package com.skycrate.backend.skycrateBackend.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import java.util.List;

/**
 * Spring Security wiring for the backend: a single stateless filter chain and the CORS policy
 * that chain picks up.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    private final AuthenticationProvider authenticationProvider;
    private final JwtAuthenticationFilter jwtAuthenticationFilter;

    /**
     * Keeps the two collaborators that the filter chain registers.
     *
     * @param jwtAuthenticationFilter filter placed ahead of {@link UsernamePasswordAuthenticationFilter}
     * @param authenticationProvider provider registered on the chain
     */
    public SecurityConfiguration(
            JwtAuthenticationFilter jwtAuthenticationFilter,
            AuthenticationProvider authenticationProvider
    ) {
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
        this.authenticationProvider = authenticationProvider;
    }

    /**
     * Builds the application's only security filter chain, matching every request path.
     *
     * @param http builder supplied by Spring Security
     * @return the assembled chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/**");

        // NOTE(review): "/api/**" already covers "/api/hdfs/**", and permitAll() on it means no
        // route under /api requires authentication; only paths outside /api reach
        // authenticated(). If the controllers are mounted under /api (not visible in this file),
        // the JWT filter below is not gating them. Confirm this is intended, or list only the
        // routes that must be public and let the rest fall through to authenticated().
        http.authorizeHttpRequests(requests -> requests
                .requestMatchers("/api/hdfs/**", "/api/**").permitAll()
                .anyRequest().authenticated()
        );

        // No HTTP session is created or consulted by Spring Security.
        http.sessionManagement(sessions -> sessions
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        );

        http.authenticationProvider(authenticationProvider);
        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        // CSRF protection is switched off. NOTE(review): that fits an API whose token travels
        // only in a request header; if a credential is ever carried in a cookie, revisit this.
        http.csrf(csrf -> csrf.disable());

        // An empty customizer turns CORS handling on with defaults, so the chain uses the
        // CorsConfigurationSource bean declared in this class.
        http.cors(cors -> {});

        return http.build();
    }

    /**
     * Declares the CORS policy applied to every path.
     *
     * <p>NOTE(review): origin pattern {@code "*"} combined with {@code allowCredentials(true)}
     * makes Spring echo whatever {@code Origin} the browser sends back in
     * {@code Access-Control-Allow-Origin} together with
     * {@code Access-Control-Allow-Credentials: true}. Any website can then issue credentialed
     * cross-origin requests and read the responses. {@code setAllowedOrigins("*")} is rejected by
     * Spring when credentials are allowed for exactly this reason; the pattern form sidesteps
     * that guard rather than making the combination safe. Prefer listing the real front-end
     * origin(s), or turn credentials off if the token is only sent in an {@code Authorization}
     * header the client sets itself (presumably the case with the JWT filter; confirm).
     *
     * @return a URL-based source with one policy registered for {@code "/**"}
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration policy = new CorsConfiguration();

        // Request side: which origins, methods and headers a browser may use.
        policy.setAllowCredentials(true);
        policy.setAllowedOriginPatterns(List.of("*"));
        policy.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        policy.setAllowedHeaders(List.of("*"));

        // Response side: lets browser scripts read the Authorization response header.
        policy.setExposedHeaders(List.of("Authorization"));

        UrlBasedCorsConfigurationSource byPath = new UrlBasedCorsConfigurationSource();
        byPath.registerCorsConfiguration("/**", policy);
        return byPath;
    }
}