Example 1 with RequestTypeMatchers

Use of alfio.config.authentication.support.RequestTypeMatchers in the project alf.io by alfio-event, in the configure method of the class APITokenAuthWebSecurity.

// https://stackoverflow.com/a/48448901
@Override
protected void configure(HttpSecurity http) throws Exception {
    APIKeyAuthFilter filter = new APIKeyAuthFilter();
    filter.setAuthenticationManager(authentication -> {
        // The filter passes the raw API key as the principal of the unauthenticated token
        String apiKey = (String) authentication.getPrincipal();
        // Look up the user record backing this API key; an unknown key is a bad credential
        User user = userRepository.findByUsername(apiKey)
            .orElseThrow(() -> new BadCredentialsException("Api key " + apiKey + " don't exists"));
        if (!user.isEnabled()) {
            throw new DisabledException("Api key " + apiKey + " is disabled");
        }
        // Only accounts of type API_KEY may authenticate through this filter
        if (User.Type.API_KEY != user.getType()) {
            throw new WrongAccountTypeException("Wrong account type for username " + apiKey);
        }
        // Reject keys whose validity window has expired
        if (!user.isCurrentlyValid(ZonedDateTime.now(ClockProvider.clock()))) {
            throw new DisabledException("Api key " + apiKey + " is expired");
        }
        // Authenticated: attach the roles granted to this key as authorities
        return new APITokenAuthentication(
            authentication.getPrincipal(),
            authentication.getCredentials(),
            authorityRepository.findRoles(apiKey).stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList()));
    });
    // This chain only applies to requests that RequestTypeMatchers classifies as token-authenticated
    http.requestMatcher(RequestTypeMatchers::isTokenAuthentication)
        // Token clients carry no session, so no session state and no CSRF token are needed
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .csrf().disable()
        .authorizeRequests()
        // Matchers are evaluated in order: the first matching rule wins
        .antMatchers(ADMIN_PUBLIC_API + "/**").hasRole(API_CLIENT)
        .antMatchers(ADMIN_API + "/check-in/**").hasAnyRole(OPERATOR, SUPERVISOR)
        .antMatchers(HttpMethod.GET, ADMIN_API + "/events").hasAnyRole(OPERATOR, SUPERVISOR, AuthenticationConstants.SPONSOR)
        .antMatchers(HttpMethod.GET, ADMIN_API + "/user-type", ADMIN_API + "/user/details").hasAnyRole(OPERATOR, SUPERVISOR, AuthenticationConstants.SPONSOR)
        // Everything else under the admin API is denied to token clients
        .antMatchers(ADMIN_API + "/**").denyAll()
        .antMatchers(HttpMethod.POST, "/api/attendees/sponsor-scan").hasRole(AuthenticationConstants.SPONSOR)
        .antMatchers(HttpMethod.GET, "/api/attendees/*/ticket/*").hasAnyRole(OPERATOR, SUPERVISOR, API_CLIENT)
        // Any remaining path requires an authenticated token
        .antMatchers("/**").authenticated()
        .and()
        .addFilter(filter);
}
Also used:
APIKeyAuthFilter (alfio.config.authentication.support.APIKeyAuthFilter)
SimpleGrantedAuthority (org.springframework.security.core.authority.SimpleGrantedAuthority)
User (alfio.model.user.User)
RequestTypeMatchers (alfio.config.authentication.support.RequestTypeMatchers)
APITokenAuthentication (alfio.config.authentication.support.APITokenAuthentication)
DisabledException (org.springframework.security.authentication.DisabledException)
BadCredentialsException (org.springframework.security.authentication.BadCredentialsException)
WrongAccountTypeException (alfio.config.authentication.support.WrongAccountTypeException)
