Initial commitHEADmain

1 files changed, 117 insertions, 0 deletions

diff --git a/pse-server/src/main/java/org/psesquared/server/config/SecurityConfig.java b/pse-server/src/main/java/org/psesquared/server/config/SecurityConfig.java
new file mode 100644
index 0000000..8005160
--- /dev/null
+++ b/pse-server/src/main/java/org/psesquared/server/config/SecurityConfig.java
@@ -0,0 +1,117 @@
+package org.psesquared.server.config;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+/**
+ * This class is responsible for configuring the {@link SecurityFilterChain}
+ * which determines the way authentication is handled with the server.
+ */
+@Configuration
+@EnableWebSecurity
+@RequiredArgsConstructor
+public class SecurityConfig {
+
+  /**
+   * The URL of the unsecured register-API-endpoint.
+   */
+  private static final String REGISTER_URL
+      = "/api/2/auth/register.json";
+
+  /**
+   * The URL of the unsecured forgotPassword-API-endpoint.
+   */
+  private static final String FORGOT_URL
+      = "/api/2/auth/{email}/forgot.json";
+
+  /**
+   * The URL of the unsecured verify-API-endpoint.
+   */
+  private static final String VERIFY_URL
+      = "/api/2/auth/{username}/verify.json";
+
+  /**
+   * The URL of the unsecured resetPassword-API-endpoint.
+   */
+  private static final String RESET_PASSWORD_URL
+      = "/api/2/auth/{username}/resetpassword.json";
+
+  /**
+   * The authentication filter for JWT authentication.
+   */
+  private final JwtAuthenticationFilter jwtAuthFilter;
+
+  /**
+   * The authentication provider specified in {@link ApplicationConfig}.
+   */
+  private final AuthenticationProvider authenticationProvider;
+
+  /**
+   * Configures the {@link SecurityFilterChain} with {@link HttpSecurity}
+   * in the following way:
+   * <br>
+   * 1. JWT authentication ("sessionid" cookie)
+   * <br>
+   * 2. HTTP basic authentication ("Authorization" header)
+   *
+   * @param http The HTTP security class
+   * @return The security filter chain
+   * @throws Exception If an error occurs
+   */
+  @Bean
+  public SecurityFilterChain securityFilterChain(final HttpSecurity http)
+      throws Exception {
+    http
+        .cors()
+        .and()
+        .csrf()
+        .disable()
+        .authorizeHttpRequests()
+        .requestMatchers(
+            REGISTER_URL,
+            FORGOT_URL,
+            VERIFY_URL,
+            RESET_PASSWORD_URL)
+        .permitAll()
+        .anyRequest()
+        .authenticated()
+        .and()
+        .authenticationProvider(authenticationProvider)
+        .addFilterBefore(jwtAuthFilter,
+            UsernamePasswordAuthenticationFilter.class)
+        .httpBasic()
+        .and()
+        .sessionManagement()
+        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+    return http.build();
+  }
+
+  /**
+   * Ensures CORS is processed before Spring Security.
+   *
+   * @return The specified CORS configuration source
+   */
+  @Bean
+  CorsConfigurationSource corsConfigurationSource() {
+    CorsConfiguration configuration = new CorsConfiguration();
+    configuration.setAllowCredentials(true);
+    configuration.addAllowedOriginPattern("*");
+    configuration.addAllowedHeader("*");
+    configuration.addAllowedMethod("*");
+    UrlBasedCorsConfigurationSource source
+        = new UrlBasedCorsConfigurationSource();
+    source.registerCorsConfiguration("/**", configuration);
+    return source;
+  }
+
+}