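package ru.ulstu.fc.config;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import ru.ulstu.fc.user.model.UserRoleConstants;

/**
 * Spring Security configuration for the web application.
 *
 * <p>Declares a single {@link SecurityFilterChain} that:
 * <ul>
 *   <li>permits anonymous access to {@code /} and the paths in {@link #PERMITTED_URLS};</li>
 *   <li>restricts {@code /swagger-ui.html} to principals holding
 *       {@link UserRoleConstants#ADMIN};</li>
 *   <li>requires authentication for every other request;</li>
 *   <li>uses form login at {@code /login} and a logout handler that clears the
 *       authentication and deletes the {@link Constants#COOKIES_NAME} cookie.</li>
 * </ul>
 *
 * <p>NOTE(review): CSRF protection is disabled for the whole application (see
 * {@link #securityFilterChain}). With cookie-based session form login this leaves every
 * state-changing POST without CSRF protection. If the disable exists only for the H2
 * console, scope the exemption instead, e.g.
 * {@code .csrf(csrf -> csrf.ignoringRequestMatchers("/h2-console/**"))}, after confirming
 * the templates emit the {@code _csrf} token in their forms.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    private static final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);

    /**
     * Ant-style path patterns that are reachable without authentication.
     *
     * <p>NOTE(review): {@code /h2-console} and {@code /h2-console/*} are open to anonymous
     * users here, and the same-origin frame-options relaxation below is presumably for the
     * console as well; consider gating both behind a non-production profile. Note also that
     * {@code /h2-console/*} matches a single path segment only.
     */
    private static final String[] PERMITTED_URLS = {
            "/login",
            "/index",
            "/user/register",
            "/public/**",
            "/organizers",
            "/webjars/**",
            "/error",
            "/register",
            "/h2-console/*",
            "/h2-console",
            "/css/**",
            "/js/**",
            "/img/**",
            "/templates/**"
    };

    /**
     * Builds the application's security filter chain.
     *
     * @param http the {@link HttpSecurity} builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception if {@link HttpSecurity#build()} fails
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        log.debug("Security enabled");
        http
                // Allow framing from the same origin only (the H2 console renders in frames).
                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
                // NOTE(review): app-wide CSRF disable; see the class Javadoc for a scoped alternative.
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/").permitAll()
                        .requestMatchers(PERMITTED_URLS).permitAll()
                        // The API documentation page is limited to administrators.
                        .requestMatchers("/swagger-ui.html").hasAuthority(UserRoleConstants.ADMIN)
                        .anyRequest().authenticated())
                .formLogin(form -> form
                        .loginPage("/login")
                        .failureUrl("/loginError")
                        .permitAll())
                .logout(logout -> logout
                        .logoutSuccessUrl(Constants.LOGOUT_URL)
                        // NOTE(review): the HTTP session is kept alive across logout; only the
                        // authentication is cleared and the cookie deleted — confirm this is intended.
                        .invalidateHttpSession(false)
                        .clearAuthentication(true)
                        .deleteCookies(Constants.COOKIES_NAME)
                        .permitAll());
        return http.build();
    }
}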