From 07f66f65ed4764ab12b0dacbcac92d6db263c939 Mon Sep 17 00:00:00 2001
From: Pierre Tellier
Date: Wed, 12 Feb 2025 12:04:59 +0100
Subject: [PATCH] feat: comments and security comfiguration improved.

---
 .../WebSecurityCustomConfiguration.java | 35 ++++++++++++++-----
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/MyINPulse-back/src/main/java/enseirb/myinpulse/config/WebSecurityCustomConfiguration.java b/MyINPulse-back/src/main/java/enseirb/myinpulse/config/WebSecurityCustomConfiguration.java
index b3525af..637b6c2 100644
--- a/MyINPulse-back/src/main/java/enseirb/myinpulse/config/WebSecurityCustomConfiguration.java
+++ b/MyINPulse-back/src/main/java/enseirb/myinpulse/config/WebSecurityCustomConfiguration.java
@@ -1,6 +1,7 @@
 package enseirb.myinpulse.config;
 
 import enseirb.myinpulse.security.KeycloakJwtRolesConverter;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -14,37 +15,55 @@ import java.util.List;
 
 import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole;
 
+
 @Configuration
-public class WebSecurityCustomConfiguration{
+public class WebSecurityCustomConfiguration {
     // CORS configuration
-    // TODO: make sure to only accept our own domains
+
+    @Value("${VITE_APP_URL}")
+    private String frontendUrl;
+
+    /**
+     * Configure the CORS (Cross Origin Ressource Sharing -- a security feature) configuration.
+     * The only allowed website is the frontend, defined in the .env file.
+     *
+     * @return the CORS configuration used by the backend
+     */
     @Bean
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration configuration = new CorsConfiguration();
-        configuration.setAllowedOrigins(List.of("*"));
+        configuration.setAllowedOrigins(List.of(frontendUrl));
         configuration.setAllowedMethods(Arrays.asList("GET", "OPTIONS"));
         configuration.setAllowedHeaders(
                 Arrays.asList(
                         "authorization",
                         "content-type",
-                        "x-auth-token")); // Do not remove, this fixes the CORS errors when
-        // unauthenticated
+                        "x-auth-token"));
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", configuration);
         return source;
     }
 
+    /**
+     * Configure the authorisation required for each path.
+     * admin endpoints are under /admin/* and entrepreneur are under /entrepreneur/*
+     * If endpoints dont require authentication, they are under /unauth/
+     *
+     * @param http automatically filled in by spring.
+     * @return a securityfilterchain, automatically used by spring.
+     * @throws Exception TODO: figure out when the exception are raised
+     */
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.authorizeHttpRequests(
                         authorize ->
                                 authorize
-                                        .requestMatchers("/random2")
+                                        .requestMatchers("/entrepreneur/**")
                                         .access(hasRole("REALM_MyINPulse-entrepreneur"))
-                                        .requestMatchers("/random")
+                                        .requestMatchers("/admin/**")
                                         .access(hasRole("REALM_MyINPulse-admin"))
-                                        .requestMatchers("/random3")
+                                        .requestMatchers("/unauth/**")
                                         .permitAll()
                                         .anyRequest()
                                         .authenticated())
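Review bot: `configuration.setAllowedOrigins(List.of(frontendUrl))` matches the browser's `Origin` header against the whole value of `VITE_APP_URL`, so that property must be a bare origin of the form `scheme://host[:port]`; Spring tolerates a trailing slash, but a value carrying a path (as frontend base URLs in a .env often do) or a scheme other than the one the browser actually uses would make every request from the frontend fail CORS instead of being allowed, and nothing in the hunk documents that constraint. I would state it in the new Javadoc, replacing the "only allowed website" line with `* The only allowed origin is the frontend, read from VITE_APP_URL, which must be a bare origin (scheme://host[:port], no path).` The `@throws Exception TODO: figure out when the exception are raised` line can presumably be resolved now, since the `throws Exception` comes from HttpSecurity's configurer methods, which declare it themselves: `@throws Exception propagated from HttpSecurity's configuration methods, which declare it`. Also `Ressource` should read `Resource` in the CORS Javadoc.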