package com.skycrate.backend.skycrateBackend.config;

import com.skycrate.backend.skycrateBackend.security.JwtAuthenticationFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * HTTP security rules for the backend: stateless sessions, a JWT filter ahead of the
 * username/password filter, HTTPS-only channels and a small set of hardening headers.
 */
@Configuration
public class SecurityConfig {

    /**
     * Paths served without authentication for every HTTP method.
     *
     * <p>NOTE(review): {@code /actuator/**} is open to anonymous callers. Which actuator
     * endpoints are actually served is decided by the management exposure settings
     * ({@code management.endpoints.web.exposure.include}), which are not visible in this
     * file. Confirm that only non-sensitive endpoints are exposed, or narrow this pattern.
     *
     * <p>NOTE(review): {@code /api/auth/logout} is also anonymous; verify the handler does
     * not act on a caller-supplied identity.
     */
    private static final String[] OPEN_ENDPOINTS = {
        "/api/auth/logout", "/api/auth/login", "/api/auth/register", "/actuator/**"
    };

    /** HSTS lifetime sent to browsers: 365 days expressed in seconds. */
    private static final long HSTS_MAX_AGE_SECONDS = 31536000;

    private final AuthenticationProvider authenticationProvider;
    private final JwtAuthenticationFilter jwtAuthenticationFilter;

    /**
     * Receives the collaborators wired into the filter chain.
     *
     * @param authenticationProvider  provider registered on the chain
     * @param jwtAuthenticationFilter filter inserted before the username/password filter
     */
    public SecurityConfig(AuthenticationProvider authenticationProvider,
                          JwtAuthenticationFilter jwtAuthenticationFilter) {
        this.authenticationProvider = authenticationProvider;
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
    }

    /**
     * Assembles the application's single {@link SecurityFilterChain}.
     *
     * @param http builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception if any configurer fails while the chain is being built
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // CSRF protection is off. That is only safe while credentials never travel in a
        // cookie; presumably the JWT arrives in a request header -- confirm in
        // JwtAuthenticationFilter.
        http.csrf(csrfConfig -> csrfConfig.disable());

        // No HTTP session is created or consulted; each request authenticates by itself.
        http.sessionManagement(sessions ->
                sessions.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

        http.authenticationProvider(authenticationProvider);

        // Matchers are evaluated in declaration order; anything unmatched needs a login.
        http.authorizeHttpRequests(rules -> {
            rules.requestMatchers(OPEN_ENDPOINTS).permitAll();
            rules.requestMatchers(HttpMethod.GET, "/public/**").permitAll();
            rules.anyRequest().authenticated();
        });

        // Every request must use a secure channel. NOTE(review): if TLS terminates at a
        // proxy, forwarded-header handling has to be configured for this check to see
        // the original scheme -- confirm for the deployment.
        http.requiresChannel(channels -> channels.anyRequest().requiresSecure());

        http.headers(headerConfig -> {
            headerConfig.httpStrictTransportSecurity(hstsConfig -> {
                hstsConfig.includeSubDomains(true);
                hstsConfig.maxAgeInSeconds(HSTS_MAX_AGE_SECONDS);
            });
            // Spring Security 6+ dropped xss.block(true); the X-XSS-Protection writer is
            // switched off here. This chain sets no Content-Security-Policy, so no
            // header-level XSS mitigation is configured in this file.
            headerConfig.xssProtection(xssConfig -> xssConfig.disable());
            // X-Frame-Options: DENY -- the application may not be framed by any origin.
            headerConfig.frameOptions(frameConfig -> frameConfig.deny());
        });

        // The JWT filter runs before the username/password authentication filter.
        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }
}