seminar/src/main/java/ru/ulstu/configuration/SecurityConfiguration.java

package ru.ulstu.configuration;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import ru.ulstu.model.UserRoleConstants;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration {
    private final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);
    private final String[] permittedUrls = new String[]{
            "/login", "/index", "/news/**",
            "/meetings/**", "/files/**", "/docs/**",
            "/public/**", "/organizers", "/webjars/**",
            "/h2-console/*", "/h2-console",
            "/css/**", "/js/**", "/img/**",
            "/templates/**", "/webjars/**"};

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        log.debug("Security enabled");

        http
                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth ->
                        auth.requestMatchers("/").permitAll()
                                .requestMatchers(permittedUrls).permitAll()
                                .requestMatchers("/swagger-ui/*").hasAuthority(UserRoleConstants.ADMIN)
                                .anyRequest().authenticated())
                .formLogin(form ->
                        form.loginPage("/login")
                                .failureUrl("/loginError")
                                .permitAll())
                .logout(logout ->
                        logout
                                .logoutSuccessUrl(Constants.LOGOUT_URL)
                                .invalidateHttpSession(false)
                                .clearAuthentication(true)
                                .deleteCookies(Constants.COOKIES_NAME)
                                .permitAll());
        return http.build();
    }
}