require auth for everything

seems popular these days
2025-10-28 18:37:47 +01:00 · 2023-12-30 14:24:24 +01:00
parent d83bed9edd
commit 3165137475
5 changed files with 15 additions and 37 deletions
--- a/server/src/main/java/com/usatiuk/tjv/y/server/security/User.java
+++ b/server/src/main/java/com/usatiuk/tjv/y/server/security/User.java
@@ -1,13 +0,0 @@
 package com.usatiuk.tjv.y.server.security;
 import org.springframework.security.core.GrantedAuthority;
 import java.util.Collection;
 public class User extends org.springframework.security.core.userdetails.User {
    public User(String uuid, String hash,
                Collection<? extends GrantedAuthority> authorities) {
        super(uuid, hash, authorities);
    }
 }
--- a/server/src/main/java/com/usatiuk/tjv/y/server/security/UserDetailsService.java
+++ b/server/src/main/java/com/usatiuk/tjv/y/server/security/UserDetailsService.java
@@ -3,6 +3,7 @@ package com.usatiuk.tjv.y.server.security;
 import com.usatiuk.tjv.y.server.entity.Person;
 import com.usatiuk.tjv.y.server.repository.PersonRepository;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
--- a/server/src/main/java/com/usatiuk/tjv/y/server/security/WebSecurityConfig.java
+++ b/server/src/main/java/com/usatiuk/tjv/y/server/security/WebSecurityConfig.java
@@ -1,14 +1,11 @@
 package com.usatiuk.tjv.y.server.security;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.usatiuk.tjv.y.server.dto.ErrorTo;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -24,10 +21,9 @@ import org.springframework.stereotype.Component;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.servlet.HandlerExceptionResolver;
 import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.util.List;
@Configuration
@@ -42,17 +38,16 @@ public class WebSecurityConfig {
    @Component
    class ErrorAuthenticationEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
                throws IOException {
-            var err = new ErrorTo(List.of("Authentication failed"), HttpStatus.UNAUTHORIZED.value());
+        private final HandlerExceptionResolver resolver;
-            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+
-            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        ErrorAuthenticationEntryPoint(@Qualifier("handlerExceptionResolver") HandlerExceptionResolver resolver) {
-            OutputStream responseStream = response.getOutputStream();
+            this.resolver = resolver;
-            ObjectMapper mapper = new ObjectMapper();
+        }
-            mapper.writeValue(responseStream, err);
+
-            responseStream.flush();
+        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) {
            resolver.resolveException(request, response, null, authException);
        }
    }
@@ -62,12 +57,7 @@ public class WebSecurityConfig {
        return http.cors(Customizer.withDefaults())
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests((authorize) -> authorize
                        .requestMatchers(mvc.pattern(HttpMethod.GET, "/post/**")).permitAll()
                        .requestMatchers(mvc.pattern(HttpMethod.GET, "/post*")).permitAll()
                        .requestMatchers(mvc.pattern(HttpMethod.POST, "/person")).permitAll()
                        .requestMatchers(mvc.pattern(HttpMethod.GET, "/person")).permitAll()
                        .requestMatchers(mvc.pattern(HttpMethod.GET, "/person/by-username/*")).permitAll()
                        .requestMatchers(mvc.pattern(HttpMethod.GET, "/person/by-uuid/*")).permitAll()
                        .requestMatchers(mvc.pattern(HttpMethod.POST, "/token")).permitAll()
                        .requestMatchers(mvc.pattern("/error")).permitAll()
                        .anyRequest().hasAuthority(UserRoles.ROLE_USER.name()))
--- a/server/src/test/java/com/usatiuk/tjv/y/server/controller/PersonControllerTest.java
+++ b/server/src/test/java/com/usatiuk/tjv/y/server/controller/PersonControllerTest.java
@@ -41,7 +41,7 @@ public class PersonControllerTest extends DemoDataDbTest {
    @Test
    void shouldGet() {
        var response = restTemplate.exchange(addr + "/person/by-username/" + person1.getUsername(),
-                HttpMethod.GET, HttpEntity.EMPTY, PersonTo.class);
+                HttpMethod.GET, new HttpEntity<>(createAuthHeaders(person1Auth)), PersonTo.class);
        Assertions.assertNotNull(response);
        Assertions.assertEquals(HttpStatus.OK, response.getStatusCode());
--- a/server/src/test/java/com/usatiuk/tjv/y/server/controller/PostControllerTest.java
+++ b/server/src/test/java/com/usatiuk/tjv/y/server/controller/PostControllerTest.java
@@ -51,7 +51,7 @@ public class PostControllerTest extends DemoDataDbTest {
    @Test
    void shouldGetPost() {
        var response = restTemplate.exchange(addr + "/post/" + post1.getId(), HttpMethod.GET,
-                HttpEntity.EMPTY, PostTo.class);
+                new HttpEntity<>(createAuthHeaders(person1Auth)), PostTo.class);
        Assertions.assertEquals(HttpStatus.OK, response.getStatusCode());
        var parsedResponse = response.getBody();
@@ -64,7 +64,7 @@ public class PostControllerTest extends DemoDataDbTest {
    @Test
    void shouldGetByAuthor() {
        var response = restTemplate.exchange(addr + "/post/by-author-uuid/" + person1.getUuid(), HttpMethod.GET,
-                HttpEntity.EMPTY, PostTo[].class);
+                new HttpEntity<>(createAuthHeaders(person1Auth)), PostTo[].class);
        Assertions.assertEquals(HttpStatus.OK, response.getStatusCode());
        var parsedResponse = response.getBody();