sonderau/leagues-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ea8484fca7b19bc73043f9d0d681eaa4d1ea4961
leagues-tools/spring-backend/src/main/java/com/osleague/groupironmen/config/SecurityConfig.java
sonderau ea8484fca7 Imagery imported for icons and items. Live updates working. 
Hover tooltip working. Features.md added for better tracking.
2025-10-28 08:41:04 +08:00

75 lines
3.0 KiB
Java
Raw Blame History

package com.osleague.groupironmen.config;
import com.osleague.groupironmen.security.TokenAuthenticationFilter;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfigurationSource;
/**
* Security configuration for Group Ironmen API.
*
* Public endpoints (no authentication):
* - POST /api/create-group
* - GET /api/ge-prices
* - GET /api/captcha-enabled
* - GET /api/collection-log-info
*
* Protected endpoints (token authentication):
* - All /api/group/{group_name}/** endpoints
*/
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {
private final TokenAuthenticationFilter tokenAuthenticationFilter;
private final CorsConfigurationSource corsConfigurationSource;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
// Enable CORS
.cors(cors -> cors.configurationSource(corsConfigurationSource))
// Disable CSRF (stateless API with token auth)
.csrf(AbstractHttpConfigurer::disable)
// Stateless session (no cookies, no server-side sessions)
.sessionManagement(session ->
session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
)
// Authorization rules
.authorizeHttpRequests(auth -> auth
// Public endpoints
.requestMatchers(
"/api/create-group",
"/api/ge-prices",
"/api/captcha-enabled",
"/api/collection-log-info"
).permitAll()
// Protected endpoints (require authentication)
.requestMatchers("/api/group/**").authenticated()
// Actuator endpoints (if enabled)
.requestMatchers("/actuator/**").permitAll()
// All other requests require authentication by default
.anyRequest().authenticated()
)
// Add custom token authentication filter before UsernamePasswordAuthenticationFilter
.addFilterBefore(tokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
}
Reference in New Issue View Git Blame Copy Permalink