JWTSecurityConfig.java
package org.linkedopenactors.rdfpub.config.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;
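@Configuration
public class JWTSecurityConfig {

    /**
     * Issuers whose JWTs are accepted. {@link JwtIssuerAuthenticationManagerResolver}
     * selects the authentication manager from the token's {@code iss} claim and rejects
     * tokens from any issuer not listed here.
     */
    private static final String ISSUER_LOA = "https://login.m4h.network/auth/realms/LOA";
    private static final String ISSUER_TWO = "https://idp.example.org/issuerTwo";

    /**
     * Request patterns served without authentication, for every HTTP method.
     * Order inside this array is irrelevant (all entries share one {@code permitAll()}
     * decision), but the rule using it must stay after the scoped/role rules in
     * {@link #filterChain}, because Spring Security applies the first matching rule.
     */
    private static final String[] PUBLIC_PATTERNS = {
        "/actors", // TODO !! Secure
        "/dump", // TODO !! Secure
        "/",
        "/content/**",
        // NOTE(review): every actuator endpoint except /actuator/env (protected by the
        // earlier admin rule) is public here — confirm the exposed endpoints are intended.
        "/actuator/**",
        "/api-doc",
        "/v3/api-docs/**",
        "/swagger-resources/**",
        "/swagger-ui/**",
        "/swagger-ui/index.html**",
        "/swagger-ui.html",
        "/webjars/**",
        "/asPublic/sparql",
        "/.well-known/webfinger/",
        "/.well-known/webfinger*",
        "/.well-known/rdfpub",
        "/error",
        "/*/",
        "/*", // matches any single-segment path; the original rule listed this pattern twice
        "/*/outbox",
        "/*/outbox/*",
        "/*/inbox",
        "/*/objects/*",
        "/.well-known/oauth-authorization-server"
    };

    /**
     * Builds the HTTP security filter chain for this JWT resource server.
     *
     * <p>Rules are evaluated in declaration order and the first match decides:
     * <ol>
     *   <li>{@code GET /foos/**} requires {@code SCOPE_read}; {@code POST /foos} requires {@code SCOPE_write};</li>
     *   <li>{@code /asPublic/dump} and {@code /actuator/env} require the {@code admin} role;</li>
     *   <li>{@link #PUBLIC_PATTERNS} are open to everyone;</li>
     *   <li>every other request needs an authenticated bearer token from one of the configured issuers.</li>
     * </ol>
     *
     * @param http the builder injected by Spring Security
     * @return the configured filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        JwtIssuerAuthenticationManagerResolver authenticationManagerResolver =
                new JwtIssuerAuthenticationManagerResolver(ISSUER_LOA, ISSUER_TWO);

        // TODO csrf !! — disabling CSRF is only acceptable while every mutating endpoint is
        // bearer-token-only (no cookie/session based authentication).
        http.csrf().disable()
            .authorizeRequests(authz -> authz
                .antMatchers(HttpMethod.GET, "/foos/**").hasAuthority("SCOPE_read")
                .antMatchers(HttpMethod.POST, "/foos").hasAuthority("SCOPE_write")
                // NOTE(review): other methods on /foos (e.g. PUT, DELETE) are not covered by the
                // two rules above and fall through to the "/*" permitAll entry — confirm intended.
                // hasRole("admin") requires an authority named "ROLE_admin"; the default JWT
                // converter only produces "SCOPE_*" authorities, so unless a custom converter is
                // registered elsewhere no token satisfies this rule and it fails closed.
                .antMatchers("/asPublic/dump", "/actuator/env").hasRole("admin") // TODO validate that this is only accessible by admins
                .antMatchers(PUBLIC_PATTERNS).permitAll()
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .authenticationManagerResolver(authenticationManagerResolver));
        return http.build();
    }
}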