Add security on endpoints and handle 403 responses.

2023-11-30 14:56:03 +01:00
parent 96345c703a
commit 920fbe489d
7 changed files with 60 additions and 23 deletions
--- a/sportshub-application/src/main/java/org/sportshub/application/configuration/SecurityConfiguration.java
+++ b/sportshub-application/src/main/java/org/sportshub/application/configuration/SecurityConfiguration.java
@@ -1,9 +1,13 @@
 package org.sportshub.application.configuration;

+import static org.sportshub.domain.user.model.UserRole.ADMIN;
+import static org.springframework.http.HttpMethod.GET;
+import static org.springframework.http.HttpMethod.OPTIONS;
+import static org.springframework.http.HttpMethod.POST;
+import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
 import org.sportshub.application.security.JwtAuthenticationFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -12,7 +16,6 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

 import static jakarta.servlet.DispatcherType.FORWARD;
 import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
@@ -29,27 +32,29 @@ public class SecurityConfiguration {
        httpSecurity
            .csrf(AbstractHttpConfigurer::disable)
            .httpBasic(Customizer.withDefaults())
+            .exceptionHandling(configurer -> configurer
+                .authenticationEntryPoint((request, response, authException) -> response.sendError(SC_UNAUTHORIZED))
+                .accessDeniedHandler((request, response, accessDeniedException) -> response.sendError(SC_FORBIDDEN))
+            )
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
+            .sessionManagement(customizer -> customizer.sessionCreationPolicy(STATELESS))
            .authorizeHttpRequests(requests -> requests
                .dispatcherTypeMatchers(FORWARD).permitAll()
                .requestMatchers(
-                    HttpMethod.GET,
-                    "/api/health/check"
+                    GET,
+                    "/api/health/check",
+                    "/error"
                ).permitAll()
                .requestMatchers(
-                    HttpMethod.POST,
+                    GET,
+                    "/api/users"
+                ).hasAuthority(ADMIN.name())
+                .requestMatchers(
+                    POST,
                    "/api/users/login"
                ).permitAll()
+                .requestMatchers(OPTIONS).permitAll()
                .anyRequest().authenticated()
-            )
-            .exceptionHandling(configurer -> configurer
-                .defaultAuthenticationEntryPointFor(
-                    (request, response, authException) -> response.sendError(SC_UNAUTHORIZED),
-                    new AntPathRequestMatcher("/api/**")
-                ).defaultAccessDeniedHandlerFor(
-                    (request, response, accessDeniedException) -> response.sendError(SC_FORBIDDEN),
-                    new AntPathRequestMatcher("/api/**")
-                )
            );

        return httpSecurity.build();
--- a/sportshub-application/src/main/java/org/sportshub/application/security/model/CustomUserDetails.java
+++ b/sportshub-application/src/main/java/org/sportshub/application/security/model/CustomUserDetails.java
@@ -1,10 +1,11 @@
 package org.sportshub.application.security.model;

-import static java.util.Collections.emptyList;
 import java.util.Collection;

 import org.sportshub.domain.user.model.User;
+import org.sportshub.domain.user.model.UserRole;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;

 public class CustomUserDetails implements UserDetails {
@@ -16,7 +17,12 @@ public class CustomUserDetails implements UserDetails {

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
-        return emptyList();
+        return user.roles()
+            .stream()
+            .map(UserRole::name)
+            .map(role -> "ROLE_" + role)
+            .map(SimpleGrantedAuthority::new)
+            .toList();
    }

    @Override