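package org.berzerkula.builddb.config;

import org.berzerkula.builddb.BuilddbConstants;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Spring Security configuration for the builddb web application.
 *
 * <p>Defines the single {@link SecurityFilterChain} (URL authorization rules, form login,
 * CSRF handling, HSTS, logout) and the {@link PasswordEncoder} used for stored credentials.
 * Matchers are evaluated in declaration order; the first matching rule wins.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    /**
     * Paths that require {@code ROLE_ADMIN}.
     *
     * <p>Every pattern must start with "/" to match an incoming request path. The metrics
     * entry previously read {@code "actuator/metrics"} (no leading slash), which never matched
     * {@code /actuator/metrics}; that endpoint therefore fell through to
     * {@code anyRequest().authenticated()} and was reachable by any signed-in user.
     */
    private static final String[] ADMINLIST = {
        // NOTE(review): exact match only — sub-paths under /admin fall through to
        // authenticated(); confirm whether "/admin/**" is intended.
        "/admin",
        "/actuator/beans",
        "/actuator/env",
        "/actuator/metrics",
        "/actuator/shutdown"
    };

    /** Paths that require {@code ROLE_CLIENT}. */
    private static final String[] CLIENTLIST = {"/client", "/pkgs/**"};

    /** Paths open to unauthenticated users. */
    private static final String[] WHITELIST = {
        "/", "/register", "/login", "/actuator/health", "/actuator/info", "/contact"
    };

    /**
     * Builds the application's security filter chain.
     *
     * @param http the {@link HttpSecurity} builder supplied by Spring Security
     * @return the configured filter chain applied to every request ({@code /**})
     * @throws Exception if the {@link HttpSecurity} builder fails to build the chain
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .securityMatcher("/**")
                // HTTPS enforcement is currently disabled; left here as the author had it.
                //.requiresChannel(channel -> channel.anyRequest().requiresSecure())
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers(WHITELIST).permitAll()
                        .requestMatchers(ADMINLIST).hasRole(BuilddbConstants.ROLE_ADMIN)
                        .requestMatchers(CLIENTLIST).hasRole(BuilddbConstants.ROLE_CLIENT)
                        .anyRequest().authenticated())
                // CSRF protection is switched off for /actuator/shutdown only. The endpoint is
                // still gated by ROLE_ADMIN above, but without a CSRF token a cross-site request
                // riding on an admin's browser session could trigger a shutdown — review whether
                // this exemption is still required.
                .csrf(csrf -> csrf.ignoringRequestMatchers("/actuator/shutdown"))
                .formLogin(form -> form
                        .loginPage("/login")
                        // The login form posts the user identifier under "email", not "username".
                        .usernameParameter("email")
                        .passwordParameter("password")
                        // Always land on "/" after login, ignoring any saved request.
                        .defaultSuccessUrl("/", true))
                .headers(headers -> headers
                        .httpStrictTransportSecurity(hsts -> hsts
                                .includeSubDomains(true)
                                // NOTE(review): a 40-second max-age means browsers forget the
                                // HSTS policy almost immediately; presumably a development
                                // value — confirm before production use.
                                .maxAgeInSeconds(40)
                                .preload(false)))
                .logout(config -> config.logoutSuccessUrl("/"))
                .build();
    }

    /**
     * Password encoder for stored credentials.
     *
     * @return a {@link BCryptPasswordEncoder} using the library's default work factor
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}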