Revize fdf6c32d
Přidáno uživatelem Michal Schwob před asi 2 roky(ů)
| backend/src/main/java/cz/zcu/kiv/backendapi/security/SecurityConfig.java | ||
|---|---|---|
| 21 | 21 |
import org.springframework.web.cors.CorsConfigurationSource; |
| 22 | 22 |
import org.springframework.web.cors.UrlBasedCorsConfigurationSource; |
| 23 | 23 |
|
| 24 |
import java.util.Arrays; |
|
| 25 |
import java.util.Collections; |
|
| 24 | 26 |
import java.util.HashMap; |
| 25 | 27 |
import java.util.Map; |
| 26 | 28 |
|
| ... | ... | |
| 63 | 65 |
PERMITTED_ENDPOINTS.put("/catalog-items", HttpMethod.GET);
|
| 64 | 66 |
PERMITTED_ENDPOINTS.put("/catalog-items/**", HttpMethod.GET);
|
| 65 | 67 |
PERMITTED_ENDPOINTS.put("/title-page", HttpMethod.GET);
|
| 66 |
PERMITTED_ENDPOINTS.put("/sources", HttpMethod.GET);
|
|
| 67 | 68 |
} |
| 68 | 69 |
|
| 69 | 70 |
/** |
| ... | ... | |
| 72 | 73 |
* @param http http security |
| 73 | 74 |
* @throws Exception exception |
| 74 | 75 |
*/ |
| 76 |
// TODO configure and check rights |
|
| 75 | 77 |
@Override |
| 76 | 78 |
protected void configure(HttpSecurity http) throws Exception {
|
| 77 | 79 |
http.csrf().disable() |
| ... | ... | |
| 84 | 86 |
.authorizeRequests() |
| 85 | 87 |
.antMatchers(HttpMethod.GET, PERMITTED_ENDPOINTS.keySet().stream().filter(k -> PERMITTED_ENDPOINTS.get(k).equals(HttpMethod.GET)).toArray(String[]::new)).permitAll() |
| 86 | 88 |
.antMatchers(HttpMethod.POST, "/login").permitAll() |
| 87 |
.antMatchers(HttpMethod.POST, "/users", "/external-catalog-items").hasRole(Role.ADMIN.name())
|
|
| 89 |
.antMatchers("/external-catalog-items").hasRole(Role.ADMIN.name())
|
|
| 88 | 90 |
.antMatchers(HttpMethod.PATCH, "/users/*/permissions", "/users/*/password").hasRole(Role.ADMIN.name()) |
| 89 | 91 |
.antMatchers(HttpMethod.DELETE, "/users/**").hasRole(Role.ADMIN.name()) |
| 90 | 92 |
.antMatchers(HttpMethod.GET, "/users").hasRole(Role.ADMIN.name()) |
| 91 |
.antMatchers(HttpMethod.GET, "/path", "/external-catalog-items").hasAuthority(Permission.READ.name())
|
|
| 93 |
.antMatchers(HttpMethod.GET, "/path").hasAuthority(Permission.READ.name()) |
|
| 92 | 94 |
.antMatchers(HttpMethod.POST, "/catalog-items").hasAuthority(Permission.WRITE.name()) |
| 93 | 95 |
.antMatchers(HttpMethod.PUT, "/catalog-items/*").hasAuthority(Permission.WRITE.name()) |
| 94 | 96 |
.antMatchers(HttpMethod.DELETE, "/catalog-items/*").hasAuthority(Permission.DELETE.name()) |
| 95 |
.antMatchers(HttpMethod.POST, "/title-page", "/sources").hasRole(Role.ADMIN.name())
|
|
| 97 |
.antMatchers(HttpMethod.POST, "/title-page").hasRole(Role.ADMIN.name()) |
|
| 96 | 98 |
.anyRequest() |
| 97 | 99 |
.authenticated(); |
| 98 | 100 |
} |
| ... | ... | |
| 115 | 117 |
*/ |
| 116 | 118 |
@Bean |
| 117 | 119 |
public DaoAuthenticationProvider authenticationProvider() {
|
| 118 |
DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); |
|
| 120 |
final DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
|
|
| 119 | 121 |
provider.setUserDetailsService(userDetailsService); |
| 120 | 122 |
provider.setPasswordEncoder(bCryptPasswordEncoder); |
| 121 | 123 |
return provider; |
| ... | ... | |
| 123 | 125 |
|
| 124 | 126 |
@Bean |
| 125 | 127 |
CorsConfigurationSource corsConfigurationSource() {
|
| 126 |
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); |
|
| 127 |
source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
|
|
| 128 |
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); |
|
| 129 |
CorsConfiguration corsConfiguration = new CorsConfiguration().applyPermitDefaultValues(); |
|
| 130 |
corsConfiguration.setAllowedMethods(java.util.List.of(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name(), HttpMethod.DELETE.name(), HttpMethod.PATCH.name(), HttpMethod.PUT.name())); |
|
| 131 |
source.registerCorsConfiguration("/**", corsConfiguration);
|
|
| 128 | 132 |
return source; |
| 129 | 133 |
} |
| 130 | 134 |
} |
Také k dispozici: Unified diff
Administation page finished
re #9818