From 2038ce70ce108d0fb692bd9164b80dbf9acd769f Mon Sep 17 00:00:00 2001 From: bhtibrewal Date: Mon, 19 Feb 2024 00:14:34 +0530 Subject: [PATCH 1/4] add spring security dependency and SecurityConfig --- skill-tree/pom.xml | 4 ++ .../RDS/skilltree/Config/SecurityConfig.java | 39 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java diff --git a/skill-tree/pom.xml b/skill-tree/pom.xml index b33f4826..3d5716bc 100644 --- a/skill-tree/pom.xml +++ b/skill-tree/pom.xml @@ -85,6 +85,10 @@ junit-jupiter test + + org.springframework.boot + spring-boot-starter-security + org.springframework.boot spring-boot-starter-actuator diff --git a/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java b/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java new file mode 100644 index 00000000..8041bf85 --- /dev/null +++ b/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java 
@@ -0,0 +1,39 @@
+package com.RDS.skilltree.Config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.Arrays;
+import java.util.List;
+
+@EnableWebSecurity
+@Configuration
+public class SecurityConfig {
+
+
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http
+ .cors(httpSecurityCorsConfigurer -> httpSecurityCorsConfigurer.configurationSource(corsConfigurationSource()));
+
+ return http.build();
+ }
+ @Bean
+ public CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration configuration = new CorsConfiguration();
+ configuration.setAllowedOriginPatterns(List.of("https://*.realdevsquad.com", "http://localhost:[*]"));
+ configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
+ configuration.setAllowedHeaders(Arrays.asList("Authorization", "Cache-Control", "Content-Type"));
+ configuration.setAllowCredentials(true);
+
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", configuration);
+ return source;
+ }
+}
From 1fa2492fdfe0edae10b1e6f11c59f38276fb72e3 Mon Sep 17 00:00:00 2001 From: bhtibrewal Date: Mon, 19 Feb 2024 03:53:49 +0530 Subject: [PATCH 2/4] disable csrf
---
.../main/java/com/RDS/skilltree/Config/SecurityConfig.java | 4 ++-- skill-tree/src/main/resources/application.properties | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
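Review bot: `filterChain` configures only CORS and never calls `authorizeHttpRequests`, so this chain adds no authorization rules of its own; unless a filter elsewhere in the project enforces authentication, every route, including the actuator endpoints that the pom already pulls in, is reachable without credentials. State the intent in the chain itself, for example `.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())` with named exceptions, or add a comment naming the component that does the enforcement. In `corsConfigurationSource()`, `http://localhost:[*]` together with `setAllowCredentials(true)` lets a page served from any port on a user's own machine send credentialed requests to the deployed API, and `https://*.realdevsquad.com` gives the same trust to every subdomain. Loading the origin patterns from a per-environment property would keep the localhost entry out of production.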
diff --git a/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java b/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java
index 8041bf85..c85d6cfd 100644
--- a/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java
+++ b/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java
@@ -4,6 +4,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
@@ -19,9 +20,8 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- http
+ http.csrf(AbstractHttpConfigurer::disable)
 .cors(httpSecurityCorsConfigurer -> httpSecurityCorsConfigurer.configurationSource(corsConfigurationSource()));
-
 return http.build();
 }
 @Bean
diff --git a/skill-tree/src/main/resources/application.properties b/skill-tree/src/main/resources/application.properties
index 693cd87d..8479b543 100644
--- a/skill-tree/src/main/resources/application.properties
+++ b/skill-tree/src/main/resources/application.properties
@@ -8,4 +8,4 @@ jwt.rds.public.key=${RDS_PUBLIC_KEY}
 API_V1_PREFIX=/api/v1
 spring.datasource.version=8.1.0
 management.endpoints.web.exposure.include=health,info,metrics
-
+logging.level.root=DEBUG
From a06fd59216b010ce76090349e6a0a419d97735a8 Mon Sep 17 00:00:00 2001
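Review bot: `http.csrf(AbstractHttpConfigurer::disable)` in `filterChain` turns off CSRF protection with no comment saying why that is safe, while `corsConfigurationSource()` in the same class sets `setAllowCredentials(true)`. Disabling CSRF is sound only when the credential is something the browser does not attach on its own, such as a bearer token in the `Authorization` header; if the JWT travels in a cookie (not visible in this diff), state-changing requests are no longer protected against cross-site forgery, and CORS does not replace that protection. Either record the reasoning next to the call, e.g. `// CSRF disabled: auth is a bearer token in the Authorization header, never a cookie`, or keep protection on with `.csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))`. The same line is removed in PATCH 3/4 and restored unchanged in PATCH 4/4 (`@@ -20,7 +20,7 @@`), so this applies to the final state of the series.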
From: bhtibrewal Date: Thu, 22 Feb 2024 21:46:32 +0530 Subject: [PATCH 3/4] address review comment
---
.../main/java/com/RDS/skilltree/Config/SecurityConfig.java | 6 +++--- skill-tree/src/main/resources/application.properties | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java b/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java
index c85d6cfd..47e915da 100644
--- a/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java
+++ b/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java
@@ -2,6 +2,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -17,10 +18,9 @@
 @Configuration
 public class SecurityConfig {
-
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- http.csrf(AbstractHttpConfigurer::disable)
+ http
 .cors(httpSecurityCorsConfigurer -> httpSecurityCorsConfigurer.configurationSource(corsConfigurationSource()));
 return http.build();
 }
@@ -28,7 +28,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 public CorsConfigurationSource corsConfigurationSource() {
 CorsConfiguration configuration = new CorsConfiguration();
 configuration.setAllowedOriginPatterns(List.of("https://*.realdevsquad.com", "http://localhost:[*]"));
- configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
+ configuration.setAllowedMethods(Arrays.asList(HttpMethod.HEAD.name(), HttpMethod.GET.name(), HttpMethod.POST.name(), HttpMethod.DELETE.name(), HttpMethod.PUT.name()));
 configuration.setAllowedHeaders(Arrays.asList("Authorization", "Cache-Control", "Content-Type"));
 configuration.setAllowCredentials(true);
diff --git a/skill-tree/src/main/resources/application.properties b/skill-tree/src/main/resources/application.properties
index 8479b543..e52bc361 100644
--- a/skill-tree/src/main/resources/application.properties
+++ b/skill-tree/src/main/resources/application.properties
@@ -8,4 +8,4 @@ jwt.rds.public.key=${RDS_PUBLIC_KEY}
 API_V1_PREFIX=/api/v1
 spring.datasource.version=8.1.0
 management.endpoints.web.exposure.include=health,info,metrics
-logging.level.root=DEBUG
+logging.level.root=ERROR
From 8aea2bb8f521243fcc505057b74cbbaaa47bc233 Mon Sep 17 00:00:00 2001 From: bhtibrewal Date: Thu, 22 Feb 2024 21:48:59 +0530 Subject: [PATCH 4/4] address review comment
---
.../src/main/java/com/RDS/skilltree/Config/SecurityConfig.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java b/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java
index 47e915da..f45b8f41 100644
--- a/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java
+++ b/skill-tree/src/main/java/com/RDS/skilltree/Config/SecurityConfig.java
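Review bot: The new `setAllowedMethods` line builds its list with `Arrays.asList` and five `HttpMethod.X.name()` calls on one long line, while the origin patterns directly above it use `List.of`. Using `List.of` here as well, with one method per line, keeps the CORS policy easy to audit; the same goes for `setAllowedHeaders` on the following line. If any controller is mapped with PATCH (not visible in this diff), its preflight will be refused under this list, so a short comment such as `// PATCH intentionally not allowed cross-origin` would make the omission explicit. `corsConfigurationSource()` continues past the end of this hunk.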
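Review bot: `logging.level.root=ERROR` suppresses every WARN and INFO message from all loggers, including any that the security filter chain or the application emit for rejected or failed requests, which leaves very little to work from when investigating an incident. A root level of `INFO` or `WARN`, with individual noisy packages turned down by their own `logging.level.<package>` entries, keeps that signal. DEBUG, which the previous patch had set for the root logger, is better confined to a local development profile than to the shared `application.properties`.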
@@ -20,7 +20,7 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- http
+ http.csrf(AbstractHttpConfigurer::disable)
 .cors(httpSecurityCorsConfigurer -> httpSecurityCorsConfigurer.configurationSource(corsConfigurationSource()));
 return http.build();
 }