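package ru.ulstu.configuration;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import ru.ulstu.model.UserRoleConstants;

/**
 * Spring Security configuration for the web application: declares which URL patterns are
 * public, where the login form lives, how logout behaves and which response headers are set.
 *
 * <p>{@code Constants.LOGOUT_URL} and {@code Constants.COOKIES_NAME} are referenced without an
 * import, so a {@code Constants} type is expected in this same package.
 */
@Configuration
@EnableWebSecurity
// NOTE(review): @EnableGlobalMethodSecurity is deprecated in Spring Security 6 in favour of
// @EnableMethodSecurity; kept as-is because the framework version is not visible from this file.
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);

    /**
     * Ant-style URL patterns reachable without authentication (the root path "/" is added
     * separately in the filter chain). Each pattern appears once.
     *
     * <p>NOTE(review): "/h2-console" and "/h2-console/*" are anonymously reachable here; together
     * with the disabled CSRF protection below this is only acceptable for a development profile.
     * Confirm the console is not enabled in production deployments.
     */
    private static final String[] PERMITTED_URLS = {
        "/login",
        "/index",
        "/news/**",
        "/meetings/**",
        "/files/**",
        "/docs/**",
        "/public/**",
        "/organizers",
        "/webjars/**",
        "/h2-console/*",
        "/h2-console",
        "/css/**",
        "/js/**",
        "/img/**",
        "/templates/**"
    };

    /**
     * Builds the single security filter chain for the application.
     *
     * <p>Authorization rules, in order of evaluation: "/" and {@link #PERMITTED_URLS} are open to
     * everyone, "/swagger-ui/*" requires {@link UserRoleConstants#ADMIN}, and every other request
     * requires an authenticated user.
     *
     * @param http the builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        log.debug("Security enabled");
        http
                // SAMEORIGIN instead of the default DENY so same-site frames (e.g. the H2 console UI)
                // can render; cross-site framing is still refused.
                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
                // NOTE(review): CSRF protection is switched off for every endpoint, including the
                // form-login and logout handlers configured below. Spring Security enables it by
                // default; re-enabling it requires the login/logout forms to carry the CSRF token.
                // Flagged rather than changed here because existing templates may not send the token.
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/").permitAll()
                        .requestMatchers(PERMITTED_URLS).permitAll()
                        // Single "*" matches one path segment only; deeper swagger paths fall
                        // through to the authenticated() rule below.
                        .requestMatchers("/swagger-ui/*").hasAuthority(UserRoleConstants.ADMIN)
                        .anyRequest().authenticated())
                .formLogin(form -> form
                        .loginPage("/login")
                        .failureUrl("/loginError")
                        .permitAll())
                .logout(logout -> logout
                        .logoutSuccessUrl(Constants.LOGOUT_URL)
                        // The HTTP session is kept alive across logout; only the authentication is
                        // cleared and the named cookie dropped. Any other user data stored in the
                        // session therefore survives logout — confirm that is intended.
                        .invalidateHttpSession(false)
                        .clearAuthentication(true)
                        .deleteCookies(Constants.COOKIES_NAME)
                        .permitAll());
        return http.build();
    }
}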