From 169c6e653849dd90cb7c6ede829dd7ba29c2c6a0 Mon Sep 17 00:00:00 2001
From: Paulo Gustavo Veiga
Date: Sat, 12 Aug 2023 18:57:13 -0700
Subject: [PATCH] Improve security filters
---
 wise-webapp/pom.xml | 14 +++++-
 .../wisemapping/config/SecurityConfig.java | 44 ++++++++++++-------
 2 files changed, 41 insertions(+), 17 deletions(-)
diff --git a/wise-webapp/pom.xml b/wise-webapp/pom.xml
index 95d150a4..f39c3670 100644
--- a/wise-webapp/pom.xml
+++ b/wise-webapp/pom.xml
@@ -13,8 +13,8 @@
- 6.0.10
- 6.1.1
+ 6.0.11
+ 6.1.2
 6.2.6.Final
 6.0.21.Final
 6.0.2
@@ -51,6 +51,16 @@ ${org.springframework.version} compile + + org.springframework + spring-messaging + ${org.springframework.version} + + org.springframework + spring-websocket + ${org.springframework.version} + org.postgresql postgresql
diff --git a/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java b/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java
index 9fdd5d31..fa362d4d 100644
--- a/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java
+++ b/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java
@@ -44,13 +44,12 @@ public class SecurityConfig {
 matchers.requestMatchers(serviceMapper.pattern(("/**"))))
 .authorizeHttpRequests(auth -> auth
- .requestMatchers("/users/").permitAll()
- .requestMatchers("/users/resetPassword").permitAll()
- .requestMatchers("/oauth2/googlecallback").permitAll()
- .requestMatchers("/oauth2/confirmaccountsync").permitAll()
- .requestMatchers("/admin/**").hasAnyRole("ADMIN")
- .requestMatchers("/**").hasAnyRole("USER", "ADMIN")
-
+ .requestMatchers(serviceMapper.pattern("/users/")).permitAll()
+ .requestMatchers(serviceMapper.pattern("/users/resetPassword")).permitAll()
+ .requestMatchers(serviceMapper.pattern("/oauth2/googlecallback")).permitAll()
+ .requestMatchers(serviceMapper.pattern("/oauth2/confirmaccountsync")).permitAll()
+ .requestMatchers(serviceMapper.pattern("/admin/**")).hasAnyRole("ADMIN")
+ .requestMatchers(serviceMapper.pattern("/**")).hasAnyRole("USER", "ADMIN")
 )
 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .httpBasic(httpBasic -> {
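Review bot: Nothing in the hunk records why every rule now goes through `serviceMapper.pattern(...)`, and the reason is non-obvious enough to deserve a comment above the first rule, e.g. `// Bind each pattern to this chain's servlet via MvcRequestMatcher: a bare String pattern is ambiguous once more than one servlet is registered`; if the 6.1.1 → 6.1.2 bump in pom.xml is the Spring Security property, that is the release that starts rejecting such bare patterns at startup, which is presumably what motivated the change. Whether `serviceMapper` is actually built with a servlet path is decided above this hunk and cannot be checked here; if it is a plain builder, the `/users/` and `/admin/**` rules are evaluated against the default MVC servlet rather than the service one, so that is worth confirming. The enclosing method starts and ends outside the hunk.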
@@ -76,12 +75,21 @@ public class SecurityConfig {
 .authorizeHttpRequests(
 (auth) ->
 auth
- .requestMatchers("/login", "logout").permitAll()
- .requestMatchers("/registration", "registration-success", "/registration-google").permitAll()
- .requestMatchers("/forgot-password", "/forgot-password-success").permitAll()
- .requestMatchers("/maps/*/embed", "/maps/*/try", "/maps/*/public").permitAll()
- .requestMatchers("/maps/*/document/xml-pub").permitAll()
- .requestMatchers("/**").hasAnyRole("USER", "ADMIN")
+ .requestMatchers(mvcMatcher.pattern("/login")).permitAll()
+ .requestMatchers(mvcMatcher.pattern("/logout")).permitAll()
+
+ .requestMatchers(mvcMatcher.pattern("/registration")).permitAll()
+ .requestMatchers(mvcMatcher.pattern("/registration-success")).permitAll()
+ .requestMatchers(mvcMatcher.pattern("/registration-google")).permitAll()
+
+ .requestMatchers(mvcMatcher.pattern("/forgot-password")).permitAll()
+ .requestMatchers(mvcMatcher.pattern("/forgot-password-success")).permitAll()
+ .requestMatchers(mvcMatcher.pattern("/maps/*/embed")).permitAll()
+ .requestMatchers(mvcMatcher.pattern("/maps/*/try")).permitAll()
+ .requestMatchers(mvcMatcher.pattern("/maps/*/public")).permitAll()
+ .requestMatchers(restfullMapper.pattern("/maps/*/document/xml-pub")).permitAll()
+ .requestMatchers(mvcMatcher.pattern("/**")).hasAnyRole("USER", "ADMIN")
+ .requestMatchers(restfullMapper.pattern("/**")).hasAnyRole("USER", "ADMIN")
 .anyRequest().authenticated())
 .formLogin((loginForm) ->
 loginForm.loginPage("/c/login")
@@ -102,7 +110,7 @@ public class SecurityConfig {
 ).authenticationSuccessHandler(authenticationSuccessHandler)
 )
 .csrf((csrf) ->
- csrf.ignoringRequestMatchers("/logout"));
+ csrf.ignoringRequestMatchers(mvcMatcher.pattern("/logout")));
 return http.build();
 }
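Review bot: The `/maps/*/document/xml-pub` rule is the only `permitAll` built with `restfullMapper`, so that public exemption now applies to whichever servlet path `restfullMapper` is bound to, whereas the removed String pattern was resolved against the default MVC mapping; both builders are declared above this hunk (the method starts outside it), so please confirm the xml-pub controller really lives under that servlet. If it does not, the request falls through to the `restfullMapper.pattern("/**")` role rule and public map embedding stops working — fail-closed, but a regression. A comment on that line would record the intent: `// public map XML is served by the REST servlet, hence restfullMapper rather than mvcMatcher`. On style, the two blank lines inside the builder chain (after `/logout` and after `/registration-google`) visually split a single expression; a short group comment on each block reads better than empty lines.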
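Review bot: `/logout` stays exempt from CSRF on the new line `csrf.ignoringRequestMatchers(mvcMatcher.pattern("/logout"))` and is also `permitAll` in the hunk above, so a logout can be triggered without a token from any origin; that was already true before this commit, but since the matcher is being made explicit it is the right moment to decide whether the exemption is still needed. With CSRF enabled the stock logout handling only accepts a POST carrying the token, so if the UI already posts the token the `ignoringRequestMatchers` call can simply be dropped; if a GET logout link is relied on, keep it and record the trade-off next to it: `// logout is deliberately reachable without a CSRF token; a forced logout is accepted as low impact`.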
@@ -110,9 +118,15 @@ public class SecurityConfig {
 @Bean
 @Order(3)
 public SecurityFilterChain shareResourcesFilterChain(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
+ final MvcRequestMatcher.Builder restfullMapper = new MvcRequestMatcher.Builder(introspector);
+
 return http.authorizeHttpRequests(
 (auth) ->
- auth.requestMatchers("/static/**", "/css/**", "/js/**", "/images/**", "/*").permitAll()
+ auth.requestMatchers(restfullMapper.pattern("/static/**")).permitAll().
+ requestMatchers(restfullMapper.pattern("/css/**")).permitAll().
+ requestMatchers(restfullMapper.pattern("/js/**")).permitAll().
+ requestMatchers(restfullMapper.pattern("/images/**")).permitAll().
+ requestMatchers(restfullMapper.pattern("/*")).permitAll()
 ).build();
 }
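Review bot: The new local `restfullMapper` is a bare `new MvcRequestMatcher.Builder(introspector)` with no servlet path, so it is the plain MVC matcher rather than the REST-servlet builder the same name denotes in the web chain above; naming it `mvcMatcher` here, `final MvcRequestMatcher.Builder mvcMatcher = new MvcRequestMatcher.Builder(introspector);`, stops the two chains from contradicting each other. This `@Order(3)` chain declares no `securityMatcher` in the visible code, so it presumably receives whatever the earlier chains decline, and anything outside the five `permitAll` patterns is left to the authorization manager's no-match default (deny, as far as the delegating manager's behaviour goes); an explicit `.anyRequest().denyAll()` after the `/*` rule states that decision in code rather than in a reader's memory. The trailing-dot continuation (`.permitAll().` / `requestMatchers(...)`) also differs from the leading-dot style used in every other chain in this file.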