Revize fdf6c32d
Přidáno uživatelem Michal Schwob před asi 2 roky(ů)
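--- a/backend/src/main/java/cz/zcu/kiv/backendapi/security/SecurityConfig.java
+++ b/backend/src/main/java/cz/zcu/kiv/backendapi/security/SecurityConfig.java
@@ -21,6 +21,8 @@
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -63,7 +65,6 @@
 PERMITTED_ENDPOINTS.put("/catalog-items", HttpMethod.GET);
 PERMITTED_ENDPOINTS.put("/catalog-items/**", HttpMethod.GET);
 PERMITTED_ENDPOINTS.put("/title-page", HttpMethod.GET);
-PERMITTED_ENDPOINTS.put("/sources", HttpMethod.GET);
 }
 
 /**
@@ -72,6 +73,7 @@
 * @param http http security
 * @throws Exception exception
 */
+// TODO configure and check rights
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 http.csrf().disable()
@@ -84,15 +86,15 @@
 .authorizeRequests()
 .antMatchers(HttpMethod.GET, PERMITTED_ENDPOINTS.keySet().stream().filter(k -> PERMITTED_ENDPOINTS.get(k).equals(HttpMethod.GET)).toArray(String[]::new)).permitAll()
 .antMatchers(HttpMethod.POST, "/login").permitAll()
-.antMatchers(HttpMethod.POST, "/users", "/external-catalog-items").hasRole(Role.ADMIN.name())
+.antMatchers("/external-catalog-items").hasRole(Role.ADMIN.name())
 .antMatchers(HttpMethod.PATCH, "/users/*/permissions", "/users/*/password").hasRole(Role.ADMIN.name())
 .antMatchers(HttpMethod.DELETE, "/users/**").hasRole(Role.ADMIN.name())
 .antMatchers(HttpMethod.GET, "/users").hasRole(Role.ADMIN.name())
-.antMatchers(HttpMethod.GET, "/path", "/external-catalog-items").hasAuthority(Permission.READ.name())
+.antMatchers(HttpMethod.GET, "/path").hasAuthority(Permission.READ.name())
 .antMatchers(HttpMethod.POST, "/catalog-items").hasAuthority(Permission.WRITE.name())
 .antMatchers(HttpMethod.PUT, "/catalog-items/*").hasAuthority(Permission.WRITE.name())
 .antMatchers(HttpMethod.DELETE, "/catalog-items/*").hasAuthority(Permission.DELETE.name())
-.antMatchers(HttpMethod.POST, "/title-page", "/sources").hasRole(Role.ADMIN.name())
+.antMatchers(HttpMethod.POST, "/title-page").hasRole(Role.ADMIN.name())
 .anyRequest()
 .authenticated();
 }
@@ -115,7 +117,7 @@
 */
 @Bean
 public DaoAuthenticationProvider authenticationProvider() {
-DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+final DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
 provider.setUserDetailsService(userDetailsService);
 provider.setPasswordEncoder(bCryptPasswordEncoder);
 return provider;
@@ -123,8 +125,10 @@
 
 @Bean
 CorsConfigurationSource corsConfigurationSource() {
-UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
+final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+CorsConfiguration corsConfiguration = new CorsConfiguration().applyPermitDefaultValues();
+corsConfiguration.setAllowedMethods(java.util.List.of(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name(), HttpMethod.DELETE.name(), HttpMethod.PATCH.name(), HttpMethod.PUT.name()));
+source.registerCorsConfiguration("/**", corsConfiguration);
 return source;
 }
 }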
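Review bot: The CORS configuration in corsConfigurationSource() still starts from `applyPermitDefaultValues()`, which allows every origin and every request header, and the new `setAllowedMethods(...)` line now advertises DELETE, PATCH and PUT for `/**` as well, so every mutating endpoint becomes reachable cross-origin from any site while CSRF protection is disabled in configure(). If the API has a known frontend, pin the origin explicitly, e.g. `corsConfiguration.setAllowedOrigins(List.of(frontendOrigin));` with the value taken from application configuration rather than hard-coded, and keep the method list as added. A style point on the same line: `java.util.List.of(...)` is fully qualified while this commit adds `java.util.Arrays` and `java.util.Collections` imports at the top, so importing `java.util.List` next to them would be consistent. In the configure() hunk, the method-less `.antMatchers("/external-catalog-items").hasRole(Role.ADMIN.name())` precedes the GET rule that used to grant `Permission.READ` on that path, and because the first matching rule wins this makes GET admin-only too — presumably intended for the administration page, but worth confirming; the part of the configure() chain between `http.csrf().disable()` and `.authorizeRequests()` lies outside the shown hunks.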
Administation page finished
re #9818