
Revize 4afeda3d

Přidáno uživatelem Jakub Šmíd před asi 2 roky(ů)

Checked, added and fixed rights to endpoints

re #9511


backend/src/main/java/cz/zcu/kiv/backendapi/security/SecurityConfig.java
21 21
import org.springframework.web.cors.CorsConfigurationSource;
22 22
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
23 23

  
24
import java.util.HashMap;
25
import java.util.Map;
26

  
24 27
/**
25 28
 * Security config class
26 29
 */
......
28 31
@EnableWebSecurity
29 32
@RequiredArgsConstructor
30 33
public class SecurityConfig extends WebSecurityConfigurerAdapter {
34

  
35
    /**
36
     * Map of permitted endpoints with HTTP method (user does not need to be authenticated perform the request)
37
     */
38
    private static final Map<String, HttpMethod> PERMITTED_ENDPOINTS;
39

  
31 40
    /**
32 41
     * User detail service
33 42
     */
......
43 52
     */
44 53
    private final JwtUtils jwtUtils;
45 54

  
46
    /**
47
     * List of permitted pages without login
48
     */
49
    private final String[] permittedUrls = new String[]{"/login", "/users/token", "/swagger-ui/**",
50
            "/swagger-ui.html", "/v3/api-docs", "/v3/api-docs/swagger-config"};
55
    static {
56
        PERMITTED_ENDPOINTS = new HashMap<>();
57
        PERMITTED_ENDPOINTS.put("/login", HttpMethod.POST);
58
        PERMITTED_ENDPOINTS.put("/users/token", HttpMethod.GET);
59
        PERMITTED_ENDPOINTS.put("/swagger-ui/**", HttpMethod.GET);
60
        PERMITTED_ENDPOINTS.put("/swagger-ui.html", HttpMethod.GET);
61
        PERMITTED_ENDPOINTS.put("/v3/api-docs", HttpMethod.GET);
62
        PERMITTED_ENDPOINTS.put("/v3/api-docs/swagger-config", HttpMethod.GET);
63
        PERMITTED_ENDPOINTS.put("/catalog-items", HttpMethod.GET);
64
        PERMITTED_ENDPOINTS.put("/catalog-items/**", HttpMethod.GET);
65
    }
51 66

  
52 67
    /**
53 68
     * Security configuration
......
55 70
     * @param http http security
56 71
     * @throws Exception exception
57 72
     */
73
    // TODO configure and check rights
58 74
    @Override
59 75
    protected void configure(HttpSecurity http) throws Exception {
60 76
        http.csrf().disable()
......
63 79
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
64 80
                .and()
65 81
                .addFilter(new JwtUsernameAndPasswordAuthenticationFilter(authenticationManager(), jwtUtils))
66
                .addFilterAfter(new JwtTokenVerifier(jwtUtils, permittedUrls), JwtUsernameAndPasswordAuthenticationFilter.class)
82
                .addFilterAfter(new JwtTokenVerifier(jwtUtils, PERMITTED_ENDPOINTS), JwtUsernameAndPasswordAuthenticationFilter.class)
67 83
                .authorizeRequests()
68
                .antMatchers(permittedUrls).permitAll()
69
                .antMatchers("/user/update-permissions/**", "/user/reset-password/**").hasRole(Role.ADMIN.name())
70
                .antMatchers(HttpMethod.DELETE, "/user/**").hasRole(Role.ADMIN.name())
71
                .antMatchers("/write/**").hasAuthority(Permission.WRITE.name())
72
                .antMatchers("/read/**").hasAuthority(Permission.READ.name())
73
                .antMatchers("/delete/**").hasAuthority(Permission.DELETE.name())
84
                .antMatchers(HttpMethod.GET, PERMITTED_ENDPOINTS.keySet().stream().filter(k -> PERMITTED_ENDPOINTS.get(k).equals(HttpMethod.GET)).toArray(String[]::new)).permitAll()
85
                .antMatchers(HttpMethod.POST, "/login").permitAll()
86
                .antMatchers(HttpMethod.PATCH, "/users/*/permissions", "/users/*/password").hasRole(Role.ADMIN.name())
87
                .antMatchers(HttpMethod.DELETE, "/users/**").hasRole(Role.ADMIN.name())
88
                .antMatchers(HttpMethod.GET, "/users").hasRole(Role.ADMIN.name())
89
                .antMatchers(HttpMethod.GET, "/path").hasAuthority(Permission.READ.name())
90
                .antMatchers(HttpMethod.POST, "/catalog-items").hasAuthority(Permission.WRITE.name())
91
                .antMatchers(HttpMethod.PUT, "/catalog-items/*").hasAuthority(Permission.WRITE.name())
92
                .antMatchers(HttpMethod.DELETE, "/catalog-items/*").hasAuthority(Permission.DELETE.name())
74 93
                .anyRequest()
75 94
                .authenticated();
76 95
    }
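Review bot: `PERMITTED_ENDPOINTS` (new line 38) is built as a plain `HashMap` in the static initializer and the same reference is handed to `JwtTokenVerifier` on line 82, so the list of endpoints that skip JWT verification and are `permitAll()` stays mutable at runtime for any code that can reach the map; freeze it at the end of the initializer, `PERMITTED_ENDPOINTS = Collections.unmodifiableMap(map);` after building into a local `map` (or `Map.of(...)` if the project is on Java 9+, with `import java.util.Collections;` otherwise). The `permitAll()` rules are only partly derived from the map — the GET entries via the stream on line 84, while `POST /login` is repeated by hand on line 85 — so the map and the authorization rules can drift apart; deriving the POST rule from the map the same way, or documenting on the field that every map entry must have a matching `permitAll()` rule, keeps them in one place. The comparison on line 84 can also be written more directly as `.filter(e -> e.getValue() == HttpMethod.GET).map(Map.Entry::getKey)` over `entrySet()`, since `HttpMethod` is an enum in this Spring version as far as the imports show. Finally, the `// TODO configure and check rights` added on line 73 contradicts the commit message that these rights were checked; either drop it or state what is still unverified.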
backend/src/main/java/cz/zcu/kiv/backendapi/security/jwt/JwtTokenVerifier.java
8 8
import lombok.RequiredArgsConstructor;
9 9
import lombok.extern.slf4j.Slf4j;
10 10
import org.springframework.http.HttpHeaders;
11
import org.springframework.http.HttpMethod;
11 12
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
12 13
import org.springframework.security.core.authority.SimpleGrantedAuthority;
13 14
import org.springframework.security.core.context.SecurityContextHolder;
......
19 20
import javax.servlet.http.HttpServletRequest;
20 21
import javax.servlet.http.HttpServletResponse;
21 22
import java.io.IOException;
22
import java.util.Arrays;
23 23
import java.util.Collection;
24 24
import java.util.List;
25
import java.util.Map;
25 26
import java.util.stream.Collectors;
26 27

  
27 28

  
......
38 39
    private final JwtUtils jwtUtils;
39 40

  
40 41
    /**
41
     * Array or urls with this filter (JWT not needed for them)
42
     * Map of permitted endpoints with HTTP method (user does not need to be authenticated perform the request)
42 43
     */
43
    private final String[] skipFilterUrls;
44
    private final Map<String, HttpMethod> skipFilterEndpoints;
44 45

  
45 46
    /**
46 47
     * Filters request - checks for JWT token and validates it
......
83 84
     *
84 85
     * @param request request
85 86
     * @return true if given request should not be scanned for JWT, false otherwise
86
     * @throws ServletException servlet exception
87 87
     */
88 88
    @Override
89
    protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
90
        return Arrays.stream(skipFilterUrls).anyMatch(url -> new AntPathRequestMatcher(url).matches(request));
89
    protected boolean shouldNotFilter(HttpServletRequest request) {
90
        return skipFilterEndpoints.entrySet().stream().anyMatch(e -> new AntPathRequestMatcher(e.getKey(), e.getValue().toString()).matches(request));
91 91
    }
92 92
}
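Review bot: `shouldNotFilter` (new lines 89-90) constructs a new `AntPathRequestMatcher` for every map entry on every request; as `skipFilterEndpoints` is a final injected field, the matchers could be built once, e.g. a `List<RequestMatcher>` populated in an explicit constructor and checked with `anyMatch(m -> m.matches(request))`, which also keeps the per-request path to pure matching. The `Map<String, HttpMethod>` shape allows exactly one method per path, so a path that should be public for two methods cannot be expressed without a second pattern; a comment on the field such as `// one HTTP method per path pattern; add a separate pattern for each additional public method` would make that limitation visible. The skip list and the `permitAll()` rules in `SecurityConfig` must stay in sync — presumably an entry skipped here but not permitted there fails closed (the context is never populated, so `anyRequest().authenticated()` rejects even a valid token), which is safe but confusing, and is worth stating in the field Javadoc. The Javadoc on line 42 is also missing a word: "does not need to be authenticated to perform the request".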
