Colin DAMON
--- a/borestop/src/main/java/com/ippon/borestop/config/SecurityConfiguration.java 0 → 100644

+ 117

− 0
+++ b/borestop/src/main/java/com/ippon/borestop/config/SecurityConfiguration.java 0 → 100644

+ 117

− 0
+package com.ippon.borestop.config;
+
+import com.ippon.borestop.common.infrastructure.Generated;
+import com.ippon.borestop.security.AuthoritiesConstants;
+import com.ippon.borestop.security.jwt.JWTConfigurer;
+import com.ippon.borestop.security.jwt.TokenProvider;
+import org.springframework.context.annotation.Bean;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
+import org.springframework.web.filter.CorsFilter;
+
+@Generated
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
+public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+  private final TokenProvider tokenProvider;
+
+  private final CorsFilter corsFilter;
+  private final AuthenticationErrorsHandler errorsHandler;
+
+  public SecurityConfiguration(TokenProvider tokenProvider, CorsFilter corsFilter, AuthenticationErrorsHandler errorsHandler) {
+    this.tokenProvider = tokenProvider;
+    this.corsFilter = corsFilter;
+    this.errorsHandler = errorsHandler;
+  }
+
+  @Bean
+  public PasswordEncoder passwordEncoder() {
+    return new BCryptPasswordEncoder();
+  }
+
+  @Override
+  public void configure(WebSecurity web) {
+    web
+      .ignoring()
+      .antMatchers(HttpMethod.OPTIONS, "/**")
+      .antMatchers("/app/**/*.{js,html}")
+      .antMatchers("/i18n/**")
+      .antMatchers("/content/**")
+      .antMatchers("/h2-console/**")
+      .antMatchers("/swagger-ui/index.html")
+      .antMatchers("/test/**");
+  }
+
+  @Override
+  public void configure(HttpSecurity http) throws Exception {
+    // @formatter:off
+        http
+            .csrf()
+            .csrfTokenRepository(csrfTokenRepository())
+            .disable()
+            .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
+            .exceptionHandling()
+                .authenticationEntryPoint(errorsHandler)
+                .accessDeniedHandler(errorsHandler)
+        .and()
+            .headers()
+            .contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:")
+        .and()
+            .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
+        .and()
+            .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none'")
+        .and()
+            .frameOptions()
+            .deny()
+        .and()
+            .sessionManagement()
+            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+        .and()
+            .authorizeRequests()
+            .antMatchers("/api/authenticate").permitAll()
+            .antMatchers("/api/register").permitAll()
+            .antMatchers("/api/activate").permitAll()
+            .antMatchers("/api/account/reset-password/init").permitAll()
+            .antMatchers("/api/account/reset-password/finish").permitAll()
+            .antMatchers("/api/**").authenticated()
+            .antMatchers("/management/health").permitAll()
+            .antMatchers("/management/info").permitAll()
+            .antMatchers("/management/prometheus").permitAll()
+            .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
+        .and()
+            .httpBasic()
+        .and()
+            .apply(securityConfigurerAdapter())
+        .and()
+            .securityContext()
+                .securityContextRepository(securityContextRepository());
+  // @formatter:on
+  }
+
+  @Bean
+  public SecurityContextRepository securityContextRepository() {
+    return new HttpSessionSecurityContextRepository();
+  }
+
+  @Bean
+  public CsrfTokenRepository csrfTokenRepository() {
+    return CookieCsrfTokenRepository.withHttpOnlyFalse();
+  }
+
+  private JWTConfigurer securityConfigurerAdapter() {
+    return new JWTConfigurer(tokenProvider);
+  }
+}