Refactor BFF Package Structure #64
@ -5,64 +5,13 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
|
||||
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatchers;
|
||||
import org.springframework.web.cors.CorsConfiguration;
|
||||
import se.su.dsv.studentportalen.bff.login.BFFAuthenticationEntryPoint;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
|
||||
|
||||
@SpringBootApplication
|
||||
@EnableConfigurationProperties
|
||||
@ConfigurationPropertiesScan
|
||||
public class Studentportalen extends SpringBootServletInitializer {
|
||||
|
||||
private static final RequestMatcher DOCUMENTATION_MATCHER = RequestMatchers.anyOf(
|
||||
antMatcher("/swagger"),
|
||||
antMatcher("/swagger-ui/**"),
|
||||
antMatcher("/v3/api-docs/**"));
|
||||
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(Studentportalen.class, args);
|
||||
}
|
||||
|
||||
@Bean
|
||||
public SecurityFilterChain securityFilterChain(
|
||||
HttpSecurity http,
|
||||
FrontendConfiguration frontendConfiguration)
|
||||
throws Exception
|
||||
{
|
||||
http.exceptionHandling(exception -> exception
|
||||
.authenticationEntryPoint(new BFFAuthenticationEntryPoint()));
|
||||
http.oauth2Login(login -> login
|
||||
.defaultSuccessUrl(frontendConfiguration.url(), true));
|
||||
http.authorizeHttpRequests(authorize -> authorize
|
||||
.requestMatchers(DOCUMENTATION_MATCHER).permitAll()
|
||||
.anyRequest().authenticated());
|
||||
http.cors(cors -> cors
|
||||
.configurationSource(_ -> frontendOnlyCors(frontendConfiguration)));
|
||||
return http.build();
|
||||
}
|
||||
|
||||
private static CorsConfiguration frontendOnlyCors(FrontendConfiguration frontendConfiguration) {
|
||||
var corsConfiguration = new CorsConfiguration();
|
||||
corsConfiguration.setAllowedOrigins(List.of(frontendConfiguration.url()));
|
||||
corsConfiguration.setAllowedMethods(List.of("GET", "POST"));
|
||||
|
||||
// Allow the frontend to see the X-Authorization-Url header
|
||||
corsConfiguration.setExposedHeaders(List.of("X-Authorization-Url"));
|
||||
|
||||
// To allow the session cookie to be included
|
||||
corsConfiguration.setAllowCredentials(true);
|
||||
|
||||
// Content-Type is allowed by default but with a restriction on the value
|
||||
// The restriction does not allow "application/json" so we add it as an allowed header
|
||||
corsConfiguration.setAllowedHeaders(List.of("Content-Type"));
|
||||
return corsConfiguration;
|
||||
}
|
||||
}
|
||||
|
||||
@ -0,0 +1,51 @@
|
||||
package se.su.dsv.studentportalen.bff.config;
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.web.cors.CorsConfiguration;
|
||||
import se.su.dsv.studentportalen.bff.login.BFFAuthenticationEntryPoint;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
@Configuration
|
||||
public class SecurityConfiguration {
|
||||
|
||||
@Bean
|
||||
public SecurityFilterChain securityFilterChain(
|
||||
HttpSecurity http,
|
||||
FrontendConfiguration frontendConfiguration)
|
||||
throws Exception
|
||||
{
|
||||
http.exceptionHandling(exception -> exception
|
||||
.authenticationEntryPoint(new BFFAuthenticationEntryPoint()));
|
||||
http.oauth2Login(login -> login
|
||||
.defaultSuccessUrl(frontendConfiguration.url(), true));
|
||||
http.authorizeHttpRequests(authorize -> authorize
|
||||
.requestMatchers("/swagger", "/swagger-ui/**", "/v3/api-docs/**").permitAll()
|
||||
.anyRequest().authenticated());
|
||||
http.cors(cors -> cors
|
||||
.configurationSource(_ -> frontendOnlyCors(frontendConfiguration)));
|
||||
http.csrf(csrf -> csrf.spa());
|
||||
return http.build();
|
||||
}
|
||||
|
||||
private static CorsConfiguration frontendOnlyCors(FrontendConfiguration frontendConfiguration) {
|
||||
var corsConfiguration = new CorsConfiguration();
|
||||
corsConfiguration.setAllowedOrigins(List.of(frontendConfiguration.url()));
|
||||
corsConfiguration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
|
||||
|
||||
// Allow the frontend to see the X-Authorization-Url header
|
||||
corsConfiguration.setExposedHeaders(List.of("X-Authorization-Url"));
|
||||
|
||||
// To allow the session cookie to be included
|
||||
corsConfiguration.setAllowCredentials(true);
|
||||
|
||||
// Content-Type is allowed by default but with a restriction on the value
|
||||
// The restriction does not allow "application/json" so we add it as an allowed header
|
||||
// X-XSRF-TOKEN is needed for CSRF protection
|
||||
corsConfiguration.setAllowedHeaders(List.of("Content-Type", "X-XSRF-TOKEN"));
|
||||
return corsConfiguration;
|
||||
}
|
||||
}
|
||||
Loading…
x
Reference in New Issue
Block a user