Master

Merged Fatima Ezzahra Majidi requested to merge master into main
12 files
+ 324
52
package com.example.gestionstagesbackend.Config;
package com.example.gestionstagesbackend.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true) // Enables @PreAuthorize
public class SecurityConfig {
@Bean
@@ -31,17 +32,49 @@ public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.cors(cors -> cors.configurationSource(corsConfigurationSource())) // Enable CORS
.csrf(csrf -> csrf.disable()) // Disable CSRF for APIs
.authorizeHttpRequests(auth -> auth
.requestMatchers("/api/auth/**").permitAll() // Public routes
.requestMatchers("/api/students/**").hasAnyRole("SUPERVISEUR", "ADMIN")
.requestMatchers("/api/stages/**").hasAnyRole("ENTREPRISE", "ADMIN")
.requestMatchers("/api/enterprises/**").hasRole("ADMIN")
.requestMatchers("/api/candidacies/**").hasAnyRole("ETUDIANT", "ADMIN")
// Allow everyone to access login, register, and logout
.requestMatchers("/api/auth/login", "/api/auth/logout", "/api/auth/register").permitAll()
// Allow OPTIONS requests for CORS preflight
.requestMatchers("/**").permitAll()
// Role-based access
.requestMatchers("/api/students").hasAuthority("ROLE_ETUDIANT")
.requestMatchers("/api/students/**").hasAuthority("ROLE_ETUDIANT")
.requestMatchers("/api/stages").hasAuthority("ROLE_ETUDIANT")
.requestMatchers("/api/stages/**").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers("/api/students").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers("/api/students/**").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers("/api/stages").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers("/api/stages/**").hasAuthority("ROLE_SUPERVISEUR")
.requestMatchers("/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers("/api/enterprises/update").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers("/api/enterprises/delete").hasAuthority("ROLE_ENTREPRISE")
.requestMatchers("/**").hasAuthority("ROLE_ADMIN")
// Any other request requires authentication
.anyRequest().authenticated()
)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
.formLogin()
.and()
.httpBasic();
return http.build();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Collections.singletonList("http://localhost:3000")); // Frontend URL
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // Allow these HTTP methods
configuration.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type")); // Allow these headers
configuration.setAllowCredentials(true); // Allow cookies/auth headers
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
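Review bot: `.requestMatchers("/**").permitAll()` (the line under the `// Allow OPTIONS requests for CORS preflight` comment) matches every request for every HTTP method, and Spring Security evaluates `authorizeHttpRequests` rules in declaration order with the first match winning, so every rule after it — the `ROLE_*` matchers, the catch-all `/**` → `ROLE_ADMIN`, and `anyRequest().authenticated()` — is dead and the whole API is reachable without authentication. Restrict it to preflight only, `.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()` with `import org.springframework.http.HttpMethod;`, keep it and the `/api/auth/...` permitAll ahead of the role rules, and leave the `/**` → `ROLE_ADMIN` rule last. The page shows no +/- markers; if the earlier `hasAnyRole` lines for `/api/students/**` and `/api/stages/**` are still on the new side they likewise shadow the later `hasAuthority` rules for the same paths, and the doubled `.csrf(csrf -> csrf.disable())` should be reduced to one. The `sessionManagement(... STATELESS)` line ends with `;` and cannot precede `.formLogin()`, so it appears to be removed; with `formLogin()`/`httpBasic()` creating cookie-backed sessions, the `// Disable CSRF for APIs` justification no longer holds, and CSRF protection should be re-enabled (or the stateless policy restored) if the frontend authenticates with a session cookie.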