
renforcement sécurité Backend

Merged Fatima Ezzahra Majidi requested to merge master into main
1 file
+ 30
12
@@ -2,6 +2,7 @@ package com.example.gestionstagesbackend.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -42,19 +43,36 @@ public class SecurityConfig {
.requestMatchers("/**").permitAll()
// Role-based access
.requestMatchers("/api/students").hasAuthority("ROLE_ETUDIANT")
.requestMatchers("/api/students/**").hasAuthority("ROLE_ETUDIANT")
.requestMatchers("/api/stages").hasAuthority("ROLE_ETUDIANT")
.requestMatchers("/api/stages/**").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers("/api/students").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers("/api/students/**").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers("/api/stages").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers("/api/stages/**").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers("/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers("/api/enterprises/update").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers("/api/enterprises/delete").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers("/**").hasAuthority("ROLE_ADMIN")
// 👨‍🎓 STUDENTS (ETUDIANTS) - Can ONLY View Students & Stages
.requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_ETUDIANT")
.requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_ETUDIANT")
// ENTERPRISES - Can CRUD Stages but NOT Students
.requestMatchers(HttpMethod.POST, "/api/stages/add").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers(HttpMethod.PUT, "/api/stages/update/**").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers(HttpMethod.DELETE, "/api/stages/delete/**").hasAuthority("ROLE_ENTREPRISE")
// SUPERVISEURS - Can CRUD Students & View Stages
.requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers(HttpMethod.POST, "/api/students/add").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers(HttpMethod.PUT, "/api/students/update/**").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers(HttpMethod.DELETE, "/api/students/delete/**").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_SUPERVISEUR")
// ENTERPRISES - Can CRUD their own Enterprise details
.requestMatchers(HttpMethod.POST, "/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers(HttpMethod.PUT, "/api/enterprises/update/**").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers(HttpMethod.DELETE, "/api/enterprises/delete/**").hasAuthority("ROLE_ENTREPRISE")
// CANDIDATURES - Students Can Apply, Supervisors & Admins Can View & Manage
.requestMatchers(HttpMethod.POST, "/api/candidacies/add").hasAuthority("ROLE_ETUDIANT") // Students apply
.requestMatchers(HttpMethod.GET, "/api/candidacies").hasAnyAuthority("ROLE_ADMIN", "ROLE_SUPERVISEUR") // Admin & Supervisor can view
.requestMatchers(HttpMethod.PUT, "/api/candidacies/update/**").hasAuthority("ROLE_ADMIN") // Only Admins can update candidacies
.requestMatchers(HttpMethod.DELETE, "/api/candidacies/delete/**").hasAuthority("ROLE_ADMIN") // Only Admins can delete candidacies
// ADMIN ACCESS - Has Full Control Over Everything
.requestMatchers("/api/admin/**").hasAuthority("ROLE_ADMIN")
.requestMatchers("/**").hasAuthority("ROLE_ADMIN")
// Any other request requires authentication
.anyRequest().authenticated()
)
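Review bot: Spring Security evaluates `requestMatchers` rules in declaration order with first-match-wins, so the supervisor rules for `GET /api/students` and `GET /api/stages` near the end of the block are unreachable — a ROLE_SUPERVISEUR request hits the earlier ROLE_ETUDIANT-only rules first and is rejected with 403, contrary to the "Can CRUD Students & View Stages" comment; merge each pair into one rule, e.g. `.requestMatchers(HttpMethod.GET, "/api/students").hasAnyAuthority("ROLE_ETUDIANT", "ROLE_SUPERVISEUR")` and `.requestMatchers(HttpMethod.GET, "/api/stages").hasAnyAuthority("ROLE_ETUDIANT", "ROLE_SUPERVISEUR")`, and drop the two later duplicates. For the same reason, if `.requestMatchers("/**").permitAll()` on the first line of the hunk survives on the new side (the add/remove markers are lost in this rendering), it matches every request before any role rule is reached and the whole hardening is a no-op — it must be removed or narrowed to the specific public endpoints it is meant to expose. The "ADMIN ACCESS - Has Full Control Over Everything" comment does not describe what the rules implement: ROLE_ADMIN only wins on paths no earlier rule matched, so an admin gets 403 on `POST /api/stages/add` or `POST /api/students/add` unless ROLE_ADMIN is added to each rule via `hasAnyAuthority` or a `RoleHierarchy` bean is configured. The `/**` → ROLE_ADMIN rule also makes the following `.anyRequest().authenticated()` dead code, which is worth a comment or removal so readers do not assume it is the fallback. The role checks on `/api/enterprises/update/**` and `/api/stages/delete/**` only verify the role, not that the caller owns the enterprise or stage referenced by the path, so the "their own Enterprise details" guarantee has to be enforced in the service/controller layer, which is not visible here; the enclosing method starts and ends outside this hunk.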