Brendon/gameyfin
1
0
Fork 0
mirror of https://github.com/BrenBroZAYT/gameyfin.git synced 2026-06-13 16:40:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update SecurityConfig to use SecurityFilterChain

Browse Source
This commit is contained in:
grimsi
2025-09-25 13:18:36 +02:00
parent f523187971
commit f43140eb2a
1 changed files with 41 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
+41 -34
View File
@@ -1,60 +1,69 @@
package org.gameyfin.app.core.security package org.gameyfin.app.core.security
import com.vaadin.flow.spring.security.VaadinWebSecurity import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer
import com.vaadin.hilla.route.RouteUtil
import org.gameyfin.app.config.ConfigProperties import org.gameyfin.app.config.ConfigProperties
import org.gameyfin.app.config.ConfigService import org.gameyfin.app.config.ConfigService
import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Conditional import org.springframework.context.annotation.Conditional
import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Configuration
import org.springframework.context.annotation.Import
import org.springframework.core.env.Environment import org.springframework.core.env.Environment
import org.springframework.http.HttpStatus import org.springframework.http.HttpStatus
import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.builders.WebSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer
import org.springframework.security.config.http.SessionCreationPolicy import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.core.session.SessionRegistry import org.springframework.security.core.session.SessionRegistry
import org.springframework.security.oauth2.client.registration.ClientRegistration import org.springframework.security.oauth2.client.registration.ClientRegistration
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository
import org.springframework.security.oauth2.core.AuthorizationGrantType import org.springframework.security.oauth2.core.AuthorizationGrantType
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
@Import(
VaadinAwareSecurityContextHolderStrategyConfiguration::class
)
class SecurityConfig( class SecurityConfig(
private val environment: Environment, private val environment: Environment,
private val config: ConfigService, private val config: ConfigService,
private val ssoAuthenticationSuccessHandler: SsoAuthenticationSuccessHandler, private val ssoAuthenticationSuccessHandler: SsoAuthenticationSuccessHandler,
private val sessionRegistry: SessionRegistry private val sessionRegistry: SessionRegistry
) : VaadinWebSecurity() { ) {
companion object { companion object {
const val SSO_PROVIDER_KEY = "oidc" const val SSO_PROVIDER_KEY = "oidc"
} }
@Throws(Exception::class) @Bean
override fun configure(http: HttpSecurity) { fun filterChain(http: HttpSecurity, routeUtil: RouteUtil): SecurityFilterChain {
http.authorizeHttpRequests { auth ->
// Configure your static resources with public access before calling super.configure(HttpSecurity) as it adds final anyRequest matcher // Set default security policy that permits Hilla internal requests and denies all other
http.authorizeHttpRequests { auth: AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry -> auth.requestMatchers(routeUtil::isRouteAllowed).permitAll()
auth.requestMatchers("/login").permitAll() // Gameyfin static resources and public endpoints
.requestMatchers("/setup").permitAll() .requestMatchers(
.requestMatchers("/reset-password").permitAll() "/login",
.requestMatchers("/accept-invitation").permitAll() "/setup",
.requestMatchers("/public/**").permitAll() "/reset-password",
.requestMatchers("/images/**").permitAll() "/accept-invitation",
.requestMatchers("/favicon.ico").permitAll() "/public/**",
.requestMatchers("/favicon.svg").permitAll() "/images/**",
"/favicon.ico",
// Dynamic public access for certain endpoints "/favicon.svg"
auth.requestMatchers("/").access(DynamicPublicAccessAuthorizationManager(config)) ).permitAll()
.requestMatchers("/game/**").access(DynamicPublicAccessAuthorizationManager(config)) // Dynamic public access for certain endpoints
.requestMatchers("/library/**").access(DynamicPublicAccessAuthorizationManager(config)) .requestMatchers(
.requestMatchers("/search/**").access(DynamicPublicAccessAuthorizationManager(config)) "/",
.requestMatchers("/requests/**").access(DynamicPublicAccessAuthorizationManager(config)) "/game/**",
.requestMatchers("/download/**").access(DynamicPublicAccessAuthorizationManager(config)) "/library/**",
"/search/**",
"/requests/**",
"/download/**"
).access(DynamicPublicAccessAuthorizationManager(config))
} }
http.sessionManagement { sessionManagement -> http.sessionManagement { sessionManagement ->
@@ -67,9 +76,10 @@ class SecurityConfig(
// Not needed since the frontend is served by the backend // Not needed since the frontend is served by the backend
http.cors { cors -> cors.disable() } http.cors { cors -> cors.disable() }
super.configure(http) http.with(VaadinSecurityConfigurer.vaadin()) { configurer ->
// use a custom login view and redirect to root on logout
setLoginView(http, "/login", "/") configurer.loginView("/login", "/")
}
if (config.get(ConfigProperties.SSO.OIDC.Enabled) == true) { if (config.get(ConfigProperties.SSO.OIDC.Enabled) == true) {
// Use custom success handler to handle user registration // Use custom success handler to handle user registration
@@ -82,15 +92,12 @@ class SecurityConfig(
exceptionHandling.authenticationEntryPoint(CustomAuthenticationEntryPoint()) exceptionHandling.authenticationEntryPoint(CustomAuthenticationEntryPoint())
} }
} }
}
@Throws(Exception::class)
public override fun configure(web: WebSecurity) {
super.configure(web)
if ("dev" in environment.activeProfiles) { if ("dev" in environment.activeProfiles) {
web.ignoring().requestMatchers("/h2-console/**") http.authorizeHttpRequests { auth -> auth.requestMatchers("/h2-console/**").permitAll() }
} }
return http.build()
} }
@Bean @Bean