refactor: upgrade security configuration

KnowHowSpringBoot · Nov 20, 2023 · 4445ab9 · 4445ab9
1 parent 53c942b
commit 4445ab9
Showing 1 changed file with 24 additions and 11 deletions.
diff --git a/src/main/java/dev/knowhowto/jwtsecured/config/SecurityConfiguration.java b/src/main/java/dev/knowhowto/jwtsecured/config/SecurityConfiguration.java
@@ -7,6 +7,7 @@
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@@ -16,23 +17,35 @@
 @RequiredArgsConstructor
 public class SecurityConfiguration {
 
+  private static final String[] WHITE_LIST_URL = {"/api/v1/auth/**",
+      "/v2/api-docs",
+      "/v3/api-docs",
+      "/v3/api-docs/**",
+      "/swagger-resources",
+      "/swagger-resources/**",
+      "/configuration/ui",
+      "/configuration/security",
+      "/swagger-ui/**",
+      "/webjars/**",
+      "/swagger-ui.html"};
+
   private final JwtAuthenticationFilter jwtAuthFilter;
   private final AuthenticationProvider authenticationProvider;
 
   @Bean
   public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+
     http
-        .csrf()
-        .disable()
-        .authorizeHttpRequests()
-        .requestMatchers("/api/v1/auth/**")
-        .permitAll()
-        .anyRequest()
-        .authenticated()
-        .and()
-        .sessionManagement()
-        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-        .and()
+        .csrf(AbstractHttpConfigurer::disable)
+        .authorizeHttpRequests(req ->
+            req.requestMatchers(WHITE_LIST_URL)
+                .permitAll()
+                .requestMatchers("/api/v1/auth/**")
+                .permitAll()
+                .anyRequest()
+                .authenticated()
+        )
+        .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
         .authenticationProvider(authenticationProvider)
         .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);