package com.aamdigital.aambackendservice.security
import com.aamdigital.aambackendservice.error.ForbiddenAccessException
import com.aamdigital.aambackendservice.error.UnauthorizedAccessException
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.core.AuthenticationException
import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.security.web.server.ServerAuthenticationEntryPoint
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler
import org.springframework.web.server.ServerWebExchange
import reactor.core.publisher.Mono
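@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class SecurityConfiguration {

    /**
     * Builds the WebFlux [SecurityWebFilterChain] for the service.
     *
     * Authorization rules, evaluated in order:
     *  - `GET /`, `GET /actuator` and `GET /actuator/**` are reachable without credentials;
     *  - every other exchange must carry a valid JWT (OAuth2 resource server, bearer token).
     *
     * CSRF protection is disabled: requests are authenticated by a bearer token rather than
     * a session cookie, so there is no ambient credential for a cross-site request to reuse.
     *
     * NOTE(review): `GET /actuator/**` admits anonymous callers to every management endpoint
     * that is exposed over HTTP. Which endpoints that covers is governed by
     * `management.endpoints.web.exposure.include`, which is not visible here — confirm that
     * only liveness/health style endpoints are exposed, or narrow this matcher.
     *
     * @param http the [ServerHttpSecurity] builder injected by Spring Security.
     * @return the configured filter chain.
     */
    @Bean
    fun securityWebFilterChain(
        http: ServerHttpSecurity,
    ): SecurityWebFilterChain =
        http
            .authorizeExchange { exchanges ->
                exchanges.pathMatchers(HttpMethod.GET, "/").permitAll()
                exchanges.pathMatchers(HttpMethod.GET, "/actuator").permitAll()
                exchanges.pathMatchers(HttpMethod.GET, "/actuator/**").permitAll()
                exchanges.anyExchange().authenticated()
            }
            .csrf { csrf ->
                csrf.disable()
            }
            .exceptionHandling { handling ->
                handling.accessDeniedHandler(customServerAccessDeniedHandler())
                handling.authenticationEntryPoint(CustomAuthenticationEntryPoint())
            }
            .oauth2ResourceServer { resourceServer ->
                resourceServer.jwt {}
            }
            .build()

    /**
     * Maps an authenticated-but-insufficient request (e.g. a method-security denial from
     * `@EnableReactiveMethodSecurity`) to the project's [ForbiddenAccessException].
     *
     * The failure is signalled through `Mono.error` rather than thrown from inside the
     * handler lambda: the handler runs inside the reactive pipeline, and surfacing the
     * error as a signal keeps it on the normal `onError` path instead of relying on the
     * operator to trap a synchronous throw.
     */
    private fun customServerAccessDeniedHandler(): ServerAccessDeniedHandler =
        ServerAccessDeniedHandler { _, denied ->
            Mono.error(
                ForbiddenAccessException(
                    message = "Access Token not sufficient for operation",
                    cause = denied
                )
            )
        }

    /**
     * Entry point for unauthenticated requests to protected paths: a missing, malformed or
     * rejected bearer token ends up here and is reported as [UnauthorizedAccessException].
     *
     * As with the access-denied handler, the error is returned as a `Mono.error` signal
     * rather than thrown so it stays on the reactive error path.
     */
    private class CustomAuthenticationEntryPoint : ServerAuthenticationEntryPoint {
        override fun commence(exchange: ServerWebExchange, ex: AuthenticationException): Mono<Void> =
            Mono.error(UnauthorizedAccessException("Access Token invalid or missing"))
    }
}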