package io.spring.api.security ;
import org.springframework.beans.factory.annotation.Value ;
import org.springframework.context.annotation.Bean ;
import org.springframework.context.annotation.Configuration ;
import org.springframework.http.HttpMethod ;
import org.springframework.http.HttpStatus ;
import org.springframework.security.config.annotation.web.builders.HttpSecurity ;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity ;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter ;
import org.springframework.security.config.http.SessionCreationPolicy ;
import org.springframework.security.web.authentication.HttpStatusEntryPoint ;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter ;
import org.springframework.web.cors.CorsConfiguration ;
import org.springframework.web.cors.CorsConfigurationSource ;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource ;
import static java.util.Arrays.asList ;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Mirrors {@code spring.h2.console.enabled} (default {@code false}). When true the H2
     * console paths are opened without authentication (see {@link #permitH2Console}), so
     * the property should stay off anywhere other than a local development setup.
     */
    @Value("${spring.h2.console.enabled:false}")
    private boolean h2ConsoleEnabled;

    /**
     * The token filter that {@link #configure(HttpSecurity)} places in the security chain.
     * Because this class is a {@code @Configuration}, calling this method from
     * {@code configure} yields the managed singleton rather than a second instance.
     *
     * <p>NOTE(review): a servlet {@code Filter} exposed as a {@code @Bean} is also picked up
     * by Spring Boot's servlet-container registration, independently of its slot in the
     * security chain. {@code JwtTokenFilter} is not defined in this file; if it is a plain
     * {@code Filter} and this is a Boot application it may execute twice per request --
     * confirm against the filter's implementation.
     */
    @Bean
    public JwtTokenFilter jwtTokenFilter() {
        return new JwtTokenFilter();
    }

    /**
     * Assembles the HTTP security rules for the API.
     *
     * <p>In order: optional H2 console exemption, CSRF off, CORS on, bare 401 for
     * unauthenticated requests, stateless sessions, the URL authorization table, and finally
     * the JWT filter ahead of {@link UsernamePasswordAuthenticationFilter}.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Added first so the console matchers are evaluated ahead of the rules below.
        if (h2ConsoleEnabled) {
            permitH2Console(http);
        }

        // No CSRF token: sessions are STATELESS and the credential travels in the
        // Authorization header (see corsConfigurationSource), so a cross-site request has no
        // ambient cookie to ride on. NOTE(review): this reasoning stops holding if cookie- or
        // session-based authentication is ever introduced -- revisit then.
        http.csrf().disable();
        // CORS handling is driven by the CorsConfigurationSource bean declared below.
        http.cors();
        // An unauthenticated request for a protected resource gets a plain 401 instead of a
        // redirect to a login page, which is what API clients expect.
        http.exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Matchers are consulted in declaration order and the first match wins, so the
        // authenticated-only /articles/feed must precede the public /articles/**.
        http.authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS).permitAll()
                .antMatchers(HttpMethod.GET, "/articles/feed").authenticated()
                .antMatchers(HttpMethod.POST, "/users", "/users/login").permitAll()
                .antMatchers(HttpMethod.GET, "/articles/**", "/profiles/**", "/tags").permitAll()
                .anyRequest().authenticated();

        http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * Opens the H2 console paths to everyone and relaxes X-Frame-Options to same-origin
     * (presumably because the console UI renders itself in frames). Only invoked when
     * {@link #h2ConsoleEnabled} is true; the console then exposes the database without any
     * authentication, which is acceptable only for local development.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder API
     */
    private static void permitH2Console(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/h2-console", "/h2-console/**").permitAll()
                .and()
                .headers().frameOptions().sameOrigin();
    }

    /**
     * CORS policy applied to every path.
     *
     * <p>{@code allowCredentials(true)} is set because browsers reject a literal
     * {@code Access-Control-Allow-Origin: *} on a request made with credentials mode
     * {@code include}; with this flag Spring echoes the request's Origin instead.
     * NOTE(review): combined with the wildcard origin that means any site can make
     * credentialed cross-origin calls. The token is read from the Authorization header
     * rather than a cookie, which limits the practical exposure, but an explicit origin
     * allow-list is the tighter setting, and newer Spring versions (5.3+) reject the
     * wildcard-plus-credentials combination at startup.
     *
     * <p>The allowed-headers list is required: without it the OPTIONS preflight is refused
     * with 403 "Invalid CORS request".
     *
     * @return the per-path CORS configuration source consumed by {@code http.cors()}
     */
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        final CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowCredentials(true);
        cors.setAllowedOrigins(asList("*"));
        cors.setAllowedMethods(asList("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
        cors.setAllowedHeaders(asList("Authorization", "Cache-Control", "Content-Type"));

        final UrlBasedCorsConfigurationSource byPath = new UrlBasedCorsConfigurationSource();
        byPath.registerCorsConfiguration("/**", cors);
        return byPath;
    }
}