From c0b0c06b256301355aab87e4c67d57222a6a7899 Mon Sep 17 00:00:00 2001
From: Andrey
Date: Wed, 12 Apr 2023 12:55:45 +0300
Subject: [PATCH] fix: allow access to endpoints using role hierarchy
---
 .../security/SecurityConfiguration.java | 15 +++++++++++----
 src/main/java/ua/kishkastrybaie/user/Role.java | 6 +++++-
 src/main/java/ua/kishkastrybaie/user/User.java | 2 +-
 3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/main/java/ua/kishkastrybaie/security/SecurityConfiguration.java b/src/main/java/ua/kishkastrybaie/security/SecurityConfiguration.java
index 4cca03b..40bc035 100644
--- a/src/main/java/ua/kishkastrybaie/security/SecurityConfiguration.java
+++ b/src/main/java/ua/kishkastrybaie/security/SecurityConfiguration.java
@@ -19,6 +19,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -33,6 +34,7 @@
 import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -65,6 +67,10 @@ public PasswordEncoder passwordEncoder() {
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
+ AuthorityAuthorizationManager hasRoleUser =
+ AuthorityAuthorizationManager.hasRole(Role.USER.name());
+ hasRoleUser.setRoleHierarchy(roleHierarchy());
+
 return httpSecurity
 .csrf(AbstractHttpConfigurer::disable)
 .cors(Customizer.withDefaults())
@@ -75,7 +81,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws
 .requestMatchers(GET, PUBLIC_GET_ENDPOINTS)
 .permitAll()
 .requestMatchers(USER_ENDPOINTS)
- .hasRole(Role.USER.name())
+ .access(hasRoleUser)
 .anyRequest()
 .hasRole(Role.ADMIN.name()))
 .sessionManagement(
@@ -88,9 +94,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws
 @Bean
 RoleHierarchy roleHierarchy() {
 Map> roleHierarchyMap = new HashMap<>();
- roleHierarchyMap.put(Role.ADMIN.name(), List.of(Role.USER.name()));
+ roleHierarchyMap.put(Role.ADMIN.withPrefix(), List.of(Role.USER.withPrefix()));
 RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
 roleHierarchy.setHierarchy(RoleHierarchyUtils.roleHierarchyFromMap(roleHierarchyMap));
+
 return roleHierarchy;
 }
@@ -107,7 +114,6 @@ CorsConfigurationSource corsConfigurationSource() {
 return source;
 }
-
 @Bean
 @Primary
 JwtEncoder jwtAccessTokenEncoder() {
@@ -135,7 +141,8 @@ JwtDecoder jwtRefreshTokenDecoder() {
 @Bean
 @Qualifier("refreshToken")
 JwtAuthenticationProvider jwtAuthenticationProvider() {
- JwtAuthenticationProvider jwtAuthenticationProvider = new JwtAuthenticationProvider(jwtRefreshTokenDecoder());
+ JwtAuthenticationProvider jwtAuthenticationProvider =
+ new JwtAuthenticationProvider(jwtRefreshTokenDecoder());
 jwtAuthenticationProvider.setJwtAuthenticationConverter(jwtToUserConverter);
 return jwtAuthenticationProvider;
 }
diff --git a/src/main/java/ua/kishkastrybaie/user/Role.java b/src/main/java/ua/kishkastrybaie/user/Role.java
index f58da7e..da2569d 100644
--- a/src/main/java/ua/kishkastrybaie/user/Role.java
+++ b/src/main/java/ua/kishkastrybaie/user/Role.java
@@ -2,5 +2,9 @@
 public enum Role {
 USER,
- ADMIN
+ ADMIN;
+
+ public String withPrefix() {
+ return "ROLE_" + name().toUpperCase();
+ }
 }
diff --git a/src/main/java/ua/kishkastrybaie/user/User.java b/src/main/java/ua/kishkastrybaie/user/User.java
index 35ea4f9..408050b 100644
--- a/src/main/java/ua/kishkastrybaie/user/User.java
+++ b/src/main/java/ua/kishkastrybaie/user/User.java
@@ -54,7 +54,7 @@ public void setEmail(String email) {
 @Override
 public Collection getAuthorities() {
- return List.of(new SimpleGrantedAuthority("ROLE_" + role.name()));
+ return List.of(new SimpleGrantedAuthority(role.withPrefix()));
 }
 @Override
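Review bot: The hierarchy-aware manager is wired into a single rule — `hasRoleUser` guards only `USER_ENDPOINTS`, while `.anyRequest().hasRole(Role.ADMIN.name())` in the following hunk (@@ -75) keeps the plain, hierarchy-unaware check, so any further `.hasRole(...)` rule added later will silently ignore the hierarchy. Moving the three new lines into a small helper that takes a `Role` and using it for every rule keeps the check uniform: `.access(hasRoleUser)` becomes `.access(hasRoleInHierarchy(Role.USER))` and the admin rule `.access(hasRoleInHierarchy(Role.ADMIN))`. Calling `roleHierarchy()` directly relies on this being a proxied `@Configuration` class to obtain the singleton bean; injecting `RoleHierarchy` as a parameter of `securityFilterChain` would make that explicit. The type argument on `AuthorityAuthorizationManager` appears to have been stripped from this copy of the patch; with the added import it should read `AuthorityAuthorizationManager<RequestAuthorizationContext>`. Newer Spring Security releases apply a `RoleHierarchy` bean to the DSL's `hasRole` automatically, so it is worth checking the version in use before keeping the manual wiring.
```java
  // … unchanged: securityFilterChain, now using .access(hasRoleInHierarchy(Role.USER)) …

  /** hasRole(role) that also consults the RoleHierarchy bean, so ADMIN satisfies USER rules. */
  private AuthorityAuthorizationManager<RequestAuthorizationContext> hasRoleInHierarchy(Role role) {
    AuthorityAuthorizationManager<RequestAuthorizationContext> manager =
        AuthorityAuthorizationManager.hasRole(role.name());
    manager.setRoleHierarchy(roleHierarchy());
    return manager;
  }
```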
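Review bot: `roleHierarchy()` carries no comment explaining why the map entries switched from `Role.ADMIN.name()` to `Role.ADMIN.withPrefix()`, and that switch is the actual bug fix: `RoleHierarchyImpl` matches the exact authority strings that `User.getAuthorities()` emits, so the bare `ADMIN`/`USER` entries never matched `ROLE_ADMIN`/`ROLE_USER` and the hierarchy was a no-op. A one-line comment above the `put` would stop the next maintainer from "simplifying" it back: `// Keys and values must be the prefixed authority strings (ROLE_ADMIN > ROLE_USER) that User.getAuthorities() emits; bare enum names never match.` A short Javadoc on the bean stating the single rule it encodes — ADMIN implies every USER permission — would also document the authorization intent in one place.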
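Review bot: `name().toUpperCase()` in `withPrefix()` is redundant and locale-dependent: the enum constants `USER` and `ADMIN` are already upper case, and default-locale `toUpperCase()` can mangle a future constant containing `i` under a Turkish locale, yielding an authority string Spring Security would never match. `return "ROLE_" + name();` is sufficient; if a case transform is ever needed, use `toUpperCase(Locale.ROOT)`. The `"ROLE_"` literal must stay aligned with the default prefix that `AuthorityAuthorizationManager.hasRole` prepends on the other side of the check, so a Javadoc line such as `/** Authority string for this role with Spring Security's default {@code ROLE_} prefix, as expected by hasRole(). */` ties the two together.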