package project.educatum.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter; @Configuration @EnableOAuth2Sso @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { private final PasswordEncoder passwordEncoder; private final CustomAuthenticationProvider customAuthenticationProvider; public SecurityConfig(PasswordEncoder passwordEncoder, CustomAuthenticationProvider customAuthenticationProvider) { this.passwordEncoder = passwordEncoder; this.customAuthenticationProvider = customAuthenticationProvider; } @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/h2**"); web.ignoring().antMatchers("/**"); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .authorizeRequests() .antMatchers("/", "/home", "/assets/**", "/register", "/login").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") .anyRequest() .authenticated() .and() .formLogin() .loginPage("/login").permitAll() .failureUrl("/login?error=BadCredentials") .defaultSuccessUrl("/home", true) .and() .logout() .logoutUrl("/logout") .clearAuthentication(true) .invalidateHttpSession(true) .deleteCookies("JSESSIONID") .logoutSuccessUrl("/login"); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(customAuthenticationProvider); } }