()
41- .requestMatchers (HttpMethod .GET , "/portfolios/search/findByVisibility" ).permitAll ()
42- .requestMatchers (HttpMethod .GET , "/portfolios/**" ).authenticated ()
43- .anyRequest ().permitAll ())
44- .csrf ((csrf ) -> csrf .disable ())
45- .sessionManagement ((session ) -> session .sessionCreationPolicy (SessionCreationPolicy .STATELESS ))
46- .cors ((cors ) -> cors .configurationSource (corsConfigurationSource ()))
47- .httpBasic ((httpBasic ) -> httpBasic .realmName ("demo" ));
31+ .requestMatchers (HttpMethod .GET , "/identity" ).authenticated ()
32+ // Users
33+ .requestMatchers (HttpMethod .GET , "/users" ).authenticated ()
34+ .requestMatchers (HttpMethod .POST , "/users" ).anonymous ()
35+ .requestMatchers (HttpMethod .GET , "/users/{username}" ).anonymous ()
36+ .requestMatchers (HttpMethod .POST , "/users/*" ).denyAll ()
37+ //Admins
38+ .requestMatchers (HttpMethod .GET , "/admins" ).hasRole ("ADMIN" )
39+ .requestMatchers (HttpMethod .POST , "/admins" ).hasRole ("ADMIN" )
40+ .requestMatchers (HttpMethod .GET , "/admins/{username}" ).hasRole ("ADMIN" )
41+ .requestMatchers (HttpMethod .POST , "/admins/*/suspend" ).hasRole ("ADMIN" )
42+ .requestMatchers (HttpMethod .POST , "/admins/*" ).denyAll ()
43+ //Creators
44+ .requestMatchers (HttpMethod .GET , "/creators" ).permitAll ()
45+ .requestMatchers (HttpMethod .POST , "/creators" ).permitAll ()
46+ .requestMatchers (HttpMethod .GET , "/creators/{username}" ).permitAll ()
47+ .requestMatchers (HttpMethod .PUT , "/creators/{username}" ).hasRole ("ADMIN" )
48+ .requestMatchers (HttpMethod .POST , "/creators/*" ).hasRole ("ADMIN" )
49+ //Projects
50+ .requestMatchers (HttpMethod .POST , "/projects" ).authenticated ()
51+ .requestMatchers (HttpMethod .PUT , "/projects/*" ).authenticated ()
52+ .requestMatchers (HttpMethod .DELETE , "/projects/*" ).authenticated ()
53+ //Portfolios
54+ .requestMatchers (HttpMethod .GET , "/portfolios/search/findByVisibility" ).permitAll ()
55+ .requestMatchers (HttpMethod .GET , "/portfolios/**" ).authenticated ()
56+ //Profile
57+ .requestMatchers (HttpMethod .POST , "/profiles" ).hasRole ("CREATOR" )
58+ //Default
59+ .requestMatchers (HttpMethod .POST , "/*/*" ).authenticated ()
60+ .requestMatchers (HttpMethod .PUT , "/*/*" ).authenticated ()
61+ .requestMatchers (HttpMethod .PATCH , "/*/*" ).authenticated ()
62+ .requestMatchers (HttpMethod .DELETE , "/*/*" ).authenticated ()
63+ .anyRequest ().permitAll ())
64+ .csrf (AbstractHttpConfigurer ::disable )
65+ .sessionManagement ((session ) ->
66+ session .sessionCreationPolicy (SessionCreationPolicy .STATELESS ))
67+ .cors ((cors ) -> cors .configurationSource (corsConfigurationSource ()))
68+ .httpBasic ((httpBasic ) -> httpBasic .realmName ("demo" ));
4869 return http .build ();
4970 }
5071
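Review bot: The new role-gated sections at gutter lines 37–48 only cover GET and POST, so PUT, PATCH and DELETE on `/admins/{username}` and `/creators/{username}` fall through to the `/*/*` defaults at gutter lines 59–62 and are granted to any authenticated principal, not just ADMIN; unless `@EnableMethodSecurity` annotations on those controllers close the gap, a catch-all such as `.requestMatchers("/admins/**").hasRole("ADMIN")` placed after the specific admin rules (and the analogous one for `/creators/**`) would make the filter chain deny by default for those resources. Separately, the added `.requestMatchers(HttpMethod.GET, "/users/{username}").anonymous()` at gutter line 35 admits only unauthenticated callers, so a logged-in user requesting that path receives 403; if the intent was "open to everyone", `.permitAll()` is the matcher that expresses it. `hasRole("ADMIN")`/`hasRole("CREATOR")` presumably assume authorities carry the `ROLE_` prefix — worth confirming against the UserDetailsService, which is outside this hunk.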