in server/src/main/java/com/epam/indigoeln/config/security/WebSecurityConfig.java [150:312]
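/**
 * Builds the application's {@link SecurityFilterChain}: session management,
 * profile-gated CORS, a custom session-expiration filter, CSRF policy,
 * exception handling, remember-me, AJAX form login/logout, response headers
 * and the per-URL authorization rules.
 *
 * <p>Authorization rules are evaluated in declaration order and the first
 * {@code requestMatchers} entry that matches wins, so a specific pattern must
 * be declared before any wildcard that would otherwise swallow it.
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @return the configured filter chain
 * @throws Exception propagated from {@link HttpSecurity#build()}
 */
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .sessionManagement()
        // -1 = no cap on concurrent sessions per user. The registry is still
        // populated (sessionExpirationFilter() below relies on it); the TODO
        // stands: choose a real limit before depending on concurrency control.
        .maximumSessions(-1) // TODO think about this
        .sessionRegistry(sessionRegistry());

    // CORS is only enabled for deployments running with the CORS profile.
    boolean corsProfileActive = Arrays.asList(environment.getActiveProfiles())
            .contains(Application.Profile.CORS);
    if (corsProfileActive) {
        http.cors();
    }

    // Custom expiration handling has to run before Spring's ConcurrentSessionFilter.
    http.addFilterBefore(sessionExpirationFilter(), ConcurrentSessionFilter.class);

    // NOTE(review): CSRF protection is disabled while authentication is
    // cookie-based (JSESSIONID session plus the remember-me cookie). Every
    // state-changing endpoint below (POST/PUT/DELETE under /api/**) can
    // therefore be triggered from a cross-site form or fetch() issued by a
    // logged-in user's browser. A cookie-token setup (CookieCsrfTokenRepository
    // + CsrfCookieFilter, ignoring /api/authentication, /api/logout and
    // /websocket/**) was tried and backed out over a login-after-logout
    // problem; that regression should be diagnosed and fixed rather than
    // leaving CSRF off. Until then do not deploy with SameSite=None cookies or
    // a permissive CORS policy.
    http.csrf(AbstractHttpConfigurer::disable);

    http
        .exceptionHandling()
            .accessDeniedHandler(new CustomAccessDeniedHandler())
            .authenticationEntryPoint(authenticationEntryPoint)
        .and()
        .rememberMe()
            .rememberMeServices(rememberMeServices)
            .rememberMeParameter("remember-me")
            // Signs the remember-me cookie: must be a long, deployment-specific
            // secret, never a checked-in default.
            .key(securityProperties.getRemembermeKey())
        .and()
        .formLogin()
            .loginProcessingUrl("/api/authentication")
            .successHandler(ajaxAuthenticationSuccessHandler)
            .failureHandler(ajaxAuthenticationFailureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
        .logout()
            .logoutUrl("/api/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler)
            .deleteCookies(CookieConstants.JSESSIONID, CookieConstants.CSRF_TOKEN)
            .permitAll()
        .and()
        .headers()
            // Disabling frame options drops X-Frame-Options entirely and lets any
            // origin frame the app (clickjacking). SAMEORIGIN keeps same-origin
            // embedding (e.g. print views) working; if a cross-origin host must
            // frame the app, use a CSP frame-ancestors allow-list instead of
            // removing the header.
            .frameOptions().sameOrigin()
        .and()
        .authorizeRequests()
            // account resource
            // The specific /account/roles rule must precede the /api/accounts/**
            // wildcard; declared after it, it was never evaluated and any
            // authenticated user could reach the endpoint.
            // NOTE(review): if this endpoint is meant for every signed-in user,
            // delete this rule instead of letting the wildcard shadow it.
            .requestMatchers(HttpMethod.GET, "/api/accounts/account/roles").hasAuthority(ROLE_EDITOR.name())
            .requestMatchers(HttpMethod.GET, "/api/accounts/**").authenticated()
            // experiment_file resource
            .requestMatchers(HttpMethod.GET, "/api/experiment_files").hasAnyAuthority(EXPERIMENT_READERS)
            .requestMatchers(HttpMethod.GET, "/api/experiment_files/**").hasAnyAuthority(EXPERIMENT_READERS)
            .requestMatchers(HttpMethod.POST, "/api/experiment_files").hasAnyAuthority(EXPERIMENT_CREATORS)
            .requestMatchers(HttpMethod.DELETE, "/api/experiment_files/**")
                .hasAnyAuthority(EXPERIMENT_CREATORS)
            // experiment resource
            // The collection GET is only gated on authentication here; the
            // per-user filtering is done by method security on the handler.
            .requestMatchers(HttpMethod.GET, "/api/projects/*/notebooks/*/experiments")
                .authenticated()
            .requestMatchers(HttpMethod.GET, "/api/projects/*/notebooks/*/experiments/all")
                .hasAuthority(CONTENT_EDITOR.name())
            .requestMatchers(HttpMethod.GET, "/api/projects/*/notebooks/*/experiments/**")
                .hasAnyAuthority(EXPERIMENT_READERS)
            .requestMatchers(HttpMethod.POST, "/api/projects/*/notebooks/*/experiments")
                .hasAnyAuthority(EXPERIMENT_CREATORS)
            .requestMatchers(HttpMethod.POST, "/api/projects/*/notebooks/*/experiments/**")
                .hasAnyAuthority(EXPERIMENT_CREATORS)
            .requestMatchers(HttpMethod.PUT, "/api/projects/*/notebooks/*/experiments")
                .hasAnyAuthority(EXPERIMENT_CREATORS)
            .requestMatchers(HttpMethod.PUT, "/api/projects/*/notebooks/*/experiments/**")
                .hasAnyAuthority(EXPERIMENT_CREATORS)
            .requestMatchers(HttpMethod.DELETE, "/api/projects/*/notebooks/*/experiments/**")
                .hasAnyAuthority(EXPERIMENT_REMOVERS)
            // notebook resource
            // Collection GET secured by method security on the handler.
            .requestMatchers(HttpMethod.GET, "/api/projects/*/notebooks").authenticated()
            .requestMatchers(HttpMethod.GET, "/api/projects/*/notebooks/all")
                .hasAuthority(CONTENT_EDITOR.name())
            .requestMatchers(HttpMethod.GET, "/api/projects/*/notebooks/**").hasAnyAuthority(NOTEBOOK_READERS)
            .requestMatchers(HttpMethod.POST, "/api/projects/*/notebooks").hasAnyAuthority(NOTEBOOK_CREATORS)
            .requestMatchers(HttpMethod.PUT, "/api/projects/*/notebooks").hasAnyAuthority(NOTEBOOK_CREATORS)
            .requestMatchers(HttpMethod.DELETE, "/api/projects/*/notebooks/**")
                .hasAnyAuthority(NOTEBOOK_REMOVERS)
            // project_file resource
            .requestMatchers(HttpMethod.GET, "/api/project_files").hasAnyAuthority(PROJECT_READERS)
            .requestMatchers(HttpMethod.GET, "/api/project_files/**").hasAnyAuthority(PROJECT_READERS)
            .requestMatchers(HttpMethod.POST, "/api/project_files").hasAnyAuthority(PROJECT_CREATORS)
            .requestMatchers(HttpMethod.DELETE, "/api/project_files/**").hasAnyAuthority(PROJECT_CREATORS)
            // project resource
            .requestMatchers(HttpMethod.GET, "/api/projects").hasAnyAuthority(PROJECT_READERS)
            .requestMatchers(HttpMethod.GET, "/api/projects/all").hasAuthority(CONTENT_EDITOR.name())
            .requestMatchers(HttpMethod.GET, "/api/projects/**").hasAnyAuthority(PROJECT_READERS)
            .requestMatchers(HttpMethod.POST, "/api/projects").hasAnyAuthority(PROJECT_CREATORS)
            .requestMatchers(HttpMethod.PUT, "/api/projects").hasAnyAuthority(PROJECT_CREATORS)
            .requestMatchers(HttpMethod.DELETE, "/api/projects/**").hasAnyAuthority(PROJECT_REMOVERS)
            // role resource
            .requestMatchers(HttpMethod.GET, "/api/roles").hasAnyAuthority(ROLE_READERS)
            .requestMatchers(HttpMethod.GET, "/api/roles/**").hasAuthority(ROLE_EDITOR.name())
            .requestMatchers(HttpMethod.POST, "/api/roles").hasAuthority(ROLE_EDITOR.name())
            .requestMatchers(HttpMethod.PUT, "/api/roles").hasAuthority(ROLE_EDITOR.name())
            .requestMatchers(HttpMethod.DELETE, "/api/roles/**").hasAuthority(ROLE_EDITOR.name())
            // template resource
            .requestMatchers(HttpMethod.GET, "/api/templates").hasAnyAuthority(TEMPLATE_READERS)
            .requestMatchers(HttpMethod.GET, "/api/templates/**").hasAuthority(TEMPLATE_EDITOR.name())
            .requestMatchers(HttpMethod.POST, "/api/templates").hasAuthority(TEMPLATE_EDITOR.name())
            .requestMatchers(HttpMethod.PUT, "/api/templates").hasAuthority(TEMPLATE_EDITOR.name())
            .requestMatchers(HttpMethod.DELETE, "/api/templates/**").hasAuthority(TEMPLATE_EDITOR.name())
            // user resource
            .requestMatchers(HttpMethod.GET, "/api/users").hasAnyAuthority(USER_READERS)
            .requestMatchers(HttpMethod.GET, "/api/users/permission-management").hasAnyAuthority(USER_READERS)
            .requestMatchers(HttpMethod.GET, "/api/users/**").hasAuthority(USER_EDITOR.name())
            .requestMatchers(HttpMethod.POST, "/api/users").hasAuthority(USER_EDITOR.name())
            .requestMatchers(HttpMethod.PUT, "/api/users").hasAuthority(USER_EDITOR.name())
            .requestMatchers(HttpMethod.DELETE, "/api/users/**").hasAuthority(USER_EDITOR.name())
            // dictionary resource
            .requestMatchers(HttpMethod.GET, "/api/dictionaries").hasAnyAuthority(DICTIONARY_READERS)
            .requestMatchers(HttpMethod.GET, "/api/dictionaries/**").hasAnyAuthority(DICTIONARY_READERS)
            .requestMatchers(HttpMethod.POST, "/api/dictionaries").hasAuthority(DICTIONARY_EDITOR.name())
            .requestMatchers(HttpMethod.PUT, "/api/dictionaries").hasAuthority(DICTIONARY_EDITOR.name())
            .requestMatchers(HttpMethod.DELETE, "/api/dictionaries/**").hasAuthority(DICTIONARY_EDITOR.name())
            // search resource
            .requestMatchers(HttpMethod.POST, "/api/search").hasAuthority(GLOBAL_SEARCH.name())
            .requestMatchers(HttpMethod.GET, "/api/search/experiments").hasAnyAuthority(EXPERIMENT_READERS)
            // spring boot management endpoints
            // https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html
            // Health and info are liveness/version probes and may stay public.
            // permitAll() (rather than anonymous()) also lets signed-in users
            // hit them; anonymous() rejects authenticated principals.
            .requestMatchers("/health/**").permitAll()
            .requestMatchers("/info/**").permitAll()
            // Remote shutdown over HTTP is never exposed through this chain.
            .requestMatchers("/shutdown/**").denyAll()
            // The remaining endpoints expose configuration, environment
            // properties, thread dumps, bean graphs, request mappings and
            // request traces; they must not be reachable unauthenticated.
            // NOTE(review): no operator/admin authority is declared in this
            // file. Bind these to one (or disable the endpoints via
            // management.* properties) rather than leaving them at
            // authenticated(), which still exposes them to every user.
            .requestMatchers("/trace/**").authenticated()
            .requestMatchers("/dump/**").authenticated()
            .requestMatchers("/beans/**").authenticated()
            .requestMatchers("/configprops/**").authenticated()
            .requestMatchers("/autoconfig/**").authenticated()
            .requestMatchers("/env/**").authenticated()
            .requestMatchers("/mappings/**").authenticated()
            // NOTE(review): these are the Spring Boot 1.x root-level paths. If
            // the actuator is served under a different base path, these
            // patterns match nothing and the management endpoints fall through
            // to no rule at all — confirm against the management.* config.
            // others
            .requestMatchers("/api/bingodb/**").authenticated()
            .requestMatchers("/api/calculations/**").authenticated()
            .requestMatchers("/api/renderer/**").authenticated()
            // Specific POST rule first, then the catch-all for the resource.
            .requestMatchers(HttpMethod.POST, "/api/signature/document").hasAnyAuthority(EXPERIMENT_CREATORS)
            .requestMatchers("/api/signature/**").authenticated()
            .requestMatchers("/api/user_reagents/**").authenticated()
            .requestMatchers("/protected/**").authenticated()
            // restrictions for swagger
            // NOTE(review): only the Swagger 2 paths are covered; if the
            // deployed API-docs library serves other paths they are not gated.
            .requestMatchers("/swagger-ui.html").authenticated()
            .requestMatchers("/v2/api-docs").authenticated()
            .requestMatchers("/websocket/**").authenticated()
            // print
            .requestMatchers(HttpMethod.GET, "/api/print/project/*").hasAnyAuthority(PROJECT_READERS)
            .requestMatchers(HttpMethod.GET, "/api/print/project/*/notebook/*")
                .hasAnyAuthority(NOTEBOOK_READERS)
            .requestMatchers(HttpMethod.GET, "/api/print/project/*/notebook/*/experiment/*")
                .hasAnyAuthority(EXPERIMENT_READERS)
            // Deny-by-default for the rest of the API. With the legacy
            // authorizeRequests() configurer a request that matches none of the
            // rules above is passed through unchallenged, so every /api/** path
            // or HTTP method without an explicit rule (e.g. anything but GET on
            // /api/accounts/**) was open to unauthenticated callers. This must
            // stay the last /api rule so it does not shadow the specific ones.
            // /api/authentication and /api/logout remain public through the
            // permitAll() calls on formLogin() and logout() above.
            .requestMatchers("/api/**").authenticated();
    return http.build();
}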