Security for MVC and REST in the same app
| package com.luv2code.springboot.thymeleafdemo.config; | |
| import org.springframework.context.annotation.Bean; | |
| import org.springframework.context.annotation.Configuration; | |
| import org.springframework.core.annotation.Order; | |
| import org.springframework.http.HttpMethod; | |
| import org.springframework.security.config.annotation.web.builders.HttpSecurity; | |
| import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; | |
| import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; | |
| import org.springframework.security.config.http.SessionCreationPolicy; | |
| import org.springframework.security.core.userdetails.User; | |
| import org.springframework.security.core.userdetails.User.UserBuilder; | |
| import org.springframework.security.core.userdetails.UserDetailsService; | |
| import org.springframework.security.provisioning.InMemoryUserDetailsManager; | |
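@EnableWebSecurity
public class MultiHttpSecurityConfig {

    /**
     * Builds the in-memory user store shared by both filter chains below.
     *
     * <p>NOTE: {@link User#withDefaultPasswordEncoder()} is deprecated and meant only for demos
     * and getting-started samples: the credentials are hard-coded in source and held in memory.
     * A deployed application should load users from a persistent store and wire an explicit
     * {@code PasswordEncoder} bean instead.
     *
     * @return the manager holding the three demo accounts
     * @throws Exception declared to keep the original bean signature; nothing in the body
     *         throws a checked exception
     */
    @Bean
    public UserDetailsService userDetailsService() throws Exception {
        // add our users for in memory authentication
        UserBuilder users = User.withDefaultPasswordEncoder();
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(users.username("john").password("test123").roles("EMPLOYEE").build());
        manager.createUser(users.username("mary").password("test123").roles("EMPLOYEE", "MANAGER").build());
        manager.createUser(users.username("susan").password("test123").roles("EMPLOYEE", "ADMIN").build());
        return manager;
    }

    /**
     * Filter chain for the REST API under {@code /magic-api/**}.
     *
     * <p>Evaluated first ({@code @Order(1)}) so API requests never fall through to the form-login
     * chain. Authentication is HTTP Basic and the chain is {@code STATELESS}, so no session cookie
     * is issued; that is also why CSRF protection is switched off here — CSRF tokens defend
     * cookie-backed sessions, which this chain does not use.
     */
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        /**
         * Applies the API authorization rules, HTTP Basic and stateless session handling.
         *
         * @param http the builder for this chain, already scoped to {@code /magic-api/**}
         * @throws Exception as declared by the overridden method
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/magic-api/**")
                .authorizeRequests()
                    // read access for every employee
                    .antMatchers(HttpMethod.GET, "/magic-api/employees").hasRole("EMPLOYEE")
                    .antMatchers(HttpMethod.GET, "/magic-api/employees/**").hasRole("EMPLOYEE")
                    // create and update are restricted to managers and admins
                    .antMatchers(HttpMethod.POST, "/magic-api/employees").hasAnyRole("MANAGER", "ADMIN")
                    .antMatchers(HttpMethod.POST, "/magic-api/employees/**").hasAnyRole("MANAGER", "ADMIN")
                    .antMatchers(HttpMethod.PUT, "/magic-api/employees").hasAnyRole("MANAGER", "ADMIN")
                    .antMatchers(HttpMethod.PUT, "/magic-api/employees/**").hasAnyRole("MANAGER", "ADMIN")
                    // delete is admin-only
                    .antMatchers(HttpMethod.DELETE, "/magic-api/employees/**").hasRole("ADMIN")
                    // Deny-by-default for the rest of the API surface: without this rule a
                    // /magic-api/** request that matches none of the patterns above (another
                    // HTTP method, another path) has no authorization rule applied to it at all.
                    .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }

    /**
     * Filter chain for the server-rendered MVC pages (everything the API chain does not claim).
     *
     * <p>No {@code @Order} is given, so this adapter takes the default (lowest) precedence and
     * acts as the catch-all chain. Rules are matched in declaration order, so the more specific
     * {@code /employees/showForm*}, {@code /employees/save*} and {@code /employees/delete}
     * matchers must stay ahead of {@code /employees/**}.
     *
     * <p>NOTE(review): this chain has no {@code anyRequest()} rule, so paths outside the listed
     * patterns get no authorization rule from it; consider adding a catch-all once the set of
     * intentionally public pages (home, login, access-denied) is settled.
     */
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        /**
         * Applies the page authorization rules, custom form login, logout and access-denied page.
         *
         * @param http the builder for this chain
         * @throws Exception as declared by the overridden method
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/employees/showForm*").hasAnyRole("MANAGER", "ADMIN")
                    .antMatchers("/employees/save*").hasAnyRole("MANAGER", "ADMIN")
                    .antMatchers("/employees/delete").hasRole("ADMIN")
                    .antMatchers("/employees/**").hasRole("EMPLOYEE")
                    .antMatchers("/resources/**").permitAll()
                .and()
                .formLogin()
                    // custom login page and processing URL; both must be reachable anonymously
                    .loginPage("/showMyLoginPage")
                    .loginProcessingUrl("/authenticateTheUser")
                    .permitAll()
                .and()
                .logout().permitAll()
                .and()
                .exceptionHandling().accessDeniedPage("/access-denied");
        }
    }
}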