próby skonfigurania security

ebb9e9cc · Patryk Czarnik · 6b7c45f0 · ebb9e9cc · ebb9e9cc · ebb9e9cc
Commit ebb9e9cc authored Apr 26, 2023 by Patryk Czarnik
3 changed files
--- a/PC30-SklepSpring/src/main/java/sklep/security/SecurityConfig.java
+++ b/PC30-SklepSpring/src/main/java/sklep/security/SecurityConfig.java
@@ -3,17 +3,29 @@ package sklep.security;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;

 @Configuration
+@EnableWebSecurity
 public class SecurityConfig {
 	@Bean
 	SecurityFilterChain setHttpSecurity(HttpSecurity httpSecurity) throws Exception {
-		httpSecurity.authorizeHttpRequests()
-			.anyRequest().permitAll()
-		.and()
-			.csrf().disable()
-		;
+		httpSecurity
+			.authorizeHttpRequests((authz) -> authz
+					.anyRequest().permitAll()
+//					.requestMatchers("/").permitAll()
+//					.requestMatchers("/whoami").permitAll()
+//					.requestMatchers("/*.css").permitAll()
+//					.requestMatchers("/hello", "/time").permitAll()
+//					.requestMatchers("/alt?/**").authenticated() // zalogowany jako ktokolwiek
+//					.requestMatchers("/products/new", "/products/*/edit").hasAuthority("ROLE_manager")
+//					.requestMatchers("/products/**").permitAll()
+//					.requestMatchers("/customers/new", "/customers/*/edit").hasAuthority("ROLE_manager")
+//					.requestMatchers("/customers/**").authenticated()
+//					.anyRequest().denyAll()
+				)
+			.formLogin();
 		return httpSecurity.build();
 	}
 	

--- a/PC30-SklepSpring/src/main/java/sklep/security/stary_config.txt
+++ b/PC30-SklepSpring/src/main/java/sklep/security/stary_config.txt
+package com.example.demo.security;
+
+import javax.sql.DataSource;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class SecurityConfig2 extends WebSecurityConfigurerAdapter {
+	@Autowired
+	private DataSource dataSource;
+
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+		http.authorizeHttpRequests()
+			.antMatchers("/products/new", "/products/*/edit").hasAuthority("ROLE_manager") // tylko manager może edytować
+	        .antMatchers("/customers/new", "/customers/*/edit").hasAuthority("ROLE_manager")
+	        .antMatchers("/products/find").authenticated() // zalogowany jako ktokolwiek może wyszukiwać
+	        .antMatchers("/", "/whoami", "/products/**", "/customers/**", "/*.css").permitAll() // dostęp dla wszystkich
+	        .antMatchers("/products?", "/products?/**").permitAll() // inne wersje listy produktów
+	        .antMatchers("/rest/**").permitAll()
+	        // .antMatchers("/login").anonymous() // nie może być zalogowany! - ale to przestało działać...
+	        .antMatchers("/login").permitAll()
+	        .antMatchers("/logout").authenticated() // zalogowany jako ktokolwiek
+	        .anyRequest().denyAll() // pozostałe adresy blokujemy
+		.and()
+			.formLogin()
+		.and()
+			.csrf().disable();
+	}
+	
+	@Override
+	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+		PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
+		
+		auth.jdbcAuthentication()
+			.dataSource(dataSource)
+			.passwordEncoder(passwordEncoder)
+			.usersByUsernameQuery("SELECT username, password, enabled FROM spring_accounts WHERE username = ?")
+			.authoritiesByUsernameQuery("SELECT username, role FROM spring_account_roles WHERE username = ?");
+
+// wersja inMemory:	
+//		auth.inMemoryAuthentication()
+//			.withUser("ala").password("{noop}abc123").roles("manager", "sprzedawca")
+//		.and()
+//			.withUser("ola").password("{noop}abc123").roles("sprzedawca")
+//		.and()
+//			.withUser("ula").password("{noop}abc123").roles();
+	}
+	
+	
+}
--- a/PC30-SklepSpring/src/main/webapp/WEB-INF/templates/whoami.jsp
+++ b/PC30-SklepSpring/src/main/webapp/WEB-INF/templates/whoami.jsp
 <%@page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
-<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@taglib prefix="c" uri="jakarta.tags.core" %>
 <!DOCTYPE html>
 <html>
 <head>