WIP: Restrict access to /management endpoint to ROLE_ADMIN

34a4d337 · Daniel Gerhardt · f363f4d5 · 34a4d337
Commit 34a4d337 authored 5 years ago by Daniel Gerhardt
--- a/src/main/java/de/thm/arsnova/config/SecurityConfig.java
+++ b/src/main/java/de/thm/arsnova/config/SecurityConfig.java
@@ -32,6 +32,7 @@ import org.pac4j.oidc.client.OidcClient;
 import org.pac4j.oidc.config.OidcConfiguration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.AdviceMode;
 import org.springframework.context.annotation.Bean;
@@ -145,6 +146,25 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 		}
 	}
+	@Configuration
+	@Order(3)
+	@Profile("!test")
+	public class ManagementHttpSecurityConfig extends HttpSecurityConfig {
+		private final String managementPath;
+		public ManagementHttpSecurityConfig(final WebEndpointProperties webEndpointProperties) {
+			managementPath = webEndpointProperties.getBasePath();
+		}
+		@Override
+		protected void configure(final HttpSecurity http) throws Exception {
+			super.configure(http);
+			http.antMatcher(managementPath);
+			http.authorizeRequests().anyRequest().hasRole("ADMIN");
+			http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+		}
+	}
 	@Configuration
 	@Order(2)
 	@Profile("!test")