admin/honey-be
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fxies

Browse Source
This commit is contained in:
Mykhailo Svishchov
2026-03-05 15:10:04 +02:00
parent abd18f5692
commit 6269e248bc
2 changed files with 30 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/main/java/com/honey/honey/config/AdminSecurityConfig.java
View File

@@ -5,6 +5,7 @@ import com.honey.honey.security.admin.JwtAuthenticationFilter;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order; import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager; import org.springframework.security.authentication.ProviderManager;
@@ -12,13 +13,14 @@ import org.springframework.security.authentication.dao.DaoAuthenticationProvider
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -54,16 +56,28 @@ public class AdminSecurityConfig {
} }
/** /**
* Ignore Swagger/OpenAPI paths so they bypass Spring Security entirely (no 401). * Swagger/OpenAPI docs: permitAll with highest precedence so the default Spring Boot chain
* Using WebSecurityCustomizer is more reliable than a separate SecurityFilterChain on some environments (e.g. Railway). * (which requires auth for /**) never handles these paths. Includes webjars and resources
* so the UI can load CSS/JS.
*/ */
@Bean @Bean
public WebSecurityCustomizer webSecurityCustomizer() { @Order(Ordered.HIGHEST_PRECEDENCE)
return web -> web.ignoring().requestMatchers( public SecurityFilterChain swaggerSecurityFilterChain(HttpSecurity http) throws Exception {
RequestMatcher swaggerMatcher = new OrRequestMatcher(
new AntPathRequestMatcher("/swagger-ui/**"), new AntPathRequestMatcher("/swagger-ui/**"),
new AntPathRequestMatcher("/swagger-ui.html"),
new AntPathRequestMatcher("/v3/api-docs"), new AntPathRequestMatcher("/v3/api-docs"),
new AntPathRequestMatcher("/v3/api-docs/**") new AntPathRequestMatcher("/v3/api-docs/**"),
new AntPathRequestMatcher("/webjars/**"),
new AntPathRequestMatcher("/swagger-resources/**"),
new AntPathRequestMatcher("/configuration/**")
); );
http
.securityMatcher(swaggerMatcher)
.authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
.csrf(csrf -> csrf.disable())
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
return http.build();
} }
@Bean @Bean

10
src/main/java/com/honey/honey/config/WebConfig.java
View File

@@ -32,7 +32,15 @@ public class WebConfig implements WebMvcConfigurer {
"/api/check_user/**", // User check endpoint for external applications (open endpoint) "/api/check_user/**", // User check endpoint for external applications (open endpoint)
"/api/deposit_webhook/**", // 3rd party deposit completion webhook (token in path, no auth) "/api/deposit_webhook/**", // 3rd party deposit completion webhook (token in path, no auth)
"/api/notify_broadcast/**", // Notify broadcast start/stop (token in path, no auth) "/api/notify_broadcast/**", // Notify broadcast start/stop (token in path, no auth)
"/api/admin/**" // Admin endpoints are handled by Spring Security "/api/admin/**", // Admin endpoints are handled by Spring Security
// Swagger / OpenAPI docs (no auth required for documentation)
"/swagger-ui/**",
"/swagger-ui.html",
"/v3/api-docs",
"/v3/api-docs/**",
"/webjars/**",
"/swagger-resources/**",
"/configuration/**"
); );
// User-based rate limiting for payment creation and payout creation (applied after auth interceptor) // User-based rate limiting for payment creation and payout creation (applied after auth interceptor)