-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathWebSecurityConfig.java
More file actions
61 lines (55 loc) · 2.91 KB
/
Copy pathWebSecurityConfig.java
File metadata and controls
61 lines (55 loc) · 2.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
package cat.udl.eps.softarch.demo.config;
import java.util.Arrays;
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class WebSecurityConfig {
@Value("${allowed-origins}")
String[] allowedOrigins;
@Bean
protected SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests((auth) -> auth
.requestMatchers(HttpMethod.GET, "/identity").authenticated()
.requestMatchers(HttpMethod.POST, "/users").anonymous()
.requestMatchers(HttpMethod.POST, "/users/*").denyAll()
.requestMatchers(HttpMethod.POST, "/*").authenticated()
.requestMatchers(HttpMethod.PUT, "/*/*").authenticated()
.requestMatchers(HttpMethod.PATCH, "/*/*").authenticated()
.requestMatchers(HttpMethod.DELETE, "/*/*").authenticated()
.anyRequest().permitAll())
.csrf((csrf) -> csrf.disable())
.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.cors((cors) -> cors.configurationSource(corsConfigurationSource()))
.httpBasic((httpBasic) -> httpBasic.realmName("demo"));
return http.build();
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.setAllowedOriginPatterns(Arrays.asList(allowedOrigins));
corsConfiguration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
corsConfiguration.setAllowedHeaders(List.of("*"));
corsConfiguration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", corsConfiguration);
return source;
}
@Bean
public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
return new SecurityEvaluationContextExtension();
}
}