fxies
This commit is contained in:
Mykhailo Svishchov
@@ -5,6 +5,7 @@ import com.honey.honey.security.admin.JwtAuthenticationFilter;
|
|||||||
import lombok.RequiredArgsConstructor;
|
import lombok.RequiredArgsConstructor;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.core.Ordered;
|
||||||
import org.springframework.core.annotation.Order;
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.authentication.ProviderManager;
|
import org.springframework.security.authentication.ProviderManager;
|
||||||
@@ -12,13 +13,14 @@ import org.springframework.security.authentication.dao.DaoAuthenticationProvider
|
|||||||
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
|
||||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||||
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
||||||
import org.springframework.security.crypto.password.PasswordEncoder;
|
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||||
import org.springframework.security.web.SecurityFilterChain;
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
||||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||||
|
import org.springframework.security.web.util.matcher.OrRequestMatcher;
|
||||||
|
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||||
import org.springframework.web.cors.CorsConfiguration;
|
import org.springframework.web.cors.CorsConfiguration;
|
||||||
import org.springframework.web.cors.CorsConfigurationSource;
|
import org.springframework.web.cors.CorsConfigurationSource;
|
||||||
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
|
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
|
||||||
@@ -54,16 +56,28 @@ public class AdminSecurityConfig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Ignore Swagger/OpenAPI paths so they bypass Spring Security entirely (no 401).
|
* Swagger/OpenAPI docs: permitAll with highest precedence so the default Spring Boot chain
|
||||||
* Using WebSecurityCustomizer is more reliable than a separate SecurityFilterChain on some environments (e.g. Railway).
|
* (which requires auth for /**) never handles these paths. Includes webjars and resources
|
||||||
|
* so the UI can load CSS/JS.
|
||||||
*/
|
*/
|
||||||
@Bean
|
@Bean
|
||||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||||
return web -> web.ignoring().requestMatchers(
|
public SecurityFilterChain swaggerSecurityFilterChain(HttpSecurity http) throws Exception {
|
||||||
|
RequestMatcher swaggerMatcher = new OrRequestMatcher(
|
||||||
new AntPathRequestMatcher("/swagger-ui/**"),
|
new AntPathRequestMatcher("/swagger-ui/**"),
|
||||||
|
new AntPathRequestMatcher("/swagger-ui.html"),
|
||||||
new AntPathRequestMatcher("/v3/api-docs"),
|
new AntPathRequestMatcher("/v3/api-docs"),
|
||||||
new AntPathRequestMatcher("/v3/api-docs/**")
|
new AntPathRequestMatcher("/v3/api-docs/**"),
|
||||||
|
new AntPathRequestMatcher("/webjars/**"),
|
||||||
|
new AntPathRequestMatcher("/swagger-resources/**"),
|
||||||
|
new AntPathRequestMatcher("/configuration/**")
|
||||||
);
|
);
|
||||||
|
http
|
||||||
|
.securityMatcher(swaggerMatcher)
|
||||||
|
.authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
|
||||||
|
.csrf(csrf -> csrf.disable())
|
||||||
|
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
|
|||||||
@@ -24,7 +24,7 @@ public class WebConfig implements WebMvcConfigurer {
|
|||||||
// User session interceptor for all other authenticated endpoints
|
// User session interceptor for all other authenticated endpoints
|
||||||
registry.addInterceptor(authInterceptor)
|
registry.addInterceptor(authInterceptor)
|
||||||
.excludePathPatterns(
|
.excludePathPatterns(
|
||||||
"/ping",
|
"/ping",
|
||||||
"/actuator/**",
|
"/actuator/**",
|
||||||
"/api/auth/tma/session", // Session creation endpoint doesn't require auth
|
"/api/auth/tma/session", // Session creation endpoint doesn't require auth
|
||||||
"/api/telegram/webhook/**", // Telegram webhook (token in path, validated in controller)
|
"/api/telegram/webhook/**", // Telegram webhook (token in path, validated in controller)
|
||||||
@@ -32,7 +32,15 @@ public class WebConfig implements WebMvcConfigurer {
|
|||||||
"/api/check_user/**", // User check endpoint for external applications (open endpoint)
|
"/api/check_user/**", // User check endpoint for external applications (open endpoint)
|
||||||
"/api/deposit_webhook/**", // 3rd party deposit completion webhook (token in path, no auth)
|
"/api/deposit_webhook/**", // 3rd party deposit completion webhook (token in path, no auth)
|
||||||
"/api/notify_broadcast/**", // Notify broadcast start/stop (token in path, no auth)
|
"/api/notify_broadcast/**", // Notify broadcast start/stop (token in path, no auth)
|
||||||
"/api/admin/**" // Admin endpoints are handled by Spring Security
|
"/api/admin/**", // Admin endpoints are handled by Spring Security
|
||||||
|
// Swagger / OpenAPI docs (no auth required for documentation)
|
||||||
|
"/swagger-ui/**",
|
||||||
|
"/swagger-ui.html",
|
||||||
|
"/v3/api-docs",
|
||||||
|
"/v3/api-docs/**",
|
||||||
|
"/webjars/**",
|
||||||
|
"/swagger-resources/**",
|
||||||
|
"/configuration/**"
|
||||||
);
|
);
|
||||||
|
|
||||||
// User-based rate limiting for payment creation and payout creation (applied after auth interceptor)
|
// User-based rate limiting for payment creation and payout creation (applied after auth interceptor)
|
||||||
|
|||||||
Reference in New Issue
Block a user