add roles

Author: rasmushy

src/main/java/com/apina/api/config/JwtAuthenticationFilter.java

@@ -7,6 +7,7 @@
 import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.lang.NonNull;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -27,6 +28,17 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
     private final JwtService jwtService;
     private final UserDetailsService userDetailsService;
 
+    private static final Logger Logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
+
+    @Value("${security.jwt.uri}")
+    private String uri;
+
+    @Value("${security.jwt.header}")
+    private String authorizationHeader;
+
+    @Value("${security.jwt.prefix}")
+    private String prefix;
+
     public JwtAuthenticationFilter(@Lazy JwtService jwtService, @Lazy UserDetailsService userDetailsService, @Lazy HandlerExceptionResolver handlerExceptionResolver) {
         this.handlerExceptionResolver = handlerExceptionResolver;
         this.jwtService = jwtService;
@@ -35,9 +47,20 @@ public JwtAuthenticationFilter(@Lazy JwtService jwtService, @Lazy UserDetailsSer
 
     @Override
     protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull FilterChain filterChain) throws ServletException, IOException {
-        final String authHeader = request.getHeader("Authorization");
-        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
-            filterChain.doFilter(request, response);
+        final String authHeader = request.getHeader(authorizationHeader);
+        final String corsHeader = request.getHeader("Access-Control-Request-Method");
+        Logger.info("Request: {}, Method {}, AuthHeader: {}", request.getRequestURI(), request.getMethod(), authHeader);
+        if (corsHeader != null && "OPTIONS".equals(request.getMethod())) {
+            Logger.info("CORS request detected for options. Setting status to 200.");
+            response.setStatus(HttpServletResponse.SC_OK);
+            return;
+        }
+        if (authHeader == null || !authHeader.startsWith(prefix + " ")) {
+            if (request.getMethod().equals("GET") || request.getRequestURI().contains(uri)) {
+                filterChain.doFilter(request, response);
+                return;
+            }
+            handlerExceptionResolver.resolveException(request, response, null, new Exception("Missing or invalid Authorization header"));
             return;
         }
         try {

src/main/java/com/apina/api/config/SecurityConfig.java

@@ -12,40 +12,60 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
 // SecurityConfig.java
 @Configuration
 @EnableWebSecurity
+@EnableWebMvc
 public class SecurityConfig implements WebMvcConfigurer {
 
     private final AuthenticationProvider authenticationProvider;
     private final JwtAuthenticationFilter jwtAuthenticationFilter;
 
-    private static final String ADMIN = "ADMIN";
-    private static final String API_GYM = "/api/gym/**";
-    private static final String API_GYMS = "/api/gyms/**";
-    private static final String API_USER = "/api/user/**";
+    @Value("${app.roles.admin}")
+    private String ADMIN;
+
+    @Value("${app.roles.user}")
+    private String USER;
 
     @Value("${app.cors.allowed-origins}")
     private String allowedOrigin;
 
+    @Value("${app.cors.allowed-headers}")
+    private String allowedHeaders;
+
+    @Value("${app.cors.allowed-methods}")
+    private String allowedMethods;
+
+    private static final String API_GYM = "/api/gym/**";
+    private static final String API_GYMS = "/api/gyms/**";
+    private static final String API_USER = "/api/user/**";
+    private static final String API_AUTH = "/api/auth/**";
+    private static final String SWAGGER_UI_HTML = "/swagger-ui.html";
+    private static final String[] SWAGGER_UI = {"/", "/swagger-ui/**", "/v3/api-docs/**", SWAGGER_UI_HTML, "/webjars/**", "/swagger-resources/**"};
+
     public SecurityConfig(AuthenticationProvider authenticationProvider, JwtAuthenticationFilter jwtAuthenticationFilter) {
         this.authenticationProvider = authenticationProvider;
         this.jwtAuthenticationFilter = jwtAuthenticationFilter;
     }
 
-
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.csrf(AbstractHttpConfigurer::disable)
                 .authorizeHttpRequests(auth -> auth
-                        .requestMatchers("/api/auth/**","/", "/swagger-ui/**", "/v3/api-docs/**", "/swagger-ui.html", "/webjars/**", "/swagger-resources/**").permitAll()
+                        .requestMatchers(SWAGGER_UI).permitAll()
+                        .requestMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
+                        .requestMatchers(HttpMethod.GET, API_GYM, API_GYMS, API_USER).permitAll()
+                        .requestMatchers(HttpMethod.POST, API_AUTH).permitAll()
+                        .requestMatchers(HttpMethod.POST, API_GYM).hasAnyRole(ADMIN, USER)
+                        .requestMatchers(HttpMethod.PUT, API_USER).hasAnyRole(ADMIN, USER)
+                        .requestMatchers(HttpMethod.POST, API_GYMS).hasRole(ADMIN)
+                        .requestMatchers(HttpMethod.PUT, API_GYMS, API_GYM).hasRole(ADMIN)
                         .requestMatchers(HttpMethod.DELETE, API_GYMS, API_GYM, API_USER).hasRole(ADMIN)
-                        .requestMatchers(HttpMethod.POST, API_GYMS, API_GYM).hasRole(ADMIN)
-                        .requestMatchers(HttpMethod.PUT, API_GYMS, API_GYM, API_USER).hasRole(ADMIN)
-                        .requestMatchers(HttpMethod.GET, API_GYMS, API_GYM, API_USER).permitAll()
-                        .anyRequest()
-                        .authenticated())
+                        .anyRequest().fullyAuthenticated())
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .authenticationProvider(authenticationProvider)
                 .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
@@ -56,9 +76,18 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     public void addCorsMappings(CorsRegistry registry) {
         registry.addMapping("/api/**")
                 .allowedOriginPatterns(allowedOrigin)
-                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
-                .allowedHeaders("*")
+                .allowedMethods(allowedMethods)
+                .allowedHeaders(allowedHeaders)
                 .allowCredentials(true);
     }
+
+    @Override
+    public void addViewControllers(ViewControllerRegistry registry) {
+        registry.addRedirectViewController("/", SWAGGER_UI_HTML);
+        registry.addRedirectViewController("/swagger", SWAGGER_UI_HTML);
+        registry.addRedirectViewController("/swagger-ui", SWAGGER_UI_HTML);
+        registry.addRedirectViewController("/swagger-ui/", SWAGGER_UI_HTML);
+    }
+
 }
 

src/main/java/com/apina/api/controllers/GymController.java

@@ -14,6 +14,7 @@
 import java.util.List;
 
 import static com.apina.api.util.ControllerUtils.isAdmin;
+import static com.apina.api.util.ControllerUtils.isUser;
 @RestController
 @RequestMapping("/api")
 public class GymController {
@@ -29,7 +30,7 @@ public GymController(GymService gymService) {
     public GymDTO postGym(@RequestBody GymDTO gymDTO) {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
         LOGGER.info("postGym: {}", authentication);
-        if (isAdmin(authentication)) {
+        if (isAdmin(authentication) || isUser(authentication)) {
             return gymService.save(gymDTO);
         }
         return null;

src/main/java/com/apina/api/controllers/UserController.java

@@ -14,6 +14,7 @@
 import java.util.List;
 
 import static com.apina.api.util.ControllerUtils.isAdmin;
+import static com.apina.api.util.ControllerUtils.isCurrentUser;
 //UserController.java
 @RestController
 @RequestMapping("/api/user")
@@ -94,7 +95,7 @@ public ResponseEntity<String> deleteAllUsers() {
     public ResponseEntity<UserDTO> updateUser(@PathVariable String username) {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
         LOGGER.info("updateUser: {}", authentication);
-        if (isAdmin(authentication)) {
+        if (isAdmin(authentication) || isCurrentUser(authentication, username)) {
             UserDTO user = userService.findByUsername(username).orElse(null);
             if (user != null) {
                 return ResponseEntity.ok(userService.update(user));

src/main/java/com/apina/api/util/ControllerUtils.java

@@ -8,4 +8,14 @@ public class ControllerUtils {
     public static boolean isAdmin(Authentication authentication) {
         return authentication.isAuthenticated() && authentication.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals(ROLE_ADMIN));
     }
+
+    public static boolean isCurrentUser(Authentication authentication, String username) {
+        return authentication.isAuthenticated() && authentication.getName().equals(username);
+    }
+
+    public static boolean isUser(Authentication authentication) {
+        return authentication.isAuthenticated() && authentication.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals("ROLE_USER"));
+    }
+
 }
+