|
|
|
|
@ -32,100 +32,100 @@ import java.util.Arrays;
|
|
|
|
|
@EnableGlobalMethodSecurity(prePostEnabled = true) |
|
|
|
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { |
|
|
|
|
|
|
|
|
|
private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint; |
|
|
|
|
private final UserDetailsService jwtUserDetailsService; |
|
|
|
|
private final JwtRequestFilter jwtRequestFilter; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private final String[] PERMITTED_URL = { |
|
|
|
|
"/api/acnt/**", |
|
|
|
|
"/api/ctr/cntrl/id/**", |
|
|
|
|
"/api/server/**", |
|
|
|
|
"/api/comn/file/download", |
|
|
|
|
"/api/comn/file/download/**", |
|
|
|
|
// 외부 연동
|
|
|
|
|
"/api/external/laanc/**", |
|
|
|
|
"/api/external/dos/**", |
|
|
|
|
"/api/laanc/flight/plan", |
|
|
|
|
// TEST
|
|
|
|
|
"/api/v1/utm", |
|
|
|
|
/* swagger v2 */ |
|
|
|
|
"/v2/api-docs", |
|
|
|
|
"/swagger-resources", |
|
|
|
|
"/swagger-resources/**", |
|
|
|
|
"/configuration/ui", |
|
|
|
|
"/configuration/security", |
|
|
|
|
private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint; |
|
|
|
|
private final UserDetailsService jwtUserDetailsService; |
|
|
|
|
private final JwtRequestFilter jwtRequestFilter; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private final String[] PERMITTED_URL = { |
|
|
|
|
"/api/acnt/**", |
|
|
|
|
"/api/ctr/cntrl/id/**", |
|
|
|
|
"/api/server/**", |
|
|
|
|
"/api/comn/file/download", |
|
|
|
|
"/api/comn/file/download/**", |
|
|
|
|
// 외부 연동
|
|
|
|
|
"/api/external/laanc/**", |
|
|
|
|
"/api/external/dos/**", |
|
|
|
|
"/api/laanc/flight/plan", |
|
|
|
|
// TEST
|
|
|
|
|
"/api/v1/utm", |
|
|
|
|
/* swagger v2 */ |
|
|
|
|
"/v2/api-docs", |
|
|
|
|
"/swagger-resources", |
|
|
|
|
"/swagger-resources/**", |
|
|
|
|
"/configuration/ui", |
|
|
|
|
"/configuration/security", |
|
|
|
|
// "/swagger-ui.html",
|
|
|
|
|
"/webjars/**", |
|
|
|
|
/* swagger v3 */ |
|
|
|
|
"/v3/api-docs/**", |
|
|
|
|
"/webjars/**", |
|
|
|
|
/* swagger v3 */ |
|
|
|
|
"/v3/api-docs/**", |
|
|
|
|
// "/swagger-ui/**",
|
|
|
|
|
/* swagger spring doc */ |
|
|
|
|
"/api-docs", |
|
|
|
|
"/api-docs/**", |
|
|
|
|
"/swagger-ui-custom.html", |
|
|
|
|
"/v3/api-docs/**", |
|
|
|
|
"/swagger-ui/**", |
|
|
|
|
"/swagger-ui.html" |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
@Autowired |
|
|
|
|
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { |
|
|
|
|
// configure AuthenticationManager so that it knows from where to load
|
|
|
|
|
// user for matching credentials
|
|
|
|
|
// Use BCryptPasswordEncoder
|
|
|
|
|
auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder()); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Bean |
|
|
|
|
@Primary |
|
|
|
|
public CorsConfigurationSource corsConfigurationSource() { |
|
|
|
|
CorsConfiguration configuration = new CorsConfiguration(); |
|
|
|
|
configuration.setAllowedOrigins(Arrays.asList("*")); |
|
|
|
|
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE","OPTIONS")); |
|
|
|
|
configuration.setAllowedHeaders(Arrays.asList("x-timezone","Accept-Language","Accept","X-Requested-With", "Content-Type", "Authorization", "X-XSRF-token")); |
|
|
|
|
configuration.setAllowCredentials(false); |
|
|
|
|
configuration.setMaxAge(3600L); |
|
|
|
|
|
|
|
|
|
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); |
|
|
|
|
source.registerCorsConfiguration("/**", configuration); |
|
|
|
|
|
|
|
|
|
return source; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@Bean |
|
|
|
|
public PasswordEncoder passwordEncoder() { |
|
|
|
|
return new BCryptPasswordEncoder(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Bean |
|
|
|
|
@Override |
|
|
|
|
public AuthenticationManager authenticationManagerBean() throws Exception { |
|
|
|
|
return super.authenticationManagerBean(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
|
protected void configure(HttpSecurity httpSecurity) throws Exception { |
|
|
|
|
// We don't need CSRF for this example
|
|
|
|
|
httpSecurity.csrf().disable() |
|
|
|
|
.cors(cors -> corsConfigurationSource()) |
|
|
|
|
// dont authenticate this particular request
|
|
|
|
|
.authorizeRequests() |
|
|
|
|
.antMatchers(HttpMethod.OPTIONS,"/api/**").permitAll() |
|
|
|
|
.antMatchers(HttpMethod.GET,"/ping").permitAll() |
|
|
|
|
.antMatchers("/swagger-ui/**").permitAll() |
|
|
|
|
.antMatchers(PERMITTED_URL).permitAll() |
|
|
|
|
// all other requests need to be authenticated
|
|
|
|
|
.anyRequest().authenticated().and() |
|
|
|
|
// make sure we use stateless session; session won't be used to
|
|
|
|
|
// store user's state.
|
|
|
|
|
.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement() |
|
|
|
|
.sessionCreationPolicy(SessionCreationPolicy.STATELESS); |
|
|
|
|
|
|
|
|
|
// Add a filter to validate the tokens with every request
|
|
|
|
|
httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class); |
|
|
|
|
} |
|
|
|
|
/* swagger spring doc */ |
|
|
|
|
"/api-docs", |
|
|
|
|
"/api-docs/**", |
|
|
|
|
"/swagger-ui-custom.html", |
|
|
|
|
"/v3/api-docs/**", |
|
|
|
|
"/swagger-ui/**", |
|
|
|
|
"/swagger-ui.html" |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
@Autowired |
|
|
|
|
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { |
|
|
|
|
// configure AuthenticationManager so that it knows from where to load
|
|
|
|
|
// user for matching credentials
|
|
|
|
|
// Use BCryptPasswordEncoder
|
|
|
|
|
auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder()); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Bean |
|
|
|
|
@Primary |
|
|
|
|
public CorsConfigurationSource corsConfigurationSource() { |
|
|
|
|
CorsConfiguration configuration = new CorsConfiguration(); |
|
|
|
|
configuration.setAllowedOrigins(Arrays.asList("*")); |
|
|
|
|
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")); |
|
|
|
|
configuration.setAllowedHeaders(Arrays.asList("x-timezone", "Accept-Language", "Accept", "X-Requested-With", "Content-Type", "Authorization", "X-XSRF-token")); |
|
|
|
|
configuration.setAllowCredentials(false); |
|
|
|
|
configuration.setMaxAge(3600L); |
|
|
|
|
|
|
|
|
|
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); |
|
|
|
|
source.registerCorsConfiguration("/**", configuration); |
|
|
|
|
|
|
|
|
|
return source; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@Bean |
|
|
|
|
public PasswordEncoder passwordEncoder() { |
|
|
|
|
return new BCryptPasswordEncoder(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Bean |
|
|
|
|
@Override |
|
|
|
|
public AuthenticationManager authenticationManagerBean() throws Exception { |
|
|
|
|
return super.authenticationManagerBean(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
|
protected void configure(HttpSecurity httpSecurity) throws Exception { |
|
|
|
|
// We don't need CSRF for this example
|
|
|
|
|
httpSecurity.csrf().disable() |
|
|
|
|
.cors(cors -> corsConfigurationSource()) |
|
|
|
|
// dont authenticate this particular request
|
|
|
|
|
.authorizeRequests() |
|
|
|
|
.antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll() |
|
|
|
|
.antMatchers(HttpMethod.GET, "/ping").permitAll() |
|
|
|
|
.antMatchers("/swagger-ui/**").permitAll() |
|
|
|
|
.antMatchers(PERMITTED_URL).permitAll() |
|
|
|
|
// all other requests need to be authenticated
|
|
|
|
|
.anyRequest().authenticated().and() |
|
|
|
|
// make sure we use stateless session; session won't be used to
|
|
|
|
|
// store user's state.
|
|
|
|
|
.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement() |
|
|
|
|
.sessionCreationPolicy(SessionCreationPolicy.STATELESS); |
|
|
|
|
|
|
|
|
|
// Add a filter to validate the tokens with every request
|
|
|
|
|
httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
} |
