50 lines
2.5 KiB
Java
50 lines
2.5 KiB
Java
package com.hiveops.guide.config;
|
|
|
|
import com.hiveops.guide.security.JwtAuthenticationFilter;
|
|
import org.springframework.context.annotation.Bean;
|
|
import org.springframework.context.annotation.Configuration;
|
|
import org.springframework.http.HttpMethod;
|
|
import org.springframework.http.HttpStatus;
|
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
|
import org.springframework.security.web.SecurityFilterChain;
|
|
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
|
|
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
|
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
@EnableMethodSecurity
|
|
public class SecurityConfig {
|
|
|
|
private final JwtAuthenticationFilter jwtAuthenticationFilter;
|
|
|
|
public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter) {
|
|
this.jwtAuthenticationFilter = jwtAuthenticationFilter;
|
|
}
|
|
|
|
@Bean
|
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
|
http
|
|
.cors(AbstractHttpConfigurer::disable)
|
|
.csrf(AbstractHttpConfigurer::disable)
|
|
.sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
|
|
.exceptionHandling(ex -> ex
|
|
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
|
|
.authorizeHttpRequests(auth -> auth
|
|
.requestMatchers("/actuator/health", "/error").permitAll()
|
|
// Consumer: any authenticated customer, user, or admin
|
|
.requestMatchers(HttpMethod.GET, "/api/v1/guides/**")
|
|
.hasAnyRole("USER", "CUSTOMER", "ADMIN", "MSP_ADMIN", "QDS_ADMIN", "BCOS_ADMIN")
|
|
// Admin CRUD — handled by @PreAuthorize on the controller
|
|
.requestMatchers("/api/v1/admin/guides/**").authenticated()
|
|
.anyRequest().authenticated()
|
|
)
|
|
.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
|
|
|
|
return http.build();
|
|
}
|
|
}
|