Merge pull request #45 from nastiausenko/refactor/security-configuration

Improve the security configuration for URL paths
nastiausenko · Apr 18, 2024 · a96859f · a96859f
2 parents cf4b108 + 9c016b4
commit a96859f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/src/main/java/com/linkurlshorter/urlshortener/link/LinkController.java b/src/main/java/com/linkurlshorter/urlshortener/link/LinkController.java
@@ -25,7 +25,7 @@
  */
 @RestController
 @RequiredArgsConstructor
-@RequestMapping("/link")
+@RequestMapping("/api/V1/link")
 public class LinkController {
     private static final int SHORT_LINK_LIFETIME_IN_DAYS = 30;
     private static final String OPERATION_FORBIDDEN_MSG = "Operation forbidden!";

diff --git a/src/main/java/com/linkurlshorter/urlshortener/security/SecurityConfig.java b/src/main/java/com/linkurlshorter/urlshortener/security/SecurityConfig.java
@@ -4,6 +4,7 @@
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -52,9 +53,11 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         return http
                 .csrf(AbstractHttpConfigurer::disable)
                 .authorizeHttpRequests(auth -> auth
-                        .requestMatchers("/api/V1/auth/**").permitAll()
-                        .requestMatchers("/api/V1/user/**").authenticated()
-                        .anyRequest().permitAll()
+                        .requestMatchers(HttpMethod.POST, "/api/V1/auth/**").permitAll()
+                        .requestMatchers(HttpMethod.POST, "/api/V1/user/**").authenticated()
+                        .requestMatchers(HttpMethod.GET, "/*").permitAll()
+                        .requestMatchers("/api/V1/link/**").authenticated()
+                        .anyRequest().denyAll()
                 )
                 .userDetailsService(customUserDetailsService)
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))