diff --git a/pav-server/src/main/java/com/palnet/biz/config/WebSecurityConfig.java b/pav-server/src/main/java/com/palnet/biz/config/WebSecurityConfig.java
index 6958be75..33fe2ca8 100644
--- a/pav-server/src/main/java/com/palnet/biz/config/WebSecurityConfig.java
+++ b/pav-server/src/main/java/com/palnet/biz/config/WebSecurityConfig.java
@@ -32,100 +32,100 @@ import java.util.Arrays;
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
- private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
- private final UserDetailsService jwtUserDetailsService;
- private final JwtRequestFilter jwtRequestFilter;
-
-
- private final String[] PERMITTED_URL = {
- "/api/acnt/**",
- "/api/ctr/cntrl/id/**",
- "/api/server/**",
- "/api/comn/file/download",
- "/api/comn/file/download/**",
- // 외부 연동
- "/api/external/laanc/**",
- "/api/external/dos/**",
- "/api/laanc/flight/plan",
- // TEST
- "/api/v1/utm",
- /* swagger v2 */
- "/v2/api-docs",
- "/swagger-resources",
- "/swagger-resources/**",
- "/configuration/ui",
- "/configuration/security",
+ private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
+ private final UserDetailsService jwtUserDetailsService;
+ private final JwtRequestFilter jwtRequestFilter;
+
+
+ private final String[] PERMITTED_URL = {
+ "/api/acnt/**",
+ "/api/ctr/cntrl/id/**",
+ "/api/server/**",
+ "/api/comn/file/download",
+ "/api/comn/file/download/**",
+ // 외부 연동
+ "/api/external/laanc/**",
+ "/api/external/dos/**",
+ "/api/laanc/flight/plan",
+ // TEST
+ "/api/v1/utm",
+ /* swagger v2 */
+ "/v2/api-docs",
+ "/swagger-resources",
+ "/swagger-resources/**",
+ "/configuration/ui",
+ "/configuration/security",
 // "/swagger-ui.html",
- "/webjars/**",
- /* swagger v3 */
- "/v3/api-docs/**",
+ "/webjars/**",
+ /* swagger v3 */
+ "/v3/api-docs/**",
 // "/swagger-ui/**",
- /* swagger spring doc */
- "/api-docs",
- "/api-docs/**",
- "/swagger-ui-custom.html",
- "/v3/api-docs/**",
- "/swagger-ui/**",
- "/swagger-ui.html"
- };
-
- @Autowired
- public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
- // configure AuthenticationManager so that it knows from where to load
- // user for matching credentials
- // Use BCryptPasswordEncoder
- auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
- }
-
- @Bean
- @Primary
- public CorsConfigurationSource corsConfigurationSource() {
- CorsConfiguration configuration = new CorsConfiguration();
- configuration.setAllowedOrigins(Arrays.asList("*"));
- configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE","OPTIONS"));
- configuration.setAllowedHeaders(Arrays.asList("x-timezone","Accept-Language","Accept","X-Requested-With", "Content-Type", "Authorization", "X-XSRF-token"));
- configuration.setAllowCredentials(false);
- configuration.setMaxAge(3600L);
-
- UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
- source.registerCorsConfiguration("/**", configuration);
-
- return source;
- }
-
-
- @Bean
- public PasswordEncoder passwordEncoder() {
- return new BCryptPasswordEncoder();
- }
-
- @Bean
- @Override
- public AuthenticationManager authenticationManagerBean() throws Exception {
- return super.authenticationManagerBean();
- }
-
- @Override
- protected void configure(HttpSecurity httpSecurity) throws Exception {
- // We don't need CSRF for this example
- httpSecurity.csrf().disable()
- .cors(cors -> corsConfigurationSource())
- // dont authenticate this particular request
- .authorizeRequests()
- .antMatchers(HttpMethod.OPTIONS,"/api/**").permitAll()
- .antMatchers(HttpMethod.GET,"/ping").permitAll()
- .antMatchers("/swagger-ui/**").permitAll()
- .antMatchers(PERMITTED_URL).permitAll()
- // all other requests need to be authenticated
- .anyRequest().authenticated().and()
- // make sure we use stateless session; session won't be used to
- // store user's state.
- .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
- .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
-
- // Add a filter to validate the tokens with every request
- httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
- }
-
-
+ /* swagger spring doc */
+ "/api-docs",
+ "/api-docs/**",
+ "/swagger-ui-custom.html",
+ "/v3/api-docs/**",
+ "/swagger-ui/**",
+ "/swagger-ui.html"
+ };
+
+ @Autowired
+ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+ // configure AuthenticationManager so that it knows from where to load
+ // user for matching credentials
+ // Use BCryptPasswordEncoder
+ auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
+ }
+
+ @Bean
+ @Primary
+ public CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration configuration = new CorsConfiguration();
+ configuration.setAllowedOrigins(Arrays.asList("*"));
+ configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
+ configuration.setAllowedHeaders(Arrays.asList("x-timezone", "Accept-Language", "Accept", "X-Requested-With", "Content-Type", "Authorization", "X-XSRF-token"));
+ configuration.setAllowCredentials(false);
+ configuration.setMaxAge(3600L);
+
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", configuration);
+
+ return source;
+ }
+
+
+ @Bean
+ public PasswordEncoder passwordEncoder() {
+ return new BCryptPasswordEncoder();
+ }
+
+ @Bean
+ @Override
+ public AuthenticationManager authenticationManagerBean() throws Exception {
+ return super.authenticationManagerBean();
+ }
+
+ @Override
+ protected void configure(HttpSecurity httpSecurity) throws Exception {
+ // We don't need CSRF for this example
+ httpSecurity.csrf().disable()
+ .cors(cors -> corsConfigurationSource())
+ // dont authenticate this particular request
+ .authorizeRequests()
+ .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
+ .antMatchers(HttpMethod.GET, "/ping").permitAll()
+ .antMatchers("/swagger-ui/**").permitAll()
+ .antMatchers(PERMITTED_URL).permitAll()
+ // all other requests need to be authenticated
+ .anyRequest().authenticated().and()
+ // make sure we use stateless session; session won't be used to
+ // store user's state.
+ .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
+ .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+
+ // Add a filter to validate the tokens with every request
+ httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
+ }
+
+
 }
\ No newline at end of file
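Review bot: In `configure`, `.cors(cors -> corsConfigurationSource())` builds a `CorsConfigurationSource` but never passes it to the customizer, so the lambda's return value is discarded and the effective CORS policy depends on Spring Security falling back to the bean named `corsConfigurationSource`; make the wiring explicit with `.cors(cors -> cors.configurationSource(corsConfigurationSource()))`. The only functional change in this hunk is adding `PATCH` to the allowed methods, which widens a policy that already answers `Access-Control-Allow-Origin: *` for every path and accepts the `Authorization` header; consider reading the allowed origins from configuration instead of the literal `"*"` so the wildcard does not reach production unreviewed. `PERMITTED_URL` is an instance field written as a constant and lists `"/v3/api-docs/**"` twice; `private static final String[] PERMITTED_URL` with the duplicate dropped would match its naming, and a reviewer would expect the Swagger entries to be gated by profile rather than permitted unconditionally. The `// We don't need CSRF for this example` comment is stale for a stateless JWT API; `// CSRF disabled: stateless JWT auth, no cookie-backed session` states the actual reason.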